seen that there are things in the key that we've chosen or in the sub key that we've chosen. Now we have to actually get information out of them.
So the way we're going to go about doing that is fairly straightforward. We're trying to enumerate keys, so we're going to use the function for that. There you go. It takes a key and an index. The index is which key you're gonna receive.
So, as I showed you, it returned one sub key. So there's an easy way to do that with any Python loop. Obviously, we can just do for i in...
And then there's a similar function called EnumValue, which again is exactly what it sounds like and works pretty much exactly the same way. The distinction between these is that num values are the keys, or data fields, within a registry key which actually contain information. EnumValue returns a tuple: name, value data, data type.
So we're just going to check out the name and value data for right now: name, data, and then dtype, which we're going to throw away and ignore, equals EnumValue. Okay, nice and easy.
And then for that we'll do print. And it freaked out at us, so these are integers. So it should actually be for i in range(num_subkeys) and for i in range(num_values).
Now we're seeing some information. Not very cleanly formatted, I admit, but we're seeing information. So we see one sub key followed by 37 values. And we can clean that up just a little bit, with "sub keys" and "values" labels. This is just so we can more easily differentiate between sub keys and values.
So these values all tell Windows something different: ColorTable00, ColorTable01, CursorSize. All of these things can be used to make changes if you need to. Specifically, this is for the console, so if we were to make changes to this registry key, we could actually change what we're seeing, and you can feel free to do that to yours. I am not a huge fan of messing with registry keys, because it's an easy way to break things.
There you go. Sub keys, values, nice and easy. At that point we've pretty effectively (not actually downloaded, but) pretty effectively checked all of the registry keys, so we can move on to the next function.
The next function is going to be download file. The nice thing is, we're gonna go easy on this one, and your download of a file isn't going to be using ctypes and tracking the file through the entire drive. It's just gonna be a pretty straightforward f = open(filename).
This again is included primarily for methodology rather than for how you go about doing this. It's just that this is an important function to have in any script like this. So we're gonna open it for reading, and for now we'll print f.read().
The next function is a little bit more interesting, I think: gather information. Gathering information is this huge slew of things I've shown you up here, and for gather information you can see I included log name as an argument.
It is possible to just send all of the data directly on the socket. We want to avoid that. We want to write logs so that we can more safely keep track of that data. As I mentioned before, the way we're implementing download file is actually just gonna print it out on the client; it's just gonna print it to the screen. For example, if you were to use your old file transfer tool, the FTP tool that we wrote in the other lab, then you would want to make sure that you're downloading an actual proper log.
Gather information is going to consist of seven, eight, nine commands, and pretty much all of them are gonna be done through Popen. So we can do this in a couple of ways. The best way to do it, and the way we're going to do it, is a multi-dimensional list. So we're going to do commands_list. That's going to be ipconfig. Well, actually, it's going to be a list. Did I mention it's multi-dimensional? The reason for that is because, again, Popen generally wants it to be a list, and even if you don't have anything to populate a full list, it's not a terrible idea to just make a list for syntactical clarity.
Make sure you get all the commas you need in here. There will be a few extra. And then the net suite... riveting stuff, folks, riveting stuff... and view. There we go.
So now we've got our multi-dimensional list of commands. These are the things that we're going to pass to Popen to execute, essentially. So we're going to take log name, and we're gonna open log name. We're not opening for appending; we're gonna overwrite any old logs, so keep that in mind whenever you start deciding log names. So we open with "w", for write.
So for i in commands_list: subprocess.Popen(i), because again, now we're giving it a list. And then we can reopen the Popen documentation so that we can double check and make sure we got all the right things for it. So the first thing is args, then bufsize, executable, stdin, stdout. We want stdout to be logged, and we make stderr log just to be safe. And then when it's done...
So gather information: log name is going to be the log, and sock. It'll just be easier over there. It says log created, and the file can be found... info log. Let's look at the file. Look at all the data we gathered.
That's a lot of information that we could make use of. So the user accounts; we see active connections, aliases; we see all sorts of information, most of what I showed you in the other course. Most of the detail was the information grabbed all at once.
For those of you who are curious, and really for those of you who aren't curious as well, it's worth going through and understanding exactly what each of these is doing and why the information is worth grabbing.
So net accounts: password data. It tells you what the rules are for this system. That way you're able to keep track of, one, how easily cracked it is, or how strong their password system is. I'll say this is a computer that I use for teaching these courses. It's not really very heavily secured.
The next one we have on there is net file. That's not showing anything right now because it's not doing anything. Net file shows currently open shared files, so net file is for something like, say, you're running my computer. A lot of times I run a movie server for my entire house, where all of the movies are stored on my hard drive, and then we can just watch them wherever in the house. Net file, if any of those folders were open, would report that. So when you're gathering information, net file could be used to say: okay, I know what folders this guy is sharing out; I know where to store some stuff if I wanted to put it somewhere, or where to avoid if I don't want people to see it.
Net group just tells you what groups are on this machine. Again, nothing useful here. Net session describes current communications going on with other machines. It can be used to terminate them, which is handy. Net share: see what the machine is sharing out. This has got a default share on C and E as well as the default admin and IPC shares. This machine has not been hardened; you could pretty easily target this machine with a lot of old attacks, which is handy to know.
After net share you get net user, which obviously you guys have seen plenty of, a list of users; and net view, which takes a minute, and that's just the other machines that are currently active on the network that your computer knows about. So those were the net commands. And then, of course, there is ipconfig /all. Those were the commands, though, that you just wrote a script to run. And the intent of those commands, as I mentioned, is pretty straightforward: it's just designed to gather as much information as quickly as possible.
The next thing we're going to do is execute command. Execute command is a little bit different from everything else we've done in that it executes an arbitrary command. So rather than executing, you know, a specific list, it's just whatever you throw at it; it's gonna run. And you're gonna run into a specific issue with that in certain cases, and I'm gonna show you one of those cases now.
subprocess.Popen. We'll have a log here just for safety's sake, so you can see how all this works. The first thing we pass is a command; we're gonna pass this tree. That was the dramatic-looking command I gave earlier. The second argument we're gonna pass is gonna be the log name. We're just going to do tree log; if you get it, I hope you get it. tree_log.txt, and we run, and we got a Windows error: the system cannot find the file specified.
So reading this, it would seem logical that it can't find tree_log.txt, but what it actually can't find is tree. The reason for that is because tree isn't an executable. So subprocess.Popen looks for this command assuming it's an executable, but it's not.
So there are a few ways you can fix this. The hack that I mentioned, we're going to do that; some people really won't like it and others will think it's fantastic. What we're gonna do is: our command isn't found because it says, oh, that's not a file. What we can do is just tell it what kind of file we're looking for.
The distinction is, if we pass it a list of arguments, for example if we were to pass it a list, that would be an issue. So you do want to pass it a proper list, but you're not necessarily going to be able to. So this is not a smart fix, and the reason you're not going to be able to is because your users may just send you a string of text, which is actually what happens for the client for this. So this is a very kind of dumb fix. It doesn't solve everything, but it's a good sort of hacking workaround, which is what we're working on and what we're learning in this class. So that's what we're going to do here: just a workaround, which is designed to work in about 90% of cases, and there are obviously going to be cases where it doesn't work. Just roll with the punches. Everything's gonna be just fine.
subprocess.Popen(command + ".com"), and let's try that. It's not expected to be executed... "Press any key to continue" looks promising. And we've got a tree log, and we took a tree log of a pretty terrible area, but...
So there are obviously ways that we could go about fixing that. If we did change it, if we did cause the user to only send good input, what we could do is take a much better approach: we've gotta make sure we don't escape things we shouldn't be escaping; create a protocol, a system by which our user has to give us a list of arguments. Then, awesome, we can much more cleanly take care of it.
What we're doing right now, and what the client is actually going to send, is a string, because I kind of want to drive home the point that sometimes things aren't perfect, and sometimes you just kinda have to cheat your way through. If you're trying to become a hacker and anyone tells you you cheated, all that actually means is you did it right.
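The execute-command discussion above (tree not being found, and the string-versus-argument-list problem) is the spot where command injection usually creeps into tools like this. What follows is an added example written for this page, not the course's own execute command code: it takes the single string a client sends, tokenises it with shlex instead of handing it to a shell, checks the program name against an allowlist (ALLOWED_PROGRAMS is a hypothetical set chosen for the example), runs it without shell=True, and reports the same "cannot find the file" failure as a clear status instead of a traceback. The posix flag on shlex.split is taken from os.name so that Windows paths with backslashes are not treated as escapes.

```python
import os
import shlex
import subprocess
import sys

# Hypothetical allowlist for this example: the only programs a remote
# caller may start. The course's tool has no such list; this is the
# defensive alternative to appending ".com" and hoping for the best.
ALLOWED_PROGRAMS = {"whoami", "ipconfig", "tree", "hostname"}


def run_remote_command(cmd_string, allowed=None, timeout=30):
    """Run a command that arrived over the wire as a single string.

    Returns (status, text). status is one of:
      'refused'   - unparsable, empty, or program not in the allowlist
      'not-found' - argv[0] is not an executable the OS can start
                    (on Windows: "The system cannot find the file specified")
      'timeout'   - the program ran longer than `timeout` seconds
      'ok'        - it ran; text holds stdout followed by stderr
    """
    allowed = ALLOWED_PROGRAMS if allowed is None else allowed
    try:
        # Tokenise the string ourselves; no shell ever sees it, so
        # metacharacters like ';', '&&' or '|' are just ordinary arguments.
        argv = shlex.split(cmd_string, posix=(os.name != "nt"))
    except ValueError as exc:  # e.g. an unbalanced quote
        return ("refused", f"cannot parse command: {exc}")
    if not argv:
        return ("refused", "empty command")
    if argv[0] not in allowed:
        return ("refused", f"program not in allowlist: {argv[0]}")
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout)
    except FileNotFoundError:
        # Popen resolves argv[0] as an executable; a shell builtin or a
        # .com given without its extension fails here, not inside a shell.
        return ("not-found", argv[0])
    except subprocess.TimeoutExpired:
        return ("timeout", argv[0])
    return ("ok", proc.stdout + proc.stderr)


def demo():
    """Show the three interesting outcomes on constructed inputs."""
    # A shell would chain these; here 'whoami;' is just an unknown program.
    refused = run_remote_command("whoami; echo injected")
    # Allowed by name but not installed: the page's "cannot find the file" case.
    missing = run_remote_command("no_such_tool_xyz",
                                 allowed={"no_such_tool_xyz"})
    # A real program, run as an argv list with the interpreter as argv[0].
    ok = run_remote_command(f"{sys.executable} -c print(6*7)",
                            allowed={sys.executable})
    return refused[0], missing[0], ok[0], ok[1].strip()


if __name__ == "__main__":
    print(demo())  # ('refused', 'not-found', 'ok', '42')
```

The allowlist is what turns "run whatever you throw at it" into something reviewable: the client can still send one string, but only named programs start, and nothing the string contains is ever interpreted by cmd.exe or /bin/sh.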
So there we go. We finished cheating on execute command, and now we move on to the last little tidbit function before we go about making this thing into a big monstrosity of awesomeness.
When you get this code, these two functions will just be included. Get data is just the second function that I built, or the third function I built in, for the specific cases when you're sending, when you're requesting commands, for whatever purpose. And send data receives sock and str_to_send; all it does is send data. This may not seem particularly necessary, to create a function to cover what's effectively two lines of code. I'll tell you it is a lifesaver, because you write those two lines of code about 30 times if you don't do that.
Now that we've gone through and made sure all of our separate functions work, the next step is creating a networking device: making this thing capable of actually talking over the web, or over the wire, with another computer, with a client, so that it can send this information somewhere rather than simply printing it to the screen. Printing it to the screen is pretty; it doesn't actually do that much for us.
So, ready: sock = socket.socket(). This is a server, so we need to do a socket bind, binding on every port we have... pardon me, on every interface we have, on port 12345. We're only gonna listen for one customer, because we only want to serve the one person, which is obviously going to be our client connecting to this. We don't want any random person to be able to connect.
And now we get into the menu and all of that jazz. Oh, the menu for this obviously is going to be a series of commands. Now, what I did to make things a little bit easier on both sides is that it's a series of two- or three-letter commands, which we're just gonna steal from the client... borrow from the client. We're not gonna take it. Which just kind of simplifies the process of sending and receiving commands. Easier to type is what it really amounts to.
So we're going to do while True, because it's going to be a consistently running server. conn_sock = invalid, whatever the invalid code is for a socket... but we're going to do it the easy way; we're going to do while True. The first thing we're gonna do is a send, and the string to send is going to be the menu, and then cmd = get_data.
And this is where, in C, you would have a switch/case table that could actually go through, and you write a specific case for each item. Unfortunately, Python doesn't implement that, so we've got to handle it the hard way.
CU translates to create user. We need a name, password and the log file for that. The log file, as I mentioned, we're not actually going to be doing, so all we really need is a name and password: get data for the name, and get data for the password.
So obviously we're going to have to do a bit of a change here. So for create user, we've got log file: if something goes wrong, we write it to a log file. Now, if we were doing this on Linux, we could actually just replace log file with sock and put things in the socket. Unfortunately, we can't do that, for various reasons. So what we're going to do instead is create a log for error logging only. So we're not going to take stdout; we're only going to take stderr, because if something comes to stdout, then we can assume that it was a proper success and everything worked out all right.
So we're going to do error log, and in create user, rather than putting log file here (this is stdout), we put None, and for stderr we're going to put the error log. So now create user just became silent, other than in the case, obviously, of errors: if something goes wrong it's going to write to error log; otherwise it's just gonna run.
Obviously, there are ways that we can go about checking to make sure things are working right. If we're on the machine, and if we have execute command capabilities, we can simply run a command and see: hey, are you actually sending my stuff correctly? And there's create user, and create user actually receives from across the network now, so that's done.
elif cmd == "DU", which is delete user, and we're gonna make some of the same changes to delete user. Delete user is going to get rid of this log file; just turn that to None.
There you go. So now we've cleaned up create and delete user a little bit, which is kind of nice, but we've also... So there are potential returns that aren't necessarily errors, that don't go to stderr, that we don't necessarily want. That's sort of the trade-off that you're always gonna have in this. I personally advocate the quieter it is, the better, and you can do your own checks. But whatever works for you, if you prefer to have a log file of every single thing you do.
So now we've called two functions and move on to our third. Our third function is going to be download registry key, a little bit more involved. The things download registry key needs are going to be root, path and sock. So root, as you may remember, is not an actual string. It's a #define, so we're gonna have to do something about that for sending data back across.
So what we're gonna do here, in download registry key, is create a dictionary, and the dictionary is going to map the defined values to the actual strings for root. So we'll call it root_dict, and it's going to be... And we're gonna bring up regedit over here again so we can make sure we're writing the right registry key names. Exactly what it sounds like. And unfortunately, this is kind of the part where it gets into a little bit of busywork. I'm gonna need you to bear with me: HKEY_CURRENT_USER, and HKEY_CURRENT... There we go. We made it through together, folks.
To make life easy, so we don't have to go through and change a bunch of code, all we're gonna do is root = root_dict[root]. I'm gonna change the value to be whatever the define is for the string that we received. So now it gets it on sock, and we actually want to send the data back on the socket rather than doing a print. For all of these things we're going to do send data specifically.
And I'm not actually sure, I'm curious myself as to whether or not formatting this in this manner will work. So we're gonna find out. I think it will, but I'm not positive. So we're gonna be in for a ride together. There we go. So now we downloaded the registry key. Nice and quick, nice and easy.
elif cmd == download file: gonna take the argument; it's a file name. And we can look at this download file to make sure it's right. Yeah. So instead of print f, we're going to just do a send. Much easier in this than when we were using ctypes.
Gather information: for gather information we actually take a log name, because with something with this much data we want to write it to a log and then just send the log across through download file. The reason for that is because if we were actually collecting this data, the best thing to do would be to store it in a log and then to exfiltrate the log itself through the FTP tool or something like that. In this case, we're doing it because it's easier to store it that way for the purpose of sending it later; we don't run into memory errors as often, because when you start dealing with nine K outputs for one function, if you start trying to send too many of those across the network quickly, you're gonna start breaking things. And rather than try and build an incredibly robust program, we are, as always, going to cheat.
So for gather information, the first argument it takes is sock, and the last argument... Rather, cmd == gather information. And there is a log name option. And that's again just because writing the data back across the network in this case is kind of challenging, simply because Windows doesn't actually use sockets as file descriptors, whereas Linux does. So in Linux you could actually pass the socket as that log name, and it would let you do that.
There you go. Now I've got a server and the info client. You see, it's got a null, so we don't have to worry about it sending us data that isn't... It makes life a little bit easier for us.
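The get data / send data helpers and the worry above about nine-kilobyte outputs breaking things share one root cause: TCP is a byte stream, so a single recv may return part of a message or two messages glued together, and a large log arrives in many pieces. This added example, written for this page and not the course's own helpers, prefixes every message with a four-byte length and reads back exactly that many bytes, with a cap so a misbehaving peer cannot make the receiver allocate unbounded memory. The socketpair, the menu text, the 1 MB "log" and the MAX_FRAME limit are all constructed for the demonstration.

```python
import socket
import struct
import threading

HEADER = struct.Struct("!I")        # 4-byte big-endian length prefix
MAX_FRAME = 16 * 1024 * 1024        # assumed limit: refuse anything larger


def send_data(sock, text):
    """Send one text message as a length prefix followed by the UTF-8 body."""
    payload = text.encode("utf-8")
    if len(payload) > MAX_FRAME:
        raise ValueError("message too large for one frame")
    # sendall loops until every byte is written; plain send may stop short.
    sock.sendall(HEADER.pack(len(payload)) + payload)


def _recv_exact(sock, n):
    """Read exactly n bytes, however many recv calls that takes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return bytes(buf)


def get_data(sock):
    """Receive one message produced by send_data and return it as str."""
    (length,) = HEADER.unpack(_recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:
        # Check the header before allocating; a hostile peer could
        # otherwise announce a gigabyte and let recv exhaust memory.
        raise ValueError(f"frame of {length} bytes exceeds MAX_FRAME")
    return _recv_exact(sock, length).decode("utf-8")


def demo():
    """Push a small menu string and a constructed ~1 MB 'log' through a
    socketpair; return the received lengths and whether both arrived intact."""
    server, client = socket.socketpair()
    menu = "CU: create user\nDU: delete user\n"
    big_log = "net share output line\n" * 50000      # 1,100,000 bytes
    sent = [menu, big_log]

    def sender():
        # Runs in its own thread so the receiver can drain the socket buffer
        # while the large frame is still being written.
        for msg in sent:
            send_data(server, msg)
        server.close()

    t = threading.Thread(target=sender)
    t.start()
    received = [get_data(client), get_data(client)]
    t.join()
    client.close()
    return [len(m) for m in received], received == sent


def demo_truncated():
    """A peer that closes after promising more bytes than it delivers must
    raise, not hang or hand back a partial message."""
    a, b = socket.socketpair()
    a.sendall(HEADER.pack(10) + b"abc")
    a.close()
    try:
        get_data(b)
    except ConnectionError:
        return "ConnectionError"
    finally:
        b.close()
    return "no error"


if __name__ == "__main__":
    print(demo())            # ([32, 1100000], True)
    print(demo_truncated())  # ConnectionError
```

The same two helpers then carry the menu, the two-letter commands, the registry dump and the gathered log alike, and the size cap is the knob to turn if a log is ever expected to exceed it, rather than quietly hoping small sends never fragment.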