Python : HackBack [ Updated ]

L3akM3-0day · August 2, 2016, 12:22pm

Hello World ! Today, I look the auth.log file from my VPS and I see a lot of bruteforce attempt. I decided to make a python Script called HackBack.

This script will get the ip who failed to log in your server and do a passive recon with the shodan api.

Here is the script :

#!/usr/bin/python3.4
import re
import urllib.request
import json
log_path = "/var/log/auth.log"
hosts = []
key = "{YOUR_API_KEY}"
#GET FAILED PASSWORD ATTEMPT
def get_host(test):
        for line in text.split('\n'):
                if line.find("Failed password for invalid ") != -1:
                        if get_ip(line) not in hosts:
                                hosts.append(get_ip(line))
        return hosts
#GET USERNAME
def get_username(line):
        username_word = line.split("Failed password for invalid user ")
        username = (username_word[1]).split(" ")
        return username[0]

#LOCATE IP WITH GEOIP
def geoip(host):
        response = urllib.request.urlopen("http://freegeoip.net/json/"+host)
        geoip = response.read().decode("utf-8")
        geoip = json.loads(geoip)
        print("\n[+] Tracking ip {}".format(geoip['ip']))
        print("-------------------------------")
        print('\tCountry : {}\n\ttimezone : {}\n\tlatitude : {}\n\tlongitude : {}'.format(geoip['country_name'],geoip['time_zone'],geoip['latitude'],geoip['longitude']))
def passive_recon(host,key):
        url = "https://api.shodan.io/shodan/host/{}?key={}&minify=true".format(host,key)
        try:
                response = urllib.request.urlopen(url)
                result = response.read().decode('utf-8')
                result = json.loads(result)
                print("[+] Passive Recon using shodan.io")
                print("-------------------------------")
                print("\tPort : {}\n\tOrganisation {}".format(result['ports'],result['org']))
                for x in range(len(result['ports'])):
                        print("Banner {}".format(result['data'][x]['data']))
        except:
                print("[+] Passive Recon using shodan.io")
                print("-------------------------------")
                print("\tCan't retrieve information")
                pass
if __name__ == "__main__":
        with open(log_path, 'rt') as log:
                text = log.read()
get_host(text)
for host in hosts:
        geoip(host)
        passive_recon(host,key)

What the script does ?

Here are all the functions explained :

def get_host(test):
        for line in text.split('\n'):
                if line.find("Failed password for invalid ") != -1:
                        if get_ip(line) not in hosts:
                                hosts.append(get_ip(line))
        return hosts

def get_username(line):
        username_word = line.split("Failed password for invalid user ")
        username = (username_word[1]).split(" ")
        return username[0]

These functions will get the ip and username tested from the auth.log file

To locate the ip, I use freegeoip.net to get some ip location ( but you could use shodan.io api ) , this function just parse the json output to a pretty text ouput.

def geoip(host):
        response = urllib.request.urlopen("http://freegeoip.net/json/"+host)
        geoip = response.read().decode("utf-8")
        geoip = json.loads(geoip)
        print("\n[+] Tracking ip {}".format(geoip['ip']))
        print("-------------------------------")
        print('\tCountry : {}\n\ttimezone : {}\n\tlatitude : {}\n\tlongitude : {}'.format(geoip['country_name'],geoip['time_zone'],geoip['latitude'],geoip['longitude']))

Here we’re doing passive recon with shodan :

def passive_recon(host,key):
        url = "https://api.shodan.io/shodan/host/{}?key={}&minify=true".format(host,key)
        try:
                response = urllib.request.urlopen(url)
                result = response.read().decode('utf-8')
                result = json.loads(result)
                print("[+] Passive Recon using shodan.io")
                print("-------------------------------")
                print("\tPort : {}\n\tOrganisation {}".format(result['ports'],result['org']))
                for x in range(len(result['ports'])):
                        print("Banner {}".format(result['data'][x]['data']))
        #If we don't get a 200 response code print 'Can't retrive information
        except:
                print("[+] Passive Recon using shodan.io")
                print("-------------------------------")
                print("\tCan't retrieve information")
                pass

To get information about the hackers :

./hackBack.py

Enjoy

Update

Thank a lot for your feedback I have some idea now for a new version of HackBack, maybe a honeyPot kind of thing I’ll post the code on github and make a new post for the update

Preview

[Album] imgur.com

pry0cc · August 2, 2016, 2:03pm

Very very very nice I once thought about this, but I never got round to it!

Perhaps upload on github?

L3akM3-0day · August 2, 2016, 2:05pm

This is a good idea

Cromical · August 2, 2016, 4:12pm

This is…Well bloody hell mate this is freakin awesome! Great job! I’m absolutely amazed! Thanks for sharing it.

oaktree · August 2, 2016, 4:53pm

You know what could make this even better? Make it a daemon that scans your logs every day and proceeds automatically.

pry0cc · August 2, 2016, 5:16pm

OHHHH (Deep gravely voice)

It would be even better if it processed it into a nice HTML report, sorted those servers that have SSH servers, and then automatically cue them to be bruteforced. And then send you daily reports of the attackers.

L3akM3-0day · August 2, 2016, 6:09pm

This is something I’ve planned on doing.

Well, I didn’t think about that but it’s a good idea :), I’ll update the script

I don’t get it.
Do you mean the script should bruteforce the hackers ?

pry0cc · August 2, 2016, 8:23pm

Yes. Thats absolutely what I think should happen

SmartOne · August 2, 2016, 8:26pm

Well, letting it blindly bruteforce things could be a bit dangerous (especially if its the NSA who tried to hack you ) So I think at least a confirmation by the user would be better.

L3akM3-0day · August 2, 2016, 8:31pm

The script is called HackBack because I wanted hack the hacker. I planned on doing a lot of thing :

Get password tried by hacker to have some good worlist
Get username tried by hacker to have some good worlist

possible feature

Use proxy/vpn and/or tor to bruteforce
Search if an exploit is available on exploit-db
if not exploit is available use bruteforce technique on ssh, telnet
if web server is available search for sql injection to get admin panel
if The exploitation is sucessful : drop a logic bomb
if the exploitation is successful : add it to yout botnet

This is what the script could possibly do, but this is kind of blackhat way ^^. I’ll see what feature will really be available

oaktree · August 2, 2016, 8:59pm

I think it’s time I add:

Counter-attacks are still attacks. As such, they will be treated as any other kind of hacking attempt, meaning there can be severe consequences.

What you’re doing should only be a PoC.

L3akM3-0day · August 2, 2016, 9:09pm

That’s why it only do passive recon and show ip location right now.[quote=“L3akM3-0day, post:10, topic:882”]
possible feature * Use proxy/vpn and/or tor to bruteforce* Search if an exploit is available on exploit-dbif not exploit is available use bruteforce technique on ssh, telnetif web server is available search for sql injection to get admin panel

if The exploitation is sucessful : drop a logic bomb
if the exploitation is successful : add it to yout botnet
[/quote]

Those won’t surely not be in the final version because of script kiddies ( and those are blackhat way technique ).
and as you said[quote=“oaktree, post:11, topic:882”]
Counter-attacks are still attacks. As such, they will be treated as any other kind of hacking attempt, meaning there can be severe consequences.
[/quote]

The Open Source version will only have

system · January 21, 2018, 12:30am

This topic was automatically closed after 30 days. New replies are no longer allowed.