How to cross-compile a Python script into a Windows executable on Linux

Using Wine and Pyinstaller.

Pyinstaller is a program that packages Python programs into stand-alone executables, under the most used OSs (Windows, Linux, Mac OS X, FreeBSD, Solaris and AIX).
Initially Pyinstaller had a beta feature that allowed the cross-compilation of a Windows executable under Linux.
However, due to the instability of the feature, it has been removed since version 1.5.


How to build a simple Echo Bot on Telegram using hook.io and Python

Please note:

This article was written almost a year ago: in these months a lot of updates and bugfixes have been rolled out on the hook.io infrastructure.
So it’s quite possible that the code snippets related to hook.io do not work correctly.
I will update the article with correct code, when I have time! :-)


In this tutorial, I want to explain how to create a simple “Echo BOT” on Telegram using the WebHook feature and a microservice hosted on Hook.io.

Telegram currently supports two ways of processing bot updates, getUpdates and setWebhook. getUpdates is a pull mechanism, setWebhook is push.

The main advantage of using a Webhook over getUpdates is pretty clear: as soon as an update arrives, it will be delivered to your microservice for processing.

Microservices are small, independent processes that communicate with each other to form complex applications which utilize language-agnostic APIs.

These services are small building blocks, highly decoupled and focused on doing a small task, facilitating a modular approach to system-building.

In this tutorial I suggest using Hook.io.
This service provides an infrastructure that lets you deploy HTTP microservices effortlessly: basically you can script HTTP requests without deploying an entire web stack.
On hook.io, microservices are represented by a single function matched to a single unique URL.

Let’s try to create this bot! (in 3 simple steps) :-)


1. Create a Telegram Bot

In order to register a bot with Telegram, you first need to create a personal Telegram account. Visit web.telegram.org and enter your phone number. Telegram will send you a text message and you can then create an account by following the instructions on the screen.

Once you have a Telegram account, you can register a new Telegram Bot by using BotFather.
Visit t.me/botfather and start a conversation with “Telegram’s bot that creates other bots”.

To create a new bot, send the following command to BotFather:

/newbot

You should instantly get a reply that asks you to choose a name for your Bot, so you can send the chosen name as a chat message to BotFather.

BotFather will now ask you to pick a username for your Bot. This username has to end in bot, and be globally unique.

Now BotFather will send you a “Congratulations” message, which will include a token.

Take note of the token! :-)


2. Create the Microservice

First, register an account on Hook.io (or use your GitHub account) and login.

Then create a new hook by visiting the Create Hook section and choosing a name for your service.

On the Hook Source panel you can choose your programming language and provide the code that will be executed when the webhook is triggered.

Now choose “Python” and write your code! :-)

In another tutorial, I found a simple Python code for an Echo Bot, like this:

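import requests

# "Hook" is the object hook.io injects into the script; Hook['params'] holds the Telegram update
message = Hook['params']['message']['text']
chatID = Hook['params']['message']['chat']['id']
URL = 'https://api.telegram.org/bot<TOKEN>/sendMessage'
# TLS certificate verification stays on (the requests default): this URL contains the bot token
req = requests.post(URL, data={'chat_id': chatID, 'text': message})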

(where <TOKEN> is the API token sent by BotFather)

The code simply retrieves the data from the webhook sent by the Telegram platform (the “Hook” object) and extracts the message and the chatId of the sender.

Then it creates a request to the Telegram API in order to send a message to the sender with the same text as the original message.

However, in this code there is a tricky bug: in the webhook mode, Telegram servers send updates continuously until they receive a “200 Ok” response from the webhook page.
So, with this code, the microservice doesn’t send any response to the Telegram platform, which continues to invoke the webhook page.

The result is a ‘bot loop’: your bot continuously replies with the same message.

To solve this problem we need to write code that is a little more complex, but with the ability to send a “200 Ok” response to Telegram servers, like this:

https://gist.github.com/andreafortuna/a39b24e62650a780267eceff2805b4c0
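One way to structure such a handler, as an added example that is not the author's gist and does not use the hook.io API: it always acknowledges with 200, ignores redelivered updates, and answers inside the webhook response itself. It assumes the webhook was registered with Telegram's secret_token parameter and that the caller persists seen_ids between invocations; the function name and sample values are constructed.

```python
import hmac
import json

# Constructed sample values, not real credentials or real Telegram traffic.
SECRET = "constructed-secret-123"
SAMPLE_HEADERS = {"X-Telegram-Bot-Api-Secret-Token": SECRET}
SAMPLE_BODY = json.dumps({
    "update_id": 1001,
    "message": {"chat": {"id": 42}, "text": "hello"},
})

def handle_update(headers, body, secret, seen_ids):
    """Return (http_status, response_body) for one webhook POST."""
    # Telegram sends the secret_token passed to setWebhook in this header;
    # anything else that finds the webhook URL cannot supply it.
    got = headers.get("X-Telegram-Bot-Api-Secret-Token") or ""
    if not hmac.compare_digest(got.encode(), secret.encode()):
        return 403, ""
    try:
        update = json.loads(body)
        update_id = int(update["update_id"])
        message = update.get("message") or {}
        text = message.get("text")
        chat_id = (message.get("chat") or {}).get("id")
    except (ValueError, KeyError, TypeError, AttributeError):
        return 200, ""  # malformed: acknowledge so it is not redelivered
    if update_id in seen_ids:
        return 200, ""  # redelivery of an update already answered
    seen_ids.add(update_id)
    if not isinstance(text, str) or chat_id is None:
        return 200, ""  # photo, sticker, edited message: nothing to echo
    # Answer inside the 200 response itself: Telegram executes the method
    # named in the JSON body, so no outgoing call or bot token is needed here.
    reply = {"method": "sendMessage", "chat_id": chat_id, "text": text}
    return 200, json.dumps(reply)

if __name__ == "__main__":
    seen = set()
    print(handle_update(SAMPLE_HEADERS, SAMPLE_BODY, SECRET, seen))
    print(handle_update(SAMPLE_HEADERS, SAMPLE_BODY, SECRET, seen))  # duplicate
```

The response body must be served with Content-Type: application/json for Telegram to act on it.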

Now, the last step…


3. Connect the Bot with the Microservice

We have to tell the bot to use the newly created microservice.

To do this, open the following URL with curl or your browser:

https://api.telegram.org/bot<TOKEN>/setWebhook?url=https://hook.io/<hook-user>/<hook-name>

where:

  • <TOKEN> is the token of your bot;
  • <hook-user> is the username created on hook.io;
  • <hook-name> is the name of the micro-service you created.

Once the URL has been requested, if everything is okay, you’ll read something like this:

{"ok": true, "result": true, "description": "Webhook was set"}

And now the bot works correctly, without any loop.

Now have fun with your ‘Parrot BOT’!


SQLiv: a massive SQL injection scanner

SQLiv is a Python-based scanning tool that uses Google, Bing or Yahoo for targeted scanning, focused on revealing pages with SQL injection vulnerabilities.

It uses known dorks in order to find vulnerable URLs.

Features

  1. multiple domain scanning with SQL injection dork by Bing, Google, or Yahoo
  2. targeted scanning by providing a specific domain (with crawling)
  3. reverse domain scanning

Installation

  1. Resolve some dependencies:
    pip install bs4 termcolor google
  2. Clone the git repository:
    git clone https://github.com/Hadesy2k/sqliv.git
  3. Run the Python setup:
    sudo python2 setup.py -i

Quick reference

python sqliv.py --help

usage: sqliv.py [-h] [-d D] [-e E] [-p P] [-t T] [-r]

optional arguments:
  -h, --help  show this help message and exit
  -d D        SQL injection dork
  -e E        search engine [Google only for now]
  -p P        number of websites to look for in search engine
  -t T        scan target website
  -r          reverse domain

Some usage examples

1. Multiple domain scanning with SQLi dork

  • it simply searches multiple websites from the given dork and scans the results one by one
python sqliv.py -d <SQLI DORK> -e <SEARCH ENGINE>
python sqliv.py -d "inurl:index.php?id=" -e google

2. Targeted scanning

  • you can provide only a domain name or a specific URL with query params
  • if only a domain name is provided, it will crawl and get URLs with a query
  • then it scans the URLs one by one
python sqliv.py -t <URL>
python sqliv.py -t www.example.com
python sqliv.py -t www.example.com/index.php?id=1

3. Reverse domain and scanning

  • does a reverse domain lookup and looks for websites that are hosted on the same server as the target URL
python sqliv.py -t <URL> -r


Wifite 2: a complete rewrite of Wifite

A Python script for auditing wireless networks


Do you know Wifite?
It’s a great wifi auditing tool, designed for use with pentesting distributions of Linux, such as Kali Linux, Pentoo, BackBox and any Linux distributions with wireless drivers patched for injection (so the script appears to also operate with Ubuntu 11/10, Debian 6, and Fedora 16).

The developer, Derv82, has recently released a new version of the tool, Wifite 2, designed entirely for the latest version of Kali Rolling release, with the support for the latest versions of Aircrack-ng suite, wash, reaver, tshark and cowpatty.


The new tool maintains the same interface and command-line arguments as the previous one, but introduces a lot of changes:

  • Lots of files instead of “one big script”.
  • Cleaner process management — No longer leaves processes running in the background.
  • UX: Target access points are refreshed every second instead of every 5 seconds.
  • UX: Displays realtime Power level (in db) of currently-attacked target

So, the updated feature list is:

  • Reaver Pixie-Dust attack (--pixie)
    (The attack works by exploiting weaknesses in the generation of the E-S1 and E-S2 nonces which are used to produce the enrollee hash)
  • Reaver WPS PIN attack (--reaver)
    (A brute force attack against WPS registrar PINs in order to recover WPA/WPA2 passphrases)
  • WPA handshake capture (--no-reaver)
  • Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng
  • Various WEP attacks (replay, chopchop, fragment, etc)
  • 5GHz support for wireless cards that support 5GHz (use -5 option)
  • Stores cracked passwords and handshakes to the current directory, with metadata about the access point (via --cracked command).
  • Decloaks hidden access points when channel is fixed (use -c <channel> option)
  • Provides commands to crack captured WPA handshakes (via --crack command)

Installation

As usual, installation is very simple:

git clone https://github.com/derv82/wifite2.git
cd wifite2
./Wifite.py

More information and downloads

https://github.com/derv82/wifite2


Create a Github Gist with a simple Python script

How to share code snippets from command line

Gist.github.com is a great service provided by GitHub, useful to share code snippets.
You can share single files, parts of files, or full applications: every gist is a Git repository, which means that it can be forked and cloned.

I’ve developed this simple Python script, useful to share source code on gist from the command line:

https://gist.github.com/andreafortuna/bc5405026c933ff390134fec941fc9fc



Usage

Pretty simple!

For example, to publish the gist embedded in this post, I’ve used this command:

python gist.py ./gist.py [GitHub Username] [GitHub Password]
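An added sketch of the same idea (not the author's gist.py) that reads a personal access token from the environment instead of taking a password as an argument, since command-line arguments are visible in the process list and shell history and GitHub's API no longer accepts account passwords. The GITHUB_TOKEN variable name and the function names are assumptions.

```python
import json
import os
import sys
import urllib.request

GIST_API = "https://api.github.com/gists"

def build_gist_request(path, content, token, public=False, description=""):
    """Build (but do not send) the POST request that creates a one-file gist."""
    if not token:
        raise ValueError("missing token: set GITHUB_TOKEN in the environment")
    payload = {
        "description": description,
        "public": public,  # secret gist unless the caller asks otherwise
        "files": {os.path.basename(path): {"content": content}},
    }
    return urllib.request.Request(
        GIST_API,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )

def publish(path):
    """Read the file, send the request, return the URL of the new gist."""
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    # The token comes from the environment, never from argv.
    req = build_gist_request(path, content, os.environ.get("GITHUB_TOKEN", ""))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["html_url"]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: GITHUB_TOKEN=... python gist_token.py <file>")
    print(publish(sys.argv[1]))
```

A token limited to the gist scope keeps the exposure small if the environment is ever leaked.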