evilbotnet
diff --git a/‎Defcon26/config.py
Lines changed: 12 additions & 0 deletions b/‎Defcon26/config.py
Lines changed: 12 additions & 0 deletions
diff --git a/‎Defcon26/db_test.py
Lines changed: 170 additions & 0 deletions b/‎Defcon26/db_test.py
Lines changed: 170 additions & 0 deletions
diff --git a/‎Defcon26/netflow_collectorDB.py
Lines changed: 86 additions & 0 deletions b/‎Defcon26/netflow_collectorDB.py
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,12 @@
+API_KEY = 'SHODAN_API_KEY'
+
+static_ip = "127.0.0.1"
+listening_port = 2303
+
+VirusTotalAPIKey = "VIRUS_TOTAL_API_KEY"
+
+# TWILIO Configuration Items
+# account_sid = "TWILIO SID"
+# auth_token = "TWILIO AUTH_TOKEN"
+# RECV NUMBER
+# TWILIO_NUMBER
@@ -0,0 +1,170 @@
+import requests
+from config import *
+import sqlite3
+from flask import Flask, render_template,  request
+app = Flask(__name__)
+
+# Edit database file to reflect the right name/location of the netflow DB
+conn = sqlite3.connect('netflow2.db')
+conn.row_factory = sqlite3.Row
+#conn.row_factory = sqlite3.Row
+c = conn.cursor()
+print("Deleting rows...")
+# Blacklist considers Google DNS malicious.. cuz.. bad guys use it...
+# Remove it from our database..
+c.execute("DELETE FROM shodan WHERE dest=?", ("8.8.8.8",))
+conn.commit()
+
+# Prints all of the junk in the shodan table.. for debugging.
+for i in c.execute("SELECT * FROM shodan"):
+    for j in i:
+        pass
+        #print(j)
+c.execute("SELECT name FROM sqlite_master WHERE type='table';")
+#print(c.fetchone())
+numSamples = 0
+'''
+# Converts 
+def dict_factory(cursor, row):
+    d = {}
+    for idx, col in enumerate(cursor.description):
+        d[col[0]] = row[idx]
+    return d
+'''
+
+portNumber = "*"
+def getData():
+    global result1
+    conn = sqlite3.connect('netflow2.db')
+    #conn.row_factory = sqlite3.Row
+    c = conn.cursor()
+    #print(numSamples)
+    c.execute("SELECT COUNT(*) FROM (SELECT DISTINCT dest, src FROM shodan LIMIT ?)", (numSamples,))
+    unique = c.fetchall()
+    for row in unique:
+        print("Total unique IP Addresses: " + str(row[0]))
+        unique_IPs = str(row[0])
+    bytes = 0
+    #c.execute("SELECT * FROM traffic WHERE src!=? ORDER BY time DESC LIMIT ?", (home, numSamples))
+    c.execute("SELECT * FROM shodan ORDER BY time DESC LIMIT ?", (numSamples,))
+        #print(result1)
+    result1 = [i for i in c.fetchall()]
+    #for i in result1:
+        #print(i)
+    #print(result1)
+    print("Outbound: " + humansize(bytes))
+    outbound = humansize(bytes)
+    bytes = 0
+    print(portNumber)
+    for row in c.execute("SELECT * FROM shodan WHERE dest!=? AND dport=? ORDER BY time DESC LIMIT ?", (home, portNumber, numSamples)):
+        totalbytes = int(row[3]) * int(row[2])
+        bytes = bytes + totalbytes
+        result2 = c.fetchall()
+        #print(result2)
+        result2 = {item[6]: item for item in result2}
+
+    print("Inbound: " + humansize(bytes))
+    inbound = humansize(bytes)
+    #print(inbound.split()[0])
+    total = float(inbound.split()[0]) + float(outbound.split()[0])
+    #print(str(total))
+    return unique_IPs, outbound.split()[0], outbound.split()[1], \
+           inbound.split()[0], inbound.split()[1], str(total)
+
+try:
+    home = requests.get('http://ipquail.com/ip').text.strip("\n\r")
+    print(home)
+except:
+    home = static_ip
+
+suffixes = ['B', 'KB', 'MB', 'GB', 'TB', 'PB']
+
+# Sweet function that converts bytes into readable form
+def humansize(nbytes):
+    i = 0
+    while nbytes >= 1024 and i < len(suffixes)-1:
+        nbytes /= 1024.
+        i += 1
+    f = ('%.2f' % nbytes).rstrip('0').rstrip('.')
+    return '%s %s' % (f, suffixes[i])
+
+# DO MATH.
+def sqlStats():
+    #for row in c.execute("SELECT COUNT (DISTINCT src) FROM traffic"):
+    for row in c.execute("SELECT COUNT(*) FROM (SELECT DISTINCT dest, src FROM shodan)"):
+        print("Total unique IP Addresses: " + str(row[0]))
+        unique_IPs = str(row[0])
+    bytes = 0
+
+    for row in c.execute("SELECT * FROM shodan WHERE src=?", (home,)):
+        totalbytes = int(row[3]) * int(row[2])
+        bytes = bytes + totalbytes
+    print("Outbound: " + humansize(bytes))
+    outbound = humansize(bytes)
+    bytes = 0
+    for row in c.execute("SELECT * FROM shodan WHERE src!=?", (home,)):
+        totalbytes = int(row[3]) * int(row[2])
+        bytes = bytes + totalbytes
+    print("Inbound: " + humansize(bytes))
+    inbound = humansize(bytes)
+    return unique_IPs, outbound, inbound
+
+#sqlStats()
+
+def maxRowsTable():
+    for row in c.execute("SELECT COUNT(time) FROM shodan"):
+        maxNumberRows=row[0]
+    return maxNumberRows
+
+## Flask Web Page Handling
+@app.route("/")
+def index():
+    unique_IPs, outbound, outlabel, inbound, inlabel, total = getData()
+    iframe = 'iframe.html'
+    templateData = {
+        'unique' : unique_IPs,
+        'outbound' : outbound,
+        'inbound' : inbound,
+        'total' : total,
+        'outlabel' : outlabel,
+        'inlabel' : inlabel,
+        'result1': result1,
+        'iframe' : iframe
+    }
+    return render_template('index.html', **templateData)
+
+@app.route('/', methods=['POST'])
+def formPost():
+    global numSamples
+    global portNumber
+    global IPAddress
+
+    try:
+        portNumber = int(request.form['portNumber'])
+    except:
+        portNumber = 8888
+    try:
+        numSamples = int(request.form['numSamples'])
+    except:
+        numSamples = "1000000000"
+    try:
+        IPAddress = str(request.form['IPAddress'])
+    except:
+        IPAddress = "*"
+    numMaxSamples = maxRowsTable()
+    if (int(numSamples) > int(numMaxSamples)):
+        numSamples = (int(numMaxSamples) -1)
+    unique_IPs, outbound, outlabel, inbound, inlabel, total = getData()
+    templateData = {
+        'unique': unique_IPs,
+        'outbound': outbound,
+        'inbound': inbound,
+        'total': total,
+        'outlabel': outlabel,
+        'inlabel': inlabel,
+        'result1': result1
+    }
+    return render_template('index.html', **templateData)
+
+if __name__ == "__main__":
+    app.run(host="0.0.0.0", port=80, debug=False)
@@ -0,0 +1,86 @@
+import socket, struct # Raw socket access
+import time # Time..
+from config import listening_port # uses config file to save configurable data
+import sqlite3 # SQLlite database interaction
+from socket import inet_ntoa # For parsing packets
+import requests # Makes web requests to retrieve WAN IP address
+
+# Retrieve WAN IP Address for later parsing
+try:
+    home = requests.get('http://ipquail.com/ip').text.strip("\n\r")
+    print(home)
+    with open("ip.txt", "w") as text_file:
+        print(home, file=text_file)
+except:
+    file = open("ip.txt","r")
+    home = file.readline()
+    print('Using old IP of ' + str(home))
+
+WAN_IP = home
+
+conn = sqlite3.connect('netflow.db')
+conn.execute("CREATE TABLE IF NOT EXISTS traffic (src text, sport int, packet int, \
+    bytes int, dest text, dport int , time text)")
+
+SIZE_OF_HEADER = 24
+SIZE_OF_RECORD = 48
+
+print("Collector started at: ", time.strftime("%H:%M:%S %d-%m-%Y"))
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.bind(('0.0.0.0', listening_port))
+current_day = time.strftime("%d-%b-%Y")
+
+
+while True:
+    buf, addr = s.recvfrom(1500)
+
+    (version, count) = struct.unpack('!HH',buf[0:4])
+    if version != 5:
+            print("Not NetFlow v5!")
+            continue
+
+    uptime = socket.ntohl(struct.unpack('I',buf[4:8])[0])
+    epochseconds = socket.ntohl(struct.unpack('I',buf[8:12])[0])
+
+    for i in range(0, count):
+        try:
+            base = SIZE_OF_HEADER+(i*SIZE_OF_RECORD)
+
+            data = struct.unpack('!IIIIHH',buf[base+16:base+36])
+            nfdata = {}
+            nfdata['saddr'] = inet_ntoa(buf[base + 0:base + 4])
+            nfdata['daddr'] = inet_ntoa(buf[base + 4:base + 8])
+            nfdata['pcount'] = data[0]
+            nfdata['bcount'] = data[1]
+            nfdata['stime'] = data[2]
+            nfdata['etime'] = data[3]
+            nfdata['sport'] = data[4]
+            nfdata['dport'] = data[5]
+            nfdata['protocol'] = inet_ntoa(buf[base + 39])
+        except:
+            continue
+    #print(nfdata)
+
+
+    current_day = time.strftime("%H:%M:%S %d-%m-%Y")
+    #print(current_day)
+    sourceIP = nfdata['saddr']
+    destIP = nfdata['daddr']
+
+    if sourceIP == WAN_IP:
+        sourceIP = 'HOME'
+    else:
+        destIP = 'HOME'
+    print("%s:%s %s bytes -> %s:%s" % (sourceIP, nfdata['sport'],
+                                           nfdata['bcount'], destIP,
+                                           nfdata['dport']))
+
+    conn.execute("INSERT INTO traffic VALUES (?, ?, ?, ?, ?, ?, ?)", (sourceIP, nfdata['sport'],
+                nfdata['pcount'], nfdata['bcount'],
+                destIP, nfdata['dport'],
+                current_day))
+    conn.commit()
+
+    #print("db write..")
+    #print("Wrote data to netflowData-" + current_day + ".csv at " + time.strftime("%H:%M:%S %d-%m-%Y"))