CiscoCXSecurity/NeoPI CiscoCXSecurity/NeoPI

  • Stars
    star
    462
  • Rank 91,729 (Top 2 %)
  • Language
    Python
  • License
    Other
  • Created about 13 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
CiscoCXSecurity/NeoPI
github

CiscoCXSecurity

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

What is NeoPI?

NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.

NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. It also presents a “general” score derived from file rankings within the individual tests.

Requirements

NeoPI is platform independent and can be run on any system with Python 2.6 or greater installed installed. The user running the script should have read access to all of the files that will be scanned.

How to use it

NeoPI is platform independent and will run on both Linux and Windows. To start using NeoPI first checkout the code from our github repository

git clone https://github.com/Neohapsis/NeoPI.git

The small NeoPI script is now in your local directory. We are going to go though a few examples on Linux and then switch over to Windows.

Let’s run neopi.py with the -h flag to see the options.

[sbehrens@WebServer2 opt]$ ./neopi.py -h
Usage: neopi.py [options] <start directory> <OPTIONAL: filename regex>

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -C FILECSV, --csv=FILECSV
						generate CSV outfile
  -a, --all             Run all tests [Entropy, Longest Word, Compression
  -e, --entropy         Run entropy Test
  -l, --longestword     Run longest word test
  -c, --ic              Run IC test
  -A, --auto            Run auto file extension tests

Let’s break down the options into greater detail.

-C FILECSV, --csv=FILECSV

This generates a CSV output file containing the results of the scan.

-a, --all

This runs all tests including entropy, longest word, and index of coincidence. In general, we suggest running all tests to build the most comprehensive list of possible web shells.

-e, --entropy

This flag can be set to run only the entropy test.

-l, --longestword

This flag can be set to run only the longest word test.

-c, --ic

This flag can be set to run only the Index of Coincidence test.

-A, --auto

This flag runs an auto generated regular expression that contains many common web application file extensions. This list is by no means comprehensive but does include a good ‘best effort’ scan if you are unsure of what web application languages your server is running. The current list of extensions are included below:

valid_regex = re.compile('\.php|\.asp|\.aspx|\.sh|\.bash|\.zsh|\.csh|\.tsch|\.pl|\.py|\.txt|\.cgi|\.cfm')

Now that we are familiar with the flags and we have downloaded a copy of the script from GIT, let’s go head and run it on a web server we think may be infected with obfuscated web shells.

[sbehrens@WebServer2 opt]$ sudo ./neopi.py -C scan1.csv -a -A /var/www/

The resulst of the scan we be displayed to console as well as written to 'scan1.csv'. Here is an example of the scan results:

[root@WebServer2 opt]# python neopi.py -a -A /var/www/html/

[[ Average IC for Search ]]
0.0372337579606

[[ Top 10 IC files ]]
  0.0156    /var/www/html/webmedia/shell3.php
  0.0178    /var/www/html/phpadmin/phpMyAdmin-3.3.8-all-languages/lang/chinese_simplified-utf-8.inc.php
  0.0184    /var/www/html/wordpress/wordpress/wp-admin/weevely.php
  0.0217    /var/www/html/joomla/templates/system/index.php
  0.0217    /var/www/html/joomla/administrator/templates/system/index.php
  0.0225    /var/www/html/wordpress/wordpress/wp-admin/js/revisions-js.php
  0.0229    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-ch.php
  0.0239    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh.php
  0.0240    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh_cn.php
  0.0248    /var/www/html/phpadmin/shell2.php

[[ Top 10 entropic files ]]
  6.3978    /var/www/html/phpadmin/phpMyAdmin-3.3.8-all-languages/lang/chinese_simplified-utf-8.inc.php
  6.0651    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-ch.php
  6.0061    /var/www/html/webmedia/shell3.php
  5.9870    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh.php
  5.9797    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh_cn.php
  5.9245    /var/www/html/phpadmin/shell2.php
  5.8895    /var/www/html/wordpress/wordpress/wp-admin/js/revisions-js.php
  5.8580    /var/www/html/phpadmin/phpMyAdmin-3.3.8-all-languages/lang/japanese-utf-8.inc.php
  5.8400    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-ja.php
  5.7602    /var/www/html/wordpress/wordpress/wp-admin/weevely.php

[[ Top 10 longest word files ]]
  111571    /var/www/html/webmedia/shell3.php
	2510    /var/www/html/webmedia/htdocs/templates/main.tpl.php
	1312    /var/www/html/joomla/shell.php
	 728    /var/www/html/wordpress/wordpress/wp-admin/js/revisions-js.php
	 536    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Libs/QuickForm/3.2.11/HTML/QuickForm/Rule/Email.php
	 522    /var/www/html/wordpress/wordpress/wp-includes/functions.php
	 516    /var/www/html/phpadmin/phpMyAdmin-3.3.8-all-languages/libraries/tcpdf/tcpdf.php
	 516    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Libs/PHPExcel/lib/PHPExcel/Shared/PDF/tcpdf.php
	 516    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Libs/TCPDF/tcpdf4/tcpdf.php
	 516    /var/www/html/joomla/libraries/tcpdf/tcpdf.php

[[ Highest Rank Files Based on test results ]]
	 83%    /var/www/html/webmedia/shell3.php
	 56%    /var/www/html/phpadmin/phpMyAdmin-3.3.8-all-languages/lang/chinese_simplified-utf-8.inc.php
	 43%    /var/www/html/wordpress/wordpress/wp-admin/js/revisions-js.php
	 36%    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-ch.php
	 26%    /var/www/html/webmedia/htdocs/templates/main.tpl.php
	 26%    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh.php
	 23%    /var/www/html/wordpress/wordpress/wp-admin/weevely.php
	 23%    /var/www/html/joomla/shell.php
	 20%    /var/www/html/joomla/templates/system/index.php
	 20%    /var/www/html/epesiBIM/epesi-1.1.3-rev7318/modules/Base/Mail/language/phpmailer.lang-zh_cn.php

We highly recommend that as a baseline, any file that is displayed in the Highest Rank Files list be investigated at a minimum. We also recommend investigating any files that show up in any of the tests listed above, as some methods are more effective at detecting certain shells than others.

Windows

The tool is cross compatible with windows as well. In the example below we use a regular expressing to just search for php and text files.

python neopi.py -a c:\temp\phpbb "php|txt"

Animal Shell

animal_shell_encoder.php and animal_shell_poc.php are two Proof-of-Concept-type examples scripts to implement an encoding that "should" evade many of the statistical tests NeoPI performs. They are poorly commented and the decoder large such that they are impractical.

More Repositories

1

enum4linux

enum4Linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts
Perl
936
star
2

bbqsql

SQL Injection Exploitation Tool
Python
673
star
3

linikatz

linikatz is a tool to attack AD on UNIX
C
425
star
4

creddump7

Python
357
star
5

rdp-sec-check

rdp-sec-check is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services)
Perl
166
star
6

suddensix

IPV6 MITM attack tool
Shell
92
star
7

udp-proto-scanner

udp-proto-scanner is a Perl script which discovers UDP services by sending triggers to a list of hosts
Perl
86
star
8

unix-audit

Framework for generating audit commands for Unix security audits
Shell
65
star
9

mptcp-abuse

A collection of tools and resources to explore MPTCP on your network. Initially released at Black Hat USA 2014.
Python
58
star
10

udpy_proto_scanner

udpy_proto_scanner is a Python script which discovers UDP services by sending triggers to a list of hosts
Python
40
star
11

QRCode-Video-Data-Exfiltration

Exfiltrate data with QR code videos generated from files by HTML5/JS.
JavaScript
35
star
12

presentations

Presentations from the CX Security Labs team
28
star
13

ssl-cipher-suite-enum

ssl-cipher-suite enum is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
28
star
14

sslxray

sslxray is an SSL/TLS scanning tool designed to detect a wide range of issues
Python
22
star
15

log4j

Detection rules to look for Log4J usage and exploitation
YARA
18
star
16

http-dir-enum

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.
Perl
15
star
17

httpShell

CoffeeScript
14
star
18

WXPolicyEnforcer

Injectable Windows DLL which enforces a W^X memory policy on a process
C
14
star
19

CVE-2015-5119_walkthrough

Archive from the article CVE-2015-5119 Flash ByteArray UaF: A beginner's walkthrough
ActionScript
13
star
20

sudo-parser

sudo-parser is a tool to audit complex sudoers files
Perl
13
star
21

evilarc

Python
13
star
22

tlsplayback

tlsplayback is a set of Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers by exploiting 0-RTT
Python
12
star
23

mat

MAT is a tool to assess mobile applications
HTML
5
star
24

secdump

secdump is a simple meterpreter module that uploads and runs gsecdump
Ruby
4
star
25

FreeRDP-pth

FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password
C
4
star
26

onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies
C
3
star
27

SSHatter

SSHatter is a Perl script to perform brute force attacks on SSH
Perl
3
star
28

UNIXSocketScanner

UNIXSocketScanner is a Perl script to scan UNIX domain sockets
Perl
2
star
29

cspCalculator

cspCalculator is a PoC implementation of a dynamic Content Security Policy creator
JavaScript
2
star
30

ms08-067-check

MS08-067 check is Python script which can anonymously check if a target machine or a list of target machines are affected by MS08-067 vulnerability
Python
2
star
31

allthevhosts

allthevhosts is a tool to scrape a series of web applications (including Bing and You Get Signal’s database) and looks at Subject Alternative Names in the SSL certificate to find as many web applications which resolve to an IP address as possible
Python
2
star
32

detect-horizontal-user-brute-force-attack

PowerShell PoC for detecting horizontal user brute force attacks
PowerShell
1
star
33

rmiInfo

rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities
Java
1
star
34

bsql-brute-forcer

bsql-brute-forcer is a Perl script allows extraction of data from Blind SQL Injections
Perl
1
star
35

iker

iker is a Python script to analyse the security of the key exchange phase in IPsec based VPNs
Python
1
star
36

nbtscan

NBTscan is a program for scanning IP networks for NetBIOS name information
C
1
star
37

ownCloud_RCE_CVE-2013-0303

ownCloud PoC for CVE-2013-0303
Python
1
star
38

acccheck

acccheck is a Perl script is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol
Perl
1
star
39

massSSgrab

massSSgrab is a tool that uses the JCIFS library to grab copies of both system and SAM files from “C:\windows\repair\” directory from multiple hosts
Java
1
star
40

vessl

vessl is a bash script that can fetch and verify the SSL certificate of a remote server
Shell
1
star
41

protoanal

Protocol analysis is a Python module which can be used in scripted analysis or interactively using ipython
Python
1
star
42

crash

crash is a tool to catch crashes from OS X applications and print debugging information such as registers, disassembled code and a memory dump of the stack
C
1
star
43

apache-users

apache-users is a Perl script for finding user home directories that are exposed from Apache web server
Perl
1
star
44

openssl3-nov2022

Detection rules to look for OpenSSL 3.x usage and exploitation
1
star
45

tcpy_scanner

Fast cross-platform TCP Connect Scanner written in Python
Python
1
star
46

MIBparse

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as ‘snmpwalk’
Perl
1
star
47

viewstate

Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder
C
1
star
48

NVAPT

NVAPT is a set of shell scripts for a Not Very Advanced Persistent Threat PoC for iOS
Shell
1
star
49

AMES

AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI
Python
1
star
50

bannergrab

BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services
C
1
star
51

HeaderCheck

HeaderCheck is a Python script used to check the security settings of various headers returned by web servers
Python
1
star
52

ManySSL

ManySSL is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
1
star
53

wordpress-build-review

WordPress Build Review is a tool to check the basic security settings in a WordPress installation
Shell
1
star
54

smaSHeM

smaSHeM is a System V shared memory segment manipulator
Shell
1
star
55

hoppy

hoppy is a Python script to probe HTTP options and perform scanning for information disclosure issues
Python
1
star
56

RPDscan

RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations
Python
1
star
57

mysql-bruteforcer

MySQL Bruteforcer is a Python script to assess the strength of the local MySQL access passwords
Python
1
star
58

whitepapers

Papers from the CX Security Labs team
1
star
59

get-dhcp-opts

get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN, and dump the DHCP/BOOTP options
Python
1
star
60

whoislikeaboss

whoislikeaboss is a tool that takes the IP addresses given in a file (one per line), and will give you the range and owner of each of the addresses (with duplicates removed) so you can spot anything that looks fishy before you start testing
Python
1
star
61

winlanfoe

winlanfoe is a tool that parses the output from enum4linux and displays Domain/Workgroup membership, IP address, Operating System (OS) information and if a host is a domain controller
Perl
1
star
62

osboxdeploy

OSBoxDeploy is a set of Ansible playbooks and associated artefacts to deploy OpenStack compute hosted Docker containers. It is work in progress, so do not expect too much, too soon
Python
1
star