{"id":428,"date":"2024-03-21T01:34:17","date_gmt":"2024-03-21T05:34:17","guid":{"rendered":"https:\/\/offensivepython.com\/?p=428"},"modified":"2024-03-21T17:37:33","modified_gmt":"2024-03-21T21:37:33","slug":"the-counter-dictionary","status":"publish","type":"post","link":"https:\/\/offensivepython.com\/index.php\/2024\/03\/21\/the-counter-dictionary\/","title":{"rendered":"The Counter Dictionary"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"428\" class=\"elementor elementor-428\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1b8a0ca6 e-flex e-con-boxed e-con e-parent\" data-id=\"1b8a0ca6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2c03c972 elementor-widget elementor-widget-text-editor\" data-id=\"2c03c972\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\u00a0 \u00a0 \u00a0If we need to find the most common thing in an environment and we have, or can easily obtain, a list, we can then use the Counter dictionary class from the collections module.\u00a0 This is very useful on the defensive side, when it comes to counting hostnames, user agents, process names, and the like for incident response, forensics, or hunting use cases.\u00a0 \u00a0But there can be uses on the offensive side as well.\u00a0 Maybe we&#8217;ve collected a large listing of Apache versions and want to count that data.\u00a0 Here is an example.<\/p><div><p><strong>from collections import Counter<\/strong><\/p><p><strong>versions = ['2.4.58', '2.4.58', '2.4.55', '2.4.46', '2.4.39', '2.4.51', '2.0.5', '2.4.53', '2.4.55', '2.4.52', 
'2.4.53', <\/strong><strong>'2.4.54', '2.4.44', '2.4.55', '2.4.50', '2.4.39', '2.4.20', '2.0.34', '2.4.58', '2.0.39', '2.4.58', '2.4.55', <\/strong><strong>'2.4.57', '2.4.58', '2.4.57', '2.4.58', '2.4.56', '2.0.36', '2.4.57', '2.4.58', '2.4.58', '2.4.56']<\/strong><\/p><p><strong># Initialize counter with values already obtained<\/strong><br \/><strong>counter = Counter(versions)<\/strong><\/p><p><strong># Or update the counter within your program as needed<\/strong><br \/><strong># counter.update(versions)<\/strong><\/p><p><strong># Obtain the most common entry and its count<\/strong><br \/><strong>print(counter.most_common(1))<\/strong><\/p><p><strong># Obtain the least common entry and its count<\/strong><br \/><strong># (most_common() with no argument returns every entry, however many distinct values there are)<\/strong><br \/><strong>print(counter.most_common()[-1])<\/strong><\/p><p><strong># Obtain the 5 least common entries and their counts<\/strong><br \/><strong>print(counter.most_common()[-1:-6:-1])<\/strong><\/p><p>Now we have a clear picture of Apache in the organization.\u00a0 \u00a0The code above prints:<\/p><p>[('2.4.58', 8)]<br \/>('2.0.36', 1)<br \/>[('2.0.36', 1), ('2.0.39', 1), ('2.0.34', 1), ('2.4.20', 1), ('2.4.50', 1)]<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>\u00a0 \u00a0 \u00a0If we need to find the most common thing in an environment and we have, or can easily obtain, a list, we can then use the Counter dictionary class from the collections module.\u00a0 This is very useful on the defensive side, when it comes to counting hostnames, user agents, process names, and the 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[27],"tags":[36],"class_list":["post-428","post","type-post","status-publish","format-standard","hentry","category-compound-data-types","tag-counter-dictionary"],"_links":{"self":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/comments?post=428"}],"version-history":[{"count":10,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/428\/revisions"}],"predecessor-version":[{"id":438,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/posts\/428\/revisions\/438"}],"wp:attachment":[{"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/media?parent=428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/categories?post=428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/offensivepython.com\/index.php\/wp-json\/wp\/v2\/tags?post=428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}