pycon - python for ethical hackers

Python For Ethical Hackers - Mohammad Reza Kamalifard

Upload: mohammad-reza-kamalifard

Post on 06-May-2015


DESCRIPTION

Pycon Iran 2013 - Mohammad Reza Kamalifard - IUST

TRANSCRIPT

Page 1: Pycon - Python for ethical hackers

Python For Ethical Hackers

Mohammad Reza Kamalifard

Page 4: Pycon - Python for ethical hackers

Ethical Hacker

Penetration Tester

Ethical Hacker = Penetration Tester

Page 5: Pycon - Python for ethical hackers

Why Python?

Easy to learn

Easy to use

Clean syntax and code readability

Rich set of libraries

Tons of tools already written

Rapid prototyping – POC (proof of concept)

Page 11: Pycon - Python for ethical hackers

Who is using Python

Core Impact – Comprehensive penetration testing solution

Immunity CANVAS – Exploit development framework

W3AF – Web Application Attack and Audit Framework

Sqlmap – Automatic SQL injection tool

Immunity Debugger – Powerful Debugger

Peach – Fuzzer

Sulley – Fully automated and unattended fuzzing framework

Paimei – Reverse engineering framework

Scapy – Packet manipulation tool

Page 12: Pycon - Python for ethical hackers

Easy File Handling

>>> file_add = 'c:/users/reza/desktop/passwords.txt'
>>> file_dis = open(file_add, 'r')
>>> emails = file_dis.readlines()
>>> for email in emails:
...     print email
[email protected]
[email protected]
[email protected]
...

Page 13: Pycon - Python for ethical hackers

Requests

Library to deal with HTTP: HTTP for Humans

>>> import requests
>>> requests.get('http://kamalifard.ir')
<Response [200]>
>>> r = _
>>> r.headers
CaseInsensitiveDict({'content-length': '771', 'content-encoding': 'gzip', 'accept-ranges': 'bytes', 'vary': 'Accept-Encoding', 'server': 'Apache/2.2.16 (Debian)', 'last-modified': 'Sat, 21 Sep 2013 05:19:57 GMT', 'etag': '"15b565-62b-4e6ddf0165940"', 'date': 'Sun, 27 Oct 2013 14:23:54 GMT', 'content-type': 'text/html'})
>>> r.text
u'<!doctype html>\n<html lang="en">\n<head>\n\t<meta charset="UTF-8">\n\t<title>Mohammad rezaKamalifard</title>\n\t<link rel="stylesheet" href="style.css" />\n\n</head>\n<body>\n\t<div class="wrap">\n\t\t<h1>Mohammad reza Kamalifard</h1>\n\t\t<p>Software

Page 14: Pycon - Python for ethical hackers

Basic fuzzer

>>> import requests as req
>>> url = 'http://kamalifard.ir/'
>>> file_add = 'c:/users/reza/desktop/dirss.txt'
>>> file_dis = open(file_add, 'r')
>>> dirs = file_dis.readlines()
>>> for x in dirs:
...     # readlines() keeps the trailing newline, so strip it before building the URL
...     resp = req.get(url + x.strip())
...     html = resp.text

Page 15: Pycon - Python for ethical hackers

hashlib

>>> import hashlib

>>> hashlib.algorithms

('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')

>>> m = hashlib.md5()

>>> m.update('reza')

>>> m.digest()

'\xbb\x98\xb1\xd0\xb5#\xd5\xe7\x83\xf91U\rw\x02\xb6'

>>> m.hexdigest()

'bb98b1d0b523d5e783f931550d7702b6'

>>>

Page 16: Pycon - Python for ethical hackers

Sockets

• TCP and UDP Sockets

• Regular Servers and Clients

• Raw Sockets

• Sniffing and Injection

Page 17: Pycon - Python for ethical hackers

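Port Scanner

import socket

def connScan(tgtHost, tgtPort):
    # Create the socket before the try block so that finally can always close it
    tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # A completed TCP connect means the port is open
        tcp_socket.connect((tgtHost, tgtPort))
        tcp_socket.send('PyCon2013\r\n')
        results = tcp_socket.recv(100)   # whatever the service answers
        print '%d/tcp open' % tgtPort
        print str(results)
    except socket.error:
        print '%d/tcp closed' % tgtPort
    finally:
        tcp_socket.close()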

Page 18: Pycon - Python for ethical hackers

ECHO Server

import socket

tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tcp_socket.bind(('127.0.0.1', 8000))
tcp_socket.listen(2)
print 'Waiting for client ...'
(client, (ip, port)) = tcp_socket.accept()
print 'Revived connection from : ', ip
print 'Starting ECHO output...'
data = 'dummy'
while len(data):
    data = client.recv(2048)
    print 'Client send : ', data
    client.send(data)
client.close()

Page 19: Pycon - Python for ethical hackers

Client

import socket
import sys

if len(sys.argv) < 3:
    print 'Please Enter address and port'
    sys.exit()

tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.connect((sys.argv[1], int(sys.argv[2])))
while True:
    userInput = raw_input('Please Enter a Message! : ')
    tcp_socket.send(userInput)
    print 'Server Send back : ' + str(tcp_socket.recv(2048))
tcp_socket.close()

Page 20: Pycon - Python for ethical hackers

-----Client-----
python client.py 127.0.0.1 8000
Please Enter a Message! : Salam
Server Send back : Salam
Please Enter a Message! : WELCOME TO PYCON 2013!
Server Send back : WELCOME TO PYCON 2013!
Please Enter a Message! :
-----Server-----
Waiting for client ...
Revived connection from : 127.0.0.1
Starting ECHO output...
Client send : Salam
Client send : WELCOME TO PYCON 2013!
Client send :
Closing Connection

Page 21: Pycon - Python for ethical hackers

SocketServer Framework

• Framework in Python to create TCP and UDP servers

• Does all the basic steps for you in the background

• Comes in handy if you want to create a server to lure a client and analyze its behavior

Page 22: Pycon - Python for ethical hackers

SocketServer Framework

import SocketServer

class EchoHandler(SocketServer.BaseRequestHandler):
    # handle() is called once for every accepted connection
    def handle(self):
        print 'Got Connection from : ', self.client_address
        data = 'dummy'
        # recv() returns an empty string when the client closes the connection
        while len(data):
            data = self.request.recv(1024)
            print 'Client sent :' + data
            self.request.send(data)
        print 'client left'

server_address = ('127.0.0.1', 9050)
server = SocketServer.TCPServer(server_address, EchoHandler)
server.serve_forever()
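The "lure a client and analyze its behavior" use named on the previous slide, as an added example that is not from the original deck: a Python 3 `socketserver` listener (the module was renamed from `SocketServer`) that records what each client sends first instead of echoing it. The handler name, the event fields, the `OK` reply and the loopback client in `demo()` are constructed for illustration.

```python
import socket
import socketserver
import threading


class RecordingHandler(socketserver.BaseRequestHandler):
    """Log the first bytes a client sends instead of echoing them back."""

    def handle(self):
        self.request.settimeout(2.0)   # a silent client must not block the server
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        # Store the event before replying, so it is visible once the reply arrives.
        self.server.events.append({
            "peer": self.client_address[0],
            "length": len(data),
            "preview": data[:64].decode("latin-1"),   # latin-1 decodes any byte value
        })
        self.request.sendall(b"OK\r\n")


def demo():
    """Run the listener on an ephemeral loopback port and send one constructed message."""
    server = socketserver.TCPServer(("127.0.0.1", 0), RecordingHandler)
    server.events = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=2) as client:
            client.sendall(b"HELO constructed-client\r\n")
            reply = client.recv(16)
    finally:
        server.shutdown()
        server.server_close()
    return reply, server.events


if __name__ == "__main__":
    print(demo())
```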

Page 23: Pycon - Python for ethical hackers

Nmap

import nmap

tgtHost = '192.168.1.254'

tgtPort = '80'

nmapScan = nmap.PortScanner()

nmapScan.scan(tgtHost, tgtPort)

state=nmapScan[tgtHost]['tcp'][int(tgtPort)]['state']

print tgtHost + ' tcp/' +tgtPort + ' ' +state

Page 24: Pycon - Python for ethical hackers

Simple HTTP Server

import SocketServer

import SimpleHTTPServer

httpServer = SocketServer.TCPServer(('', 8080),

SimpleHTTPServer.SimpleHTTPRequestHandler)

httpServer.serve_forever()

Page 25: Pycon - Python for ethical hackers

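Raw Sockets

import struct, socket, binascii

# PF_PACKET raw socket: receives whole Ethernet frames carrying IPv4 (EtherType 0x0800)
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
pkt = rawSocket.recvfrom(2048)

# Ethernet header: destination MAC, source MAC, EtherType
ethernetHeader = pkt[0][0:14]
eth_hdr = struct.unpack('!6s6s2s', ethernetHeader)
binascii.hexlify(eth_hdr[0])
binascii.hexlify(eth_hdr[1])
binascii.hexlify(eth_hdr[2])

# IP header: the fixed offsets assume a 20-byte header without options
ipHeader = pkt[0][14:34]
ip_hdr = struct.unpack('!12s4s4s', ipHeader)
print 'Source IP address : ' + socket.inet_ntoa(ip_hdr[1])
print 'Destination IP address : ' + socket.inet_ntoa(ip_hdr[2])

# TCP header: source port, destination port, remaining 16 bytes
tcpHeader = pkt[0][34:54]
tcp_hdr = struct.unpack('!HH16s', tcpHeader)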

Page 26: Pycon - Python for ethical hackers

Packet Injection with Raw Sockets

import socket

import struct

rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW,

socket.htons(0x800))

rawSocket.bind(('wlan0', socket.htons(0x800)))

packet = struct.pack('!6s6s2s', '\xaa\xaa\xaa\xaa\xaa\xaa',

'\xbb\xbb\xbb\xbb\xbb\xbb' , '\x08\x00')

rawSocket.send(packet + 'Welcome to PYCON')

Page 27: Pycon - Python for ethical hackers

Scapy

• Interactive packet manipulation tool

• Forge or decode packets

• Wide number of protocols

• Send Packet on the wire

• Capture Packet

• Match requests and replies

Page 28: Pycon - Python for ethical hackers

Scapy

reza@kamalifard$ sudo scapy

WARNING: No route found for IPv6 destination :: (no default route?)

Welcome to Scapy (2.2.0)

>>>ls()

ARP : ARP

DHCP : DHCP options

DNS : DNS

GPRS : GPRSdummy

L2TP : None

PPPoE : PPP over Ethernet

[...]

Page 29: Pycon - Python for ethical hackers

Sniff

>>> p = sniff(count = 5)

>>> p

<Sniffed: TCP:5 UDP:0 ICMP:0 Other:0>

>>> p.show()

0000 Ether / IP / TCP 46.165.248.173:4948 > 192.168.1.2:47981 PA / Raw

0001 Ether / IP / TCP 192.168.1.2:47981 > 46.165.248.173:4948 A

0002 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw

0003 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw

0004 Ether / IP / TCP 127.0.0.1:48852 > 127.0.0.1:mmcc A

>>>

Page 30: Pycon - Python for ethical hackers

Create Packet

>>> pkt = IP(dst ='192.168.1.254')/TCP(dport = 25)

>>> pkt

<IP frag=0 proto=tcp dst=192.168.1.254 |<TCP dport=smtp |>>

>>> print pkt

E(@�~�����P

e

>>> str(pkt)

'E\x00\x00(\x00\x01\x00\x00@\x06\xf6~\xc0\xa8\x01\x02\xc0\xa8\x01\xfe\x00\x14\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00\x0be\x00\x00'

Page 31: Pycon - Python for ethical hackers

>>> pkt.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.2
dst= 192.168.1.254
\options\
###[ TCP ]###
sport= ftp_data
dport= smtp
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}

>>>
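Added example, not from the original slides: the `struct` header parsing from the Raw Sockets slide, applied in Python 3 to the exact byte string that `str(pkt)` prints on the Create Packet slide. It goes beyond the slide by honouring the IP header length and verifying the IP and TCP checksums, which Scapy fills in when the packet is built (hence `chksum= None` in `show()`); function and field names are chosen for this example.

```python
import socket
import struct

# Bytes printed by str(pkt) on the "Create Packet" slide (IP header + TCP header).
RAW = (b"E\x00\x00(\x00\x01\x00\x00@\x06\xf6~\xc0\xa8\x01\x02\xc0\xa8\x01\xfe"
       b"\x00\x14\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00\x0be\x00\x00")


def inet_sum(data):
    """RFC 1071 one's-complement sum; 0xFFFF when data carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_tcp(raw):
    """Decode an IPv4/TCP packet and verify both checksums."""
    ver_ihl, _tos, length, _id, _frag, ttl, proto, ip_sum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options make it > 20
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(raw) < length:
        raise ValueError("not a complete IPv4/TCP packet")
    segment = raw[ihl:length]
    sport, dport, seq, ack, off_flags, window, tcp_sum, _urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "length": length,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(off_flags & 0x02), "ack_flag": bool(off_flags & 0x10),
        "window": window,
        "ip_checksum": ip_sum, "tcp_checksum": tcp_sum,
        "ip_checksum_ok": inet_sum(raw[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": inet_sum(pseudo + segment) == 0xFFFF,
    }


if __name__ == "__main__":
    for key, value in parse_ipv4_tcp(RAW).items():
        print(key, value)
```

The decoded values match the `show()` output: source port 20 is `ftp_data`, destination port 25 is `smtp`, and the only flag set is SYN.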

Page 34: Pycon - Python for ethical hackers

Send Packets

>>> pkt = IP(dst = 'google.com')/ICMP()/'Welcome to PyCon'

>>> pkt

<IP frag=0 proto=icmp dst=Net('google.com') |<ICMP |<Raw load='Welcome to PyCon' |>>>

>>>

>>> pkt.show()

Page 35: Pycon - Python for ethical hackers

###[ IP ]###

version= 4

ihl= None

tos= 0x0

len= None

id= 1

flags=

frag= 0

ttl= 64

proto= icmp

chksum= None

src= 192.168.1.2

dst= Net('google.com')

\options\

Page 36: Pycon - Python for ethical hackers

###[ ICMP ]###

type= echo-request

code= 0

chksum= None

id= 0x0

seq= 0x0

###[ Raw ]###

load= 'Welcome to PyCon'

>>>send(pkt)

.

send 1 packets.

Page 37: Pycon - Python for ethical hackers

Send and Receive

>>> resp = sr(pkt)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> resp
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> resp[0][0]
(<IP frag=0 proto=icmp dst=216.239.32.20 |<ICMP |<Raw load='Welcome to PyCon' |>>>, <IP version=4L ihl=5L tos=0x0 len=44 id=0 flags= frag=0L ttl=33 proto=icmp chksum=0xdf23 src=216.239.32.20 dst=192.168.1.2 options=[] |<ICMP type=echo-reply code=0 chksum=0xea37 id=0x0 seq=0x0 |<Raw load='Welcome to PyCon' |<Padding load='\x00\x00' |>>>>)
>>>

Page 38: Pycon - Python for ethical hackers

>>> '?'

Page 39: Pycon - Python for ethical hackers

There are about 750 million hungry people in the world!

One out of every 8 people

World Food Programme - fa.wfp.org - The global fight against hunger

Page 41: Pycon - Python for ethical hackers

>>> ?

>>> print contact_me

Mohammad Reza Kamalifard

[email protected]

http://www.linkedin.com/in/itmard

My Python Courses :

http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/

http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/

Page 42: Pycon - Python for ethical hackers

This work is a product of DataSec Middle East (Ammniat Dadehaa Khavare miane) and licensed under the Creative Commons Attribution-NoDerivs 3.0 Unported License.

Copyright 2013 Mohammad Reza Kamalifard. All rights reserved.

http://kamalifard.ir

http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/

http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/