
  • Black Hat Python: Python Programming for Hackers and Pentesters

    by Justin Seitz

    Foreword by Charlie Miller

    www.nostarch.com

  • BLACK HAT PYTHON

    Python Programming for Hackers and Pentesters

    by Justin Seitz

    San Francisco

  • BLACK HAT PYTHON. Copyright 2015 by Justin Seitz.

    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

    Printed in USA

    First printing

    18 17 16 15 14 1 2 3 4 5 6 7 8 9

    ISBN-10: 1-59327-590-0
    ISBN-13: 978-1-59327-590-7

    Publisher: William Pollock
    Production Editor: Serena Yang
    Cover Illustration: Garry Booth
    Interior Design: Octopod Studios
    Developmental Editor: Tyler Ortman
    Technical Reviewers: Dan Frisch and Cliff Janzen
    Copyeditor: Gillian McGarvey
    Compositor: Lynn L'Heureux
    Proofreader: James Fraleigh
    Indexer: BIM Indexing and Proofreading Services

    For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:

    No Starch Press, Inc.
    245 8th Street, San Francisco, CA 94103
    phone: 415.863.9900; info@nostarch.com
    www.nostarch.com

    Library of Congress Control Number: 2014953241

    No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

    The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

    www.nostarch.com

  • To Pat

    Although we never met, I am forever grateful for every member of your wonderful family you gave me.

    Canadian Cancer Society www.cancer.ca

  • About the Author

    Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python. He is the author of Gray Hat Python, the first book to cover Python for security analysis.

    About the Technical Reviewers

    Dan Frisch has over ten years of experience in information security. Currently, he is a senior security analyst in a Canadian law enforcement agency. Prior to that role, he worked as a consultant providing security assessments to financial and technology firms in North America. Because he is obsessed with technology and holds a 3rd degree black belt, you can assume (correctly) that his entire life is based around The Matrix.

    Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff Janzen. Cliff discovered his career passion when he moved to information security in 2008 after a decade of IT operations. For the past few years Cliff has been happily employed as a security consultant, doing everything from policy review to penetration tests, and he feels lucky to have a career that is also his favorite hobby.

  • BRIEF CONTENTS

    Foreword by Charlie Miller ..... xv

    Preface ..... xvii

    Acknowledgments ..... xix

    Chapter 1: Setting Up Your Python Environment ..... 1

    Chapter 2: The Network: Basics ..... 9

    Chapter 3: The Network: Raw Sockets and Sniffing ..... 35

    Chapter 4: Owning the Network with Scapy ..... 47

    Chapter 5: Web Hackery ..... 61

    Chapter 6: Extending Burp Proxy ..... 75

    Chapter 7: GitHub Command and Control ..... 101

    Chapter 8: Common Trojaning Tasks on Windows ..... 111

    Chapter 9: Fun with Internet Explorer ..... 123

    Chapter 10: Windows Privilege Escalation ..... 137

    Chapter 11: Automating Offensive Forensics ..... 151

    Index ..... 163

  • CONTENTS IN DETAIL

    FOREWORD by Charlie Miller ..... xv

    PREFACE ..... xvii

    ACKNOWLEDGMENTS ..... xix

    1 SETTING UP YOUR PYTHON ENVIRONMENT ..... 1

    Installing Kali Linux ..... 2
    WingIDE ..... 3

    2 THE NETWORK: BASICS ..... 9

    Python Networking in a Paragraph ..... 10
    TCP Client ..... 10
    UDP Client ..... 11
    TCP Server ..... 12
    Replacing Netcat ..... 13
        Kicking the Tires ..... 19
    Building a TCP Proxy ..... 20
        Kicking the Tires ..... 25
    SSH with Paramiko ..... 26
        Kicking the Tires ..... 29
    SSH Tunneling ..... 30
        Kicking the Tires ..... 33

    3 THE NETWORK: RAW SOCKETS AND SNIFFING ..... 35

    Building a UDP Host Discovery Tool ..... 36
    Packet Sniffing on Windows and Linux ..... 36
        Kicking the Tires ..... 38
    Decoding the IP Layer ..... 38
        Kicking the Tires ..... 41
    Decoding ICMP ..... 42
        Kicking the Tires ..... 45


    4 OWNING THE NETWORK WITH SCAPY ..... 47

    Stealing Email Credentials ..... 48
        Kicking the Tires ..... 50
    ARP Cache Poisoning with Scapy ..... 51
        Kicking the Tires ..... 54
    PCAP Processing ..... 55
        Kicking the Tires ..... 59

    5 WEB HACKERY ..... 61

    The Socket Library of the Web: urllib2 ..... 62
    Mapping Open Source Web App Installations ..... 63
        Kicking the Tires ..... 64
    Brute-Forcing Directories and File Locations ..... 65
        Kicking the Tires ..... 68
    Brute-Forcing HTML Form Authentication ..... 69
        Kicking the Tires ..... 74

    6 EXTENDING BURP PROXY ..... 75

    Setting Up .....
