Pycon - Python for ethical hackers
1 like1,639 views
The document discusses using Python for ethical hacking and penetration testing. It provides reasons for using Python such as its ease of use, readable syntax, rich libraries, and existing tools. It then covers various Python libraries and frameworks used for tasks like reconnaissance, scanning, exploitation, and packet manipulation. Specific topics covered include file I/O, requests, sockets, scapy, and more.
![Requests
Library to deal with HTTP : HTTP for Humans
>>> import requests
>>> requests.get('http://kamalifard.ir')
<Response [200]>
>>> r = _
>>> r.headers
CaseInsensitiveDict({'content-length': '771', 'contentencoding': 'gzip', 'accept-ranges': 'bytes', 'vary': 'AcceptEncoding', 'server': 'Apache/2.2.16 (Debian)', 'last-modified':
'Sat, 21 Sep 2013 05:19:57 GMT', 'etag': '"15b565-62b4e6ddf0165940"', 'date': 'Sun, 27 Oct 2013 14:23:54 GMT',
'content-type': 'text/html'})
>>> r.text
u'<!doctype html>n<html lang="en">n<head>nt<meta
charset="UTF-8">nt<title>Mohammad reza
Kamalifard</title>nt<link rel="stylesheet" href="style.css"
/>nn</head>n<body>nt<div class="wrap">ntt<h1>Mohammad
reza Kamalifard</h1>ntt<p>Software](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-13-320.jpg)
![Client
import socket
import sys
if len(sys.argv) < 3 :
print 'Please Enter address and port'
sys.exit()
tcp_socket = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
tcp_socket.connect((sys.argv[1], int(sys.argv[2])))
while True:
userInput = raw_input('Please Enter a Message! : ')
tcp_socket.send(userInput)
print 'Server Send back : ' +
str(tcp_socket.recv(2048))
tcp_socket.close()](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-19-320.jpg)
![Nmap
import nmap
tgtHost = '192.168.1.254'
tgtPort = '80'
nmapScan = nmap.PortScanner()
nmapScan.scan(tgtHost, tgtPort)
state=nmapScan[tgtHost]['tcp'][int(tgtPort)]['state']
print tgtHost + ' tcp/' +tgtPort + ' ' +state](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-23-320.jpg)
![Raw Sockets
import struct, socket, binascii
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW,
socket.htons(0x800))
pkt = rawSocket.recvfrom(2048)
ethernetHeader = pkt[0][0:14]
eth_hdr = struct.unpack('!6s6s2s', ethernetHeader)
binascii.hexlify(eth_hdr[0])
binascii.hexlify(eth_hdr[1])
binascii.hexlify(eth_hdr[2])
ipHeader = pkt[0][14:34]
ip_hdr = struct.unpack('!12s4s4s', ipHeader)
print 'Source IP address : ' + socket.inet_ntoa(ip_hdr[1])
print 'Destination IP address : ' + socket.inet_ntoa(ip_hdr[2])
tcpHeader = pkt[0][34:54]
tcp_hdr = struct.unpack('!HH16s', tcpHeader)](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-25-320.jpg)
![Scapy
reza@kamalifard$ sudo scapy
WARNING: No route found for IPv6 destination :: (no
default route?)
Welcome to Scapy (2.2.0)
>>>ls()
ARP : ARP
DHCP : DHCP options
DNS : DNS
GPRS : GPRSdummy
L2TP : None
PPPoE : PPP over Ethernet
[...]](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-28-320.jpg)
![>>> pkt.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.2
dst= 192.168.1.254
options
###[ TCP ]###
sport= ftp_data
dport= smtp
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}
>>>](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-31-320.jpg)
![###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.2
dst= 192.168.1.254
options](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-32-320.jpg)
![###[ TCP ]###
sport= ftp_data
dport= smtp
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-33-320.jpg)
![###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 192.168.1.2
dst= Net('google.com')
options](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-35-320.jpg)
![###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'Welcome to PyCon'
>>>send(pkt)
.
send 1 packets.](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-36-320.jpg)
![Send and Recive
>>> resp = sr(pkt)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> resp
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0
UDP:0 ICMP:0 Other:0>)
>>> resp[0][0]
(<IP frag=0 proto=icmp dst=216.239.32.20 |<ICMP |<Raw
load='Welcome to PyCon' |>>>, <IP version=4L ihl=5L tos=0x0
len=44 id=0 flags= frag=0L ttl=33 proto=icmp chksum=0xdf23
src=216.239.32.20 dst=192.168.1.2 options=[] |<ICMP type=echoreply code=0 chksum=0xea37 id=0x0 seq=0x0 |<Raw load='Welcome
to PyCon' |<Padding load='x00x00' |>>>>)
>>>](https://image.slidesharecdn.com/pycon-kamalifard-pysec-140118125210-phpapp01/85/Pycon-Python-for-ethical-hackers-37-320.jpg)
Pycon - Python for ethical hackers
- 1. Python For Ethical Hackers Mohammad reza Kamalifard
- 4. Ethical Hacker Penetration Tester Ethical Hacker = Penetration Tester
- 5. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 6. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 7. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 8. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 9. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 10. Why Python? Easy to learn Easy to use Clean syntax and code readability Rich set of libraries Tons of tools already written Rapid prototyping – POC ( proof on concept )
- 11. Who is using Python Core Impact – Comprehensive penetration testing solution Immunity CANVAS – Exploit development framework W3AF – Web Application Attack and Audit Framework Sqlmap – Automatic SQL injection tool Immunity Debugger – Powerful Debugger Peach – Fuzzer Sulley – Fully automated and unattended fuzzing framework Paimei – Reverse engineering framework Scapy – Packet manipulation tool
- 12. Easy File Handling >>> >>> >>> >>> file_add = 'c:/users/reza/desktop/passwords.txt' file_dis = open(file_add, 'r') emails = file_dis.readlines() for email in emails: print email shahed_soltani@yahoo.com sir1_kabir@ymail.com peyman_dabir@yahoo.com sanaz808@iran.ir gity_hashemi@yahoo.com zeuos63@yahoo.com seyedali_rezaie@datasec.ir . . .
- 13. Requests Library to deal with HTTP : HTTP for Humans >>> import requests >>> requests.get('http://kamalifard.ir') <Response [200]> >>> r = _ >>> r.headers CaseInsensitiveDict({'content-length': '771', 'contentencoding': 'gzip', 'accept-ranges': 'bytes', 'vary': 'AcceptEncoding', 'server': 'Apache/2.2.16 (Debian)', 'last-modified': 'Sat, 21 Sep 2013 05:19:57 GMT', 'etag': '"15b565-62b4e6ddf0165940"', 'date': 'Sun, 27 Oct 2013 14:23:54 GMT', 'content-type': 'text/html'}) >>> r.text u'<!doctype html>n<html lang="en">n<head>nt<meta charset="UTF-8">nt<title>Mohammad reza Kamalifard</title>nt<link rel="stylesheet" href="style.css" />nn</head>n<body>nt<div class="wrap">ntt<h1>Mohammad reza Kamalifard</h1>ntt<p>Software
- 14. Basic fuzzer import requests as req >>> >>> >>> >>> >>> ... ... url = 'http://kamalifard.ir/' file_add = 'c:/users/reza/desktop/dirss.txt' file_dis = open(file_add, 'r') dirs= file_dis.readlines() for x in dirs: resp = req.get(url + x) html = resp.text
- 15. hashlib >>> import hashlib >>> hashlib.algorithms ('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512') >>> m = hashlib.md5() >>> m.update('reza') >>> m.digest() 'xbbx98xb1xd0xb5#xd5xe7x83xf91Urwx02xb6' >>> m.hexdigest() 'bb98b1d0b523d5e783f931550d7702b6' >>>
- 16. Sockets • TCP and UDP Sockets • Regular Servers and Clients • Raw Sockets • Sniffing and Injection
- 17. Port Scanner import socket def connScan(tgtHost, tgtPort): try: tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tcp_socket.connect((tgtHost, tgtPort)) tcp_socket.send(‘PyCon2013rn') results = tcp_socket.recv(100) print '%d/tcp open' % tgtPort print str(results) except: print '%d/tcp closed' % tgtPort finally: tcp_socket.close()
- 18. ECHO Server import socket tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tcp_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) tcp_socket.bind(('127.0.0.1', 8000)) tcp_socket.listen(2) print 'Waiting for client ...' (client, (ip, port)) = tcp_socket.accept() print 'Revived connection from : ', ip print 'Starting ECHO output...' data = 'dummy' while len(data): data = client.recv(2048) print 'Client send : ', data client.send(data) client.close()
- 19. Client import socket import sys if len(sys.argv) < 3 : print 'Please Enter address and port' sys.exit() tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tcp_socket.connect((sys.argv[1], int(sys.argv[2]))) while True: userInput = raw_input('Please Enter a Message! : ') tcp_socket.send(userInput) print 'Server Send back : ' + str(tcp_socket.recv(2048)) tcp_socket.close()
- 20. -----Client----python client.py 127.0.0.1 8000 Please Enter a Message! : Salam Server Send back : Salam Please Enter a Message! : WELCOME TO PYCON 2013! Server Send back : WELCOME TO PYCON 2013! Please Enter a Message! : -----Server----Waiting for client ... Revived connection from : 127.0.0.1 Starting ECHO output... Client send : Salam Client send : WELCOME TO PYCON 2013! Client send : Closing Connection
- 21. SocketServer Framework • Framework in Python to create TCP and UDP servers • Does all the basic steps for you in the background • Comes in handy if you want to create a server to lure a client and • analyze its behavior
- 22. SocketServer Framework import SocketServer class EchoHandler(SocketServer.BaseRequestHandler): def handle(self): print 'Got Connection from : ', self.client_address data = 'dummy' while len(data): data = self.request.recv(1024) print 'Client sent :' + data self.request.send(data) print 'client left‘ server_address = ('127.0.0.1', 9050) server = SocketServer.TCPServer(server_address, EchoHandler) server.serve_forever()
- 23. Nmap import nmap tgtHost = '192.168.1.254' tgtPort = '80' nmapScan = nmap.PortScanner() nmapScan.scan(tgtHost, tgtPort) state=nmapScan[tgtHost]['tcp'][int(tgtPort)]['state'] print tgtHost + ' tcp/' +tgtPort + ' ' +state
- 24. Simple HTTP Server import SocketServer import SimpleHTTPServer httpServer = SocketServer.TCPServer(('', 8080), SimpleHTTPServer.SimpleHTTPRequestHandler) httpServer.serve_forever()
- 25. Raw Sockets import struct, socket, binascii rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800)) pkt = rawSocket.recvfrom(2048) ethernetHeader = pkt[0][0:14] eth_hdr = struct.unpack('!6s6s2s', ethernetHeader) binascii.hexlify(eth_hdr[0]) binascii.hexlify(eth_hdr[1]) binascii.hexlify(eth_hdr[2]) ipHeader = pkt[0][14:34] ip_hdr = struct.unpack('!12s4s4s', ipHeader) print 'Source IP address : ' + socket.inet_ntoa(ip_hdr[1]) print 'Destination IP address : ' + socket.inet_ntoa(ip_hdr[2]) tcpHeader = pkt[0][34:54] tcp_hdr = struct.unpack('!HH16s', tcpHeader)
- 26. Packet Injection with Raw Sockets import socket import struct rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800)) rawSocket.bind(('wlan0', socket.htons(0x800))) packet = struct.pack('!6s6s2s', 'xaaxaaxaaxaaxaaxaa', 'xbbxbbxbbxbbxbbxbb' , 'x08x00') rawSocket.send(packet + 'Welcome to PYCON')
- 27. Scapy • Interactive packet manipulation tool • Forge or decode packets • Wide number of protocols • Send Packet on the wire • Capture Packet • Match requests and replies
- 28. Scapy reza@kamalifard$ sudo scapy WARNING: No route found for IPv6 destination :: (no default route?) Welcome to Scapy (2.2.0) >>>ls() ARP : ARP DHCP : DHCP options DNS : DNS GPRS : GPRSdummy L2TP : None PPPoE : PPP over Ethernet [...]
- 29. Sniff >>> p = sniff(count = 5) >>> p <Sniffed: TCP:5 UDP:0 ICMP:0 Other:0> >>> p.show() 0000 0001 0002 0003 0004 >>> Ether Ether Ether Ether Ether / / / / / IP IP IP IP IP / / / / / TCP TCP TCP TCP TCP 46.165.248.173:4948 > 192.168.1.2:47981 PA/ Raw 192.168.1.2:47981 > 46.165.248.173:4948 A 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw 127.0.0.1:48852 > 127.0.0.1:mmcc A
- 30. Create Packet >>> pkt = IP(dst ='192.168.1.254')/TCP(dport = 25) >>> pkt <IP frag=0 proto=tcp dst=192.168.1.254 |<TCP dport=smtp |>> >>> print pkt E(@�~�����P e >>> str(pkt) 'Ex00x00(x00x01x00x00@x06xf6~xc0xa8x01x02 xc0xa8x01xfex00x14x00x19x00x00x00x00x00 x00x00x00Px02 x00x0bex00x00'
- 31. >>> pkt.show() ###[ IP ]### version= 4 ihl= None tos= 0x0 len= None id= 1 flags= frag= 0 ttl= 64 proto= tcp chksum= None src= 192.168.1.2 dst= 192.168.1.254 options ###[ TCP ]### sport= ftp_data dport= smtp seq= 0 ack= 0 dataofs= None reserved= 0 flags= S window= 8192 chksum= None urgptr= 0 options= {} >>>
- 32. ###[ IP ]### version= 4 ihl= None tos= 0x0 len= None id= 1 flags= frag= 0 ttl= 64 proto= tcp chksum= None src= 192.168.1.2 dst= 192.168.1.254 options
- 33. ###[ TCP ]### sport= ftp_data dport= smtp seq= 0 ack= 0 dataofs= None reserved= 0 flags= S window= 8192 chksum= None urgptr= 0 options= {}
- 34. Send Packets >>> pkt = IP(dst = 'google.com')/ICMP()/'Welcome to PyCon' >>> pkt <IP frag=0 proto=icmp dst=Net('google.com') |<ICMP |<Raw load='Welcome to PyCon' |>>> >>> >>> pkt.show()
- 35. ###[ IP ]### version= 4 ihl= None tos= 0x0 len= None id= 1 flags= frag= 0 ttl= 64 proto= icmp chksum= None src= 192.168.1.2 dst= Net('google.com') options
- 36. ###[ ICMP ]### type= echo-request code= 0 chksum= None id= 0x0 seq= 0x0 ###[ Raw ]### load= 'Welcome to PyCon' >>>send(pkt) . send 1 packets.
- 37. Send and Recive >>> resp = sr(pkt) Begin emission: Finished to send 1 packets. * Received 1 packets, got 1 answers, remaining 0 packets >>> resp (<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>) >>> resp[0][0] (<IP frag=0 proto=icmp dst=216.239.32.20 |<ICMP |<Raw load='Welcome to PyCon' |>>>, <IP version=4L ihl=5L tos=0x0 len=44 id=0 flags= frag=0L ttl=33 proto=icmp chksum=0xdf23 src=216.239.32.20 dst=192.168.1.2 options=[] |<ICMP type=echoreply code=0 chksum=0xea37 id=0x0 seq=0x0 |<Raw load='Welcome to PyCon' |<Padding load='x00x00' |>>>>) >>>
- 38. >>> '?'
- 39. ﺣﺪود ۰۵۷ ﻣﯿﻠﯿﻮن ﻧﻔﺮ ﮔﺮﺳﻨﻪ در ﺟﻬﺎن وﺟﻮد دارد! ﮏ ﻧﻔﺮ از ﻫﺮ ۸ ﻧﻔﺮ ﺑـﺮﻧـﺎﻣـﻪ ﺟـﻬـﺎﻧـﯽ ﻏـﺬا ﻣﺒﺎرزه ﺟﻬﺎﻧﯽ ﺑﺎ ﮔﺮﺳﻨﮕﯽ fa.wfp.org
- 40. >>> '?' >>> print contact_me
- 41. >>> ? >>> print contact_me Mohammad Reza Kamalifard Kamalifard@datasec.ir http://www.linkedin.com/in/itmard My Python Courses : http://www.webamooz.ir/home/courses/python-for-ethicalhackers-1/ http://www.webamooz.ir/home/courses/python-for-ethicalhackers-2/
- 42. This work is product of DataSec Middle East(Ammniat Dadehaa Khavare miane) and licensed under the Creative Commons Attribution-NoDerivs 3.0 Unported License. Copyright 2013 Mohammad Reza Kamalifard All rights reserved. http://kamalifard.ir http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/ http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/