Violent Python A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers Acquiring Editor: Chris Katsaropoulos Development. “This (Programming), of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with. Python. It is cleanly. Violent Python A Cookbook for Hackers, Forensic Analysts, Penetration Testers Using PyPDF to Parse PDF Metadata Let's use Python to quickly recreate the .
|Language:||English, Spanish, Dutch|
|Genre:||Politics & Laws|
|ePub File Size:||19.37 MB|
|PDF File Size:||8.31 MB|
|Distribution:||Free* [*Regsitration Required]|
!%2$!-.%7. 3!. 3YNGRESS. TJ. O'Connor. Violent Python. A Cookbook for Hackers,. Forensic Analysts,. Penetration Testers and. Security Engineers. hacking-books/Violent Python - A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security teshimaryokan.info Find file Copy path. @tanc7. Part V: The Part of Tens All For Dummies books include The Part of Tens. In this part, we give you Python For Dum Beginning Python - 7chan.
If everything succeeds, we now have access to a command prompt on the vulner- able target. Pxssh is a specialized script included the pexpect library. Nmap produces XML based output. In the following section, we will build a script to connect to a Web site, download all the images on the site, and then check them for Exif metadata. This handles instances of addresses not in the GeoLiteCity database or private IP addresses, such as
After importing the socket module, we instantiate a new variable s from the class socket class. Next, we use the connect method to make a network connection to the IP address and port. Once successfully connected, we can read and write from the socket. Introduction The recv method will read the next bytes on the socket.
We store the result of this method in a variable and then print the results to the server. Selection Like most programming languages, Python provides a method for conditional select statements. The IF statement evaluates a logical expression in order to make a decision based on the result of the evaluation. Continuing with our banner-grabbing script, we would like to know if the specific FTP server is vulnerable to attack.
To do this, we will compare our results against some known vulnerable FTP server versions. Consider the classic runtime error — division by zero. Because zero cannot divide a number, the Python interpreter displays a message informing the programmer of the error message.
This error ceases program execution. The Python language provides exception-handling capability to do just this. Let's update the previous example. Now, the program tries to execute the division by zero. When the error occurs, our exception handling catches the error and prints a message to the screen.
It might be useful to provide the user with an error message about the specific error that occurred. To do this, we will store the exception in a variable e to print the exception, then explicitly cast the variable e as a string. We will wrap the network connection code with exception handling. If we wait for the connection timeout, we see a message indicating the network connection operation timed out.
Our program can now continue. In order to cleanly illustrate the wide variety of concepts in the following pages, we have put minimal exception handling into the scripts in this book.
Feel free to update the scripts included on the companion website to add more robust exception handling. Functions In Python, functions provide organized blocks of reusable code. Typically, this allows a programmer to write a block of code to perform a single, related action. While Python provides many built-in functions, a programmer can create user- defined functions.
The keyword def begins a function. The programmer can place any variables inside the parenthesis. These variables are then passed by reference, meaning that any changes to these variables inside the function will affect their value from the calling function. Continuing with the previous FTP vulnerability-scanning example, let's create a function to perform just the action of connecting to the FTP server and returning the banner.
This also reflects a single, related function. The function checkVulns takes the variable banner as a parameter and then uses it to make a determination of the vulnerability of the server. Instead of writing the same thing three times, we might find it easier to use a for-loop to iterate through multiple elements.
Consider, for example: Instead of iterating through a range of numbers, we can iterate through an entire list of elements. Now our script will test all IP addresses on the Introduction s.
Each line in this file lists a specific service version with a previous vulnerability. Instead of constructing a huge IF statement, let's read in this text file and use it to make decisions if our banner is vulnerable.
Here, we will open the text file in read-only mode 'r'. We iterate through each line in the file using the method. For each line, we compare it against our banner. Notice that we must strip out the carriage return from each line using the method. If we detect a match, we print the vulnerable service banner. You can find more information on the Python online module documents available from http: Interacting with the sys module can prove very helpful in creating Python scripts.
We may, for example, want to parse command line arguments at runtime. Consider our vulnerability scanner: The list sys. The first index sys. The remaining items in the list contain all the fol- lowing command line arguments. Thus, if we are only passing one additional argument, sys. Take the time to exam- ine the entire sys module for the wealth of capabilities it provides to the programmer.
This module allows the program to independently interact with the OS environment, file-system, user database, and permissions. Con- sider, for example, the last section, where the user passed the name of a text file as a command line argument. It might prove valuable to check to see if that file exists and the current user has read permissions to that file. If either condition fails, it would be useful to display an appropriate error message to the user. Next, we create the specific filename and The Python Language successfully read it.
Finally, we restrict permission and see that our script cor- rectly prints the access-denied message. We can now reassemble all the various pieces and parts of our Python vulnerability-scanning script. Do not worry if it appears pseudo-complete, lacking the ability to use threads of execution or better command line option parsing. We will continue to build upon this script in the following chapter.
Import socket import os import sys def retBanner i p , port: Introduction does not exist. As we move forward, we will describe a few anecdotal stories that emphasize the need for our scripts. He also published a May article in Communications of the ACM describing the in-depth technical details of the attack and hunt Stoll, Fascinated by the attacker's methodology and actions, Stoll connected a printer to a compromised server and logged every keystroke the attacker made.
Dur- ing one recording, Stoll noticed something interesting at least in What use was this to the attacker? After all, the victim systems encrypted the user passwords using the UNIX crypt algorithm.
However, within a week of stealing the encrypted password files, Stoll saw the attacker log on with the stolen accounts. Confronting some of the victim users, he learned they had used common words from the dictionary as passwords Stoll, Upon learning this, Stoll realized that the hacker had used a dictionary attack to decrypt the encrypted passwords.
The hacker enumerated through all the words in a dictionary and encrypted them using the Unix Crypt func- tion.
After encrypting each password, the hacker compared it with the stolen encrypted password. The match translated to a successful password crack. Consider the following encrypted password file. The victim used a plaintext password egg and salt equal to the first two bytes or HX. Markus Hess: Firing up the Python interpreter, we see that the crypt library already exists in the Python standard library.
To calculate an encrypted UNIX password hash, we simply call the function crypt. This function returns the hashed password as a string. Returns the hashed password as a string, which will be composed of characters from the same alphabet as the salt. Let's quickly try hashing a password using the crypt function. After importing the library, we pass the password "egg" and the salt "HX" to the function. Now we can write a program to iterate through an entire dictionary, trying each word with the custom salt for the hashed password.
It proves a good programming practice to separate your program into separate functions, each with a specific purpose.
In the end, this allows us to reuse code and makes the program easier to read. Our main function opens the encrypted password file "passwords. For each line, it splits out the username and the hashed password.
For each indi- vidual hashed password, the main function calls the testPass function that tests passwords against a dictionary file. This function, testPass , takes the encrypted password as a parameter and returns either after finding the password or exhausting the words in the dictionary.
Notice that the function first strips out the salt from the first two characters of the encrypted password hash. Next, it opens the diction- ary and iterates through each word in the dictionary, creating an encrypted password hash from the dictionary word and the salt. If the result matches our encrypted password hash, the function prints a message indicating the found password and returns. Otherwise, it continues to test every word in the dictionary.
Thus, we know the system administrator root must be using a word not in our dictionary. No need to worry, we'll cover several other ways in this book to gain root access. The following example uses the SHA hashing algorithm. SHA functionality is provided by the Python hashlib library. Can you update the script to crack SHA hashes?
Throughout this book, you may initially find several of the example scripts somewhat offensive in nature. For example, take our last program that cracked passwords on Unix systems. An adversary could use the tool to gain unauthorized access to a system; however, could a programmer use this for good as well as evil? Certainly — let's expand. Fast-forward nineteen years from Clifford Stoll's discovery of the dictionary attack.
In early , the Brownsville, TX Fire Department received an anonymous tip that fifty-year-old John Craig Zimmerman browsed child por- nography using department resources Floyd, Almost immediately, the Brownsville Fire Department granted Brownsville police investigators access to Zimmerman's work computer and external hard drive Floyd, The police department brought in city programmer Albert Castillo to search the contents of Zimmerman's computer McCullagh, Castillo's initial investigation found several adult pornographic images but no child pornography.
Continuing to browse through the files, Castillo found some suspect files, including a password-protected ZIP file titled "Cindy 5. The resulting decrypted files showed a partially naked minor McCullagh, With this information, a judge granted investigators a warrant to search Zimmerman's home, where they discovered several additional pornographic images of chil- dren McCullagh, On April 3, , a federal grand jury returned an indictment, charging John Craig Zimmerman with four counts of possession and production of child pornography Floyd, Let's use the technique of brute-forcing a password learned in the last example program but apply it to zip files.
We will also use this example to expand upon some fundamental concepts of building our programmers. Opening the Python interpreter, we issue the command help 'zipfile' to learn more about the library and see the class ZipFile with a method extractall. This class and method will prove useful in writing our program to crack password-protected zip files.
Note how the method extractall has an optional parameter to specify a password. Your First Python Programs programmers python Python 2. After importing the library, we instantiate a new ZipFile class by specifying the filename of the password-protected zip file.
To extract the zip file, we utilize the extractall method and specify the optional parameter for the password. Zi pFi 1 e "evi 1. Notice that prior to execution, only the script and the zip file exist in our current working directory. We execute our script, which extracts the contents of evil.
This directory contains the files from the previously password-protected zip file. Is evil.
Let's add some exception handling to catch and display the error message from the script. After instantiating a ZipFile class, we open a dictionary file and iterate through and test each word in the dictionary. If the method extractall executes without error, we print a message indicat- ing the working password. However, if extractall throws a bad password exception, we ignore the exception and continue trying passwords in the dictionary.
Instead of having a linear pro- gram, we will modularize our script with functions. ZipFile 'evil. Instead of trying each word in the dictionary one at a time, we will utilize threads of execution to allow simultaneous testing of multiple passwords. For each word in the dictionary, we will spawn a new thread of execution. ZipFileC 'evil.
Introduction for line in passFi 1 e. To do this, we will import the optparse library. We will describe this library better in the next chapter. For the purposes of our script here, we only need to know that it parses flags and optional parameters following our script.
For our zip-file-cracker script, we will add two mandatory flags — zip file name and dictionary name. Success with a thirty- five-line script!
Next, we moved on and wrote our first two Python programs — a twenty-year-old UNIX pass- word cracker and a zip-file brute-force password cracker.
You now have the initial skills to write your own scripts. Hopefully, the following chapters will prove as exciting to read as they were to write. We will begin this journey by examining how to use Python to attack systems during a penetration test. References Floyd, J. Federal grand jury indicts fireman for production and possession of child por- nography.
John T. Floyd Law Firm Web site. McCullagh, D. Child porn defendant locked up after ZIP file encryption broken. CNET News.
Stoll, C. Tire cuckoo's egg: Tracking a spy through the maze of computer espionage. New York: Stalking the Wily Hacker. Communications of the ACM, 31 5 , Zatko, P. Cyber fast track. ShmooCon Retrieved June 13, The Morris. It is rather Threading the Scan 37 an endless struggle that will go on to the very last moment of our lives. Integrating the Nmap Nobody is born a warrior, in exactly the same way that nobody is born Port Scanner 39 an average man.
Passwords with Pxssh Robert Tappen Botnet 53 Morris Jr. While workstations and Web 56 seem trivial by today's standards, this figure represents ten percent of all com- Building an Anonymous u ju,- u u u FTP Scanner with puters that were connected to the Internet in So how did it work?
Penetration Testing with Python Using Ftplib to Brute Morris's worm used a three-pronged attack in order to compromise systems. Second, it Searching for Web exploited a separate vulnerability in the finger daemon used by Unix systems.
Pages on the FTP Finally, it attempted to connect to targets using the remote shell RSH proto- Server 59 col using a list of common usernames and passwords.
These questions provide the basis for the rest Trying Hard is of the chapter. Morris wrote the majority of his attack in the C programming Always Good language.
This provides with Metasploit 67 a much better platform of support and makes it considerably easier for most Writing Python to programmers to initiate attacks. An attacker Writing Your Own must discover where the vulnerabilities are before selecting and choosing Zero-Day Proof of exploits for a target.
In the following section, we will build a small reconnais- Concept Code 74 sance script that scans a target host for open TCP ports. The majority of Internet accessible applications reside on the TCP. To connect to any of these services in our target organization, an attacker must know both the Internet Protocol Address and the TCP port associated with the service.
While someone familiar with our target organization would probably have access to this information, an attacker may not. An attacker routinely performs a port scan in the opening salvo of any suc- cessful cyber assault. In contrast, a TCP Connect Scan uses the full three-way handshake to determine the availability of the ser- vice or port.
Let's examine a couple before proceeding. For a deeper understanding, view the Python Standard Library Documentation at: Finally, the protocol number is usually zero and is omitted in most cases. Additionally, it has the option of taking a timeout and source address.
In order to better understand how our TCP Port Scanner works, we will break our script into five unique steps and write Python code for each of them. First, we will input a hostname and a comma separated list of ports to scan. Next, we will translate the hostname into an IPv4 Internet address. For each port in the list, we will also connect to the target address and spe- cific port.
Finally, to determine the specific service running on the port, we will send garbage data and read the banner results sent back by the specific application. In our first step, we accept the hostname and port from the user. For this, our program utilizes the optparse library for parsing command-line options. The call to optparse. OptionPaser [usage message] creates an instance of an option parser.
Next, parser. Penetration Testing with Python for our script. The following example shows a quick method for parsing the target hostname and port to scan. The portScan func- tion takes the hostname and target ports as arguments.
It will first attempt to resolve an IP address to a friendly hostname using the gethostbyname func- tion. Next, it will print the hostname or IP address and enumerate through each individual port attempting to connect using the connScan function. The connScan function will take two arguments: If it is successful, connScan will print an open port message. If unsuccessful, it will print the closed port message.
After discovering an open port, we send a string of data to the port and wait for the response. Gathering this response might give us an indication of the application running on the target host and port.
Threading the Scan Depending on the timeout variable for a socket, a scan of each socket can take several seconds. While this appears trivial, it quickly adds up if we are scanning multiple hosts or ports. Ideally, we would like to scan sockets simultaneously as opposed to sequentially. Enter Python threading. Threading provides a way to perform these kinds of executions simultaneously.
To utilize this in our scan, we will modify the iteration loop in our portScan function. Notice how we call the connScan function as a thread. Each thread created in the iteration will now appear to execute at the same time. Our function connScan prints an output to the screen.
If multiple threads print an output at the same time, it could appear garbled and out of order.
In order to allow a function to have complete control of the screen, we will use a semaphore. A simple semaphore provides us a lock to pre- vent other threads from proceeding. Notice that prior to printing an output, we grabbed a hold of the lock using screenLock.
If open, the semaphore will grant us access to proceed and we will print to the screen. If locked, we will have to wait until the thread holding the semaphore releases the lock. By utiliz- ing this semaphore, we now ensure only one thread can print to the screen at any given point in time. In our exception handling code, the keyword finally executes the following code before terminating the block.
Penetration Testing with Python screenLock. The de facto standard for a port scanning toolkit, Nmap, delivers a rather extensive amount of functionality. This begs the question, why not just use Nmap?
Enter the true beauty of Python. Nmap produces XML based output. This provides us with the ability to utilize the full functionality of Nmap within a Python script. Before starting, you must install Python-Nmap, available at http: Ensure you take into consideration the developer's notes regarding the different versions of Python 3.
Other Types of Port Scans Consider a few other types of scans. While we lack the tools to craft packets with TCP options, we will cover this later in Chapter 5. At that time see if you can replicate some of these scan types in your port scanner. If a RST is received, it indicates the port is closed.
If a RST rs recerved, it indicates the port is closed. With Python-Nmap installed, we can now import Nmap into existing scripts and perform Nmap scans inline with your Python scripts. Creating a PortScan- ner class object will allow us the capability to perform a scan on that object. The PortScanner class has a function scan that takes a list of targets and ports as input and performs a basic Nmap scan.
Additionally, we can now index the object by target hosts and ports and print the status of the port. The following sections will build upon this ability to locate and identify targets. PortScanner nmScan. The server or a firewall is actually filtering access to TCP port The port is not necessarily closed as we initially thought. Using a full- fledged scanner like Nmap instead of a single TCP connect scan we were able to discover the filter.
The Morris Worm includes forcing common usernames and passwords against the remote shell RSH service as one of its three attack vectors.
In , RSH provided an excellent although not very secure method for a system administrator to remotely connect to a machine and manage it by performing a series of terminal com- mands on the host. However, this does very little to stop the same attack vector by forcing out common user names and passwords. SSH Worms have proven to be very successful and common attack vectors. Take a look at the intrusion detection system IDS log from our very own www.
Here, the attacker has attempted to connect to the machine using the accounts ucla, oxford, and matrix. These are interesting choices. Received From: Oct 13 Invalid user ucla from Penetration Testing with Python Oct 13 Invalid user ucl a from Invalid user oxford from Invalid user matrix from Because SSH clients require user interaction, our script must be able to wait and match for an expected output before sending further input commands.
Consider the following scenario. In this case, we must answer, "yes" before continuing. Next, the application asks us to enter a password before granting us a com- mand prompt. Finally, we execute our command uname -v to determine the kernel version running on our target. RSA key fingerprint is 5b: Permanently added ' Mon Oct 17 Tue Aug 9 Pexpect has the ability to interact with programs, watch for expected outputs, and then respond based on expected outputs.
This makes it an excellent tool of choice for automating the process of brute forcing SSH user credentials. This function takes a username, hostname, and password and returns an SSH connection resulting in an SSH spawned connection. Utilizing the pexpect library, it then waits for an expected output.
Three possible expected outputs can occur — a timeout, a message indicating that the host has a new public key, or a password prompt. If a timeout occurs, then the session. The following selection statement notices this and prints an error message before returning. If the child. This forces the function to send a message 'yes' to accept the new key.
Follow- ing this, the function waits for the password prompt before sending the SSH password. Penetration Testing with Python and command string as input. It then sends the command string to the session and waits for the command prompt. After catching the command prompt, it prints this output from the SSH session.
Try starting the SSH server and connecting to it with the script. Brute Forcing SSH Passwords with Pxssh While writing the last script really gave us a deep understanding of the capabili- ties of pexpect, we can really simplify the previous script using pxssh. Pxssh is a specialized script included the pexpect library. It contains the ability to directly interact with SSH sessions with pre-defined methods for loginQ, logout , prompt. Using pxssh, we can reduce our previous script to the following.
Penetration Testing with Python return s except: We only have a few minor modifications to get the script to automate the task of brute forcing SSH credentials. Other than adding some option parsing to read in the hostname, username, and password file, the only thing we need to do is slightly modify the connect function. If the login function succeeds without exception, we will print a message indicating that the password is found and update a global Boolean indicating so.
Otherwise, we will catch the exception. If the exception indi- cates that the password was ' refused', we know the password failed and we just return. Additionally, if the exception indicates that pxssh is hav- ing difficulty obtaining a command prompt, we will sleep for a second to allow it to do so.
Note that we include a Boolean release included in the connect function arguments. It is interesting to note the password found is 'alpine'. This is the default root password on iPhone devices. In late , a SSH worm attacked jail-bro- ken iPhones. While this proved extremely useful for some, several users were unaware of this new capability. The worm iKee took advantage this new capability by trying the default password against devices.
The authors of the worm did not intend any harm with the worm. Rather, they changed the background image of the phone to a picture of Rick Astley with the words "ikee never gonna give you up. Additionally, SSH provides the means to authenticate using public key cryptography. In this scenario, the server knows the public key and the user knows the private key.
Typically, this provides an excellent method for authentication. With the ability to generate bit, bit, or Building an SSH BotNet with Python bit keys, this authentication process makes it difficult to use brute force as we did with weak passwords. However, in something interesting happened with the Debian Linux Dis- tribution. A developer commented on a line of code found by an automated software analysis toolkit. The particular line of code ensured entropy in the cre- ation of SSH keys.
By commenting on the particular line of code, the size of the searchable key space dropped to bits of entropy Ahmad, Without only bits of entropy, this meant only 32, keys existed for each algorithm and size.
Moreover, he made them available for download at: You can download the bit keys to begin. After downloading and extracting the keys, go ahead and delete the public keys, since we will only need the private keys to test our connection.
If H1TP request sent, awaiting response Penetration Testing with Python bl68ba54c7c9ca22d9ebcad6f- As a result, it is accurate to state that quite a few servers were built with a weakened SSH service. It would be nice if we could build a tool to exploit this vulnerability.
However, with access to the key space, it is possible to write a small Python script to brute force through each of the 32, keys in order to authenticate to a passwordless SSH server that relies upon a public-key crypto- graph.
In fact, the Warcat Team wrote such a script and posted it to milwOrm within days of the vulnerability discovery. Exploit-DB archived the Warcat Team script at: However, lets write our own script utilizing the same pexpect library we used to brute force through password authentication.
The script to test weak keys proves nearly very similar to our brute force pass- word authentication. To authenticate to SSH with a key, we need to type ssh user host -i keyfile -o PasswordAuthentication—no. For the following script, we loop through the set of generated keys and attempt a connection. If the con- nection succeeds, we print the name of the keyfile to the screen. Additionally, we will use two global variables Stop and Fails. Fails will keep count of the number of failed connection we have had due to the remote host closing the connection.
If this number is greater than 5, we will terminate our script. If our scan has triggered a remote IPS that prevents our connection, there is no sense continuing. Our Stop global variable is a Boolean that lets us known that we have a found a key and the main function does not need to start any new connection threads.
Penetration Testing with Python print parser. Key Found. If the bit keys do not work, try downloading the keys as well and using them. Attackers often use collections of compromised computers for malicious purposes. We call this a botnet because the compromised computers act like bots to carry out instructions. In order to construct our botnet, we will have to introduce a new concept — a class.
The concept of a class serves as the basis for a programming model named, object oriented programming. In this system, we instantiate individual objects with associated methods. For our botnet, each individual bot or client will require the ability to connect, and issue a command. To build the client requires the hostname, username, and password or key. Notice that when we reference a variable belonging to a class, we call it self-followed by the variable name.
To construct the botnet, we build a global array named botnet and this array contains the individual client objects. Next, we build a function named addClientQ that takes a host, user, 5. As a collective, the members of Anonymous launch a distributed botnet attack against sites they deem adversaries. While arguably illegal, the acts of the Anony- mous group have had some notable and morally victorious successes.
In a recent operation, Operation Darknet, Anonymous used its voluntary botnet to overwhelm the hosting resources of a site dedicated to distributing child pornography.
Next, the botnetCommand function takes an argument of a command. This function iterates through the entire array and sends the command to each client in the botnet array.
This proves an excellent method for mass controlling targets. To test, we make three cop- ies of our current Backtrack 5 virtual machine and assign. We see we can the script iterate through these three hosts and issue simultaneous commands to each of the victims.
Once the infected server redirected the victims, the malicious Ukrai- nian host exploited victims in order to install a fake antivirus program that stole credit card information from the clients. The kytv attack proved to be a resounding success. In the following section, we will recreate this attack in Python. Examining the FTP logs of the infected servers, we can see exactly what hap- pened. An automated script connected to the target host in order to deter- mine if it contained a default page named index.
Next the attacker uploaded a new index. The infected server then exploited any vulnerable clients that visited its pages. Typically, users authenticate to FTP servers using a combination of a username and password. However, some sites provide the ability to authenticate anonymously. In this scenario, a user enters the username "anonymous" and submits an email address in lieu of a password.
However, many sites surprisingly provide legitimate rea- sons for this kind of FTP access such as promoting the idea that this enables a more enhanced means of accessing software updates. We can utilize the ftplib library in Python in order to build a small script to determine if a server offers anonymous logins. The function anonLogin takes a hostname and returns a Boolean that describes the availability of anonymous logins.
In order to deter- mine this Boolean, the function attempts to create an FTP connection with anon- ymous credentials. If it succeeds, it returns the value "True". If, in the process of creating a connection, the function throws an exception it returns it as "False". FTP hostname f tp. Using Ftplib to Brute Force FTP User Credentials While anonymous access grants one way to enter into systems, attackers also have been quite successful with using stolen credentials to gain access to legiti- mate FTP servers.
Storing passwords in cleartext in a default location allows custom malware to quickly steal credentials. Security experts have found FTP stealing credentials as recent malware. Penetration Testing with Python release allowing users to quickly scan for FTP credentials after exploiting a tar- get.
This function will take a host and password file as input and return the credentials that allow access to the host. Notice the function iterates through each line of the file, splitting each line at the colon. The function then takes the username and password and attempts to login to the FTP server. If it succeeds, it returns a tuple of a username, password. If it fails, it passes through the exception and continues to the next line.
If the function exhausted all lines and failed to successfully login, it returns a tuple of None,None. In order to test this, we will first list the contents of the FTP server's directory and search for default web pages. The function returnDefault takes an FTP connection as the input and returns an array of default pages it finds.
It does this by issuing the command NLST, which lists the directory contents. The function checks each file returned by NLST against default web page file names. It also appends any discovered default pages to an array called retList. After completing the iteration of these files, the function returns this array. Penetration Testing with Python f tp. We'll know move on to infecting these pages with our client side attack vector. We will use the Metasploit framework in order to quickly create a malicious server and page hosted at http: The page at From the command shell, we can now execute commands as the administrator of the infected victim.
Microsoft Windows XP [Version 5. To do this, we can download the default pages found on the benign server, inject an iframe, and upload the malicious pages back to the benign server. Look at the injectPage. The function injectPage takes an FTP connection, a page name, and a redirect iframe string as the input.
It then downloads a temporary copy of that page. Next, it appends the iframe redirect to our malicious server to that temporary file.
Finally, the function uploads the infected page back to the benign server. FTP host ftp. Penetration Testing with Python Running our code, we see it download the index. The attack func- tion takes a username, password, hostname, and redirect location as input. The function first logs onto the FTP server with the credentials.
Next, we have the script search for default web pages. For each of these pages, the script down- loads a copy and adds a malicious redirection. The script then uploads the infected page back to the FTP server, which will then infect any future victims that visit that web server. FTP tgtHost f tp. You'll notice we first try to gain anonymous access to the FTP server. If this fails, we then brute force credentials and run our attack against the discovered credentials.
While this represents only a hundred lines of code, this attack fully replicates the original attack vector of the kytv infection. FTP hostname ftp. Soon enough, We get a command shell on a client victim by infecting the webserver by way of the FTP server. Overall, Fake Antivirus captured the credit cards of over 43 million people by and continues to grow. Not bad for one hundred lines of Python code. In the next section, we rec- reate an attack that compromised over 5 million workstations in countries.
The Conficker or W32Downandllp Worm spread so rapidly that it infected five million computers in more than countries Markoff, While some of the advanced methods digital signatures, encrypted payloads, and alternative propagation schemes aided in the attack, Conficker at its very heart, holds some similarities in attack vectors to the Morris Worm of Nahorney, In the following pages, we will recreate the primary attack vectors for Conficker.
At its base infection routine, Conficker utilized two separate attack vectors. The Morris Worm used a password list of passwords. These two very successful attacks share 1 1 com- mon passwords on the list.
When building your attack list, it is definitely worth including these eleven passwords. While the activities resulting in these password attempts are undoubtedly illegal, these passwords dumps have proven interesting research for security experts. DARPA Cyber Fast Track Project Manager, Peiter Zatko aka Mudge made an entire room full of Army Brass blush when he asked them if they constructed their passwords using a combination of two capitalized words following by two special character and two numbers.
Additionally, the hacker group LulzSec released 26, passwords and personal information about users in a dump in early June In a coordinated strike, several of these passwords were reused to attack the social networking sites of the same individuals.
However, the most prolific attack was the release of over 1 million usemames and passwords for Gawker, a popular news and gossip blog. First, it utilized a zero-day exploit for the Windows server service vulnerability. Tak- ing advantage of this vulnerability allowed the worm to cause a stack corruption that executed shellcode and downloaded a copy of it to the infected host.
The open source com- puter security project, Metasploit, has risen to quick popularity to become the de facto exploitation toolkit over the last eight years. Championed and devel- oped by the legendary exploit writer, HD Moore, Metasploit allows penetration testers to launch thousands of different computer exploits from a standard- ized and scriptable environment. While attacks can be interactively driven using Metasploit, it also has the capability to read in a resource batch file.
Metasploit sequentially processes the commands for the batch file in order to execute an attack. Consider, for instance, if we want to attack a target at our victim host Finally, we told Metasploit to exploit the system. Saving the configuration file to the filename conficker.
This command will tell Metasploit to launch with the conficker. When successful, our attack returns a Windows command shell to control the machine.
Windows XP - Service Pack 2 - 1 ang: Channel 1 created. We built a configuration file, exploited a machine and gained a shell. Repeating this process for hosts might take us quite a bit of time in order to type out a configuration file, but if we use Python again, we can generate a quick script to scan for hosts that have TCP port open and then build a Metasploit resource file to attack all the vulnerable hosts.
First, lets use the Nmap-Python module from our previous portscanner exam- ple. Here, the function findTgts, takes an input of potential target hosts and returns all the hosts that have TCP port open.
By filtering only the hosts that have a TCP port open, our attack script can now target only valid ones. This will eliminate hosts that would ordinarily block our connection attempt. The function iterates through all hosts in the scan. If the function finds a host with a TCP open, it appends that host to an array. After completing the itera- tion, the function returns this array, containing all the hosts with TCP port open. This listener, or com- mand and control channel, will allow us to remotely interact with our tar- get hosts once they are exploited.
Metasploit provides an advanced and dynamic payload known as the Meterpreter.
Running on a remote machine, the Metasploit Meterpreter, calls back to our command and control host and provides a wealth of functionality to analyze and control the infected target. Penetration Testing with Python commands, route traffic through the infected host, install a key-logger, or dump the password hashes.
Additionally, we will set a global configura- tion DisablePayloadHandler to indicate that all future hosts do not need to set up a handler since we already have one listening. This function will input a Metasploit configuration file, a target, and the local address and ports for the exploit.
The function will write the particular exploit settings to the configuration file. Finally, it sends an instruction to exploit the machine under the context of a job -j and to not interact with the job immediately -z.
The script requires these particular options since it will exploit several targets and therefore cannot interact with all of them simultaneously. Thus, the script will require the second attack vector used in the Conficker Worm.
The function smbBrute takes the Metasploit configura- tion file, the target host, a second file containing a list of passwords, and the local address and port for the listener.
It sets the username as the default win- dows Administrator and then opens the password file. For each password in the file, the function builds a Metasploit resource configuration in order to use the remote process execution psexec exploit. Finally, we will add some option parsing back to the main function of the script and then call the previous written functions as required to wrap up the entire script.
The complete script follows. Penetration Testing with Python import nmap def findTgts subNet: However, what happens when you encounter a target with no known exploit? Penetration Testing with Python you build your own zero-day attack? In the following section, we will construct our own zero-day attack. While the Metasploit Framework contains over eight hun- dred unique exploits in its arsenal, you may encounter a time when you have to write your own remote code execution exploit.
This section explains how Python can help simplify that process. In order to do so, lets begin by under- standing stack-based buffer overflows. The Morris Worm succeeded in part because of a stack-based buffer overflow against the Finger service US v.
This class of exploits suc- ceeds because a program fails to sanitize or validate a user input. TAlthough the Morris Worm made use of a stack-based buffer overflow attack in , it was not until that Elias Levy a. If you feel unfamiliar with how stack-based buffer overflow attacks work or would like to learn more, consider reading Elias's paper. For our purposes, we Writing Your Own Zero-Day Proof of Concept Code '5 will take the time to illustrate only the key concepts behind a stack-based buf- fer overflow attack.
Stack-Based Buffer Overflow Attacks In the case of a stack-based buffer overflow, unchecked user data overwrites the next instruction pointer [EIP] to take control of a program's flow. The exploit directs the EIP register to point to a location containing shellcode inserted by the attacker. A series of machine code instructions, shellcode, can allow the exploit to add an additional user on to the target system, make a network connection with the attacker, or download a stand-alone executable.
Endless shellcode pos- sibilities exist, solely depending on the size of available space in memory. While many methods for writing exploits exist today, stack-based buffer over- flows provided the original exploit vector.
However, an abundance of these exploits exist today and continue to grow. In July of , an acquaintance of mine posted an exploit for a vulnerable FTP server to packetstorm Freyman, Although the development of the exploit may appear to be a complex task, the actual attack contains less than eighty lines of code including about thirty lines of shell code. Adding the Key Elements of the Attack Let's begin by building the key elements of our exploit.
First we set our shell- code variable to contain the hexadecimal encoding for a payload we created with the Metasploit Framework. Our return address variable points to an address location in kernel Our padding variable contains a series of NOP instructions. This builds our NOP-sled. Finally, we assemble all of these variables together into a variable we call crash. Essential elements of stack-based buffer overflow exploit Overflow: Return Address: The 4-byte address used to jump directly to the top of the stack.
A series of NOP no operation instructions that precedes the shellcode, allowing an attacker to guestimate the address location to jump directly to. If an attacker lands anywhere in the NOP-sled, he slides directly into the shellcode. A small piece of code written in assembly machine code. In the following example, we generated shellcode using the Metasploit framework.
If this connection succeeds, we will then authenticate to the host by sending an anonymous username and password. Meagan White Project Manager: Priya Kumaraguruparan Designer: All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. This book and the individual contributions contained in it are protected under copyright by the Publisher other than as may be noted herein.
Notices Knowledge and best practice in this field are constantly changing. As new research and experi- ence broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein.
In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
SK THE! Related Papers. By Fred Rickey. Violent Python. By rodrigo daniel. The Price of Peace.