TJ O'Connor is a Department of Defense expert on information security and a US Army paratrooper. While assigned as an assistant professor at the US Military Academy, TJ taught undergraduate courses on forensics, exploitation and information assurance. He twice co-coached the winning team at the National Security Agency's annual Cyber Defense Exercise and won the National Defense University's first annual Cyber Challenge. He has served on multiple red teams, including twice on the Northeast Regional Team for the National Collegiate Cyber Defense Competition.TJ holds a Master of Science degree in Computer Science from North Carolina State, a Master of Science degree in Information Security Engineering from the SANS Technical Institute, and a Bachelor of Science degree in Computer Science from the US Military Academy. He has published technical research at USENIX workshops, ACM conferences, security conferences, the SANS Reading Room, the Internet Storm Center, the Army Magazine, and the Armed Forces Journal. He holds expert cyber security credentials, including the prestigious GIAC Security Expert (GSE) and Offensive Security Certified Expert (OSCE). TJ is a member of the elite SANS Red and Blue Team Cyber Guardians.TJ O'Connor is an active duty Army Major and former faculty member at the United States Military Academy, where he taught courses on forensics, exploitation, and information assurance. He has published research at USENIX workshops, ACM Conferences, and spoken at various security conferences, including ShmooCon. He has participated in numerous cyber defense exercises, including winning the National Defense University Cyber Challenge, coaching the winning team at the National Security Agency's Cyber Defense Exercise and working as a red team member of the Northeast Regional Collegiate Cyber Defense Competition. He has earned the SANS Certifications GIAC Gold certifications in GCFA, GCIH, GSEC, GCIA, and holds other GIAC certifications.
Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation. Instead of relying on another attacker's tools, this book will teach you to forge your own weapons using the Python programming language. This book demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts. It also shows how to write code to intercept and analyze network traffic using Python, craft and spoof wireless frames to attack wireless and Bluetooth devices, and how to data-mine popular social media websites and evade modern anti-virus. - Demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts- Write code to intercept and analyze network traffic using Python. Craft and spoof wireless frames to attack wireless and Bluetooth devices- Data-mine popular social media websites and evade modern anti-virus
Half Title 2
Title page 4
Copyright 1
Trademarks 1
Acknowledgements 1
Dedication 1
Contents 1
Lead Author - TJ O’Connor 1
Contributing Author Bio - Rob Frost 1
Technical Editor Bio - Mark Baggett 1
Introduction 1
1 Introduction 28
Introduction: A Penetration Test with Python 28
Setting Up Your Development Environment 29
Installing Third Party Libraries 30
Interpreted Python Versus Interactive Python 32
The Python Language 33
Variables 34
Strings 34
Lists 35
Dictionaries 36
Networking 36
Selection 37
Exception Handling 37
Functions 39
Iteration 41
File I/O 43
Sys Module 44
OS Module 45
Your First Python Programs 47
Setting the Stage for Your First Python Program: The Cuckoo’s Egg 47
Your First Program, a UNIX Password Cracker 48
Setting the Stage for Your Second Program: Using Evil for Good 51
Your Second Program, a Zip-File Password Cracker 51
Chapter Wrap-Up 56
References 56
2 Penetration Testing with Python 58
Introduction: The Morris Worm—Would it Work Today? 58
Building a Port Scanner 59
TCP Full Connect Scan 60
Application Banner Grabbing 62
Threading the Scan 64
Integrating the Nmap Port Scanner 66
Building an SSH BotNet with Python 68
Interacting with SSH Through Pexpect 69
Brute Forcing SSH Passwords with Pxssh 72
Exploiting SSH Through Weak Private Keys 75
Constructing the SSH Botnet 80
Mass Compromise by Bridging FTP and Web 83
Building an Anonymous FTP Scanner with Python 84
Using Ftplib to Brute Force FTP User Credentials 84
Searching for Web Pages on the FTP Server 86
Adding a Malicious Inject to Web Pages 87
Bringing the Entire Attack Together 89
Conficker, Why Trying Hard is Always Good Enough 93
Attacking the Windows SMB Service with Metasploit 94
Writing Python to Interact with Metasploit 96
Remote Process Execution Brute Force 98
Putting it Back Together to Build Our Own Conficker 98
Writing Your Own Zero-Day Proof of Concept Code 101
Stack-Based Buffer Overflow Attacks 102
Adding the Key Elements of the Attack 102
Sending the Exploit 103
Assembling the Entire Exploit Script 104
Chapter Wrap Up 106
References 107
3 Forensic Investigations with Python 108
Introduction: How Forensics Solved the BTK Murders 108
Where Have You Been?—Analysis of Wireless Access Points in the Registry 109
Using WinReg to Read the Windows Registry 110
Using Mechanize to Submit the MAC Address to Wigle 112
Using Python to Recover Deleted Items in the Recycle Bin 116
Using the OS Module to Find Deleted Items 117
Python to Correlate SID to User 117
Metadata 120
Using PyPDF to Parse PDF Metadata 120
Understanding Exif Metadata 122
Downloading Images with BeautifulSoup 123
Reading Exif Metadata from Images with the Python Imaging Library 124
Investigating Application Artifacts with Python 127
Understanding the Skype Sqlite3 Database 127
Using Python and Sqlite3 to Automate Skype Database Queries 129
Parsing Firefox Sqlite3 Databases with Python 135
Investigating iTunes Mobile Backups with Python 143
Chapter Wrap-Up 149
References 149
4 Network Traffic Analysis with Python 152
Introduction: Operation Aurora and How the Obvious was Missed 152
Where is that IP Traffic Headed?—A Python Answer 153
Using PyGeoIP to Correlate IP to Physical Locations 154
Using Dpkt to Parse Packets 155
Using Python to Build a Google Map 159
Is Anonymous Really Anonymous? Analyzing LOIC Traffic 162
Using Dpkt to Find the LOIC Download 162
Parsing IRC Commands to the Hive 164
Identifying the DDoS Attack in Progress 165
How H. D. Moore Solved the Pentagon’s Dilemma 170
Understanding the TTL Field 171
Parsing TTL Fields with Scapy 173
Storm’s Fast-Flux and Conficker’s Domain-Flux 176
Does Your DNS Know Something You Don’t? 177
Using Scapy to Parse DNS Traffic 178
Detecting Fast Flux Traffic with Scapy 179
Detecting Domain Flux Traffic with Scapy 180
Kevin Mitnick and TCP Sequence Prediction 181
Your Very Own TCP Sequence Prediction 182
Crafting a SYN Flood with Scapy 183
Calculating TCP Sequence Numbers 184
Spoofing the TCP Connection 186
Foiling Intrusion Detection Systems with Scapy 189
Chapter Wrap Up 195
References 195
5 Wireless Mayhem with Python 198
Introduction: Wireless (IN)Security and the Iceman 198
Setting up Your Wireless Attack Environment 199
Testing Wireless Capture with Scapy 199
Installing Python Bluetooth Packages 200
The Wall of Sheep—Passively Listening to Wireless Secrets 201
Using Python Regular Expressions to Sniff Credit Cards 202
Sniffing Hotel Guests 205
Building a Wireless Google Key Logger 208
Sniffing FTP Credentials 211
Where Has Your Laptop Been? Python Answers 213
Listening for 802.11 Probe Requests 213
Finding Hidden Network 802.11 Beacons 214
De-cloaking Hidden 802.11 Networks 215
Intercepting and Spying on UAVs with Python 216
Intercepting the Traffic, Dissecting the Protocol 216
Crafting 802.11 Frames with Scapy 219
Finalizing the Attack, Emergency Landing The UAV 222
Detecting FireSheep 223
Understanding Wordpress Session Cookies 225
Herd the Sheep—Catching Wordpress Cookie Reuse 226
Stalking with Bluetooth and Python 228
Intercepting Wireless Traffic to Find Bluetooth Addresses 230
Scanning Bluetooth RFCOMM Channels 232
Using the Bluetooth Service Discovery Protocol 233
Taking Over a Printer with Python ObexFTP 234
BlueBugging a Phone with Python 235
Chapter Wrap Up 236
References 237
6 Web Recon with Python 238
Introduction: Social Engineering Today 238
Recon Prior to Attack 239
Using the Mechanize Library to Browse the Internet 239
Anonymity – Adding Proxies, User-Agents, Cookies 241
Finalizing Our AnonBrowser into a Python Class 244
Scraping Web Pages with AnonBrowser 246
Parsing HREF Links with Beautiful Soup 246
Mirroring Images with Beautiful Soup 249
Research, Investigate, Discovery 250
Interacting with the Google API in Python 250
Parsing Tweets with Python 254
Pulling Location Data Out of Tweets 256
Parsing Interests from Twitter Using Regular Expressions 258
Anonymous Email 263
Mass Social Engineering 264
Using Smtplib to Email Targets 264
Spear Phishing with Smtplib 266
Chapter Wrap-Up 269
References 269
7 Antivirus Evasion with Python 272
Introduction: Flame On! 272
Evading Antivirus Programs 273
Verifying Evasion 277
Wrap Up 282
References 283
Index 284
A 284
B 284
C 284
D 285
E 285
F 285
G 285
H 285
I 285
K 286
L 286
M 286
N 286
O 286
P 286
R 287
S 287
T 287
U 288
V 288
W 288
Z 289
Chapter 2
Penetration Testing with Python
Information in this chapter:
Building a Port Scanner
Constructing an SSH Botnet
Mass Compromise with FTP
Replicate Conficker
Your Own Zero Day Attack
To be a warrior is not a simple matter of wishing to be one. It is rather an endless struggle that will go on to the very last moment of our lives. Nobody is born a warrior, in exactly the same way that nobody is born an average man. We make ourselves into one or the other
—Kokoro by Natsume Sōsek, 1914, Japan.
Introduction: The Morris Worm—Would it Work Today?
Twenty-two years before the StuxNet worm crippled the Iranian nuclear power plants in Bushehr and Natantz (Albright, Brannan, & Walrond, 2010), a graduate student at Cornell launched the first digital munitions. Robert Tappen Morris Jr., son of the head of the NSA’s National Computer Security Center, infected six thousand workstations with a worm aptly dubbed, the Morris Worm (Elmer-Dewitt, McCarroll, & Voorst, 1988). While 6000 workstations seem trivial by today’s standards, this figure represents ten percent of all computers that were connected to the Internet in 1988. Rough estimates by the US Government Accountability Office put the cost somewhere between $10 and $100 million dollars to eradicate the damage left by Morris’s worm (GAO, 1989). So how did it work?
Morris’s worm used a three-pronged attack in order to compromise systems. It first took advantage of vulnerability in the Unix sendmail program. Second, it exploited a separate vulnerability in the finger daemon used by Unix systems. Finally, it attempted to connect to targets using the remote shell (RSH) protocol using a list of common usernames and passwords. If any of the three attack vectors succeeded, the worm would use a small program as a grappling hook to pull over the rest of the virus (Eichin & Rochlis, 1989).
Would a similar attack still work today and can we learn to write something that would be almost identical? These questions provide the basis for the rest of the chapter. Morris wrote the majority of his attack in the C programming language. However, while C is a very powerful language, it is also very challenging to learn. In sharp contrast to this, the Python programming language has a user-friendly syntax and a wealth of third party modules. This provides a much better platform of support and makes it considerably easier for most programmers to initiate attacks. In the following pages, we will use Python to recreate parts of the Morris Worm as well as some contemporary attack vectors.
Building a Port Scanner
Reconnaissance serves as the first step in any good cyber assault. An attacker must discover where the vulnerabilities are before selecting and choosing exploits for a target. In the following section, we will build a small reconnaissance script that scans a target host for open TCP ports. However, in order to interact with TCP ports, we will need to first construct TCP sockets.
Python, like most modern languages, provides access to the BSD socket interface. BSD sockets provide an application-programming interface that allows coders to write applications in order to perform network communications between hosts. Through a series of socket API functions, we can create, bind, listen, connect, or send traffic on TCP/IP sockets. At this point, a greater understanding of TCP/IP and sockets are needed in order to help further develop our own attacks.
The majority of Internet accessible applications reside on the TCP. For example, in a target organization, the web server might reside on TCP port 80, the email server on TCP port 25, and the file transfer server on TCP port 21. To connect to any of these services in our target organization, an attacker must know both the Internet Protocol Address and the TCP port associated with the service. While someone familiar with our target organization would probably have access to this information, an attacker may not.
An attacker routinely performs a port scan in the opening salvo of any successful cyber assault. One type of port scan includes sending a TCP SYN packet to a series of common ports and waiting for a TCP ACK response that will result in signaling an open port. In contrast, a TCP Connect Scan uses the full three-way handshake to determine the availability of the service or port.
TCP Full Connect Scan
So let’s begin by writing our own TCP port scanner that utilizes a TCP full connect scan to identify hosts. To begin, we will import the Python implementation of BSD socket API. The socket API provides us with some functions that will be useful in implementing our TCP port scanner. Let’s examine a couple before proceeding. For a deeper understanding, view the Python Standard Library Documentation at: http://docs.Python.org/library/socket.html.
socket.gethostbyname(hostname) – This function takes a hostname such as www.syngress.com and returns an IPv4 address format such as 69.163.177.2.
socket.gethostbyaddr(ip address) – This function takes an IPv4 address and returns a triple containing the hostname, alternative list of host names, and a list of IPv4/v6 addresses for the same interface on the host.
socket.socket([family[, type[, proto]]]) – This function creates an instance of a new socket given the family. Options for the socket family are AF_INET, AF_INET6, or AF_UNIX. Additionally, the socket can be specified as SOCK_STREAM for a TCP socket or SOCK_DGRAM for a UDP socket. Finally, the protocol number is usually zero and is omitted in most cases.
socket.create_connection(address[, timeout[, source_address]]) – This function takes a 2-tuple (host, port) and returns an instance of a network socket. Additionally, it has the option of taking a timeout and source address.
In order to better understand how our TCP Port Scanner works, we will break our script into five unique steps and write Python code for each of them. First, we will input a hostname and a comma separated list of ports to scan. Next, we will translate the hostname into an IPv4 Internet address. For each port in the list, we will also connect to the target address and specific port. Finally, to determine the specific service running on the port, we will send garbage data and read the banner results sent back by the specific application.
In our first step, we accept the hostname and port from the user. For this, our program utilizes the optparse library for parsing command-line options. The call to optparse. OptionPaser([usage message]) creates an instance of an option parser. Next, parser.add_option specifies the individual command line options for our script. The following example shows a quick method for parsing the target hostname and port to scan.
import optparse
parser = optparse.OptionParser(‘usage %prog –H’+/
‘<target host> -p <target port>’)
)
parser.add_option(‘-H’, dest=‘tgtHost’, type=‘string’, /
help=‘specify target host’)
parser.add_option(‘-p’, dest=‘tgtPort’, type=‘int’, /
help=‘specify target port’)
(options, args) = parser.parse_args()
tgtHost = options.tgtHost
tgtPort = options.tgtPort
if (tgtHost == None) | (tgtPort == None):
print parser.usage
exit(0)
Next, we will build two functions connScan and portScan. The portScan function takes the hostname and target ports as arguments. It will first attempt to resolve an IP address to a friendly hostname using the gethostbyname() function. Next, it will print the hostname (or IP address) and enumerate through each individual port attempting to connect using the connScan function. The connScan function will take two arguments: tgtHost and tgtPort and attempt to create a connection to the target host and port. If it is successful, connScan will print an open port message. If unsuccessful, it will print the closed port message.
import optparse
from socket import ∗
def connScan(tgtHost, tgtPort):
try:
connSkt = socket(AF_INET, SOCK_STREAM)
connSkt.connect((tgtHost, tgtPort))
print ‘[+]%d/tcp open’% tgtPort
connSkt.close()
except:
print ‘[-]%d/tcp closed’% tgtPort
def portScan(tgtHost, tgtPorts):
try:
tgtIP = gethostbyname(tgtHost)
except:
print...
| Erscheint lt. Verlag | 28.12.2012 |
|---|---|
| Sprache | englisch |
| Themenwelt | Informatik ► Netzwerke ► Sicherheit / Firewall |
| Mathematik / Informatik ► Informatik ► Programmiersprachen / -werkzeuge | |
| Mathematik / Informatik ► Informatik ► Web / Internet | |
| ISBN-10 | 1-59749-964-1 / 1597499641 |
| ISBN-13 | 978-1-59749-964-4 / 9781597499644 |
| Informationen gemäß Produktsicherheitsverordnung (GPSR) | |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 6,1 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 1,8 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
