Learning Penetration Testing with Python



Table of Contents
Learning Penetration Testing with Python
Credits
Disclaimer
About the Author
Acknowledgements
About the Reviewers
www.PacktPub.com
  Support files, eBooks, discount offers, and more
    Why subscribe?
    Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Conventions
  Reader feedback
  Customer support
    Downloading the example code
    Downloading the color images of this book
    Errata
    Piracy
    Questions
1. Understanding the Penetration Testing Methodology
  An overview of penetration testing
  Understanding what penetration testing is not
    Vulnerability assessments
    Reverse engineering engagements
    Hacking
  Assessment methodologies
    The penetration testing execution standard
      Pre-engagement interactions
        White Box Testing
        Grey Box Testing
        Black Box Testing
        Double Blind Testing
      Intelligence gathering
      Threat modeling
      Vulnerability analysis
      Exploitation
      Post exploitation
      Reporting
      An example engagement
  Penetration testing tools
    NMAP
    Metasploit
    Veil
    Burp Suite
    Hydra
    John the Ripper
      Cracking Windows passwords with John
    oclHashcat
    Ophcrack
    Mimikatz and Incognito
    SMBexec
    Cewl
    Responder
    theHarvester and Recon-NG
    pwdump and fgdump
    Netcat
    Sysinternals tools
  Summary
2. The Basics of Python Scripting
  Understanding the difference between interpreted and compiled languages
  Python – the good and the bad
  A Python interactive interpreter versus a script
  Environmental variables and PATH
  Understanding dynamically typed languages
  The first Python script
  Developing scripts and identifying errors
  Reserved words, keywords, and built-in functions
  Global and local variables
  Understanding a namespace
  Modules and imports
  Python formatting
    Indentation
  Python variables
    Debugging variable values
    String variables
    Number variables
    Converting string and number variables
    List variables
    Tuple variables
    Dictionary variables
    Understanding default values and constructors
    Passing a variable to a string
  Operators
    Comparison operators
    Assignment operators
    Arithmetic operators
    Logical and membership operators
  Compound statements
    The if statements
    Python loops
      The while loop
      The for loop
      The break condition
    Conditional handlers
  Functions
    The impact of dynamically typed languages on functions
    Curly brackets
    How to comment your code
  The Python style guide
    Classes
    Functions
    Variables and instance names
  Arguments and options
  Your first assessor script
  Summary
3. Identifying Targets with Nmap, Scapy, and Python
  Understanding how systems communicate
    The Ethernet frame architecture
      Layer 2 in Ethernet networks
      Layer 2 in wireless networks
    The IP packet architecture
    The TCP header architecture
      Understanding how TCP works
      The TCP three-way handshake
    The UDP header architecture
      Understanding how UDP works
  Understanding Nmap
    Inputting the target ranges for Nmap
    Executing the different scan types
      Executing TCP full connection scans
      Executing SYN scans
      Executing ACK scans
      Executing UDP scans
      Executing combined UDP and TCP scans
      Skipping the operating system scans
    Different output types
      Understanding the Nmap Grepable output
      Understanding the Nmap XML output
    The Nmap scripting engine
    Being efficient with Nmap scans
    Determining your interface details with the netifaces library
  Nmap libraries for Python
  The Scapy library for Python
  Summary
4. Executing Credential Attacks with Python
  The types of credential attacks
    Defining the online credential attack
    Defining the offline credential attack
  Identifying the target
  Creating targeted usernames
    Generating and verifying usernames with help from the U.S. census
    Generating the usernames
  Testing for users using SMTP VRFY
    Creating the SMTP VRFY script
  Summary
5. Exploiting Services with Python
  Understanding the new age of service exploitation
  Understanding the chaining of exploits
    Checking for weak, default, or known passwords
    Gaining root access to the system
    Understanding the cracking of Linux hashes
    Testing for the synchronization of account credentials
  Automating the exploit train with Python
  Summary
6. Assessing Web Applications with Python
  Identifying live applications versus open ports
  Identifying hidden files and directories with Python
  Credential attacks with Burp Suite
  Using twill to walk through the source
  Understanding when to use Python for web assessments
    Understanding when to use specific libraries
    Being efficient during web assessments
  Summary
7. Cracking the Perimeter with Python
  Understanding today’s perimeter
    Clear-text protocols
    Web applications
    Encrypted remote access services
    Virtual Private Networks (VPNs)
    Mail services
    Domain Name Service (DNS)
    User Datagram Protocol (UDP) services
  Understanding the link between accounts and services
  Cracking inboxes with Burp Suite
  Identifying the attack path
    Understanding the limitations of perimeter scanning
    Downloading backup files from a TFTP server
    Determining the backup filenames
    Cracking Cisco MD5 hashes
  Gaining access through websites
    The execution of file inclusion attacks
    Verifying an RFI vulnerability
    Exploiting the hosts through RFI
  Summary
8. Exploit Development with Python, Metasploit, and Immunity
  Getting started with registers
    Understanding general purpose registers
      The EAX
      The EBX
      The ECX
      The EDX
    Understanding special purpose registers
      The EBP
      The EDI
      The EIP
      The ESP
  Understanding the Windows memory structure
    Understanding the stack and the heap
    Understanding the program image and dynamic-link libraries
    Understanding the process environment block
    Understanding the thread environment block
    Kernel
  Understanding memory addresses and endianness
  Understanding the manipulation of the stack
  Understanding Immunity
  Understanding basic buffer overflow
  Writing a basic buffer overflow exploit
  Understanding stack adjustments
  Understanding the purpose of local exploits
  Understanding other exploit scripts
    Exploiting standalone binaries by executing scripts
    Exploiting systems by TCP service
    Exploiting systems by UDP service
  Reversing Metasploit modules
  Understanding protection mechanisms
  Summary
9. Automating Reports and Tasks with Python
  Understanding how to parse XML files for reports
  Understanding how to create a Python class
  Creating a Python script to parse an Nmap XML
  Creating a Python script to generate Excel spreadsheets
  Summary
10. Adding Permanency to Python Tools
  Understanding logging within Python
  Understanding the difference between multithreading and multiprocessing
  Creating a multithreaded script in Python
  Creating a multiprocessing script in Python
  Building industry-standard tools
  Summary
Index



Learning Penetration Testing with Python
Copyright © 2015 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: September 2015
Production reference: 1280915

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78528-232-4
www.packtpub.com



Credits
Author: Christopher Duffy
Reviewers: S Boominathan, Tajinder Singh Kalsi, Luke Presland
Commissioning Editor: Sarah Crofton
Acquisition Editor: Vivek Anantharaman
Content Development Editor: Siddhesh Salvi
Technical Editor: Utkarsha S. Kadam
Copy Editors: Tani Kothari, Ulka Manjrekar, Vikrant Phadke
Project Coordinator: Kranti Berde
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Coordinator: Aparna Bhagat
Cover Work: Aparna Bhagat



Disclaimer
All the techniques shown here are based on theory, craft, situations, and team members I have encountered. They are not, however, clones of organizations’ environments that have been assessed. Instead, they point out some examples of common cybersecurity issues and breakdowns in the security strategy that can be taken advantage of. Additionally, these views are my own and do not represent my current or former employers.



About the Author
Christopher Duffy currently leads cybersecurity and penetration testing engagements globally. He has a specialization in advanced technical testing, including penetration testing and security assessment done to evaluate an organization’s security strategy from a malicious actor’s perspective. He has worked a lot with both network and system engineering teams to evaluate critical system data flows, and identified areas where controls can be put in place to prevent a breach of sensitive or critical data. His work with multiple organizations has been key to protecting resources based on the information they have held, which has helped reduce risks while maintaining resilient and cost-effective security postures.

Chris has over 12 years of experience in the information technology and security areas, including security consultation, with a focus on business risk. He has helped build advanced attack and penetration teams. The work that his teams have done has encompassed everything from threat modeling and penetration tests to firewall reviews and FedRAMP readiness assessments.

Chris has led, managed, and executed over 400 engagements for Fortune 500 companies, U.S. government entities, medical providers and payers, educational institutes, financial services, research organizations, and cloud providers. For almost a decade prior to private sector work, Chris was a cyber warfare specialist, senior systems engineer, and network infrastructure supervisor for the United States Air Force (USAF).

He has been honored with numerous technical and leadership awards. Some of these include the (ISC)2 Information Security Leadership Award (ISLA) for the information security practitioner category in 2013, the noncommissioned officer of the year (both at the base and wing levels) in 2011, and the top technician within the cyber transport career field for the United States Air Force (USAF) Intelligence Surveillance and Reconnaissance Agency. He is a distinguished graduate of USAF network warfare training and has publications to his credit in SANS Reading Room, Hackin9 magazine, eForensics magazine and PenTest magazine. He holds 23 certifications, a degree in computer science, and a master’s degree in information security and assurance.



Acknowledgements
This book is for my wife, Michelle, who has enabled me to better our family and chase my dreams.

For my children, Alexis and Maxwell, whom I hope to build a better future for.

For my Dad, for teaching me to lead from the front and introducing the digital world to us, first with a Wang Mainframe and then teaching me how to create hacks for game startup scripts, discovering Bulletin Board Systems (BBS) pre World Wide Web (WWW) with ProComm Plus and war dialing.

For my Mom, who forced me to stop and smell the roses. She provided me that giant help of encouragement whenever it seemed most appropriate.

Finally, for my friend, Chris Newton, who provided me valuable feedback with regard to what he was looking for in a book like this, and gave me access to his Cisco lab.



About the Reviewers
S. Boominathan is a highly proficient security professional who has more than three years of experience in the field of information security, including vulnerability assessment and penetration testing. He is currently working with an India-based bellwether MNC. He has certifications of and knowledge in N+, CCNA, CCSA, CEH v8, CHFI v4, and QCP (QualysGuard certified professional). He is also a wireless penetration testing expert. Boominathan feels very privileged to work in his current company. He has worked in various fields simultaneously, such as malware analysis, vulnerability assessment, network penetration testing, wireless penetration testing, and so on.

I would like to thank my parents, Sundaram and Valli; my wife, Uthira; and my brother, Sriram, for helping me review this book thoroughly. I would also like to thank the author and Packt Publishing for providing me with the opportunity to review this book.

Tajinder Singh Kalsi is an entrepreneur. He is the cofounder of and a technical evangelist at Virscent Technologies, with more than seven years of working experience in the field of IT. He commenced his career with WIPRO as a technical associate, and later became an IT consultant cum trainer. As of now, he conducts seminars in colleges all across India on topics such as information security, Android application development, website development, and cloud computing. Tajinder has taught nearly 9,500 students in more than 125 colleges so far. Apart from training, he also maintains blogs (www.virscent.com/blog and where he provides various hacking tricks. He has earlier reviewed books titled Web Application Penetration Testing with Kali Linux and Mastering Kali Linux for Advanced Penetration Testing.

You can contact him on Facebook at or follow his website at

I would like to thank the team at Packt Publishing for discovering me through my blog and offering me this opportunity again. I would also like to thank my family and close friends for all the support they have given while I was working on this project.

Luke Presland is a cybersecurity specialist currently working for the Defence Science and Technology Laboratory within the UK Ministry of Defence. Previously, he worked in both tech publishing and the online gaming industry, with a specialization in social engineering techniques and countermeasures.

His interests include many aspects of security, from the security of systems and embedded devices, to penetration testing and the combination of social and technical approaches to security vulnerabilities.

Luke spends most of his time working out how to break things and attempting to fix them.

