E-Book, Englisch, 288 Seiten
O'Connor Violent Python
1. Auflage 2012
ISBN: 978-1-59749-964-4
Verlag: Elsevier Science & Techn.
Format: EPUB
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
E-Book, Englisch, 288 Seiten
ISBN: 978-1-59749-964-4
Verlag: Elsevier Science & Techn.
Format: EPUB
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation. Instead of relying on another attacker's tools, this book will teach you to forge your own weapons using the Python programming language. This book demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts. It also shows how to write code to intercept and analyze network traffic using Python, craft and spoof wireless frames to attack wireless and Bluetooth devices, and how to data-mine popular social media websites and evade modern anti-virus. - Demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artifacts - Write code to intercept and analyze network traffic using Python. Craft and spoof wireless frames to attack wireless and Bluetooth devices - Data-mine popular social media websites and evade modern anti-virus
TJ O'Connor is a Department of Defense expert on information security and a US Army paratrooper. While assigned as an assistant professor at the US Military Academy, TJ taught undergraduate courses on forensics, exploitation and information assurance. He twice co-coached the winning team at the National Security Agency's annual Cyber Defense Exercise and won the National Defense University's first annual Cyber Challenge. He has served on multiple red teams, including twice on the Northeast Regional Team for the National Collegiate Cyber Defense Competition.TJ holds a Master of Science degree in Computer Science from North Carolina State, a Master of Science degree in Information Security Engineering from the SANS Technical Institute, and a Bachelor of Science degree in Computer Science from the US Military Academy. He has published technical research at USENIX workshops, ACM conferences, security conferences, the SANS Reading Room, the Internet Storm Center, the Army Magazine, and the Armed Forces Journal. He holds expert cyber security credentials, including the prestigious GIAC Security Expert (GSE) and Offensive Security Certified Expert (OSCE). TJ is a member of the elite SANS Red and Blue Team Cyber Guardians.TJ O'Connor is an active duty Army Major and former faculty member at the United States Military Academy, where he taught courses on forensics, exploitation, and information assurance. He has published research at USENIX workshops, ACM Conferences, and spoken at various security conferences, including ShmooCon. He has participated in numerous cyber defense exercises, including winning the National Defense University Cyber Challenge, coaching the winning team at the National Security Agency's Cyber Defense Exercise and working as a red team member of the Northeast Regional Collegiate Cyber Defense Competition. He has earned the SANS Certifications GIAC Gold certifications in GCFA, GCIH, GSEC, GCIA, and holds other GIAC certifications.
Autoren/Hrsg.
Weitere Infos & Material
2;Half Title;2
3;Title page;4
4;Copyright;1
5;Trademarks;1
6;Acknowledgements;1
7;Dedication;1
8;Contents;1
9;Lead Author - TJ O’Connor;1
10;Contributing Author Bio - Rob Frost;1
11;Technical Editor Bio - Mark Baggett;1
12;Introduction;1
13;1 Introduction;28
13.1;Introduction: A Penetration Test with Python;28
13.2;Setting Up Your Development Environment;29
13.2.1;Installing Third Party Libraries;30
13.2.2;Interpreted Python Versus Interactive Python;32
13.3;The Python Language;33
13.3.1;Variables;34
13.3.2;Strings;34
13.3.3;Lists;35
13.3.4;Dictionaries;36
13.3.5;Networking;36
13.3.6;Selection;37
13.3.7;Exception Handling;37
13.3.8;Functions;39
13.3.9;Iteration;41
13.3.10;File I/O;43
13.3.11;Sys Module;44
13.3.12;OS Module;45
13.4;Your First Python Programs;47
13.4.1;Setting the Stage for Your First Python Program: The Cuckoo’s Egg;47
13.4.2;Your First Program, a UNIX Password Cracker;48
13.4.3;Setting the Stage for Your Second Program: Using Evil for Good;51
13.4.4;Your Second Program, a Zip-File Password Cracker;51
13.5;Chapter Wrap-Up;56
13.6;References;56
14;2 Penetration Testing with Python;58
14.1;Introduction: The Morris Worm—Would it Work Today?;58
14.2;Building a Port Scanner;59
14.2.1;TCP Full Connect Scan;60
14.2.2;Application Banner Grabbing;62
14.2.3;Threading the Scan;64
14.2.4;Integrating the Nmap Port Scanner;66
14.3;Building an SSH BotNet with Python;68
14.3.1;Interacting with SSH Through Pexpect;69
14.3.2;Brute Forcing SSH Passwords with Pxssh;72
14.3.3;Exploiting SSH Through Weak Private Keys;75
14.3.4;Constructing the SSH Botnet;80
14.4;Mass Compromise by Bridging FTP and Web;83
14.4.1;Building an Anonymous FTP Scanner with Python;84
14.4.2;Using Ftplib to Brute Force FTP User Credentials;84
14.4.3;Searching for Web Pages on the FTP Server;86
14.4.4;Adding a Malicious Inject to Web Pages;87
14.4.5;Bringing the Entire Attack Together;89
14.5;Conficker, Why Trying Hard is Always Good Enough;93
14.5.1;Attacking the Windows SMB Service with Metasploit;94
14.5.2;Writing Python to Interact with Metasploit;96
14.5.3;Remote Process Execution Brute Force;98
14.5.4;Putting it Back Together to Build Our Own Conficker;98
14.6;Writing Your Own Zero-Day Proof of Concept Code;101
14.6.1;Stack-Based Buffer Overflow Attacks;102
14.6.2;Adding the Key Elements of the Attack;102
14.6.3;Sending the Exploit;103
14.6.4;Assembling the Entire Exploit Script;104
14.7;Chapter Wrap Up;106
14.8;References;107
15;3 Forensic Investigations with Python;108
15.1;Introduction: How Forensics Solved the BTK Murders;108
15.2;Where Have You Been?—Analysis of Wireless Access Points in the Registry;109
15.2.1;Using WinReg to Read the Windows Registry;110
15.2.2;Using Mechanize to Submit the MAC Address to Wigle;112
15.3;Using Python to Recover Deleted Items in the Recycle Bin;116
15.3.1;Using the OS Module to Find Deleted Items;117
15.3.2;Python to Correlate SID to User;117
15.4;Metadata;120
15.4.1;Using PyPDF to Parse PDF Metadata;120
15.4.2;Understanding Exif Metadata;122
15.4.3;Downloading Images with BeautifulSoup;123
15.4.4;Reading Exif Metadata from Images with the Python Imaging Library;124
15.5;Investigating Application Artifacts with Python;127
15.5.1;Understanding the Skype Sqlite3 Database;127
15.5.2;Using Python and Sqlite3 to Automate Skype Database Queries;129
15.5.3;Parsing Firefox Sqlite3 Databases with Python;135
15.6;Investigating iTunes Mobile Backups with Python;143
15.7;Chapter Wrap-Up;149
15.8;References;149
16;4 Network Traffic Analysis with Python;152
16.1;Introduction: Operation Aurora and How the Obvious was Missed;152
16.2;Where is that IP Traffic Headed?—A Python Answer;153
16.2.1;Using PyGeoIP to Correlate IP to Physical Locations;154
16.2.2;Using Dpkt to Parse Packets;155
16.2.3;Using Python to Build a Google Map;159
16.3;Is Anonymous Really Anonymous? Analyzing LOIC Traffic;162
16.3.1;Using Dpkt to Find the LOIC Download;162
16.3.2;Parsing IRC Commands to the Hive;164
16.3.3;Identifying the DDoS Attack in Progress;165
16.4;How H. D. Moore Solved the Pentagon’s Dilemma;170
16.4.1;Understanding the TTL Field;171
16.4.2;Parsing TTL Fields with Scapy;173
16.5;Storm’s Fast-Flux and Conficker’s Domain-Flux;176
16.5.1;Does Your DNS Know Something You Don’t?;177
16.5.2;Using Scapy to Parse DNS Traffic;178
16.5.3;Detecting Fast Flux Traffic with Scapy;179
16.5.4;Detecting Domain Flux Traffic with Scapy;180
16.6;Kevin Mitnick and TCP Sequence Prediction;181
16.6.1;Your Very Own TCP Sequence Prediction;182
16.6.2;Crafting a SYN Flood with Scapy;183
16.6.3;Calculating TCP Sequence Numbers;184
16.6.4;Spoofing the TCP Connection;186
16.7;Foiling Intrusion Detection Systems with Scapy;189
16.8;Chapter Wrap Up;195
16.9;References;195
17;5 Wireless Mayhem with Python;198
17.1;Introduction: Wireless (IN)Security and the Iceman;198
17.2;Setting up Your Wireless Attack Environment;199
17.2.1;Testing Wireless Capture with Scapy;199
17.2.2;Installing Python Bluetooth Packages;200
17.3;The Wall of Sheep—Passively Listening to Wireless Secrets;201
17.3.1;Using Python Regular Expressions to Sniff Credit Cards;202
17.3.2;Sniffing Hotel Guests;205
17.3.3;Building a Wireless Google Key Logger;208
17.3.4;Sniffing FTP Credentials;211
17.4;Where Has Your Laptop Been? Python Answers;213
17.4.1;Listening for 802.11 Probe Requests;213
17.4.2;Finding Hidden Network 802.11 Beacons;214
17.4.3;De-cloaking Hidden 802.11 Networks;215
17.5;Intercepting and Spying on UAVs with Python;216
17.5.1;Intercepting the Traffic, Dissecting the Protocol;216
17.5.2;Crafting 802.11 Frames with Scapy;219
17.5.3;Finalizing the Attack, Emergency Landing The UAV;222
17.6;Detecting FireSheep;223
17.6.1;Understanding Wordpress Session Cookies;225
17.6.2;Herd the Sheep—Catching Wordpress Cookie Reuse;226
17.7;Stalking with Bluetooth and Python;228
17.7.1;Intercepting Wireless Traffic to Find Bluetooth Addresses;230
17.7.2;Scanning Bluetooth RFCOMM Channels;232
17.7.3;Using the Bluetooth Service Discovery Protocol;233
17.7.4;Taking Over a Printer with Python ObexFTP;234
17.7.5;BlueBugging a Phone with Python;235
17.8;Chapter Wrap Up;236
17.9;References;237
18;6 Web Recon with Python;238
18.1;Introduction: Social Engineering Today;238
18.1.1;Recon Prior to Attack;239
18.2;Using the Mechanize Library to Browse the Internet;239
18.2.1;Anonymity – Adding Proxies, User-Agents, Cookies;241
18.2.2;Finalizing Our AnonBrowser into a Python Class;244
18.3;Scraping Web Pages with AnonBrowser;246
18.3.1;Parsing HREF Links with Beautiful Soup;246
18.3.2;Mirroring Images with Beautiful Soup;249
18.4;Research, Investigate, Discovery;250
18.4.1;Interacting with the Google API in Python;250
18.4.2;Parsing Tweets with Python;254
18.4.3;Pulling Location Data Out of Tweets;256
18.4.4;Parsing Interests from Twitter Using Regular Expressions;258
18.5;Anonymous Email;263
18.6;Mass Social Engineering;264
18.6.1;Using Smtplib to Email Targets;264
18.6.2;Spear Phishing with Smtplib;266
18.7;Chapter Wrap-Up;269
18.8;References;269
19;7 Antivirus Evasion with Python;272
19.1;Introduction: Flame On!;272
19.2;Evading Antivirus Programs;273
19.3;Verifying Evasion;277
19.4;Wrap Up;282
19.5;References;283
20;Index;284
20.1;A;284
20.2;B;284
20.3;C;284
20.4;D;285
20.5;E;285
20.6;F;285
20.7;G;285
20.8;H;285
20.9;I;285
20.10;K;286
20.11;L;286
20.12;M;286
20.13;N;286
20.14;O;286
20.15;P;286
20.16;R;287
20.17;S;287
20.18;T;287
20.19;U;288
20.20;V;288
20.21;W;288
20.22;Z;289
Chapter 2
Penetration Testing with Python
Information in this chapter:
Building a Port Scanner Constructing an SSH Botnet Mass Compromise with FTP Replicate Conficker Your Own Zero Day Attack To be a warrior is not a simple matter of wishing to be one. It is rather an endless struggle that will go on to the very last moment of our lives. Nobody is born a warrior, in exactly the same way that nobody is born an average man. We make ourselves into one or the other —Kokoro by Natsume Sosek, 1914, Japan. Introduction: The Morris Worm—Would it Work Today?
Twenty-two years before the StuxNet worm crippled the Iranian nuclear power plants in Bushehr and Natantz (Albright, Brannan, & Walrond, 2010), a graduate student at Cornell launched the first digital munitions. Robert Tappen Morris Jr., son of the head of the NSA’s National Computer Security Center, infected six thousand workstations with a worm aptly dubbed, the Morris Worm (Elmer-Dewitt, McCarroll, & Voorst, 1988). While 6000 workstations seem trivial by today’s standards, this figure represents ten percent of all computers that were connected to the Internet in 1988. Rough estimates by the US Government Accountability Office put the cost somewhere between $10 and $100 million dollars to eradicate the damage left by Morris’s worm (GAO, 1989). So how did it work? Morris’s worm used a three-pronged attack in order to compromise systems. It first took advantage of vulnerability in the Unix sendmail program. Second, it exploited a separate vulnerability in the finger daemon used by Unix systems. Finally, it attempted to connect to targets using the remote shell (RSH) protocol using a list of common usernames and passwords. If any of the three attack vectors succeeded, the worm would use a small program as a grappling hook to pull over the rest of the virus (Eichin & Rochlis, 1989). Would a similar attack still work today and can we learn to write something that would be almost identical? These questions provide the basis for the rest of the chapter. Morris wrote the majority of his attack in the C programming language. However, while C is a very powerful language, it is also very challenging to learn. In sharp contrast to this, the Python programming language has a user-friendly syntax and a wealth of third party modules. This provides a much better platform of support and makes it considerably easier for most programmers to initiate attacks. In the following pages, we will use Python to recreate parts of the Morris Worm as well as some contemporary attack vectors. Building a Port Scanner
Reconnaissance serves as the first step in any good cyber assault. An attacker must discover where the vulnerabilities are before selecting and choosing exploits for a target. In the following section, we will build a small reconnaissance script that scans a target host for open TCP ports. However, in order to interact with TCP ports, we will need to first construct TCP sockets. Python, like most modern languages, provides access to the BSD socket interface. BSD sockets provide an application-programming interface that allows coders to write applications in order to perform network communications between hosts. Through a series of socket API functions, we can create, bind, listen, connect, or send traffic on TCP/IP sockets. At this point, a greater understanding of TCP/IP and sockets are needed in order to help further develop our own attacks. The majority of Internet accessible applications reside on the TCP. For example, in a target organization, the web server might reside on TCP port 80, the email server on TCP port 25, and the file transfer server on TCP port 21. To connect to any of these services in our target organization, an attacker must know both the Internet Protocol Address and the TCP port associated with the service. While someone familiar with our target organization would probably have access to this information, an attacker may not. An attacker routinely performs a port scan in the opening salvo of any successful cyber assault. One type of port scan includes sending a TCP SYN packet to a series of common ports and waiting for a TCP ACK response that will result in signaling an open port. In contrast, a TCP Connect Scan uses the full three-way handshake to determine the availability of the service or port. TCP Full Connect Scan
So let’s begin by writing our own TCP port scanner that utilizes a TCP full connect scan to identify hosts. To begin, we will import the Python implementation of BSD socket API. The socket API provides us with some functions that will be useful in implementing our TCP port scanner. Let’s examine a couple before proceeding. For a deeper understanding, view the Python Standard Library Documentation at: http://docs.Python.org/library/socket.html. socket.gethostbyname(hostname) – This function takes a hostname such as www.syngress.com and returns an IPv4 address format such as 69.163.177.2. socket.gethostbyaddr(ip address) – This function takes an IPv4 address and returns a triple containing the hostname, alternative list of host names, and a list of IPv4/v6 addresses for the same interface on the host. socket.socket([family[, type[, proto]]]) – This function creates an instance of a new socket given the family. Options for the socket family are AF_INET, AF_INET6, or AF_UNIX. Additionally, the socket can be specified as SOCK_STREAM for a TCP socket or SOCK_DGRAM for a UDP socket. Finally, the protocol number is usually zero and is omitted in most cases. socket.create_connection(address[, timeout[, source_address]]) – This function takes a 2-tuple (host, port) and returns an instance of a network socket. Additionally, it has the option of taking a timeout and source address. In order to better understand how our TCP Port Scanner works, we will break our script into five unique steps and write Python code for each of them. First, we will input a hostname and a comma separated list of ports to scan. Next, we will translate the hostname into an IPv4 Internet address. For each port in the list, we will also connect to the target address and specific port. Finally, to determine the specific service running on the port, we will send garbage data and read the banner results sent back by the specific application. In our first step, we accept the hostname and port from the user. For this, our program utilizes the optparse library for parsing command-line options. The call to optparse. OptionPaser([usage message]) creates an instance of an option parser. Next, parser.add_option specifies the individual command line options for our script. The following example shows a quick method for parsing the target hostname and port to scan. import optparse parser = optparse.OptionParser(‘usage %prog –H’+\ ‘
