Hacking Techniques & Intrusion Detection
description
Transcript of Hacking Techniques & Intrusion Detection
![Page 1: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/1.jpg)
Hacking Techniques & Intrusion Detection
Hacking Techniques & Intrusion Detection
Ali Al-Shemery(aka: B!n@ry)
arabnix at gmail dot com
Ali Al-Shemery(aka: B!n@ry)
arabnix at gmail dot com
![Page 2: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/2.jpg)
All materials is licensed under a Creative Commons “Share Alike” license.
• http://creativecommons.org/licenses/by-sa/3.0/
2
![Page 3: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/3.jpg)
Writing Basic Security Tools using Python
Writing Basic Security Tools using Python
Special lecture
![Page 4: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/4.jpg)
>>> import antigravity>>> import antigravity
Cited [1]
![Page 5: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/5.jpg)
Cited
[2]
![Page 6: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/6.jpg)
binary-zone.com 6
OutlineOutline
• About Python• Python Basics
– Types– Controls
• Python Functions and Modules• Python Tips and Tricks• Coding for Penetration Testers
• About Python• Python Basics
– Types– Controls
• Python Functions and Modules• Python Tips and Tricks• Coding for Penetration Testers
6
![Page 7: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/7.jpg)
binary-zone.com 7
About PythonAbout Python
• Python is an open source programming language.• Development started by Guido van Rossum in December
1989.– Conceived in the late 1980’s– Python 2.0 was release on October 16th, 2000– Python 3.0 was released on December 2008
• Name came from TV series “Monty Python’s Flying Circus”.
• Python is an open source programming language.• Development started by Guido van Rossum in December
1989.– Conceived in the late 1980’s– Python 2.0 was release on October 16th, 2000– Python 3.0 was released on December 2008
• Name came from TV series “Monty Python’s Flying Circus”.
![Page 8: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/8.jpg)
binary-zone.com 8
About Python – Cont.About Python – Cont.
• Python is cross platform– Linux (shipped out of the box)– Windows (easy to install)– Mac– Even work on your Droid!– etc
• Python is cross platform– Linux (shipped out of the box)– Windows (easy to install)– Mac– Even work on your Droid!– etc
![Page 9: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/9.jpg)
binary-zone.com 9
Why Learn Python?Why Learn Python?
• Lot of people always ask me “Why learn Python”? • The answer is simple:
– Simple and easy to learn– Free and Open Source– Powerful high-level programming language– Widely used (Google, NASA, Yahoo, etc)– Portable– HUGE number of Extensive Libraries!
• Lot of people always ask me “Why learn Python”? • The answer is simple:
– Simple and easy to learn– Free and Open Source– Powerful high-level programming language– Widely used (Google, NASA, Yahoo, etc)– Portable– HUGE number of Extensive Libraries!
![Page 10: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/10.jpg)
binary-zone.com 10
What is Python Good for?What is Python Good for?
• Ideal language for scripting and rapid application development in many areas on most platforms.
• All computer related subjects (IMO except system programming)
• Performing System Administration Tasks• Encouraging and Helping Children start programming
• Ideal language for scripting and rapid application development in many areas on most platforms.
• All computer related subjects (IMO except system programming)
• Performing System Administration Tasks• Encouraging and Helping Children start programming
![Page 11: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/11.jpg)
binary-zone.com 11
What About Security?What About Security?
• Extensive use in the information security industry– Exploit Development – Networking– Debugging– Encryption/Decription– Reverse Engineering– Fuzzing– Web– Forensics – Malware analysis
• Extensive use in the information security industry– Exploit Development – Networking– Debugging– Encryption/Decription– Reverse Engineering– Fuzzing– Web– Forensics – Malware analysis
Cited [2]
![Page 12: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/12.jpg)
binary-zone.com 12
Let’s Start WorkingLet’s Start Working
• Interactive Interpreter
• Text Editors– Vim, Nano, Geany (was my favorite),PyCharm (favorite),Gedit, Kate, Notepad++, etc
• Interactive Interpreter
• Text Editors– Vim, Nano, Geany (was my favorite),PyCharm (favorite),Gedit, Kate, Notepad++, etc
![Page 13: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/13.jpg)
binary-zone.com 13
Python BasicsPython Basics
• Integers (int)>>> httpPort=80>>> Subnet=24
• Floating Point (float)>>> 5.2/22.6
• Strings (str)>>> url=“http://www.linuxac.org/”
• Integers (int)>>> httpPort=80>>> Subnet=24
• Floating Point (float)>>> 5.2/22.6
• Strings (str)>>> url=“http://www.linuxac.org/”
![Page 14: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/14.jpg)
binary-zone.com 14
Playing with StringsPlaying with Strings
One of the most powerful capabilities of Python• String Slicing
>>> logFile=“/var/log/messages”>>> logFile[0]
‘/’>>> logFile[1:4]
‘var’>>> logFile[-8:]'messages'>>> logFile.split("/")['', 'var', 'log', 'messages']
One of the most powerful capabilities of Python• String Slicing
>>> logFile=“/var/log/messages”>>> logFile[0]
‘/’>>> logFile[1:4]
‘var’>>> logFile[-8:]'messages'>>> logFile.split("/")['', 'var', 'log', 'messages']
![Page 15: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/15.jpg)
binary-zone.com 15
Playing with Strings – Cont.Playing with Strings – Cont.
• String Concatenation>>> userName = “ali”>>> domainName = “ashemery.com”>>> userEmail = userName + “@” + domainName>>> userEmail'[email protected]‘
>>> website="http://www.ashemery.com/">>> param="?p=123">>> url = "".join([website,param])>>> url'http://www.ashemery.com/?p=123'
• String Concatenation>>> userName = “ali”>>> domainName = “ashemery.com”>>> userEmail = userName + “@” + domainName>>> userEmail'[email protected]‘
>>> website="http://www.ashemery.com/">>> param="?p=123">>> url = "".join([website,param])>>> url'http://www.ashemery.com/?p=123'
![Page 16: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/16.jpg)
binary-zone.com 16
Python ListsPython Lists
• Python lists are very useful when you have a collection of elements
>>> portList = [21,22,25,80]>>> portList[0]21
>>> portList.append(443)>>> portList[21, 22, 25, 80, 443]
>>> portList.remove(22)>>> portList[21, 25, 80, 443]
• Python lists are very useful when you have a collection of elements
>>> portList = [21,22,25,80]>>> portList[0]21
>>> portList.append(443)>>> portList[21, 22, 25, 80, 443]
>>> portList.remove(22)>>> portList[21, 25, 80, 443]
>>> portList.insert(1,22)>>> portList[21, 22, 25, 80, 443]
>>> portList = []>>> portList[]
Lists in Python can be of any mixed type, even list of variables!!!
![Page 17: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/17.jpg)
binary-zone.com 17
Python Controls - DecisionsPython Controls - Decisions
• IF, ELSE, and ELIF Statements>>> pList = [21,22,25,80]>>> if pList[0] == 21:... print("FTP Service")... elif pList[0] == 22:... print("SSH Service")... else:... print("Unknown Service")... FTP
• IF, ELSE, and ELIF Statements>>> pList = [21,22,25,80]>>> if pList[0] == 21:... print("FTP Service")... elif pList[0] == 22:... print("SSH Service")... else:... print("Unknown Service")... FTP
Important NOTE:• Python doesn’t use line
terminators (ex: semicolons), but Python forces you to use indents
• Ensures writing elegant code!
![Page 18: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/18.jpg)
binary-zone.com 18
Python Controls - LoopsPython Controls - Loops
• For and While Statements>>> for port in pList:... print "This is port : ", port... This is port : 21This is port : 22This is port : 25This is port : 80
• For and While Statements>>> for port in pList:... print "This is port : ", port... This is port : 21This is port : 22This is port : 25This is port : 80
![Page 19: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/19.jpg)
binary-zone.com 19
Python Tips and TricksPython Tips and Tricks
• Changing and checking data types>>> httpPort=80>>> httpPort80>>> type(httpPort)<type 'int'>>>> httpPort = str(httpPort)>>> type(httpPort)<type 'str'>>>> httpPort'80’
• Changing and checking data types>>> httpPort=80>>> httpPort80>>> type(httpPort)<type 'int'>>>> httpPort = str(httpPort)>>> type(httpPort)<type 'str'>>>> httpPort'80’
![Page 20: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/20.jpg)
binary-zone.com 20
Python Tips and Tricks – Cont.Python Tips and Tricks – Cont.
• Getting the length of an object>>> len(pList)4
• String formatting>>> pList = [21,22,25,80]>>> for member in pList:... print "This is port number %d" % member... This is port number 21This is port number 22This is port number 25This is port number 80
• Getting the length of an object>>> len(pList)4
• String formatting>>> pList = [21,22,25,80]>>> for member in pList:... print "This is port number %d" % member... This is port number 21This is port number 22This is port number 25This is port number 80
![Page 21: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/21.jpg)
binary-zone.com 21
Python Tips and Tricks – Cont.Python Tips and Tricks – Cont.
• Another String formatting example>>> ip = "192.168.1.1">>> mac = "AA:BB:CC:DD:EE:FF">>> print "The gateway has the following IP: %s and MAC: %s addresses" %
(ip, mac)
The gateway has the following IP: 192.168.1.1 and MAC: AA:BB:CC:DD:EE:FF addresses
• Another String formatting example>>> ip = "192.168.1.1">>> mac = "AA:BB:CC:DD:EE:FF">>> print "The gateway has the following IP: %s and MAC: %s addresses" %
(ip, mac)
The gateway has the following IP: 192.168.1.1 and MAC: AA:BB:CC:DD:EE:FF addresses
![Page 22: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/22.jpg)
binary-zone.com 22
Python Tips and Tricks – Cont.Python Tips and Tricks – Cont.
• Working with ASCII codes>>> x = '\x41‘>>> print xA• Converting to Hexadecimals>>> hex(255)'0xff'>>> hex(0)'0x0'>>> hex(10)'0xa'>>> hex(15)'0xf'
• Working with ASCII codes>>> x = '\x41‘>>> print xA• Converting to Hexadecimals>>> hex(255)'0xff'>>> hex(0)'0x0'>>> hex(10)'0xa'>>> hex(15)'0xf'
![Page 23: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/23.jpg)
binary-zone.com 23
Python User InputPython User Input
• Python can handle user input from different sources:– Directly from the user– From Files– From GUI (not covered in this lecture)
• Python can handle user input from different sources:– Directly from the user– From Files– From GUI (not covered in this lecture)
![Page 24: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/24.jpg)
binary-zone.com 24
Python User Input – Cont.Python User Input – Cont.
• Directly from the user using raw_input
>>> userEmail = raw_input("Please enter your email address: ")Please enter your email address: [email protected]
>>> userEmail'[email protected]'
>>> type(userEmail)<type 'str'>
• Directly from the user using raw_input
>>> userEmail = raw_input("Please enter your email address: ")Please enter your email address: [email protected]
>>> userEmail'[email protected]'
>>> type(userEmail)<type 'str'>
![Page 25: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/25.jpg)
binary-zone.com 25
Python User Input – Cont.Python User Input – Cont.
• From Text Files>>> f = open("./services.txt", "r")>>> for line in f:... print line... HTTP 80SSH 22FTP 21HTTPS 443SMTP 25POP 110
>>> f.close()
• From Text Files>>> f = open("./services.txt", "r")>>> for line in f:... print line... HTTP 80SSH 22FTP 21HTTPS 443SMTP 25POP 110
>>> f.close()
Other common file functions:• write• read• readline
![Page 26: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/26.jpg)
binary-zone.com 26
Creating FunctionsCreating Functions
• Whenever you need to repeat a block of code, functions comes helpful
• Creating a Python Function (syntax)
def fName( listOfArguments ):Line1Line2….Line nreturn something
• Whenever you need to repeat a block of code, functions comes helpful
• Creating a Python Function (syntax)
def fName( listOfArguments ):Line1Line2….Line nreturn something
![Page 27: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/27.jpg)
binary-zone.com 27
Creating Functions – Cont.Creating Functions – Cont.
• Basic function to check for valid port numbers
def checkPortNumber(port):if port > 65535 or port < 0:
return Falseelse:
return True
• Howto use the checkPortNumber function:print checkPortNumber(80) Trueprint checkPortNumber(66000) Falseprint checkPortNumber(-1) False
• Basic function to check for valid port numbers
def checkPortNumber(port):if port > 65535 or port < 0:
return Falseelse:
return True
• Howto use the checkPortNumber function:print checkPortNumber(80) Trueprint checkPortNumber(66000) Falseprint checkPortNumber(-1) False
![Page 28: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/28.jpg)
binary-zone.com 28
Working with ModulesWorking with Modules
• Modules in Python are simply any file containing Python statements!
• Python is distributed with many modules• To use a module:
– import module– import module1, module2, moduleN– import module as newname– from module import *– from module import <specific>
• Modules in Python are simply any file containing Python statements!
• Python is distributed with many modules• To use a module:
– import module– import module1, module2, moduleN– import module as newname– from module import *– from module import <specific>
![Page 29: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/29.jpg)
binary-zone.com 29
Common Used ModulesCommon Used Modules
• The most commonly used modules with security coding are:– string, re– os, sys, socket– hashlib– httplib, urllib2– Others? Please add …
• The most commonly used modules with security coding are:– string, re– os, sys, socket– hashlib– httplib, urllib2– Others? Please add …
![Page 30: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/30.jpg)
Modules and ExamplesModules and Examples
![Page 31: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/31.jpg)
binary-zone.com 31
Module “sys”Module “sys”
• Check Python path, and count themimport sysprint "path has", len(sys.path), "members“print "The members are:“for member in sys.path: print member
• Print all imported modules:>>> print sys.modules.keys()
• Print the platform type (linux, win32, mac, etc)>>> print sys.platform
• Check Python path, and count themimport sysprint "path has", len(sys.path), "members“print "The members are:“for member in sys.path: print member
• Print all imported modules:>>> print sys.modules.keys()
• Print the platform type (linux, win32, mac, etc)>>> print sys.platform
![Page 32: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/32.jpg)
binary-zone.com 32
Module “sys” – Cont.Module “sys” – Cont.
• Check application name, and list number of passed arguments
import sysprint “The application name is:", sys.argv[0]
if len(sys.argv) > 1: print “You passed", len(sys.argv)-1, "arguments. They are:" for arg in sys.argv[1:]: print argelse: print “No arguments passed!“
• Check application name, and list number of passed arguments
import sysprint “The application name is:", sys.argv[0]
if len(sys.argv) > 1: print “You passed", len(sys.argv)-1, "arguments. They are:" for arg in sys.argv[1:]: print argelse: print “No arguments passed!“
![Page 33: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/33.jpg)
binary-zone.com 33
Module “sys” – Cont.Module “sys” – Cont.
• Check the Python working version>>> sys.version
• Check the Python working version>>> sys.version
![Page 34: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/34.jpg)
binary-zone.com 34
Module “os”Module “os”
import os
• Check platform name (UNIX/Linux = posix, Windows = nt):>>> os.name
• Print the current working directory>>> os.getcwd()
• List files in specific directoryfList = os.listdir("/home")for f in fList:
print f
import os
• Check platform name (UNIX/Linux = posix, Windows = nt):>>> os.name
• Print the current working directory>>> os.getcwd()
• List files in specific directoryfList = os.listdir("/home")for f in fList:
print f
![Page 35: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/35.jpg)
binary-zone.com 35
Module “os” – Cont.Module “os” – Cont.
• Remove a file (delete)>>> os.remove(“file.txt")
• Check the platform line terminator (Windows = ‘\r\n’ , Linux = ‘\n’ , Mac = ‘\r’ )
>>> os.linesep
• Get the effective UID for current user>>> os.geteuid()
• Check if file and check if directory>>> os.path.isfile("/tmp") >>> os.path.isdir("/tmp")
• Remove a file (delete)>>> os.remove(“file.txt")
• Check the platform line terminator (Windows = ‘\r\n’ , Linux = ‘\n’ , Mac = ‘\r’ )
>>> os.linesep
• Get the effective UID for current user>>> os.geteuid()
• Check if file and check if directory>>> os.path.isfile("/tmp") >>> os.path.isdir("/tmp")
![Page 36: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/36.jpg)
binary-zone.com 36
Module “os” – Cont.Module “os” – Cont.
• Run a shell command>>> os.system("ping -c 2 127.0.0.1")
• Execute a command & return a file objectfiles = os.popen("ls -l /tmp")for i in files:
print i
• Run a shell command>>> os.system("ping -c 2 127.0.0.1")
• Execute a command & return a file objectfiles = os.popen("ls -l /tmp")for i in files:
print i
![Page 37: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/37.jpg)
binary-zone.com 37
Module “os” – Cont.Module “os” – Cont.
os.system() # Executing a shell commandos.stat() # Get the status of a fileos.environ() # Get the users environmentos.chdir() # Move focus to a different directoryos.getcwd() # Returns the current working directoryos.getgid() # Return the real group id of the current
processos.getuid() # Return the current process’s user idos.getpid() # Returns the real process ID of the current
processos.getlogin() # Return the name of the user loggedos.access() # Check read permissionsos.chmod() # Change the mode of path to the numeric
modeos.chown() # Change the owner and group idos.umask(mask) # Set the current numeric umaskos.getsize() # Get the size of a file
os.system() # Executing a shell commandos.stat() # Get the status of a fileos.environ() # Get the users environmentos.chdir() # Move focus to a different directoryos.getcwd() # Returns the current working directoryos.getgid() # Return the real group id of the current
processos.getuid() # Return the current process’s user idos.getpid() # Returns the real process ID of the current
processos.getlogin() # Return the name of the user loggedos.access() # Check read permissionsos.chmod() # Change the mode of path to the numeric
modeos.chown() # Change the owner and group idos.umask(mask) # Set the current numeric umaskos.getsize() # Get the size of a file
![Page 38: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/38.jpg)
binary-zone.com 38
Module “os” – Cont.Module “os” – Cont.
os.path.getmtime() # Last time a given directory was modifiedos.path.getatime() # Last time a given directory was accessedos.environ() # Get the users environmentos.uname() # Return information about the current OSos.chroot(path) # Change the root directory of the current
process to path
os.listdir(path) # List of the entries in the directory given by path
os.getloadavg() # Show queue averaged over the last 1, 5, and 15 minutes
os.path.exists() # Check if a path existsos.walk() # Print out all directories, sub-directories and
files
os.path.getmtime() # Last time a given directory was modifiedos.path.getatime() # Last time a given directory was accessedos.environ() # Get the users environmentos.uname() # Return information about the current OSos.chroot(path) # Change the root directory of the current
process to path
os.listdir(path) # List of the entries in the directory given by path
os.getloadavg() # Show queue averaged over the last 1, 5, and 15 minutes
os.path.exists() # Check if a path existsos.walk() # Print out all directories, sub-directories and
files
![Page 39: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/39.jpg)
binary-zone.com 39
Module “os” – Cont.Module “os” – Cont.
os.mkdir(path) # Create a directory named path with numeric mode
mode
os.makedirs(path) # Recursive directory creation functionos.remove(path) # Remove (delete) the file pathos.removedirs(path) # Remove directories recursivelyos.rename(src, dst) # Rename the file or directory src to dstos.rmdir(path) # Remove (delete) the directory path
os.mkdir(path) # Create a directory named path with numeric mode
mode
os.makedirs(path) # Recursive directory creation functionos.remove(path) # Remove (delete) the file pathos.removedirs(path) # Remove directories recursivelyos.rename(src, dst) # Rename the file or directory src to dstos.rmdir(path) # Remove (delete) the directory path
![Page 40: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/40.jpg)
binary-zone.com 40
Execute External ProgramsExecute External Programs
• Running external programs are very useful when you need to do automation (like in scripts)
• Execution could be categorized into:– Synchronous
• Invokes the external commands and waits for the return– Asynchronous
• Returns immediately and continue in the main thread
• Running external programs are very useful when you need to do automation (like in scripts)
• Execution could be categorized into:– Synchronous
• Invokes the external commands and waits for the return– Asynchronous
• Returns immediately and continue in the main thread
http://helloacm.com/execute-external-programs-the-python-ways/
![Page 41: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/41.jpg)
binary-zone.com 41
Execute External Programs – Cont.Execute External Programs – Cont.
• The easy was is to import the os module– Provides: popen(), system(), startfile()
>>> import os>>> print os.popen("echo Hello, World!").read()
• The os.popen() will treat the output (stdout, stderr) as file object, so you can capture the output of the external programs
• The easy was is to import the os module– Provides: popen(), system(), startfile()
>>> import os>>> print os.popen("echo Hello, World!").read()
• The os.popen() will treat the output (stdout, stderr) as file object, so you can capture the output of the external programs
![Page 42: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/42.jpg)
binary-zone.com 42
Execute External Programs – Cont.Execute External Programs – Cont.
• The os.system() is also synchronous, and could returns the exit-status
>>> import os>>> print os.system('notepad.exe')
• The os.system() is also synchronous, and could returns the exit-status
>>> import os>>> print os.system('notepad.exe')
![Page 43: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/43.jpg)
binary-zone.com 43
Execute External Programs – Cont.Execute External Programs – Cont.
• By acting like double-click in the file explorer, you can use os.startfile() to launch external program that is associated with this file– This is an asynchronous method
>>> import os>>> os.startfile('test.txt')
• It will throw out an exception if file is not found– WindowsError: [Error 2] The system cannot find the file specified:
• By acting like double-click in the file explorer, you can use os.startfile() to launch external program that is associated with this file– This is an asynchronous method
>>> import os>>> os.startfile('test.txt')
• It will throw out an exception if file is not found– WindowsError: [Error 2] The system cannot find the file specified:
![Page 44: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/44.jpg)
binary-zone.com 44
Execute External Programs – Cont.Execute External Programs – Cont.
• If you install the win32api package (not shipped by default), you can use the following asynchronous method:
import win32apitry: win32api.WinExec('notepad.exe')except: pass
• Windows platforms only.
• If you install the win32api package (not shipped by default), you can use the following asynchronous method:
import win32apitry: win32api.WinExec('notepad.exe')except: pass
• Windows platforms only.
![Page 45: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/45.jpg)
binary-zone.com 45
Execute External Programs – Cont.Execute External Programs – Cont.
• The subprocess package provides a syncrhonous and an asynchronous methods namely call and Popen
• Both methods take the first parameter as a list
import subprocesssubprocess.call(['notepad.exe', 'abc.txt'])subprocess.Popen(['notepad.exe'])# thread continues ...p.terminate()
• The subprocess package provides a syncrhonous and an asynchronous methods namely call and Popen
• Both methods take the first parameter as a list
import subprocesssubprocess.call(['notepad.exe', 'abc.txt'])subprocess.Popen(['notepad.exe'])# thread continues ...p.terminate()
![Page 46: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/46.jpg)
binary-zone.com 46
Execute External Programs – Cont.Execute External Programs – Cont.
• You can use wait() to synchronous the processes
import subprocessp = subprocess.Popen('ls', shell=True, stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)for line in p.stdout.readlines(): print lineretval = p.wait()print retval
• You can use wait() to synchronous the processes
import subprocessp = subprocess.Popen('ls', shell=True, stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)for line in p.stdout.readlines(): print lineretval = p.wait()print retval
![Page 47: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/47.jpg)
binary-zone.com 47
Module “socket”Module “socket”
import socket
• Creating a simple TCP client– Check simpleClient.py
• Creating a simple TCP server– Check simpleServer.py
• Create a malicious FTP Client– ftpClient.py
import socket
• Creating a simple TCP client– Check simpleClient.py
• Creating a simple TCP server– Check simpleServer.py
• Create a malicious FTP Client– ftpClient.py
![Page 48: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/48.jpg)
binary-zone.com 48
Module “socket” – Cont.Module “socket” – Cont.
• Create TCP Socket, then send and receive data from website using the socket
import sockets = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect(("www.ashemery.com", 80))s.send('GET / HTTP/1.1\r\nHost: www.ashemery.com\r\n\r\n')data = s.recv(2048)s.close()print data
• Create TCP Socket, then send and receive data from website using the socket
import sockets = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect(("www.ashemery.com", 80))s.send('GET / HTTP/1.1\r\nHost: www.ashemery.com\r\n\r\n')data = s.recv(2048)s.close()print data
Note: For UDP Sockets use SOCK_DGRAM instead of SOCK_STREAM
![Page 49: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/49.jpg)
binary-zone.com 49
Module “pcapy”Module “pcapy”
• Pcapy is a Python extension module that interfaces with the libpcap packet capture library.
• Pcapy enables python scripts to capture packets on the network.
• Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.
• Packet Capturing using pcapy example– pcapyPktCapture1.py– pcapyEx1.py– pcapyDumper.py
• Pcapy is a Python extension module that interfaces with the libpcap packet capture library.
• Pcapy enables python scripts to capture packets on the network.
• Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.
• Packet Capturing using pcapy example– pcapyPktCapture1.py– pcapyEx1.py– pcapyDumper.py
![Page 50: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/50.jpg)
binary-zone.com 50
Module “urllib” & “urllib2”Module “urllib” & “urllib2”
• urllib2 is a Python module for fetching URLs.• Offers a very simple interface, in the form of the urlopen
function.• Capable of fetching URLs using a variety of different protocols
(http, ftp, file, etc)• Also offers a slightly more complex interface for handling
common situations:– Basic authentication– Cookies– Proxies– etc
• urllib2 is a Python module for fetching URLs.• Offers a very simple interface, in the form of the urlopen
function.• Capable of fetching URLs using a variety of different protocols
(http, ftp, file, etc)• Also offers a slightly more complex interface for handling
common situations:– Basic authentication– Cookies– Proxies– etc
![Page 51: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/51.jpg)
binary-zone.com 51
urllib vs urllib2urllib vs urllib2
• Both modules do URL request related stuff, but they have different functionality.
• urllib2 can accept a Request object to set the headers for a URL request, urllib accepts only a URL.
• urllib provides the urlencode method which is used for the generation of GET query strings, urllib2 doesn't have such a function.
• Because of that urllib and urllib2 are often used together.
• Both modules do URL request related stuff, but they have different functionality.
• urllib2 can accept a Request object to set the headers for a URL request, urllib accepts only a URL.
• urllib provides the urlencode method which is used for the generation of GET query strings, urllib2 doesn't have such a function.
• Because of that urllib and urllib2 are often used together.
Cited [3]
![Page 52: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/52.jpg)
binary-zone.com 52
Example1Example1
import urllib2request = urllib2.Request('http://www.ashemery.com')response = urllib2.urlopen(request)payload = response.read()print(payload)
import urllib2request = urllib2.Request('http://www.ashemery.com')response = urllib2.urlopen(request)payload = response.read()print(payload)
Cited [3]
![Page 53: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/53.jpg)
binary-zone.com 53
Basic URL RequestBasic URL Request
import urllib2response = urllib2.urlopen('http://pythonforbeginners.com/')print response.info()html = response.read()response.close()
import urllib2response = urllib2.urlopen('http://pythonforbeginners.com/')print response.info()html = response.read()response.close()
Cited [3]
![Page 54: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/54.jpg)
binary-zone.com 54
Base64 & ROT13 EncodersBase64 & ROT13 Encoders
Base64#!/usr/bin/pythoncode = raw_input("Enter the data you wish to be encoded to Base64")answer=code.encode('base64','strict')print answer
Base64#!/usr/bin/pythoncode = raw_input("Enter the data you wish to be encoded to Base64")answer=code.encode('base64','strict')print answer
ROT13#!/usr/bin/pythoncode = raw_input("Enter the data you wish to apply ROT13 on")answer=code.encode(‘rot13','strict')print answer
ROT13#!/usr/bin/pythoncode = raw_input("Enter the data you wish to apply ROT13 on")answer=code.encode(‘rot13','strict')print answer
Cited [2]
![Page 55: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/55.jpg)
Packet Crafting with ScapyPacket Crafting with Scapy
![Page 56: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/56.jpg)
binary-zone.com 56
Scapy OverviewScapy Overview
• Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets
• This capability allows construction of tools that can probe, scan or attack networks
• It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark
• Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets
• This capability allows construction of tools that can probe, scan or attack networks
• It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark
![Page 57: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/57.jpg)
binary-zone.com 57
Scapy Overview – Cont.Scapy Overview – Cont.
• Scapy was created by Philippe Biondi and runs in Python:– Can be used interactively at a Python prompt– Included within Python scripts for more complex interactions
• Must run with root privileges to craft packets• Don’t need to be a Python Guru to use Scapy!
• Scapy was created by Philippe Biondi and runs in Python:– Can be used interactively at a Python prompt– Included within Python scripts for more complex interactions
• Must run with root privileges to craft packets• Don’t need to be a Python Guru to use Scapy!
![Page 58: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/58.jpg)
binary-zone.com 58
Scapy Basics - 1Scapy Basics - 1
• Supported protocols:>>> ls()
• Details about a specific protocol:>>> ls(TCP)
• Available commands/functions:>>> lsc()
• Supported protocols:>>> ls()
• Details about a specific protocol:>>> ls(TCP)
• Available commands/functions:>>> lsc()
![Page 59: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/59.jpg)
binary-zone.com 59
Scapy Basics - 2Scapy Basics - 2
• Crafting a SYN/ACK Packet>>> pkt = IP(dst="192.168.122.101")>>> pkt /= TCP(dport=80, flags="SA")
• Crafting ICMP Host Unreachable Packet>>> pkt = IP(dst="192.168.122.101")>>> pkt /= ICMP(type=3,code=1)
• Crafting a SYN/ACK Packet>>> pkt = IP(dst="192.168.122.101")>>> pkt /= TCP(dport=80, flags="SA")
• Crafting ICMP Host Unreachable Packet>>> pkt = IP(dst="192.168.122.101")>>> pkt /= ICMP(type=3,code=1)
![Page 60: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/60.jpg)
binary-zone.com 60
Scapy Basics - 3Scapy Basics - 3
Single Line:• ICMP echo request Packet>>> mypkt = IP(dst="192.168.122.101") /ICMP(code=0,type=8)
• TCP FIN, Port 22, Random Source Port, and Random Seq#>>> mypkt = IP(dst="192.168.122.101")
/TCP(dport=22,sport=RandShort(),seq=RandShort(),flags="F")
Single Line:• ICMP echo request Packet>>> mypkt = IP(dst="192.168.122.101") /ICMP(code=0,type=8)
• TCP FIN, Port 22, Random Source Port, and Random Seq#>>> mypkt = IP(dst="192.168.122.101")
/TCP(dport=22,sport=RandShort(),seq=RandShort(),flags="F")
![Page 61: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/61.jpg)
binary-zone.com 61
Sending and Receiving Packets – @L3Sending and Receiving Packets – @L3
• Send packet at layer 3>>> send(packet)
• Send packet at L3 and receive one response>>> resp = sr1(packet)
• Send packet at L3 and receive all responses>>> ans,unans = sr(packet)
• Send packet at layer 3>>> send(packet)
• Send packet at L3 and receive one response>>> resp = sr1(packet)
• Send packet at L3 and receive all responses>>> ans,unans = sr(packet)
![Page 62: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/62.jpg)
binary-zone.com 62
Sending and Receiving Packets – @L2Sending and Receiving Packets – @L2
• Send packet at layer 2>>> sendp(Ether()/packet)
• Send packet at L2 and receive one response>>> resp = srp1(packet)
• Send packet at L2 and receive all responses>>> ans,unans = srp(packet)
• Send packet at layer 2>>> sendp(Ether()/packet)
• Send packet at L2 and receive one response>>> resp = srp1(packet)
• Send packet at L2 and receive all responses>>> ans,unans = srp(packet)
![Page 63: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/63.jpg)
binary-zone.com 63
Displaying PacketsDisplaying Packets
• Get a summary of each packet:>>> pkts.summary()
• Get the whole packet list:>>> pkts.show()
• Get a summary of each packet:>>> pkts.summary()
• Get the whole packet list:>>> pkts.show()
![Page 64: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/64.jpg)
binary-zone.com 64
Scapy Host DiscoveryScapy Host Discovery
>>> ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.122.0/24"),timeout=2)
>>> ans.summary(lambda(s,r): r.sprintf("Ether: %Ether.src% \t\t Host: %ARP.psrc%"))
>>> ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.122.0/24"),timeout=2)
>>> ans.summary(lambda(s,r): r.sprintf("Ether: %Ether.src% \t\t Host: %ARP.psrc%"))
![Page 65: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/65.jpg)
binary-zone.com 65
Scapy Port ScanningScapy Port Scanning
• TCP SYN Scanner>>> sr1(IP(dst="192.168.122.101") /TCP(dport=90,flags="S"))
>>> a,u = sr(IP(dst="192.168.122.101") /TCP(dport=(80,100),flags="S"))
>>> a.summary(lambda(s,r): r.sprintf("Port: %TCP.sport% \t\t Flags: %TCP.flags%"))
• TCP SYN Scanner>>> sr1(IP(dst="192.168.122.101") /TCP(dport=90,flags="S"))
>>> a,u = sr(IP(dst="192.168.122.101") /TCP(dport=(80,100),flags="S"))
>>> a.summary(lambda(s,r): r.sprintf("Port: %TCP.sport% \t\t Flags: %TCP.flags%"))
![Page 66: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/66.jpg)
binary-zone.com 66
Scapy Sniffing - 1Scapy Sniffing - 1
• Scapy has powerful capabilities to capture and analyze packets.
• Configure the network interface to sniff packets from:>>> conf.iface="eth0“
Configure the scapy sniffer to sniff only 20 packets>>> pkts=sniff(count=20)
• Scapy has powerful capabilities to capture and analyze packets.
• Configure the network interface to sniff packets from:>>> conf.iface="eth0“
Configure the scapy sniffer to sniff only 20 packets>>> pkts=sniff(count=20)
![Page 67: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/67.jpg)
binary-zone.com 67
Scapy Sniffing - 2Scapy Sniffing - 2
• Sniff packets and stop after a defined time:>>> pkts=sniff(count=100,timeout=60)
• Sniff only packets based on a filter:>>> pkts = sniff(count=100,filter="tcp port 80")
• Sniff packets and stop after a defined time:>>> pkts=sniff(count=100,timeout=60)
• Sniff only packets based on a filter:>>> pkts = sniff(count=100,filter="tcp port 80")
![Page 68: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/68.jpg)
binary-zone.com 68
Scapy Sniffing - 3Scapy Sniffing - 3
>>> pkts = sniff(count=10,prn=lambda x:x.sprintf("SrcIP={IP:%IP.src% -> DestIP=%IP.dst%} | Payload={Raw:%Raw.load%\n}"))
• What is that doing ???
>>> pkts = sniff(count=10,prn=lambda x:x.sprintf("SrcIP={IP:%IP.src% -> DestIP=%IP.dst%} | Payload={Raw:%Raw.load%\n}"))
• What is that doing ???
![Page 69: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/69.jpg)
binary-zone.com 69
Exporting PacketsExporting Packets
• Sometimes it is very useful to save the captured packets in a PCAP file for future work:
>>> wrpcap(“file1.cap", pkts)
• Dumping packets in HEX format:>>> hexdump(pkts)
• Dump a single packet in HEX format:>>> hexdump(pkts[2])
• Convert a packet to hex string:>>> str(pkts[2])
• Sometimes it is very useful to save the captured packets in a PCAP file for future work:
>>> wrpcap(“file1.cap", pkts)
• Dumping packets in HEX format:>>> hexdump(pkts)
• Dump a single packet in HEX format:>>> hexdump(pkts[2])
• Convert a packet to hex string:>>> str(pkts[2])
![Page 70: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/70.jpg)
binary-zone.com 70
Importing PacketsImporting Packets
• To import from a PCAP file:>>> pkts = rdpcap(“file1.cap")
• Or use the scapy sniffer but with the offline argument:>>> pkts2 = sniff(offline="file1.cap")
• To import from a PCAP file:>>> pkts = rdpcap(“file1.cap")
• Or use the scapy sniffer but with the offline argument:>>> pkts2 = sniff(offline="file1.cap")
![Page 71: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/71.jpg)
binary-zone.com 71
Create your own toolsCreate your own tools
>>> def handler(packet):hexdump(packet.payload)
>>> sniff(count=20, prn=handler)
>>> def handler2(packet):sendp(packet)
>>> sniff(count=20, prn=handler2)
>>> def handler(packet):hexdump(packet.payload)
>>> sniff(count=20, prn=handler)
>>> def handler2(packet):sendp(packet)
>>> sniff(count=20, prn=handler2)
![Page 72: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/72.jpg)
binary-zone.com 72
YesmanYesman
#!/usr/bin/env pythonimport sysfrom scapy.all import *def findSYN(p): flags = p.sprintf("%TCP.flags%") if flags == "S": # Only respond to SYN Packets ip = p[IP] # Received IP Packet tcp = p[TCP] # Received TCP Segment i = IP() # Outgoing IP Packet i.dst = ip.src i.src = ip.dst t = TCP() # Outgoing TCP Segment t.flags = "SA" t.dport = tcp.sport t.sport = tcp.dport t.seq = tcp.ack new_ack = tcp.seq + 1 print ("SYN/ACK sent to ",i.dst,":",t.dport) send(i/t)
#!/usr/bin/env pythonimport sysfrom scapy.all import *def findSYN(p): flags = p.sprintf("%TCP.flags%") if flags == "S": # Only respond to SYN Packets ip = p[IP] # Received IP Packet tcp = p[TCP] # Received TCP Segment i = IP() # Outgoing IP Packet i.dst = ip.src i.src = ip.dst t = TCP() # Outgoing TCP Segment t.flags = "SA" t.dport = tcp.sport t.sport = tcp.dport t.seq = tcp.ack new_ack = tcp.seq + 1 print ("SYN/ACK sent to ",i.dst,":",t.dport) send(i/t)
sniff(prn=findSYN)
![Page 73: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/73.jpg)
Others (not categorized yet!)Others (not categorized yet!)
![Page 74: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/74.jpg)
binary-zone.com 74
Adding Time DelayAdding Time Delay
• Delay for 5 seconds>>> import time>>> time.sleep(5)
• Run something once a minute:import timewhile True:
print "This prints once a minute.”time.sleep(60)
• Delay for 5 seconds>>> import time>>> time.sleep(5)
• Run something once a minute:import timewhile True:
print "This prints once a minute.”time.sleep(60)
http://stackoverflow.com/questions/510348/how-can-i-make-a-time-delay-in-python
![Page 75: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/75.jpg)
binary-zone.com 75
Exploit DevelopmentExploit Development
#!/usr/bin/pythonimport sockethost = “target”port = <port#>cmd = “initial command”s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)buffer = “buffer to send“shellcode = “shellcode”Payload = cmd + buffer + shellcodeprint "\n Any status message \n“s.connect((host,port))data = s.recv(1024)s.send(payload +”\n”)s.close
#!/usr/bin/pythonimport sockethost = “target”port = <port#>cmd = “initial command”s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)buffer = “buffer to send“shellcode = “shellcode”Payload = cmd + buffer + shellcodeprint "\n Any status message \n“s.connect((host,port))data = s.recv(1024)s.send(payload +”\n”)s.close
![Page 76: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/76.jpg)
Python Tools for Penetration Testers
Python Tools for Penetration Testers
![Page 77: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/77.jpg)
binary-zone.com 77
Network ToolsNetwork Tools
• Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library• pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap• libdnet: low-level networking routines, including interface lookup and Ethernet frame
transmission • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols• Impacket: craft and decode network packets. Includes support for higher-level protocols
such as NMB and SMB• pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and
port scan detection• Dirtbags py-pcap: read pcap files without libpcap• flowgrep: grep through packet payloads using regular expressions• Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist• Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard
protocols on the fly• Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
• Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library• pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap• libdnet: low-level networking routines, including interface lookup and Ethernet frame
transmission • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols• Impacket: craft and decode network packets. Includes support for higher-level protocols
such as NMB and SMB• pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and
port scan detection• Dirtbags py-pcap: read pcap files without libpcap• flowgrep: grep through packet payloads using regular expressions• Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist• Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard
protocols on the fly• Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
Cited [5]
![Page 78: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/78.jpg)
binary-zone.com 78
Debugging and Reverse Engineering Tools
Debugging and Reverse Engineering Tools
• Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH• Immunity Debugger: scriptable GUI and command line debugger• mona.py: PyCommand for Immunity Debugger that replaces and
improves on pvefindaddr• IDAPython: IDA Pro plugin that integrates the Python programming
language, allowing scripts to run in IDA Pro• PyEMU: fully scriptable IA-32 emulator, useful for malware analysis• pefile: read and work with Portable Executable (aka PE) files• pydasm: Python interface to the libdasm x86 disassembling library
• Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH• Immunity Debugger: scriptable GUI and command line debugger• mona.py: PyCommand for Immunity Debugger that replaces and
improves on pvefindaddr• IDAPython: IDA Pro plugin that integrates the Python programming
language, allowing scripts to run in IDA Pro• PyEMU: fully scriptable IA-32 emulator, useful for malware analysis• pefile: read and work with Portable Executable (aka PE) files• pydasm: Python interface to the libdasm x86 disassembling library
Cited [5]
![Page 79: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/79.jpg)
binary-zone.com 79
Debugging and Reverse Engineering Tools – Cont.
Debugging and Reverse Engineering Tools – Cont.
• PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine• uhooker: intercept calls to API calls inside DLLs, and also arbitrary
addresses within the executable file in memory• diStorm: disassembler library for AMD64, licensed under the BSD license• python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call
to trace processes) written in Python• vdb / vtrace: vtrace is a cross-platform process debugging API
implemented in python, and vdb is a debugger which uses it• Androguard: reverse engineering and analysis of Android applications
• PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine• uhooker: intercept calls to API calls inside DLLs, and also arbitrary
addresses within the executable file in memory• diStorm: disassembler library for AMD64, licensed under the BSD license• python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call
to trace processes) written in Python• vdb / vtrace: vtrace is a cross-platform process debugging API
implemented in python, and vdb is a debugger which uses it• Androguard: reverse engineering and analysis of Android applications
Cited [5]
![Page 80: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/80.jpg)
binary-zone.com 80
Fuzzing ToolsFuzzing Tools
• Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
• Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
• antiparser: fuzz testing and fault injection API• TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-
deterministic network fuzzer • untidy: general purpose XML fuzzer• Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP
protocol based application fuzzer)• SMUDGE
• Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
• Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
• antiparser: fuzz testing and fault injection API• TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-
deterministic network fuzzer • untidy: general purpose XML fuzzer• Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP
protocol based application fuzzer)• SMUDGE
Cited [5]
![Page 81: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/81.jpg)
binary-zone.com 81
Fuzzing Tools – Cont.Fuzzing Tools – Cont.
• Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
• Fuzzbox: multi-codec media fuzzer • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file
systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
• Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
• WSBang: perform automated security testing of SOAP based web services• Construct: library for parsing and building of data structures (binary or
textual). Define your data structures in a declarative manner • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano• Fusil: Python library used to write fuzzing programs
• Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
• Fuzzbox: multi-codec media fuzzer • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file
systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
• Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
• WSBang: perform automated security testing of SOAP based web services• Construct: library for parsing and building of data structures (binary or
textual). Define your data structures in a declarative manner • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano• Fusil: Python library used to write fuzzing programs
Cited [5]
![Page 82: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/82.jpg)
binary-zone.com 82
Web ToolsWeb Tools
• Requests: elegant and simple HTTP library, built for human beings• HTTPie: human-friendly cURL-like command line HTTP client• ProxMon: processes proxy logs and reports discovered issues• WSMap: find web service endpoints and discovery files• Twill: browse the Web from a command-line interface. Supports
automated Web testing• Ghost.py: webkit web client written in Python• Windmill: web testing tool designed to let you painlessly automate and
debug your web application
• Requests: elegant and simple HTTP library, built for human beings• HTTPie: human-friendly cURL-like command line HTTP client• ProxMon: processes proxy logs and reports discovered issues• WSMap: find web service endpoints and discovery files• Twill: browse the Web from a command-line interface. Supports
automated Web testing• Ghost.py: webkit web client written in Python• Windmill: web testing tool designed to let you painlessly automate and
debug your web application
Cited [5]
![Page 83: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/83.jpg)
binary-zone.com 83
Web Tools – Cont.Web Tools – Cont.
• FunkLoad: functional and load web tester• spynner: Programmatic web browsing module for Python with
Javascript/AJAX support• python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript
engine; allows for the evaluation and calling of Javascript scripts and functions
• mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
• pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
• FunkLoad: functional and load web tester• spynner: Programmatic web browsing module for Python with
Javascript/AJAX support• python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript
engine; allows for the evaluation and calling of Javascript scripts and functions
• mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
• pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
Cited [5]
![Page 84: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/84.jpg)
binary-zone.com 84
Forensic ToolsForensic Tools
• Volatility: extract digital artifacts from volatile memory (RAM) samples
• LibForensics: library for developing digital forensics applications
• TrIDLib, identify file types from their binary signatures. Now includes Python binding
• aft: Android forensic toolkit
• Lots of others which you’ll see them very soon ;)
• Volatility: extract digital artifacts from volatile memory (RAM) samples
• LibForensics: library for developing digital forensics applications
• TrIDLib, identify file types from their binary signatures. Now includes Python binding
• aft: Android forensic toolkit
• Lots of others which you’ll see them very soon ;)
Cited [5]
![Page 85: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/85.jpg)
binary-zone.com 85
Malware Analysis ToolsMalware Analysis Tools
• pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
• Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
• pyClamAV: add virus detection capabilities to your Python software• jsunpack-n, generic JavaScript unpacker: emulates browser functionality
to detect exploits that target browser and browser plug-in vulnerabilities• yara-python: identify and classify malware samples• phoneyc: pure Python honeyclient implementation
• pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
• Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
• pyClamAV: add virus detection capabilities to your Python software• jsunpack-n, generic JavaScript unpacker: emulates browser functionality
to detect exploits that target browser and browser plug-in vulnerabilities• yara-python: identify and classify malware samples• phoneyc: pure Python honeyclient implementation
Cited [5]
![Page 86: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/86.jpg)
binary-zone.com 86
PDF ToolsPDF Tools
• Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)
• Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
• Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
• pyPDF: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt...
• PDFMiner: extract text from PDF files• python-poppler-qt4: Python binding for the Poppler PDF
library, including Qt4 support
• Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)
• Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
• Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
• pyPDF: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt...
• PDFMiner: extract text from PDF files• python-poppler-qt4: Python binding for the Poppler PDF
library, including Qt4 support
Cited [5]
![Page 87: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/87.jpg)
Lab Time!Lab Time!
![Page 88: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/88.jpg)
binary-zone.com 88
DIY DIY
This lab is a Do It Yourself (DIY) Lab that must done at home:[1] Create a TCP ACK Port Scanner[2] Create a TCP Replay Tool[3] Create a UDP Ping Tool[4] Create a Sniffer that filters based on user input[5] Create a tool for HTTP Basic Authentication
– Login– Bruteforce
[6] Create a basic Honeypot that logs all activity to a text file
This lab is a Do It Yourself (DIY) Lab that must done at home:[1] Create a TCP ACK Port Scanner[2] Create a TCP Replay Tool[3] Create a UDP Ping Tool[4] Create a Sniffer that filters based on user input[5] Create a tool for HTTP Basic Authentication
– Login– Bruteforce
[6] Create a basic Honeypot that logs all activity to a text file
![Page 89: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/89.jpg)
binary-zone.com 89
SUMMARYSUMMARY
• Discussed Why Learn Python• Discussed What is Python Good for?• Explained Python Basics• Some Quick Python Tips and Tricks• Python User Input• Howto Create Functions using Python• Working with Modules, and the Python Common Used Modules• Howto use the Python SYS and OS Modules• Using Python to work with Networks: Sockets, pcapy, etc• Using Python to work with the Web (urllib, urllib2)• Using Python to create simple Encoders• Howto use Python for Exploit Development• Craft your own packets using Scapy• Python tools for penetration testers
• Discussed Why Learn Python• Discussed What is Python Good for?• Explained Python Basics• Some Quick Python Tips and Tricks• Python User Input• Howto Create Functions using Python• Working with Modules, and the Python Common Used Modules• Howto use the Python SYS and OS Modules• Using Python to work with Networks: Sockets, pcapy, etc• Using Python to work with the Web (urllib, urllib2)• Using Python to create simple Encoders• Howto use Python for Exploit Development• Craft your own packets using Scapy• Python tools for penetration testers
![Page 90: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/90.jpg)
binary-zone.com 90
Citation of Used WorkCitation of Used Work
[1] Keith Dixon, @Tazdrumm3r, http://tazdrumm3r.wordpress.com/[2] Python Comic, http://xkcd.com/353/, [3] Live Packet Capture in Python with pcapy,
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/[4] How to use urllib2 in Python,
http://www.pythonforbeginners.com/python-on-the-web/how-to-use-urllib2-in-python/
[5] Python tools for penetration testers, http://www.dirk-loss.de/python-tools.htm
[1] Keith Dixon, @Tazdrumm3r, http://tazdrumm3r.wordpress.com/[2] Python Comic, http://xkcd.com/353/, [3] Live Packet Capture in Python with pcapy,
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/[4] How to use urllib2 in Python,
http://www.pythonforbeginners.com/python-on-the-web/how-to-use-urllib2-in-python/
[5] Python tools for penetration testers, http://www.dirk-loss.de/python-tools.htm
![Page 91: Hacking Techniques & Intrusion Detection](https://reader035.fdocuments.net/reader035/viewer/2022062301/56813ae8550346895da34b08/html5/thumbnails/91.jpg)
binary-zone.com 91
ReferencesReferences
[1] Coding for Penetration Testers Book,[2] Violent Python Book,[3] Scapy Documentation, http://www.secdev.org/projects/scapy/doc/[4] Python, http://www.python.org/[5] Python Infosec tools, http://www.dirk-loss.de/python-tools.htm[6] Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for
Forensic Analysis, http://www.sans.org/reading_room/whitepapers/incident/grow-forensic-tools-taxonomy-python-libraries-helpful-forensic-analysis_33453
[7] Python Docs, http://docs.python.org/[8] Python Tutorial, http://www.tutorialspoint.com/python/index.htm[9] pcapy,
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
[10] Basic Authentication Authentication with Python, http://www.voidspace.org.uk/python/articles/authentication.shtml
[11] Justin Searle, Python Basics for Web App Pentesters, InGuardians Inc
[1] Coding for Penetration Testers Book,[2] Violent Python Book,[3] Scapy Documentation, http://www.secdev.org/projects/scapy/doc/[4] Python, http://www.python.org/[5] Python Infosec tools, http://www.dirk-loss.de/python-tools.htm[6] Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for
Forensic Analysis, http://www.sans.org/reading_room/whitepapers/incident/grow-forensic-tools-taxonomy-python-libraries-helpful-forensic-analysis_33453
[7] Python Docs, http://docs.python.org/[8] Python Tutorial, http://www.tutorialspoint.com/python/index.htm[9] pcapy,
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
[10] Basic Authentication Authentication with Python, http://www.voidspace.org.uk/python/articles/authentication.shtml
[11] Justin Searle, Python Basics for Web App Pentesters, InGuardians Inc