I don’t even know where to start. This was one of a few times where a book was so interesting, I couldn’t put it down. On top of that, this is just so jam-packed full of interesting things – it was just a great read.
This was a fun… nah, a BLAST to read!! If you ever had “fun” programming, this book will re-introduce you to that idea. The book is: Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
Why is it so great? I think because it has the magic formula of:
- Useful – Tons of practical, useful, interesting, and complete examples.
- Easy – They are easy to implement – even if you don’t know python. I don’t think any script goes over like 50 lines.
- Powerful – These are ridiculously powerful scripts. You can do a lot with a few lines of code.
That combination makes for a fun, fun read. So first, you should stop reading this – get the book ordered, and then come back and read this review! It is impossible for you to be disappointed.
What is this?
Python is a programming language that runs on any kind of computer. The computer language is very English-like, which makes it easy to write and understand. I’ve written a few blog posts about it, see here. For example:
def getString(name):
    return "Hello, " + name

if __name__ == '__main__':
    message = getString("Jane")
    print('[+] ' + message)
This book shows tons of examples of using 10-50 lines of code to do very powerful things to either test the security of your network/server/device/whatever – and also lots of useful things for computer forensics. That is, imagine you’ve been handed a laptop of a nefarious person and you are asked to get all of the useful data off of it. These forensic techniques can make it so you can very quickly glean a ridiculous amount of information about that person and what they’ve done via that computer (and even their phone).
This is unrelated to the book, but here is an example of someone setting up a BotNet with Python and they don’t even need to use a scroll bar to see all of the source code. See if you can follow along:
That’s just to give you a taste of how powerful yet simple Python can be.
After reading it, I reviewed it again – and to my eyes, I see this book separated into several sections:
- Setting up Python / Getting started.
- BEFORE – Penetration testing before an attack.
- DURING – Performing an attack / analyzing an attack in-progress.
- AFTER – Forensics to build a case after an attack.
- Wireless and Bluetooth hacks which can help all of the above (on both sides).
- Anonymity and reconnaissance during any of the above (on both sides).
With that said, the book isn’t laid out that way. Some of these topics are interspersed amongst other topics. So, below is my own organization – still chronological to the book – of the categories of information in the book.
Have I mentioned this book was jam-packed and full of a lot of great projects? OK, here’s a breakdown of some of the key elements in the book – many of them were totally giggle-worthy!
- Setting up your Python environment
- Get Python installed (on any platform: Windows, Mac, or Linux)
- Install the various modules needed for this book
- Beautifully done introduction to Python for newbs. Starts with single-line scripts, then a few lines, then 8 lines – then puts together a function, then starts chaining functions – the pace was quite remarkable. So, even if you’ve never even seen Python – even a non-programmer will likely easily grasp it.
- Intro to some key modules like: dealing with console input and output, getting info from the OS, file I/O, etc.
- Later on, multi-threading is also introduced – very simply!
- Penetration Testing (before the event – test your network)
- Using Pxssh to brute-force SSH credentials.
- Exploiting SSH through weak keys. This was timely because just this week, we found out that GitHub STILL had this vulnerability from 2006! This gives a good analysis of that vulnerability and a script to exploit it.
- How to build an SSH BotNet, and an analysis of Low Orbit Ion Cannon (LOIC) voluntary BotNet used by hacktivists to attack a target.
- Using a vulnerable FTP server to update a web site on the same box, to introduce malware to end-users.
- Analysis of the Conficker worm.
- Analysis of “metasploit”, the off-the-shelf penetration-testing framework that lets you easily use over 800 pre-defined exploits from a friendly scripting environment! Then, having Python interact with metasploit.
- The book periodically pulls several of the utilities listed below into one bigger script – which makes up an attack, or a multi-faceted attack!
- Good history and analysis on “buffer overflow” attacks, and then example code of how to conduct one.
- Create a project to compromise a known-bad FTP server with a buffer overflow attack.
- Network Analysis (during the event – real-time tracking of bad stuff happening)
- Correlate IP address to geolocation/city using PyGeoIP and www.maxmind.com
- If you have a capture of network traffic, use Scapy, Dpkt, and pypcap to parse network packets
- Shows how you might monitor a LOIC attack – determine the person who initiated it in IRC, and the willing BotNet members.
- Identifying a Distributed Denial Of Service (DDOS) attack in-progress.
- Really interesting analysis of the solution to a DoD attack in 1999 – where there were countless spoofed attacks to hide the real attack. The TTL was the key, and it was solved by a 17-year-old!
- Analysis of fast-flux, a technique to help hide the command/control servers during an attack by manipulating DNS requests. So build a script to detect and look up these values to help weed out the noise.
- Analysis of Kevin Mitnick’s TCP Sequence Prediction attack – which let him inject himself between the target and the host without either side knowing.
- Analysis of the Snort Intrusion Detection System (IDS) – and how to trigger it. This can be used to generate fake alerts – overwhelming the security team. They have to pore over tons of detection alerts to figure out which one is the real one! Hint: the TTL tricks from above can help defend against this attack sometimes.
- Forensics (after the event – gather evidence)
- History and analysis of the BTK murders and how computer forensics made an airtight case against the killer. Hint: he sent the police an .rtf file that had metadata in it like his first name and location!
- Script the Windows registry to see all Wi-Fi networks that computer connected to – returns SSID and MAC address.
- Use the MASSIVE database of https://wigle.net/, which maps MAC addresses of known access points to physical geolocations (latitude and longitude). This uses “mechanize” to programmatically go to that site and get raw data. Now, you can return the SSID, MAC address, and longitude and latitude of everywhere that computer has connected to Wi-Fi.
- Using Python to restore deleted items/recycle bin.
- Metadata!! Scripts to pull out user-specific details, location, etc. from various files: .pdf, and EXIF data from images. EXIF data is typically camera model, camera settings, and exact GPS coordinates where the picture was taken.
- The data vacuum! Pull all the details of Skype, Firefox, and any iOS device that “backs up” to the Windows machine via iTunes. I mean you can get absolutely everything with a pretty simple script: GPS locations, calls, browser history, all text messages, etc.
- Analysis of how LOIC anonymous members were caught, because it would be proven they downloaded the virus payload – and weren’t innocently infected like they claimed.
- Gather intel about the Wi-Fi environment, like broadcasting SSIDs, non-broadcasting ones, MAC addresses, etc. Also listen to network cards broadcasting the SSIDs that they want to connect to (802.11 Probe Requests).
- How to search for credit card numbers (or any pattern) in a stream of text or network traffic.
- Hilarious exploit of a silly security hole at a major hotel which lets someone charge things to other people’s rooms (this is illegal, of course). Great analysis though!
- Capture google search terms, by keystroke, as they go across the network.
- Very interesting analysis of how insurgents caught by the U.S. had used SkyGrabber to intercept UAV/drone images in real time. Then, the book covers how to do this instead with a hobbyist quadcopter AND control that drone.
- Analysis of Firesheep – which captures insecure cookies for social media sites; this allows those accounts to be compromised.
- Discover nearby Bluetooth devices – even when “Discovery” is not on!
- Some Bluetooth devices use unauthenticated RFCOMM – if it’s not locked down, you can compromise the device. The book covers the BlueBugging exploit.
- Use Bluetooth Service Discovery Protocol (SDP) to find available services to exploit – and how to exploit them.
- Anonymity and Recon
- Build a script around mechanize to allow you to use the web programmatically, and anonymously – spoofing much of your “signature”.
- Use BeautifulSoup to screen-scrape web pages.
- Crawl a website and download all of the images on the site.
- Make programmatic calls to do google searches – which leave no trace of you.
- Parsing tweets to pull links, images, hashtags, location data, etc. You can start to get a profile of a person.
- Walkthrough of social engineering, and how to engineer a mass e-mail phishing attack against an organization.
- Analysis of the “Flame” cyber attack which was undetectable by antivirus engines.
- Shows how to evade malware detection by encoding the payload, compiling it, and delivering it as a benign-looking executable. Use pyinstaller to make your Python script into a standalone executable with no outside dependencies (like Python needing to be installed).
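The TTL trick from the 1999 DoD item and the Snort item above, as an added example that is not the book’s code: it infers how many hops a packet travelled from its remaining TTL (assuming the sender started from one of the common initial TTLs 64, 128 or 255), compares that with the hop distance previously measured to the claimed source, and flags a mismatch as a likely spoof. The hop-distance table and the packets are constructed for the example.

```python
# Added example: flag probably-spoofed packets by comparing the hop count implied
# by the packet's TTL with the hop distance previously learned for that source.
# Assumptions: senders start from one of the common initial TTLs (64, 128, 255),
# and a "known distance" table exists from earlier legitimate traffic
# (for example, measured with traceroute). All sample data is constructed.

INITIAL_TTLS = (64, 128, 255)

def hop_count(ttl):
    """Infer hops travelled from the remaining TTL: distance to the nearest
    common initial TTL at or above the observed value."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def is_spoofed(src, ttl, known_hops, tolerance=1):
    """True when the implied hop count disagrees with the learned distance by
    more than `tolerance` hops. Sources with no baseline are not judged."""
    if src not in known_hops:
        return False
    return abs(hop_count(ttl) - known_hops[src]) > tolerance

def triage(packets, known_hops):
    """Split (src, ttl) tuples into (legitimate, suspect) lists."""
    legit, suspect = [], []
    for src, ttl in packets:
        (suspect if is_spoofed(src, ttl, known_hops) else legit).append((src, ttl))
    return legit, suspect

# Constructed hop-distance table learned from earlier traffic.
KNOWN_HOPS = {"198.51.100.7": 12, "203.0.113.40": 5, "192.0.2.9": 20}

# Constructed sample packets: the second and fourth carry TTLs that do not
# match the known path length to the claimed source.
SAMPLE_PACKETS = [
    ("198.51.100.7", 52),    # 64-52 = 12 hops, matches baseline
    ("198.51.100.7", 245),   # 255-245 = 10 hops, wrong path length
    ("203.0.113.40", 123),   # 128-123 = 5 hops, matches baseline
    ("203.0.113.40", 33),    # 64-33 = 31 hops, wrong path length
    ("192.0.2.9", 108),      # 128-108 = 20 hops, matches baseline
    ("198.51.100.250", 60),  # no baseline, left alone
]

if __name__ == "__main__":
    legit, suspect = triage(SAMPLE_PACKETS, KNOWN_HOPS)
    for src, ttl in suspect:
        print(f"[!] {src} ttl={ttl} implies {hop_count(ttl)} hops, expected {KNOWN_HOPS[src]}")
```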
Sorry for the long list, but EVERY one of these was very interesting and worth a mention. With that said, this book is jam-packed full of useful utilities – for all phases. If it helps (and I’m doing this for my benefit) – here’s a summary of the discrete scripts that are covered in the book (source is available too – link in the book):
- Pen Testing
- Re-create a Unix /etc/passwd cracker.
- Re-create a .zip file password cracker.
- Building a TCP full connect port scanner – this is easily detectable. This is where you try to make a complete connection to a port.
- Building a TCP SYN port scanner using NMap (via Python) – this is not as detectable. You ring the doorbell and hide: you listen for the response, but you don’t respond to complete the connection. So, it doesn’t count as a “connection” because the handshake never completed.
- Building an SSH BotNet with Python – this was just amazing. Uses Pexpect over SSH to allow remote execution – so your affected machines open a port, wait for commands, and Pexpect executes those commands on ALL of the machines. Then – simplify the already simple program with Pxssh, a Python module that does even more for you, automatically. Sounds complicated but the script is logical and easy to follow.
- Building an anonymous FTP scanner to find FTP servers, and test for vulnerabilities.
- Scanning for web pages you might want to update on your compromised FTP server.
- Injecting/updating (malicious) code into a web page on the compromised FTP server (or local system).
- Building a script that uses metasploit to brute-force Windows/SMB passwords on a remote system.
- Building a buffer overflow exploit for a known-compromised FTP server.
- Build a script to translate IP addresses to a geolocation (lat/long) via www.maxmind.com
- Use pypcap to read packet details from a network capture, programmatically.
- All of the geolocation from these scripts? Write a script to generate a .KML file to visualize it and put a labeled “pin” in Google Earth for each of the locations – a good way to visualize the locations involved!
- Build a script to monitor an anonymous LOIC attack – determine the person who initiated it in IRC, and the willing BotNet members.
- Build a script to quickly identify a DDOS attack in-progress.
- Build a script to test packet TTLs to find out if they are legitimate – helps you wade through spoofed attacks to find the REAL attack.
- Build a script to parse network packets and detect fast-flux DNS attacks.
- Build a SYN flood attack to keep a host busy, while you “answer” as that host (for TCP Sequence Prediction). Then, use that to spoof and intercept a TCP connection.
- Windows: Get a list of all of the Wi-Fi networks you’ve joined.
- Use mechanize to connect to wigle to translate MAC addresses to geolocation (lat/long), if possible. Will work for public hotspots.
- Recover deleted items from Recycle Bin in Windows
- Translate long SID to a Windows username.
- Pull metadata from PDFs.
- Pull EXIF data from images (or send it tons of images and it will spit out whatever it finds).
- Pull ALL of the details from Skype on Windows (contact details, chat log, etc).
- Pull ALL of the details from Firefox on Windows (history, cookies, google searches, etc).
- Pull ALL of the details of an iOS device that backs up to a PC with iTunes (call log, all texts, all GPS locations of the phone throughout the day, etc).
- Use Scapy to analyze 802.11 traffic to glean environment details (SSID, MAC address, etc) – and preferred SSIDs that devices request (802.11 Probe Request).
- How to search for credit card numbers in a stream of text (like network traffic) – or really monitor for any patterns of text that come across the network, using regular expressions.
- Capture google search terms, by keystroke, as they go across the network.
- Intercepting and translating UAV communication with an external antenna – then issuing commands to the drone.
- Capturing a WordPress session, then replaying it later (Firesheep).
- Build a script to discover nearby Bluetooth devices – even when “Discovery” is not on!
- Scan for unsecured Bluetooth RFCOMM channels; use BlueBug exploit to compromise the device.
- Use Bluetooth Service Discovery Protocol (SDP) to find available services to exploit.
- Anonymity and Recon
- anonBrowser – Build a script around mechanize to allow you to use the web anonymously (control over the user-agent, and all cookies)
- Use anonBrowser with BeautifulSoup to screen-scrape web pages.
- Use anonBrowser to crawl a website and download all of the images on the site.
- Use anonBrowser to make programmatic calls to do google searches – which leave no trace of you.
- Parsing tweets to pull links, images, hash tags, location data, etc.
- Build a complete phishing attack (e-mail side, and the server side that distributes the malware).
- Build a script to evade malware detection by encoding and compiling the payload – use pyinstaller to make your Python script into a standalone executable.
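The full-connect scanner item above notes that such a scan “is easily detectable”. As an added example from the defender’s side (not the book’s code), here is the detection: parse connection-log lines and alert on any source that touches many distinct ports on one host within a short window. The log format is constructed for the example and is not any real product’s format; WINDOW and THRESHOLD are assumptions to tune.

```python
# Added example: detect a TCP connect scan from connection-log lines by counting
# the distinct destination ports one source touches on one host within a window.
# The log format below is constructed for this example; tune window/threshold.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|REJECT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def find_scanners(lines, window=timedelta(seconds=10), threshold=5):
    """Return {src: most distinct ports hit on one host inside `window`}
    for every source that reaches `threshold`."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse(lines):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

# Constructed sample log: 10.0.0.5 walks eight ports on 10.0.0.20 in six
# seconds, 10.0.0.9 makes two ordinary connections, one line is malformed.
SAMPLE_LOG = """\
2013-02-11T10:00:00 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=443
2013-02-11T10:00:01 REJECT src=10.0.0.5 dst=10.0.0.20 dport=21
2013-02-11T10:00:01 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=22
2013-02-11T10:00:02 REJECT src=10.0.0.5 dst=10.0.0.20 dport=23
2013-02-11T10:00:03 REJECT src=10.0.0.5 dst=10.0.0.20 dport=25
2013-02-11T10:00:04 ACCEPT src=10.0.0.5 dst=10.0.0.20 dport=80
2013-02-11T10:00:05 REJECT src=10.0.0.5 dst=10.0.0.20 dport=110
2013-02-11T10:00:06 REJECT src=10.0.0.5 dst=10.0.0.20 dport=139
2013-02-11T10:00:06 REJECT src=10.0.0.5 dst=10.0.0.20 dport=445
garbage line that should be ignored
2013-02-11T10:00:30 ACCEPT src=10.0.0.9 dst=10.0.0.20 dport=22
""".splitlines()

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"[!] {src} probed {ports} distinct ports within 10s")
```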
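The credit-card-number search above is, from the defender’s side, a data-loss-detection check. As an added example (not the book’s code), this version pairs the digit-pattern regex with a Luhn check so random 16-digit strings such as order ids are not reported, and masks what it logs. The sample text uses widely published test card numbers and is constructed; the brand table is a coarse, illustrative assumption.

```python
# Added example: find candidate payment-card numbers in a stream of text
# (packet payloads, log lines, a file) and keep only those that pass the Luhn
# check, which removes most random digit runs. The sample text is constructed
# from well-known test numbers; the brand lookup is a rough illustration.
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_brand(digits):
    """Coarse issuer guess from leading digits and length (illustrative only)."""
    if digits.startswith("4") and len(digits) in (13, 16, 19):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"} and len(digits) == 16:
        return "mastercard"
    if digits[:2] in {"34", "37"} and len(digits) == 15:
        return "amex"
    return "unknown"

def find_cards(text):
    """Return [(normalized_digits, brand)] for Luhn-valid candidates in order."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append((digits, card_brand(digits)))
    return found

def mask(digits):
    """Mask all but the last four digits so alerts never store the full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

# Constructed sample: two published test numbers (one with dashes), a 16-digit
# order id that fails Luhn, and a phone number that is too short to match.
SAMPLE_TEXT = (
    "POST /checkout card=4111111111111111 exp=12/27\n"
    "order_id=1234567890123456 phone=555-867-5309\n"
    "backup card: 5555-5555-5555-4444\n"
)

if __name__ == "__main__":
    for digits, brand in find_cards(SAMPLE_TEXT):
        print(f"[+] possible {brand} number {mask(digits)}")
```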
I know that is a lot of stuff, but the book really is full of this many interesting/useful things!
What to do with this information?
Again, I almost don’t know where to start. My first reaction is this makes me want to unplug the network cable from my computer! There are just so, so many ways every kind of computing device is open to being exploited.
So, for me, my takeaways are these:
- Forensics – I would like to build up a library of utilities for this, just to have. If my computer is ever stolen and recovered, I’d want to capture everything I could from it, to make sure I wasn’t targeted again. If a loved one (God-forbid) ever went missing – I too would like to pull everything from their computer to help find them. Similarly at work or with a client, this would be an asset if I could quickly pull all of the useful data from a computer – for example if they had a malicious employee do something before they left. In ALL of these scenarios, the “need” for forensics comes on quickly – so it makes sense to have these utilities tested and ready, ahead of time. If I never use them, that’s fine, I know I will have a blast writing them! And in the unfortunate case where they are needed, I should be able to provide useful information.
- Pen testing – I would like to try several of these techniques to see if my “typical” Linux or Windows Server setup is safe or not. It would be very interesting to see if I can break into my own servers at my house (or a Raspberry Pi, for that matter – same difference!). Also, after seeing how exploitable an iPhone is, this makes me want to significantly hit my Windows Phone and see if similar data is as easily available.
- SSH BotNet – the very first thing I thought about here was when I want to update my Raspberry Pi’s, I need to manually log into each one of them and do the updates on each one. So, if I could use Pxssh – I could (legitimately) connect to ALL Linux servers and issue the same command to them all at the same time. I didn’t do that example in the book, but if I understand it correctly – that has significant systems management implications!
That’s it really. I don’t have any interest in writing a virus or carrying out an attack of any sort, and given that I am not a pen tester by trade, that’s about as far as I’ll go with it, I think. I will say that I’m SUPER excited to dig into this though!
Ethics and Legal Stuff (seriously, we need to talk about this):
Please do not take this lightly. I mentioned some of this for the book review of Practical Packet Analysis. However, this really, really, really applies here. The lessons in this book can be used to increase security and privacy, it can be used for forensics to help build a legal case against someone, and it can be used for penetration testing of your own systems, or testing your own system so that you find your vulnerabilities before the “bad guys” do.
However, the things in this book could also be used for malicious or nefarious purposes. You could use this information to break into networks, steal computer information, bring down a network, or write malware. If you are considering that, I strongly encourage you in the most emphatic way – please do not go down that path!
WARNING: You should NEVER attempt any of these practices on a network you don’t own.
If you have glamorous visions of being a “hacker” and capturing public network traffic, and/or try to break into a network – understand that there are significant provisions in many laws to jail you or indefinitely detain you without a trial, including (but not limited to):
- USA PATRIOT Act (sections 209, 217, and 220 – at least)
- Computer Fraud and Abuse Act (the law)
- Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections 2510-2521, 2701-2710]
- Economic Espionage Act (EEA) (the law)
- Wire Fraud Act (overview of how this can apply)
- Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C. Section 1028(a)(7)]
Also consider that most states have state-specific laws too with which you can be charged – and the Department of Justice also has a long list of ways in which they can prosecute you too. You can easily be labeled a domestic terrorist and subject to indefinite detention with no trial and no charges.
In present day, if you’re caught, you could be sent to Gitmo to send people a message. Or, if you’re lucky, you’ll just go to prison for 25 years.
So please – only use these techniques on a network you OWN (like, at home) or one where you are responsible (like, at work – where you are a network administrator with permission to do these things). Otherwise, you credibly put yourself at serious risk of being jailed for the rest of your adult life. Be warned!
Also, even if you are a network administrator, you may still want to look into a Certified Ethical Hacker (CEH) certification for example, because if you accidentally bring down your company network, you may not be arrested – but you could end up getting fired. So be careful out there.
“With great power comes great responsibility.” –Uncle Ben (from Spiderman)
Lastly, if you don’t believe me – look in the book. I think almost all of the exploits defined also cite the legal case against the offender (the exploit-writer), and most of those authors went to prison. So, this book exists because people were caught and went to prison. Something to think about…