This is one of a few more book recommendations I received from a colleague. This is a book on using Python (mostly) for pentesting or hacking attacks. The book is called: Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz.
What is this?
In short, Python is a very simple, English-based scripting language that can do wildly powerful things. In this case, it’s the language-of-choice for testing the defenses of a computer network – or attacking the defenses of a computer network.
This books covers several techniques for attacking/testing a network, using Python and related tools.
If you are interesting in this topic – this is a great book! It’s an easy read with pretty straight-forward, yet powerful examples. If this topic is something that interests you – this book definitely belongs on the bookshelf and will be one of your staples.
I just finished the books Practical Packet Analysis, and Violent Python – and this book gives yet another view or dimension of network and server security. Instead of looking lots and lots of tools, this book focuses a few powerful attacks which combined several disciplines. It also looks at the Burp Suite, which is a mature testing/attack tool – versus writing a script.
Some unique things that this book covers, which stood out to me are:
- Effectively sniffing the network for specific things – but from Python script instead of using Wireshark. This is significant because you might want to run that command-line sniffer remotely, on a compromised machine to see traffic on that remote network. This is something you couldn’t otherwise do with Wireshark, locally.
- Using Git to manage your trojan horse attacks – and have the various agents upload their findings automatically, back to Git!
- Using Tumblr (or twitter, or reddit) – or free public websites which let you post “stuff”, using that mechanism for your targeted machines to upload data.
- Deep dive into several Windows-specific exploits.
I get the sense too that the types of attacks which are covered in this book are specific, measured, and precise. This isn’t a virus that ruins your computer (the computer version of a teenager that goes down the street slashing tires) – these are attacks which quietly come in, and could capture data on an enterprise network indefinitely, and may never be detected.
The focus here is getting in, not setting off the Intrusion Detection System (IDS), and when you are on a Windows machine, lay low so you don’t trigger the anti-virus either. If you are looking at this from the defender side – this makes it all the more difficult to detect attacks like this – which makes this very interesting! OK, with that said, here a summary of the key things covered in the book:
- Python Setup and Getting Started
- Kali Linux – this is a pretty good “hacker” distro of Linux to start with, because it already has TONS of tools already installed. They bill it as a “penetration testing platform” – which I agree, it is! It’s Debian-based, which means it’s going to be very easy to use (just like Ubuntu, and Raspbian – if you are familiar).
- Installing Python and the related modules needed for the book.
- Installing and walking through Wing IDE, a very nice Python editor for Linux, Mac OS, and Windows. It’s a paid-product, but they also have a “personal” edition too which is scaled-down, but free.
- Network Basics
- Create a TCP and UDP client (~8 lines of code)
- Create a TCP server (~16 lines of code)
- Replace Netcat – create a server where you can connect and run commands on a remote machine.
- Create a TCP proxy – client sends data to the proxy, proxy forwards it onto the destination – and vice versa with the response.
- Using the Paramiko module to programmatically create an SSH server or client.
- Create an SSH tunnel server and client – so that the client can connect to a compromised server, and then have that server connect (from its’ visible network) to the target system.
- Create a reverse SSH tunnel – I didn’t get this working, and I’m not sure I fully understand it. I think it’s where have the target machine connect through the server, which then connects back to your client – however, I’m still not clear on how that connection is first initiated. I’ll need to loop back around to this again.
- Networking, sockets, and sniffing
- Use the socket module to sniff the network and manually parse packet information.
- Analysis of the netaddr module which let’s your work with IP addresses, as if they are first class citizens. For example, you can for..each through IP addresses in “192.168.1.0/24” – where “/24” means to apply a 255.255.255.0 subnet mask on the 192.168.1.0 network and give me every address within.
- Using UDP to passively find machines that are up, on a network segment.
- Using Scapy and Python to do everything from the last chapter, but much more simply!
- Using Scapy to elegantly apply ARP cache poisoning, to capture network traffic to/from a certain target. With a network switch (which is most-common), you won’t be able to observe the targets network traffic otherwise.
- Use Scapy to capture HTTP traffic; in that traffic look for images; for each image, run it through OpenCV to detect if there are any faces – if so, save that image.
- Web Recon
- Use urllib2 to programmatically scan a website for vulnerabilities.
- Programmatically brute-force a login page on a website.
- The Burp Suite
- A whole chapter on some of the key features of: Burp Suite
- Write a Burp “extender” which uses a Bing API to go get other information about the specified machine, ip, and domain.
- Write a Burp “extender” to crawl a website and generate a word list which might be used for a dictionary attack later.
- A whole chapter on using GitHub as your command/control for a Trojan attack. The scripts and configuration options are stored there. Bots go here to get their instructions, and return to GitHub to upload files or data they retrieved. This uses all native command-line git functionality.
- Modify Python’s “import” functionality so that if a module is missing, it will automatically go out to your git repository to retrieve it instead of failing.
- Common Trojan Attacks for Windows
- Write a basic keylogger. Quietly tracks the active window open by the user, then any keys that are pressed on the keyboard – then dumps it all to the screen, or a log file.
- Programmatically take a screenshot of the end-users desktop, and save it as a file.
- Use ctypes to download arbitrary shellcode from your website, and execute it locally.
- Sandbox detection – various techniques to determine if anti-virus software has detected your code, and put your executable in a sandbox.
- While we are monitoring keystrokes and mouse activity – use that to determine if the user is active. For example, you might want to take screenshots only while the user is actively using the computer.
- On Windows – Internet Explorer (sigh) hacks
- The author brings up a very good point that even though IE has a small market-share in the real world, it’s the default web browser in MOST enterprises. That, coupled with IE being… a trainwreck, makes it rife for exploitation!
- Man-In-The-Browser Attack – programmatically hijack IE and observe network activity made by the user, and also modify network traffic. For example, force them to log back into Facebook again – while your keylogger is running. You can then capture their credentials with them being none-the-wiser.
- Using IE for exfiltration – since IE is a trusted process (by the OS, firewall, and by antivirus), if you can use it to move data/files off of the local machine and upload them to a remote site – that won’t trigger any alarms.
- Use zlib to compress a file. Then, use RSA to generate a keypair, and also use one of the keys to encrypt the contents of a file – and upload it to Tumblr (but the technique could be used to upload it to any public service).
- On Windows – Privilege Escalation
- This chapter uses Windows Management Instrumentation (WMI) to monitor processes and check which processes might have escalated privileges.
- Many programs the run throughout the day will generate a file in the temp folder, execute it with elevated privileges, then delete the file. The author builds a script to detect when the file is created – lets you also inject your code to run – all before that elevated process runs it.
- Automating Offensive Forensics
- Use the very powerful Volatility framework to analyze the memory on a machine, to look for exploits.
- A script to pull the hashed passwords from a Windows computer (similar to /etc/passwd on Linux) – then you can take those hashes offline and see if you can crack them.
- Use Volatility to monitor a running app (like calc.exe), and give you the memory offset of a function (like, clicking the “=” button) – then replace that function pointer with a pointer to your shellcode. Once you’ve analyzed Calculator – this exploit would wait until the user launched the program into memory – your program would overwrite what the “=” button does, in memory. When the user presses that button, it runs YOUR code instead. Pretty interesting way to compromise a running program without touching the .exe!
So, as discussed – this book had a lot of interesting examples. Just being exposed to Kali Linux (which you should see what comes pre-loaded with it!), to Wing IDE, and Burp was really helpful. Then of course, these different exploits offer interesting and novel ways to potentially compromise a system.
Again, if you are interested in this topic – this is a great addition to your library, and I suspect will be a staple that you’d reference many times!
Ethics and Legal Stuff (no, seriously):
I mentioned this for previous book reviews on this topic, and I will say it again! Please do not take this lightly. The stuff covered in this book is serious!
The lessons in this book can be used to increase security and privacy, it can be used for forensics to help build a legal case against someone, and it can be used for penetration testing of your own systems, or testing your own system so that you find your vulnerabilities before the “bad guys” do.
However, the things in this book could also be used for malicious or nefarious purposes. You could use this information to break into networks, steal computer information, bring down a network, or write malware. If you are considering that, I strongly encourage you in the most emphatic way – please do not go down that path!
WARNING: You should NEVER attempt any of these practices on a network you don’t own.
If you have glamorous visions of being a “hacker” and capturing public network traffic, and/or try to break into a network – understand that there are significant provisions in many laws to jail you or indefinitely detain you without a trial, including (but not limited to):
- USA PATRIOT Act (sections 209, 217, and 220 – at least)
- Computer Fraud and Abuse Act (the law)
- Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections 2510-2521, 2701-2710]
- Economic Espionage Act (EEA) (the law)
- Wire Fraud Act (overview of how this can apply)
- Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C. Section 1028(a)(7)]
Also consider that most states have state-specific laws too with which you can be charged – and the Department of Justice also has a long list of ways in which they can prosecute you too. You can easily be labeled a domestic terrorist and subject to indefinite detention with no trial and no charges.
In present day, if you’re caught, you could be sent to Gitmo to send people a message. Or, if you’re lucky, you’ll just go to prison for 25 years.
So please – only use these techniques on a network you OWN (like, at home) or one where you are responsible (like, at work – where you are a network administrator with permission to do these things). Otherwise, you credibly put yourself at serious risk of being jailed for the rest of your adult life. Be warned!
Also, even if you are a network administrator, you may still want to look into a Certified Ethical Hacker (CEH) certification for example, because if you accidentally bring down your company network, you may not be arrested – but you could end up getting fired. So be careful out there.
“With great power comes great responsibility.” –Uncle Ben (from Spiderman)