Pycon - Python for ethical hackers

Pycon Iran 2013 - Mohammad Reza Kamalifard - IUST


  1. Python For Ethical Hackers (Mohammad Reza Kamalifard)
  2-4. Ethical Hacker = Penetration Tester
  5-10. Why Python?
     • Easy to learn
     • Easy to use
     • Clean syntax and code readability
     • Rich set of libraries
     • Tons of tools already written
     • Rapid prototyping: POC (proof of concept)
  11. Who is using Python
     • Core Impact: comprehensive penetration testing solution
     • Immunity CANVAS: exploit development framework
     • W3AF: Web Application Attack and Audit Framework
     • Sqlmap: automatic SQL injection tool
     • Immunity Debugger: powerful debugger
     • Peach: fuzzer
     • Sulley: fully automated and unattended fuzzing framework
     • Paimei: reverse engineering framework
     • Scapy: packet manipulation tool
  12. Easy File Handling (Python 2 session, as presented)

```python
>>> file_add = 'c:/users/reza/desktop/passwords.txt'
>>> file_dis = open(file_add, 'r')
>>> emails = file_dis.readlines()
>>> for email in emails:
...     print email
...
shahed_soltani@yahoo.com
sir1_kabir@ymail.com
peyman_dabir@yahoo.com
sanaz808@iran.ir
gity_hashemi@yahoo.com
zeuos63@yahoo.com
seyedali_rezaie@datasec.ir
. . .
```
  13. Requests, the library to deal with HTTP: "HTTP for Humans"

```python
>>> import requests
>>> requests.get('http://kamalifard.ir')
<Response [200]>
>>> r = _
>>> r.headers
CaseInsensitiveDict({'content-length': '771', 'content-encoding': 'gzip', 'accept-ranges': 'bytes', 'vary': 'Accept-Encoding', 'server': 'Apache/2.2.16 (Debian)', 'last-modified': 'Sat, 21 Sep 2013 05:19:57 GMT', 'etag': '"15b565-62b4e6ddf0165940"', 'date': 'Sun, 27 Oct 2013 14:23:54 GMT', 'content-type': 'text/html'})
>>> r.text
u'<!doctype html>\n<html lang="en">\n<head>\n\t<meta charset="UTF-8">\n\t<title>Mohammad reza Kamalifard</title>\n\t<link rel="stylesheet" href="style.css" />\n\n</head>\n<body>\n\t<div class="wrap">\n\t\t<h1>Mohammad reza Kamalifard</h1>\n\t\t<p>Software
```
  14. Basic fuzzer

```python
>>> import requests as req
>>> url = 'http://kamalifard.ir/'
>>> file_add = 'c:/users/reza/desktop/dirss.txt'
>>> file_dis = open(file_add, 'r')
>>> dirs = file_dis.readlines()
>>> for x in dirs:
...     x = x.strip()                  # readlines() keeps the trailing newline of each wordlist entry
...     resp = req.get(url + x)
...     html = resp.text
...     print url + x, resp.status_code
```
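The loop above requests every wordlist entry in turn; on the server side that leaves a dense burst of 404 responses from one client, which is what a defender looks for. The following is an added example (Python 3, not code from the talk) that parses constructed Apache combined-format access-log lines and flags any client whose 404s cluster inside a short sliding window; the addresses, paths, timestamps and user agents are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (hosts, paths and agents are made up).
# 203.0.113.7 produces four 404s in two seconds; 198.51.100.4 produces a single stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2013:14:23:54 +0000] "GET /admin/ HTTP/1.1" 404 289 "-" "python-requests/2.0.0"
203.0.113.7 - - [27/Oct/2013:14:23:54 +0000] "GET /backup/ HTTP/1.1" 404 289 "-" "python-requests/2.0.0"
198.51.100.4 - - [27/Oct/2013:14:23:55 +0000] "GET /index.html HTTP/1.1" 200 771 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2013:14:23:55 +0000] "GET /old/ HTTP/1.1" 404 289 "-" "python-requests/2.0.0"
203.0.113.7 - - [27/Oct/2013:14:23:55 +0000] "GET /test/ HTTP/1.1" 404 289 "-" "python-requests/2.0.0"
203.0.113.7 - - [27/Oct/2013:14:23:56 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "python-requests/2.0.0"
198.51.100.4 - - [27/Oct/2013:14:24:10 +0000] "GET /missing.png HTTP/1.1" 404 289 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return ip, ts (aware datetime), method, path, status, ua as a dict; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_dir_bruteforce(lines, min_404=4, window=timedelta(seconds=10)):
    """Map each client IP to the largest number of 404s it produced inside any
    sliding window of length `window`; only clients reaching min_404 are returned."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # advance the window start
                start += 1
            best = max(best, end - start + 1)
        if best >= min_404:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in find_dir_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: %d 404s within 10s, consistent with wordlist directory probing" % (ip, n))
```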
  15. hashlib

```python
>>> import hashlib
>>> hashlib.algorithms
('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')
>>> m = hashlib.md5()
>>> m.update('reza')
>>> m.digest()
'\xbb\x98\xb1\xd0\xb5#\xd5\xe7\x83\xf91U\rw\x02\xb6'
>>> m.hexdigest()
'bb98b1d0b523d5e783f931550d7702b6'
>>>
```
  16. Sockets
     • TCP and UDP Sockets
     • Regular Servers and Clients
     • Raw Sockets
     • Sniffing and Injection
  17. Port Scanner

```python
import socket

def connScan(tgtHost, tgtPort):
    # TCP connect scan: a completed connect() means the port accepts connections
    tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp_socket.connect((tgtHost, tgtPort))
        tcp_socket.send('PyCon2013\r\n')
        results = tcp_socket.recv(100)      # whatever banner the service answers with
        print '%d/tcp open' % tgtPort
        print str(results)
    except socket.error:
        print '%d/tcp closed' % tgtPort
    finally:
        tcp_socket.close()
```
  18. ECHO Server

```python
import socket

tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tcp_socket.bind(('127.0.0.1', 8000))
tcp_socket.listen(2)
print 'Waiting for client ...'
(client, (ip, port)) = tcp_socket.accept()
print 'Received connection from : ', ip
print 'Starting ECHO output...'
data = 'dummy'
while len(data):                 # recv() returns '' once the client closes its side
    data = client.recv(2048)
    print 'Client send : ', data
    client.send(data)
client.close()
tcp_socket.close()
print 'Closing Connection'
```
  19. Client

```python
import socket
import sys

if len(sys.argv) < 3:
    print 'Please Enter address and port'
    sys.exit()
tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.connect((sys.argv[1], int(sys.argv[2])))
while True:
    userInput = raw_input('Please Enter a Message! : ')
    tcp_socket.send(userInput)
    print 'Server Send back : ' + str(tcp_socket.recv(2048))
tcp_socket.close()
```
  20. Running client and server

```text
-----Client-----
python client.py 127.0.0.1 8000
Please Enter a Message! : Salam
Server Send back : Salam
Please Enter a Message! : WELCOME TO PYCON 2013!
Server Send back : WELCOME TO PYCON 2013!
Please Enter a Message! :

-----Server-----
Waiting for client ...
Received connection from :  127.0.0.1
Starting ECHO output...
Client send :  Salam
Client send :  WELCOME TO PYCON 2013!
Client send :
Closing Connection
```
  21. SocketServer Framework
     • Framework in Python to create TCP and UDP servers
     • Does all the basic steps for you in the background
     • Comes in handy if you want to create a server to lure a client and analyze its behavior
  22. SocketServer Framework

```python
import SocketServer

class EchoHandler(SocketServer.BaseRequestHandler):
    # handle() is called once per accepted connection
    def handle(self):
        print 'Got Connection from : ', self.client_address
        data = 'dummy'
        while len(data):
            data = self.request.recv(1024)
            print 'Client sent :' + data
            self.request.send(data)
        print 'client left'

server_address = ('127.0.0.1', 9050)
server = SocketServer.TCPServer(server_address, EchoHandler)
server.serve_forever()
```
  23. Nmap

```python
import nmap   # python-nmap, a wrapper around the nmap binary

tgtHost = '192.168.1.254'
tgtPort = '80'
nmapScan = nmap.PortScanner()
nmapScan.scan(tgtHost, tgtPort)
state = nmapScan[tgtHost]['tcp'][int(tgtPort)]['state']
print tgtHost + ' tcp/' + tgtPort + ' ' + state
```
  24. Simple HTTP Server

```python
import SocketServer
import SimpleHTTPServer

# Serves the current working directory over HTTP on port 8080
httpServer = SocketServer.TCPServer(('', 8080), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpServer.serve_forever()
```
  25. Raw Sockets

```python
import struct, socket, binascii

# Linux only and needs root: a packet socket that receives every IPv4 (ethertype 0x0800) frame
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
pkt = rawSocket.recvfrom(2048)

# Ethernet header: destination MAC, source MAC, ethertype
ethernetHeader = pkt[0][0:14]
eth_hdr = struct.unpack('!6s6s2s', ethernetHeader)
print 'Destination MAC : ' + binascii.hexlify(eth_hdr[0])
print 'Source MAC : ' + binascii.hexlify(eth_hdr[1])
print 'Ethertype : ' + binascii.hexlify(eth_hdr[2])

# IPv4 header, assumed to be 20 bytes (no IP options); the last two 4-byte fields are src and dst
ipHeader = pkt[0][14:34]
ip_hdr = struct.unpack('!12s4s4s', ipHeader)
print 'Source IP address : ' + socket.inet_ntoa(ip_hdr[1])
print 'Destination IP address : ' + socket.inet_ntoa(ip_hdr[2])

# First 20 bytes of the TCP header: source port, destination port, then the rest
tcpHeader = pkt[0][34:54]
tcp_hdr = struct.unpack('!HH16s', tcpHeader)
print 'Source port : %d' % tcp_hdr[0]
print 'Destination port : %d' % tcp_hdr[1]
```
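The fixed 14/20/20 slicing above decodes from the wrong offsets as soon as a frame carries IP options or TCP options (the MSS option on a SYN is the common case). As an added example (Python 3, not code from the talk), this parser reads the IPv4 IHL and TCP data-offset fields instead, and is exercised against a constructed frame containing both kinds of options; the MACs, addresses, ports and payload in build_sample_frame are made up.

```python
import socket
import struct

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP headers from raw frame bytes (what recvfrom()
    on an AF_PACKET socket returns), honouring IHL and the TCP data offset."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % eth_type)
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ip_end = 14 + (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words, so 5..15 words
    result = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
              "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
              "ttl": ttl, "proto": proto}
    if proto != 6 or len(frame) < ip_end + 20:  # only TCP is decoded further
        return result
    sport, dport, seq, ack, off_flags, window = \
        struct.unpack("!HHIIHH", frame[ip_end:ip_end + 16])
    data_off = (off_flags >> 12) * 4            # TCP header length including options
    result.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                   "flags": off_flags & 0x1FF, "window": window,
                   "payload": frame[ip_end + data_off:]})
    return result

def build_sample_frame():
    """Constructed test input: IPv4 header with 4 bytes of options (IHL=6) and a
    TCP SYN carrying an MSS option (data offset 6), followed by a short payload."""
    payload = b"PyCon2013\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (6 << 12) | 0x002, 8192, 0, 0)
    tcp += b"\x02\x04\x05\xb4"                  # MSS option, value 1460
    ip_opts = b"\x01\x01\x01\x00"               # NOP, NOP, NOP, End of Option List
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton("192.168.1.2"),
                     socket.inet_aton("192.168.1.254")) + ip_opts
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # dst MAC, src MAC, ethertype IPv4
    return eth + ip + tcp + payload

if __name__ == "__main__":
    info = parse_frame(build_sample_frame())
    print("%s:%d -> %s:%d flags=0x%03x payload=%r" % (info["src_ip"], info["sport"],
          info["dst_ip"], info["dport"], info["flags"], info["payload"]))
```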
  26. Packet Injection with Raw Sockets

```python
import socket
import struct

# Linux only and needs root: write a raw Ethernet frame out of wlan0
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
# the AF_PACKET address tuple takes the protocol in host order; Python applies htons itself
rawSocket.bind(('wlan0', 0x800))
# Ethernet header: destination MAC, source MAC, ethertype 0x0800 (IPv4)
packet = struct.pack('!6s6s2s', '\xaa\xaa\xaa\xaa\xaa\xaa', '\xbb\xbb\xbb\xbb\xbb\xbb', '\x08\x00')
rawSocket.send(packet + 'Welcome to PYCON')
```
  27. Scapy
     • Interactive packet manipulation tool
     • Forge or decode packets
     • Wide number of protocols
     • Send packets on the wire
     • Capture packets
     • Match requests and replies
  28. Scapy

```text
reza@kamalifard$ sudo scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> ls()
ARP        : ARP
DHCP       : DHCP options
DNS        : DNS
GPRS       : GPRSdummy
L2TP       : None
PPPoE      : PPP over Ethernet
[...]
```
  29. Sniff

```python
>>> p = sniff(count=5)
>>> p
<Sniffed: TCP:5 UDP:0 ICMP:0 Other:0>
>>> p.show()
0000 Ether / IP / TCP 46.165.248.173:4948 > 192.168.1.2:47981 PA / Raw
0001 Ether / IP / TCP 192.168.1.2:47981 > 46.165.248.173:4948 A
0002 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw
0003 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw
0004 Ether / IP / TCP 127.0.0.1:48852 > 127.0.0.1:mmcc A
>>>
```
  30-33. Create Packet

```python
>>> pkt = IP(dst='192.168.1.254')/TCP(dport=25)
>>> pkt
<IP frag=0 proto=tcp dst=192.168.1.254 |<TCP dport=smtp |>>
>>> print pkt
E(@�~�����P e
>>> str(pkt)
'E\x00\x00(\x00\x01\x00\x00@\x06\xf6~\xc0\xa8\x01\x02\xc0\xa8\x01\xfe\x00\x14\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00\x0be\x00\x00'
>>> pkt.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.1.2
  dst= 192.168.1.254
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= smtp
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
>>>
```
  34-36. Send Packets

```python
>>> pkt = IP(dst='google.com')/ICMP()/'Welcome to PyCon'
>>> pkt
<IP frag=0 proto=icmp dst=Net('google.com') |<ICMP |<Raw load='Welcome to PyCon' |>>>
>>> pkt.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 192.168.1.2
  dst= Net('google.com')
  \options\
###[ ICMP ]###
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
###[ Raw ]###
        load= 'Welcome to PyCon'
>>> send(pkt)
.
Sent 1 packets.
```
  37. Send and Receive

```python
>>> resp = sr(pkt)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> resp
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> resp[0][0]
(<IP frag=0 proto=icmp dst=216.239.32.20 |<ICMP |<Raw load='Welcome to PyCon' |>>>, <IP version=4L ihl=5L tos=0x0 len=44 id=0 flags= frag=0L ttl=33 proto=icmp chksum=0xdf23 src=216.239.32.20 dst=192.168.1.2 options=[] |<ICMP type=echo-reply code=0 chksum=0xea37 id=0x0 seq=0x0 |<Raw load='Welcome to PyCon' |<Padding load='\x00\x00' |>>>>)
>>>
```
  38. >>> '?'
  39. About 750 million people in the world are hungry! One person in every 8. World Food Programme, the global fight against hunger: fa.wfp.org
  40-41. Contact

```python
>>> print contact_me
Mohammad Reza Kamalifard
Kamalifard@datasec.ir
http://www.linkedin.com/in/itmard
My Python Courses :
http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/
http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/
```

  42. This work is a product of DataSec Middle East (Ammniat Dadehaa Khavare miane) and is licensed under the Creative Commons Attribution-NoDerivs 3.0 Unported License. Copyright 2013 Mohammad Reza Kamalifard. All rights reserved. http://kamalifard.ir http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/ http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/
