Offensive Python for Pentesting

Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer

This talk will focus on the many different ways that a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills both to generate new tools and to modify existing tools on the fly is critically important to agility during a testing engagement. Everything from utility processing of data, network protocol handling, and API interaction to exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.

  1. Offensive Python for Pentesting
     Mike Felch, Joff Thyer
  2. Who are we?
     • Mike Felch
       • Vuln Research/Exploit Dev/Reverse Engineering
       • Black Hills Information Security
       • Established circa ‘99 in the lost underground
     • Joff Thyer
       • Security Researcher, Pen Tester, Developer
       • Black Hills Information Security
       • Certified SANS Instructor of SEC573 - Automating Infosec with Python
  3. What are we covering?
     • Attacking Cloud
       • AWS
       • Google
       • Microsoft Azure
     • Writing Malware
       • Evasion
       • Injection
       • Execution
     • Ways to weaponize
       • Libraries
       • Tooling/Frameworks
  4. Attacking Cloud
  5. Attacking Cloud: Overview
     • Infrastructure AND Services
       • SaaS Platforms: O365 vs G Suite
       • IaaS Platforms: AWS vs Azure vs Google
     • Overlooked rich attack surfaces
       • Customer: “We don’t use Azure, just O365”
       • Pentesters: “.. but we need DA!”
       • Developers: “Oops.. I checked in my .aws folder.”
     • Major providers released an SDK/API
  6. Attacking Cloud: Auth Flow
     Standard Auth Flow
     • Creating a client
     • Need authorization to authorize
     • Need access token to resources
     • Auth on behalf of victim
     • ….
     • Profit!
  7. Attacking Cloud: AWS
     Boto 3: The AWS SDK for Python
     • Client:
       • Low-level AWS access
       • Maps 1:1 to AWS services
       • Most (all?) operations supported
     • Resource/Sessions
       • CRUD-like Operations
       • Enumerate all the things..
     • 219 services supported!
     Resource: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html
  8. Attacking Cloud: AWS
     • SDK: pip install boto3
     • Auth is easier w/ awscli installed
     • Requires access key & secret access key
       • Leak via SSRF
       • Source-code repos
       • Hard-coded credentials
     • Commonly misconfigured
       • S3, EBS, EC2, SQS, Lambda, IAM, etc
  9. Attacking Cloud: AWS
     Searching S3
     • public?
     • ro vs rw?
     • data!
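The "public? ro vs rw?" questions above are exactly what a bucket ACL audit answers from the defender's side. The following is an added example, not code from the talk: audit_buckets() accepts any object exposing boto3's list_buckets() and get_bucket_acl() methods (pass boto3.client("s3") in a real audit), and StubS3 is a constructed stand-in with sample ACLs so it runs offline.

```python
# Grantee group URIs that S3 uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_SCOPES = {ALL_USERS: "public", AUTH_USERS: "any-aws-account"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def classify_grants(grants):
    """Map each risky grantee scope to the set of permissions it holds."""
    findings = {}
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # owner / named-account grants are not anonymous exposure
        scope = GROUP_SCOPES.get(grantee.get("URI"))
        if scope:
            findings.setdefault(scope, set()).add(grant["Permission"])
    return findings


def audit_buckets(s3):
    """Return (bucket, scope, 'ro'|'rw') for every bucket its ACL exposes."""
    exposed = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        for scope, perms in classify_grants(acl["Grants"]).items():
            exposed.append((name, scope, "rw" if perms & WRITE_PERMS else "ro"))
    return exposed


class StubS3:
    """Constructed stand-in for boto3.client('s3') with three sample ACLs."""
    _acls = {
        "private-logs": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                          "Permission": "FULL_CONTROL"}],
        "www-assets": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}],
        "uploads": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}],
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self._acls]}

    def get_bucket_acl(self, Bucket):
        return {"Grants": self._acls[Bucket]}
```

The ACL is only one exposure path: a bucket policy or the account's Block Public Access settings also decide whether a bucket is reachable, so a full audit combines this with get_bucket_policy_status() and the account-level settings.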
  10. Attacking Cloud: AWS
      Dump Secrets
      • creds
      • API keys
      • SSH keys
      • binaries
  11. Attacking Cloud: Google
      • API Client: pip install oauth2client
        • Requires registering your app
        • Save the token.json
      • Auth is easier w/ logged in web session
        • Cache to credentials.json
      • Search files, pilfer email, and add backdoors
        • GMail, GDrive, Calendar, etc
      • Compute SDK(s):
        • https://cloud.google.com/python/setup
      Resource: https://oauth2client.readthedocs.io/en/latest/
  12. Attacking Cloud: Google
      Backdoor
      • Persistence
      • Full access
  13. Attacking Cloud: Azure
      • SDK: pip install azure (or individuals)
      • Auth is easier w/ az cli installed
        • Prompts web session for authorization
      • Just a bunch of APIs wrapped
        • Enumerate resources
      • Breaks services into smaller libraries
        • AzureAD, Storage, KeyVault, VMs, etc
        • Dump Users, Groups, Memberships
      Resource: https://docs.microsoft.com/en-us/azure/python/
  14. Attacking Cloud: Azure
  15. Attacking Cloud: Azure
      AzureAD
      • Users
      • Groups
      • Devices
      • Memberships
      • SPNs
  16. Attacking Cloud: Azure
      Freebie!
      • Portal access
      • Enabled by default
      • More attack surfaces
      • Just auth.. :)
  17. Writing Malware
  18. Writing Python Malware
      ● Evasion
        ○ Evading AMSI: Stripping PowerShell
      ● Injection
        ○ Injecting shellcode w/ custom Python
      ● Execution
        ○ Creating an EXE from a Python script
  19. 1) Evading AMSI: PowerStrip.py
      ● PowerShell detection by Anti-Malware Scan Interface (AMSI)
      ● Can be suboptimal and annoying on a test
      ● Evasion?
        ○ Invoke-Obfuscation by Daniel Bohannon is amazing
        ○ But… you really don’t have to go that far.
  20. PowerStrip.py
      ● What if we just stripped comments, and changed a few applet names? No really… not kidding.
      ● https://github.com/yoda66/PowerStrip
  21. No obfuscation = :(
      ● BUMMER!!!! AMSI busted me...
  22. After PowerStripping...
      ● https://github.com/yoda66/PowerStrip
  23. Hack on and profit..
      ● And we only stripped the comments out.
  24. Once again with stutter!
  25. Applet Name Stuttering
  26. 2) Python Malware
      ● Python has access to Windows kernel32 DLL calls through the “ctypes” module
        ○ Setting up the correct kernel32 DLL calls is a painstaking process.
      ● You can leverage this to run a shellcode of choice.
        ○ msfvenom, or cobalt strike generated shellcode for example.
      ● There are a huge number of different process injection techniques.
      ● There is a lot of BAD code floating around the Internet.
  27. Steps for shellcode injection
      ● Three fundamental steps no matter whether you are creating a thread locally, or in a remote process
        ○ Allocate Memory
        ○ Copy Shellcode to allocated memory
        ○ Create a running thread of code
      ● Notes:
        ○ We will not be using reflexive DLL injection which typically involves using LoadLibraryA() from DLL on disk.
        ○ Remote process injection requires opening a remote process handle
        ○ We will not address “Process Hollowing” either.
  28. Injection: Memory Allocation
      ● Limited number of choices of kernel32 API call
        ○ VirtualAlloc()
          ■ allocate memory within same process
        ○ VirtualAllocEx()
          ■ allocate memory in a remote process
        ○ HeapCreate() then HeapAlloc()
          ■ allocate memory from heap within same process
  29. Injection: Copy shellcode
      ● Two basic choices
        ○ RtlMoveMemory()
          ■ for local in-process activity
        ○ WriteProcessMemory()
          ■ for remote process activity
      ● Note: “ctypes” under Python3 will not allow you to copy a payload with NULL “\x00” characters within it.
        ○ This nearly drove me nuts. As much as I hate to say it, use Python2 for now.
        ○ Alternative: Encode your shellcode but this has ramifications
  30. Injection: Starting Thread
      ● Three possibilities
        ○ CreateThread()
          ■ in local process only
        ○ CreateRemoteThread()
          ■ in remote process
        ○ QueueUserAPC()
          ■ in remote process.
          ■ interesting variant...
  31. Matching API Arg Types
      ● If you don’t do this, then the API calls will all assume a Windows MFC INT type, and you will fail.
        ○ Make sure to use “from ctypes.wintypes import DWORD, HANDLE …”
        ○ This example is part of a Python Class. (yes I learned the hard way)
  32. Same Process Example
  33. Remote Process Injection
      ● You first need to find a process!
      ● Python “psutil” module is helpful and well… “svchost.exe”
  34. Remote Process Injection Steps
      ● OpenProcess() - open the remote process handle
      ● VirtualAllocEx() - allocate memory within process
      ● WriteProcessMemory() - write shellcode to memory
      ● VirtualProtectEx() - change to READ_EXECUTE only
      ● CreateRemoteThread() - spin up remote process thread
      ● VirtualFreeEx() - free Virtual Memory
      ● CloseHandle() - close remote process handle
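Seen from the blue team, the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence above leaves a recognisable trail in Sysmon: Event ID 10 (ProcessAccess) records the handle rights requested by OpenProcess, and Event ID 8 (CreateRemoteThread) records the new thread, whose start address lies in unbacked memory (StartModule "-") when it points at VirtualAllocEx'd shellcode. The following detection is an added example, not code from the talk; the JSON events, paths and addresses are constructed.

```python
import json

# Handle rights an injector must request on the target (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style events: EventID 10 = ProcessAccess (OpenProcess),
# EventID 8 = CreateRemoteThread. Only the first and third lines are malicious.
SAMPLE_LOG = r"""
{"EventID":10,"SourceImage":"C:\\Users\\bob\\dist\\pyinjector.exe","TargetImage":"C:\\Windows\\System32\\svchost.exe","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"SourceImage":"C:\\ProgramData\\AV\\scanner.exe","TargetImage":"C:\\Windows\\System32\\svchost.exe","GrantedAccess":"0x1000"}
{"EventID":8,"SourceImage":"C:\\Users\\bob\\dist\\pyinjector.exe","TargetImage":"C:\\Windows\\System32\\svchost.exe","StartAddress":"0x000001E4A3C40000","StartModule":"-","StartFunction":"-"}
{"EventID":8,"SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Program Files\\App\\app.exe","StartAddress":"0x00007FFB1C2D0000","StartModule":"C:\\Windows\\System32\\ntdll.dll","StartFunction":"RtlUserThreadStart"}
"""


def detect_injection(lines):
    """Alert on remote threads with no backing module; severity is 'high' when
    the same source process already opened the target with injection rights."""
    opened = set()   # (source, target) pairs from Event 10 with INJECT_RIGHTS
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        pair = (ev["SourceImage"], ev["TargetImage"])
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if (granted & INJECT_RIGHTS) == INJECT_RIGHTS:
                opened.add(pair)
        elif ev["EventID"] == 8 and ev.get("StartModule", "-") == "-":
            alerts.append({
                "source": pair[0],
                "target": pair[1],
                "start_address": ev["StartAddress"],
                "severity": "high" if pair in opened else "medium",
            })
    return alerts
```

Applied to SAMPLE_LOG this yields one high-severity alert for pyinjector.exe targeting svchost.exe; the AV scanner's handle (query rights only) and csrss.exe's module-backed thread are left alone.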
  35. 3) Create EXE from Script
      ● A number of different methods
        ○ PyInstaller
        ○ Py2EXE
        ○ Possibly IronPython but its maintenance is lagging
      ● PyInstaller install with “pip2” for Python2
        C:> pip2 install pyinstaller
        C:> pyinstaller.exe --onefile scriptname.py
      ● Resulting EXE will be within the “dist” directory.
  36. PyInjector Demo
      ● https://github.com/yoda66/PyInjector
      ● DEMO TIME!
  37. Ways to Weaponize: Libraries
  38. Libraries: Networks
      ● C2/DNS: socket
      ● Port scan (nmap wrapper): python-libnmap
      ● Packet Manipulation: scapy
      ● Packet Crafting/Parsing: dpkt
      ● PCAP interaction: pcapy
      ● Live host discovery: ping3
      ● Network Protocols: impacket
      ● Exploit Development: pwntools
  39. Libraries: Windows
      ● Win32 API: pywin32
      ● DLL/Shared Libraries: ctypes
      ● Windows Management Instrumentation: wmi
      ● Windows Remote Management: pywinrm
      ● PowerShell Remoting: pypsrp
  40. Libraries: Web & Cloud
      ● Internet recon: shodan
      ● Web requests/Password attacks: requests
      ● Attacking hipster web: requestium
      ● Parsing/Querying HTML (BeautifulSoup4): bs4
      ● Cracking JSON Web Tokens: jwt
      ● Parsing SQLite: sqlite3
      ● Processing XML/HTML: lxml
      ● AWS: boto3
      ● Google Cloud: google-api-python-client
      ● Azure: azure
  41. Ways to Weaponize: Tooling/Frameworks
  42. Tooling/Frameworks
      ● ScoutSuite: https://github.com/nccgroup/ScoutSuite
      ● SilentTrinity: https://github.com/byt3bl33d3r/SILENTTRINITY
      ● FireProx: https://github.com/ustayready/fireprox
      ● CredSniper: https://github.com/ustayready/CredSniper
      ● Recon-ng: https://github.com/lanmaster53/recon-ng
      ● Veil: https://github.com/Veil-Framework/Veil
  43. Go Get Started!
      Here’s some motivation...
      https://github.com/ustayready/python-pentesting
      ● pymeta.py
      ● powerstrip.py
      ● pyinjector.py
      ● pivot_winrm.py
      ● cloud_aws_s3.py
      ● cloud_aws_secrets.py
      ● cloud_azure_ad.py
      ● cloud_gsuite_backdoor.py
      ● cloud_gsuite_email.py
      ● crack_jwt.py
      ● live_host_discovery.py
      ● live_port_discovery.py
      ● passwords_attack.py
      ● pivot_psremoting.py
      ● pivot_wmi.py
      ● shodan_search.py
      ● socket_c2_client.py
      ● socket_c2_server.py
      ● web_brute.py
      ● web_robots.py
      ● web_sniff.py
      ● web_spa.py
  44. End Slide
      • Mike Felch @ustayready
      • Joff Thyer @joff_thyer
      • Black Hills Information Security
        • http://www.blackhillsinfosec.com/
      • Python Goodies!
        • https://github.com/ustayready/python-pentesting
      • Questions?