Python For Ethical Hackers
Mohammad Reza Kamalifard

Ethical Hacker = Penetration Tester
Why Python?
Easy to learn
Easy to use
Clean syntax and code readability
Rich set of libraries
Tons of tools already written
Rapid prototyping – POC (proof of concept)
Who is using Python
Core Impact – Comprehensive penetration testing solution
Immunity CANVAS – Exploit development framework
W3AF – Web Application Attack and Audit Framework
Sqlmap – Automatic SQL injection tool
Immunity Debugger – Powerful Debugger
Peach – Fuzzer
Sulley – Fully automated and unattended fuzzing framework
Paimei – Reverse engineering framework
Scapy – Packet manipulation tool
Easy File Handling
>>> file_add = 'c:/users/reza/desktop/passwords.txt'
>>> file_dis = open(file_add, 'r')
>>> emails = file_dis.readlines()
>>> for email in emails:
...     print email
...
(one email address per line; the addresses are not reproduced here)

Note: readlines() keeps the trailing newline on every element, so print adds a blank line after each address and url + line would carry a stray '\n'. Use email.strip(), or iterate the file object directly (for email in file_dis:), and close the file when done (with open(file_add) as file_dis: does both).
Requests
Library to deal with HTTP: HTTP for Humans
>>> import requests
>>> requests.get('http://kamalifard.ir')
<Response [200]>
>>> r = _
>>> r.headers
CaseInsensitiveDict({'content-length': '771', 'content-encoding': 'gzip', 'accept-ranges': 'bytes', 'vary': 'Accept-Encoding', 'server': 'Apache/2.2.16 (Debian)', 'last-modified': 'Sat, 21 Sep 2013 05:19:57 GMT', 'etag': '"15b565-62b-4e6ddf0165940"', 'date': 'Sun, 27 Oct 2013 14:23:54 GMT', 'content-type': 'text/html'})
>>> r.text
u'<!doctype html>\n<html lang="en">\n<head>\n\t<meta charset="UTF-8">\n\t<title>Mohammad rezaKamalifard</title>\n\t<link rel="stylesheet" href="style.css" />\n\n</head>\n<body>\n\t<div class="wrap">\n\t\t<h1>Mohammad reza Kamalifard</h1>\n\t\t<p>Software
Basic fuzzer (directory brute force from a wordlist)
>>> import requests as req
>>> url = 'http://kamalifard.ir/'
>>> file_add = 'c:/users/reza/desktop/dirss.txt'
>>> file_dis = open(file_add, 'r')
>>> dirs = file_dis.readlines()
>>> for x in dirs:
...     x = x.strip()                      # readlines() keeps the '\n'; without strip the URL is wrong
...     resp = req.get(url + x)
...     html = resp.text
...     print resp.status_code, x          # 200/301/403 are the interesting ones; 404 is noise
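The two slides above read a wordlist and request every entry against a base URL. The version below is an added example (Python 3, not code from the deck): it cleans the wordlist the way a scanner has to (strip whitespace, skip blanks and comments, de-duplicate), filters responses by status code rather than saving every body, and takes the HTTP fetcher as a parameter so the demo runs offline against a constructed lookup table. The hostname target.example, the wordlist contents and the fake server table are assumptions for the demo; the default fetcher uses the standard library so nothing beyond Python is needed.

```python
"""Directory brute-forcing with a wordlist and a swappable HTTP fetcher."""
import urllib.error
import urllib.request


def load_wordlist(text):
    """Turn raw wordlist text into clean candidate paths.

    readlines() keeps the trailing newline on every entry, so a naive
    url + word would request 'http://host/admin\\n'. Strip whitespace,
    drop blank lines and '#' comments, and de-duplicate keeping order.
    """
    seen = set()
    words = []
    for line in text.splitlines():
        word = line.strip()
        if not word or word.startswith("#") or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def http_status(url, timeout=5):
    """Default fetcher: HTTP status code for url, or 0 on a network error."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def enumerate_dirs(base_url, words, fetch=http_status,
                   interesting=(200, 301, 302, 401, 403)):
    """Request base_url + word for every candidate; return [(path, status)] hits.

    401/403 are kept on purpose: a forbidden path still proves it exists.
    """
    base = base_url.rstrip("/") + "/"
    hits = []
    for word in words:
        status = fetch(base + word.lstrip("/"))
        if status in interesting:
            hits.append((word, status))
    return hits


# Constructed wordlist (not from the original deck) with the usual noise.
SAMPLE_WORDLIST = "admin\n\n# backups\nbackup/\nadmin\nrobots.txt\nsecret\n"


def fake_fetch(url):
    """Constructed stand-in for a web server so the demo runs offline."""
    table = {
        "http://target.example/admin": 403,
        "http://target.example/backup/": 200,
        "http://target.example/robots.txt": 200,
    }
    return table.get(url, 404)


def demo():
    """Run the enumeration against the fake server; returns the hit list."""
    words = load_wordlist(SAMPLE_WORDLIST)
    return enumerate_dirs("http://target.example", words, fetch=fake_fetch)


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status} {path}")
```

Against a live target replace fake_fetch with the default http_status (or a requests-based equivalent) and expect to tune the interesting set: some servers answer 200 for everything, in which case filtering on response length or a content hash is the next step.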
hashlib
>>> import hashlib
>>> hashlib.algorithms
('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')
>>> m = hashlib.md5()
>>> m.update('reza')
>>> m.digest()
'\xbb\x98\xb1\xd0\xb5#\xd5\xe7\x83\xf91U\rw\x02\xb6'
>>> m.hexdigest()
'bb98b1d0b523d5e783f931550d7702b6'
>>>
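What an ethical hacker does with hashlib most of the time is compare a recovered digest against candidate passwords. The block below is an added example (Python 3, not code from the deck): a wordlist attack on an unsalted hash, the same attack failing once a salt is in play, and a constant-time comparison. The candidate list and the salt value are constructed for the demo; the MD5 value is the one shown on the slide for 'reza'. Note that Python 3 hashlib requires bytes, so the slide's m.update('reza') becomes m.update(b'reza').

```python
"""Offline wordlist attack against a hash, using hashlib."""
import hashlib
import hmac


def hash_hex(password, algo="md5", salt=b""):
    """Hex digest of salt + password. Python 3 hashlib wants bytes, not str."""
    h = hashlib.new(algo)
    h.update(salt + password.encode("utf-8"))
    return h.hexdigest()


def crack_hash(target_hex, candidates, algo="md5", salt=b""):
    """Return the candidate whose digest equals target_hex, or None.

    hmac.compare_digest avoids the timing leak of a plain == on hex strings;
    it matters little for an offline cracker but is the habit to keep for
    any code that compares secrets.
    """
    target = target_hex.lower()
    for word in candidates:
        if hmac.compare_digest(hash_hex(word, algo, salt), target):
            return word
    return None


# Constructed candidate list (not from the original deck).
CANDIDATES = ["123456", "password", "reza", "pycon2013"]

# The MD5 the slide shows for the string 'reza'.
SLIDE_MD5 = "bb98b1d0b523d5e783f931550d7702b6"

if __name__ == "__main__":
    print("md5, unsalted ->", crack_hash(SLIDE_MD5, CANDIDATES))
    salt = b"s4lt"                                   # assumed per-user salt
    salted = hash_hex("reza", "sha256", salt=salt)
    print("sha256 with the right salt ->",
          crack_hash(salted, CANDIDATES, "sha256", salt=salt))
    print("sha256 ignoring the salt ->",
          crack_hash(salted, CANDIDATES, "sha256"))
```

The last two lines are the point: the same wordlist that recovers an unsalted digest instantly returns None when the salt is unknown, and with a unique salt per user a precomputed table is useless. For real password storage use a slow, salted construction (hashlib.pbkdf2_hmac or scrypt), not a bare MD5/SHA digest.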
Sockets
• TCP and UDP Sockets
• Regular Servers and Clients
• Raw Sockets
• Sniffing and Injection
Port Scanner
import socket

def connScan(tgtHost, tgtPort):
    tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_socket.settimeout(2)                     # a filtered port would otherwise hang the scan
    try:
        tcp_socket.connect((tgtHost, tgtPort))
        print '%d/tcp open' % tgtPort
        try:
            tcp_socket.send('PyCon2013\r\n')     # junk probe; many services answer with a banner
            print str(tcp_socket.recv(100))
        except socket.timeout:
            pass                                 # open but silent
    except socket.error:                         # refused, unreachable or connect timeout
        print '%d/tcp closed' % tgtPort
    finally:
        tcp_socket.close()
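The slide's scanner has two practical gaps: without a timeout a firewalled port blocks forever, and a bare except reports every failure as "closed". The block below is an added example (Python 3, not the deck's code) that distinguishes open, closed and filtered, grabs a banner when the service offers one, and checks itself offline by scanning a constructed listener on 127.0.0.1 next to a port that was just released. The probe string and the "220 demo-smtp" banner are assumptions for the demo.

```python
"""TCP connect scanner with per-port timeouts, plus an offline self-test."""
import socket
import threading


def scan_port(host, port, timeout=1.0, probe=b"PyCon2013\r\n"):
    """Return (state, banner); state is 'open', 'closed', 'filtered' or 'error'.

    ConnectionRefusedError means a RST came back (closed). A timeout means
    nothing came back at all, which is what a firewall dropping the SYN
    looks like (filtered). Anything else (no route, etc.) is reported as
    'error' rather than being folded into 'closed'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", b"")
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    except OSError:
        s.close()
        return ("error", b"")
    banner = b""
    try:
        s.sendall(probe)            # many services answer a junk line with a banner
        banner = s.recv(100)
    except (socket.timeout, OSError):
        pass                        # open but silent is still a result
    finally:
        s.close()
    return ("open", banner)


def scan_ports(host, ports, timeout=1.0):
    """Scan a list of ports; returns {port: (state, banner)}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def _banner_listener():
    """Constructed target for the demo: one-shot TCP service on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(100)              # swallow the probe
        conn.sendall(b"220 demo-smtp ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Offline self-check: one local listener (open) and a just-released port (closed)."""
    open_port = _banner_listener()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                     # nothing listens there now, so connect is refused
    results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
    return {"open": results[open_port], "closed": results[closed_port]}


if __name__ == "__main__":
    for state, (result, banner) in demo().items():
        print(f"{state}: {result} {banner!r}")
```

The scan is sequential; for real ranges wrap scan_port in a thread pool (concurrent.futures.ThreadPoolExecutor) and keep the timeout short, since the filtered case pays the full timeout per port.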
ECHO Server
import socket

tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # rebind right after a restart
tcp_socket.bind(('127.0.0.1', 8000))
tcp_socket.listen(2)
print 'Waiting for client ...'
(client, (ip, port)) = tcp_socket.accept()
print 'Received connection from : ', ip
print 'Starting ECHO output...'
data = 'dummy'
while len(data):                       # recv() returns '' once the client closes
    data = client.recv(2048)
    print 'Client sent : ', data
    client.send(data)
client.close()
Client
import socket
import sys

if len(sys.argv) < 3:
    print 'Please Enter address and port'
    sys.exit()
tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.connect((sys.argv[1], int(sys.argv[2])))
while True:
    userInput = raw_input('Please Enter a Message! : ')
    if not userInput:                  # empty line: stop; send('') would transmit nothing and recv() would block
        break
    tcp_socket.send(userInput)
    print 'Server sent back : ' + str(tcp_socket.recv(2048))
tcp_socket.close()
-----Client-----
python client.py 127.0.0.1 8000
Please Enter a Message! : Salam
Server sent back : Salam
Please Enter a Message! : WELCOME TO PYCON 2013!
Server sent back : WELCOME TO PYCON 2013!
Please Enter a Message! :

-----Server-----
Waiting for client ...
Received connection from : 127.0.0.1
Starting ECHO output...
Client sent : Salam
Client sent : WELCOME TO PYCON 2013!
Client sent :
Closing Connection
SocketServer Framework
• Framework in Python to create TCP and UDP servers
• Does all the basic steps for you in the background
• Comes in handy if you want to create a server to lure a client and analyze its behavior
SocketServer Framework
import SocketServer

class EchoHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        print 'Got Connection from : ', self.client_address
        data = 'dummy'
        while len(data):                        # '' means the client closed
            data = self.request.recv(1024)
            print 'Client sent :' + data
            self.request.send(data)
        print 'client left'

server_address = ('127.0.0.1', 9050)
server = SocketServer.TCPServer(server_address, EchoHandler)
server.serve_forever()
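The echo server, the client and the SocketServer version above are three separate scripts that have to be run by hand in two terminals. The block below is an added example (Python 3, where the module is called socketserver; not the deck's code) that puts both ends together so the exchange can be run and checked in one process: a threaded echo server bound to a free port, a client that reads back exactly as many bytes as it sent, and the two fixes the slides gloss over (sendall instead of send, and treating an empty recv as "peer closed" rather than "empty message"). The two messages are the ones from the slide transcript.

```python
"""Echo service on the socketserver framework plus a client, run end to end."""
import socket
import socketserver
import threading


class EchoHandler(socketserver.BaseRequestHandler):
    """Echo every chunk back until the client closes (recv returns b'')."""

    def handle(self):
        while True:
            data = self.request.recv(1024)
            if not data:                 # empty read == peer closed, not an empty message
                break
            self.request.sendall(data)   # send() may write only part of the buffer


class EchoServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True   # same effect as the SO_REUSEADDR line in the deck's server
    daemon_threads = True        # handler threads die with the process


def start_echo_server(host="127.0.0.1", port=0):
    """Bind (port 0 = any free port), serve in a background thread, return (server, port)."""
    server = EchoServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def recv_exact(sock, n):
    """TCP is a byte stream: one send() can arrive as several recv() calls."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def echo_roundtrip(host, port, messages, timeout=2.0):
    """Send each message and collect what the server sends back."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for msg in messages:
            s.sendall(msg)
            replies.append(recv_exact(s, len(msg)))
    return replies


def demo():
    """Start a server, run the slide's two messages through it, shut it down."""
    server, port = start_echo_server()
    try:
        return echo_roundtrip("127.0.0.1", port, [b"Salam", b"WELCOME TO PYCON 2013!"])
    finally:
        server.shutdown()            # must be called from a thread other than serve_forever's
        server.server_close()


if __name__ == "__main__":
    for reply in demo():
        print("Server sent back:", reply.decode())
```

To use the server as the lure the slide mentions, replace the body of handle() with logging of self.client_address and every received chunk; the threading mix-in keeps one slow or hostile client from blocking the others.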
Nmap
import nmap
tgtHost = '192.168.1.254'
tgtPort = '80'
nmapScan = nmap.PortScanner()
nmapScan.scan(tgtHost, tgtPort)
state=nmapScan[tgtHost]['tcp'][int(tgtPort)]['state']
print tgtHost + ' tcp/' +tgtPort + ' ' +state
Simple HTTP Server
import SocketServer
import SimpleHTTPServer
httpServer = SocketServer.TCPServer(('', 8080),
SimpleHTTPServer.SimpleHTTPRequestHandler)
httpServer.serve_forever()
Raw Sockets
import struct, socket, binascii

# AF_PACKET raw sockets deliver whole Ethernet frames and need root. 0x0800 = ETH_P_IP (Linux only).
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
pkt = rawSocket.recvfrom(2048)
ethernetHeader = pkt[0][0:14]
eth_hdr = struct.unpack('!6s6s2s', ethernetHeader)
print 'Destination MAC : ' + binascii.hexlify(eth_hdr[0])
print 'Source MAC : ' + binascii.hexlify(eth_hdr[1])
print 'EtherType : ' + binascii.hexlify(eth_hdr[2])
ipHeader = pkt[0][14:34]                     # assumes a 20-byte IP header (IHL = 5, no options)
ip_hdr = struct.unpack('!12s4s4s', ipHeader)
print 'Source IP address : ' + socket.inet_ntoa(ip_hdr[1])
print 'Destination IP address : ' + socket.inet_ntoa(ip_hdr[2])
tcpHeader = pkt[0][34:54]                    # only meaningful when the IP protocol byte (ip_hdr[0][9]) is 6 = TCP
tcp_hdr = struct.unpack('!HH16s', tcpHeader)
print 'Source port : %d, Destination port : %d' % (tcp_hdr[0], tcp_hdr[1])
Packet Injection with Raw Sockets
import socket
import struct

rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
rawSocket.bind(('wlan0', socket.htons(0x800)))          # interface to transmit on; needs root
# Ethernet header: destination MAC, source MAC, EtherType (0x0800 = IPv4).
packet = struct.pack('!6s6s2s', '\xaa\xaa\xaa\xaa\xaa\xaa',
                     '\xbb\xbb\xbb\xbb\xbb\xbb', '\x08\x00')
rawSocket.send(packet + 'Welcome to PYCON')            # the payload is not a valid IPv4 packet: a sniffer sees the frame, an IP stack discards it
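The sniffing slide unpacks Ethernet, IP and TCP headers with fixed slices, and the injection slide packs an Ethernet header with struct.pack. Both need root and a live interface, so the block below is an added example (Python 3, not the deck's code) that does the same two operations on a constructed frame in memory: it builds a complete Ethernet/IPv4/TCP SYN with a correct IP checksum, then decodes it while honouring the IP header length field instead of assuming the 34-byte offset the slide hard-codes. The MAC addresses, IPs, ports and payload are assumptions for the demo (they mirror the deck's values); to feed real traffic in, pass the bytes from rawSocket.recvfrom(2048)[0] to parse_frame.

```python
"""Build an Ethernet/IPv4/TCP frame with struct.pack and decode it with struct.unpack."""
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used for the IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 (no options) + TCP SYN: the three layers the sniff slide unpacks."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, 0x0800)        # dst first on the wire
    tcp_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (6 = TCP), checksum, src, dst
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_ck[:10] + struct.pack("!H", checksum(ip_no_ck)) + ip_no_ck[12:]
    # sport, dport, seq, ack, data offset (5 words) << 4, flags (SYN), window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the headers; uses IHL for the TCP offset instead of the slide's fixed [34:54]."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4           # > 20 when IP options are present
    tcp_off = 14 + ihl
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto,
            "ip_checksum_ok": checksum(frame[14:14 + ihl]) == 0}
    if proto == 6 and len(frame) >= tcp_off + 20:
        sport, dport, seq, ack, off_res, flags = struct.unpack(
            "!HHIIBB", frame[tcp_off:tcp_off + 14])
        data_off = (off_res >> 4) * 4    # TCP options also move the payload
        info.update({"sport": sport, "dport": dport, "seq": seq,
                     "syn": bool(flags & 0x02),
                     "payload": frame[tcp_off + data_off:14 + total_len]})
    return info


# Constructed frame (not captured traffic): 192.168.1.2 -> 192.168.1.254, SYN to port 25.
SAMPLE = build_frame(b"\xaa" * 6, b"\xbb" * 6, "192.168.1.2", "192.168.1.254",
                     20, 25, b"Welcome to PYCON")

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE).items():
        print(key, value)
```

The SYN built here has a zero TCP checksum, which is fine for a parsing demo but would be dropped by a real receiver; the TCP checksum covers a pseudo-header (src, dst, protocol, length) as well as the segment, which is one of the things Scapy computes for you in the next section.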
Scapy
• Interactive packet manipulation tool
• Forge or decode packets
• Wide number of protocols
• Send Packet on the wire
• Capture Packet
• Match requests and replies
Scapy
reza@kamalifard$ sudo scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>>ls()
ARP : ARP
DHCP : DHCP options
DNS : DNS
GPRS : GPRSdummy
L2TP : None
PPPoE : PPP over Ethernet
[...]
Sniff
>>> p = sniff(count = 5)
>>> p
<Sniffed: TCP:5 UDP:0 ICMP:0 Other:0>
>>> p.show()
0000 Ether / IP / TCP 46.165.248.173:4948 > 192.168.1.2:47981 PA / Raw
0001 Ether / IP / TCP 192.168.1.2:47981 > 46.165.248.173:4948 A
0002 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw
0003 Ether / IP / TCP 127.0.0.1:mmcc > 127.0.0.1:48852 PA / Raw
0004 Ether / IP / TCP 127.0.0.1:48852 > 127.0.0.1:mmcc A
>>>
Create Packet
>>> pkt = IP(dst ='192.168.1.254')/TCP(dport = 25)
>>> pkt
<IP frag=0 proto=tcp dst=192.168.1.254 |<TCP dport=smtp |>>
>>> print pkt
(the raw packet bytes, mostly unprintable)
>>> str(pkt)
'E\x00\x00(\x00\x01\x00\x00@\x06\xf6~\xc0\xa8\x01\x02\xc0\xa8\x01\xfe\x00\x14\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00\x0be\x00\x00'
>>> pkt.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.2
dst= 192.168.1.254
\options\
###[ TCP ]###
sport= ftp_data
dport= smtp
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}
Send Packets
>>> pkt = IP(dst = 'google.com')/ICMP()/'Welcome to PyCon'
>>> pkt
<IP frag=0 proto=icmp dst=Net('google.com') |<ICMP |<Raw load='Welcome to PyCon' |>>>
>>>
>>> pkt.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 192.168.1.2
dst= Net('google.com')
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'Welcome to PyCon'
>>>send(pkt)
.
send 1 packets.
Send and Receive
>>> resp = sr(pkt)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> resp
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> resp[0][0]
(<IP frag=0 proto=icmp dst=216.239.32.20 |<ICMP |<Raw load='Welcome to PyCon' |>>>, <IP version=4L ihl=5L tos=0x0 len=44 id=0 flags= frag=0L ttl=33 proto=icmp chksum=0xdf23 src=216.239.32.20 dst=192.168.1.2 options=[] |<ICMP type=echo-reply code=0 chksum=0xea37 id=0x0 seq=0x0 |<Raw load='Welcome to PyCon' |<Padding load='\x00\x00' |>>>>)
>>>
About 750 million people in the world are hungry, about 1 in every 8.
World Food Programme (fa.wfp.org): the global fight against hunger.
>>> print contact_me
Mohammad Reza Kamalifard
http://www.linkedin.com/in/itmard
My Python Courses :
http://www.webamooz.ir/home/courses/python-for-ethical-hackers-1/
http://www.webamooz.ir/home/courses/python-for-ethical-hackers-2/
This work is a product of DataSec Middle East (Amniat Dadehaa Khavare Miane) and licensed under the Creative Commons Attribution-NoDerivs 3.0 Unported License. Copyright 2013 Mohammad Reza Kamalifard. All rights reserved.
http://kamalifard.ir