Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier

TJ O'Connor

Acquiring Editor: Chris Katsaropoulos
Development Editor: Meagan White
Project Manager: Priya Kumaraguruparan
Designer: Russell Purdy

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-957-6

Printed in the United States of America
13 14 15 10 9 8 7 6 5 4 3 2 1

For information on all Syngress publications visit our website at www.syngress.com

Trademarks
Elsevier, Inc., the authors, and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media, Syngress, "Career Advancement Through Skill Enhancement," "Ask the Author UPDATE," and "Hack Proofing" are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Dedication
For my monkey and my ninja princess: anything is possible if you try hard enough.
Lead Author – TJ O'Connor
TJ O'Connor is a Department of Defense expert on information security and a US Army paratrooper. While assigned as an assistant professor at the US Military Academy, TJ taught undergraduate courses on forensics, exploitation, and information assurance. He twice co-coached the winning team at the National Security Agency's annual Cyber Defense Exercise and won the National Defense University's first annual Cyber Challenge. He has served on multiple red teams, including twice on the Northeast Regional Team for the National Collegiate Cyber Defense Competition.

TJ holds a Master of Science degree in Computer Science from North Carolina State, a Master of Science degree in Information Security Engineering from the SANS Technical Institute, and a Bachelor of Science degree in Computer Science from the US Military Academy. He has published technical research at USENIX workshops, ACM conferences, security conferences, the SANS Reading Room, the Internet Storm Center, the Army Magazine, and the Armed Forces Journal. He holds expert cyber security credentials, including the prestigious GIAC Security Expert (GSE) and Offensive Security Certified Expert (OSCE). TJ is a member of the elite SANS Red and Blue Team Cyber Guardians.

Contributing Author Bio – Rob Frost
Robert Frost graduated from the United States Military Academy, commissioning into the Army Signal Corps. He holds a Bachelor of Science degree in Computer Science with honors, with his thesis work focusing on open-source information gathering. Rob was individually recognized as one of the top two members of the national championship team for the Cyber Defense Exercise due to his ability to circumvent rules. Rob has participated in and won several cyber security competitions.

Technical Editor Bio – Mark Baggett
Mark Baggett is a Certified SANS Instructor and teaches several courses in the SANS penetration testing curriculum. Mark is the primary consultant and founder of In Depth Defense, Inc., which provides incident-response and penetration-testing services. Today, in his role as the technical advisor to the Department of Defense for SANS, Mark is focused on the practical application of SANS resources in the development of military capabilities.

Mark has held a variety of positions in information security for large international and Fortune-listed companies. He has been a software developer, a network and systems engineer, a security manager, and a CISO. As a CISO, Mark was responsible for policy compliance, incident response, and all other aspects of information security operations. Mark knows firsthand the challenges that information security professionals face today in selling, implementing, and supporting information security. Mark is an active member of the information security community and the founding president of the Greater Augusta ISSA. He holds several certifications, including SANS' prestigious GSE. Mark blogs about various security topics at http://www.pauldotcom.com.

Introduction
Python is a hacker's language. With its decreased complexity, increased efficiency, limitless third-party libraries, and low bar to entry, Python provides an excellent development platform to build your own offensive tools. If you are running Mac OS X or Linux, odds are it is already installed on your system. While a wealth of offensive tools already exist, learning Python can help you with the difficult cases where those tools fail.

TARGET AUDIENCE
Everyone learns differently. However, whether you are a beginner who wants to learn how to write Python or an advanced programmer who wants to learn how to apply your skills in penetration testing, this book is for you.

ORGANIZATION OF THE BOOK
In writing this book, we really set out to write an evil cookbook of examples for the darker side of Python. The following pages provide Python recipes for penetration testing, web analysis, network analysis, forensic analysis, and exploiting wireless devices. Hopefully the examples will inspire the reader to create his or her own Python scripts.

Chapter 1: Introduction
If you have not programmed in Python before, Chapter 1 provides background information about the language (variables, data types, functions, iteration, selection, and working with modules) and methodically walks through writing a few simple programs. Feel free to skip it if you are already comfortable with the Python programming language. After the first chapter, the following six chapters are fairly independent from one another; feel free to read them in whichever order you please, according to what strikes your curiosity.

Chapter 2: Penetration Testing with Python
Chapter 2 introduces the idea of using the Python programming language to script attacks for penetration testing. The examples in the chapter include building a port scanner, constructing an SSH botnet, mass-compromising via FTP, replicating Conficker, and writing an exploit.

Chapter 3: Forensic Investigations with Python
Chapter 3 utilizes Python for digital forensic investigations. This chapter provides examples for geolocating individuals, recovering deleted items, extracting artifacts from the Windows registry, examining metadata in documents and images, and investigating application and mobile device artifacts.

Chapter 4: Network Traffic Analysis with Python
Chapter 4 uses Python to analyze network traffic. The scripts in this chapter geolocate IP addresses from packet captures, investigate popular DDoS toolkits, discover decoy scans, analyze botnet traffic, and foil intrusion detection systems.

Chapter 5: Wireless Mayhem with Python
Chapter 5 creates mayhem for wireless and Bluetooth devices. The examples in this chapter show how to sniff and parse wireless traffic, build a wireless keylogger, identify hidden wireless networks, remotely command UAVs, identify malicious wireless toolkits in use, stalk Bluetooth radios, and exploit Bluetooth vulnerabilities.

Chapter 6: Web Recon With Python
Chapter 6 examines using Python to scrape the web for information. The examples in this chapter include anonymously browsing the web via Python, working with developer APIs, scraping popular social media sites, and creating a spear-phishing email.

Chapter 7: Antivirus Evasion with Python
In the final chapter, Chapter 7, we build a piece of malware that evades antivirus systems. Additionally, we build a script for uploading our malware against an online antivirus scanner.

[...]
... called easy_install. Running the easy installer module followed by the name of the package to install will search through Python repositories to find the package, download it if found, and install it automatically.

programmer:~# easy_install python-nmap
Searching for python-nmap
Reading http://pypi.python.org/simple/python-nmap/
Reading http://xael.org/norman/python/python-nmap/
Best match: python-nmap ...

... of pairs of items that contain a key and value. Let's continue with our example of a vulnerability scanner to illustrate a Python dictionary. When scanning specific TCP ports, it may prove useful to have a dictionary that contains the common service names for each port. Creating a dictionary, we can look up a key like ftp and return the associated value 21 for that port. When constructing a dictionary, each ...

... need for our scripts.

Setting the Stage for Your First Python Program: The Cuckoo's Egg
A system administrator at Lawrence Berkeley National Labs, Clifford Stoll, documented his personal hunt for a hacker (and KGB informant) who broke into various United States national research laboratories, army bases, defense contractors, and academic institutions in The Cuckoo's Egg: Tracking a Spy Through the Maze ...

... file "passwords.txt" and reads the contents of each line in the password file. For each line, it splits out the username and the hashed password. For each individual hashed password, the main function calls the testPass() function that tests passwords against a dictionary file. This function, testPass(), takes the encrypted password as a parameter and returns either after finding the password or exhausting ...
... Systems
If you are running Mac OS X or Linux, odds are the Python interpreter is already installed on your system. Downloading an installer provides a programmer with the Python interpreter, the standard library, and several built-in modules. The Python standard library and built-in modules provide an extensive range of capabilities, including built-in data types, exception handling, numeric and math modules, ...

... BackTrack, you can install the additional required libraries with easy_install by issuing the following command. This will install most of the required libraries for the examples under Linux.

programmer:~# easy_install pyPdf python-nmap pygeoip mechanize BeautifulSoup4

Chapter five requires some specific Bluetooth libraries that are not available from easy_install. You can use the aptitude package manager ...

Note that easy_install, the setuptools installer used throughout this section, has since been deprecated in favour of pip, and pyPdf has been superseded by PyPDF2 (now pypdf); the installation steps below otherwise still apply.

... Party Libraries
In Chapter two, we will utilize the python-nmap package to handle parsing of nmap results. The following example depicts how to download and install the python-nmap package (or any package, really). Once we have saved the package to a local file, we uncompress the contents and change into the uncompressed directory. From that working directory, we issue the command python setup.py install, which installs the python-nmap package. Installing most third-party packages will follow the same steps of downloading, uncompressing, and then issuing the command python setup.py install. Bear in mind that setup.py is code shipped inside the archive and runs with your privileges: a tarball fetched over plain http:// with no signature or digest check, as below, gives an on-path attacker or a compromised mirror arbitrary code execution on your machine, so compare the file's digest against a value obtained from a trusted channel before running it.

programmer:~# wget http://xael.org/norman/python/python-nmap/python-nmap-0.2.4.tar.gz -O nmap.tar.gz
--2012-04-24 15:51:51-- http://xael.org/norman/python/python-nmap/python-nmap-0.2.4.tar.gz
Resolving xael.org... 194.36.166.10 ...
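The download-uncompress-install procedure above does nothing to check what it is about to execute. The following is an added example, not code from the book, that performs the two checks a practitioner would want before `python setup.py install` is run: the tarball's SHA-256 digest must match a value obtained out of band (an assumption; the page supplies no such value, so `demo()` computes one from an archive it constructs itself), and no archive member may escape the destination directory or be a link or device. The archives used by `demo()` are constructed in a temporary directory and stand in for the python-nmap download.

```python
"""Verify a downloaded package tarball before extracting it and running
`python setup.py install` (added example, not the book's code).

The page fetches python-nmap over plain http:// and then executes the
archive's own setup.py, so nothing on that path checks integrity.  This
example adds the two checks a reviewer would want before that step:
  1. the SHA-256 digest matches a value obtained out of band
     (ASSUMPTION: you have such a value from the publisher's TLS page,
     a signature, or a pinned lockfile; none is provided by the page);
  2. no archive member can escape the destination directory or is a
     link/device (classic tar path traversal).
The tarballs used in demo() are constructed in a temp directory."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """True only if the member is a plain file/dir that lands inside dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return False                               # '..' or absolute path escapes dest
    return member.isfile() or member.isdir()       # no symlinks, hardlinks, devices


def verify_and_extract(tarball: str, expected_sha256: str, dest: str) -> list:
    """Refuse to extract unless the digest matches and every member is safe.
    Returns the sorted member names on success; raises ValueError otherwise."""
    actual = sha256_file(tarball)
    if actual != expected_sha256.lower():
        raise ValueError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    with tarfile.open(tarball, "r:*") as tar:
        members = tar.getmembers()
        unsafe = [m.name for m in members if not is_safe_member(m, dest)]
        if unsafe:
            raise ValueError(f"unsafe archive members: {unsafe}")
        # Python 3.12+ (and backports) have extraction filters; use the strict one when present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return sorted(m.name for m in members)


def build_tarball(path: str, files: dict) -> None:
    """Write a .tar.gz from {member_name: bytes}; used only to build constructed test data."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> tuple:
    """Benign archive extracts; a traversal archive and a wrong digest are refused."""
    with tempfile.TemporaryDirectory() as work:
        good = os.path.join(work, "python-nmap-0.2.4.tar.gz")
        build_tarball(good, {"python-nmap-0.2.4/setup.py": b"print('setup')\n"})
        extracted = verify_and_extract(good, sha256_file(good), os.path.join(work, "ok"))

        evil = os.path.join(work, "evil.tar.gz")
        build_tarball(evil, {"../evil.sh": b"echo owned\n"})
        try:
            verify_and_extract(evil, sha256_file(evil), os.path.join(work, "bad"))
            traversal_refused = False
        except ValueError:
            traversal_refused = True

        try:
            verify_and_extract(good, "0" * 64, os.path.join(work, "ok2"))
            digest_refused = False
        except ValueError:
            digest_refused = True
    return extracted, traversal_refused, digest_refused


if __name__ == "__main__":
    print(demo())
```

In real use the expected digest comes from somewhere the attacker on the download path cannot influence; computing it from the file you just downloaded, as `demo()` does for its constructed archives, proves nothing. Only after `verify_and_extract()` returns should `cd` into the extracted directory and `python setup.py install` follow.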
... see that the crypt library already exists in the Python standard library. To calculate an encrypted UNIX password hash, we simply call the function crypt.crypt() and pass it the password and salt as parameters. This function returns the hashed password as a string. (The crypt module was deprecated in Python 3.11 and removed in 3.13, so current interpreters no longer ship it.)

Programmer$ python
>>> help('crypt')
Help on module crypt:

NAME
    crypt

FILE
    /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/crypt.so
...

... Python Program, a Zipfile Brute-Force Cracker

To me, the extraordinary aspect of martial arts lies in its simplicity. The easy way is also the right way, and martial arts is nothing at all special; the closer to the true way of martial arts, the less wastage of expression there is.
– Master Bruce Lee, Founder, Jeet Kune Do

INTRODUCTION: A PENETRATION TEST WITH PYTHON
Recently, a friend of mine penetration ...