Learning Penetration Testing with Python

Table of Contents

Learning Penetration Testing with Python
Credits
Disclaimer
About the Author
Acknowledgements
About the Reviewers
www.PacktPub.com
  Support files, eBooks, discount offers, and more
    Why subscribe?
    Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Conventions
  Reader feedback
  Customer support
    Downloading the example code
    Downloading the color images of this book
    Errata
    Piracy
    Questions

Understanding the Penetration Testing Methodology
  An overview of penetration testing
  Understanding what penetration testing is not
    Vulnerability assessments
    Reverse engineering engagements
    Hacking
  Assessment methodologies
  The penetration testing execution standard
    Pre-engagement interactions
      White Box Testing
      Grey Box Testing
      Black Box Testing
      Double Blind Testing
    Intelligence gathering
    Threat modeling
    Vulnerability analysis
    Exploitation
    Post exploitation
    Reporting
    An example engagement
  Penetration testing tools
    NMAP
    Metasploit
    Veil
    Burp Suite
    Hydra
    John the Ripper
      Cracking Windows passwords with John
    oclHashcat
    Ophcrack
    Mimikatz and Incognito
    SMBexec
    Cewl
    Responder
    theHarvester and Recon-NG
    pwdump and fgdump
    Netcat
    Sysinternals tools
  Summary

The Basics of Python Scripting
  Understanding the difference between interpreted and compiled languages
  Python – the good and the bad
  A Python interactive interpreter versus a script
  Environmental variables and PATH
  Understanding dynamically typed languages
  The first Python script
  Developing scripts and identifying errors
  Reserved words, keywords, and built-in functions
  Global and local variables
  Understanding a namespace
  Modules and imports
  Python formatting
    Indentation
  Python variables
    Debugging variable values
    String variables
    Number variables
    Converting string and number variables
    List variables
    Tuple variables
    Dictionary variables
    Understanding default values and constructors
    Passing a variable to a string
  Operators
    Comparison operators
    Assignment operators
    Arithmetic operators
    Logical and membership operators
  Compound statements
    The if statements
    Python loops
      The while loop
      The for loop
      The break condition
    Conditional handlers
  Functions
    The impact of dynamically typed languages on functions
    Curly brackets
    How to comment your code
    The Python style guide
      Classes
      Functions
      Variables and instance names
    Arguments and options
  Your first assessor script
  Summary

Identifying Targets with Nmap, Scapy, and Python
  Understanding how systems communicate
    The Ethernet frame architecture
      Layer 2 in Ethernet networks
      Layer 2 in wireless networks
    The IP packet architecture
    The TCP header architecture
    Understanding how TCP works
      The TCP three-way handshake
    The UDP header architecture
    Understanding how UDP works
  Understanding Nmap
    Inputting the target ranges for Nmap
    Executing the different scan types
      Executing TCP full connection scans
      Executing SYN scans
      Executing ACK scans
      Executing UDP scans
      Executing combined UDP and TCP scans
      Skipping the operating system scans
    Different output types
      Understanding the Nmap Grepable output
      Understanding the Nmap XML output
    The Nmap scripting engine
    Being efficient with Nmap scans
    Determining your interface details with the netifaces library
  Nmap libraries for Python
  The Scapy library for Python
  Summary

Executing Credential Attacks with Python
  The types of credential attacks
    Defining the online credential attack
    Defining the offline credential attack
  Identifying the target
  Creating targeted usernames
    Generating and verifying usernames with help from the U.S census
    Generating the usernames
  Testing for users using SMTP VRFY
    Creating the SMTP VRFY script
  Summary

Exploiting Services with Python
  Understanding the new age of service exploitation
  Understanding the chaining of exploits
    Checking for weak, default, or known passwords
    Gaining root access to the system
    Understanding the cracking of Linux hashes
    Testing for the synchronization of account credentials
  Automating the exploit train with Python
  Summary

Assessing Web Applications with Python
  Identifying live applications versus open ports
  Identifying hidden files and directories with Python
  Credential attacks with Burp Suite
  Using twill to walk through the source
  Understanding when to use Python for web assessments
    Understanding when to use specific libraries
    Being efficient during web assessments
  Summary

Cracking the Perimeter with Python
  Understanding today's perimeter
    Clear-text protocols
    Web applications
    Encrypted remote access services
    Virtual Private Networks (VPNs)
    Mail services
    Domain Name Service (DNS)
    User Datagram Protocol (UDP) services
  Understanding the link between accounts and services
  Cracking inboxes with Burp Suite
  Identifying the attack path
    Understanding the limitations of perimeter scanning
    Downloading backup files from a TFTP server
    Determining the backup filenames
    Cracking Cisco MD5 hashes
  Gaining access through websites
    The execution of file inclusion attacks
    Verifying an RFI vulnerability
    Exploiting the hosts through RFI
  Summary

Exploit Development with Python, Metasploit, and Immunity
  Getting started with registers
    Understanding general purpose registers
      The EAX
      The EBX
      The ECX
      The EDX
    Understanding special purpose registers
      The EBP
      The EDI
      The EIP
      The ESP
  Understanding the Windows memory structure
    Understanding the stack and the heap
    Understanding the program image and dynamic-link libraries
    Understanding the process environment block
    Understanding the thread environment block
    Kernel
  Understanding memory addresses and endianness
  Understanding the manipulation of the stack
  Understanding immunity
  Understanding basic buffer overflow
  Writing a basic buffer overflow exploit
  Understanding stack adjustments
  Understanding the purpose of local exploits
  Understanding other exploit scripts
    Exploiting standalone binaries by executing scripts
    Exploiting systems by TCP service

Index

O

Object-oriented (OO)
  about / Python – the good and the bad
oclHashcat / oclHashcat
offline credential attack
  defining / Defining the offline credential attack
online credential attack
  defining / Defining the online credential attack
OO programming
  about / Python – the good and the bad
Open Source Intelligence (OSINT) / Black Box Testing, theHarvester and Recon-NG
Open Systems Interconnect (OSI) model
  about / Understanding how systems communicate
Open Web Application Security Project's (OWASP) / Building industry-standard tools
Operating System (OS) / Generating the usernames
Operating Systems (OS)
  about / Understanding the difference between multithreading and multiprocessing
operating system scans
  skipping / Skipping the operating system scans
operators
  about / Operators
  reference link / Operators
  comparison operators / Comparison operators
  assignment operators / Assignment operators
  arithmetic operators / Arithmetic operators
  logical operators / Logical and membership operators
  membership operators / Logical and membership operators
Ophcrack / Ophcrack
options
  about / Arguments and options
Outlook Web Access (OWA)
  about / Cracking inboxes with Burp Suite

P

Packet Capture (PCAP) / Verifying an RFI vulnerability
Pass-the-Hash (PtH)
  about / Understanding the Nmap Grepable output
Pass-the-Hash (PtH) attack / An example engagement
Pass-the-Hash attack (PtH)
  about / Testing for the synchronization of account credentials
PATH environmental variable
  about / Environmental variables and PATH
penetration testing
  overview / An overview of penetration testing
  about / Understanding what penetration testing is not
  tools / Penetration testing tools
PeepingTom
  about / Identifying live applications versus open ports
perimeter scanning
  limitations / Understanding the limitations of perimeter scanning
Perl function
  example / Curly brackets
pivoting
  about / Understanding the new age of service exploitation
Point-to-Point Tunneling Protocol (PPTP)
  about / Virtual Private Networks (VPNs)
Portable Executable (PE) / Understanding the program image and dynamic-link libraries
post exploitation modules, Metasploit
  reference link / Understanding the Nmap Grepable output
pre-engagement interactions, PTES
  categories / Pre-engagement interactions
  White Box testing / White Box Testing
  Grey Box format / Grey Box Testing
  Black Box / Black Box Testing
  Double Blind tests / Double Blind Testing
Pretty Good Privacy (PGP) / Pre-engagement interactions
print function
  about / Python – the good and the bad
Process Environment Block (PEB)
  about / Understanding the process environment block
Process Execution (PSEXEC) attack
  about / Understanding the Nmap Grepable output
Process Identifier (PID)
  about / Gaining root access to the system
program image
  about / Understanding the program image and dynamic-link libraries
  PE header / Understanding the program image and dynamic-link libraries
  text / Understanding the program image and dynamic-link libraries
  rdata / Understanding the program image and dynamic-link libraries
  data / Understanding the program image and dynamic-link libraries
  rsrc / Understanding the program image and dynamic-link libraries
prohibited
  about / Reserved words, keywords, and built-in functions
protection mechanisms
  about / Understanding protection mechanisms
pseudorandom number generator (PRNG) / John the Ripper
psexec module
  about / Testing for the synchronization of account credentials
PTES
  about / The penetration testing execution standard
  pre-engagement interactions / Pre-engagement interactions
  intelligence gathering / Intelligence gathering
  threat modeling / Threat modeling
  vulnerability analysis / Vulnerability analysis
  exploitation / Exploitation
  post exploitation / Post exploitation
  reporting / Reporting
  example engagement / An example engagement
PtH
  about / Understanding the Nmap Grepable output
pwdump / pwdump and fgdump
Python
  about / Understanding the difference between interpreted and compiled languages
  overview / Python – the good and the bad
  exploit train, automating with / Automating the exploit train with Python
  used, for identifying hidden files and directories / Identifying hidden files and directories with Python
  using, for web assessments / Understanding when to use Python for web assessments
  specific libraries, using / Understanding when to use specific libraries
  multithreaded script, creating in / Creating a multithreaded script in Python
  multiprocessing script, creating in / Creating a multiprocessing script in Python
Python class
  creating / Understanding how to create a Python class
Python classes
  reference link / Understanding how to create a Python class
Python formatting
  about / Python formatting
  indentation / Indentation
Pythonic
  about / Python – the good and the bad
Python multiprocessing
  reference link / Creating a multiprocessing script in Python
Python nmap library
  URL / Nmap libraries for Python
Python script
  creating, for parsing Nmap XML / Creating a Python script to parse an Nmap XML
  creating, for generating Excel spreadsheets / Creating a Python script to generate Excel spreadsheets
Python script, GitHub page
  reference link / Creating a Python script to parse an Nmap XML

R

Recon-NG / theHarvester and Recon-NG
registers
  about / Getting started with registers
  general purpose registers / Understanding general purpose registers
  special purpose registers / Understanding special purpose registers
Reiser File System (ReiserFS)
  about / Gaining root access to the system
Remote and Local File Inclusion (RFI/LFI)
  about / Gaining access through websites
Remote Code Execution (RCE)
  about / Assignment operators, Understanding basic buffer overflow
Remote Desktop Protocol (RDP)
  about / Encrypted remote access services
remote file inclusion
  references / The execution of file inclusion attacks
reports
  XML files, parsing for / Understanding how to parse XML files for reports
request-based script
  reference link / Understanding when to use specific libraries
Request For Comment (RFC) / Creating a Python script to parse an Nmap XML
Request for Proposal (RFP) / Pre-engagement interactions
request library / Understanding when to use specific libraries
reserved words
  about / Reserved words, keywords, and built-in functions
Responder / Responder
Return-Oriented Programming (ROP) chaining
  about / Understanding protection mechanisms
RFI
  hosts, exploring through / Exploiting the hosts through RFI
RFI vulnerability
  verifying / Verifying an RFI vulnerability

S

scan types
  executing / Executing the different scan types
  TCP connection scan, executing / Executing TCP full connection scans, Executing ACK scans
  SYN scans, executing / Executing SYN scans
  ACK scans, executing / Executing ACK scans
  UDP scans, executing / Executing UDP scans
Scapy library, for Python
  about / The Scapy library for Python
script
  versus interactive interpreter / A Python interactive interpreter versus a script
  about / The first Python script
  developing / Developing scripts and identifying errors
Secure Copy (SCP) / Gaining root access to the system
Secure Hashing Algorithm 1 (SHA-1) / Defining the offline credential attack
Secure Shell (SSH) / Hydra
  about / Nmap libraries for Python, Checking for weak, default, or known passwords, Encrypted remote access services
Security Accounts Manager (SAM)
  about / Testing for the synchronization of account credentials
Security by obscurity
  about / Understanding how systems communicate
Security Identifier (SID) / An example engagement
Server Message Block (SMB) / An example engagement
  about / Understanding the Nmap Grepable output, Testing for the synchronization of account credentials, The execution of file inclusion attacks
service exploitation
  about / Understanding the new age of service exploitation
Service Pack (SP) / Understanding the program image and dynamic-link libraries
Service Set Identifier (SSID)
  about / Layer 2 in wireless networks
Set User Identifier (SUID) / Gaining root access to the system
shared memory
  reference link / Creating a multiprocessing script in Python
simple-requests
  reference link / Creating a multithreaded script in Python
Simple Mail Transfer Protocol (SMTP) / Identifying the target
Simple Network Management Protocol (SNMP)
  about / User Datagram Protocol (UDP) services
SMBexec / SMBexec
SMTP VRFY script
  used, for testing users / Testing for users using SMTP VRFY
  creating / Creating the SMTP VRFY script
  URL / Creating the SMTP VRFY script
special purpose registers
  about / Understanding special purpose registers
  EBP / The EBP
  EDI / The EDI
  EIP / The EIP
  ESP / The ESP
SpiderLabs msfrpc library
  reference link / Automating the exploit train with Python
SQLi lists, for common injection types
  reference link / Being efficient during web assessments
sqlmap
  about / Being efficient during web assessments
stack adjustments
  about / Understanding stack adjustments
stack manipulation
  about / Understanding the manipulation of the stack
Standard Error (STDERR)
  about / Understanding logging within Python
Standard Input (STDIN)
  about / Inputting the target ranges for Nmap
Standard Out (STDOUT)
  about / Reserved words, keywords, and built-in functions, Understanding Nmap
Standard Output (STDOUT)
  about / Understanding logging within Python
Statement of Work (SOW) / Pre-engagement interactions
string
  variable, passing to / Passing a variable to a string
string variables
  about / String variables
  converting / Converting string and number variables
Structured Exception Handling (SEH)
  about / Understanding protection mechanisms
Structured Query Language (SQL)
  about / Gaining access through websites
Structured Query Language injection (SQLi)
  about / Gaining access through websites
style guide
  about / The Python style guide
  reference link / The Python style guide
SYN scans
  executing / Executing SYN scans
Sysinternals tools / Sysinternals tools
system communication
  about / Understanding how systems communicate
System Development Life cycle (SDLC)
  about / Python – the good and the bad

T

target
  identifying / Identifying the target
targeted usernames
  creating / Creating targeted usernames
  URLs / Creating targeted usernames
  generating, with U.S census / Generating and verifying usernames with help from the U.S census
  verifying, with U.S census / Generating and verifying usernames with help from the U.S census
  generating / Generating the usernames
  excel spreadsheet, URL / Generating the usernames
  script download, URL / Generating the usernames
target ranges
  inputting, for nmap / Inputting the target ranges for Nmap
TCP
  working / Understanding how TCP works
TCP/IP stack
  about / Understanding how systems communicate
TCP full connection scans
  executing / Executing TCP full connection scans
TCP header architecture
  about / The TCP header architecture
TCP three-way handshake
  about / The TCP three-way handshake
TFTP server
  backup files, downloading from / Downloading backup files from a TFTP server
theHarvester / theHarvester and Recon-NG
Thread Environment Block (TEB)
  about / Understanding the thread environment block
thread safe
  about / Creating a multithreaded script in Python
tools, penetration testing
  about / Penetration testing tools
  Network Mapper (Nmap) / NMAP
  Metasploit / Metasploit
  Veil / Veil
  Burp Suite / Burp Suite
  Hydra / Hydra
  John the Ripper (JtR) / John the Ripper
  oclHashcat / oclHashcat
  Ophcrack / Ophcrack
  Mimikatz / Mimikatz and Incognito
  Incognito / Mimikatz and Incognito
  SMBexec / SMBexec
  Cewl / Cewl
  Responder / Responder
  theHarvester / theHarvester and Recon-NG
  Recon-NG / theHarvester and Recon-NG
  pwdump / pwdump and fgdump
  fgdump / pwdump and fgdump
  Netcat / Netcat
  Sysinternals tools / Sysinternals tools
Transmission Control Protocol (TCP) / NMAP
  about / Understanding how to parse XML files for reports
Trivial File Transfer Protocol (TFTP)
  about / User Datagram Protocol (UDP) services
tuple variables
  about / Tuple variables
twill
  using / Using twill to walk through the source
twill library / Understanding when to use specific libraries

U

Ubuntu TFTP server
  reference link / User Datagram Protocol (UDP) services
UDP
  working / Understanding how UDP works
UDP header architecture
  about / The UDP header architecture
UDP scans
  executing / Executing UDP scans
Uniform Resource Locator (URL)
  about / Identifying live applications versus open ports, The execution of file inclusion attacks
Uniform Resource Locators (URLs)
  about / Understanding the new age of service exploitation
Universal Serial Bus (USB) / Ophcrack
  about / Testing for the synchronization of account credentials
Universal Serial Bus (USB) drive / Understanding the program image and dynamic-link libraries
User Datagram Protocol (UDP)
  about / Understanding how systems communicate, Understanding how to parse XML files for reports
User Datagram Protocol (UDP) services
  about / User Datagram Protocol (UDP) services

V

variable
  passing, to string / Passing a variable to a string
variables
  about / Python variables
  string variables / String variables
  number variables / Number variables
  list variables / List variables
  tuple variables / Tuple variables
  dictionary variables / Dictionary variables
variables names
  about / Variables and instance names
variable values
  debugging / Debugging variable values
Veil / Veil
  reference link / Testing for the synchronization of account credentials
Virtual Local Area Networks (VLANs)
  about / The Scapy library for Python
Virtual Machines (VMs)
  about / Understanding the difference between interpreted and compiled languages
Virtual Private Networks (VPNs)
  about / Virtual Private Networks (VPNs)
Vulnerability Assessment (VA) / Vulnerability assessments
Vulnerability Management Solution (VMS) / An overview of penetration testing

W

Web Application Firewalls (WAFs)
  about / Being efficient during web assessments
web applications
  about / Web applications
web assessments
  Python, using for / Understanding when to use Python for web assessments
  efficiency feature / Being efficient during web assessments
Web Proxy AutoDiscovery (WPAD) / Responder
while loop
  about / The while loop
White Box testing (Clear Box testing) / White Box Testing
Windows Active Directory password complexity requirements
  reference link / Understanding the chaining of exploits
Windows memory structure
  about / Understanding the Windows memory structure
  stack / Understanding the stack and the heap
  heap / Understanding the stack and the heap
  program image / Understanding the program image and dynamic-link libraries
  dynamic-link libraries / Understanding the program image and dynamic-link libraries
  process environment block / Understanding the process environment block
  thread environment block / Understanding the thread environment block
  kernel / Kernel

X

XML files
  parsing, for reports / Understanding how to parse XML files for reports
XSS lists
  reference link / Being efficient during web assessments

Z

Zed Attack Proxy (ZAP) / Burp Suite
  about / Understanding the difference between interpreted and compiled languages
Zeltser
  URL / Understanding the new age of service exploitation

...
  Creating a multiprocessing script in Python
  Building industry-standard tools
  Summary
Index

Learning Penetration Testing with Python
Copyright © 2015 Packt Publishing...