Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ethical hacking with Python tools at Europython...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for jmortegac jmortegac
July 22, 2016
Programming
660
1

Ethical hacking with Python tools at Europython 2016

Ethical hacking with Python tools at Europython 2016

Avatar for jmortegac

jmortegac

July 22, 2016

More Decks by jmortegac

See All by jmortegac
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
Avatar for jmortegac jmortega
0
23
Seguridad en la nube: defensa para activos digitales
Avatar for jmortegac jmortega
0
24
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
Avatar for jmortegac jmortega
1
47
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
Avatar for jmortegac jmortega
1
55
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
Avatar for jmortegac jmortega
1
130
Security and auditing tools in Large Language Models (LLM)
Avatar for jmortegac jmortega
1
89
Beyond the hype: The reality of AI security
Avatar for jmortegac jmortega
1
96
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
Avatar for jmortegac jmortega
1
130
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
Avatar for jmortegac jmortega
1
81

Other Decks in Programming

See All in Programming
The ROI of Quarkus for Spring Boot Applications
Avatar for Holly Cummins hollycummins
0
100
Contextとはなにか
Avatar for chiroruxx chiroruxx
0
140
運用エージェントは "作る" から "育てる" へ - 記憶と自己進化の3層設計パターン / self-evolving-agents-three-layer-agent-design
Avatar for geeawa gawa
12
3.6k
AIで効率化できた業務・日常
Avatar for Ochtum ochtum
0
120
肥大化するレガシーコードに立ち向かうためのインターフェース分離と依存の逆転 / JJUG CCC 2026 Spring
Avatar for hirokuni-maeta hirokunimaeta
0
520
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
Avatar for Yuku Kotani yukukotani
3
3.4k
Hunting Vulnerabilities in Symfony with LLMs
Avatar for Vincent Amstoutz vinceamstoutz
0
520
AI時代のUIはどこへ行く?その2!
Avatar for Yusuke Wada yusukebe
19
6.9k
フロントエンドとバックエンドで「1文字」を揃えよう
Avatar for てきめん tekimen youkidearitai
PRO
0
230
Make SRE Operations Easier with Azure SRE Agent
Avatar for KAMEGAWA Kazushi kkamegawa
0
4.8k
Swiftのレキシカルスコープ管理
Avatar for kntk kntkymt
0
220
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
Avatar for Daisuke Garaike contour_gara
0
510

Featured

See All Featured
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
280
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
28
3.5k
Tips & Tricks on How to Get Your First Job In Tech
Avatar for Honza Javorek honzajavorek
1
540
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Claude Code のすすめ
Avatar for schroneko schroneko
67
230k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
66
8.5k
It's Worth the Effort
Avatar for 3n 3n
188
29k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
400
30 Presentation Tips
Avatar for Ian Lurie portentint
PRO
1
320
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
6k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
320

Transcript

  1. JOSE MANUEL ORTEGA @JMORTEGAC Ethical hacking with Python tools

  2. https://speakerdeck.com/jmortega

  3. INDEX  Introduction Python pentesting  Modules(Sockets,Requests,BeautifulSoup,Shodan)  Analysis metadata

     Port scanning & Checking vulnerabilities  Advanced tools  Pentesting-tool

  4. Python Pentesting  Multi platform  Prototypes and proofs of

    concept(POC)  Many tools and libraries focused on security  OSINT and Pentesting tools  Very good documentation

  5. Python Pentesting

  6. http://sparta.secforce.com/

  7. The Harvester

  8. The Harvester

  9. W3AF

  10. Tools  Scapy  Capturing and analysing network packets 

    FiMap  Detecting RFI/LFI vulnerabilites  XSScrapy  Detecting XSS vulnerabilites

  11. Sockets Port scan import socket #TCP sock = socket(socket.AF_INET,socket.SOCK_STREAM) result

    = sock.connect_ex(('127.0.0.1',80)) if result == 0: print "Port is open" else: print "Port is filtered"

  12. Sockets Port scan

  13. Socket resolving IP/domain

  14. Banner server

  15. Banner server

  16. Requests

  17. Checking headers

  18. Checking headers

  19. Requests import requests http_proxy = "http://10.10.10.10:3000" https_proxy = "https://10.10.10.10:3000" proxyDict

    = { "http" : http_proxy, "https" : https_proxy } r = requests.get(url,proxies=proxyDict)

  20. Requests Authentication

  21. BeautifulSoup

  22. Internal/external links

  23. Internal/external links

  24. Extract images and documents

  25. Scrapy

  26. Web Scraping

  27. Shodan

  28. https://developer.shodan.io

  29. Shodan import shodan SHODAN_API_KEY = "insert your API key here"

    api = shodan.Shodan(SHODAN_API_KEY)

  30. Shodan

  31. https://www.shodan.io/host/136.243.32.71

  32. Shodan

  33. Shodan

  34. BuiltWith  pip install builtwith  builtwith.parse(‘https://ep2016.europython.eu’)

  35. Analysis metadata

  36. Analysis metadata

  37. Analysis metadata

  38. Port Scanning

  39. Python-nmap  Automating port scanning  Synchronous and asynchronous modes

    import nmap # Synchronous nm = nmap.PortScanner() # nm.scan(‘ip/range’,’port_list’) results = nm.scan('127.0.0.1', '22,25,80,443')

  40. NmapScanner

  41. NmapScanner for port in port_list: NmapScanner().nmapScan(ip, port)

  42. NmapScanner Async #Asynchronous nm_async = nmap.PortScannerAsync() def callback_result(host, scan_result): print

    '------------------' print host, scan_result nm_async.scan(hosts='192.168.1.0/30', arguments='-sP', callback=callback_result) while nm_async .still_scanning(): print("Waiting >>>") nm_async.wait(2)

  43. NmapScanner Async

  44. Scripts Nmap

  45. Scripts Nmap  Programming routines allow to find potential vulnerabilities

    in a given target  First check if the port is open  Detect vulnerabilities in the service port openned nm.scan(arguments="-n -A -p3306 -- script=/usr/share/nmap/scripts/mysql- info.nse")

  46. Mysql Scripts Nmap

  47. Check FTP Login Anonymous

  48. Check FTP Login Anonymous

  49. Check Webs sites  pip install pywebfuzz  https://github.com/disassembler/pywebfuzz

  50. PyWebFuzz from pywebfuzz import fuzzdb import requests logins = fuzzdb.Discovery.PredictableRes.Logins

    domain = "http://192.168.56.101" for login in logins: print “Checking... "+ domain + login response = requests.get(domain + login) if response.status_code == 200: print "Login Resource: " +login

  51. PyWebFuzz

  52. Heartbleed  Vulnerability in OpenSSL V1.0.1  Multi-threaded tool for

    scanning hosts for CVE- 2014-0160.  https://github.com/musalbas/heartbleed-masstest  https://filippo.io/Heartbleed

  53. Heartbleed

  54. Heartbleed

  55. Advanced tools

  56. Metasploit python-msfrpc

  57. Metasploit API call Calls in msgpack format

  58. Nexpose  Tool developed by Rapid7 for scanning and vulnerability

    discovery.  It allows programmatic access to other programs via HTTP/s requests.  BeautifulSoup to obtain data from vulnerabilities server

  59. Nexpose

  60. Pentesting tool

  61. https://github.com/jmortega/python-pentesting

  62. https://github.com/jmortega/europython_ethical_hacking

  63. References & libs  http://docs.shodanhq.com  http://docs.python-requests.org/en/master/  http://scrapy.org 

    http://xael.org/pages/python-nmap-en.html  http://www.pythonsecurity.org/libs  https://github.com/dloss/python-pentest-tools  http://kali-linux.co/2016/07/12/python-tools-for- penetration-testers%E2%80%8B/  https://github.com/PacktPublishing/Effective-Python- Penetration-Testing

  64. Books

  65. Books

  66. THANK YOU!