Security and Privacy in a Networked World/Too easy to misuse
Easy enough
Today's topic was inspired by the book Violent Python by TJ O'Connor, but similar easy recipes can also be found online (see links below). The book is definitely recommended, as it introduces using Python for a diverse array of security-related tasks (cracking passwords or a Skype database, snooping on wireless connections, etc.) while only demanding programming skills ranging from very basic to intermediate.
Due to the open nature of our course, this topic will not contain anything that is not already openly available on the Internet. Rather than "teaching new tricks", the point of the topic in our course is to make people aware of these simple techniques. Advanced folks can, however, find some more specific tips in the links provided.
Python (continued)
Strings
Manipulation of strings (textual values) is a common task for security-related scripts in Python - e.g. a web page URL (web address), an IP address or a serial number are all handled as strings. Finding, extracting and relocating substrings (e.g. replacing the last block of an IP address with another) are all common tasks.
A typical example is checking whether a substring exists in a longer expression:
    signature = "MyServer version 5.05 Enterprise edition"
    target = "5.05"
    if target in signature:
        print("This version can be attacked")
    else:
        print("This server is secure")
Note: this simulates a version-based check on a server - a signature describing its software is obtained from the server and then compared to a version known to be vulnerable.
READ MORE at http://docs.python.org/2/library/stdtypes.html#string-methods
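The substring test above only asks whether the characters "5.05" occur somewhere in the banner, so it also fires on "15.05" and on an unrelated product, misses "5.5", and a plain string comparison would order "5.10" before "5.6". The following Python 3 script is an added illustration and not part of the original course page: it parses the version number out of the banner with a regular expression and compares it numerically. The banner strings, the product name "MyServer", the regular expression and the assumed fixed-in version (5.6) are all constructed for this example.

```python
import re

# Constructed sample banners (not real product strings) used to exercise both checks.
BANNERS = [
    "MyServer version 5.05 Enterprise edition",
    "MyServer version 15.05 Enterprise edition",
    "MyServer version 5.5 Enterprise edition",
    "MyServer version 5.10 Enterprise edition",
    "OtherDaemon 5.05",
]

# Matches the (assumed) product name followed by a dotted version number, e.g. "5.05" or "5.10.2".
VERSION_RE = re.compile(r"\bMyServer version (\d+(?:\.\d+)*)\b")


def naive_check(banner, target="5.05"):
    """The substring test from the text: true whenever the characters of target appear anywhere."""
    return target in banner


def parse_version(banner):
    """Return the version as a tuple of ints, or None if the banner is not a MyServer banner."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(banner, fixed_in=(5, 6)):
    """True when the banner is MyServer at a version older than fixed_in (an assumed fix version)."""
    version = parse_version(banner)
    if version is None:
        return False
    # Tuple comparison is numeric per component, so (5, 10) correctly sorts after (5, 6).
    return version < fixed_in


def compare_checks(banners=BANNERS):
    """Side-by-side results so the false positives and misses of the substring test are visible."""
    return [(banner, naive_check(banner), is_affected(banner)) for banner in banners]


if __name__ == "__main__":
    for banner, naive, parsed in compare_checks():
        print(f"{banner!r}: substring={naive} parsed={parsed}")
```

Run as a script it prints one line per constructed banner; the two columns disagree on three of the five, which is the point of parsing before comparing.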
Modules
One of the strong points of Python is modularity - a program can import specific modules to gain access to a multitude of additional functions. Modules are linked to the program with the "import" directive.
We will briefly look at the socket module. Other useful modules in a security context are os and sys, which contain many useful functions for accessing the file systems of different operating systems (including all three major flavours in use today).
READ MORE at http://docs.python.org/2/tutorial/stdlib.html
The socket module
This module contains many handy tools for networking. While the full description is available in the Python documentation, let us stop at a few simple uses:
- socket.socket() - in simple terms, this creates a new network socket. To connect to a specific IP address and port, we assign the socket to a variable and call connect() on it. The following example defines a variable "netcon" and connects to the FTP port of a computer on the local network:
    import socket
    netcon = socket.socket()
    netcon.connect(("192.168.1.10", 21))
- recv() - reads up to a given number of bytes from an open connection. For example, the previous script can be extended like this:
    import socket
    netcon = socket.socket()
    netcon.connect(("192.168.1.10", 21))
    reply = netcon.recv(1024).decode("utf-8", "replace")  # recv() returns bytes in Python 3
    if "Old FTP server SomeOldVersion" in reply:
        print("A good target!")
    else:
        print("Sorry, no luck.")
Notes:
- Some servers refuse to answer, but many will. Typically, the first kilobyte (1024 bytes) of the reply contains some information about the server, and in many cases this includes the name and version of the software in use. Combining this with a known vulnerability database like SecurityFocus may produce a lot of possibilities.
- Most web servers tend to refuse the connection or ignore it, resulting in a timeout (a real program should handle these cases too; the examples here are very basic). However, other services (SSH, FTP, e-mail servers) are often more revealing.
- Basic Python (e.g. simple loops) can be used to automate such scripts to scan large address blocks for a given vulnerability, e.g.:
    port = 21
    for x in range(1, 255):
        print("Checking 192.168.1." + str(x) + ":" + str(port))
        ...  # connect to the address and check the banner as above
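The banner read and the address loop above, assembled into one Python 3 script that also handles the two cases the notes mention: a closed port (connection refused) and a service that accepts but never answers (timeout). This is an added example and not code from the course page. It includes a tiny local test server that sends a constructed banner, so the whole thing runs offline against 127.0.0.1 and can be used to review which of your own services reveal software versions; the banner text and the function names are assumptions made for this example.

```python
import socket
import threading

# Constructed greeting for the local test server (not a real product string).
SAMPLE_BANNER = b"220 ExampleFTPd 1.2.3 ready\r\n"


def grab_banner(host, port, timeout=2.0, nbytes=1024):
    """Connect to host:port and return up to nbytes of the greeting as text.

    Returns None when the port is closed or unreachable, and "" when the service
    accepted the connection but sent nothing before the timeout expired.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(nbytes)
            except socket.timeout:
                return ""
    except (ConnectionRefusedError, socket.timeout, OSError):
        return None
    # Banners are not guaranteed to be valid UTF-8; never let decoding crash the scan.
    return data.decode("utf-8", errors="replace").strip()


def survey(targets, timeout=2.0):
    """Banner-check a list of (host, port) pairs, e.g. your own address block.

    Returns {(host, port): banner} for every service that revealed a greeting;
    closed ports and silent services are left out.
    """
    found = {}
    for host, port in targets:
        banner = grab_banner(host, port, timeout)
        if banner:
            found[(host, port)] = banner
    return found


def start_banner_server(banner=SAMPLE_BANNER, send=True):
    """Start a one-shot TCP server on 127.0.0.1 for offline testing and return its port.

    With send=False it accepts the connection but stays silent, which exercises
    the recv() timeout path of grab_banner().
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if send:
                conn.sendall(banner)
            else:
                try:
                    conn.recv(1)  # returns b"" once the client gives up and closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve and release an ephemeral port so a connect to it is refused."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    local = start_banner_server()
    targets = [("127.0.0.1", local), ("127.0.0.1", closed_port())]
    for (host, port), banner in survey(targets, timeout=1.0).items():
        print(f"{host}:{port} -> {banner}")
```

To survey a block the way the loop in the text does, build the target list with a comprehension such as [("192.168.1." + str(x), 21) for x in range(1, 255)] and pass it to survey(); every connection error is turned into a skipped entry rather than an exception.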
More examples to study
Note: these examples contain somewhat more advanced use of Python.
- http://pentesterscript.wordpress.com/2013/07/26/zip-file-password-cracker-python-script/
- http://jaysitsecurity.blogspot.com/2013/04/cracking-passwords-with-python.html
- http://null-byte.wonderhowto.com/how-to/generate-word-lists-with-python-for-dictionary-attacks-0132761/
- http://jackal777.wordpress.com/2012/03/02/ssh-brute-force-attack-script-using-python/
Additional reading and links
- O'CONNOR, TJ. Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers. Syngress 2013.
- https://github.com/dloss/python-pentest-tools (serious penetration testing tools using Python)
- http://pytesting.blogspot.com/ (a blog on penetration testing using Python)
- http://docs.python.org/2/tutorial/
- http://www.binarytides.com/python-socket-programming-tutorial/
- http://www.ftp-sites.org/ (old, but some sites still work)
- https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Study and Blog
- This week's task will be given only to the course participants during the weekly chat session.