2ND EDITION

Black Hat Python

Python Programming for Hackers and Pentesters

Justin Seitz and Tim Arnold Foreword by Charlie Miller

no starch press

PRAISE FOR THE FIRST EDITION OF BLACK HAT PYTHON

“Another incredible Python book. With a minor tweak or two many of these

programs will have at least a ten-year shelf life, and that is rare for a security book.”

—STEPHEN NoRTHCUTT, founding president of the SANS Technology Institute

“A great book using Python for offensive security purposes.”

—ANDREW Casg, Volatility core developer and coauthor of The Art of Memory Forensics

“If you truly have a hacker’s mindset, a spark is all you need to make it your own and do something even more amazing. Justin Seitz offers plenty of sparks.”

—ETHICAL HACKER

“Whether youre interested in becoming a serious hacker/penetration tester or just want to know how they work, this book is one you need to read. Intense, technically sound, and eye-opening.”

—SANDRA HENRY-STOCKER, IT World

“Definitely a recommended read for the technical security professional with some basic previous exposure to Python.”

—RICHARD AUSTIN, IEEE Cipher

BLACK HAT PYTHON 2nd Edition

Python Programming for Hackers and Penteatera

by Justin Seitz and Tim Arnold

©

no starch press

San Francisco

BLACK HAT PYTHON, 2ND EDITION. Copyright © 2021 by Justin Seitz and Tim Arnold.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-13: 978-1-7185-0112-6 (print) ISBN-13: 978-1-7185-0113-3 (ebook)

Publisher: William Pollock

Executive Editor: Barbara Yien

Production Editor: Dapinder Dosanjh Developmental Editor: Frances Saux

Cover Illustration: Garry Booth

Interior Design: Octopod Studios

Technical Reviewer: Cliff Janzen

Copyeditor: Bart Reed

Compositor: Jeff Lytle, Happenstance Type-O-Rama Proofreader: Sharon Wilkey

For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc.

245 8th Street, San Francisco, CA 94103

phone: 1-415-863-9900; info@nostarch.com

www.nostarch.com

Library of Congress Control Number: 2014953241

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

[S]

To my beautiful wife, Clare. I love you. —Justin

About the Authors

Justin Seitz is a renowned cybersecurity and open source intelligence prac- titioner and the co-founder of Dark River Systems Inc., a Canadian security and intelligence company. His work has been featured in Popular Science, Motherboard, and Forbes. Justin has authored two books on developing hacking tools. He created the AutomatingOSINT.com training platform and Hunchly, an open source intelligence collection tool for investigators. Justin is also a contributor to the citizen journalism site Bellingcat, a mem- ber of the International Criminal Court’s Technical Advisory Board, and a Fellow at the Center for Advanced Defense Studies in Washington, DC.

Tim Arnold is currently a professional Python programmer and statisti- cian. He spent much of his early career at North Carolina State University as a respected international speaker and educator. Among his accomplishments, he has ensured that educational tools are accessible to underserved commu- nities worldwide, including making mathematical documentation accessible to the blind.

For the past many years, Tim has worked at SAS Institute as a principal software developer, designing and implementing a publishing system for technical and mathematical documentation. He has served on the board of the Raleigh ISSA and as a consultant to board of the International Statistical Institute. He enjoys working as an independent educator, making infosec and Python concepts available to new users and elevating those with more advanced skills. Tim lives in North Carolina with his wife, Treva, and a villain- ous cockatiel named Sidney. You can find him on Twitter at @jtimarnold.

About the Technical Reviewer

Since the early days of Commodore PET and VIC-20, technology has been a constant companion to Cliff Janzen—and sometimes an obsession! Cliff spends a majority of his workday managing and mentoring a great team of security professionals, striving to stay technically relevant by tackling everything from security policy reviews and penetration testing to incident response. He feels lucky to have a career that is also his favorite hobby and a wife who supports him. He is grateful to Justin for including him on the first edition of this wonderful book and to Tim for leading him to finally make the move to Python 3. And special thanks to the fine people at No Starch Press.

BRIEF CONTENTS

Foreword! 26x duhasistotaneh deh Que Pane wha end hed Gh thd Steep Roark Gee ae Bak Baybee xv Pretaee irs oferta ako acer tiie ait get abe UAT acct PRS cee ae Ae aretae ttre abe Gea ol xvii Acknowledgments: .0s.055 ¢os:t4 tect to ethene de tpas Meee eed vadaddoead xix Chapter 1: Setting Up Your Python Environment.......... 00.00: c eee eee eee eee 1 Chapter 2: Basic Networking Tools .. 0.0.6... eee eee eee 9 Chapter 3: Writing a Sniffer... ete eens 35 Chapter 4: Owning the Network with Scapy... 0.0.0... cece eee eee eee 53 Chapter:5: Web: Hackety 2.5. 2a.0h toner aa ut esaa tease eee degen 7 Chapter 6: Extending Burp Proxy... 0... 2. eect eee 93 Chapter 7: GitHub Command and Control... 0... 2. ee 117 Chapter 8: Common Trojaning Tasks on Windows... ..... 00.0000 cece eee eee ee 127 Chapter 9: Fun with Exfiltration 0... eee eens 139 Chapter 10: Windows Privilege Escalation. ... 0.0.0.0... cece eee eee 153 Chapter 11: Offensive Forensics .. 0.0... eee eet ne 169

CONTENTS IN DETAIL

FOREWORD XV PREFACE XVil ACKNOWLEDGMENTS XIX 1 SETTING UP YOUR PYTHON ENVIRONMENT 1 Installing: Kali lihtxe ws. 212 ca aes Reta te ee Ae De eR ee, 2 Setting Up: Python 3.235. 62 224 stn see Paha eA Rade pease Gate eee aet eate Re Pie BS 3 Installing‘aniIDE: aloes ele netsh hdc win eeitie ate vae Winvehectnls BiG ie whe analy decal 5 Codey giene satis wiht et att BM et SAN at oe Ms oleh nO te ak ae kes 5 2 BASIC NETWORKING TOOLS 9 Python Networking ina Paragraph .... 0.0... cece eee eee nee 10 TGP Clientise v2 suis a ota Modes wih bee pee hid teeta aay BA eh A a 10 WDP: Clignite ss ivstaseh alt et NA BIR A Ah kd ae ceed Oe ak och S he cack Nk 1] TCR SOIVer 2 saa re tio Shcnn tte tty Gale Ot prdety Mines oa oe geen es eS 12 Replacing Netcat 3. i<ces 2 aa kA Leto nas Anche og teh Ath ace gaded aN oleate 13 Kickifig. the Tires..c. ct: sas eed wail ae Ab s.b gai bate ed woes haut Pace 17 Building:a, TCPProxy” 2s a0-6 a0 etna ead cee ee dak be eeeotd obi ian klas 19 Kicking: the Tires. <.s:.hg cag Vededd aagaearadeage engeedake weano ds 24 SSH with! Pardmikos. 2.0.4 cass oer MG ede ee es tae eed 26 Kicking the Tiresisss 2 sasehien gard arte atau Sear bagie 6 watiet eutnetead sets 30 SSH MUNN ClING Sas ta aie he haa state h et th ne atncts age Besant. B sdenaset auth Aout tare 30 Kicking the Tires“. 2 cs.% 3 .cefec's nab Gc ihe gottngb ace ice usted etd a dail eer 34 3 WRITING A SNIFFER 35 Building a UDP Host Discovery Tool... 1.2... . eee eet ene 36 Packet Sniffing on Windows and Linux... 0... tenes 36 Kickingithe Tires'..s:0.0h8ueowies sys oo cap ne Weve awls aged eae obs 38 Decoding the: IP:Layetn ce. boc aot aise PR eee ee gee nee la 38 Thevctypes: Module wits. oie a uek aod g peerage Wee mote aetna ne et 39 The:struct: Module is ..0.4di.se te heb et ce Saved did inka woe aaa a dots Al Writing the IP Decoder ... 6... 1... eee eet ee A3 Kicking the Tires: 22.54 gen tu,5 oy aes 3 tad ave Wale agua ace A5 DécodingsIGMP xii: sues sa ahs ie Ri ths ASL cee 8 om ek neh S eal oct NS 46

Kicking'the Tiressn.20 aw daoesies bye sesh ie Meee aaa dg Oey ee Se oes 50

4

OWNING THE NETWORK WITH SCAPY 53 Stealing Email Credentials... 2... 0. eee eee 54 Kicking the Tires: tose scenes eed he et ula ale hs Pa ala wees 57 ARP Cache Poisoning with Scapy..... 0.0... cece ete eens 57 Kicking the Tires: 2 fn. arom tds crak tev tcs pleads acare ciel & oRecka mee ahs 62 PCGP Processing: 2% cnty1 5 Vi layns 5 ata} Sok Mahe a et age had Sehciur waht WR ghaus uate Ata. stacks 63 Kicking; the’ Tires: ici 2%5 ro tact cid te 0 eel oa'y etd gawhted aatesaog uae 69 5 WEB HACKERY 71 Wsinig Webslibranieseis% gvictne Ste Sutdohe cet de gh hb Wer Grae bags Sea ea es 72 The urllib2 Library for Python 2.x 2.2... eects 72 The urllib Library for Python 3.x 0.0... eee eects 73 The“requests: libraryes. (nov. Sots deter dn staf ae ecg age a pes goles 74 The Ixml and BeautifulSoup Packages .......... 0.0 cece eee eee eee 74 Mapping Open Source Web App Installations... 2... 0... eee ee 76 Mapping the WordPress Framework .. 0.0.0.0... eee eee 76 Testing the Live Target... 0... eee ees 80 Kicking:therTires: \o.ute naval eaten Sanad eae ooadiy dag nee yodes Arad 81 Brute-Forcing Directories and File Locations... ...... 0.0... cece eee eee 82 Kicking the Tires.c cen ge ta-eebGt es Goede wad ihe be ade HOMES 85 Brute-Forcing HTML Form Authentication... 0.0.0... eect eee 85 Kicking: the:Tires 1 y)a¢aiq-tne tart, whee nai eatin eae acne waa goa es 90 6 EXTENDING BURP PROXY 93 Setting Ups cS ate se deate. betel ca ee asd esl ales Sth Ge gees eeue 4 le a he athe 94 BUND FUZZING i. whic an Ge ae ye Hates ee Aaa MEERA ote bite MOA ae alae Se 95 Kickingthe Tires. naucwkn kG wane nee cen ade soaker ean sd pies 101 Using Bing for Burp sc. sae ee eacet i goe di bn ee ptavay he vee ewe Oa teed 104 Kicking :the. Tiesto ans ie See Ae BS de el a 108 Turning Website Content into Password Gold ......... 0.0.0 ce eee eee eee 110 Kicking ithe Tites.. <2 sv. ces keine tea ole due Aes gg el a 113 7 GITHUB COMMAND AND CONTROL 117 Setting Up a GitHub Account... 2... tte eee 118 Creating‘Modules (5. 2.8a0S ee ow neath mate eae Wien Sete ae 119 Contiguring: the Mojar. 2 s.c-f20¢ doa ace La ee aradh od dig ed ace Ae Sh als a wna 120 Building a GitHub-Aware Trojan . 1.1... eee teeta 121 Hacking Python’s import Functionality ..... 2.0.0... eee eee 123 Kicking: the Tires: isco siete 3h k-neved tuba we dd atte ee eee 124

xii Contents in Detail

8 COMMON TROJANING TASKS ON WINDOWS

Keylogging for Fun and Keystrokes... ....... 00.0 ce eee eens Kicking the Tirese.-sc etek es Aa ois Steak oath Taking “Screenshotss..2 20.02 sae den Sc eet notte ena dees Pythonic Shellcode Execution... 0... 0.0... eee eee eee eee Kickinigthe Tires: .siic:cac. cag lade sida eaiemne kde ads Sandbox Detection... 0... eee eee ee

9 FUN WITH EXFILTRATION

Encrypting and Decrypting Files... 2.2.0... eee eee eee EmailiExtilifatiOn: secccr en eee snot ek oh eas de hs See oe aes File Transfer Exfiltration. 2... 0. eee Exfiltration via a Web Server... 0.00... eee Putting. It All Together 2.0. akong cow habia deed Se See alee

Kicking the Tirésis.c.cescuhteosass heaieh phos bactot sors Bass

10 WINDOWS PRIVILEGE ESCALATION

Installing the Prerequisites... 2... 0... cece eee eee Creating the Vulnerable BlackHat Service... ......... 0000 ce eee Creating a Process Monitor... 2... 0... eee eee ee Process Monitoring with WMI........... 0.0000 e ee eee Kickitig:the Tires: 0.4. eae dene gays Pani eee eee es Windows Token Privileges. ......... 0.0. cece eee ee eee Winning :the Race 0! at ova ede oe cod bne ale saetielea leans <a ages Kicking :the: Tires: %.ticiciase ee a Sh to Ld el Shea e wade Code Injections 23.4 geheed 229 eed hg a eee ed dee aes teah dh ylade gaa Kickirig the: Tires: 2 isoxacstcjhg lentes vin Rok abe tn es

11 OFFENSIVE FORENSICS

Installation 20.56 2).4 2 el hits ead ty Be ee ees RARE 8 General Reconnaissance. ... 6... 0... eee tees User Reconnaissance ...... 0... eee teen ee Vulnerability Reconnaissance. ... 2... 0... eee eee ee The volshell Interface... 2... eee Custom Volatility Plug-Ins... 2... cee

Kicking the Tires:<.c.-t5:cat ios Lada s ite eedd eats

INDEX

Contents in Detail xiii

FOREWORD

It has been six years since I wrote the foreword to the very successful first edition of Black Hat Python. Much has changed in the world during this time, but one thing hasn't: I still write an awful lot of Python code. In the field of computer security, you will still come across tools written in a variety of lan- guages, depending on the task. You'll see C code written for a kernel exploit, JavaScript code written for a JavaScript fuzzer, or a proxy written in a newer “hipper” language like Rust. But Python is still the workhorse in this indus- try. For my money, it is still the easiest language with which to get started, and with the large number of libraries available, it is the best language for quickly writing code to perform complex tasks in a simple way. The major- ity of computer security tools and exploits are still written in Python. This includes everything from exploit frameworks like CANVAS to classic fuzzers like Sulley.

Prior to the publication of the first edition of Black Hat Python, I had written many fuzzers and exploits in Python. These included exploits against Safari for Mac OS X, iPhone and Android phones, and even Second Life. (You may have to Google that last one.)

Anyway, since then, I’ve written a pretty special exploit, with help of Chris Valasek, that was able to remotely compromise a 2014 Jeep Cherokee and other cars. Of course, this exploit was written in Python, using the dbus-python module. All of the tools we wrote, which eventually allowed

xvi

Foreword

us to remotely control the steering, brakes, and acceleration of the com- promised vehicle, were also written in Python. You could say, in a way, that Python was responsible for the recall of 1.4 million Fiat Chrysler vehicles.

If you are interested in tinkering with information security tasks, Python is a great language to learn because of the large number of reverse engineering and exploitation libraries available for your use. Now, if only the Metasploit developers would come to their sense and switch from Ruby to Python, our community would be united.

In this new edition to what has become a beloved classic, Justin and Tim have updated all the code to Python 3. Personally, I’m a dinosaur who is hanging onto Python 2 for as long as possible, but as useful libraries finish migrating to Python 3, even I will soon have to learn it. This edition manages to cover a large range of topics that an enterprising young hacker would need to get started, from the basics of how to read and write network pack- ets to anything you might need for web application auditing and attacking.

In general, Black Hat Python is a fun read written by experts with years of experience who are willing to share the secrets they have learned along the way. While It might not immediately turn you into a super stunt hacker like me, it will certainly get you started down the correct path.

Remember, the difference between script kiddies and professional hackers is that the former uses other people’s tools.

The latter can write their own.

Charlie Miller Security Researcher St. Louis, Missouri October 2020

PREFACE

Python hacker, Python programmer. You could use either of those terms to describe us. Justin has spent a great deal of time penetration testing, which requires the ability to rapidly develop Python tools, with a focus on delivering results (not necessarily on prettiness, optimization, or even stability). Tim’s mantra is “make it work, make it understandable, make it fast—in that order.” When your code is readable, it becomes understandable to those you share it with, but also to yourself when you look at it a few months down the road. Throughout this book, you will learn that this is how we code: hacking is our final purpose, and clean, understandable code is the method we use to get there. We hope that this philosophy and style helps you as well.

Since the first edition of this book appeared, much has happened in the Python world. Python 2 reached its end-of-life in January 2020. Python 3 has become the recommended platform for coding and teaching. Therefore, this second edition refactors the code and ports it to Python 3 using the latest packages and libraries. It also takes advantage of the syntax changes provided by Python 3.6 and higher versions of Python 3, such as Unicode strings, context managers, and f-strings. Lastly, we’ve updated this second edition with additional explanations of coding and networking concepts, such as the use of context managers, Berkeley Packet Filter syntax, and a comparison of the ctypes and struct libraries.

As you progress through the book, you will realize that we don’t take deep dives into any single topic. This is by design. We want to give you the basics, with a little flavor, so that you gain foundational knowledge in the

xviii

Preface

world of hacking tool development. With that in mind, we’ve sprinkled explanations, ideas, and homework assignments throughout the book to kickstart you in your own direction. We encourage you to explore these ideas, and we would love to hear about any tooling you’ve completed on your own.

As with any technical book, readers at different skill levels will experi- ence this book differently. Some of you may simply grab it and nab chapters that are pertinent to your latest consulting gig. Others may read it cover to cover. If you are a novice-to-intermediate Python programmer, we recom- mend that you start at the beginning of the book and read the chapters in order. You will pick up some good building blocks along the way.

To start, we lay down networking fundamentals in Chapter 2. Then we slowly work our way through raw sockets in Chapter 3 and using Scapy in Chapter 4 for some more interesting network tooling. The next section of the book deals with hacking web applications, starting with your own cus- tom tooling in Chapter 5 and then extending the popular Burp Suite in Chapter 6. From there, we will spend a great deal of time talking about tro- jans, beginning with using GitHub for command and control in Chapter 7, all the way through Chapter 10, where we will cover some Windows privilege escalation tricks. The final chapter is about the Volatility memory forensics library, which helps you understand how the defensive side thinks and shows how you can leverage their tools for offense.

We try to keep the code samples short and to the point, and the same goes for the explanations. If you are relatively new to Python, we encourage you to punch out every line to get that coding muscle memory going. All of the source code examples from this book are available at https://nostarch.com/ black-hat-python2E/.

Here we go!

ACKNOWLEDGMENTS

Tim offers a big thank you to his wife, Treva, for her enduring support. If

it were not for several serendipitous incidents, he would not have had the opportunity to work on this book. He thanks the Raleigh ISSA, especially Don Elsner and Nathan Kim, for supporting and encouraging him to teach

a local class using the first edition of this book. Teaching that class and work- ing with his students led to his love for the book. And to his local hacker community, not least the Oak City Locksports folks, he offers thanks for their encouragement, and for providing a sounding board for his ideas.

Justin would like to thank his family—his beautiful wife, Clare, and his five children, Emily, Carter, Cohen, Brady, and Mason—for all of the encour- agement and tolerance while he spent a year and a half of his life writing this book. He loves them all very much. To all his friends in the cyber and OSINT community who share drinks, laughs, and Tweets: thanks for letting him piss and moan to you on the daily.

Another huge thank you to Bill Pollock of No Starch Press and to our patient editor, Frances Saux, for helping make the book so much better. Thanks to the rest of the team at No Starch—including Tyler, Serena, and Leigh—for all of the hard work you put into this book and the rest in your collection. We both appreciate it. We would also like to thank our technical reviewer, Cliff Janzen, who provided absolutely amazing support throughout the whole process. Anyone who is writing an infosec book should really get him on board; he was amazing and then some.

SETTING UP YOUR PYTHON ENVIRONMENT

This is the least fun, but nevertheless criti- cal, part of the book, where we walk through setting up an environment in which to write and test Python. We’ll do a crash course in set- ting up a Kali Linux virtual machine (VM), creating a virtual environment for Python 3, and installing a nice integrated development environment (IDE) so that you have everything you need to develop code. By the end of this chapter, you should be ready to tackle the exer- cises and code examples in the remainder of the book.

Before you get started, if you don’t have a hypervisor virtualization client such as VMware Player, VirtualBox, or Hyper-V, download and install one. We also recommend that you have a Windows 10 VM at the ready. You can get an evaluation Windows 10 VM here: hitps://developer.microsoft.com/en-us/ windows/downloads/virtual-machines/.

2

Installing Kali Linux

Chapter 1

Kali, the successor to the BackTrack Linux distribution, was designed by Offensive Security as a penetration testing operating system. It comes with a number of tools preinstalled and is based on Debian Linux, so you'll be able to install a wide variety of additional tools and libraries.

You will use Kali as your guest virtual machine. That is, you'll download a Kali virtual machine and run it on your host machine using your hypervisor of choice. You can download the Kali VM from hitps://www.kali.org/downloads/ and install it in your hypervisor of choice. Follow the instructions given in the Kali documentation: https://www.kali.org/docs/installation/.

When you've gone through the steps of the installation, you should have the full Kali desktop environment, as shown in Figure 1-1.

BY OFFENSIVE SECURITY

Figure 1-1: The Kali Linux desktop

Because there may have been important updates since the Kali image was created, let’s update the machine with the latest version. In the Kali shell (Applications > Accessories > Terminal), execute the following:

tim@kali:~$ sudo apt update tim@kali:~$ apt list --upgradable tim@kali:~$ sudo apt upgrade tim@kali:~$ sudo apt dist-upgrade tim@kali:~$ sudo apt autoremove

Setting Up Python 3

The first thing we’ll do is ensure that the correct version of Python is installed. (The projects in this book use Python 3.6 or higher.) Invoke Python from the Kali shell and have a look:

tim@kali:~$ python

This is what it looks like on our Kali machine:

Python 2.7.17 (default, Oct 19 2019, 23:36:22)

[GCC 9.2.1 20191008] on linux2

Type "help", "copyright", "credits" or "license" for more information. >>>

Not exactly what we’re looking for. At the time of this writing, the default version of Python on the current Kali installation is Python 2.7.18. But this isn’t really a problem; you should have Python 3 installed as well:

tim@kali:~$ python3

Python 3.7.5 (default, Oct 27 2019, 15:43:29)

[GCC 9.2.1 20191022] on linux

Type "help", "copyright", "credits" or "license" for more information. >>>

The version of Python listed here is 3.7.5. If yours is lower than 3.6, upgrade your distribution with the following:

$ sudo apt-get upgrade python3

We will use Python 3 with a virtual environment, which is a self-contained directory tree that includes a Python installation and the set of any extra packages you install. The virtual environment is among the most essential tools for a Python developer. Using one, you can separate projects that have different needs. For example, you might use one virtual environment for proj- ects involving packet inspection and a different one for projects on binary analysis.

By having separate environments, you keep your projects simple and clean. This ensures that each environment can have its own set of dependencies and modules without disrupting any of your other projects.

Let’s create a virtual environment now. To get started, we need to install the python3-venv package:

tim@kali:~$ sudo apt-get install python3-venv [sudo] password for tim:

Setting Up Your Python Environment 3

4

Chapter 1

Now we can create a virtual environment. Let’s make a new directory to work in and create the environment:

tim@kali:~$ mkdir bhp

tim@kali:~$ cd bhp

tim@kali:~/bhp$ python3 -m venv venv3 tim@kali:~/bhp$ source venv3/bin/activate (venv3) tim@kali:~/bhp$ python

That creates a new directory, bhp, in the current directory. We create a new virtual environment by calling the venv package with the -m switch and the name you want the new environment to have. We’ve called ours venv3, but you can use any name you like. The scripts, packages, and Python executable for the environment will live in that directory. Next, we activate the environment by running the activate script. Notice that the prompt changes once the environment is activated. The name of the environment is prepended to your usual prompt (venv3 in our case). Later on, when youre ready to exit the environment, use the command deactivate.

Now you have Python set up and have activated a virtual environment. Since we set up the environment to use Python 3, when you invoke Python, you no longer have to specify python3—just python is fine, since that is what we installed into the virtual environment. In other words, after activation, every Python command will be relative to your virtual environment. Please note that using a different version of Python might break some of the code examples in this book.

We can use the pip executable to install Python packages into the virtual environment. This is much like the apt package manager because it enables you to directly install Python libraries into your virtual environment without having to manually download, unpack, and install them.

You can search for packages and install them into your virtual environ- ment with pip:

(venv3) tim@kali:~/bhp: pip search hashcrack

Let’s do a quick test and install the 1xml module, which we’ll use in Chapter 5 to build a web scraper. Enter the following into your terminal:

(venv3) tim@kali:~/bhp: pip install 1xml

You should see output in your terminal indicating that the library is being downloaded and installed. Then drop into a Python shell and vali- date that it was installed correctly:

(venv3) tim@kali:~/bhp$ python

Python 3.7.5 (default, Oct 27 2019, 15:43:29)

[GCC 9.2.1 20191022] on linux

Type "help", "copyright", "credits" or "license" for more information. >>> from lxml import etree

>>> exit()

(venv3) tim@kali:~/bhp$

If you get an error or a version of Python 2, make sure you followed all the preceding steps and that you have the up-to-date version of Kali.

Keep in mind that for most examples throughout this book, you can develop your code in a variety of environments, including macOS, Linux, and Windows. You may also want to set up a different virtual environment for separate projects or chapters. Some chapters are Windows specific, which we'll make sure to mention at the beginning of the chapter.

Now that we have our hacking virtual machine and a Python 3 virtual environment set up, let’s install a Python IDE for development.

Installing an IDE

An integrated development environment (IDE) provides a set of tools for coding. Typically, it includes a code editor, with syntax highlighting and automatic linting, and a debugger. The purpose of the IDE is to make it eas- ier to code and debug your programs. You don’t have to use one to program in Python; for small test programs, you might use any text editor (such as vim, nano, Notepad, or emacs). But for larger, more complex project, an IDE will be of enormous help to you, whether by indicating variables you have defined but not used, finding misspelled variable names, or locating missing package imports.

In a recent Python developer survey, the top two favorite IDEs were PyCharm (which has commercial and free versions available) and Visual Studio Code (free). Justin is a fan of WingIDE (commercial and free ver- sions available), and Tim uses Visual Studio Code (VS Code). All three IDEs can be used on Windows, macOS, or Linux.

You can install PyCharm from hitps://wwwjetbrains.com/pycharm/download/ or WingIDE from https://wingware.com/downloads/ You can install VS Code from the Kali command line:

tim@kali#: apt-get install code

Or, to get the latest version of VS Code, download it from https://code .visualstudio.com/download/ and install with apt-get:

tim@kali#: apt-get install -f ./code_1.39.2-1571154070_amd64.deb

The release number, which is part of the filename, will likely be differ- ent from the one shown here, so make sure the filename you use matches the one you downloaded.

Code Hygiene

No matter what you use to write your programs, it is a good idea to follow a code-formatting guideline. A code style guide provides recommendations to improve the readability and consistency of your Python code. It makes it eas- ier for you to understand your own code when you read it later or for others if

Setting Up Your Python Environment 5

6

Chapter 1

you decide to share it. The Python community has a such a guideline, called PEP 8. You can read the full PEP 8 guide here: https://www.python. org/deu/peps/ pep-0008/.

The examples in this book generally follow PEP 8, with a few differ- ences. You'll see that the code in this book follows a pattern like this:

from lxml import etree from subprocess import Popen

import argparse import os

def get_ip(machine_name): pass

class Scanner: def init__(self): pass if name == ' main_': scan = Scanner() print(‘hello')

At the top of our program, we import the packages we need. The first import block @ is in the form of from XXX import YYY type. Each import line is in alphabetical order.

The same holds true for the module imports—they, too, are in alphabet- ical order @. This ordering lets you see at a glance whether you’ve imported a package without reading every line of imports, and it ensures that you don’t import a package twice. The intent is to keep your code clean and lessen the amount you have to think when you reread your code.

Next come the functions ®, then class definitions @, if you have any. Some coders prefer to never have classes and rely only on functions. There’s no hard-and-fast rule here, but if you find you're trying to maintain state with global variables or passing the same data structures to several func- tions, that may be an indication that your program would be easier to understand if you refactor it to use a class.

Finally, the main block at the bottom © gives you the opportunity to use your code in two ways. First, you can use it from the command line. In this case, the module’s internal name is _main__ and the main block is executed. For example, if the name of the file containing the code is scan.py, you could invoke it from the command line as follows:

python scan.py

This will load the functions and classes in scan.py and execute the main block. You would see the response hello on the console.

Second, you can import your code into another program with no side effects. For example, you would import the code with

import scan

Since its internal name is the name of the Python module, scan, and not __main_, you have access to all the module’s defined functions and classes, but the main block is not executed.

You'll also notice we avoid variables with generic names. The better you get at naming your variables, the easier it will be to understand the program.

You should have a virtual machine, Python 3, a virtual environment, and an IDE. Now let’s get into some actual fun!

Setting Up Your Python Environment 7

BASIC NETWORKING TOOLS

The network is and always will be the sexi- est arena for a hacker. An attacker can do almost anything with simple network access, such as scan for hosts, inject packets, sniff data, and remotely exploit hosts. But if you’ve worked your way into the deepest depths of an enterprise target, you may find yourself in a bit of a conundrum: you have no tools to execute network attacks. No netcat. No Wireshark. No compiler, and no means to install one. However, you might be surprised to find that in many cases, you'll have a Python install. So that’s

where we’ll begin.

10

This chapter will give you some basics on Python networking using the socket module (The full socket documentation can be found here: hitp:// docs.python.org/3/library/socket.html.). Along the way, we’ll build clients, servers, and a TCP proxy. We’ll then turn them into our very own netcat, complete with a command shell. This chapter is the foundation for subsequent chap- ters, in which we’ll build a host discovery tool, implement cross-platform sniffers, and create a remote trojan framework. Let’s get started.

Python Networking in a Paragraph

Programmers have a number of third-party tools to create networked serv- ers and clients in Python, but the core module for all of those tools is socket. This module exposes all of the necessary pieces to quickly write Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) clients and servers, use raw sockets, and so forth. For the purposes of breaking in or maintaining access to target machines, this module is all you really need. Let’s start by creating some simple clients and servers—the two most com- mon quick network scripts you'll write.

TCP Client

Chapter 2

Countless times during penetration tests, we (the authors) have needed to whip up a TCP client to test for services, send garbage data, fuzz, or per- form any number of other tasks. If you are working within the confines of large enterprise environments, you won't have the luxury of using network- ing tools or compilers, and sometimes you'll even be missing the absolute basics, like the ability to copy/paste or connect to the internet. This is where being able to quickly create a TCP client comes in extremely handy. But enough jabbering—let’s get coding. Here is a simple TCP client:

import socket

target_host = "www.google.com" target_port = 80

# create a socket object client = socket.socket(socket.AF_INET, socket.SOCK STREAM)

# connect the client client.connect((target_host,target_port))

# send some data client.send(b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")

# receive some data response = client.recv(4096)

print (response. decode()) client.close()

We first create a socket object with the AF_INET and SOCK_STREAM param- eters ®. The AF_INET parameter indicates we’ll use a standard IPv4 address or hostname, and SOCK_STREAM indicates that this will be a TCP client. We then connect the client to the server @ and send it some data as bytes ®. The last step is to receive some data back and print out the response @ and then close the socket. This is the simplest form of a TCP client, but it’s the one you'll write most often.

This code snippet makes some serious assumptions about sockets that you definitely want to be aware of. The first assumption is that our con- nection will always succeed, and the second is that the server expects us to send data first (some servers expect to send data to you first and await your response). Our third assumption is that the server will always return data to us in a timely fashion. We make these assumptions largely for simplic- ity’s sake. While programmers have varied opinions about how to deal with blocking sockets, exception-handling in sockets, and the like, it’s quite rare for pentesters to build these niceties into their quick-and-dirty tools for recon or exploitation work, so we’ll omit them in this chapter.

UDP Client

A Python UDP client is not much different from a TCP client; we need to make only two small changes to get it to send packets in UDP form:

import socket

"127.0.0.1" 9997

target_host target_port

# create a socket object @ client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

# send some data ® client.sendto(b"AAABBBCCC", (target_host, target_port))

# receive some data © data, addr = client.recvfrom(4096)

print (data. decode()) client.close()

As you can see, we change the socket type to SOCK_DGRAM ® when creat- ing the socket object. The next step is to simply call sendto() @, passing in the data and the server you want to send the data to. Because UDP is a con- nectionless protocol, there is no call to connect() beforehand. The last step is to call recvfrom() © to receive UDP data back. You will also notice that it returns both the data and the details of the remote host and port.

Again, we’re not looking to be superior network programmers; we want it to be quick, easy, and reliable enough to handle our day-to-day hacking tasks. Let’s move on to creating some simple servers.

Basic Networking Tools 1]

TCP Server

Creating TCP servers in Python is just as easy as creating a client. You might want to use your own TCP server when writing command shells or crafting a proxy (both of which we’ll do later). Let’s start by creating a standard multi- threaded TCP server. Crank out the following code:

import socket

import threading

IP = '0.0.0.0'

PORT = 9998

def main():

server

socket.socket(socket.AF_INET, socket.SOCK_STREAM)

server.bind((IP, PORT)) ® server.listen(5) @

print (f'[

while True:

*] Listening on {IP}:{PORT}')

client, address = server.accept() ®

print(f'[*] Accepted connection from {address[0]}:{address[1]}') client_handler = threading.Thread(target=handle client, args=(client, )) client_handler.start() @

def handle client(client_socket): ®

with client_socket as sock: request = sock.recv(1024) print(#'[*] Received: {request.decode("utf-8")}') sock.send(b'ACK')

if

name

main

main()

12

Chapter 2

To start off, we pass in the IP address and port we want the server to lis- ten on @. Next, we tell the server to start listening @, with a maximum back- log of connections set to 5. We then put the server into its main loop, where it waits for an incoming connection. When a client connects ®, we receive the client socket in the client variable and the remote connection details in the address variable. We then create a new thread object that points to our handle_client function, and we pass it the client socket object as an argument. We then start the thread to handle the client connection @, at which point the main server loop is ready to handle another incoming connection. The handle _client function ® performs the recv() and then sends a simple mes- sage back to the client.

If you use the TCP client that we built earlier, you can send some test packets to the server. You should see output like the following:

[*] Listening on 0.0.0.0:9998 [*] Accepted connection from: 127.0.0.1:62512 [*] Received: ABCDEF

That’s it! While pretty simple, this is a very useful piece of code. We’ll extend it in the next couple of sections, when we build a netcat replacement and a TCP proxy.

Replacing Netcat

Netcat is the utility knife of networking, so it’s no surprise that shrewd sys- tems administrators remove it from their systems. Such a useful tool would be quite an asset if an attacker managed to find a way in. With it, you can read and write data across the network, meaning you can use it to execute remote commands, pass files back and forth, or even open a remote shell. On more than one occasion, we’ve run into servers that don’t have netcat installed but do have Python. In these cases, it’s useful to create a simple net- work client and server that you can use to push files, or a listener that gives you command line access. If you’ve broken in through a web application, it’s definitely worth dropping a Python callback to give you secondary access without having to first burn one of your trojans or backdoors. Creating a tool like this is also a great Python exercise, so let’s get started writing netcat.py:

import argparse import socket import shlex import subprocess import sys

import textwrap import threading

def execute(cmd): cmd = cmd.strip() if not cmd: return ® output = subprocess.check_output(shlex.split(cmd), stderr=subprocess.STDOUT) return output.decode()

Here, we import all of our necessary libraries and set up the execute function, which receives a command, runs it, and returns the output as a string. This function contains a new library we haven’t covered yet: the subprocess library. This library provides a powerful process-creation inter- face that gives you a number of ways to interact with client programs. In this case @, we’re using its check_output method, which runs a command on the local operating system and then returns the output from that command.

Now let’s create our main block