Violent Python [electronic resource]: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers


Violent Python
A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier

TJ. O’Connor

Acquiring Editor: Chris Katsaropoulos
Development Editor: Meagan White
Project Manager: Priya Kumaraguruparan
Designer: Russell Purdy

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-957-6

Printed in the United States of America
13 14 15 10 9 8 7 6 5 4 3 2 1

For information on all Syngress publications visit our website at www.syngress.com

Trademarks

Elsevier, Inc., the authors, and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media, Syngress, “Career Advancement Through Skill Enhancement,” “Ask the Author UPDATE,” and “Hack Proofing,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Dedication

For my monkey and my ninja princess: anything is possible if you try hard enough.

Lead Author – TJ O’Connor

TJ O’Connor is a Department of Defense expert on information security and a US Army paratrooper. While assigned as an assistant professor at the US Military Academy, TJ taught undergraduate courses on forensics, exploitation, and information assurance. He twice co-coached the winning team at the National Security Agency’s annual Cyber Defense Exercise and won the National Defense University’s first annual Cyber Challenge. He has served on multiple red teams, including twice on the Northeast Regional Team for the National Collegiate Cyber Defense Competition.

TJ holds a Master of Science degree in Computer Science from North Carolina State, a Master of Science degree in Information Security Engineering from the SANS Technical Institute, and a Bachelor of Science degree in Computer Science from the US Military Academy. He has published technical research at USENIX workshops, ACM conferences, security conferences, the SANS Reading Room, the Internet Storm Center, the Army Magazine, and the Armed Forces Journal. He holds expert cyber security credentials, including the prestigious GIAC Security Expert (GSE) and Offensive Security Certified Expert (OSCE). TJ is a member of the elite SANS Red and Blue Team Cyber Guardians.

Contributing Author Bio – Rob Frost

Robert Frost graduated from the United States Military Academy in [...], commissioning into the Army Signal Corps. He holds a Bachelor of Science degree in Computer Science with honors, with his thesis work focusing on open-source information gathering. Rob was individually recognized as one of the top two members of the national championship team for the Cyber Defense Exercise due to his ability to circumvent rules. Rob has participated in and won several cyber security competitions.

Technical Editor Bio – Mark Baggett

Mark Baggett is a Certified SANS Instructor and teaches several courses in the SANS penetration testing curriculum. Mark is the primary consultant and founder of In Depth Defense, Inc., which provides incident response and penetration testing services. Today, in his role as the technical advisor to the Department of Defense for SANS, Mark is focused on the practical application of SANS resources in the development of military capabilities.

Mark has held a variety of positions in information security for large international and Fortune companies. He has been a software developer, a network and systems engineer, a security manager, and a CISO. As a CISO, Mark was responsible for policy, compliance, incident response, and all other aspects of information security operations. Mark knows firsthand the challenges that information security professionals face today in selling, implementing, and supporting information security. Mark is an active member of the information security community and the founding president of the Greater Augusta ISSA. He holds several certifications, including SANS’ prestigious GSE. Mark blogs about various security topics at http://www.pauldotcom.com.

Introduction

Python is a hacker’s language. With its decreased complexity, increased efficiency, limitless third-party libraries, and low bar to entry, Python provides an excellent development platform to build your own offensive tools. If you are running Mac OS X or Linux, odds are it is already installed on your system. While a wealth of offensive tools already exist, learning Python can help you with the difficult cases where those tools fail.

TARGET AUDIENCE

Everyone learns differently. However, whether you are a beginner who wants to learn how to write Python, or an advanced programmer who wants to learn how to apply your skills in penetration testing, this book is for you.

ORGANIZATION OF THE BOOK

In writing this book, we really set out to write an evil cookbook of examples for the darker side of Python. The following pages provide Python recipes for penetration testing, web analysis, network analysis, forensic analysis, and exploiting wireless devices. Hopefully, the examples will inspire the reader to create his or her own Python scripts.

Chapter 1: Introduction

If you have not programmed in Python before, Chapter 1 provides background information about the language, variables, data types, functions, iteration, selection, and working with modules, and methodically walks through writing a few simple programs. Feel free to skip it if you are already comfortable with the Python programming language. After the first chapter, the following six chapters are fairly independent from one another; feel free to read them in whichever order you please, according to what strikes your curiosity.

Chapter 2: Penetration Testing with Python

Chapter 2 introduces the idea of using the Python programming language to script attacks for penetration testing. The examples in the chapter include building a port scanner, constructing an SSH botnet, mass-compromising via FTP, replicating Conficker, and writing an exploit.

Chapter 3: Forensic Investigations with Python

Chapter 3 utilizes Python for digital forensic investigations. This chapter provides examples for geo-locating individuals, recovering deleted items, extracting artifacts from the Windows registry, examining metadata in documents and images, and investigating application and mobile device artifacts.

Chapter 4: Network Traffic Analysis with Python

Chapter 4 uses Python to analyze network traffic. The scripts in this chapter geo-locate IP addresses from packet captures, investigate popular DDoS toolkits, discover decoy scans, analyze botnet traffic, and foil intrusion detection systems.

Chapter 5: Wireless Mayhem with Python

Chapter 5 creates mayhem for wireless and Bluetooth devices. The examples in this chapter show how to sniff and parse wireless traffic, build a wireless keylogger, identify hidden wireless networks, remotely command UAVs, identify malicious wireless toolkits in use, stalk Bluetooth radios, and exploit Bluetooth vulnerabilities.

Chapter 6: Web Recon With Python

Chapter 6 examines using Python to scrape the web for information. The examples in this chapter include anonymously browsing the web via Python, working with developer APIs, scraping popular social media sites, and creating a spear-phishing email.

Chapter 7: Antivirus Evasion with Python

In the final chapter, Chapter 7, we build a piece of malware that evades antivirus systems. Additionally, we build a script for uploading our malware against an online antivirus scanner.

Introduction [...]

... called easy_install. Running the easy installer module followed by the name of the package to install will search through Python repositories to find the package, download it if found, and install it automatically.

programmer:~# easy_install python-nmap
Searching for python-nmap
Reading http://pypi.python.org/simple/python-nmap/
Reading http://xael.org/norman/python/python-nmap/
Best match: python-nmap...
... of pairs of items that contain a key and value. Let’s continue with our example of a vulnerability scanner to illustrate a Python dictionary. When scanning specific TCP ports, it may prove useful to have a dictionary that contains the common service names for each port. Creating a dictionary, we can look up a key like ftp and return the associated value 21 for that port. When constructing a dictionary, each...

... need for our scripts.

Setting the Stage for Your First Python Program: The Cuckoo’s Egg

A system administrator at Lawrence Berkeley National Labs, Clifford Stoll, documented his personal hunt for a hacker (and KGB informant) who broke into various United States national research laboratories, army bases, defense contractors, and academic institutions in The Cuckoo’s Egg: Tracking a Spy Through the Maze...

... file “passwords.txt” and reads the contents of each line in the password file. For each line, it splits out the username and the hashed password. For each individual hashed password, the main function calls the testPass() function that tests passwords against a dictionary file. This function, testPass(), takes the encrypted password as a parameter and returns either after finding the password or exhausting...

... Systems

If you are running Mac OS X or Linux, odds are the Python interpreter is already installed on your system. Downloading an installer provides a programmer with the Python interpreter, the standard library, and several built-in modules. The Python standard library and built-in modules provide an extensive range of capabilities, including built-in data types, exception handling, numeric, and math modules,...

... Backtrack, you can install the additional required libraries with easy_install by issuing the following command. This will install most of the required libraries for the examples under Linux.

programmer:~# easy_install pyPdf python-nmap pygeoip mechanize BeautifulSoup4

Chapter five requires some specific Bluetooth libraries that are not available from easy_install. You can use the aptitude package manager...

... Party Libraries

In Chapter two, we will utilize the python-nmap package to handle parsing of nmap results. The following example depicts how to download and install the python-nmap package (or any package, really). Once we have saved the package to a local file, we uncompress the contents and change into the uncompressed directory. From that working directory, we issue the command python setup.py install, which...

... install, which installs the python-nmap package. Installing most third-party packages will follow the same steps of downloading, uncompressing, and then issuing the command python setup.py install.

programmer:~# wget http://xael.org/norman/python/python-nmap/python-nmap-0.2.4.tar.gz -O nmap.tar.gz
2012-04-24 15:51:51 http://xael.org/norman/python/python-nmap/python-nmap-0.2.4.tar.gz
Resolving xael.org 194.36.166.10...

... see that the crypt library already exists in the Python standard library. To calculate an encrypted UNIX password hash, we simply call the function crypt.crypt() and pass it the password and salt as parameters. This function returns the hashed password as a string.

Programmer$ python
>>> help('crypt')
Help on module crypt:
NAME
crypt
FILE
/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/crypt.so...
Python Program, a Zipfile Brute-Force Cracker

To me, the extraordinary aspect of martial arts lies in its simplicity. The easy way is also the right way, and martial arts is nothing at all special; the closer to the true way of martial arts, the less wastage of expression there is.
– Master Bruce Lee, Founder, Jeet Kune Do

INTRODUCTION: A PENETRATION TEST WITH PYTHON

Recently, a friend of mine penetration ...

Date posted: 29/05/2014, 22:41
