Python for Penetration Testers: How to stop worrying about tools & start scripting
by Bharath (speaking)
Objective
This talk will focus on:
- What makes Python a perfect language for security scripting?
- How to leverage Python to write custom scripts and tools for improvising during a penetration test.
- A walk-through of the layers of the TCP/IP protocol suite, and how Python can be used at each layer from a security perspective.
- Scripts that demonstrate Python's efficiency at the offensive and defensive tasks involved in a pen test.
Description
In the wake of high-profile security breaches, penetration testing is gaining momentum in the security field, and Python, for other reasons, is gaining popularity in the programming field. There is an interesting place where these two worlds meet.
In the last couple of years Python has become the favourite scripting language of penetration testers, aka 'hackers' (the media loves that word).
That Python is getting popular in security circles is evident from the tools, books and courseware published on this topic in the last couple of years.
There are various reasons for Python's popularity in security programming:
- Batteries included.
- Powerful third party libraries.
- Python saves a lot of programmer's time (which is of the essence in a pen test).
- Simple learning curve.
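As an added illustration of "batteries included" (example code written for this page, not a script from the talk), here is the word-list-from-a-target-website idea mentioned in the description, done with nothing but the standard library: `html.parser` pulls the visible text, `re` splits it into tokens and `collections.Counter` ranks them. The sample page and all function names are constructed for the example, and it is written for Python 3 rather than the Python 2.7 the talk lists. A defender can use the same list to check whether staff passwords are built from words that appear on the organisation's own site.

```python
import re
from collections import Counter
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect the visible text of a page, skipping <script> and <style> bodies."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        # Attribute values (href, mailto: targets, ...) never reach handle_data,
        # so only text a visitor would actually read is collected.
        if not self._skip_depth:
            self.chunks.append(data)


def words_from_html(html, min_len=4):
    """Return every alphanumeric token of at least min_len characters in page order."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    return [w for w in re.findall(r"[A-Za-z0-9]+", text) if len(w) >= min_len]


def build_wordlist(html, min_len=4, top=None):
    """Lower-cased, de-duplicated word list, most frequent first, ties alphabetical."""
    counts = Counter(w.lower() for w in words_from_html(html, min_len))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if top:
        ordered = ordered[:top]
    return [w for w, _ in ordered]


# Constructed sample page standing in for a fetched target site.
SAMPLE_HTML = """<html><head><title>Acme Widgets - Home</title>
<style>body { color: #333; }</style>
<script>var tracker = "analytics";</script></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme builds widgets in Springfield since 1998. Our widgets ship worldwide.</p>
<p>Contact: <a href="mailto:sales@acme.example">sales</a></p>
</body></html>"""


if __name__ == "__main__":
    for word in build_wordlist(SAMPLE_HTML):
        print(word)
```

To run it against a live page you administer, replace `SAMPLE_HTML` with the body returned by `urllib.request.urlopen(...)`, decoded to text; the talk's own tooling uses httplib2 for that step.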
Why this talk?
- Network security is overwhelmed with tools (automated and semi-automated), but using tools does not always guarantee success. Improvisation is the heart of pen testing: there are always tasks that need to be automated or done in a different way, and a successful real-world pen test needs a lot of custom coding.
- Many people getting into the security scene (including me) spend most of their time choosing the right programming language for their security needs.
- Pen testing is a field where time is of the essence, so a programming language that is quick and powerful is necessary.
Now there is a clear need for a programming language that can deal with the above-mentioned factors, and Python turns out to fit right in.
What's on this talk?
This talk looks at the factors that made Python popular among penetration testers. We'll walk through the phases of penetration testing, look at how Python can be used for specific tasks, and look at scripts that demonstrate the power of Python.
This talk can be roughly broken down into the following parts:
- Why Python is awesome for security scripting.
- Python for Open Source Intelligence gathering (OSINT) tasks.
- Network layer hacks (using Python).
- Application layer scripting (esp. HTTP).
- Wireless network hacks.
- LAN attacks.
- Some offensive/defensive scripts for a pen test.
We'll look at some fun stuff like: creating word-lists out of target websites, simple port scanners, playing with DNS records, wireless sniffers/scanners, and fun with packets (ARP, ICMP, ...).
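An added example (not one of the talk's scripts) of the "simple port scanner" item above: a plain TCP connect scan using the standard `socket` module and a thread pool, run here against a throwaway listener the script itself starts on 127.0.0.1 so it works offline. All names are constructed for the example. Run against a host you administer, `scan_ports` shows which ports are actually reachable, which is worth comparing against the expected service inventory.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """Return True if a full TCP connect() to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all mean "not open to us"
        return False


def scan_ports(host, ports, timeout=0.5, workers=20):
    """Connect-scan the given ports concurrently and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_local_listener():
    """Constructed target: a throwaway listener on 127.0.0.1 on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo_scan():
    """Start the local listener, scan a small window of ports around it, report both."""
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    low, high = max(1, open_port - 3), min(65535, open_port + 3)
    try:
        found = scan_ports("127.0.0.1", range(low, high + 1))
    finally:
        srv.close()
    return open_port, found


if __name__ == "__main__":
    port, open_ports = demo_scan()
    print("listener on %d, scan reported open: %s" % (port, open_ports))
```

A connect scan completes the three-way handshake, so it shows up in the target's own logs; that is the trade-off for needing no raw-socket privileges, which is where Scapy takes over in the talk.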
Requirements
What's expected of the audience?
The audience will get the most out of the talk with an understanding of:
- Networking basics (an understanding of the TCP/IP protocol suite will do)
- Penetration testing basics (an understanding of the phases involved in pen testing: http://www.pentest-standard.org/)
- Python basics (data types, data structures, sockets)
Software requirements
If you'd like to try the scripts yourself, you'll need:
Linux 2.6.x / 3.0.x (any Linux distro will do, but Back|Track 5 or Kali Linux makes life easier)
Python 2.7
Libraries: Scapy, Mitmproxy, pythonwifi, httplib2 (you can install all these libraries using pip)
Speaker bio
I am interested in network security & software exploitation. I have been coding in Python for security tasks & academics for the past 3 years. About to graduate from Asia Pacific University, Kuala Lumpur, with an Information Systems Security (ISS) major.
Links
- *I'll be uploading my slides & finished scripts in a week*
- Twitter: https://twitter.com/hurtl0cker
- Pentesting basics: http://www.pentest-standard.org/
- How to use pip: http://www.pythonforbeginners.com/basics/python-pip-usage/
- Scapy: http://secdev.org/projects/scapy/
- Mitmproxy: mitmproxy.org
- Pythonwifi: http://pythonwifi.wikispot.org/
I haven't seen any talk focusing on Information security, looking forward to it