Copy of The Life of Py

by Justin Seitz, 2 November 2013


Transcript of Copy of The Life of Py

The Life of Py
Why Python?
The Network
nearly everything can be done through socket
port scanners, proxies, fuzzers, and more
Scapy is a mature and robust packet crafting framework
Social Engineering - aka Stalking Karim
there are Python APIs for Twitter, Facebook and Googley things
combine the aforementioned web hackery and you can mine LinkedIn, and more
automatically collect intelligence about your target
use sentiment analysis, NLTK (Natural Language Toolkit) or the Google Prediction API to hone your models
QA your phishing attempts against your collected model
Visualization
excellent for mapping out social networks (aka stalking Karim)
Ero Carrera's pydot is by far the easiest graphing library
Python Imaging Library (PIL) excellent for all sorts of other fancy pictures
Debugger Automation
Immunity Debugger - exploit development / interactive debugging, hookers are your friend
pydbg / PaiMei- fuzzing frameworks, other non-interactive tasks
pykd - WinDbg binding, great for driver reversing / xDev
@jms_dot_py
The Vortex
the network
the web
social engineering
visualization
debugger automation
offensive forensics
Windows privilege escalation
Justin Seitz
Immunity Inc.

Windows Privilege Escalation
critical during pentests or real APT/ODB/GDP/HST/WTF
no privs = no love
doesn't always require nailing a kernel bug or driver
I suck at Linux xDev so we're doing Windows

Check out Insomnia Security's Encyclopedia
http://www.insomniasec.com/releases
widely supported - great for "deserted island" scenarios common to enterprise networks
widely implemented (Immunity, CORE, Google, et al.)
Saskatchewan farmboy friendly
bindings for other languages (Java, .NET)
low level support for C-like goodness (ctypes)
socket
import socket

sock = socket.socket()
sock.connect(("www.target.com",80))
sock.send("HAI!")
buffer = sock.recv(4096)
9 Line Port Scanner
import socket

for i in range(0, 1024):
    # a fresh socket per port: a socket that has already connected (or timed
    # out in SYN_SENT) cannot reliably be reused for another connect(), so a
    # single shared socket would report every port after the first open one
    # as closed
    sock = socket.socket()
    sock.settimeout(1)
    try:
        sock.connect(("target", i))
        print "Port open: %d" % i
    except socket.error:
        # refused or timed out (socket.timeout is a socket.error subclass)
        pass
    sock.close()
Web Hacking
urllib2 is the socket library of webby things
lots of web hacking tools in Python: sqlmap, w3af, etc.
getting good with urllib2 = lots of different tools, not just pentesting (RESTful APIs, JSON-RPC, etc.)
various HTML parsing (HTMLParser, BeautifulSoup) capabilities

DIY El Jefe
process monitoring framework
helps discover malware, or exploits in progress
Mark Wuergler and I used it for finding flawed SYSTEM services, unsecured scheduled tasks and inappropriate privilege assignments
utilizes a hooking DLL to trap CreateProcess* calls (does not play nice with others)

http://eljefe.immunityinc.com
WMI FTW
import wmi

# instantiate the WMI interface
c = wmi.WMI()

# create our process monitor
process_monitor = c.Win32_Process.watch_for("creation")

while True:
    try:
        # blocks until the next process-creation event arrives
        new_process = process_monitor()
        print new_process.GetOwner(),
        print new_process.ExecutablePath
        print new_process.CommandLine
    except wmi.x_wmi:
        # e.g. the process exited before its properties could be read
        pass
Win32Api FTW
import win32api
import win32con
import win32security

pid = 1234  # placeholder: PID of the process whose token we inspect

# obtain a handle to the target process
hproc = win32api.OpenProcess(win32con.PROCESS_QUERY_INFORMATION, False, pid)

# open the main process token
htok = win32security.OpenProcessToken(hproc, win32con.TOKEN_QUERY)

# retrieve the list of privileges held by the token as (LUID, attributes) pairs
privs = win32security.GetTokenInformation(htok, win32security.TokenPrivileges)

# iterate over all privileges and output the ones that are enabled
priv_list = ""
for i in privs:
    # test the SE_PRIVILEGE_ENABLED bit (0x2); comparing the attributes to the
    # exact value 3 would also demand SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x1) and
    # so miss privileges enabled at runtime via AdjustTokenPrivileges
    if i[1] & win32security.SE_PRIVILEGE_ENABLED:
        priv_list += "%s|" % win32security.LookupPrivilegeName(None, i[0])
print priv_list
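Decoding the attribute word correctly matters more than it looks: testing it for the exact value 3 (ENABLED | ENABLED_BY_DEFAULT) misses a privilege enabled at runtime (attributes 2) and one carrying SE_PRIVILEGE_USED_FOR_ACCESS (high bit set), which is exactly the kind of privilege a flawed service tends to leave turned on. The decoder below, an added Python 3 example and not code from the talk, classifies every (LUID, attributes) pair the way GetTokenInformation hands them back, using the winnt.h SE_PRIVILEGE_* values. The sample token and its LUID-to-name mapping are constructed so it runs without pywin32; on Windows you would pass `lambda luid: win32security.LookupPrivilegeName(None, luid)` as `lookup_name` and the real `privs` list as the token.

```python
# Added example (Python 3): decode token privilege attributes from
# GetTokenInformation(htok, TokenPrivileges). Not part of the talk.

# attribute bits from winnt.h
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# privileges whose holder can act as SYSTEM, read any process or load kernel
# code; worth flagging whenever they are found enabled in an ordinary service
HIGH_RISK = {
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege",
}


def describe_attributes(attrs):
    """Names of the attribute bits set on one privilege, or DISABLED if none."""
    names = []
    if attrs & SE_PRIVILEGE_ENABLED_BY_DEFAULT:
        names.append("ENABLED_BY_DEFAULT")
    if attrs & SE_PRIVILEGE_ENABLED:
        names.append("ENABLED")
    if attrs & SE_PRIVILEGE_REMOVED:
        names.append("REMOVED")
    if attrs & SE_PRIVILEGE_USED_FOR_ACCESS:
        names.append("USED_FOR_ACCESS")
    return names or ["DISABLED"]


def summarize_token(privs, lookup_name):
    """Classify every privilege in a token; privs is [(luid, attributes), ...]."""
    report = {"enabled": [], "disabled": [], "removed": [], "high_risk_enabled": []}
    for luid, attrs in privs:
        name = lookup_name(luid)
        if attrs & SE_PRIVILEGE_REMOVED:
            # removed privileges are gone for good and cannot be re-enabled
            report["removed"].append(name)
        elif attrs & SE_PRIVILEGE_ENABLED:
            report["enabled"].append(name)
            if name in HIGH_RISK:
                report["high_risk_enabled"].append(name)
        else:
            # present, but must be switched on with AdjustTokenPrivileges first
            report["disabled"].append(name)
    return report


def strict_enabled(privs, lookup_name):
    """The 'attributes == 3' test for comparison: only ENABLED + ENABLED_BY_DEFAULT count."""
    return [lookup_name(luid) for luid, attrs in privs if attrs == 3]


# Constructed sample token; the LUID numbers are illustrative only
NAMES = {20: "SeDebugPrivilege", 29: "SeImpersonatePrivilege",
         19: "SeShutdownPrivilege", 5: "SeIncreaseQuotaPrivilege",
         17: "SeBackupPrivilege"}
SAMPLE_TOKEN = [
    (20, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),      # attributes == 3
    (29, SE_PRIVILEGE_ENABLED),                                        # enabled at runtime
    (19, 0),                                                           # present, disabled
    (5, SE_PRIVILEGE_REMOVED),
    (17, SE_PRIVILEGE_USED_FOR_ACCESS | SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),
]

if __name__ == "__main__":
    rep = summarize_token(SAMPLE_TOKEN, NAMES.get)
    for key, names in rep.items():
        print("%-18s %s" % (key, ", ".join(names) or "-"))
    print("strict == 3 test sees only:", strict_enabled(SAMPLE_TOKEN, NAMES.get))
```

Run against the constructed token, the bitwise decoder reports three enabled privileges (all of them high risk) while the strict comparison sees only SeDebugPrivilege.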
Sniffing With Scapy
from scapy.all import *


def sniffer_callback(packet):
    # do things! here: a one-line summary of each captured packet
    print packet.summary()


sniff(filter="tcp port 80", prn=sniffer_callback)
Disclaimer
this is not a talk of cutting edge research
this is all about the most common uses in our day jobs as attackers/defenders
get you to take the Python Plunge (tm) if you haven't already
Not exhaustive (no IDAPython, pefile, etc.)
Dave made me use Prezi. I'm so very sorry.
ARP Poisoning
from scapy.all import *

poison = ARP()
poison.psrc = "192.168.1.1"
poison.pdst = "192.168.1.21"

while True:
    send(poison)
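The defender's counterpart to the loop above is the same Scapy sniffer pointed at ARP: every ARP request and reply carries a sender IP/MAC binding, and poisoning shows up as one IP being claimed by a second MAC. The watcher below is an added Python 3 example, not code from the talk; it keeps the first binding seen for each IP (or a pinned, known-good one) and raises an alert for every packet that contradicts it, which is how arpwatch-style tools work. The (ip, mac) pairs would normally be fed from `sniff(filter="arp", prn=lambda p: watcher.observe(p[ARP].psrc, p[ARP].hwsrc))`; here a constructed list of observations stands in so the code runs offline.

```python
# Added example (Python 3): detect ARP poisoning by watching IP -> MAC claims.
# Not part of the talk. Observations are fed from a constructed list; with
# Scapy they would come from p[ARP].psrc / p[ARP].hwsrc inside a sniff() callback.


class ArpWatcher:
    """Tracks the MAC address each IP address has claimed in ARP packets."""

    def __init__(self, pinned=None):
        # ip -> MAC first seen claiming it; 'pinned' pre-seeds known-good
        # bindings (the gateway, say) so the very first packet cannot lie
        self.table = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.alerts = []  # (ip, expected_mac, observed_mac) per conflicting packet

    def observe(self, ip, mac):
        """Record one sender binding; return an alert tuple on a conflict, else None."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known != mac:
            # do not overwrite the binding: every further spoofed packet alerts too
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


def scan(observations, pinned=None):
    """Feed a sequence of (ip, mac) pairs through a watcher and return it."""
    watcher = ArpWatcher(pinned)
    for ip, mac in observations:
        watcher.observe(ip, mac)
    return watcher


# Constructed sample: the gateway 192.168.1.1 answers from its own MAC, then a
# second host starts claiming 192.168.1.1, which is what a send(poison) loop
# with psrc set to the gateway address looks like on the wire.
SAMPLE = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.21", "AA:BB:CC:DD:EE:01"),
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    w = scan(SAMPLE)
    for ip, expected, observed in w.alerts:
        print("ARP conflict: %s was %s, now claimed by %s" % (ip, expected, observed))
```

Pinning the gateway's real MAC closes the obvious gap in a first-seen table: without it, an attacker who is already poisoning when the watcher starts owns the baseline.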

Drinking Games!
errors in code, miscounts, etc.
whoever catches me unintentionally using catchphrases or acronyms
first come first serve
OS App Fingerprinter
import os
import urllib2

# placeholder: base URL of the site being fingerprinted
target = "http://www.target.com"
# local copy of the application whose file layout we compare against
local_root = "joomla-1.3"

web_paths = []
for r, d, f in os.walk(local_root):
    for files in f:
        # path relative to the local copy, mapped onto the target URL
        relative = os.path.relpath(os.path.join(r, files), local_root)
        remote_path = "%s/%s" % (target, relative.replace(os.sep, "/"))
        web_paths.append(remote_path)

for path in web_paths:
    request = urllib2.Request(path)

    try:
        response = urllib2.urlopen(request)
        print "Yay! %s exists!" % path
        response.close()
    except (urllib2.HTTPError, urllib2.URLError) as error:
        pass
Memory Forensics
Volatility framework is the king of open source memory forensics
Works on memory images from Windows, Linux, Mac, Android
Lots of offensive capabilities - dump hashes, climb inside virtual machines for example
Excellent for testing rootkit techniques without writing a driver
Scapy + pygeoip + pyKML
Volatility
./vol.py pslist -f Win2k3-abc.vmem --profile=Win2003SP2x86
Offset      Name          PID  PPID  Thds  Handles
0x89d99648  System          4     0    73     1844
0x8996fd88  smss.exe      312     4     3       19
0x8930ad88  csrss.exe     360   312    12      586
0x892fed88  winlogon.exe  384   312    21      576

./vol.py iehistory -f Win2k3-abc.vmem --profile=Win2003SP2x86
Process: 3252 explorer.exe
Cache type "URL " at 0x1996600
Record length: 0x100
Location: Visited: Administrator@http://www.google.ca/q=karim+nathoo+hot+pics
Last modified: 2013-09-17 20:13:18 UTC+0000
Last accessed: 2013-09-17 20:13:18 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xe8
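Reading pslist by eye works for four processes; for a real image you want the table parsed and the parent/child relationships checked automatically, because a core process with the wrong parent (or a parent that is no longer in the list) is the classic first hint of injection or a malicious launcher. The script below is an added Python 3 example, not Volatility code and not from the talk: it parses the text output shown above (the first six columns; extra columns in newer Volatility builds are ignored), builds the process tree, and flags deviations from the parents a clean Windows 2003 boot produces. The sample rows are the four from the slide plus one constructed lsass.exe row whose parent PID does not exist.

```python
# Added example (Python 3): parse Volatility pslist text output and sanity-check
# the process tree. Not code from the talk or from Volatility.
import re

# Constructed from the four pslist rows on the slide (Windows 2003 SP2 image)
PSLIST_OUTPUT = """\
Offset     Name          PID  PPID  Thds  Handles
0x89d99648 System          4     0    73     1844
0x8996fd88 smss.exe      312     4     3       19
0x8930ad88 csrss.exe     360   312    12      586
0x892fed88 winlogon.exe  384   312    21      576
"""

# constructed anomaly: an lsass.exe whose parent PID is not in the listing
ANOMALY_ROW = "0x891a0020 lsass.exe     600   700    12      300\n"

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

# parent each core process has on a clean Windows 2003 boot; compared by the
# parent's image name, since PIDs change from boot to boot
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "lsass.exe": "winlogon.exe",
    "services.exe": "winlogon.exe",
}


def parse_pslist(text):
    """Return {pid: {name, ppid, offset, threads, handles}} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator or blank line
            continue
        offset, name, pid, ppid, thds, handles = m.groups()
        procs[int(pid)] = {
            "name": name, "ppid": int(ppid), "offset": int(offset, 16),
            "threads": int(thds), "handles": int(handles),
        }
    return procs


def check_parents(procs, expected=EXPECTED_PARENT):
    """List findings: parents missing from the listing and core processes with the wrong parent."""
    findings = []
    for pid, p in sorted(procs.items()):
        parent = procs.get(p["ppid"])
        if parent is None:
            # PID 0 is the Idle process, the legitimate parent of System
            if p["ppid"] != 0:
                findings.append("%s (PID %d): parent PID %d not in listing"
                                % (p["name"], pid, p["ppid"]))
            continue
        want = expected.get(p["name"].lower())
        if want and parent["name"].lower() != want.lower():
            findings.append("%s (PID %d): parent is %s, expected %s"
                            % (p["name"], pid, parent["name"], want))
    return findings


def process_tree(procs):
    """Indented lines of the parent/child tree, one root per process with no listed parent."""
    children = {}
    for pid, p in procs.items():
        children.setdefault(p["ppid"], []).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("%s%s (%d)" % ("  " * depth, procs[pid]["name"], pid))
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(pid for pid, p in procs.items() if p["ppid"] not in procs):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    table = parse_pslist(PSLIST_OUTPUT + ANOMALY_ROW)
    print("\n".join(process_tree(table)))
    for finding in check_parents(table):
        print("FINDING:", finding)
```

The expected-parent map is for the Windows 2003 profile in the slide; on Vista and later, csrss.exe and winlogon.exe are spawned by a per-session smss.exe that exits immediately, so a missing parent for those two is normal there and the map needs adjusting per profile.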
ID PyCommands
from immlib import *

def main(args):
    # do things

    return "Happy Message"
Hooking
def main(args):

    imm = Debugger()

    calc = imm.getModule("calc.exe")
    imm.analyseCode(calc.getCodebase())

    functions = imm.getAllFunctions(calc.getCodebase())

    hooker = cc_hook()

    for function in functions:
        hooker.add("%08x" % function, function)

    return "Tracking %d functions." % len(functions)
Hooking Pt. 2
class cc_hook(LogBpHook):

    def __init__(self):

        LogBpHook.__init__(self)
        self.imm = Debugger()

    def run(self, regs):

        self.imm.log("%08x" % regs['EIP'], regs['EIP'])
        self.imm.deleteBreakpoint(regs['EIP'])

        return

Other Stuff
python-twitter
# https://github.com/bear/python-twitter

import twitter

# placeholders: OAuth credentials of your Twitter application
consumer_key = "CONSUMER_KEY"
consumer_secret = "CONSUMER_SECRET"
access_token_key = "ACCESS_TOKEN_KEY"
access_token_secret = "ACCESS_TOKEN_SECRET"

api = twitter.Api(consumer_key, consumer_secret, access_token_key, access_token_secret)

user = api.GetUsersSearch("@karimnathoo")[0]
statuses = api.GetUserTimeline(user.id)
followers = api.GetFollowerIDs(user.id)
following = api.GetFriendIDs(user.id)

for status in statuses:
    print status.text
python-twitter
RT @cmeasurecon: #cmeasurecon is next week! Still time to register for training or the conference: http://t.co/5gQhnMTj2Z

@mrsues I'm just wondering if I can get a cissp in time.

I am going to be a risk management weenie for Halloween.

I wonder if there is a "mr booyah" http://t.co/56Kp4mELZi
mine secondary links
scrape photos for metadata
establish conversation links between users
python-twitter
Each Status object exposes a lot of data:
status.contributors
status.coordinates
status.created_at
status.created_at_in_seconds
status.favorited
status.favorite_count
status.geo
status.id
status.in_reply_to_screen_name
status.in_reply_to_user_id
status.in_reply_to_status_id
status.lang
status.place
status.retweet_count
status.relative_created_at # read only
status.source
status.text
status.truncated
status.location
status.user
status.urls
status.user_mentions
status.hashtags
Sentiment Analysis
Sentiment140.com - REST API
"2","RT @cmeasurecon: #cmeasurecon is next week! Still time to register for training or the conference: http://t.co/5gQhnMTj2Z"
"2","@mrsues I'm just wondering if I can get a cissp in time."
"2","I am going to be a risk management weenie for Halloween."
"2","I wonder if there is a ""mr booyah"" http://t.co/56Kp4mELZi"
"0","Too bad this doesn't coincide with @cmeasurecon http://t.co/8aPlhq2PrF"
"4","@darryl_macleod Cool, what was your time?"
"2","@programmerchick @darryl_macleod @kellman seems reasonable."
"2","@kellman @darryl_macleod I will come if you don't make me kiss any more fish"
"0","@programmerchick I wish I was but I couldn't get away this year. Next year :)"
"2","RT @ryanhuber: Classic carb loading. http://t.co/mJGs13Mhti"
"4","RT @ramblinpeck: In absolutely amazing company, I'll be speaking @cmeasurecon"
"4","RT @cmeasurecon: Don't forget to sign up for #cmeasurecon before prices go up today! http://t.co/E2AV9yV5kM"
"2","@CanSec office politics are usually like a lame version of House of Cards, so I try to avoid them."
"4","RT @Dynetics: @PaulCoggin has been invited to speak at Canada's @cmeasurecon in November. Impressive lineup. http://t.co/9ow5MNWknV"
"4","RT @ryanhuber: Looking forward to talking about App DoS mitigation at @cmeasurecon in November: http://t.co/QQINMbKUjS"
Total Tweets: 19
Average Sentiment: 2.31578947368
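The lines above are what Sentiment140's bulk endpoint returns: one CSV record per tweet, polarity first (0 = negative, 2 = neutral, 4 = positive), then the text, with embedded quotes doubled as in the "mr booyah" line. The script below is an added Python 3 example, not code from the talk: it parses that format with the csv module (which undoes the doubled quotes for you) and produces the Total/Average footer shown above plus a per-label count. SAMPLE is the fifteen result lines from the slide copied verbatim; the slide's own totals were over 19 tweets, so its numbers differ from the ones the sample gives.

```python
# Added example (Python 3): parse Sentiment140 CSV output and summarize it.
# Not code from the talk. SAMPLE holds the 15 result rows from the slide.
import csv
from statistics import mean

SAMPLE = '''"2","RT @cmeasurecon: #cmeasurecon is next week! Still time to register for training or the conference: http://t.co/5gQhnMTj2Z"
"2","@mrsues I'm just wondering if I can get a cissp in time."
"2","I am going to be a risk management weenie for Halloween."
"2","I wonder if there is a ""mr booyah"" http://t.co/56Kp4mELZi"
"0","Too bad this doesn't coincide with @cmeasurecon http://t.co/8aPlhq2PrF"
"4","@darryl_macleod Cool, what was your time?"
"2","@programmerchick @darryl_macleod @kellman seems reasonable."
"2","@kellman @darryl_macleod I will come if you don't make me kiss any more fish"
"0","@programmerchick I wish I was but I couldn't get away this year. Next year :)"
"2","RT @ryanhuber: Classic carb loading. http://t.co/mJGs13Mhti"
"4","RT @ramblinpeck: In absolutely amazing company, I'll be speaking @cmeasurecon"
"4","RT @cmeasurecon: Don't forget to sign up for #cmeasurecon before prices go up today! http://t.co/E2AV9yV5kM"
"2","@CanSec office politics are usually like a lame version of House of Cards, so I try to avoid them."
"4","RT @Dynetics: @PaulCoggin has been invited to speak at Canada's @cmeasurecon in November. Impressive lineup. http://t.co/9ow5MNWknV"
"4","RT @ryanhuber: Looking forward to talking about App DoS mitigation at @cmeasurecon in November: http://t.co/QQINMbKUjS"
'''

# Sentiment140 polarity codes
LABELS = {0: "negative", 2: "neutral", 4: "positive"}


def parse_sentiment140(text):
    """Return [(polarity, tweet), ...]; csv undoes the doubled quotes in tweet bodies."""
    rows = []
    for record in csv.reader(text.splitlines()):
        if len(record) != 2:
            continue  # blank or malformed line
        polarity, tweet = record
        rows.append((int(polarity), tweet))
    return rows


def summarize(rows):
    """Total, average polarity and per-label counts, like the footer on the slide."""
    polarities = [p for p, _ in rows]
    counts = {}
    for p in polarities:
        label = LABELS.get(p, "unknown")
        counts[label] = counts.get(label, 0) + 1
    return {
        "total": len(polarities),
        "average": mean(polarities) if polarities else 0.0,
        "counts": counts,
    }


if __name__ == "__main__":
    summary = summarize(parse_sentiment140(SAMPLE))
    print("Total Tweets: %d" % summary["total"])
    print("Average Sentiment: %s" % summary["average"])
    for label, n in sorted(summary["counts"].items()):
        print("  %s: %d" % (label, n))
```

A mean of 2.4 on a 0/2/4 scale is dominated by the neutral bucket, so the per-label counts are the more useful number to look at when comparing two sets of tweets.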
Graph Theory
Neckbeard definition:

In mathematics and computer science, graph theory is the study of graphs, which are mathematical structures used to model pairwise relations between objects. (Wikipedia)

Saskatchewan farmboy definition:
nodes = circles
edges = lines