Penetration Testing in Python Like the Pros

Penetration Testing in Python

How is Python Used for Penetration Testing?

Python is the leading language in penetration testing and information security. There are many Python-based tools, ranging from proxy services and fuzzers that generate random data to find errors and vulnerabilities, all the way to complete exploit frameworks.


If you are an advanced penetration tester interested in customizing or developing your own tooling, Python is an ideal language to learn. It has easy-to-read code, modular design, and numerous libraries you can use as a basis to build your own security tools, from modules that perform simple I/O actions to libraries that generate API calls for specific systems.


This article will help you discover advanced tools and books that can help you become a Python penetration testing pro.


Python Tools for Pentesters


Exploit Libraries 

  • python-nmap—analyzes Nmap scan results programmatically and lets you launch custom attacks against specific hosts.
  • Requests—lets you send HTTP/1.1 requests without manually building query strings, form bodies or headers; encoding is handled for you.
  • BeautifulSoup—extracts data from HTML and XML documents. Useful for driving attacks on web applications with custom payloads, because it can quickly isolate the important details of a response.
  • Mona—a plugin for the Immunity Debugger that helps develop exploit programs. It simplifies tasks such as finding offsets, bad characters and return-oriented programming (ROP) gadgets, and generates code that can be used directly in exploits.
  • Scapy—packet-crafting tool and library that can forge or decode packets across many protocols, send them over the network, capture them, and match requests with responses. Provides programmatic access to functionality like that of Nmap, Wireshark, hping, arpspoof and tcpdump. Can also be used for fuzzing thick clients.


Network Utilities

  • pypcap, Pcapy, pylibpcap—Python wrappers for the popular libpcap (tcpdump) packet-capture library.
  • dpkt—packet creation and parsing using basic TCP/IP protocol definitions.
  • Impacket—creates and decodes network packets, with support for protocols such as SMB.
  • flowgrep—greps through packet payloads with regular expressions.
  • Knock subdomain scan—returns a list of subdomains of the target domain using a wordlist.
  • SubBrute—a fast subdomain enumeration tool.
  • Mallory—scalable TCP/UDP proxy that supports on-the-fly modification of non-standard protocols.
  • Spoodle—scans subdomains for the POODLE vulnerability.
  • SMBMap—enumerates Samba/SMB shares across domains.


Forensics

  • Volatility—scans RAM images and extracts forensic data.
  • Rekall—Google-developed framework for memory acquisition and analysis.
  • LibForensics—library for developing digital forensics applications.
  • TrIDLib—identifies file types from binary signatures; Python bindings are available.
  • AFT—Android forensics toolkit.


Malware Analysis

  • pyew—command-line hex editor and disassembler used mainly for malware analysis.
  • ExeFilter—filters file types in email, web pages or files. It detects many popular file types and removes active content.
  • pyClamAV—adds virus detection to Python tools.
  • Jsunpack-n—a JavaScript unpacker that detects exploits targeting browser and browser-plugin vulnerabilities by emulating browser functionality.
  • phoneyc—a honeyclient implemented entirely in Python.
  • CapTipper—analyzes, investigates and recovers malicious HTTP traffic from PCAP files.


4 Python Scripts To Speed Up Your Pen-Testing

Automating security assessment with custom payload scripts can help you extend the depth and scope of application testing within a test cycle. Below are four scripts written in Python, which generate payloads you can use to perform custom attacks on web applications and web hosts.

These scripts can be customized for different types of attacks, such as parameter fuzzing, brute-force password cracking and page ID enumeration.


IP-to-Number Conversion

Script on Github: https://github.com/python/cpython/blob/master/Lib/ipaddress.py 

Repository: CPython


The script converts an IP address to its plain integer form. This is especially useful when testing URL redirect attacks. Applications often redirect users to another page, and in some cases the target page is taken from an unvalidated request parameter, allowing an attacker to control the destination. If the application's check only recognizes the dotted URL/IP form supplied by the user, the attacker can convert the desired target IP to its integer form, pass that integer as the request parameter, and cause the system to redirect to the malicious page.
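As an added example (not from the CPython script or from this article), the conversion done with the standard-library ipaddress module, alongside a defender-side redirect check that canonicalizes integer-form hosts before comparing them to a constructed allowlist:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real application would load its own.
ALLOWED_HOSTS = {"app.example.com"}


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address -> its 32-bit integer form (stdlib ipaddress)."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    """Integer form -> dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(n))


def canonical_host(host: str) -> str:
    """Normalise a URL host before comparing it against an allowlist.

    A bare decimal integer such as "167772161" is the integer spelling of
    10.0.0.1 and is turned back into dotted-quad form; other IP literals are
    normalised by ipaddress; hostnames are lower-cased. Browsers also accept
    hex, octal and short forms, which is why the check below allowlists
    hostnames rather than trying to blocklist every IP spelling.
    """
    host = host.strip().strip("[]").lower()
    try:
        if host.isascii() and host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host  # not an IP literal (or out of range): treat as a hostname


def redirect_allowed(target: str) -> bool:
    """True only for absolute http(s) URLs whose canonical host is allowlisted."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return canonical_host(parts.hostname) in ALLOWED_HOSTS
```

Relative paths and schemeless targets are rejected here as well; an application that needs them should resolve them against its own origin before the check.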


App Specific Password Brute Forcer 

Script on Github: https://github.com/Broham/PassGen 

Repository: Abe Miessler


Brute-force password attacks are generally inefficient because they use large, generic dictionaries rather than the specific words used in an application or on its web pages. This script builds a narrower, application-specific dictionary from strings retrieved from different types of applications. It relies on a user behavioral pattern: people often choose passwords from the words and concepts they encounter in the application environment.


Metasploit (MSF) Payload Generator 

Script on Github: https://github.com/g0tmi1k/msfpc 

Repository: g0tmi1k


This MSF script creates a payload that can be added to an exploit program and used to compromise Windows systems. During the exploitation phase, the tester must configure a listener to receive the Meterpreter shell. This is usually done manually and can be time consuming. The script generates the payload with minimal user input and automatically configures the listener. For example, in a CSV injection scenario, an attacker could use this script to inject malicious commands that execute an MSF-generated payload on the victim's system.


Custom Wordlist Generator 

Script on Github: https://github.com/r3nt0n/bopscrk 

Repository: r3nt0n


This script is useful for brute-force attacks during the mapping phase of a penetration test. For example, an intrusion attempt may only require a payload of numbers, alphanumeric characters or letters. The script combines numbers, uppercase letters, lowercase letters, numbers with uppercase, numbers with lowercase, etc., with various ordering techniques to generate the required payload.


Conclusion

Python is a powerful language for penetration testers, and packs many libraries and tools that can make a penetration tester’s life easier, and can be used as a basis to build custom tools and exploits. 


We covered the following Python tools for penetration testers:


  • Exploit libraries including python-nmap, Requests and BeautifulSoup
  • Network utilities including pypcap and dpkt
  • Forensic tools including Volatility and LibForensics
  • Malware analysis tools including pyew and ExeFilter
  • Four Python scripts that can be extremely useful for brute forcing IPs and passwords in a penetration test


We hope this article will help you become a Python penetration testing pro – and use your skills to help organizations prevent cyberattacks and defeat cybercriminals. 


Gilad David Maayan / About Author

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
