Hands-On Penetration Testing with Python

Book Description

Implement defensive techniques in your ecosystem successfully with Python

Key Features

  • Identify and expose vulnerabilities in your infrastructure with Python
  • Learn custom exploit development
  • Make robust and powerful cybersecurity tools with Python

Book Description

With the current technological and infrastructural shift, penetration testing is no longer a process-oriented activity. Modern-day penetration testing demands lots of automation and innovation; the only language that dominates all its peers is Python. Given the huge number of tools written in Python, and its popularity in the penetration testing space, this language has always been the first choice for penetration testers.

Hands-On Penetration Testing with Python walks you through advanced Python programming constructs. Once you are familiar with the core concepts, you'll explore the advanced uses of Python in the domain of penetration testing and optimization. You'll then move on to understanding how Python, data science, and the cybersecurity ecosystem communicate with one another. In the concluding chapters, you'll study exploit development, reverse engineering, and cybersecurity use cases that can be automated with Python.

By the end of this book, you'll have acquired adequate skills to leverage Python as a helpful tool to pentest and secure infrastructure, while also creating your own custom exploits.

What you will learn

  • Get to grips with custom vulnerability scanner development
  • Familiarize yourself with web application scanning automation and exploit development
  • Walk through day-to-day cybersecurity scenarios that can be automated with Python
  • Discover enterprise- or organization-specific use cases and threat-hunting automation
  • Understand reverse engineering, fuzzing, buffer overflows, key-logger development, and exploit development for buffer overflows
  • Understand web scraping in Python and use it for processing web responses
  • Explore Security Operations Centre (SOC) use cases
  • Get to understand Data Science, Python, and cybersecurity all under one hood

Who this book is for

If you are a security consultant, developer, or cybersecurity enthusiast with little or no knowledge of Python and want in-depth insight into how the pen-testing ecosystem and Python combine to create offensive tools and exploits, automate cybersecurity use cases, and much more, then this book is for you. Hands-On Penetration Testing with Python guides you through the advanced uses of Python for cybersecurity and pen-testing, helping you to better understand security loopholes within your infrastructure.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Penetration Testing with Python
  3. Dedication
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  7. Introduction to Python
    1. Technical requirements
    2. Why Python?
      1. About Python – compiled or interpreted
      2. Installing Python
    3. Getting started
      1. Variables and keywords
      2. Variable naming conventions
      3. Python keywords
    4. Python data types
      1. Numbers
      2. String types
      3. String indexes
      4. String operations through methods and built-in functions
        1. The replace() method
        2. Substrings or string slicing
        3. String concatenation and replication
        4. The strip(), lstrip(), and rstrip() methods
        5. The split() method
        6. The find(), index(), upper(), lower(), len(), and count() methods
        7. The in and not in methods
        8. The endswith(), isdigit(), isalpha(), islower(), isupper(), and capitalize() methods
      5. List types
        1. Slicing the lists
        2. Merging and updating lists
        3. Copying lists
        4. Removing elements from lists
        5. Replication with len(), max(), and min()
        6. in and not in
      6. Tuples in Python
      7. Dictionaries in Python
    5. Python operators
    6. Summary
    7. Questions
  8. Building Python Scripts
    1. Technical requirements
    2. Indentation
    3. Conditional statements
      1. The if condition
      2. The if...else condition
      3. The if...elif condition
    4. Loops
      1. The while loop
      2. The for loop
        1. Iteration, iterable, and iterator
          1. A closer look at for loops
    5. Functions and methods in Python
    6. Modules and packages
    7. Generators and comprehensions
      1. Comprehensions
        1. Map, Lambda, zip, and filters
    8. Summary
    9. Questions
    10. Further reading
  9. Concept Handling
    1. Object-oriented programming in Python
      1. Classes and objects
      2. Class relationships
        1. Inheritance
        2. Access modifiers in Python
        3. Composition
        4. Association
        5. Aggregation
      3. Abstract classes
      4. Polymorphism
        1. Polymorphism with functions
        2. Polymorphism with classes (abstract classes)
      5. Static, instance, and class methods in Python
    2. Files, directories, and I/O access
      1. File access and manipulation
      2. Renaming and deleting files and accessing directories
      3. Console I/O
    3. Regular expressions in Python
    4. Data manipulation and parsing with XML, JSON, and CSV data
      1. XML data manipulation
      2. JSON data manipulation
      3. CSV
    5. Exception handling
    6. Summary
    7. Questions
    8. Further reading
  10. Advanced Python Modules
    1. Multitasking with threads
      1. Demonic and non-demonic threads
      2. Thread joins and enumeration
      3. Intercommunication between threads
      4. Thread concurrency control
    2. Multitasking with processes 
      1. Demonic and non-demonic processes
      2. Process joins, enumeration, and termination
      3. Multiprocess pooling
    3. Subprocesses
    4. Socket programming basics
    5. Reverse TCP shells with Python
    6. Summary
    7. Questions
    8. Further reading
  11. Vulnerability Scanner Python - Part 1
    1. Introducing Nmap
    2. Building a network scanner with Python
      1. Controlling the Nmap output with the script
      2. Using the Nmap module to conduct Nmap port scanning
        1. Objective and architectural overview
          1. Port scanning
          2. Service scanning
        2. A closer look at the code
          1. Getting started
        3. Executing the code
        4. Database schema for the port scanning portion of the vulnerability scanner
    3. Summary
    4. Questions
    5. Further reading
  12. Vulnerability Scanner Python - Part 2
    1. Architectural overview
      1. A closer look at the code
        1. Driver_scanner.py
        2. driver_meta.py
          1. main()
          2. parse_and_process()
          3. launchConfiguration()
          4. launchExploits()
        3. auto_commands.py
          1. Pexpect – automating terminal: <SSH, Telnet, Wireshark, w3af>
          2. custom_meta() – automating Metasploit
          3. singleLineCommands_Timeout() – automating Java, Ruby, Perl, NSE, Python, Bash scripts
          4. general_interactive() – automating interactive terminal scripts (test_ssl.sh)
          5. generalCommands_Tout_Sniff() – automating Tshark
          6. HTTP_based() – automating web specific use-cases
        4. Storing details in database
        5. Executing the code
        6. Database schema for the service-scanning portion of the vulnerability scanner
        7. GUI version of vulnerability scanner
    2. Usage [PTO-GUI]
      1. Scanning modules
        1. Sequential mode
        2. Reconfiguration after discovery is finished
        3. Concurrent mode
        4. Sequential default mode
    3. Pausing and resuming scans
      1. Downloading reports or analyzing when scan would be completed
    4. Reporting
    5. Summary
    6. Questions
    7. Further reading
  13. Machine Learning and Cybersecurity
    1. Machine Learning
      1. Setting up a Machine Learning environment in Kali Linux
    2. Regression-based machine learning models
      1. Simple linear regression
        1. How does the regression model work?
      2. Multiple linear regression
    3. Classification models
      1. Naive Bayes classifier
        1. Summarizing the Naive Bayes classifier
        2. Implementation code
    4. Natural language processing
      1. Using natural language processing with penetration testing reports
        1. Step 1 – tagging the raw data
        2. Step 2 – writing the code to train and test our model
    5. Summary
    6. Questions
    7. Further reading
  14. Automating Web Application Scanning - Part 1
    1. Automating web application scanning with Burp Suite
      1. Burp automation with Python
      2. SQL injection
      3. Automatic detection of SQL injection with Python
    2. Summary
    3. Questions
    4. Further reading
  15. Automated Web Application Scanning - Part 2
    1. XSS
      1. Stored or Type 1 XSS attacks
      2. Reflected or Type 2 XSS attacks
      3. DOM-based or Type 0 XSS attacks
      4. Automatic detection of XSS with Python
        1. Script in action
    2. CSRF
      1. Automatically detecting CSRF with Python
        1. Script in action
    3. Clickjacking
      1. X-Frame-Options
      2. Automatically detecting clickjacking with Python
    4. SSL stripping (missing HSTS header)
      1. Automatically detecting missing HSTS with Python
    5. Summary
    6. Questions
    7. Further reading
  16. Building a Custom Crawler
    1. Setup and installations
    2. Getting started
      1. Crawler code
      2. Urls.py and Views.py code snippet
        1. Code explanation
          1. Driver code – run_crawler.py
          2. Crawler code – crawler.py
    3. Execution of code
    4. Summary
    5. Questions
    6. Further reading
  17. Reverse Engineering Linux Applications
    1. Debugger
    2. Fuzzing Linux applications
      1. Fuzzing in action
      2. Linux and assembly code
    3. Stack buffer overflow in Linux
      1. Exploiting a buffer overflow
      2. Heap buffer overflow in Linux
    4. String format vulnerabilities
    5. Summary
    6. Questions
    7. Further reading
  18. Reverse Engineering Windows Applications
    1. Debuggers
    2. Fuzzing Windows applications
      1. Windows and assembly
    3. Exploiting buffer overflows in Windows
    4. Summary
    5. Questions
    6. Further reading
  19. Exploit Development
    1. Scripting exploits over web-based vulnerabilities
      1. Manually executing an LFI exploit
        1. Reverse shell with Netcat
        2. Reverse shell with Python
      2. Exploit development (LFI + RFI)
        1. LFI/RFI exploit code
        2. Executing the LFI exploit
        3. Executing the RFI exploit
    2. Developing a Metasploit module to exploit a network service
    3. Encoding shell codes to avoid detection
      1. Downloading and installing Veil
    4. Summary
    5. Questions
    6. Further reading
  20. Cyber Threat Intelligence
    1. Introduction to cyber threat intelligence
      1. Manual threat intelligence
      2. Automated threat intelligence
    2. Cyber threat intelligence platforms
    3. Tools and API
      1. MISP
        1. Installing MISP
        2. Threat scoring capability
        3. MISP UI and API
          1. MISP API (PyMISP)
    4. Threat scoring
      1. Threat scoring weighed file
      2. Threat scoring algorithm
        1. Executing the code
    5. STIX and TAXII and external lookups
      1. External lookups
    6. Summary
    7. Questions
    8. Further reading
  21. Other Wonders of Python
    1. Report parsers
      1. Nmap parser
        1. Running the code
      2. Nessus parser
        1. Running the code
      3. The need to have custom parsers
    2. Keylogger and exfiltration via sockets
      1. pyxhook – a Linux based Keylogger
      2. pyhook – a Windows-based keylogger
    3. Parsing Twitter tweets
    4. Stealing browser passwords with Python
    5. Python for antivirus-free persistence shells
    6. Summary
    7. Questions
    8. Further reading
  22. Assessments
    1. Chapter 1, Introduction to Python
    2. Chapter 2, Building Python Scripts
    3. Chapter 3, Concept Handling
    4. Chapter 4, Advanced Python Modules
    5. Chapter 5, Vulnerability Scanner Python - Part 1
    6. Chapter 6, Vulnerability Scanner Python - Part 2
    7. Chapter 7, Machine Learning and Cybersecurity
    8. Chapter 8, Automating Web Application Scanning - Part 1
    9. Chapter 9, Automating Web Application Scanning - Part 2
    10. Chapter 10, Building a Custom Crawler
    11. Chapter 11, Reverse Engineering Linux Applications
    12. Chapter 12, Reverse Engineering Windows Applications
    13. Chapter 13, Exploit Development
    14. Chapter 14, Cyber Threat Intelligence
    15. Chapter 15, Other Wonders of Python
  23. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product Information

  • Title: Hands-On Penetration Testing with Python
  • Author(s): Furqan Khan
  • Release date: January 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781788990820