Black Hat Python

1. The Art of Offensive Forensics: Turning the Tables

The network is and always will be the sexiest arena for a hacker.

Reversing the Script. Offensive forensics involves using forensic techniques not for defense, but for attack. It's about understanding how forensic tools and investigators work to better evade detection and maintain access. This approach allows attackers to anticipate responses and tailor their actions accordingly.

Understanding the Enemy. By studying forensic methodologies, incident response procedures, and common security tools, attackers can identify vulnerabilities in the investigative process. This knowledge can be used to create more effective and stealthy attacks. For example:

• Knowing which artifacts are commonly analyzed can help attackers avoid leaving those traces.
• Understanding how memory forensics works can help attackers craft shellcode that avoids detection.

Proactive Evasion. Offensive forensics is not just about reacting to investigations, but about proactively shaping the digital landscape to make investigations more difficult. This might involve:

• Planting false evidence to mislead investigators
• Tampering with logs to obscure activity
• Using encryption to protect sensitive data

2. Keylogging: A Classic Technique for Modern Threats

Countless times during penetration tests, we (the authors) have needed to whip up a TCP client to test for services, send garbage data, fuzz, or perform any number of other tasks.

Capturing Sensitive Information. Keylogging remains a highly effective method for capturing credentials, conversations, and other sensitive data. By recording keystrokes, attackers can gain access to accounts, systems, and networks.

PyWinHook for Windows Keylogging:

• Leverages the native Windows function SetWindowsHookEx to trap keyboard events.
• Provides information about the active window and process associated with each keystroke.
• Allows for the capture of both ASCII characters and special keys.

Beyond Basic Keystrokes. Modern keyloggers can also capture clipboard data, providing access to passwords, credit card numbers, and other sensitive information that users copy and paste. This expands the scope of potential data breaches.

3. Screenshots: Capturing Visual Intelligence

Programmers have a number of third-party tools to create networked servers and clients in Python, but the core module for all of those tools is socket.

Visual Confirmation. Screenshots provide visual confirmation of user activity, capturing images, video frames, and other sensitive data that might not be accessible through other means. This can be particularly useful for gathering evidence of specific actions or behaviors.

PyWin32 for Screenshot Capture:

• Uses the Windows Graphics Device Interface (GDI) to capture the entire screen.
• Provides a way to grab images, video frames, or other sensitive data.
• Can be used to monitor user activity and gather intelligence.

Beyond Simple Screenshots. Advanced screenshot techniques can include:

• Capturing screenshots at regular intervals to create a timeline of user activity.
• Triggering screenshots based on specific events, such as the opening of a particular application.
• Using optical character recognition (OCR) to extract text from screenshots.

4. Shellcode Execution: Remote Code Injection

The network is and always will be the sexiest arena for a hacker.

Direct Code Execution. Shellcode execution allows attackers to inject and run arbitrary code on a target system without touching the filesystem. This can be used to establish a reverse shell, deploy additional malware, or perform other malicious activities.

ctypes for Shellcode Execution:

• Uses the ctypes module to allocate memory, copy shellcode into memory, and create a function pointer to the shellcode.
• Allows for the execution of raw shellcode without writing it to disk.
• Can be used to bypass security measures that rely on file-based scanning.

Beyond Basic Shellcode. Advanced shellcode techniques can include:

• Using position-independent code (PIC) to ensure that shellcode can run at any memory address.
• Encrypting shellcode to evade detection.
• Using multi-stage shellcode to download and execute larger payloads.

5. Sandbox Detection: Evading Automated Analysis

You might use one for forwarding traffic to bounce from host to host, or when assessing network-based software.

Evading Automated Defenses. Sandbox detection involves identifying and avoiding automated analysis environments used by antivirus software and security researchers. By detecting sandbox environments, attackers can prevent their malware from being analyzed and detected.

Techniques for Sandbox Detection:

• Monitoring user input: Checking for keyboard and mouse activity.
• Detecting virtual machine artifacts: Looking for specific files, registry keys, or processes associated with virtual machines.
• Analyzing system uptime: Comparing the system's uptime to the last user input.

Beyond Basic Detection. Advanced sandbox detection techniques can include:

• Using timing-based attacks to detect virtual machine environments.
• Checking for the presence of specific security tools or processes.
• Analyzing the system's hardware configuration.

6. Encryption: Securing Exfiltrated Data

On more than one occasion, I’ve run into servers that don’t have netcat installed but do have Python.

Protecting Sensitive Information. Encryption is essential for protecting sensitive data during exfiltration. By encrypting data before it leaves the target system, attackers can prevent unauthorized access to the information even if it is intercepted.

PyCryptodomeX for Encryption:

• Provides a variety of encryption algorithms, including AES and RSA.
• Allows for the creation of hybrid encryption systems that combine the speed of symmetric encryption with the security of asymmetric encryption.
• Can be used to encrypt files, network traffic, or other sensitive data.

Beyond Basic Encryption. Advanced encryption techniques can include:

• Using steganography to hide encrypted data within images or other files.
• Using multiple layers of encryption to increase security.
• Using ephemeral keys to ensure that data cannot be decrypted even if the attacker's keys are compromised.

7. Exfiltration Methods: Blending in to Get Out

The network is and always will be the sexiest arena for a hacker.

Stealth and Evasion. Choosing the right exfiltration method is crucial for avoiding detection. Attackers must consider the target network's security posture and choose a method that blends in with normal traffic.

Common Exfiltration Methods:

• Email: Sending encrypted data as attachments or within the body of emails.
• File transfer: Using FTP or other file transfer protocols to upload encrypted data to a remote server.
• Web server: Posting encrypted data to a web server using HTTP or HTTPS.

Beyond Basic Exfiltration. Advanced exfiltration techniques can include:

• Using steganography to hide encrypted data within images or other files.
• Using covert channels to transmit data over seemingly innocuous protocols.
• Using distributed exfiltration to spread data across multiple destinations.

Last updated: February 17, 2025