Violent Python

1. Python: The Essential Security Tool

Forging your own weapons to solve your own problems makes you a true penetration tester.

Python's power. Python is presented as the ideal language for security professionals – hackers, forensic analysts, penetration testers, and security engineers – due to its simplicity, efficiency, vast libraries, and low barrier to entry. It's often already installed on Linux and Mac systems, making it immediately accessible for scripting custom tools. While many security tools exist, Python empowers users to build bespoke solutions for unique or difficult challenges where off-the-shelf options fail.

Cookbook approach. The book adopts a "cookbook" style, offering practical Python "recipes" for various security domains. These examples cover offensive tools, web analysis, network analysis, forensic analysis, and wireless device exploitation. The goal is to inspire readers to adapt and create their own scripts, fostering a mindset of building custom solutions rather than solely relying on existing ones.

Real-world impact. Anecdotes, like the penetration tester who compromised over a thousand machines with a small Python script or the forensic investigator who solved a decades-old murder using metadata, highlight the tangible impact custom Python tools can have. These stories underscore the value of being able to quickly develop scripts to react to dynamic situations and solve specific problems encountered in the field.

2. Python Basics for Security Scripting

The real strength of the Python programming language lies in the wide array of standard and third-party libraries.

Foundational concepts. Chapter 1 provides a crash course in Python fundamentals necessary for security scripting. It covers core concepts like variables, standard data types (strings, integers, booleans), and complex data structures such as lists and dictionaries, explaining how Python automatically handles typing. Understanding these building blocks is crucial before diving into more advanced applications.

Control flow and functions. Essential programming constructs like selection (if/elif/else) and iteration (for loops) are introduced, enabling scripts to make decisions and process data efficiently. Functions are emphasized as organized, reusable blocks of code, improving readability and modularity, a practice demonstrated by building simple programs like password crackers. Exception handling (try/except) is also covered, allowing scripts to gracefully manage runtime errors like network timeouts.

Essential modules. Key built-in modules are highlighted for interacting with the system and network.

• socket: For making network connections (TCP/UDP).
• os: For interacting with the operating system (file paths, permissions).
• sys: For accessing interpreter-specific objects (command-line arguments).
• _winreg (Windows): For interacting with the Windows Registry.
• sqlite3: For interacting with SQLite databases.
  These modules, along with third-party libraries, form the backbone of Python's power in security tasks.

3. Crafting Penetration Testing Tools

A small Python script granted him access to over one thousand workstations.

Reconnaissance first. Penetration testing begins with reconnaissance, often involving port scanning to identify open services. Python's socket module allows building basic TCP connect scanners, while integrating libraries like python-nmap provides access to more advanced scanning techniques and output parsing. This initial step helps attackers discover potential entry points.

Exploiting common services. Python scripts can automate attacks against widely used protocols.

• SSH: Using libraries like pexpect or pxssh for brute-forcing passwords or exploiting weak private keys to gain remote command execution and build botnets.
• FTP: Scripting anonymous logins, brute-forcing credentials, and injecting malicious code into web pages hosted on compromised FTP servers, replicating real-world mass compromises.
• SMB: Interacting with Metasploit via resource scripts to automate exploitation of vulnerabilities like MS08-067 or perform brute-force attacks against administrative shares (psexec).

Zero-day potential. Python can even be used to develop proof-of-concept code for zero-day vulnerabilities, such as stack-based buffer overflows. By crafting packets with specific payloads, overflow buffers, return addresses, and NOP sleds using libraries like scapy and struct, attackers can demonstrate remote code execution, highlighting Python's capability in advanced exploit development.

4. Python for Digital Forensics

A 31-year investigation that had exhausted 100,000 man hours ended with Mr. Stone’s examination of metadata (Regan, 2006).

Uncovering system artifacts. Python is a powerful tool for digital forensic investigations, enabling analysts to extract valuable information from operating system artifacts. This includes analyzing the Windows Registry using _winreg to uncover previously connected wireless networks and their MAC addresses, which can then be geo-located using services like Wigle.net via libraries like mechanize.

Investigating deleted data. Scripts can be written to examine the Recycle Bin across different Windows versions (C:\Recycler, C:\Recycled, C:\$Recycle.Bin) using the os module. By correlating user SIDs found in Recycle Bin directories with usernames stored in the Registry, investigators can determine who deleted specific files, aiding in reconstructing user activity.

Extracting application data. Many modern applications store data in SQLite databases, which Python can easily parse using the sqlite3 library. Examples include extracting:

• Skype profile information, contacts, call logs, and messages from main.db.
• Firefox download history, cookies, browsing history, and even Google search queries from databases like downloads.sqlite, cookies.sqlite, and places.sqlite.
• Text messages and other data from iTunes mobile device backups by identifying and querying the relevant SQLite files.
  These techniques allow investigators to automate the extraction of forensically rich data from user applications.

5. Analyzing Network Traffic with Python

Even a rudimentary piece of network visualization software could have identified this behavior.

Geo-locating traffic. Python can analyze network traffic captures (PCAPs) to understand the physical origin and destination of packets. Using libraries like dpkt to parse packet layers (Ethernet, IP, TCP/UDP) and pygeoip with the GeoLiteCity database, scripts can correlate IP addresses to geographic locations. This data can even be formatted into KML files for visualization in Google Earth, revealing traffic patterns that might indicate malicious activity, as demonstrated by the missed opportunities during Operation Aurora.

Detecting malicious activity. Python scripts can identify specific attack patterns within network traffic.

• DDoS Toolkits: Parsing HTTP requests for known toolkit downloads (like LOIC) or analyzing IRC traffic for command-and-control messages (!lazor). Detecting high volumes of traffic from specific sources can also indicate an attack in progress.
• Decoy Scans: Analyzing the Time-to-Live (TTL) field of IP packets using scapy and comparing the received TTL to the actual hop count (determined by sending ICMP probes) can reveal spoofed source addresses used in decoy network scans, a technique used by H.D. Moore to defend the Pentagon.
• Flux Networks: Examining DNS traffic (scapy) to detect Fast-Flux (multiple IPs for one domain with short TTLs) or Domain-Flux (frequent requests for non-existent domains), techniques used by botnets like Storm and Conficker to evade takedown.

Protocol analysis and manipulation. Python allows deep inspection and crafting of network packets. Analyzing TCP sequence numbers (scapy) can reveal predictable patterns exploitable for session hijacking, as demonstrated by Kevin Mitnick's attack. Furthermore, scapy can be used to craft packets with specific flags, ports, and payloads to test Intrusion Detection Systems (IDS) and potentially generate overwhelming noise to mask a real attack.

6. Wireless and Bluetooth Exploitation & Analysis

Sniffing unencrypted wireless Internet connections proved to be one of the methods he used to gain access to credit card information.

Wireless sniffing. Python, combined with libraries like scapy and a wireless adapter in monitor mode, can passively intercept wireless traffic. This allows for sniffing sensitive information transmitted over unencrypted networks, such as:

• Credit card numbers using regular expressions.
• Hotel guest names and room numbers from unauthenticated login pages.
• Google search queries from unencrypted HTTP traffic.
• FTP credentials (usernames and passwords) sent in plaintext.
  These examples highlight the risks of using unencrypted wireless networks and the ease with which sensitive data can be captured.

Identifying hidden networks. Scripts can analyze 802.11 management frames to discover wireless networks. By listening for Probe Requests, attackers can identify preferred networks stored on client devices. Analyzing Beacon frames, including those with blank SSIDs, helps detect hidden networks. Waiting for a Probe Response matching a hidden network's MAC address can reveal its name.

Active wireless attacks. Python enables crafting and injecting 802.11 frames for offensive purposes. Demonstrating control over an Unmanned Aerial Vehicle (UAV) by sniffing its communication protocol (UDP), duplicating packet layers (scapy), and injecting spoofed commands (like emergency landing) shows the potential for taking over vulnerable wireless devices. Detecting tools like Firesheep is also possible by identifying the reuse of session cookies from different IP addresses.

Bluetooth security. Python's bluetooth and python-obexftp libraries allow scanning and exploiting Bluetooth devices. Scripts can discover nearby devices, scan for open RFCOMM channels, and browse services using SDP. Exploits like OBEX Object Push (sending files to printers) or BlueBugging (issuing AT commands to phones via unauthenticated RFCOMM channels) demonstrate how Python can be used to interact with and compromise Bluetooth-enabled devices.

7. Web Reconnaissance and Social Engineering Automation

No matter how sophisticated or deadly a cyber attack becomes, the presence of effective social engineering will always increase the attack’s effectiveness.

Anonymous browsing. Web reconnaissance often requires anonymity to avoid detection. Python's mechanize library allows stateful web browsing, handling cookies and forms. By extending the Browser class, custom scripts can automate anonymity techniques like rotating proxies, spoofing user-agent strings, and clearing cookies, making it harder for websites to track activity.

Web scraping. Extracting information from websites is crucial for reconnaissance. Libraries like BeautifulSoup excel at parsing HTML and XML, making it easy to find specific elements like links (<a> tags) and images (<img> tags). Scripts can download website content, parse it locally, and even mirror images, reducing repeated requests to the target server.

Leveraging web APIs. Many online services provide APIs for programmatic access to data. Python can interact with these APIs to gather information efficiently.

• Google API: Querying Google search results programmatically to find information about target companies or individuals.
• Twitter API: Scraping tweets, retweets, and profile information for a given handle. Analyzing tweet content using regular expressions can reveal interests (links, hashtags, mentioned users) and potentially locations (geo-tags, city names in text), building a detailed profile of the target.

Automated social engineering. The gathered information can be used to craft highly targeted social engineering attacks, such as spear-phishing emails. Python's smtplib allows sending emails programmatically. By combining collected data (like interests, location, or contacts) with email automation, attackers can create personalized messages that are more likely to be opened and acted upon, increasing the success rate of the attack.

Last updated: May 14, 2025