Earlier this year, I wrote of my long love affair with Ruby coming to an end and my desire to get back to python in order to build additional skills for the purposes of defense and response. That first step back into python resulted in the article, Book Review: Gray Hat Python by Justin Seitz. That book was one of the more interesting ones that I’ve reviewed, so when I had the opportunity to look at his latest work, Black Hat Python: Python Programming for Hackers and Pentesters, I was really excited.
Python has been the language of choice in the pen testing universe for a while now, and so having a good reference for building attack and analysis tools for use during attack exercises is really important. The back cover of the book ponders the question of how the magic of creating these tools happens and offers that, “…you’ll explore the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more.” Sounds perfect. Let’s take a closer look and see if it delivers.
Details of Black Hat Python
Black Hat Python starts with a forward from Charlie Miller, a well known hacker in the industry, and then moves into the good stuff. Chapter 1 covers the setup of python and WingIDE. This chapter is the basic intro chapter to get you running, but I was impressed that Seitz used Kali for this as it’s already on most pen testers systems. Nothing earth-shattering happened in this chapter, but it did go through the details of what needed to be done to get up and running.
With the setup stuff complete, Seitz moves into the thing that is required for almost all pen testing exercises: networking. After introducing how to build a TCP and UDP client and then server, we get brought into an example of a netcat replacement using Python. As netcat isn’t available on every system, this is an incredibly handy thing to have around.
Next the networking chapter moves into building a TCP proxy for traffic analysis. This section has good explanations of code, but at this point, I realized that the book is going to act as more of a cookbook than concept learning. Each of the areas of the code are explained well in order to see what is happening, but the why of what is happening is not always there. With the depth and large numbers of examples, there really isn’t room, so a few topics may take some additional outside research to fully figure it out.
Chapter 2 finishes with some great work with creating SSH clients and servers using python and how to allow tunneling. Pivoting is one of the most important areas in pen testing, and so having some tools to deal with this area is a huge benefit. Being able to easily tunnel traffic makes getting to resources inside other portions of the network much easier, so this was a great way to end Chapter 2.
Chapter 3 is kind of odd. It has some great information about an area that is very interesting to me: incorporating C style data structures in Python. There are a number of things done with raw sockets in Chapter 3. The downside is that there wasn’t much done in Chapter 3 that can’t be done easier in Scapy or some of the other packet/socket manipulation libraries. That being said, if you are getting deep into packet things, this chapter will provide some great benefit, just due to the simple fact of how the code is being written and explained.
Chapter 4 is on Scapy. Most of the things from Chapter 3 that we did with networking are all happening in the background of Scapy, but some great things are done in Chapter 4 with ARP Spoofing and then PCAP carving. Packet tools are some of the most useful tools when network analysis is necessary on a pen test. Having some basic tools to control exactly what is happening and grabbing the data that matters is handy. The image carving tool for PCAP file can easily be modified to carve lots of other file types that may be useful in real world scenarios from credit card track data to email attachments.
Web testing is another area that attackers need to know well. Chapter 5 digs into web testing with a number of brute force tools including brute forcing users, directory structure, and mapping web pages. These are all useful things, and the libraries used are going to be important for way more than brute force. The methods used make a lot of sense, and Seitz gives the reader a quick tutorial on using the methods of the HTML parser class which are heavy in events. Using a threaded brute forcer, the reader ends the chapter by brute forcing a Joomla login using just Python.
Burp is part of almost every pen tester’s arsenal, so having a chapter on extending Burp was a great idea. Throughout Chapter 6, three different extensions for Burp were investigated. The first was a fuzzer for use with Burp Intruder. This module acts as an easy framework for customizable fuzzing. While not extremely novel for the example, this is a great framework to use for building anything else that doesn’t already have a fuzzer for Burp.
Next a Bing module was created. I’m not going to lie, I’m changing this and adding it into my Burp suite. Bing allows you to search for information based on IP address easily and get additional information like vhosts on an IP address. This was a great example and maybe one of the most relevant ones in the chapter.
The third example was a wordlist generator from website content. Since there are other tools to do this, this wasn’t a huge revelation, but being able to do this from within Burp is very handy. Adding an extension for this was pretty easy to do with Python and Burp Extender, so it was an example that was nice to have in the chapter.
Chapter 7 is on creating a command and control (C2) Trojan using Github. If you are as big a dork as I am, you are probably thinking AWESOME. Ok, so after playing with it, it has some neat stuff, but what the chapter really does is show you how to build some modular code. That’s also awesome, and, while I don’t see myself ever using a github based C2 server, I do know that I am more likely to build modular code after reading this.
Chapter 8 was my favorite chapter in the whole book. It’s not even why I wanted to read the book, so this was pretty much bonus awesome. I hadn’t seen or done a lot before with utilizing Windows API calls within Python, but in this chapter we get to look at keyloggers, screenshot tools, and other Windows tools. These are kind of neat on their own, but looking at the potential of Python in Windows sparked a lot of cool ideas. If you have ever written tools for Windows, check this out, you may look at moving some of the things to Python.
With some of the basics of Windows API usage in Python under our belt, Chapter 9 digs into how to hook APIs in Internet Explorer. This technique can be used for debugging, grabbing real-time information, exfiltrating data, or a number of other tasks. There wasn’t anything super exciting added here for me, but the ability to use IE could be handy if you are on a system with IE and want to do things with a specific user’s web browser (and have time to whip up some code to take over the browser).
Chapter 10 is more Windows goodness and focuses on Windows privilege escalation. The escalation stuff is interesting and Seitz walks the reader through monitoring processes, files, and even injecting code. The big thing I got out of this was some more of the things that you could do with WMI and other Windows APIs inside Python for more advanced tools. There are some great code snippets here for iterating through file information and process information.
Chapter 11 is titled “Automated Offensive Forensics”, but I think it’s really mislabeled. There is some of that in here where Seitz walks the reader through grabbing password hashes from a memory image with Volatility, however the chapter is also heavy in code injection using Volatility and Immunity debugger. Using Volatility, traditionally a forensics tool, for offensive things is really cool, but I enjoyed seeing how to incorporate external things into Immunity Debugger a lot more. For me, that was the big take away from this chapter.
I was excited when I started the Black Hat Python knowing what would be covered, and I was additionally excited about new things when I finished the book. I even bought another hardcopy of the book, so that I could have it handy when I needed it. Published back in December of 2014, this is an up-to-date work and yet another quality tome by No Starch Press.
In the end, no matter how you use Python, you are going to find some things in this book that spark some neat ideas. Being an intermediate to advanced book, that is the prerequisite… you must already be using python. If you’ve never used Python, you’re going to have a bad time with this book. Once you do have some Python coding under your belt, reading through this book a few times should give you some neat new tricks during each read. And if you truly have a hacker’s mindset, a spark is all you need to make it your own and do some even more amazing. Justin Seitz offers plenty of sparks.
Review by Ryan Linn, columnist for EH-Net. For more from Ryan, please see his column by using the menu above or simply click his name.Tags: book review forensics linn pentest programming python