Python has rapidly become a popular language for security professionals. It’s human readable with an easy syntax, has a comprehensive standard library and easily importable external libraries, is multi-platform, and is suitable for both larger programs and smaller scripts alike. Python is easy to learn for novice programmers yet robust enough for seasoned developers. What makes it such an effective tool for security professionals is the support of extensive libraries specifically designed for penetration testing. For that reason, it makes perfect sense for the SANS Institute to add SEC573 Python for Penetration Testers to their vast list of InfoSec courses.
“SANS SEC573 Python for Penetration Testers” is a five-day class that teaches the basics of the Python language then builds on that knowledge to show how to utilize its specialized libraries to perform network capture and analysis, SQL injection, Metasploit integration, password guessing and much more. You also learn how to use Python to create an encoded backdoor to evade IDS and antivirus controls. This article presents an extensive day-by-day review of the in-person course taught by Mark Baggett, the author of SANS Python for Penetration Testers course and the pyWars gaming environment.
Python for Penetration Testers – The Basics
Who Should Take Python for Penetration Testers?
It is assumed that the participating student has a basic understanding of at least one programming or scripting language and has a background in Information Technology. It doesn’t absolutely require one to be a programmer, but it would be very difficult to keep up in the class without at least some basic programming knowledge. Having some experience in penetration testing, incident response or security assessment is helpful, since the class is aimed at furthering one’s skill in exploiting common vulnerabilities.
Why Take Python For Penetration Testers?
At some point during penetration testing, you’re going to hit a wall; a tool doesn’t quite go far enough or isn’t flexible enough, you need to test security controls using evasion techniques, or you need exploit code to prove exploitability of a vulnerability. Python for Penetration Testers will help you develop the skills to customize existing tools, develop your own tools, and see different ways of solving problems. Grasping the programming logic alone goes a long way in gaining an understanding of the anatomy of an attack. Having this skill extends your ethical hacking arsenal and simply makes you a better penetration tester.
How Is Python for Penetration Testers Taught?
Teaching Python as a penetration testing tool rather than teaching it from the ground up means instructing an audience with varying levels of programming and Python-specific proficiency. How do you refresh those with little programming experience on the basics of programming, teach experienced programmers the Python syntax, all while not boring the advanced students into an early death? Such scenarios could easily lead to spit-wad throwing behavior, or worse – the dreaded student-attempting-to-teach-the-class trick! The answer that Python for Penetration Testers provides to this dilemma is PyWars! SANS describes PyWars this way: “PyWars is a 4-day Capture the Flag competition that runs parallel to the course material. It will challenge your existing programming skills and help you develop new skills at your own individualized pace. This allows experienced programmers to quickly progress to more advanced concepts while novice programmers spend time building a strong foundation.”
So while remedial students (like myself) get a refresher on programming logic, the more experienced programmers and Python gurus occupy themselves by working on increasingly complex challenges available in a Linux virtual machine provided by SANS. Each student can begin working on PyWars challenges at any point where the class material becomes too basic for their skill level. Eventually, everyone is brought up to speed on the essentials and the class moves forward to the goal of knowing how to utilize Python as an efficient and effective weapon in penetration testing. It’s not only an excellent solution to the problem of having diverse skill levels in one class, but it also makes the class very hands-on. Aside from PyWars, there are labs at the end of each section of the course material to give each student the opportunity to put into practice what they’ve just learned. Finished code is available if the student gets stuck at any point.
The Lab Environment
A DVD is provided that includes:
- A Linux virtual machine based on the BackTrack R5.1 distro
- Working example code
- Python files and libraries needed for both Linux and Windows systems
- Cheat sheets for various tools and APIs
The Windows install features module and language references and a tutorial to help beginners develop programs. The class does require access to a Windows system with administrator privileges, since the labs involve moving between both operating systems to demonstrate working exploits as well as Python’s flexibility and portability. The PyWars exercises are done within the Linux virtual machine with the exercises being hosted on the instructor’s PyWars server. The virtual machine also includes a “PyWars Lite” server with 18 challenges that the student can play offline after the course.
As with most SANS courses, Python for Penetration Testers requires the student to bring their own laptop. It qualifies for 30 CPE/CMUs and is currently only being offered in a live setting. vLive offerings are not yet on the schedule, but I’m sure it is only a matter of time. A full Course Syllabus for Python for Penetration Testers as well as plenty of other additional information is available for your perusal. Here’s a day-by-day account of my experience.
Day 1 - SEC573.1: Essentials Workshop
Our instructor, Mark Baggett, is a seasoned penetration tester who owns an independent consulting firm specializing in incident response and penetration testing. He is technical editor of the book, “Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers” (See Book Review on EH-Net). As an added bonus, each student received a copy, autograph optional. Mark is also the Technical Advisor to the Department of Defense for SANS Institute. As I’ve come to expect from all SANS instructors, Mark knows the subject matter inside and out. He’s approachable, helpful, and has a passion for teaching others his craft. He made the class interesting and fun and made himself available to all 20 students during breaks.
The first two days are titled “The Essentials Workshop” and cover the basics of the Python language. The topics and associated labs are designed to teach tool design concepts to students new to software development, while teaching experienced programmers shortcuts that make Python more efficient and effective for penetration testing.
We began Day 1 by setting up our personal laptops using the provided DVD to copy and configure the BackTrack Linux virtual machine and to install Python in the Windows environment. We moved on to review the history of the Python language, the built-in help function, and current Python versions and their differences. PyWars was also introduced early during the first session, so students could begin the PyWars exercises at any time. The morning quickly proceeded to cover the three different methods for running Python and then on to variables, integers, math operators, strings, importing modules/libraries, functions, modules, If/elif/else, and introspection.
The class was very fast paced, so it required my complete attention. Since I don’t program on a daily basis, it was a good review of programming basics. During this time the experienced programmers began working on the PyWars exercises. There were a couple of very proficient Python programmers in the class, and by the end of the day they had solved all 40 of the PyWars challenges. As a result, our instructor had to team up with another SANS instructor that evening to develop more PyWars challenges. This is not only a great example of the value you get at a SANS event, but it also illustrates the benefit of having the courseware developer also be the instructor. At the end of Day 1 we saved our virtual machine session, so we could quickly hit the ground running on Tuesday.
Day 2 - SEC573.2: Essentials Workshop
The morning began by covering Python Lists (similar to arrays in other languages), list comprehension, dictionaries and dictionary comprehension, then loops and file input/output. At this point we now had all of the elements necessary to move beyond just writing scripts to writing a small program, so our next exercise was to write a JTR Password Word Mangler. This program reads in a John the Ripper password file then mangles each word based on our criteria to create a new password file customized to our target. Parts of the program had already been completed, so we just had to complete the missing parts. More advanced students could start from scratch, if they wanted more of a challenge. We used our newly acquired skills in string and list methods to sort, slice, and join output, which will prove useful as we move forward into data gathering and analysis.
During the afternoon of Day 2, we learned about the Python Debugger and finally reading CLI options. Our last exercise was to develop a SQL Injector. Again, parts of the program were already written, and our assignment was to complete the code.
Quickly covering the basics made for a long two days, and, as with any learning process, one must be patient during the building phase. The concepts we’ve covered have finally allowed us to begin using Python today for the fun stuff – penetration testing.
By the end of the day the two Python gurus in our class solved the extra PyWars challenges Mark Baggett had written the night before, so he spent the evening writing more challenges for them. At least we know he now has a stockpile of additional challenges for future courses attended by more gurus.
Day 3 - SEC573.3: Pentesting Applications
The third day left the foundational skills in the dust and continued to put our hard-earned Python skills to practical use. We started the day off by creating a Python reverse shell that we’ll place on the Windows system as a backdoor and listen for it using Netcat on our Linux systems. We were given some pseudo-code as a guide and then walked through building each piece. We used the Python socket module to easily create the TCP connection piece, then added exception handling code for disconnects. We had to make our backdoor distributable to a Windows system not running Python and make it invisible to the user when launched, so we used PyInstaller for these tasks. This little tool creates a small .exe file that contains the Python interpreter and all of the modules used by our script. It also has the --noconsole option that allowed us to build the executable, so the program launches and runs silently in the background.
Once our backdoor was in place, we were able to run commands on the Windows system from the Linux system. Sometimes you need to do more, so we learned to include Metasploit’s Meterpreter payload in our backdoor. Since msfpayload’s C format is compatible with Python’s hexadecimal strings, we used them in our Python scripts. We also learned that we could encode our payload using Python to evade antivirus software.
The second half of the day was dedicated to developing a SQL injection tool that is particularly useful for automating the repetitiveness needed for blind SQL injection. Additionally, we learned how to make our program faster using the thread and threading modules.
Overall it was a fun day, and we finally got to see just what Python could do. Everything we learned was now falling into place.
Day 4 - SEC573.4: Pentesting Applications
When there aren’t any vulnerabilities on a target system, guessing default or easy passwords can make all the difference in the success of a penetration test. So we continued to put our Python skills to practical use by building an HTTP password guessing application. While there are several good password guessing tools available, they often fall short when dealing with a customized website. Like before, portions of this program were already written, and we had to fill in the rest. We used the urllib module to perform HTTP POST and GET requests and modify HTTP headers. We used the cookielib module for handling cookies. We covered Regular Expressions for use in matching on failed login strings and to determine when our password guessing was successful.
Our final topic of the day was using Python for network reconnaissance. As we’ve already learned, the vast number of third-party libraries for Python can make complex tasks such as interfacing with web sites and networks much simpler and reduce them to just a few lines of code. For network reconnaissance we used the Scrapy module to recursively crawl websites and extract data. We again were given pseudo-code as a guide for writing the network recon tool, then we walked through creating each piece. We used Python’s sorted() function to sort captured packets and a for loop to eliminate duplicate packets. While the modules are great for making complex tasks simple, it’s neat to see how the fundamental parts of the language can manipulate the data into usable chunks.
Before Day 4 came to an end, we were introduced to the Python Imaging Library (PIL) that is installed in BackTrack 5. It allows you to crop and resize images, but we used it to read the GPS coordinates from image metadata captured during our web crawl. We then used it to produce a Google Maps URL that pulls up the location where the image was taken. Cool trick to end a cool day of hacking.
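As an added example (not code from the course, SANS, or Mark Baggett), here is that EXIF GPS step in Python, written from the defender's side of the same problem: checking your own images for location metadata before they are published. It converts the GPSInfo dictionary PIL/Pillow returns into decimal degrees and a maps URL; the URL format, the tag-id constants and the sample coordinates are my assumptions, and the sample GPSInfo dict is constructed, so the conversion runs without an image file.

```python
"""Turn an EXIF GPSInfo block into decimal degrees and a map link.

Added example, not course code. Pillow is only imported inside
load_gps_info(); the conversion works on the plain dict PIL returns.
"""

GPSINFO_TAG = 34853                                      # EXIF tag id of the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4  # tag ids inside the GPS IFD


def _to_float(value):
    """Accept old PIL (numerator, denominator) tuples or Pillow IFDRational."""
    if isinstance(value, tuple):
        num, den = value
        return num / den
    return float(value)


def dms_to_decimal(dms, ref):
    """(degrees, minutes, seconds) plus hemisphere letter -> signed decimal degrees."""
    deg, minutes, sec = (_to_float(v) for v in dms)
    decimal = deg + minutes / 60.0 + sec / 3600.0
    return -decimal if ref in ("S", "W") else decimal


def gps_to_coordinates(gps_info):
    """Return (lat, lon) from a GPSInfo dict, or None if any needed tag is missing."""
    if not all(tag in gps_info for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = dms_to_decimal(gps_info[GPS_LAT], gps_info[GPS_LAT_REF])
    lon = dms_to_decimal(gps_info[GPS_LON], gps_info[GPS_LON_REF])
    return round(lat, 6), round(lon, 6)


def maps_url(lat, lon):
    """Assumed URL form; any map service taking 'lat,lon' would work the same way."""
    return "https://www.google.com/maps?q=%.6f,%.6f" % (lat, lon)


def load_gps_info(path):
    """Read the GPSInfo dict from a JPEG with PIL/Pillow (None if the image has none)."""
    from PIL import Image  # only needed when reading a real file
    exif = Image.open(path)._getexif() or {}
    return exif.get(GPSINFO_TAG)


# Constructed GPSInfo dict in the shape old PIL returns (rationals as tuples).
SAMPLE_GPS = {
    GPS_LAT_REF: "N", GPS_LAT: ((40, 1), (26, 1), (4614, 100)),
    GPS_LON_REF: "W", GPS_LON: ((79, 1), (58, 1), (5599, 100)),
}

if __name__ == "__main__":
    coords = gps_to_coordinates(SAMPLE_GPS)
    print(coords, maps_url(*coords))
```

If gps_to_coordinates() returns anything other than None for an image you are about to publish, the file carries a location; strip the EXIF block before release.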
Day 5 - SEC573.5: Capture the Flag
As has become a standard practice for numerous SANS courses, the final day is reserved for an in-class Capture-the-Flag (CtF) Exercise. But as you could most likely guess, we were divided into five teams for a special PyWars version of the contest. There were 20 increasingly difficult challenges, and the team who finished first won shirts… or something… (I honestly didn’t pay attention to what they won, because our team didn’t win…and no, I’m not bitter!). It was very easy to get lost in the exercises. I even skipped lunch, because I was so engrossed in the challenges. It was a fun way to put into practice all we had learned, and it had the added bonus of building confidence in our ability to use Python.
“SANS SEC573 Python for Penetration Testers” provided me with an excellent starting point for utilizing Python for every phase of a penetration test from recon to shell. It will take some practice for me to become proficient with the language, but this class clearly demonstrated how Python becomes a powerful tool in the hands of a skilled tester. The exercises only scratched the surface of how Python can be used for security testing, but the solid examples helped the student see how it can be applied to the various tasks the security professional regularly performs.
There isn’t a certification available yet, since the class is fairly new. But the PyWars Lite included in the virtual image of the provided DVD is a great tool for continued hands-on practice, should the day come when a certification exam is made available.
The rumblings in the world of InfoSec are always that SANS is more expensive than most courses. But when one considers the quality of the content, the mastery on display by the expert instructor and the flexibility to modify the content on the fly and on their own time, it becomes the epitome of the phrase, “You get what you pay for.” In fact, Python for Penetration Testers offers something that is not only worth more than the course price itself but also presents a unique learning experience not available from any other source on the planet.
Other Helpful Resources:
- Get Python and start playing!
- Python for Kids: A Playful Introduction to Programming – Excellent intro even for grownups with no coding experience.
- Psexec Python Rocks! – Article by Mark Baggett about a script using the IMPACKET Python module.
- Anti-Virus Evasion: A Peek Under the Veil – Another article by Mark that walks you through using Python for Anti-virus evasion as done in the course.
- Coding for Penetration Testers – Great book that covers other languages in addition to Python.
- Python libraries specific to penetration testing – Lengthy list to keep your Python for Penetration Testing skills evolving.
Leslie Ryan, CISSP, GCUX, is a seasoned professional with almost 20 years of experience in network and systems administration working on everything from NT to UNIX. She is a Sr. Information Security Analyst with Limited Brands, Inc., where she’s been employed for over 10 years, and her duties include web security assessments, architectural review, penetration testing, vulnerability scans using Qualys, analyzing risk in the environment and recommending solutions, PCI Compliance, writing security policies and procedures, and writing acquisition requests. She is a member of OWASP and InfraGard.