Python: Penetration Testing for Developers

Unleash the power of Python scripting to execute effective and efficient penetration tests

Preview in Mapt

Code Files

Python: Penetration Testing for Developers

Christopher Duffy et al.

October 2016

3 customer reviews

Unleash the power of Python scripting to execute effective and efficient penetration tests

Quick links: > Table of contents > What will you learn? > Product reviews

Mapt Subscription

FREE

$29.99/m after trial

eBook

$10.00

RRP $67.99

Save 85%

Print + eBook

$84.99

RRP $84.99

What do I get with a Mapt Pro subscription?

Unlimited access to all Packt’s 5,000+ eBooks and Videos
Early Access content, Progress Tracking, and Assessments
1 Free eBook or Video to download and keep every month after trial

What do I get with an eBook?

Download this book in EPUB, PDF, MOBI formats
DRM FREE - read and interact with your content when you want, where you want, and how you want
Access this title in the Mapt reader

What do I get with Print & eBook?

Get a paperback copy of the book delivered to you
Download this book in EPUB, PDF, MOBI formats
DRM FREE - read and interact with your content when you want, where you want, and how you want
Access this title in the Mapt reader

What do I get with a Video?

Download this Video course in MP4 format
DRM FREE - read and interact with your content when you want, where you want, and how you want
Access this title in the Mapt reader

$0.00

$10.00

$84.99

$29.99 p/m after trial

RRP $67.99

RRP $84.99

Subscription

eBook

Print + eBook

Start 14 Day Trial

Frequently bought together

Python: Penetration Testing for Developers

$ 67.99

$ 10.00

Python: Penetration Testing for Developers

Oct 2016

650 pages

$ 10.00

Natural Language Processing: Python and NLTK

$ 67.99

$ 10.00

Natural Language Processing: Python and NLTK

Nov 2016

702 pages

$ 10.00

Buy 2 for $20.00
Save $115.98

Add to Cart

Book Details

ISBN 139781787128187

Paperback650 pages

Book Description

Cybercriminals are always one step ahead, when it comes to tools and techniques. This means you need to use the same tools and adopt the same mindset to properly secure your software. This course shows you how to do just that, demonstrating how effective Python can be for powerful pentesting that keeps your software safe. Comprising of three key modules, follow each one to push your Python and security skills to the next level.

In the first module, we’ll show you how to get to grips with the fundamentals. This means you’ll quickly find out how to tackle some of the common challenges facing pentesters using custom Python tools designed specifically for your needs. You’ll also learn what tools to use and when, giving you complete confidence when deploying your pentester tools to combat any potential threat.

In the next module you’ll begin hacking into the application layer. Covering everything from parameter tampering, DDoS, XXS and SQL injection, it will build on the knowledge and skills you learned in the first module to make you an even more fluent security expert.

Finally in the third module, you’ll find more than 60 Python pentesting recipes. We think this will soon become your trusted resource for any pentesting situation.

This Learning Path combines some of the best that Packt has to offer in one complete, curated package. It includes content from the following Packt products:

Learning Penetration Testing with Python by Christopher Duffy
Python Penetration Testing Essentials by Mohit
Python Web Penetration Testing Cookbook by Cameron Buchanan,Terry Ip, Andrew Mabbitt, Benjamin May and Dave Mound

Chapter 1: Understanding the Penetration Testing Methodology

An overview of penetration testing

Understanding what penetration testing is not

Assessment methodologies

The penetration testing execution standard

Penetration testing tools

Summary

Chapter 2: The Basics of Python Scripting

Understanding the difference between interpreted and compiled languages

Python – the good and the bad

A Python interactive interpreter versus a script

Environmental variables and PATH

Understanding dynamically typed languages

The first Python script

Developing scripts and identifying errors

Python formatting

Python variables

Operators

Compound statements

Functions

The Python style guide

Arguments and options

Your first assessor script

Summary

Chapter 3: Identifying Targets with Nmap, Scapy, and Python

Understanding how systems communicate

Understanding Nmap

Nmap libraries for Python

The Scapy library for Python

Summary

Chapter 4: Executing Credential Attacks with Python

The types of credential attacks

Identifying the target

Creating targeted usernames

Testing for users using SMTP VRFY

Summary

Chapter 5: Exploiting Services with Python

Understanding the new age of service exploitation

Understanding the chaining of exploits

Automating the exploit train with Python

Summary

Chapter 6: Assessing Web Applications with Python

Identifying live applications versus open ports

Identifying hidden files and directories with Python

Credential attacks with Burp Suite

Using twill to walk through the source

Understanding when to use Python for web assessments

Summary

Chapter 7: Cracking the Perimeter with Python

Understanding today's perimeter

Understanding the link between accounts and services

Cracking inboxes with Burp Suite

Identifying the attack path

Gaining access through websites

Summary

Chapter 8: Exploit Development with Python, Metasploit, and Immunity

Getting started with registers

Understanding the Windows memory structure

Understanding memory addresses and endianness

Understanding the manipulation of the stack

Understanding immunity

Understanding basic buffer overflow

Writing a basic buffer overflow exploit

Understanding stack adjustments

Understanding the purpose of local exploits

Understanding other exploit scripts

Reversing Metasploit modules

Understanding protection mechanisms

Summary

Chapter 9: Automating Reports and Tasks with Python

Understanding how to parse XML files for reports

Understanding how to create a Python class

Summary

Chapter 10: Adding Permanency to Python Tools

Understanding logging within Python

Understanding the difference between multithreading and multiprocessing

Building industry-standard tools

Summary

Chapter 11: Python with Penetration Testing and Networking

Introducing the scope of pentesting

Approaches to pentesting

Introducing Python scripting

Understanding the tests and tools you'll need

Learning the common testing platforms with Python

Network sockets

Server socket methods

Client socket methods

General socket methods

Moving on to the practical

Summary

Chapter 12: Scanning Pentesting

How to check live systems in a network and the concept of a live system

What are the services running on the target machine?

Summary

Chapter 13: Sniffing and Penetration Testing

Introducing a network sniffer

Implementing a network sniffer using Python

Learning about packet crafting

Introducing ARP spoofing and implementing it using Python

Testing the security system using custom packet crafting and injection

Summary

Chapter 14: Wireless Pentesting

Wireless SSID finding and wireless traffic analysis by Python

Wireless attacks

Summary

Chapter 15: Foot Printing of a Web Server and a Web Application

The concept of foot printing of a web server

Introducing information gathering

Information gathering of a website from SmartWhois by the parser BeautifulSoup

Banner grabbing of a website

Hardening of a web server

Summary

Chapter 16: Client-side and DDoS Attacks

Introducing client-side validation

Tampering with the client-side parameter with Python

Effects of parameter tampering on business

Introducing DoS and DDoS

Summary

Chapter 17: Pentesting of SQLI and XSS

Introducing the SQL injection attack

Types of SQL injections

Understanding the SQL injection attack by a Python script

Learning about Cross-Site scripting

Summary

Chapter 18: Gathering Open Source Intelligence

Introduction

Gathering information using the Shodan API

Scripting a Google+ API search

Downloading profile pictures using the Google+ API

Harvesting additional results from the Google+ API using pagination

Getting screenshots of websites with QtWebKit

Screenshots based on a port list

Spidering websites

Chapter 19: Enumeration

Introduction

Performing a ping sweep with Scapy

Scanning with Scapy

Checking username validity

Brute forcing usernames

Enumerating files

Brute forcing passwords

Generating e-mail addresses from names

Finding e-mail addresses from web pages

Finding comments in source code

Chapter 20: Vulnerability Identification

Introduction

Automated URL-based Directory Traversal

Automated URL-based Cross-site scripting

Automated parameter-based Cross-site scripting

Automated fuzzing

jQuery checking

Header-based Cross-site scripting

Shellshock checking

Chapter 21: SQL Injection

Introduction

Checking jitter

Identifying URL-based SQLi

Exploiting Boolean SQLi

Exploiting Blind SQL Injection

Encoding payloads

Chapter 22: Web Header Manipulation

Introduction

Testing HTTP methods

Fingerprinting servers through HTTP headers

Testing for insecure headers

Brute forcing login through the Authorization header

Testing for clickjacking vulnerabilities

Identifying alternative sites by spoofing user agents

Testing for insecure cookie flags

Session fixation through a cookie injection

Chapter 23: Image Analysis and Manipulation

Introduction

Hiding a message using LSB steganography

Extracting messages hidden in LSB

Hiding text in images

Extracting text from images

Enabling command and control using steganography

Chapter 24: Encryption and Encoding

Introduction

Generating an MD5 hash

Generating an SHA 1/128/256 hash

Implementing SHA and MD5 hashes together

Implementing SHA in a real-world scenario

Generating a Bcrypt hash

Cracking an MD5 hash

Encoding with Base64

Encoding with ROT13

Cracking a substitution cipher

Cracking the Atbash cipher

Attacking one-time pad reuse

Predicting a linear congruential generator

Identifying hashes

Chapter 25: Payloads and Shells

Introduction

Extracting data through HTTP requests

Creating an HTTP C2

Creating an FTP C2

Creating an Twitter C2

Creating a simple Netcat shell

Chapter 26: Reporting

Introduction

Converting Nmap XML to CSV

Extracting links from a URL to Maltego

Extracting e-mails to Maltego

Parsing Sslscan into CSV

Generating graphs using plot.ly

What You Will Learn

Familiarize yourself with the generation of Metasploit resource files and use the Metasploit Remote Procedure Call to automate exploit generation and execution
Exploit the Remote File Inclusion to gain administrative access to systems with Python and other scripting languages
Crack an organization's Internet perimeter and chain exploits to gain deeper access to an organization's resources
Explore wireless traffic with the help of various programs and perform wireless attacks with Python programs
Gather passive information from a website using automated scripts and perform XSS, SQL injection, and parameter tampering attacks
Develop complicated header-based attacks through Python

Authors

Christopher Duffy

Christopher Duffy currently leads cybersecurity and penetration testing engagements globally. He has a specialization in advanced technical testing, including penetration testing and security assessment done to evaluate an organization's security strategy from a malicious actor's perspective. He has worked a lot with both network and system engineering teams to evaluate critical system data flows, and identified areas where controls can be put in place to prevent a breach of sensitive or critical data. His work with multiple organizations has been key to protecting resources based on the information they have held, which has helped reduce risks while maintaining resilient and cost-effective security postures.

Chris has over 12 years of experience in the information technology and security areas, including security consultation, with a focus on business risk. He has helped build advanced attack and penetration teams. The work that his teams have done has encompassed everything from threat modeling and penetration tests to firewall reviews and FedRAMP readiness assessments.

Chris has led, managed, and executed over 400 engagements for Fortune 500 companies, U.S. government entities, medical providers and payers, educational institutes, financial services, research organizations, and cloud providers. For almost a decade prior to private sector work, Chris was a cyber warfare specialist, senior systems engineer, and network infrastructure supervisor for the United States Air Force (USAF).

He has been honored with numerous technical and leadership awards. Some of these include the (ISC)2 Information Security Leadership Award (ISLA) for the information security practitioner category in 2013, the noncommissioned officer of the year (both at the base and wing levels) in 2011, and the top technician within the cyber transport career field for the United States Air Force (USAF) Intelligence Surveillance and Reconnaissance Agency. He is a distinguished graduate of USAF network warfare training and has publications to his credit in SANS Reading Room, Hackin9 magazine, eForensics magazine and PenTest magazine. He holds 23 certifications, a degree in computer science, and a master's degree in information security and assurance.

Mohit

Mohit is a Python programmer with a keen interest in the field of information security. He has completed his bachelor's degree in technology in computer science from Kurukshetra University, Kurukshetra, and master’s in engineering (2012) in computer science from Thapar University, Patiala. He is a C|EH, ECSA from EC-Council USA and a former IBMer. He currently works in Sapient. He has published several articles in national and international magazines. He is the author of Python Penetration Testing Essentials and Python: Penetration Testing for Developers, also by Packt.

Chapter 1: Understanding the Penetration Testing Methodology

An overview of penetration testing

Understanding what penetration testing is not

Assessment methodologies

The penetration testing execution standard

Penetration testing tools

Summary

Chapter 2: The Basics of Python Scripting

Understanding the difference between interpreted and compiled languages

Python – the good and the bad

A Python interactive interpreter versus a script

Environmental variables and PATH

Understanding dynamically typed languages

The first Python script

Developing scripts and identifying errors

Python formatting

Python variables

Operators

Compound statements

Functions

The Python style guide

Arguments and options

Your first assessor script

Summary

Chapter 3: Identifying Targets with Nmap, Scapy, and Python

Understanding how systems communicate

Understanding Nmap

Nmap libraries for Python

The Scapy library for Python

Summary

Chapter 4: Executing Credential Attacks with Python

The types of credential attacks

Identifying the target

Creating targeted usernames

Testing for users using SMTP VRFY

Summary

Chapter 5: Exploiting Services with Python

Understanding the new age of service exploitation

Understanding the chaining of exploits

Automating the exploit train with Python

Summary

Chapter 6: Assessing Web Applications with Python

Identifying live applications versus open ports

Identifying hidden files and directories with Python

Credential attacks with Burp Suite

Using twill to walk through the source

Understanding when to use Python for web assessments

Summary

Chapter 7: Cracking the Perimeter with Python

Understanding today's perimeter

Understanding the link between accounts and services

Cracking inboxes with Burp Suite

Identifying the attack path

Gaining access through websites

Summary

Chapter 8: Exploit Development with Python, Metasploit, and Immunity

Getting started with registers

Understanding the Windows memory structure

Understanding memory addresses and endianness

Understanding the manipulation of the stack

Understanding immunity

Understanding basic buffer overflow

Writing a basic buffer overflow exploit

Understanding stack adjustments

Understanding the purpose of local exploits

Understanding other exploit scripts

Reversing Metasploit modules

Understanding protection mechanisms

Summary

Chapter 9: Automating Reports and Tasks with Python

Understanding how to parse XML files for reports

Understanding how to create a Python class

Summary

Chapter 10: Adding Permanency to Python Tools

Understanding logging within Python

Understanding the difference between multithreading and multiprocessing

Building industry-standard tools

Summary

Chapter 11: Python with Penetration Testing and Networking

Introducing the scope of pentesting

Approaches to pentesting

Introducing Python scripting

Understanding the tests and tools you'll need

Learning the common testing platforms with Python

Network sockets

Server socket methods

Client socket methods

General socket methods

Moving on to the practical

Summary

Chapter 12: Scanning Pentesting

How to check live systems in a network and the concept of a live system

What are the services running on the target machine?

Summary

Chapter 13: Sniffing and Penetration Testing

Introducing a network sniffer

Implementing a network sniffer using Python

Learning about packet crafting

Introducing ARP spoofing and implementing it using Python

Testing the security system using custom packet crafting and injection

Summary

Chapter 14: Wireless Pentesting

Wireless SSID finding and wireless traffic analysis by Python

Wireless attacks

Summary

Chapter 15: Foot Printing of a Web Server and a Web Application

The concept of foot printing of a web server

Introducing information gathering

Information gathering of a website from SmartWhois by the parser BeautifulSoup

Banner grabbing of a website

Hardening of a web server

Summary

Chapter 16: Client-side and DDoS Attacks

Introducing client-side validation

Tampering with the client-side parameter with Python

Effects of parameter tampering on business

Introducing DoS and DDoS

Summary

Chapter 17: Pentesting of SQLI and XSS

Introducing the SQL injection attack

Types of SQL injections

Understanding the SQL injection attack by a Python script

Learning about Cross-Site scripting

Summary

Chapter 18: Gathering Open Source Intelligence

Introduction

Gathering information using the Shodan API

Scripting a Google+ API search

Downloading profile pictures using the Google+ API

Harvesting additional results from the Google+ API using pagination

Getting screenshots of websites with QtWebKit

Screenshots based on a port list

Spidering websites

Chapter 19: Enumeration

Introduction

Performing a ping sweep with Scapy

Scanning with Scapy

Checking username validity

Brute forcing usernames

Enumerating files

Brute forcing passwords

Generating e-mail addresses from names

Finding e-mail addresses from web pages

Finding comments in source code

Chapter 20: Vulnerability Identification

Introduction

Automated URL-based Directory Traversal

Automated URL-based Cross-site scripting

Automated parameter-based Cross-site scripting

Automated fuzzing

jQuery checking

Header-based Cross-site scripting

Shellshock checking

Chapter 21: SQL Injection

Introduction

Checking jitter

Identifying URL-based SQLi

Exploiting Boolean SQLi

Exploiting Blind SQL Injection

Encoding payloads

Chapter 22: Web Header Manipulation

Introduction

Testing HTTP methods

Fingerprinting servers through HTTP headers

Testing for insecure headers

Brute forcing login through the Authorization header

Testing for clickjacking vulnerabilities

Identifying alternative sites by spoofing user agents

Testing for insecure cookie flags

Session fixation through a cookie injection

Chapter 23: Image Analysis and Manipulation

Introduction

Hiding a message using LSB steganography

Extracting messages hidden in LSB

Hiding text in images

Extracting text from images

Enabling command and control using steganography

Chapter 24: Encryption and Encoding

Introduction

Generating an MD5 hash

Generating an SHA 1/128/256 hash

Implementing SHA and MD5 hashes together

Implementing SHA in a real-world scenario

Generating a Bcrypt hash

Cracking an MD5 hash

Encoding with Base64

Encoding with ROT13

Cracking a substitution cipher

Cracking the Atbash cipher

Attacking one-time pad reuse

Predicting a linear congruential generator

Identifying hashes

Chapter 25: Payloads and Shells

Introduction

Extracting data through HTTP requests

Creating an HTTP C2

Creating an FTP C2

Creating an Twitter C2

Creating a simple Netcat shell

Chapter 26: Reporting

Introduction

Converting Nmap XML to CSV

Extracting links from a URL to Maltego

Extracting e-mails to Maltego

Parsing Sslscan into CSV

Generating graphs using plot.ly

Book Details

ISBN 139781787128187

Paperback650 pages

From 3 reviews

Recommended for You

Natural Language Processing: Python and NLTK

$ 67.99

$ 10.00

Natural Language Processing: Python and NLTK

Nov 2016

702 pages

$ 10.00

Python: Deeper Insights into Machine Learning

$ 71.99

$ 10.00

Python: Deeper Insights into Machine Learning

Aug 2016

901 pages

$ 10.00

Python: End-to-end Data Analysis

$ 71.99

$ 10.00

Python: End-to-end Data Analysis

May 2017

931 pages

$ 10.00

Flask: Building Python Web Services

$ 79.99

$ 10.00

Flask: Building Python Web Services

Mar 2017

770 pages

$ 10.00

IoT Penetration Testing Cookbook

$ 31.99

$ 10.00

IoT Penetration Testing Cookbook

Nov 2017

452 pages

$ 10.00

Penetration Testing: A Survival Guide

$ 69.99

$ 10.00

Penetration Testing: A Survival Guide

Nov 2016

1045 pages

$ 10.00

Python: Penetration Testing for Developers

Python: Penetration Testing for Developers

Frequently bought together

Book Details

Book Description

Table of Contents

What You Will Learn

Authors

Christopher Duffy

Mohit

Cameron Buchanan

Terry Ip

Andrew Mabbitt

Benjamin May

Dave Mound

Table of Contents

Book Details

Recommended for You

Contact Us

Help & Support

Alerts & Offers

Mar	APR	May
	28
2017	2018	2019

Log in to your account

Not yet a member?

Python: Penetration Testing for Developers

Python: Penetration Testing for Developers

Frequently bought together

Book Details

Book Description

Table of Contents

What You Will Learn

Authors

Christopher Duffy

Mohit

Cameron Buchanan

Terry Ip

Andrew Mabbitt

Benjamin May

Dave Mound

Table of Contents

Book Details

Recommended for You

Contact Us

Help & Support

Alerts & Offers

Series & Level

Learning

Beginner's Guide

Essentials

Cookbook

Blueprints

Mastering

Starting

Progressing