Python Web Penetration Testing Cookbook
Ebook, 527 pages, 3 hours

About this ebook

About This Book
  • Get useful guidance on writing Python scripts and using libraries to put websites and web apps through their paces
  • Find the script you need to deal with any stage of the web testing process
  • Develop your Python knowledge to get ahead of the game for web testing and expand your skillset to other testing areas
Who This Book Is For

This book is for testers looking for quick access to powerful, modern tools and customizable scripts to kick-start the creation of their own Python web penetration testing toolbox.

Language: English
Release date: Jun 24, 2015
ISBN: 9781784399900
    Book preview

    Python Web Penetration Testing Cookbook - Cameron Buchanan

    Table of Contents

    Python Web Penetration Testing Cookbook

    Credits

    About the Authors

    About the Reviewers

    www.PacktPub.com

    Support files, eBooks, discount offers, and more

    Why subscribe?

    Free access for Packt account holders

    Disclaimer

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Sections

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Conventions

    Reader feedback

    Customer support

    Downloading the example code

    Errata

    Piracy

    Questions

    1. Gathering Open Source Intelligence

    Introduction

    Gathering information using the Shodan API

    Getting ready

    How to do it…

    How it works…

    There's more…

    Scripting a Google+ API search

    Getting ready

    How to do it…

    How it works…

    See also…

    There's more…

    Downloading profile pictures using the Google+ API

    How to do it

    How it works

    Harvesting additional results from the Google+ API using pagination

    How to do it

    How it works

    Getting screenshots of websites with QtWebKit

    Getting ready

    How to do it…

    How it works…

    There's more…

    Screenshots based on a port list

    Getting ready

    How to do it…

    How it works…

    There's more…

    Spidering websites

    Getting ready

    How to do it…

    How it works…

    There's more…

    2. Enumeration

    Introduction

    Performing a ping sweep with Scapy

    How to do it…

    How it works…

    Scanning with Scapy

    How to do it…

    How it works…

    There's more…

    Checking username validity

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Brute forcing usernames

    Getting ready

    How to do it…

    How it works…

    See also

    Enumerating files

    Getting ready

    How to do it…

    How it works…

    Brute forcing passwords

    Getting ready

    How to do it…

    How it works…

    See also

    Generating e-mail addresses from names

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Finding e-mail addresses from web pages

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Finding comments in source code

    How to do it…

    How it works…

    There's more…

    3. Vulnerability Identification

    Introduction

    Automated URL-based Directory Traversal

    Getting ready

    How to do it…

    How it works…

    There's more

    Automated URL-based Cross-site scripting

    How to do it…

    How it works…

    There's more…

    Automated parameter-based Cross-site scripting

    How to do it…

    How it works…

    There's more…

    Automated fuzzing

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    jQuery checking

    How to do it…

    How it works…

    There's more…

    Header-based Cross-site scripting

    Getting ready

    How to do it…

    How it works…

    See also

    Shellshock checking

    Getting ready

    How to do it…

    How it works…

    4. SQL Injection

    Introduction

    Checking jitter

    How to do it…

    How it works…

    There's more…

    Identifying URL-based SQLi

    How to do it…

    How it works…

    There's more…

    Exploiting Boolean SQLi

    How to do it…

    How it works…

    There's more…

    Exploiting Blind SQL Injection

    How to do it…

    How it works…

    There's more…

    Encoding payloads

    How to do it…

    How it works…

    There's more…

    5. Web Header Manipulation

    Introduction

    Testing HTTP methods

    How to do it…

    How it works…

    There's more…

    Fingerprinting servers through HTTP headers

    How to do it…

    How it works…

    There's more…

    Testing for insecure headers

    Getting ready

    How to do it…

    How it works…

    Brute forcing login through the Authorization header

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Testing for clickjacking vulnerabilities

    How to do it…

    How it works…

    Identifying alternative sites by spoofing user agents

    How to do it…

    How it works…

    See also

    Testing for insecure cookie flags

    How to do it…

    How it works…

    There's more…

    Session fixation through a cookie injection

    Getting ready

    How to do it…

    How it works…

    There's more…

    6. Image Analysis and Manipulation

    Introduction

    Hiding a message using LSB steganography

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Extracting messages hidden in LSB

    How to do it…

    How it works…

    There's more…

    Hiding text in images

    How to do it…

    How it works…

    There's more…

    Extracting text from images

    How to do it…

    How it works…

    There's more…

    Enabling command and control using steganography

    Getting ready

    How to do it…

    How it works…

    7. Encryption and Encoding

    Introduction

    Generating an MD5 hash

    Getting ready

    How to do it…

    How it works…

    Generating an SHA 1/128/256 hash

    Getting ready

    How to do it…

    How it works…

    Implementing SHA and MD5 hashes together

    Getting ready

    How to do it…

    How it works…

    Implementing SHA in a real-world scenario

    Getting ready

    How to do it…

    How it works…

    Generating a Bcrypt hash

    Getting ready

    How to do it…

    How it works…

    Cracking an MD5 hash

    Getting ready

    How to do it…

    How it works…

    Encoding with Base64

    Getting ready

    How to do it…

    How it works…

    Encoding with ROT13

    Getting ready

    How to do it…

    How it works…

    Cracking a substitution cipher

    Getting ready

    How to do it…

    How it works…

    Cracking the Atbash cipher

    Getting ready

    How to do it…

    How it works…

    Attacking one-time pad reuse

    Getting ready

    How to do it…

    How it works…

    Predicting a linear congruential generator

    Getting ready

    How to do it…

    How it works…

    Identifying hashes

    Getting ready

    How to do it…

    How it works…

    8. Payloads and Shells

    Introduction

    Extracting data through HTTP requests

    Getting Ready

    How to do it…

    How it works…

    Creating an HTTP C2

    Getting Started

    How to do it…

    How it works…

    Creating an FTP C2

    Getting Started

    How to do it…

    How it works…

    Creating a Twitter C2

    Getting Started

    How to do it…

    How it works…

    Creating a simple Netcat shell

    How to do it…

    How it works…

    9. Reporting

    Introduction

    Converting Nmap XML to CSV

    Getting ready

    How to do it…

    How it works…

    Extracting links from a URL to Maltego

    How to do it…

    How it works…

    There’s more…

    Extracting e-mails to Maltego

    How to do it…

    How it works…

    Parsing Sslscan into CSV

    How to do it…

    How it works…

    Generating graphs using plot.ly

    Getting ready

    How to do it…

    How it works…

    Index

    Python Web Penetration Testing Cookbook

    Copyright © 2015 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: June 2015

    Production reference: 1180615

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham B3 2PB, UK.

    ISBN 978-1-78439-293-2

    www.packtpub.com

    Credits

    Authors

    Cameron Buchanan

    Terry Ip

    Andrew Mabbitt

    Benjamin May

    Dave Mound

    Reviewers

    Sam Brown

    James Burns

    Rejah Rehim

    Ishbir Singh

    Matt Watkins

    Commissioning Editor

    Sarah Crofton

    Acquisition Editor

    Sam Wood

    Content Development Editor

    Riddhi Tuljapur

    Technical Editor

    Saurabh Malhotra

    Copy Editors

    Ameesha Green

    Rashmi Sawant

    Sameen Siddiqui

    Project Coordinator

    Kinjal Bari

    Proofreader

    Safis Editing

    Indexer

    Hemangini Bari

    Graphics

    Sheetal Aute

    Disha Haria

    Production Coordinator

    Nitesh Thakur

    Cover Work

    Nitesh Thakur

    About the Authors

    Cameron Buchanan is a penetration tester by trade and a writer in his spare time. He has performed penetration tests around the world for a variety of clients across many industries. Previously, he was a member of the RAF. In his spare time, he enjoys doing stupid things, such as trying to make things fly, getting electrocuted, and dunking himself in freezing cold water. He is married and lives in London.

    Terry Ip is a security consultant. After nearly a decade of learning how to support IT infrastructure, he decided that it would be much more fun learning how to break it instead. He is married and lives in Buckinghamshire, where he tends to his chickens.

    Andrew Mabbitt is a penetration tester living in London, UK. He spends his time beating down networks, mentoring, and helping newbies break into the industry. In his free time, he loves to travel, break things, and master the art of sarcasm.

    Benjamin May is a security test engineer from Cambridge. He studied computing for business at Aston University. With a background in software testing, he recently combined this with his passion for security to create a new role in his current company. He has a broad interest in security across all aspects of the technology field, from reverse engineering embedded devices to hacking with Python and participating in CTFs. He is a husband and a father.

    Dave Mound is a security consultant. He is a Microsoft Certified Application Developer but spends more time developing Python programs these days. He has been studying information security since 1994 and holds the following qualifications: C|EH, SSCP, and MCAD. He recently studied for OSCP certification but is still to appear for the exam. He enjoys talking and presenting and is keen to pass on his skills to other members of the cyber security community.

    When not attached to a keyboard, he can be found tinkering with his 1978 Chevrolet Camaro. He once wrestled a bear and was declared the winner by omoplata.

    This book has been made possible through the benevolence and expertise of the Whitehatters Academy.

    About the Reviewers

    Sam Brown is a security researcher based in the UK and has a background in software engineering and electronics. He is primarily interested in breaking things, building tools to help break things, and burning himself with a soldering iron.

    James Burns is currently a security consultant, but with a technology career spanning over 15 years, he has held positions ranging from a helpdesk phone answerer to a network cable untangler, to technical architect roles. A network monkey at heart, he is happiest when he is up to his elbows in packets but has been known to turn his hand to most technical disciplines.

    When not working as a penetration tester, he has a varied range of other security interests, including scripting, vulnerability research, and intelligence gathering. He also has a long-time interest in building and researching embedded Linux systems. While he's not very good at them, he also enjoys the occasional CTF with friends. Occasionally, he gets out into the real world and pursues his other hobby of cycling.

    I would like to thank my parents for giving me the passion to learn and the means to try. I would also like to thank my fantastic girlfriend, Claire, for winking at me once; never before has a wink led to such a dramatic move. She continues to support me in all that I do, even at her own expense. Finally, I should like to thank the youngest people in my household, Grace and Samuel, for providing me with the ultimate incentive for always trying to improve myself. These are the greatest joys that a bloke could wish for.

    Rejah Rehim is currently a software engineer for Digital Brand Group (DBG), India and is a long-time preacher of open source. He is a steady contributor to the Mozilla Foundation and his name has featured in the San Francisco Monument made by the Mozilla Foundation.

    He is part of the Mozilla Add-on Review Board and has contributed to the development of several node modules. He has also been credited with the creation of eight Mozilla add-ons, including the highly successful Clear Console add-on, which was selected as one of the best Mozilla add-ons of 2013. With a user base of more than 44,000, it has registered more than 4,50,000 downloads till date. He successfully created the world's first one-of-the-kind Security Testing Browser Bundle, PenQ, which is an open source Linux-based penetration testing browser bundle, preconfigured with tools for spidering, advanced web searching, fingerprinting, and so on.

    He is also an active member of the OWASP and the chapter leader of OWASP, Kerala. He is also one of the moderators of the OWASP Google+ group and an active speaker at Coffee@DBG, one of the premier monthly tech rendezvous in Technopark, Kerala. Besides currently being a part of the Cyber Security division of DBG and QBurst in previous years, he is also a fan of process automation and has implemented it in DBG.

    Ishbir Singh is studying computer engineering and computer science at the Georgia Institute of Technology. He's been programming since he was 9 and has built a wide variety of software, from those meant to run on a calculator to those intended for deployment in multiple data centers around the world. Trained as a Microsoft Certified System Engineer and certified by Linux Professional Institute, he has also dabbled in reverse engineering, information security, hardware programming, and web development. His current interests lie in developing cryptographic peer-to-peer trustless systems, polishing his penetration testing skills, learning new languages (both human and computer), and playing table tennis.

    Matt Watkins is a final year computer networks and cyber security student. He has been the Cyber Security Challenge master class finalist twice. Most of the time, you'll find him studying, reading, writing, programming, or just generally breaking things. He also enjoys getting his heart pumping, which includes activities such as running, hitting the gym, rock climbing, and snowboarding.

    www.PacktPub.com

    Support files, eBooks, discount offers, and more

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www2.packtpub.com/books/subscription/packtlib

    Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    Free access for Packt account holders

    If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply
