Learn Penetration Testing with Python 3.x
eBook - ePub

Learn Penetration Testing with Python 3.x

Perform Offensive Pentesting and Prepare Red Teaming to Prevent Network Attacks and Web Vulnerabilities (English Edition)

  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS & Android
About this book

Identify vulnerabilities across applications, network and systems using simplified cybersecurity scripting

Key Features
  • Exciting coverage of red teaming methodologies and penetration testing techniques.
  • Explore the exploit development environment and the process of creating exploit scripts.
  • Includes powerful Python libraries to analyze the web and helps identify critical vulnerabilities.
  • Conduct wireless attacks and identify potential threats using Python.

Description
This book starts with an understanding of penetration testing and red teaming methodologies and teaches Python 3.x from scratch for those who are not familiar with programming. The book gives you the skills to create scripts for cracking and brute force attacks.

The second part of this book focuses on the network and wireless level. The book teaches you how to create an offensive tool using Python 3.x to identify different services and ports using different Python network modules, and how to conduct network attacks. In the network monitoring section, you will be able to monitor layers 3 and 4. Finally, you will be able to conduct different attacks on wireless networks.

The last part of this book focuses on web applications and exploit development. It focuses on how to create scripts to extract web information such as links, images, documents, etc. It also focuses on how to create scripts to identify and exploit web vulnerabilities and how to bypass a WAF. The last chapter of this book focuses on exploit development, starting with how to play with the stack and then moving on to how to use Python in fuzzing and creating exploitation scripts.

What you will learn
  • Learn to code Python scripts from scratch to identify web vulnerabilities.
  • Conduct network attacks, create offensive tools, and identify vulnerable services and ports.
  • Perform deep monitoring of the network up to layers 3 and 4.
  • Execute web scraping scripts to extract images, documents, and links.

Who this book is for
This book is for Penetration Testers, Security Researchers, Red Teams, Security Auditors and IT Administrators who want to start with an action plan for protecting their IT systems. All you need is some basic understanding of programming concepts and of how IT systems work. Hands-on experience with Python is beneficial but not required.

Table of Contents
1. Start with Penetration Testing and Basic Python
2. Cracking with Python
3. Service and Applications Brute Forcing with Python
4. Python Services Identifications - Ports and Banner
5. Python Network Modules and Nmap
6. Network Monitoring with Python
7. Attacking Wireless with Python
8. Analyze Web Applications with Python
9. Attack Web Application with Python
10. Exploitation Development with Python

CHAPTER 1

Start with Penetration Testing and Basic Python

Nowadays, the need for cybersecurity is becoming a dire necessity due to the rise of cyber-attacks not only on an individual level but also on corporate and government levels. Cyber-attacks have become more sophisticated and harder to detect. Ethical hackers may have different skills and may have followed different paths, but they all share one common skill: programming.
In the first part of this chapter, we will learn about the different penetration testing methodologies in use nowadays. We will also learn about wireless and mobile applications penetration testing and red teaming activities. We will familiarize ourselves with different tools that are being used by ethical hackers.
If you are not familiar with the basics of Python programming, the second part of this chapter will teach you the basics of Python programming and how to create your first program. If you are already a penetration tester, you can skip ahead to Chapter 2, Cracking with Python, which will shed light on how to use Python in cracking.
NOTE: The offensive tools and programming scripts you will learn in this book can be used only in your local environment. Using offensive tools in a live environment such as a company's network requires written permission from the entity. Always remember that penetration testing without permission from the client is illegal.
NOTE: Tools and programming scripts in this book will be tested in a local environment. As a first step, you need to set up your environment using virtualization; you can choose between VMware (https://www.vmware.com/products/) and Oracle VirtualBox (https://www.virtualbox.org). In the second step, you need to download an updated Kali Linux from https://www.kali.org/downloads/ and install it on a virtual machine. You also need to install Windows on a virtual machine, preferably Windows 7. Make sure the two virtual machines are on the same IP range (using NAT or Bridged networking). If any other tools or software are required, they will be indicated in the chapters when appropriate.

Structure

In this chapter, the following topics will be covered:
  • Introducing penetration testing
  • Different assessment methodologies
  • Wireless testing
  • Mobile application penetration testing
  • Penetration testing tools
  • Python variables
  • Python statements
  • Python operators
  • Python functions
  • Python classes

Objectives

When you complete the first part of this chapter, you will understand different penetration testing methodologies and red teaming, as well as all the penetration testing phases. You will gain practical knowledge of the most widely used offensive tools employed by ethical hackers today.
When you complete the second part of this chapter, you will be writing your own scripts in Python 3, giving you the programming skills required to write the more advanced scripts in the coming chapters.

Introducing Penetration Testing

Penetration testing, pen testing, or ethical hacking all refer to the process of testing a computer system, network, web application, or wireless or mobile application to find security holes or vulnerabilities that may be abused by malicious users or criminals to gain unauthorized access to a system. Malicious users are not only external users but can also be internal ones, such as employees; many reported incidents originated from inside organizations. Penetration testers use their skills to prove the existence of security holes in different systems so that those holes can be fixed, thereby preventing access by attackers who may abuse them.
Penetration testers usually have the knowledge and expertise that enables them to test different environments to discover security holes. This expertise should include at least one programming language, which frees them from depending entirely on existing tools, and of course deep knowledge of systems, networks, and web protocols.
However, knowing how to use the different hacking tools, their limits, and how they work in the background is necessary, as most systems being tested are in production, so any mistake will affect the client's business. In the end, with programming skills, you can write any tool yourself.
Penetration testers should combine knowledge of how to use existing tools with the ability to write their own scripts and programs. Depending only on existing tools to discover vulnerabilities is not effective, as we have recently seen many private and governmental entities attacked successfully despite penetration testing and red teaming assessments having been carried out.
This is because many companies don't apply manual penetration testing that focuses on discovering vulnerabilities in application functionality. Instead, they depend solely on vulnerability scanners, which lead to inaccurate results and many false positives.
The only systems that are not tested during operation are SCADA systems, which are used in countries' critical infrastructure. The rationale is that any mistake or wrong packet sent while testing could cause a disaster, since SCADA systems control oil and gas operations, water and electricity, nuclear power plants, vessels, and so on. Therefore, governments most of the time clone the operating system so that penetration testers can try to find potential vulnerabilities on the clone. Besides, updating and patching the vulnerabilities, as well as replacing software or hardware, is not easy, as it requires suspending certain production functions.
There are two types of penetration testing:
  • Automated: This is concerned with using different tools to discover existing vulnerabilities.
  • Manual: This is concerned with viewing the application manually without using the tools or scanners and trying to abuse the application's functionality. Usually, manual testing is used in web applications and source code review.

Exploits Writing

There is a common misunderstanding that penetration testers should be able to discover zero-day vulnerabilities, that is, vulnerabilities for which no patch yet exists because the vendor doesn't know about their existence. Usually, this type of vulnerability costs thousands of dollars on the black market. Penetration testers don't have to know how to discover zero-days, simply because finding them in software or hardware takes a very long time. However, the pen tester must know the basics of reverse engineering and exploit development. In certain companies and governments, exploit writers and reverse engineers are hired to create cyber weapons for the government.
A lot of penetration testers don't discover zero-day vulnerabilities in client applications or networks, simply because this requires lots of time and persistence. Usually, zero-day vulnerabilities are only discovered in governmental entities. Penetration testers must know, however, how memory works during a program's execution. They should also be familiar with assembly language in order to read programs in a debugger and manipulate CPU registers, which are small storage locations that hold a program's data during execution. We are going to talk about this in Chapter 10, Exploit Development with Python.

The Origin of the Term Hacking

There is a huge misunderstanding about the term hacking. Hacking, in today's world, is associated with criminal activities like stealing money, fraud, or destroying a company's systems. This is particularly the case in the media. However, if we look at hacking from a cybersecurity perspective, we realize that it is related to attacking systems to prove that they are vulnerable or exploitable, which is partly correct, but not entirely.
The term hacking came from MIT in 1955. It started with a group calling themselves hackers who edited and modified model trains and built elaborate miniature buildings. Hacking originally referred to understanding a system so deeply that you can modify it or add functions to it. It's not only related to computers; a person who modifies the mechanics of a car is known as a car hacker, for example. Returning to the cybersecurity domain, if we apply...

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. About the Author
  6. About the Reviewers
  7. Acknowledgement
  8. Preface
  9. Errata
  10. Table of Contents
  11. 1. Start with Penetration Testing and Basic Python
  12. 2. Cracking with Python
  13. 3. Service and Applications Brute Forcing with Python
  14. 4. Python Services Identifications - Ports and Banner
  15. 5. Python Network Modules and Nmap
  16. 6. Network Monitoring with Python
  17. 7. Attacking Wireless with Python
  18. 8. Analyze Web Applications with Python
  19. 9. Attack Web Application with Python
  20. 10. Exploitation Development with Python
  21. Index

Learn Penetration Testing with Python 3.x is by Yehia Elghaly and is available in PDF and/or ePUB format.