Mark Baggett on Python for InfoSec
Jun 03, 2015 • 1 hr 15 min
Episode description
Read all of our show notes and find more information about us at Beautiful Soup
Brief Introduction
- Date of recording – May 28th, 2015
- Hosts – Tobias Macey and Chris Patti
- Overview – Interview with Mark Baggett
- Follow us on iTunes, Stitcher or TuneIn
- Give us feedback! (iTunes, Twitter, email, Disqus comments)
- You can donate (if you want)!
- Introductions
- How were you first introduced to Python? – Chris
- Started using it for automating tasks while working as a sysadmin
- Found code that launched an attack on FTP server – in Python
- What are some of the tasks in your job that you use Python for? -Tobias
- Trusted command & control backdoor for Windows
- Mostly not used by malware authors – thus far (at least Mark hasn’t seen it used that way)
- Flame virus – 5MB payload – incredibly advanced
- Lua interpreter bundled along with the scripts
- Veil framework – Python framework that generates payloads for penetration testing executables
- What is it about Python that makes it useful for penetration testing and other information security tasks?
- Same thing that makes it useful for anything else
- Impacket from Core Security
- What are some of the more useful Python penetration testing tools?
- OFFENSE
- DEFENSE
- Counter dictionary from collections
- Pandas
- IPython
- matplotlib
- We’ve noticed that a lot of the literature around information security and penetration testing focuses on targeting Windows. Can you enlighten us as to why that is?
- Windows event tracing
- logman
- Event trace providers – implement packet sniffing (can turn every browser into a key logger)
- Primary attack surface – Where most attacks are targeted
- Fewer purely Linux systems
- Very few ports open – maybe 80, 22
- Very likely no user just sitting there waiting to run an executable you send
- More freedom on Linux – less formalized patching process, more variable tools = more exploits
- Will write code that only uses built-in Python modules so it runs in customer target environments
- What are some of the legal considerations that you have to deal with on a regular basis as a penetration tester?
- There have recently been a number of attacks based on hijacking the TCP/IP stack. Is Python being used for any of these exploits or tools to defend against them?
- Data analytics
- Detect repeated sequence numbers – indicator of a man-in-the-middle attack
- As simple as 5 lines of Python code
- Import scapy, start sniffing packets, group related packets – make a list of associated packets
- Can pull together all packets inside a stream
- Time at which a specific source communicates with a specific destination
- Bro – intrusion detection suite
- Built into Security Onion – Doug Burks
- FLOSS Weekly episode 296 with Bro developers
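The "repeated sequence numbers" detection and the Counter-from-collections idea mentioned under the defensive tools both fit in one small script. The following is an added example, not code from the episode or from Mark Baggett: instead of sniffing with scapy it runs over a constructed list of packet records (the fields scapy would hand you from a capture), groups them into streams, counts repeated sequence numbers per stream with `Counter`, and flags a sequence number that was seen with two different payloads, which is what an injected segment looks like while an ordinary retransmission carries identical bytes. The IP addresses and payloads are made up sample data.

```python
"""Flag repeated TCP sequence numbers per stream from packet records.

A retransmission repeats a sequence number with the SAME payload; a
segment injected by a man-in-the-middle repeats a sequence number
with DIFFERENT bytes. The functions below separate the two cases.
"""
from collections import Counter, defaultdict, namedtuple

# Stand-in for the fields you would read from sniffed scapy packets
# (pkt.time, pkt[IP].src, pkt[TCP].sport, ...). Constructed sample data.
Pkt = namedtuple("Pkt", "ts src sport dst dport seq payload")

SAMPLE_PACKETS = [
    Pkt(0.000, "192.0.2.5", 40000, "203.0.113.10", 80, 1000, b"GET / HTTP/1.1\r\n"),
    Pkt(0.010, "192.0.2.5", 40000, "203.0.113.10", 80, 1016, b"Host: example\r\n"),
    # legitimate retransmission: same seq number, identical payload
    Pkt(0.250, "192.0.2.5", 40000, "203.0.113.10", 80, 1016, b"Host: example\r\n"),
    # injected segment: reuses seq 1000 but carries different bytes
    Pkt(0.300, "192.0.2.5", 40000, "203.0.113.10", 80, 1000, b"GET /other HTTP/1.1\r\n"),
    # an unrelated, clean stream
    Pkt(1.000, "192.0.2.7", 50001, "198.51.100.1", 22, 500, b"SSH-2.0-client\r\n"),
    Pkt(1.050, "192.0.2.7", 50001, "198.51.100.1", 22, 516, b"..."),
]


def stream_key(p):
    """One direction of a TCP conversation: (src, sport, dst, dport)."""
    return (p.src, p.sport, p.dst, p.dport)


def group_streams(packets):
    """Pull every packet of the same stream into one list."""
    streams = defaultdict(list)
    for p in packets:
        streams[stream_key(p)].append(p)
    return dict(streams)


def stream_windows(packets):
    """When each source first and last talked to each destination."""
    windows = {}
    for key, pkts in group_streams(packets).items():
        times = [p.ts for p in pkts]
        windows[key] = (min(times), max(times))
    return windows


def repeated_seq_counts(packets):
    """Counter of (stream, seq) -> occurrences, keeping only repeats."""
    counts = Counter((stream_key(p), p.seq) for p in packets)
    return {k: n for k, n in counts.items() if n > 1}


def find_suspicious_repeats(packets):
    """Sequence numbers seen with more than one distinct payload.

    Returns a sorted list of (stream, seq, [payload variants]).
    Identical-payload repeats (retransmissions) are NOT reported.
    """
    payloads_by_seq = defaultdict(set)
    for p in packets:
        payloads_by_seq[(stream_key(p), p.seq)].add(p.payload)
    findings = []
    for (key, seq), payloads in payloads_by_seq.items():
        if len(payloads) > 1:
            findings.append((key, seq, sorted(payloads)))
    return sorted(findings)


if __name__ == "__main__":
    for key, (first, last) in stream_windows(SAMPLE_PACKETS).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} active {first:.3f}s .. {last:.3f}s")
    for key, n in repeated_seq_counts(SAMPLE_PACKETS).items():
        print(f"seq {key[1]} repeated {n}x in stream {key[0]}")
    for key, seq, variants in find_suspicious_repeats(SAMPLE_PACKETS):
        print(f"SUSPICIOUS: seq {seq} in {key} seen with {len(variants)} payloads")
```

On the sample data the HTTP stream shows two repeated sequence numbers, but only seq 1000 is reported as suspicious, because seq 1016 was a plain retransmission. This is a heuristic, not proof of tampering: reordering and retransmission quirks on lossy links can produce false positives, so in practice you would correlate the finding with the stream timing and with an IDS such as Bro before acting on it.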
- What are some activities that you do on a regular basis for which you would turn to another language or toolchain, rather than using Python?
- PowerShell – the Python of Windows
- Whitelisted and ubiquitous
- Password cracking – compiled language like C or assembly
- For anyone who is interested in getting involved in the security industry, and penetration testing in particular, what resources or tools would you recommend?
- Developers make the best InfoSec professionals
- Lots of jobs and opportunities
- Developer -> Systems Administration -> Information Security
- Security conferences – BSides, Defcon, Black Hat
- Online capture the flag challenges (google it) – good practice for critical thinking and using code for security exercises
- Get involved in the industry – Meetups, etc.
- SANS institute course, Python for Penetration Testers, SEC573 by Mark Baggett – sans.org
- Lots of free online resources
- Violent Python
- PicoCTF
- Counter Hack Challenges
- Tobias
- Chris
- Mark Baggett
- Twitter: @markbaggett
- In Depth Defense
The intro and outro music is from Requiem for a Fish by The Freak Fandango Orchestra / CC BY-SA