Introduction

The Python language has many advantages when it comes to scripting. The power of
python can be felt when you start working with and try new things with it. It has modules
which can be used to create scripts to automate stuff, play with files and folders, Image
processing, controlling keyboard and mouse, web scraping, regex parsing etc.

For those of you who are familiar with Kali Linux, many scripts are written in Python.
There are many freeware tools which are there in the market which can get the job
done, the why script it with Python? The answer to the question is simple. For those
who have written the tools have a superset of requirements, they want to cover all the
scenarios and add customisations to the tools. This ends up in tools getting
complicated and cumbersome. Moreover, every time we do not have the feasibility to
use tools and hence scripting comes handy. We can script tasks as per our need and
requirement set.

For security professionals, Python can be used for but not limited to:

• Penetration testing
• Information gathering
• Scripting tools
• Automating stuff
• Forensics

I will be discussing a few examples where Python can be used along with the code
and comments. I have tried to heavily comment the code so that it becomes easy to
understand and digest. The approach which I have taken is to break the requirement
into small steps and generate a flow control for how the code should go.

NOTE: I assume that the user is having basic knowledge of Python-like syntax, data
types, flow control, loops, functions, sockets, etc. since the article will not be
discussing the basics and will be drifting away from the conventional “hello world”
approach.

Some prerequisites before baking the code

Python can be installed from https://www.python.org/downloads/

NOTE: In case you have not installed Python, I would recommend Python3, although
Python3 is backward compatible with Python2 this might require some troubleshooting at
times. Moreover, you can install both Python 2 and 3 at the same time in a system.
Module name: os
This module provides a way of using operating system dependent functionality with
Python. It can be beneficial when working with files (opening, reading, writing),
windows paths (both absolute and relative), folders (creating folders, finding size and
folder contents), check path validity, running OS commands like clearing the cmd
screen, etc.

Example 1: What’s your name?

# Code
Import os
os.name

# Output for windows

‘nt’

Example 2: Joining the paths

#Code
Import os
os.path.join(‘harpreet’,’py_scripts’)

#Output
‘harpreet\\py_scripts’

Example 3: Where you are working right now?

#Code
Import os
os.getcwd()

#Output
‘C:\\Users\\harpreetsingh\\Desktop’

Example 4: Are you there or not?

# Checks the presence of a path/directory

#Code
Import os
os.chdir(‘C:\\Users\\harpreetsingh\\Desktop’)

Example 5: Creating folders/directories

#Code
Import os
os.makedirs(‘C:\\resources\\infosec\\harpreetsingh’)

Example 6: Running the window commands in Python

# Clearing the cmd inside Python screen

# Code
Import os
os.system(‘cls’)
# Getting the IP address
os.system(‘ipconfig’)

Example 7: Opening a file

# Steps involved:

• Open
• read /write
• Close the file

# Step 1: Opening a file:

# Code
Import os
Myfile= open(‘C:\\Users\\harpreetsingh\\Desktop\\test.txt’)

# Step 2(a): Reading contents of a file

Import os
Myfile=open(‘C:\\Users\\harpreetsingh\\Desktop\\text.txt’)
Myfile.read()

# Step 2(b): Writing contents to a file

# Code
Import os
Myfile = open(‘C:\\Users\\harpreetsingh\\Desktop\\test.txt’, ‘w’)
Myfile.write(‘I am written by Python in test file’)
Myfile.close()

# Step 3: Closing the file

# Code
Import os
Myfile=open(‘C:\\Users\\harpreetsingh\\Desktop\\text.txt’)
Myfile.close()

For further reading about os module:

Open cmd
Python
>>>import os
>>>help(os)

# Output
Module name: Webbrowser
This module is used to open link in the browser. We will be using the open function of
this module to open links in the browser in the below examples. It can take two optional
parameters ‘–n’ to open URL in a new window or ‘-t’ to open URL in new tab.

It will open the URL in the browser. In no time it will fire up the browser and open the
link.

Example 1: Opening a URL in a web browser

# Code
Import webbrowser
webbrowser.open(‘https://google.com’)

For further reading about web browser module

Open cmd
Python
>>>import webbrowser
>>>help(webbrowser)

# Output
Module name: Sys

With this module, command line arguments can be passed to the Python scripts

sys.argv[0]  name of the script

sys.argv[1]  argument passed by the user
Example 1: Printing the name of the script and user input
# Code
import sys
print (‘\n’)
print “The name of the script is : %s” %sys.argv[0]
print (‘\n’)
print “The input to the script is : %s” %sys.argv[1]

# Output
For further reading about sys module

Open cmd
Python
>>>import sys
>>>help(sys)

# Output

Module name: Urllib2

Urllib2 is used to fetch internet resources. We will be using this to fetch the response
code for the URLs. It can even be used to download files, parse/fetch URL’s, encode
URLs, etc.

For further reading about urllib2 module

Open cmd
Python
>>>import urllib2
>>>help(urllib2)

# Output
Module Name: Socket
This module is used when we need to mix Python with networking. It can be used to
create socket connections (TCP/UDP), binding the sockets to the host and port,
closing the connection, promiscuous mode configurations and much more.

For further reading about socket module

Open cmd
Python
>>>import socket
>>>help(socket)
# Output

Ctypes:
It is a means of using C (low-level language) code within Python scripts. It will be used
to decode the IP header in one of the below examples.
 Data type – CTYPES Date type – Python
C_bool <Boolean> Bool
C_char One character
C_byte <charcater> Int/long
C_ubyte <unsigned character> Int/long
C_shot <short> Int/long
C_ushort <unsigned short> Int/long
C_int <integer> Int/long
C_uint Int/long
C_long Int/long
C_ulong Int/long
C_float Float
For further reading about ctypes module

Open cmd
Python
>>>import ctypes
>>>help(ctypes)

# Output
IP packet architecture
• Version: IP version used – 4 for IPv4 and 6 for IPv6.
• IHL – IP Header Length: No of 32-bit words forming the header
• Identification: a 16-bit number which is used to identify a packet uniquely.
• Flags: Used to control fragment permissions for that packet.
• TTL (Time to live): No of hops for which the packet may be routed. This number
will get decremented by one each time the packet is routed through hops. This is used
to avoid routing loops.
• Protocol: This field helps us to identify the type of packet
• 1 ICMP
• 6 TCP
• 17 UDP
• Header Checksum: Used for error detection which might have been introduced
during transit.
• Source address: Source address from where the packet has originated
• Destination address: Address for which the packet is destined for.

Let’s code stuff

Bursting the directories

The below-discussed code will take two inputs – URL/IP address and the directory
list which you would like to test. It will test for the existence of the directories and will
open the URI in the browser if it exists.

Code Flow
Code and comments

“”” *********** USAGE ****************

Create a file named dir.txt with the below data

/jmx-console
/images
/audio
/php-my-admin
/tag/sniffers/
Save the file dir.txt to a location and copy the location address (Replace the ‘\’ in the
address with ‘\\’). Replace the address in the first line of the first for loop with this
address.
Copy and paste the below code in an IDE and save it(dirb.py)
Command to run the code: python dirb.py (URL)
Example: python dirb.py sectools.org
“””
# Import required packages
import os,webbrowser,sys,urllib.request,urllib.error,urllib.parse
# Print the input of the user on the screen
print(“The URL/IP entered is “)
print(str(sys.argv[1]))
print (“\n”)
url=str(sys.argv[1])
files=[‘dir.txt’]
url_list=[]
for f in files:
hellow=open(os.path.join(‘C:\\Users\\harpreetsingh\\Desktop\\py_scripts’, f))
directories = hellow.readlines()

# iterate through the directory list and create a list with directories appended to the
IP/URL and save it
for i in directories:
i=i.strip()
url_list.append(‘http://’+url+i)

# Iterate through the items from the newly created list and check the response code
# Incase the response code is 200, open the link in the browser
for url in url_list:
print(url)
try:
connection = urllib.request.urlopen(url)
print(connection.getcode())
connection.close()
if connection.getcode() == 200:
webbrowser.open(url)
except urllib.error.HTTPError as e:
print(e.getcode())

# Output
# Response codes on the output screen

Part2
This is the second article on “Python for Security Professionals, ”
In this part we are going to discuss the below using python:

• Port scanning
• Parsing text files for regex
• Creating a reverse TCP shell
Followed by a scenario discussion and code enhancement. So, let’s start.

Some prerequisites before baking the code

When we have a network, checking every host manually for collecting information
will not be a viable option, in such cases, network scans can make this task easy
and fast.

Network scans can be used to accomplish various purposes like:

• Host discover and its status (alive/dead)

• Check port status(open/closed)
• Search vulnerabilities
• Fingerprint OS
Different scans use different approach depending on the result required. A TCP
connect scan will try to open a TCP connection, and if the connection is successful,
the port is opened else closed.

What is regex?

Regex or regular expressions are syntaxes or a small filter which can be

used/applied to a set of data to filter it as per requirement.

• \d  to look for integer

• {4}  Look for 4 characters
• ‘-‘  The character ‘-‘ itself
• “.” [Matches anything in the given set]
• [a-z]  Matches lower case alphabets
• ^  Matches anything apart from this, e.g. [^H5P] match anything apart from H or 5
or P
Example:
In case you are less familiar with regex, you can check the online regex interactive
examples at https://www.regexone.com/
Python module: re
In the Python re module is being used to accomplish regular expression

>>help(re) #code

Methods present in the re module

• Compile  Converts the pattern into regex engine understandable form

• Search  Scans for pattern
• Match  Only matches if the pattern is present at the beginning of the string
• Findall  Returns all matched patterns in the string
Shell and Reverse Shell

A shell is something which allows us to execute commands on a system. A reverse

shell is a shell connection initiated by the client to the server. The server can then
execute commands in that client shell and can see the output on the server.

Module name: subprocess

In python subprocess module is used to handle subprograms or subprocesses.
Further help regarding the module can be found out using Python itself.

>>Import subprocess
>>help(subprocess)
Let’s code stuff

Port scanning and Banner grabbing

The code discussed below will scan a host and port range to check for the status of
the port. The post can then be separately analyzed for the services running and
vulnerabilities. We will be performing a TCP connect scan (Actively connecting to a
port) for doing this.

NOTE:
TCP connect scan can be easily detected and blocked since we are trying to create a
connection. Limit the no of ports to be scanned to avoid detection.
Code and comments

”’ ********** USAGE **************

Copy and save the code with .py extension ex. Scanner.py
Open the command window (where the script has been stored) and run the
command: python scanner.py
Rest of the code is user interactive.
Make sure that the path where python has been installed is added to the
environment variables.
”’
# importing the required packages
import socket, sys
# Creating a TCP socket connection
connect = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

# Make the user enter the host address to be scanned

host=input(“Enter the host to scan for open ports: “)
print(“\n”)

# The user can enter garbage value or fatfinger the hostname while typing, check if
this gets resolved for a valid IP address
try:
IP=socket.gethostbyname(host)
except:
print(“%s –> Oops! Entered host cannot be resolved to an IP address” %host)
exit()

# Get the starting and ending of the ports to be scanned

first_port=input(“Enter the starting/first port to be scanned for: “)
last_port=input(“Enter the last port to be scanned for: “)

# The ports entered by the user needs to be converted to an integer for feeding this
to the range function else this will give an error.
int_first_port=int(first_port)
int_last_port=int(last_port)

# Just print the information just in case the user wants to save the result to a text file
print(“\n”)
print(“The host address to be scanned is: %s” %host)
print(“The IP address to be scanned is: %s” %IP)
print(“The port range to be scanned is: %d to %d” %(int_first_port,int_last_port))
print(“================== SCANNING ===================”)

# Loop through the port range and check if we are able to create a successful
connection
for port in range(int_first_port,int_last_port+1):
try:
connect.connect((IP,port))
print(“%s Port open” %port)
connect.close()

# If we are not able to connect the port is closed.

except:
print(“%s port closed” %port)
exit()
Usage and enhancements
The code can be used when we need to check if a port is opened or not during a
security testing. A website can be tested if port 80 is being opened, this can be a
security risk as it is less secure. Let’s say that you have a list of websites which
needs to be tested for some port/port range being open or closed. The code will not
be of much help if the port range to be scanned is large. Thus, we have the scope of
enhancement.

The code can be enhanced to perform the following:

• Take multiple hostnames from a text file and perform the scan. The user can start the
scan and perform some other work or take a break for coffee.
• Introduce timestamps: It will be useful if the timestamp of when the scan started and
ended. This can also be used to calculate the duration of the scan, and this can be used
as a parameter to speed up our tool as well.
• Introduce threading: You will realize that the scan is fast when we have a small range
of ports, but this becomes slow when the range is large. Make the code threaded so
that the speed increase since multiple threads will be running in parallel. (HINT:
Threading module in python will be of help)

Regex

Regex handling can be tricky at times due to some factors:

• File or data not in correct format

• Regex pattern is difficult to create and contains false positives
However, once we have the regex pattern ready, it saves a lot of time and effort for
parsing data. We will be taking a simple example in which we need to search for a
phone number from the data present in a file. The data present in the file will be read
into a buffer and then be filtered using the regex pattern for the presence of the
pattern. The matched searches are then printed on the screen.

Code and comments

”’******************* USAGE *******************

Copy and paste the code into an IDE and save it (regex.py)
Command to run the code: python regex.py
You will be asked to enter the file path where the data file which has to be parsed is
saved
Handling regex in python
”’
# importing the required modules, re module is required for working with regex
import re,os

# The use is asked to enter the path of the file from which the raw data is to be
searched for regex.
file_path=input(“Enter the file path which contains the raw data”)
buffer = “Read buffer:\n”

# The data from the file is stored in a buffer

buffer += open(file_path, ‘rU’).read()

# The below line is just to make sure that the data is getting stored in the buffer, can
be commented as well
print(“===================== BELOW DATA IS PRESENT IN THE FILE
========================”)
print(buffer)
print(“===================== PARSED OUTPUT
BELOW========================”)

# Compile function from re module can be used to provide the regex pattern we are
searching for.
# Below regex pattern is for searching the phone number; this can be changed as
per your need.
a = re.compile(‘\d{3}-\d{8}’)
# Findall function from the re module can be used to find the pattern in the data. The
data which has been found will be stored in the form of a list and can be printed
using a loop.
find = re.findall(a,buffer)
for i in find:
print(i)
Data present in the text file is below:

Output of the code

Usage and enhancements

The code can be of help when we have raw logs from various security tools. Let us
consider the case that your organization has been flooded with spam emails and the
only thing you have now id the dump of logs from the mail server. Will you be reading
that to parse the critical data (may be source IP address of the attacker) or will you
prefer to spend some time on the raw logs and identify the regex of what you are
looking for? The choice is yours, but in the interest of time, scripting will be helpful.

The points of enhancements can be:

• Is there a need to print out the buffer? If not skip this since the buffer will usually be
large.
• It will be great if the output is piped into a text file for usage and ease of reading. This
can be further used as an input to some other programs. The output can also be directed
to a CSV file for further analysis (ex: filtering the legitimate IP addresses from which
we expect the mails)(HINT: python module openpyxl can be helpful when dealing with
excel files)