Low price
CHF35.10
Usually ships within 2 to 4 weeks.
Discover an up-to-date and authoritative exploration of Python cybersecurity strategies
Python For Cybersecurity: Using Python for Cyber Offense and Defense delivers an intuitive and hands-on explanation of using Python for cybersecurity. It relies on the MITRE ATT&CK framework to structure its exploration of cyberattack techniques, attack defenses, and the key cybersecurity challenges facing network administrators and other stakeholders today.
Offering downloadable sample code, the book is written to help you discover how to use Python in a wide variety of cybersecurity situations, including:
Each chapter includes discussions of several techniques and sub-techniques that could be used to achieve an attacker's objectives in any of these use cases. The ideal resource for anyone with a professional or personal interest in cybersecurity, Python For Cybersecurity offers in-depth information about a wide variety of attacks and effective, Python-based defenses against them.
Author
HOWARD E. POSTON III is a freelance consultant and content creator with a professional focus on blockchain and cybersecurity. He has over ten years' experience in programming with Python and has developed and taught over a dozen courses teaching cybersecurity. He is a sought-after speaker on blockchain and cybersecurity at international security conferences.
Contents
Introduction xvii
Chapter 1 Fulfilling Pre-ATT&CK Objectives 1
Active Scanning 2
Scanning Networks with scapy 2
Implementing a SYN Scan in scapy 4
Performing a DNS Scan in scapy 5
Running the Code 5
Network Scanning for Defenders 6
Monitoring Traffic with scapy 7
Building Deceptive Responses 8
Running the Code 9
Search Open Technical Databases 9
Offensive DNS Exploration 10
Searching DNS Records 11
Performing a DNS Lookup 12
Reverse DNS Lookup 12
Running the Code 13
DNS Exploration for Defenders 13
Handling DNS Requests 15
Building a DNS Response 15
Running the Code 16
Summary 17
Suggested Exercises 17
Chapter 2 Gaining Initial Access 19
Valid Accounts 20
Discovering Default Accounts 20
Accessing a List of Default Credentials 21
Starting SSH Connections in Python 22
Performing Telnet Queries in Python 23
Running the Code 24
Account Monitoring for Defenders 24
Introduction to Windows Event Logs 25
Accessing Event Logs in Python 28
Detecting Failed Logon Attempts 28
Identifying Unauthorized Access to Default Accounts 30
Running the Code 30
Replication Through Removable Media 31
Exploiting Autorun 31
Converting Python Scripts to Windows Executables 32
Generating an Autorun File 33
Setting Up the Removable Media 34
Running the Code 34
Detecting Autorun Scripts 34
Identifying Removable Drives 35
Finding Autorun Scripts 36
Detecting Autorun Processes 36
Running the Code 36
Summary 37
Suggested Exercises 37
Chapter 3 Achieving Code Execution 39
Windows Management Instrumentation 40
Executing Code with WMI 40
Creating Processes with WMI 41
Launching Processes with PowerShell 41
Running the Code 42
WMI Event Monitoring for Defenders 42
WMI in Windows Event Logs 43
Accessing WMI Event Logs in Python 45
Processing Event Log XML Data 45
Running the Code 46
Scheduled Task/Job 47
Scheduling Malicious Tasks 47
Checking for Scheduled Tasks 48
Scheduling a Malicious Task 48
Running the Code 49
Task Scheduling for Defenders 50
Querying Scheduled Tasks 51
Identifying Suspicious Tasks 52
Running the Code 52
Summary 53
Suggested Exercises 53
Chapter 4 Maintaining Persistence 55
Boot or Logon Autostart Execution 56
Exploiting Registry Autorun 56
The Windows Registry and Autorun Keys 57
Modifying Autorun Keys with Python 60
Running the Code 61
Registry Monitoring for Defenders 62
Querying Windows Registry Keys 63
Searching the HKU Hive 64
Running the Code 64
Hijack Execution Flow 65
Modifying the Windows Path 65
Accessing the Windows Path 66
Modifying the Path 67
Running the Code 68
Path Management for Defenders 69
Detecting Path Modification via Timestamps 69
Enabling Audit Events 71
Monitoring Audit Logs 73
Running the Code 75
Summary 76
Suggested Exercises 76
Chapter 5 Performing Privilege Escalation 77
Boot or Logon Initialization Scripts 78
Creating Malicious Logon Scripts 78
Achieving Privilege Escalation with Logon Scripts 79
Creating a Logon Script 79
Running the Code 79
Searching for Logon Scripts 80
Identifying Autorun Keys 81
Running the Code 81
Hijack Execution Flow 81
Injecting Malicious Python Libraries 82
How Python Finds Libraries 82
Creating a Python Library 83
Running the Code 83
Detecting Suspicious Python Libraries 83
Identifying Imports 85
Detecting Duplicates 85
Running the Code 86
Summary 86
Suggested Exercises 87
Chapter 6 Evading Defenses 89
Impair Defenses 90
Disabling Antivirus 90
Disabling Antivirus Autorun 90
Terminating Processes 93
Creating Decoy Antivirus Processes 94
Catching Signals 95
Running the Code 95
Hide Artifacts 95
Concealing Files in Alternate Data Streams 96
Exploring Alternate Data Streams 96
Alternate Data Streams in Python 97
Running the Code 98
Detecting Alternate Data Streams 98
Walking a Directory with Python 99
Using PowerShell to Detect ADS 100
Parsing PowerShell Output 101
Running the Code 102
Summary 102
Suggested Exercises 103
Chapter 7 Accessing Credentials 105
Credentials from Password Stores 106
Dumping Credentials from Web Browsers 106
Accessing the Chrome Master Key 108
Querying the Chrome Login Data Database 108
Parsing Output and Decrypting Passwords 109
Running the Code 109
Monitoring Chrome Passwords 110
Enabling File Auditing 110
Detecting Local State Access Attempts 111
Running the Code 113
Network Sniffing 114
Sniffing Passwords with scapy 114
Port-Based Protocol Identification 116
Sniffing FTP Passwords 116
Extracting SMTP Passwords 117
Tracking Telnet Authentication State 119
Running the Code 121
Creating Deceptive Network Connections 121
Creating Decoy Connections 122
Running the Code 122
Summary 123
Suggested Exercises 123
Chapter 8 Performing Discovery 125
Account Discovery 126
Collecting User Account Data 126
Identifying Administrator Accounts 127
Collecting User Account Information 128
Accessing Windows Password Policies 128
Running the Code 129
Monitoring User Accounts 130
Monitoring Last Login Times 130
Monitoring Administrator Login Attempts 131
Running the Code 132
File and Directory Discovery 133
Identifying Valuable Files and Folders 133
Regular Expressions for Data Discovery 135
Parsing Different File Formats 135
Running the Code 136
Creating Honeypot Files and Folders 136
Monitoring Decoy Content 136
Creating the Decoy Content 137
Running the Code 138
Summary 138
Suggested Exercises 139
Chapter 9 Moving Laterally 141
Remote Services 142
Exploiting Windows Admin Shares 142
Enabling Full Access to Administrative Shares 143
Transferring Files via Administrative Shares 144
Executing Commands on Administrative Shares 144
Running the Code 144
Admin Share Management for Defenders 145
Monitoring File Operations 146
Detecting Authentication Attempts 147
Running the Code 148
Use Alternative Authentication Material 148
Collecting Web Session Cookies 149
Accessing W…