Book Review — Coding for Penetration Testers: Building Better Tools
Below is a review of Coding for Penetration Testers: Building Better Tools, published by Elsevier and written by Jason Andress and Ryan Linn.
First, I would like to thank the BK community for their contribution to developing my own skills.
This book will be a valuable resource for those involved in penetration testing, as well as for security professionals and network and system administrators. Those in development roles will find the material useful too, from the standpoint of building better tools for their organization.
To get the most out of this book, some prior knowledge or experience is required. The book covers networking, advanced Windows commands, and web and application exploitation.
Python, PHP, Perl, Ruby and PowerShell are the programming and scripting languages you need to know. You can use w3schools for an overview of each language's structure, syntax and command semantics.
I was very excited during my journey through each chapter. The only problem I faced was that I mixed up the syntax of the different languages; for example, I confused the string concatenation syntax of PHP with that of Python. The author gives good tutorials and references for each language. Before reading the book, my expectation was that I would need just two languages to do my assigned tasks during a penetration test. That turned out to be a big joke after reading the first chapter. The author states that when we are attacking an environment, we don't always get to choose the tools we have at hand, and we may very well find ourselves in a situation where we are not able, or not allowed, to install tools or utilities on a system.
For that reason you have to add shell scripting to your skills, because shell scripts allow us to string together complex sets of commands, develop tools, automate processes, manipulate files and more.
So who are the authors of this book? They are:
Jason Andress [ISSAP, CISSP, GPEN, C|EH]
A seasoned security professional with deep experience in both the academic and business worlds. He holds a doctorate in Computer Science, with research in the area of data protection. He has authored several publications and books on topics including data security, network security, penetration testing and digital forensics.
Ryan Linn [OSCE, GPEN and GWAPT]
A penetration tester, author, developer and educator. He comes from a system administration and web development background, with many years of IT security experience.
He is a regular contributor to open-source projects such as Metasploit, the Browser Exploitation Framework (BeEF) and the Dradis Framework, and is also involved with security conferences such as DEF CON.
Chapter one is a good introduction to shell scripting. With my experience of bash scripting on Debian-based Linux, I passed quickly through the first half of this chapter, while the other half was about PowerShell. It wasn't hard, but it was difficult to accept that Microsoft had changed its mind and given administrators more power to manage their own operating system. Apart from the usual syntax problems, when I first used PowerShell I was happy that the "ls" command worked, and after a few hours I figured out that Microsoft has put its own touch on the complexity of the commands, but with shell scripting knowledge you can deal with PowerShell.
The second chapter is about Python. The author starts by explaining the power of Python. First you learn how to manipulate files using Python, then move on to client communication with a server. Here you need to know what sockets are and how to use them to send and receive over the channel you have. Also, don't forget that blocks in Python are determined by indentation. This is the most important thing to remember while coding, because Java, C++ and other languages use braces to delimit blocks. This is a syntax difference. Perl and Ruby are explored in the third and fourth chapters with the same methodology:
learn the syntax through short sections, practice, and then put all the knowledge together to build something that does file manipulation and network communication.
Network communication, as stated before, relates to socket programming, but you also need background knowledge of the protocols involved, such as SNMP, SMB, FTP and SSH.
By understanding network basics you start to understand where your first entry point into the target machine is. The aim here is not to build a black hat community, but to know where our weaknesses are. Before you can know where they are, you have to produce a proof of concept (POC) showing that this weakness is a threat. To do so you need to learn how to use those protocols in each language, because we don't always have the choice to install our own tools.
Chapter five takes a different direction. It starts to talk about web applications. The author uses PHP as one of the web application development languages. He shows us how to handle forms and command execution, besides file handling; the main idea I took from here was building backdoors in PHP for a compromised web server that supports PHP. It was a nice chapter from my perspective, but we also need to look at how we could do the same through ASP.NET and Java. PHP is the most used language in web application development, but nowadays it is not the only one.
Up to this point we have not practiced any step of the penetration testing methodology. Chapter six talks about manipulating Windows using PowerShell, and explains in depth the penetration testing uses of PowerShell.
Chapter seven starts the first step of the penetration testing methodology: discovery in active mode, using scanners such as Nmap, Nessus, OpenVAS and Netcat. The chapter shows how to use Nmap and Netcat to detect which ports are open or closed, while Nessus and OpenVAS do not just fingerprint or detect ports but also perform vulnerability scanning. In this section the author introduces the Nmap Scripting Engine (NSE), which extends Nmap to detect vulnerabilities. It was good knowledge to have, but you will still need to see how to use the data we collected about the target asset.
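As an added example (not code from the book or from this review), here is the kind of file-plus-socket tool the Python chapter builds toward, making the same TCP connect() check that Netcat or an Nmap connect scan makes against hosts you administer; the `host:port` target-file format and the `constructed_listener` stand-in service are assumptions made here so the whole thing runs on loopback.

```python
import socket
import threading
from typing import Dict, List, Tuple

def parse_targets(text: str) -> List[Tuple[str, int]]:
    """Parse 'host:port' lines from a targets file; skips blanks and '#' comments, rejects malformed lines."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"bad target line: {line!r}")
        targets.append((host, int(port)))
    return targets

def probe(host: str, port: int, timeout: float = 1.0) -> Tuple[str, str]:
    """TCP connect() check, the same test 'nc -zv' or an Nmap connect scan
    makes. Returns (state, banner): 'open' or 'closed', plus whatever the
    service sends unprompted within the timeout (often nothing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, unreachable or timed out
            return "closed", ""
        try:
            data = s.recv(256)
        except OSError:  # service waits for the client to speak first
            data = b""
        return "open", data.decode("ascii", errors="replace").strip()

def audit(targets: List[Tuple[str, int]], timeout: float = 1.0) -> Dict[str, Tuple[str, str]]:
    """Probe every target; results are keyed 'host:port' for a report file."""
    return {f"{h}:{p}": probe(h, p, timeout) for h, p in targets}

def constructed_listener(banner: bytes = b"SSH-2.0-constructed\r\n") -> int:
    """Constructed stand-in for a real service: a one-shot loopback listener
    that greets its first client with `banner`. Returns the port it chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it against `audit(parse_targets(open("targets.txt").read()))` to get the same open/closed view Nmap would give for your own hosts, with the banner showing which service answered.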
Chapter eight introduces you to another type of discovery, passive mode. This means you are not going to have direct communication with the target; you just use a search engine to collect data and metadata, similar to the theHarvester tool in BackTrack. The author gives examples in Perl on how to extract metadata using the Google search engine.
It was amazing and helpful, especially if you are going to engage in external penetration testing. "The more you hear, the more you are able to understand" is my comment on this chapter (copied from Matt's quote during the OSCP course).
Chapter nine was the big party of this long journey. Here we use the Metasploit framework and build our own scripts for exploiting targets, in addition to Python and PHP scripting. I explored different strategies and methodologies for exploitation using different languages. You will use Python to create the War-FTPD exploit, which leverages a buffer overflow vulnerability to gain a remote shell. Once you have a POC, the author shows you how to turn the exploit into a more versatile Metasploit module using Ruby. On the web application side, the author covers only three web vulnerabilities: remote file inclusion, XSS and command execution. It was great fun, but this was not the end. I was happy to reach this point, but victory was still not ours.
Chapter ten, the last chapter in the book, guides you to victory. The problem is not just writing the string "YOU HAVE BEEN HACKED" on the compromised system, because this resource is not for the black hat community but for the white hat one, which has to care about data. A piece of information such as a username and password may be worth $1, or it may be worth $10^x. The attacker's goal is to compromise more systems in your company's infrastructure and, through your assets, to discover the infrastructure hierarchy: dumping usernames and passwords for the systems, enumerating groups and user privileges, bypassing login pages and dumping the databases. It was awesome, and I felt the real power when I implemented this in my test lab using VirtualBox.
Summary:
The machines have the power to manage the world, while humans are just pets. The world invests time and money to make life easier: building the World Wide Web to exchange information and building smartphones to facilitate communication in different ways. There is another door we have to see, one that someone could use to spy on you. You have to do regular assessments of your environment to discover its vulnerabilities and try to close these gaps before someone else learns about them. The mission is to decrease the risk level from an information security point of view, which requires more and more hands-on practice with each technology you have or know about. I recommend that readers of this book take a look at the basics of Perl, Ruby, Python and PHP before reading, to make full use of this resource. Thank you for your time.
About The Author
Muhammed M. Bassem, Senior Information Security Consultant at Deloitte Middle East