The Python Podcast.__init__

Share on social media:

Read all of our show notes and find more information about us at Beautiful Soup

Brief Introduction

• Date of recording – May 28th, 2015
• Hosts – Tobias Macey and Chris Patti
• Overview – Interview with Mark Bagett
• Follow us on iTunes, Stitcher or TuneIn
• Give us feedback! (iTunes, Twitter, email, Disqus comments)
• You can donate (if you want)!

Interview with Mark Bagett

• Introductions
• How were you first introduced to Python? – Chris
  • Started using it for automating tasks while working as a sysadmin
  • Found code that launched an attack on FTP server – in Python



• What are some of the tasks in your job that you use Python for? -Tobias
  • Trusted command & control backdoor for Windows
    • Mostly not used by malware authors – thus far (at least Mark hasn’t seen it used that way)
    • Flame virus – 5MB payload – incredibly advanced
      • Lua interpreter bundled along with the scripts

    
    
    • Vale framework – Python framework that takes payloads out of penetration testing executables
    
    
    
    
  
  
  
  


• What is it about Python that makes it useful for penetration testing and other information security tasks?
  • Same thing that makes it useful for anything else
  • mpacket from core security



• What are some of the more useful Python penetration testing tools?
  • OFFENSE
    • Beautiful Soup
    • scapy
    • Volatility

  
  
  • DEFENSE
    • Counter dictionary from collections
    • Pandas
    • iPython
    • matplotlib

  
  
  
  


• We’ve noticed that a lot of the literature around information security and penetration testing focuses on targeting Windows. Can you enlighten us as to why that is?
  • Windows event tracing
    • logman
    • event trace providers – implement packet sniffing (Can turn every browser into a key logger)

  
  
  • Primary attack surface – Where most attacks are targeted
  
  
  • Fewer purely Linux systems
    • Very few ports open – maybe 80, 22
    • Very likely no user just sitting there waiting to run an executable you send

  
  
  • More freedom on Linux – less formalized patching process, more variable tools = more exploits
  
  
  • Will write code to only use built in modules for Python that will run in customer target environments
  
  
  
  


• What are some of the legal considerations that you have to deal with on a regular basis as a penetration tester?


• There have recently been a number of attacks based on hijacking the TCP/IP stack. Is Python being used for any of these exploits or tools to defend against them?
  • Data analytics
  • Detect repeated sequence numbers – Man in the Middle Attack
    • As simple as 5 lines of Python code
    • import scapy, start sniffing packets, pull together all packets – make list of associated packets
    • Can pull together all packets inside of stream
    • Time spefic source communicates with specific destination
    • Bro – intrusion detection suite
      • Built into Security Onion – Doug Berks
      • FLOSS Weekly episode 296 with Bro developers

    
    
    
    
  
  
  
  


• What are some activities that you do on a regular basis for which you would turn to another language or toolchain, rather than using Python?
  • Powershell – The Python of windows
    • Whitelisted and ubiquitous

  
  
  • Password cracking – compiled language like C or assembly
  
  
  
  


• For anyone who is interested in getting involved in the security industry, and penetration testing in particular, what resources or tools would you recommend?
  • Developers make the best InfoSec professionals
    • Lots of jobs and opportunities

  
  
  • Developer -> Systems Administration -> Information Security
  
  
  • Security conferences – BSides, Defcon, Black Hat
  
  
  • Online capture the flag challenges (google it) – good practice for critical thinking and using code for security exercises
  
  
  • Get involved in the industry – Meetups, etc.
  
  
  • SANS institute course, Python for Penetration Testers, SEC573 by Mark Baggett – sans.org
  
  
  • Lots of free online resources
  
  
  • Violent Python
  
  
  • PicoCTF
  
  
  • Counter Hack Challenges
  
  
  
  

Picks

• Tobias
  • Authy
  • OpenWRT
  • TP-Link Archer C7
  • Schemas For The Real World by Carina C. Zona
  • The Soul of Software by Avdi Grimm
  • China Mieville



• Chris
  • Rapscallion Munich Dark
  • Write
  • Marginal Way
  • Frankie and Johnny’s
  • pyenv



• Mark Bagett
  • Corelabs impacket
  • Google Labs – Rekall
  • Adams peanut butter cup fudge ripple cheesecake
  • BSides security conference

Keep in Touch

• Twitter: @markbaggett
• In Depth Defense

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

[00:00:14] Unknown:

Hello, and welcome to podcast.init,   a podcast about Python and the people who make it great. We are recording today on May 28, 2015.   Your hosts as usual, are Tobias Macy and Chris Patti.   Tonight, we're interviewing Mark Baggett.   As usual, you can follow us on Itunes, Stitcher, or TuneIn Radio,   And please give us feedback. You can leave us a review on Itunes or Stitcher.   You can contact us on Twitter. We're at podcastunderinit.   You could email us at hosts@podcastinit.com   or leave us a comment on our show notes on our website at podcastinit.com.   And if you'd like, you can give us a donation. There are links on our site.  

Mark, could you please introduce yourself?  

[00:00:58] Unknown:

Sure. First, Tobias, Chris, thanks for having me on the show. Appreciate it.   I'm Mark Baggett. I am an information security professional.   Started out as a   software developer   straight out of college   and developing in languages like c and   Pascal and CLIPr and lots of other languages that have long since been forgotten.   After developing for several years, I went into,   networking systems administration   and and some of the other areas in IT,   when I finally came around to   to information security. So, I I do penetration testing for companies where   they they need an audit. They need an assessment. We'll come in, and we'll   bypass their controls, gain access to the data that they they're concerned about, and show them really what the risk is   if an attacker gets a foothold on their network. And I love to use Python in that process.  

So  

[00:02:00] Unknown:

Very cool. So, Mark, how were you first introduced to Python?  

[00:02:05] Unknown:

Well, like I said, I was a coder for many years, so I I knew programming.   Then when I got into systems administration and networking and things like that, I probably had 5   5 to 7 years of my career when I didn't really   do much coding, but there was always   a better way. There was always some way that I could take the   menial tasks that I had to do every single day and   automate them. But   languages like c   are not   quick and easy fixes, and   you have to have a process that   really justifies the writing of that code before you're gonna jump in and and do things like that to see. But Pascal   and CLIPr, they they really weren't around anymore. So a lot of my   coding skills had atrophied in in places where I could really use them as systems administration. And then I remember I was reading,   some exploit code that that an attacker had released on the Internet that was   launching some attacks against FTP server,   an FTP server. And it was written in this this language called Python, which   I thought was named after snakes initially, then, you know, come to find out many years later that it's much cooler than being named after snakes.  

And just looking at the code, it was very easy to read.   It was   it   was just a fun language. So,   I had decided I've been looking for a way to get back into and redevelop my coding skills. And so Python reading that exploit and seeing how easy it was to read through that,   that seemed like a great place to go. So   started coding in Python from there,   automating simple systems administration   tasks and things like that,   and I've just really used it since then for just about anything I   need.  

[00:03:55] Unknown:

So what are some of the tasks in your current job that you use Python for?  

[00:04:01] Unknown:

So as   an,   an offensive security,   professional where I'm trying to gain access to systems, Python is really nice   as   a very simple command and control backdoor that you put onto target systems.   1 of the things that makes Python a nice a nice command and control backdoor is   well, it's it's a trusted platform on Windows systems. So,   you've you've got lots of opportunities to to develop code. But if you take a Python executable   or a Python script and then you turn it into an executable using something like pyinstaller.   There's lots of legitimate companies out there that use pyinstaller to create software products that they sell to people. For   for many years until recently, that Dropbox   tray icon that you had there that would synchronize your desktop to Dropbox was was written in Python.  

And so for an antivirus company to start deleting   your Python based backdoors,   they would they couldn't just delete all of the Python interpreter or Python   code that was out there because there's lots of legitimate programs. So antivirus companies would have to actually   pull apart your, py installer executables, find the the code that you have, and interpret that Python bytecode in order to figure out whether or not your   virus was malicious code or if it was just   the Dropbox synchronization tool.   So it's a hard problem for antivirus companies to fix,   and, creating backdoors in Python was   was a a great way to do that. It's also   a great way to interface with web pages. So if I've got a web page I need to assess the security of, then   using the request module or or even the built in,   build opener and URL lib modules to make requests to web pages,   to manipulate cookies for session hijacking or to launch password guessing, to read a web page and then get a CAPTCHA. No.  

Not 1 of those CAPTCHAs that human beings themselves can't even solve, but, you know, the we there's a lot of CAPTCHAs that you have on web pages that people develop that are like,   what is 1 plus 1? You know, are you a human?   CAPTCHA's like that that are really intended to keep people from posting Viagra ads all over your, your   blogs and everything else   are not really there to keep out targeted attacks. It's more so just to to keep the nuisance   scanners away.   You know, you'll come across those as you're doing your testing,   and you can easily solve. Python is really good at adding together 2 numbers   or saying, yes. I am a human to questions like that. So it makes   solving those CAPTCHAs and and   and being able to assess websites like that   very easy, whereas your off the shelf password guessers and things like that that you might download off the web can't handle those types of situations.  



[00:06:59] Unknown:

That's really interesting. So has there been any   instances in the wild of well known malware that   use Python for a CNC backdoor that they actually install onto target window systems?  

[00:07:13] Unknown:

I   am glad to say that I have not come across a Python backdoor   in   any of the incidents that I have handled.   As someone who   teaches   professional penetration testers how to do these things and teaches them how to develop backdoors in Python. I'm   I'm happy to say that I have never seen it used by   anyone with malicious intent   yet. I'm sure   that it could happen. Now that that said, the   the thing that makes Python great, which is it's an interpreted language, so, really, you're not putting a a malicious executable on a system. You're putting an interpreter   on a system with a malicious script.  

That concept has been used by malware.   You know, I think the most   the most famous case I can think of is the the flame virus that,   you know, was it was a huge piece of malware, 5 megabytes in size, and   and had   nation state capabilities   and, you know, had some incredible   incredibly advanced attacks in there against   encryption   and the way that we sign our certificates   as well as the ability   to create its own Microsoft   updates services and distribute   command and control and updates to the malware through   a fake Microsoft   Windows update service that was installed on the victim's machines. It was a really   incredible piece of malware.  

And that was written   in Lua,   and a Lua interpreter along with the Lua scripts were   were distributed to targets. So while I haven't seen Python used, I have seen other inter interpreted languages,   used. And I I have no doubt that Python is,   used in in malicious attacks,   Particularly, I mean, you you look at some of the frameworks out there like the Volatility   excuse me. Not Volatility.   The Vail framework.   The Vail framework is a Python framework   that will take   payloads   out of penetration testing to executables   and allow you to distribute those to systems. Now the Metasploit framework   is,   I I like to think, mostly used by the good guys, the professional penetration testers who are there to make your network better.  

But the Metasploit framework is so useful   to to attackers   regardless of intent. I'm sure that some bad guys use that as well.   And the Vail framework makes it very easy to take any of those payloads that you have inside of the Metasploit framework and turn them into executable so you can run on any Windows system.  

[00:09:56] Unknown:

Wow. So going back to your point about antivirus   practitioners having to pick apart Python code rather than just delete it wholesale from a system,   I would think that obfuscating your Python code as an attacker would be a good way to try and sidestep some of their attempts at interpreting the intent of that code as well.  

[00:10:18] Unknown:

Yeah. Either, you know, import sockets as   not sockets or making just a simple class that wraps the classes that they might be detecting.   You could easily get around someone who was actually going to look at your Python byte code and determine   what you were trying to do. But   that said, I I haven't had to do that. Mhmm. I mean, I it's just it's just not a problem today. You can take   write your write your,   backdoors in Python,   and   antivirus software doesn't care about it. The only place that I I see it, really   detecting Python backdoors today is if you have some of the products that do reputation based filtering, things like, Symantec, where they have   huge databases   of   hashes, and they they'll tell you that this particular executable   hasn't been run on any other targets. This is a unique cache that is we've only seen it here. Something like explorer.exe,   which is running on millions of hosts, it recognizes that that file. It says this is this is explorer.exe, and it doesn't it doesn't raise any flags. But when it sees a unique executable that it's never seen before or it's not in its massive database of hashes,   Those I've seen flagged Python executables that were created with the py installer. But,   you know, 1 way you can get around that is when you use py installer to create, say, an executable,   you you don't have to create a single EXE. You have to create a directory.  

And in that directory, you end up with the Python interpreter, all the DLLs, and your bytecode. So now   on the target system,   you're no longer running a custom py installer executable that has unique cache. You're running Python,   which is running on thousands of computers and recognized by everyone. So   the the reputation filters are perfectly happy with running Python there.  

[00:12:18] Unknown:

That's that's very interesting.   What is it about Python that makes it useful for penetration testing and other information security tasks?  

[00:12:27] Unknown:

Oh, I mean,   import this, man. I mean,   what it's what is that makes Python awesome when developing just about anything? You know? And it's that other people have written the hard part, and you just gotta glue together all the pieces that are in the modules.   And there there's so many useful modules out there that   do   these incredibly   complex tasks in just a few lines of code because somebody else did all the heavy lifting for you. 1 of my favorite modules from a penetration testing standpoint is called the Impacket, and it's by,   Core Security.  

And they have completely written all of the server message block APIs that are necessary to communicate with Microsoft servers across the network.   You know, whether you wanna authenticate to servers   and do something like execute code on them using similar functionality to Microsoft's ps exec   to execute code on a remote host or   do WMI queries to a remote Windows system. You know, they've they've got   these incredibly   well written and very useful   libraries written to do all of the heavy lifting. So to to execute code on a remote system, I   import their library. I create a psexec object. I give it an IP address and tell it what I wanna run, and it logs in, creates a service. It runs my commands on remote hosts, and captures all the output and stores it in a variable for me.  

And so, I mean, the usefulness of   Python for security professionals is is, I'm sure, the same usefulness that   every other developer that loves Python out there   experiences, which is   there's all of these great third party modules that are out there that make your life so much easier.  

[00:14:14] Unknown:

And exposed at a very high level of abstraction. Right? So so as you mentioned,   sort of being able to pick them up and use them, bend them to your will is is relatively straightforward and takes not a lot of time and effort.  

[00:14:27] Unknown:

Correct.   Correct. Yeah.   From a security standpoint, I'll I'll mention some of the modules that I use frequently. I use, as I mentioned, Impacket by Core Labs,   You know, of course, Beautiful Soup and Request   for for talking to the web is very useful.   I'll use Scapy a lot for   for or dpacket   for just reading network packets   and parsing them out and trying to find useful data in them, you know, some of recall or volatility for parsing through memory.   Then as a defender, you know, using   something like the counter module, something as simple as the counter module,   or the counter dictionary, excuse me, from the collections module and,   you know, Panda, InoteBook, Matlab   Matplotlib   to to give you statistics on   the kinds of people that are communicating with you and trying to find outliers. And, you know, I've only I've only saw traffic from   this 1 IP address once an hour   for the last 24 hours, things like that, flying all those outliers,   just the regular statistical model,   type   modules that you would see normal data analysis people using are are very useful in Python,   for finding people that are attacking you.  



[00:15:48] Unknown:

That's somewhere that I'm sure when a lot of people think about data analysis or big data, that's not necessarily somewhere that they jump to immediately is doing   secure defensive security because they're used to thinking about it in terms of advertising or marketing or,   you know, may maybe even scientific purposes,   but there's definitely a lot of traffic that gets generated by all the systems that we use every day. And   by knowing how to look at it and what to look for, you can definitely find a lot   of valuable information that'll give you   information about precursor attacks or about information gathering attacks that people are launching against your system so that you can defend against that before it actually ends up being a full blown   invasion of your network?  



[00:16:36] Unknown:

Oh, for sure. I mean, your your intrusion detection systems that you run on your network,   you know, they   they do a good job at what they're intended to do, but they can only do so much.   And most people have,   you know, megabytes, if not gigabytes or terabytes of logs,   distributed across their systems.   And they they look at those logs perhaps   once a month. Maybe they're looking at them once a week. But if they do look at them, they're looking at them   in   perhaps in just the context of that local system and not as as an entire network. But when you start looking at,   the logs and systems and things you have running across your entire network and you start putting them in context or comparing them to each other,   then you can you can find a lot of useful information. So   just take, you know, Panda,   INowbook, matplotlib.  

We're just gonna build some   databases that are gonna collect up a list of all the processes that are running on every host on a given subnet.   And then you go through those those processes and you see that, okay, explorer.exe   is running on   all   255   or 254,   hosts that I have in this given subnet.   Very good. Right? And then, you know, antivirus software. That's running on 249.   Well, you might wanna go look and see what those other ones are, but then you've got this executable called   marx python backdoor.exe   that's running on 2 of your hosts. Maybe you should probably go check that out and find out why is it that only 2 of your hosts on your on your network   are use are running this 1 executable.  

Usually,   corporate networks,   they tend to look the same. There's there's always outliers, but it's when you start looking at the outliers and finding the the thing that's unusual, the thing that makes a host unique that you really   begin to   look under the rocks   and find evil sitting there.  

[00:18:39] Unknown:

You know, it's really interesting. I I was a Windows Enterprise developer for for just a couple of years. I've been mostly a Unix guy. But I will say,   listening to you talk about some of these facilities and modules that you use,   1 thing that I was very impressed by in my time doing Windows Dev was how   how rich   the introspection facilities are for being able to, like you mentioned, remote WMI queries,   things like that. You really can   sort of treat your Windows box like a database and kind of mine it in all kinds of interesting ways   that the Unix   universe is just only kind of now catching up to speed with.  

So that must make your job an awful lot easier as a security guy.  

[00:19:23] Unknown:

It depends upon which side I'm on.   As as an attacker, that would make it could make your, life really difficult if you were if you were trying to hide, which as professional penetration duster, I'm never trying to hide on a network. So,   but   yeah. I mean,   to your point,   if you look at Windows event tracing just look at   there's if you look in   your Windows event logs, you've got your security logs, your application logs, your system logs, which everybody's aware of. But if you drop to that command line or your PowerShell prompt now and you you type,   you type in log man   space query space providers,   you'll you'll come back with a list of over 900 on Windows 8 machine, 900 different   event log providers.  

And these are these are systems that just generate event Windows events, and almost all of them are turned off by default and not generating any logs.   But there are so many interesting things that you can you can begin to capture and learn about your system if you just turn some of those on. Most of them are off because they're noisy,   and they generate so many logs that you're it's not something you would run all the   time. But   when I'm dealing with an incident and trying to find attackers and anomalies on systems,   turning those on, you can learn a great deal of things. There's there's event trace   providers that will record every packet that goes in and out of your network. So from an attacking standpoint, if I wanna implement a packet sniffer on your machine, I can do that through your event logs with,   with Windows event tracing. Or,   there's the Win Inet provider, which you can turn that on and   your you can turn every browser into a key logger, basically, where as passwords are being typed,   it rec or transmitted, it it will   record usernames, passwords, cookies, and other information that's transmitted over SSL packets   in clear text   on the hard drive and inside of event logs.  

So, yeah, Windows   Windows event logs and the information that's recorded   there is   amazingly comprehensive,   and it's incredibly useful to us as   both   offensive and defensive   security personnel, but   it's a lot of data.   Fortunately,   Python is really good at   pulling together lots of data and analyzing that data and finding useful bits of information out of it.  

[00:21:50] Unknown:

Definitely.   So this kinda dovetails with that. We've noticed that a lot of literature around information security and penetration testing   focuses largely on Windows. Can you enlighten us as to why that is?  

[00:22:05] Unknown:

Well, I think it's because   that's where most of our attacks are targeted. So   organizations still have Linux systems   in their environments.   Those Linux systems are often in the form of   databases   or   websites   or   or a lot of appliances that people run,   but your primary tax surface in organizations   is still   the Windows systems that that users are sitting behind. So   as as a penetration tester,   yeah, I I do wanna ultimately gain access to   other platforms besides Windows,   but it's all about where the data is. And generally speaking, you're gonna come into an organization   either through their external web interfaces,   or you're gonna be attacking   SQL attacks and cross,   command injection, things like that, where you might be using the requests module,   pipe Beautiful Soup and things like that.  

Or   you're going to   exploit   an endpoint such as a Windows based system there and get a user there to   click on a link and get your your   foothold   into their organization.   So   I think that's why you see the   a lot of Python tools being written to go after Windows,   because   Windows is is the primary target. Once you gain access to that target, you're gonna look for other resources, but   pretty much   the attackers want to gain access to those Windows systems.  

[00:23:39] Unknown:

That's really interesting. I I guess I had never thought of it in those terms. I I guess I thought maybe it was something along the lines of this is the majority of what your clients   who are actually ping you do penetration testing run.   But but I I can see that   it's not that at all. Like you said, that's where the attack surface   is. Is it also true that   Unix presents a   less target rich attack service surface than Windows does? Or is that a misconception that I have as a as a mostly Linux guy?  

[00:24:12] Unknown:

Well,   it depends upon what you mean by the question. So there are fewer   Linux systems in the typical organization. Right? I mean, in a company with 10, 000 employees,   I I might come across   30 to 40   Linux systems that are in that environment,   pure Linux systems. There's probably gonna be another   30   to 50   appliances,   in there that are running Linux.   But for the most part, those Linux systems are going to have very few ports in them. They're gonna have   port 80 and   maybe port 22 if I'm lucky,   and there's not gonna be a user   sitting behind there just waiting to click on the executable that I I send them.  

You know? Whereas on the Windows platform,   there is.   And   I think that   the Linux operating system, there there are fewer   services that are just sitting there waiting for you to connect to them.   I I think some of that is just based upon the fact there's there's not a lot of,   users that are sitting behind the keyboards on these Unix systems. So   you don't have to have services open for   some   software inventory system to come and connect to the hard drive of all these machines   administering the system to copying files to I mean, you you do everything   over the SMB protocol. But as soon as you open that 1 protocol up,   you've you've exposed yourself to remote code execution. And it's it's very similar to SSH in that way, I suppose.  

We we like to put better controls around our SSH systems, our Linux systems, I think.  

[00:25:56] Unknown:

So it sounds like it's a combination of both the system itself being a little bit of an easier target, but also somewhat to a larger extent the fact that a lot of the   targeted attacks into an organization   are through phishing, you know, spear phishing or fish general phishing attacks against the actual users behind the terminals and trying to get them to   trying to trick them into doing something foolish that will actually give you a foothold into the organization. Is that correct?  

[00:26:23] Unknown:

Yeah. I I think that that's absolutely correct. Although although I'd say, you know, as I I'm a UNIX guy. Right? I,   given the chance of writing my Python code on Unix or on a Windows system, I'm gonna write it on Unix, make it work,   and then or Linux. Then I'm gonna move it to that Windows target just long enough to make sure that my code works there and then   and then do it. So I'm a I'm a Linux guy. But I'll say that if you look at the the number of vulnerabilities   that   were were   discovered,   released, and   and or exploits released for and patches released for   last year. You know, Microsoft has has done an incredible job, and they continue to get better and   better from, an information security standpoint as far as having a secure   software development life cycle and things like that   and doing code reviews and things like that so so that they are   they're doing a really good job with the operating system itself.  

Also,   the fact that they can control the compiler, the Visual Studio,   the compiler   is building in more and more security controls.   In in in Linux. That's it the the power of Linux is the freedom   that we have and not being locked down with 1 software provider and being able to do just about anything we want to. But that that same freedom   means that we're using   a wider array of   of compilers and software development platforms   and no not standardized patch management processes. And it it does lead to more vulnerabilities in in our Linux platforms than than you see on the Windows platforms last year.   That said,   you're still gonna not more likely a pop a Linux, Windows box than a than a Linux box any day.  



[00:28:13] Unknown:

And this all brings up another interesting point of there's   been a lot of discussion   in Python and in other   dynamic languages about the difficulty of being able to get up and running and actually perform development on Windows systems. So the fact that you're targeting a lot of your code to run on those platforms   and developing it on Linux as you said, it's just   an interesting aspect of this particular industry   where   a lot of the other places that you see and hear about Python being run is generally on Linux and Unix systems.  

[00:28:50] Unknown:

Yeah. I mean, it's   there by default on many many Linux systems.   You know, it's not there on on Windows.   We have to download it, install it, and idle idle is okay.   And it does a pretty good job, but,   you know, I can't take those dotpy programs and just move them to any Windows program and expect them to run. I have to turn it into an executable before I'm gonna   move it around from system to system. You know? Whereas I got my dotpy programs. I can move that to just about   any of my Linux tar   or targets or hosts, things that I'm I'm using on on a network, and it's gonna work there.  

[00:29:29] Unknown:

And does that pose any issues in terms of trying to   keep your dependencies to a minimum as far as being able to package that all up?  

[00:29:39] Unknown:

It does.   So it is very nice to be able to import,   you know, anti gravity and import   request module. You know, the request module is   something that's gosh. That that should be that should be built in. Right? I guess there's there's a lot of it's just so useful. But,   you know, URL lib, URL lib 2, managing cookies with URL lib 2 is is not nearly as easy as it is with the request module. But   I will force myself to use urlib 2 and build opener to to build   my scripts with only built in modules   if it's a script that I think   I might be running on a system other than my own. In other words, if if I think I might gain access to a Linux target inside of an environment,   I am certainly not going to install a Python module   on   a customer's machine and alter the configurations that are there.  

Even though PIP can uninstall,   I'm still not gonna make those changes to to a target system. I I wanna make sure that the things that I move to that target environment are gonna run-in that target environment. So I'll force myself to use just built in modules.   But,   yeah, there there's very few scripts that   I put into that category. Most of the things I can run directly from my machine, like, it's target systems.  

[00:31:01] Unknown:

And I would also think that   by virtue of eliminating the need to download those dependencies, it would also decrease the likelihood of being discovered in the process of placing that code on the target machine.  

[00:31:16] Unknown:

Yeah. I I think that's true as well. Although,   you know, honestly, in   almost all of my penetration tests, I can't even I can't even think of an exception.   Trying not to get caught   is usually   not in scope. I mean, I, you know, I I don't I will usually try to get caught when you get in there. You you gain access to a system, and then you start to do things just to to measure what the the, target   organization's   noise threshold is. How how noisy do you have to be before   their IDS   picks up and figures out that you're there? Because you wanna give them that information so that so that they understand exactly   how clumsy the attacker has to be before they're gonna,   be detected.  



[00:32:09] Unknown:

So will the burglar alarm go off the moment you set foot in the house, or are you gonna have to stand over their bed   and,   bang on a drum in order to get them to wake up and realize that you're there? That's that's kinda funny actually.  

[00:32:21] Unknown:

Actually, that's that's a very good analogy. Yeah.  

[00:32:24] Unknown:

And so continuing this thread a little bit further, what are some of the   legal considerations that you have to   deal with on a regular basis as a penetration tester?  

[00:32:35] Unknown:

Yeah. So you you need to have   a good get out of jail free card so the the organization has to   understand in advance   what you're gonna do. I think even even after having   documents   signed that have been reviewed by lawyers that say, alright. I am going to break into your organization, and I am going   to I am going to steal data that you don't want me to steal just to show you that I can.   And after even after all those documents have been signed,   you still,   in going through these steps, say, okay. I'd like to have a meeting now because now I'm going to do this. You you understand I'm gonna do that. Right? Yes. Yes. Alright. And these are the people that I'm sending this this email to.   And when they click on it, I'm gonna have control of their box because there's ultimately all kinds of things that that can go wrong, you know, in a penetration test.  

And you you have to spend a lot of time   thinking about   controlling the situation.   Mhmm. If I send a link to   20 employees,   you know, what what if they read that web mail or that that email on their their home computer through their web mail account and click on the link there. Mhmm.   The employee didn't give me ax permission   to implant my Python backdoor on their home computer,   So that could be a problem. You know? What if what if, an employee sees the malware or sees the link and then forwards it off to   their their husband or their wife who provides them technical support that says, hey. Do you think this is malicious?   And then someone from another company clicks on that link. All of those are possible   ways that you could get yourself into trouble. I have   I have a couple of stories   that are near misses with with,   the the customer not quite understanding   exactly what it was that we were doing even though you explained it twice and had it in writing where they said, yes. We understand what you're doing.  

So communications   is is important with with that and, you know, having   good legal counsel is is also important for penetration testers.  

[00:34:49] Unknown:

I'll bet. I can I can only imagine   that there are instances where   also, especially if you're dealing with larger clients where the left hand isn't talking to the right? Right? And someone hires you for a penetration test and you do that test and then someone from some other segment of the company   gets all up in arms because as far as they're concerned,   someone let,   let the the fox into the hen house. I can see that getting very hairy very quickly.  

[00:35:15] Unknown:

Oh, yeah. And oftentimes,   it it can be an embarrassment to say a division or something like that within the company that, wait a minute. Someone broke into our systems or or the corporate data was   was compromised because   we didn't patch our systems, and   their   their defensive   the reaction to that is, well, who let this person do this? As opposed to,   you know, something more constructive.  

[00:35:44] Unknown:

Right.   So there have been recently a number of attacks based on hijacking the TCPIP   stack. I know that there are certain things that you can and can't talk about but feel free to, you know, speak in general terms although,   obviously the more specific you can get, the more interesting it'll be for our listeners.   Is Python being used for any of those exploits or tools to defend against them?  

[00:36:07] Unknown:

So I can talk about how Python could be used to defend against something like that. And this comes back to   Python's ability to do data analytics analytics   and and some of the third party modules that are out there. You you take something like let let's say that I wanted to detect   repeated sequence numbers coming into my my organization.   The reason you might do that is if   if, organizations   or an attacker was   anywhere   where he could intercept   communications that you have. So a man a man in the middle attack, as we call it, where,   the attacker is between the source and the destination IP addresses   and can see   the traffic that is flowing back and forth between them. If I can see the traffic that's flowing back and forth between a client and a server,   then I can see all of the sequence information and other information that's that is included inside of the TCP headers   that is used   for session tracking, if you will,   of that that connection. And if I can see that information,   then I can also see those sequence numbers,   or the session information, if you will, and I can retransmit   packets   that have the same sequence numbers.  

And if my packets get there first, well, you're gonna accept my packet. The first 1 well, it depends upon the operating system. Right. Maybe you'll accept the first 1. Maybe you'll accept the last 1.   But you know what? I can transmit multiple times, and I can make sure that I am both first and last.   So that that that would be a typical man in the middle scenario. So if you were trying to just detect   sequence number,   duplicate sequence numbers coming to your host, that that could be done in as simple as, you know, 5 lines of   of of Python code where,   you know, just from Scapy import asterisk and import the Scapy module into your system and then   start   sniffing packets and recording.  

Yeah. Scapy has a has a great,   has a great capability of of pulling together all the packets and put putting them into a list of associated packets, which   if you're familiar with Wireshark   in Wireshark, you   can select a single packet. You can say right click, follow, stream,   and it'll pull together all the packets that are part of that same packet. You have similar capabilities inside of   Python or excuse me, inside of Scapy.   So you could pull together all the packets that are inside of   inside of a stream   with Scapy and then step through them and just   do I have duplicate sequence numbers? Is would be a very quick and easy check for for things like that. So   yeah. But   while you're in there and while you've got skateboarding,   those statistics. You know, you can you can pull together all kinds of information from   the time that a specific   source   communicates with a specific destination.  

And do you have   a host that   establish a TCP communication and then just keep that channel up for long periods of time? Yeah. Most most of our TCP communications   on that occur on a network are pretty short. I establish a 3 way handshake. I'll I'll download some web page and, you know, maybe a couple of get requests. I'm using HTTP 1.1,   and then we'll tear down the the handshake. So,   you know, my my communications might be up for, you know, a couple of seconds.   It's   it's more interesting when you start looking at communications that are up for long periods of time. You know, what when do you have   communications that establish a connection and   perhaps just send out Keepalives for   once an hour or once a day and keep connections up for for much longer period of times. So analyzing data and things like that with with Scapy is,   and Python is is useful bits of data that,   you know, lots of your   traditional intrusion detection systems aren't necessarily gonna look at. You can you look at some tools that are out there that'll do things like that, like Bro and others that are that are useful to you. But, yeah, augmenting those types of tools with Python is is a is a good approach for intrusion detection.  



[00:40:26] Unknown:

Did you say bro, as in hey, bro, don't tase me, bro, kind of thing? Yep. Don't tase me, bro. Okay.  

[00:40:32] Unknown:

Yeah. I believe there's a   is an analytics module like that for, it's an intrusion detection system that does analytics.   And it it it looks for anomalies like that   in your traffic as opposed to being signature based.   It's it's built into,   the security onion, which is a Linux distribution that   has got,   Snort and and other intrusion detection based tools that are all built in, very easy to install. So if you if you never played with Security Onion, it's it's a great distribution for,   for setting up and and looking for attacks on your network and getting it up and running very quickly.   Running systems that would normally take you, you know, weeks   of configuration,   Doug Birx, who created that distribution, has has automated that entire process and made it very simple.  



[00:41:22] Unknown:

Yeah. I believe there was   a floss weekly episode where they talked to some of the gentlemen behind the bro tool.   So we'll we'll put the link to that in the show notes.   So what are some activities that you do on a regular basis for which you would turn to another language tool chain rather than using Python?  

[00:41:42] Unknown:

So,   yeah, I I would say I the other language that I will use is PowerShell,   just because   PowerShell is the Python of Windows. Right? It's it's built in to every Windows system. I got the interpreter sitting right there, or interpreter, if you will. You know, I've got all the commandlets right there, and it's incredibly powerful.   So so PowerShell   is,   I think, is is emerging as   perhaps the   development platform of choice for   offensive tools in the environment. You know, PowerShell scripts are gonna allow you to put   all kinds of things in memory that antivirus software isn't looking for. The PowerShell   interpreter is almost always gonna be whitelisted and allowed   in every environment,   and   antivirus software looking at PowerShell scripts and determining their maliciousness is is,   I think, a while away.  

So   PowerShell is is a is another platform that I'll go to. If I if I wanted to do any type of password   cracking,   you know, p Python's great for password guessing.   So anything that I have to interact with a host on the network and send information back and forth,   hey.   Python, multithreading,   it's awesome.   With password cracking,   where   speed is critical,   obviously, a   a compiled language like c or assembly language is is gonna be   just   a magnitude faster than than Python   doing, you know, very fast encryption cycles and things like that.   So, I'll I'll turn to to see if if I have to do something like that, but pretty much Python is the go to language.  

I'll I'll step out of my Python world and and go to PowerShell when necessary and sometimes c.  

[00:43:36] Unknown:

It's it's actually been very impressive to me. I mean, I'm sure since you've been doing this for a while, it sounds like you've been around from the days when pretty much the only way to automate Windows   was to go to an outside language, a non built in language like Python   or to be stuck writing, you know, dot bat scripts and things like that, cmd.exe   programs which are pretty horrendous.   It really is impressive   how much of,   again, that sort of richness of of introspection   and   configuration   that is available these days in Windows,   they made really really trivial accessible from PowerShell. It's it's 1 of the coolest things to happen in the Windows platform as far as I'm concerned in the last 10 years.  

So I can only imagine that, you know, it's made your job easier as far as accessing administrative interfaces and the like.  

[00:44:27] Unknown:

For sure. For sure. And as as when you know, as more and more environments turn on the WinRM,   capability, so the ability to do   Windows PowerShell scripting remotely to to query lots of targets,   1, from an incident response standpoint, being able to, from 1 centralized console,   pull back the list of all the processes that are running on every target and a list of all the DLLs that are loaded inside of all those processes. And being able to compare them 1 to another, just a a few lines of PowerShell,   incredibly powerful.   From the attacker standpoint, yeah, just the ability to evade antivirus   and the fact that that's   that is   so trivial right now in PowerShell is is it's incredibly useful.  

But, you know, as a as a Python coder, you know, PowerShell is also really nice because, I mean, we use square brackets into our our lists and, you know, hash tables or or dictionaries are are are very similar   in   syntactically as they are in PowerShell. So,   you know, once you get used to all the the pipe pipe pipe pipe pipe stuff that you have in PowerShell,   it becomes,   you know, not not a very difficult translate   transition for Python coders.  

[00:45:40] Unknown:

I bet. I mean, in in definitely object pipelines are really you mentioned all those pipe, pipe, pipe. It's a pretty powerful paradigm. It's it's definitely something, as I say, I'm a Unix guy. I don't use Windows much on a daily basis at all, but I really have have to look at that and say,   Jeffrey Snover and the folks other folks in the PowerShell team,   that's some pretty deep thought that they that they did,   making this product. It's   it's pretty cool and I and I actually think the UNIX community not to say that we should all be running PowerShell, that just doesn't make any sense, but that kind of object pipelining capability,   I think that's a direction that that maybe the other operating system platform should consider moving in the future.  



[00:46:22] Unknown:

Yeah. I mean,   you know, as as Linux guy, I would always turn up my nose to the Windows guys and say, look. You you've got   1 executable   with a bazillion   different command line options that that you can use to do these things. I have I have 1 tool that does 1 thing, you know, and I can pipe the output of that into another thing and, like, cut. And then I can take the output of cut, and I can pipe that into, and it was the the command chaining   in Unix   that and all of these individual tools that really   made it   so automatable and scriptable.  

And then you look at   PowerShell, and they've they've done that. And they've they've   taken tab completion. I mean, you can tab complete the options   on on PowerShell commandlets. And then after you selected your options, you know, if it's something like, you   know, process name, then   you hit tab again, and it actually tabs through a list of all the processes that are running, things like that. So, I mean, they've taken tab completion to the next level.   You know? And   as as much as you'd you'd like to not like PowerShell   as a as a Linux guy when you open up that PowerShell prompt and you accidentally type LS and it actually gives you the directory listing, you're like, woah. What just happened?  

You know, even even they've got the, you know, the directory   listing looks like, you know, your your Linux,   security groups with   the the   everyone group and or the the owner and everyone else and other and all those other things that so it looks like,   you know, the the security or the director listing we would see on Linux.  

[00:48:04] Unknown:

Absolutely.   So for anyone who's interested in getting involved in the security industry and penetration testing in particular,   what resources   or tools would you recommend?  

[00:48:17] Unknown:

Yeah. So particularly from from your listeners, I'll say that   developers   make the best   information security professionals.   I mean, there's   there's a big rush of people coming into the information security   industry now because there's there's lots of jobs and there's lots of opportunities.   But by far, the people that have   a coding background   just   far excel beyond their peers in this industry. If you if you can code, if you can write tools, if you can automate processes, you're gonna do very well in information   security. And just you know, you you understand the language that   of   how our computers think. You know? Once you think like a computer, then you're gonna be able to, you know,   predict how they might make missteps   and how you might be able to   to exploit that or take advantage of that. When I I started out as as as developer,   and then I I started doing systems administration and things like that. And I always think of, my my career evolution has been,   you know, after development, I I started looking at, you know, how   to implement   or or engineer   information   systems in the way that the   people who built or designed the system   intended it to be put together. You know? So I wanna I'm gonna implement   a Microsoft Active Directory. Well, I'm gonna have to Microsoft says I have to have this. Microsoft says I have to have this. And just how do I make all these components work together? So my my step 1 was learn how to build systems   and implement them the way that they were designed.  

And then as I became more senior in the IT field, it was, let me see how I can   implement security systems that go beyond   and make the systems do things   that the people who designed them   never really intended for them to do. So   make it do really awesome new stuff   that's beyond its original design.   And then finally, when when you start doing information security, it's,   well, let   me implement and make these systems do things that are counter to the way that they were originally designed. So let me make them do things that they were specifically intended   not to do.  

And it's really just the next the next challenge, I think. It's the next logical challenge on   how to,   how to really   find interesting and challenging work in,   information security.   And so I think   being a developer, understanding how to start implementing systems,   how to take those systems and go beyond what they were intended to do, and then,   you know, how to make them do things that they were specifically intended not to do   is just the next logical step. There's lots of places for you to learn,   manipulating systems and and, you know, exploiting   misconfigurations   and and design flaws in systems. You know, you got lots of security conferences that go on all over the all over the nation from,   b sides,   security conferences. If you Google b sides, you'll probably find that there's a security conference there, and you're,   not too far from wherever you live in the United States. You know, there's lots of online capture the flags.  

If you go to Google and you type, you know, online,   CTF challenge   hacking,   then   and, you know, let's let's not go there with the, the word hacking and and all the baggage that that in includes.   Just just Google it. You'll come up with lots of interesting challenges   that that'll help you to,   you know, find use critical thinking and come up with interesting ways that you can use code to solve problems. Lots of those capture the flags out there   have programming challenges. Like, I was just talking to a guy today. He he was just doing to capture the flag, and he used Python to, code it. The challenge was this. So you went to a website, and there was an audio   CAPTCHA that   was on there. So, you know, you go to websites and you click the little play button, and it speaks to you. Well, this particular audio CAPTCHA   would   speak numbers,   and so give you a PIN that you had to type into the web page in order to proceed past the web page. The problem was that the the audio captcha was always about 30 seconds long worth of pins,   numbers that you had to type in, and the web page only gave you 5 minutes,   or 5 seconds in order to enter the PIN.  

So you gotta listen to a 30 second message   and type it in in less than 5 seconds.   So the the solution was Python. So you download the audio CAPTCHA or the audio CAPTCHA,   and you just read it in as a binary file,   and then you start you identify the patterns of the ones and zeros inside the m p 3   that alright. Whenever I see this pattern, that is   the audio file saying   1. And whenever I see this pattern, that is the audio file saying   2. So   you access the web page. You download the audio file. You figure out what the PIN is in there, and then you enter the PIN in less than 5 seconds.   And so there's there's programming challenges like that that just require you to to think outside the box and and write code to do it.  

And   they're just they're just great programming challenges, if nothing else, and they're and they're fun. So by learning you know, doing some of those challenges, get involved in the information   security industry.   You know, there's there's lots of   of opportunities for meetups, and most of the information security professionals that are out there   are eager to meet new people and and, you know, talk shop   and and and teach people who,   want to come into the industry.   Of course, if I can   give a plug for my own my own course, I do teach a class for SANS.   I wrote a course called Python for Penetration Testers, SCC 573,   where, you know, if you're a Python coder and you just wanna learn how to start building tools and applying it to,   to information security, you can,   come there. We'll we'll build backdoors. We'll build SQL injection tools   and and password guessers   and,   and some network reconnaissance tools and things like that as well.  



[00:54:35] Unknown:

Now is that an in person course that you actually have to travel somewhere to take, or is that like an online thing? Or  

[00:54:41] Unknown:

It is an in person course. It's, offered as a 5 day class. We, teach it at various places around the country.   You can you can go to sans.org if you wanna, find a class and where it's being offered,   but there is no online opportunity for that. I 1 of the reasons for that is I think that if you   want to learn Python or if you just wanna learn hacking, there's there's lots of,   free resources that are out there   for for that that you can go online. You can find online resources to do that. So 1 of the things that I try to do in this course to to differentiate you is is to add that instructor led content, the opportunity to ask questions, to to work together on challenges.   And, there there's some interesting capture the flags and things like that that go on throughout the class with with challenges similar to the audio challenge that I mentioned and other things that that we have to solve together in class as we as we start from scratch and start building these tools up together.  



[00:55:40] Unknown:

That's that sounds great.   That sounds that sounds really neat. It's it's 1 of the things I I can absolutely see where the in person element could really help because   I've sort of been   becoming more interested in security of late myself, and I've been trying to go from I I build infrastructure by day doing lots of infrastructure as code stuff,   and chef and other things.   And and I came to realize, you know, I should be I should be more clueful about building these systems in a secure way.   So I've been trying to educate myself a little bit. And   it's interesting because the the amount of info there's a lot of information out there, but it seems very targeted and focused and a lot of it seems to be very sort of   aimed at at kind of 1 demographic and and and 1   1 particular   niche. So it sounds like this could be a really interesting opportunity to sort of generalize those skills   and and actually also apply it to some real world  

[00:56:39] Unknown:

challenges as well. That's great. Yeah. Well, let let me clarify and say that,   my course   is not   how to develop   secure code. You know, there's certainly some things that we should we should, think about as as coders with   I mean, Python is a type safe language. Right? So we don't really have to worry about   us creating   memory corruption vulnerabilities like buffer overflows and things like that in our code. We can we can certainly make   logical errors and introduce   things to our code that make us vulnerable just by unsafe practices and   you know, don't use input. Use raw input. Right.  

But   but, you know, underneath, you know, Python still relies on c in many cases. And, you know, just last year, March 2014, we had a buffer overflow in the socket module.   You know, when when you called receive from underscore into,   there's a buffer overflow in that. So we're not immune to attack, and there's some certainly some things that we should do   as coders to make sure that our code is secure,   you know, analyze input,   make sure that it's of   a proper length and things like that.   But that's not the focus of my class. My the focus of my class is   how we can use Python   in an offensive capability   to test   the security of our code.  

So we're we're looking to attack other things with Python,   not to attack Python.  

[00:58:08] Unknown:

Right. Right. Right. Right.   So,   obviously, your your course sounds like a really incredible opportunity. And and so for those people who are able to come take it, that sounds like   the best approach.   But for those people who, for whatever reason, their bosses aren't willing to pay or they can't travel or whatever other restrictions there may be, are there any other books or online resources that you like to recommend to people that that that, you know, are in that same vein?  

[00:58:35] Unknown:

Yeah. So   a good friend of mine, TJ O'Connor,   he wrote a book called Violent Python.   Mhmm. Violent Python is   it's it's a cookbook of all kinds of things you can do with Python from writing password guessers to tools that evade antivirus software to forensics capabilities, so analyzing,   you know, memory captures and things like that with with Python.   It's a it's a great resource.   You know, there's,   there's all kinds of free online capture the flags   that are out there from from an information   security standpoint. Assuming you already know Python. I mean, if you're   I'm assuming all your listeners already know how to code in Python. But, of course, you know, there's there's Google's Python class and, you know, there's   all kinds of universities that have free online Python classes and things that are out there. Once you know Python,   there's great capture the flags. Like, there's, counter hack challenges.  

Counter hack challenges is a website. You can go out there, and they're they're going to have all kinds of security challenges.   There's PICO CTF, p I c o c t f, which is another capture the flag that   has   security related challenges, many of which require that you write some code in order to solve them.   And and like I said, just googling online,   CTF or hacking CTF   will take you to lots of those, particular websites.  

[00:59:54] Unknown:

Well, that's great. So is there anything that we didn't ask you that we think you think we should have, like, something that that you think our our listeners might find particularly interesting that you might have to share?  

[01:00:07] Unknown:

No. Let me ask you guys. 27 or 3?  

[01:00:11] Unknown:

3 whenever possible. Yeah. Yeah. Absolutely.   Absolutely. I think that's exactly it. For anything greenfield, it's 3.   For code existing code bases or or where 3 modules are not available in 3, then, yeah, 279.  

[01:00:26] Unknown:

279. And make sure to make heavy use of from future import, whatever you need.  

[01:00:32] Unknown:

Yeah. Okay. Alright. I I would say   I agree with you   in   theory.   I'd say most many of my Python, modules that I use, particularly in the information security industry,   were still on 2 7.   And and I rely heavily on lots of 2 7, so I end up spending a lot more time in 2 7 than I should. And that's where the when possible  

[01:00:57] Unknown:

caveat comes into play.  

[01:00:59] Unknown:

Yeah.   But   I I agree with you in principle.  

[01:01:03] Unknown:

So are most of those Win 32 based modules, or are they are they just general modules that haven't been ported yet?  

[01:01:10] Unknown:

I would say it's it's,   more the latter. More modules that haven't been ported yet.   Very large code bases that are out there that, you know, do lots of great things, and it just takes a lot of time.   And, you know, until   until there is   a very compelling   reason that says, alright. No. Really. Really, it's going away.   That, you know, you've got developers that are just not gonna wanna  

[01:01:36] Unknown:

migrate their code sets. Right. I think we're getting there, though. Like, I think, you know, red both Red Hat and Debian or maybe it was just Debian or an Ubuntu, pardon me, have said that they're gonna be shipping Python 3 as their default   Python   in their new releases that are that are coming down the pike.   And in at least 1 case, I know they they basically have said, we're not gonna ship 27 by default at all. You have to explicitly install it if you want it. So I think that while the the, you know, the needle is still definitely pointing in 27 LAN largely now, I think that we're on the very the cusp of that changing   and the pressure to to to actually move   is building. And I think I think you're gonna see the number of modules where that's the case   dwindling over time.  



[01:02:23] Unknown:

And we've got a 5 year deadline.  

[01:02:26] Unknown:

Yeah.   Yeah. I hope you're right. I I hope you're right. I think you're   right.  

[01:02:31] Unknown:

I think so too because it's not like this is like a pearl 6 thing. You know what I mean? Like, it's not like they said, hey, we're gonna turn reality on its ear and completely reinvent the language and get into all kinds of really wacky   gymnastics.   There yes, there are some big changes, but none of them are like mind bending earth shattering.   This is nothing like everything you know is wrong   kinda changes. They're all sort of like these,   you know, yeah. I can deal with that when it come when push comes to shove. Most of them anyway.  

[01:03:02] Unknown:

Yep. I agree.  

[01:03:05] Unknown:

So that's great. So at this point in time, this is where we do what we what we call picks. Tobias, why don't you start us off?  

[01:03:13] Unknown:

Sure.   So my first pick tonight   in the vein of security is going to be Authy, which is a 2 factor authentication application that is available for iOS, Android,   and few other places. It's got a Chrome plug in.   And I've been using that and steadily moving a lot more of the online services that I used to using 2 factor authentication   largely because of the convenience that it grants, particularly the fact that it has a browser plug in. So it's not always tied to your phone. So while that does   decrease the level of absolute security that you get from it, it makes you a lot more likely to use it. So in the general sense it does increase your security.   And my next pick   is OpenWRT   which is an open source and freely available firmware   for wireless routers and other embedded systems.  

And it's essentially a stripped down Linux system with its own package system,   and I use it for my Wi Fi routers. I will only buy a Wi Fi router if I can install OpenWRT   on it. And I actually just recently got a new router, the Archer C 7 from TP Link,   which is a wireless AC router that actually supports   it is supported by OpenWRT.   My next pick is a really excellent talk that I watched recently called schemas for the real world by Carina c Zona,   And she's presented it in a number of different venues and over the over the past few years. The most recent of which was at PyCon 2015.   And it is a discussion of   a lot of the different   ways that as we design   as we design and build software, we are   influencing   the ways that people can actually   think about themselves   in relation to that software   largely in terms of the different input fields we provide. So 1 example is   a gender input where usually we provide male or female, but there are a number of people who may be put off by that because they may not necessarily identify by those strict binary   conceptions   and just really excellent   excellent take on how we can think more deeply about what we build and how that affects the people who use it. And   in a similar vein, another really excellent talk that I watched was The Soul of Software by Avdi Grimm,   where he talks about,   again, how our perceptions   and thoughts   go into the software that we build and how that gets reflected back up into the people who use that and how we should be a lot more mindful   about   how we approach building software and the different considerations that we make while building it.  

And my last pick is 1 of my favorite authors, China Miebel.   He is   a   sort of sci fi fantasy author. He's he's really   he defies   categorizing into a strict genre because his   works are just so   incredibly unique and he has a really excellent command of language. So I highly recommend that you read anything that he writes.   Chris, go ahead.  

[01:06:27] Unknown:

Very cool. I just have to say, I I, you know,   the that Avdi Grin talk, I am just a card carrying Avdi Grin fan. His his work is is phenomenal. I've been following it for years.   As I mentioned previously, the Ruby Rogues have been on that for quite a while. I actually still subscribe to his RubyTappas   screencasts   just because I've learned so much about   software development   from them. And and his blog is great. Like basically anything he writes,   any code, pros,   you know, that he writes, screencasts that he makes, I I I can't recommend them highly enough. It's all great stuff.   Okay. Anyway,   my picks. 1st, I'm going to pick a beer because I like really good beer.  

It's a beer called, Munich Dark by Rapscallion.   They're actually a a kind of a a sub label, I don't quite know what to call it, of Concrete Brewing here in Concord, Massachusetts.   It's just a really good   dark beer. I I I get the impression that it was kind of like a special batch kind of thing. I saw it at 1 of the pubs around here. It was just a really tasty malty   dark ale. I highly recommend it.   My next pick is going to be an application called Write.   And this is basically the note taking Swiss army knife application for   Mac and,   and also iOS, you know, mobile devices.  

I had kinda struggled for for the last several years with various note taking applications and methodologies.   And, you know, I had never really quite found 1 that fit. Notational Velocity, it's an open source note taking app, is really kinda nice but it's kinda fallen into   it's no longer maintained very well and it's kinda flaky.   And and write sort of does everything that all these do and   more, and it backends to Dropbox.   So I even still have access to my notes in emacs or vim or or, you know, whatever other tools I'm   in. It's just it's it's excellent. The interface is great. It it gets out of the way. It supports markdown   inline,   which is really nice.  

So I can I can format my notes that way and and add links and the like?   It's just great.   My next pick, and I apologize I have more than my usual round of picks but what can I say, it's been a a week for finding things   I guess, is a place? It's the marginal way. It's in in Agungkwa,   Maine,   which is a beautiful little seacoast town in Maine. If you've never been there and you're in the the east eastern seaboard, I highly recommend you check it out. And the marginal way is, from my perspective anyway, 1 of the most romantic places on earth. It is a perfect sort of like date spot into where I proposed to my wife. It's this path,   carved into the side of a cliff overlooking the ocean in a gunkuit. And it is just gorgeous. I tried to find a really good sort of online site with pictures and the truth   is none of them even come close to actually seeing it in person. It's breathtaking.  

My next pick is a restaurant also in Agungkuit called Frankie and Johnny's. It is a 1 of the sort of, you know, Frankie and Johnny's. It is a 1 of the sort of, you know, farm to table kind of places,   but it's phenomenal. I I'm usually a   slavering carnivore. Like I generally think of salad as something that my food eats. But, these folks make salads that I would run a mile for. It's just a great place. They're in Cape Nenik, Maine, right next door to Ogunquit.   And my last pick, a Python pick for a change. I don't always have a Python pick because the truth is I've only been using it for 6 months and I'm still kind of a noob, is a tool called pyenv.   For those folks who who work in Ruby, it's it's not unlike rbenv and the like.  

It lets you build and manage different Python   versions   for your development, you know, workstation machine. And it also integrates it has a virtual end plugin that goes with it so that as a for instance, you know, when you cd into your project directory, pyenv will actually switch to the appropriate   installed version of Python for that project.   It's really cool and and I found it to be indispensable   for working on different things with different versions of Python.   And, and if you're on a Mac, it's easily installable with Homebrew, so it's kinda no must, no fuss, just drop it in and it works.   That's it for me. That's plenty enough. Mark, please go ahead.  



[01:10:56] Unknown:

Labs impacket,   which is a Python module, I find indispensable.   It's got, you know, the ability to craft packets as well as communicate over SMB, talking to Windows targets, and   logging in with pass the hash, and it's got, some built in attacks like the SMB relay attack and other   really cool attacks.   I also love Google's   recall module, which is a memory analysis module.   It also comes with a a device driver called winpmem   that you can install.   And once you've installed winpmem, you can just, from Python, directly,   access and,   read all all the memory that you have in your system from from kernel space memory to user space memory, and you can analyze   exactly what's being placed into memory and, determine whether or not your applications   are really   storing that   sensitive data in an encrypted format in memory or whether or not they just say they are.  

Let's see. Some pics. How about this? How about   Adam's peanut butter, cup fudge ripple cheesecake from the Cheesecake Factory that cost me £5   around my waist last week while I was traveling   and staying at a hotel right next to The Cheesecake Factory. I hate you.   Let's see.   B sides security conference. The Augusta, Georgia is having a a b side security conference on September 12th.   We've got, all kinds of great keynote speakers,   and normal speakers set up already. It's gonna be an awesome event. So if any any of your listeners are in the Augusta, Georgia area, check us out at besides   25th or besides Augusta 2015,   and you'll you'll be glad you did.  



[01:12:40] Unknown:

We just had a b sides in Boston, I think, last weekend. I think it was while I was away, in fact. So I  

[01:12:53] Unknown:

alternate conference at DEFCON   and then,   but it's grown into so much more. You you're gonna see your it you're gonna hear the a side talkers at many of the,   b side conferences,   around the country.  

[01:13:08] Unknown:

Very cool. So, Mark, how can our listeners keep in touch and follow what you're writing and thinking and producing?  

[01:13:14] Unknown:

There's always Twitter,   at markbaggett, 1 word, markbaggett.   I blog in various   locations,   but, I usually try to record links to the various blogs that I post to   on my corporate web page, which is in-depth defense.com.   You'll you'll see a list of of articles and things like that that I've posted to there.  

[01:13:43] Unknown:

Great. Well, we wanna thank you very much for taking the time to come and talk to us today. It's been a really interesting discussion, and I'm sure our listeners will come away learning a lot more than they ever thought they would about security.   So thank you very much,   and,  

[01:13:58] Unknown:

yeah, we just really appreciate you taking the time. Yeah. Well, thanks for having me. I enjoyed it.