Episode 8 – Mark Baggett on Python for InfoSec

Read all of our show notes and find more information about us at Beautiful Soup

Brief Introduction

  • Date of recording – May 28th, 2015
  • Hosts – Tobias Macey and Chris Patti
  • Overview – Interview with Mark Bagett
  • Follow us on iTunes, Stitcher or TuneIn
  • Give us feedback! (iTunes, Twitter, email, Disqus comments)
  • You can donate (if you want)!

Interview with Mark Bagett

  • Introductions
  • How were you first introduced to Python? – Chris
    • Started using it for automating tasks while working as a sysadmin
    • Found code that launched an attack on FTP server – in Python
  • What are some of the tasks in your job that you use Python for? -Tobias
    • Trusted command & control backdoor for Windows
      • Mostly not used by malware authors – thus far (at least Mark hasn’t seen it used that way)
      • Flame virus – 5MB payload – incredibly advanced
        • Lua interpreter bundled along with the scripts
      • Vale framework – Python framework that takes payloads out of penetration testing executables
  • What is it about Python that makes it useful for penetration testing and other information security tasks?
    • Same thing that makes it useful for anything else
    • mpacket from core security
  • What are some of the more useful Python penetration testing tools?
  • We’ve noticed that a lot of the literature around information security and penetration testing focuses on targeting Windows. Can you enlighten us as to why that is?
    • Windows event tracing
      • logman
      • event trace providers – implement packet sniffing (Can turn every browser into a key logger)
    • Primary attack surface – Where most attacks are targeted
    • Fewer purely Linux systems
      • Very few ports open – maybe 80, 22
      • Very likely no user just sitting there waiting to run an executable you send
    • More freedom on Linux – less formalized patching process, more variable tools = more exploits
    • Will write code to only use built in modules for Python that will run in customer target environments
  • What are some of the legal considerations that you have to deal with on a regular basis as a penetration tester?
  • There have recently been a number of attacks based on hijacking the TCP/IP stack. Is Python being used for any of these exploits or tools to defend against them?
    • Data analytics
    • Detect repeated sequence numbers – Man in the Middle Attack
      • As simple as 5 lines of Python code
      • import scapy, start sniffing packets, pull together all packets – make list of associated packets
      • Can pull together all packets inside of stream
      • Time spefic source communicates with specific destination
      • Bro – intrusion detection suite
        • Built into Security Onion – Doug Berks
        • FLOSS Weekly episode 296 with Bro developers
  • What are some activities that you do on a regular basis for which you would turn to another language or toolchain, rather than using Python?
    • Powershell – The Python of windows
      • Whitelisted and ubiquitous
    • Password cracking – compiled language like C or assembly
  • For anyone who is interested in getting involved in the security industry, and penetration testing in particular, what resources or tools would you recommend?
    • Developers make the best InfoSec professionals
      • Lots of jobs and opportunities
    • Developer -> Systems Administration -> Information Security
    • Security conferences – BSides, Defcon, Black Hat
    • Online capture the flag challenges (google it) – good practice for critical thinking and using code for security exercises
    • Get involved in the industry – Meetups, etc.
    • SANS institute course, Python for Penetration Testers, SEC573 by Mark Baggett – sans.org
    • Lots of free online resources
    • Violent Python
    • PicoCTF
    • Counter Hack Challenges

Picks

Keep in Touch

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA