Talk Venue: BSides Tampa 2020 Speakers: Mike Felch & Joff Thyer This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.

1. Offensive Python
for
Pentesting
Mike Felch, Joff Thyer

2. Who are we?
• Mike Felch
• Vuln Research/Exploit Dev/Reverse Engineering
• Black Hills Information Security
• Established circa ‘99 in the lost underground
• Joff Thyer
• Security Researcher, Pen Tester, Developer
• Black Hills Information Security
• Certified SANS Instructor of SEC573 - Automating Infosec with Python

3. What are we covering?
• Attacking Cloud
• AWS
• Google
• Microsoft Azure
• Writing Malware
• Evasion
• Injection
• Execution
• Ways to weaponize
• Libraries
• Tooling/Frameworks

4. Attacking Cloud

5. Attacking Cloud: Overview
• Infrastructure AND Services
• SaaS Platforms: O365 vs G Suite
• IaaS Platforms: AWS vs Azure vs Google
• Overlooked rich attack surfaces
• Customer: “We don’t use Azure, just O365”
• Pentesters: “.. but we need DA!”
• Developers: “Oops.. I checked in my .aws folder.”
• Major providers released an SDK/API

6. Attacking Cloud: Auth Flow
Standard Auth Flow
• Creating a client
• Need authorization to authorize
• Need access token to resources
• Auth on behalf of victim
• ….
• Profit!

7. Attacking Cloud: AWS
Boto 3: The AWS SDK for Python
• Client:
• Low-level AWS access
• Maps 1:1 to AWS services
• Most (all?) operations supported
• Resource/Sessions
• CRUD-like Operations
• Enumerate all the things..
• 219 services supported!
Resource: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html

8. Attacking Cloud: AWS
• SDK: pip install boto3
• Auth is easier w/ awscli installed
• Requires access key & secret access key
• Leak via SSRF
• Source-code repos
• Hard-coded credentials
• Commonly misconfigured
• S3, EBS, EC2, SQS, Lambda, IAM, etc

9. Attacking Cloud: AWS
Searching S3
• public?
• ro vs rw?
• data!

10. Attacking Cloud: AWS
Dump Secrets
• creds
• API keys
• SSH keys
• binaries

11. Attacking Cloud: Google
• API Client: pip install oauth2client
• Requires registering your app
• Save the token.json
• Auth is easier w/ logged in web session
• Cache to credentials.json
• Search files, pilfer email, and add backdoors
• GMail, GDrive, Calendar, etc
• Compute SDK(s):
• https://cloud.google.com/python/setup
Resource: https://oauth2client.readthedocs.io/en/latest/

12. Attacking Cloud: Google
Backdoor
• Persistence
• Full access

13. Attacking Cloud: Azure
• SDK: pip install azure (or individuals)
• Auth is easier w/ az cli installed
• Prompts web session for authorization
• Just a bunch of API’s wrapped
• Enumerate resources
• Breaks services into smaller libraries
• AzureAD, Storage, KeyVault, VMs, etc
• Dump Users, Groups, Memberships
Resource: https://docs.microsoft.com/en-us/azure/python/

14. Attacking Cloud: Azure

15. Attacking Cloud: Azure
AzureAD
• Users
• Groups
• Devices
• Memberships
• SPN’s

16. Attacking Cloud: Azure
Freebie!
• Portal access
• Enabled by default
• More attack
surfaces
• Just auth.. :)

17. Writing Malware

18. Writing Python Malware
● Evasion
○ Evading AMSI: Stripping PowerShell
● Injection
○ Injecting shellcode wi/ custom Python
● Execution
○ Creating an EXE from a Python script

19. 1)Evading AMSI: PowerStrip.py
● PowerShell detection by Anti-Malware Scan Interface (AMSI)
● Can be suboptimal and annoying on a test
● Evasion?
○ Invoke-Obfuscation by Daniel Bohannon is amazing
○ But… you really don’t have to go that far.

20. PowerStrip.py
● What if we just stripped comments, and changed a few applet
names? No really… not kidding.
● https://github.com/yoda66/PowerStrip

21. No obfuscation = :(
● BUMMER!!!! AMSI busted me...

22. After PowerStripping...
● https://github.com/yoda66/PowerStrip

23. Hack on and profit..
● And we only stripped the comments out.

24. Once again with stutter!

25. Applet Name Stuttering

26. 2) Python Malware
● Python has access to Windows kernel32 DLL calls through the
“ctypes” module
○ Setting up the correct kernel32 DLL calls is a painstaking process.
● You can leverage this to run a shellcode of choice.
○ msfvenom, or cobalt strike generated shellcode for example.
● There are a huge number of different process injection techniques.
● There is a lot of BAD code floating around the Internet.

27. Steps for shellcode injection
● Three fundamental steps no matter whether you are creating a
thread locally, or in remote process
○ Allocate Memory
○ Copy Shellcode to allocated memory
○ Create a running thread of code
● Notes:
○ We will not be using reflexive DLL injection which typically involves using
LoadLibraryA() from DLL on disk.
○ Remote process injection requires opening a remote process handle
○ We will not address “Process Hollowing” either.

28. Injection: Memory Allocation
● Limited number of choices of kernel32 API call
○ VirtualAlloc()
■ allocate memory within same process
○ VirtualAllocEx()
■ allocate memory in a remote process
○ HeapCreate() then HeapAlloc()
■ allocate memory from heap within same process

29. Injection: Copy shellcode
● Two basic choices
○ RtlMoveMemory()
■ for local in-process activity
○ WriteProcessMemory()
■ for remote process activity
● Note: “ctypes” under Python3 will not allow you to copy a payload
with NULL “x00” characters within it.
○ This nearly drove me nuts. As much as I hate to say it, use Python2 for now.
○ Alternative: Encode your shellcode but this has ramifications

30. Injection: Starting Thread
● Three possibilities
○ CreateThread()
■ in local process only
○ CreateRemoteThread()
■ in remote process
○ QueueUserAPC()
■ in remote process.
■ interesting variant...

31. Matching API Arg Types
● if you don’t do this, then the API calls will all assume a Windows
MFC INT type, and you will fail.
○ Make sure to use “from ctypes.wintypes import DWORD, HANDLE … “
○ This example as part of a Python Class. (yes I learned the hard way)

32. Same Process Example

33. Remote Process Injection
● You first need to find a process!
● Python “psutil” module is helpful and well… “svchost.exe”

34. Remote Process Injection Steps
● OpenProcess() - open the remote process handle
● VirtualAllocEx() - allocate memory within process
● WriteProcessMemory() - write shellcode to memory
● VirtualProtectEx() - change to READ_EXECUTE only
● CreateRemoteThread() - spin up remote process thread
● VirtualFreeEx() - free Virtual Memory
● CloseHandle() - close remote process handle

35. 3) Create EXE from Script
● A number of different methods
○ PyInstaller
○ Py2EXE
○ Possibly IronPython but its maintenance is lagging
● Pyinstaller install with “pip2” for Python2
C:> pip2 --install pyinstaller
C:> pyinstaller.exe --onefile scriptname.py
● Resulting EXE will be within “dist” directory.

36. PyInjector Demo
● https://github.com/yoda66/PyInjector
● DEMO TIME!

37. Ways to Weaponize:
Libraries

38. Libraries: Networks
● C2/DNS: socket
● Port scan (nmap wrapper): python-libnmap
● Packet Manipulation: scapy
● Packet Crafting/Parsing: dpkt
● PCAP interaction: pcapy
● Live host discovery: ping3
● Network Protocols: impacket
● Exploit Development: pwntools

39. Libraries: Windows
● Win32 API: pywin32
● DLL/Shared Libraries: ctypes
● Windows Management Instrumentation: wmi
● Windows Remote Management: pywinrm
● PowerShell Remoting: pypsrp

40. Libraries: Web & Cloud
● Internet recon: shodan
● Web requests/Password attacks: requests
● Attacking hipster web: requestium
● Parsing/Querying HTML (BeautifulSoup4): bs4
● Cracking JSON Web Tokens: jwt
● Parsing SQLite: sqlite3
● Processing XML/HTML: lxml
● AWS: boto3
● Google Cloud: google-api-python-client
● Azure: azure

41. Ways to Weaponize:
Tooling/Frameworks

42. Tooling/Frameworks
● ScoutSuite: https://github.com/nccgroup/ScoutSuite
● SilentTrinity: https://github.com/byt3bl33d3r/SILENTTRINITY
● FireProx: https://github.com/ustayready/fireprox
● CredSniper: https://github.com/ustayready/CredSniper
● Recon-ng: https://github.com/lanmaster53/recon-ng
● Veil: https://github.com/Veil-Framework/Veil

43. Go Get Started!
● pymeta.py
● powerstrip.py
● pyinjector.py
● pivot_winrm.py
● cloud_aws_s3.py
● cloud_aws_secrets.py
● cloud_azure_ad.py
● cloud_gsuite_backdoor.py
● cloud_gsuite_email.py
● crack_jwt.py
● live_host_discovery.py
● live_port_discovery.py
● passwords_attack.py
● pivot_psremoting.py
● pivot_wmi.py
● shodan_search.py
● socket_c2_client.py
● socket_c2_server.py
● web_brute.py
● web_robots.py
● web_sniff.py
● web_spa.py
https://github.com/ustayready/python-pentesting
Here’s some motivation...

44. End Slide
• Mike Felch @ustayready
• Joff Thyer @joff_thyer
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Python Goodies!
• https://github.com/ustayready/python-pentesting
• Questions?