Python for Network Penetration Testing: Best Practices and Evasion Techniques
Being stealthy is one of the most important aspects of a network penetration test. There will often be intermediary devices like IDS and IPS which can trigger alerts if there is any malicious traffic detected. Defenders often choose to block source IP addresses to stop some of these attacks. Similarly, some administrators use MAC address filtering as a way to block or allow clients in their network. This article discusses how some of the evasion techniques can be employed using Python during a network penetration test.
The importance of stealth in the pentesting process
During a penetration test, we often begin the process using reconnaissance tools such as nmap, which is largely noisy and non-stealthy. Tools like this can get picked up by devices such as firewalls and IDS. There are other scenarios where a red team operator drops a payload on the victim’s machine, which can get picked by the Anti Virus or EDR solution. To avoid these, it is important to perform activities such as reconnaissance without triggering alerts to the defense teams and thus offensive teams usually employ techniques that will bypass the defense mechanisms.
Learn Python for Pentesting
How, why and when you should change your MAC or IP address during a pentest
Coming specifically to network scans using tools like nmap, these scans are done using a three-way handshake to find out TCP ports. A three-way handshake includes the following sequence before establishing a TCP connection.
- The client sends a TCP packet to the server with the SYN flag set
- The server responds to the client with a TCP packet with the SYN and ACK flags set if it says a probed port is open
- If the port is closed, the server will respond with a TCP packet with the RST flag set
- In case the port is open, the client will respond to the server with an ACK
When this sequence of steps happens on a large number of ports from the same source over a short period of time, that is a red flag and it may be detected as a malicious attempt. So, it is important to stay undetected as we perform such activities within a network.
There are several techniques used by security professionals to stay undetected in a network and one of those techniques is spoofing. If an attacker knows that there are known IP addresses or MAC addresses that are whitelisted in the network, he/she can impersonate that whitelisted known address.
When IP addresses are spoofed, the traffic being monitored will appear to originate from a trusted source even though it is originating from the attacker.
Some administrators use MAC addresses in places like Wi-Fi captive portals to determine if the user is authenticated. A malicious user can spoof a known whitelisted MAC address to bypass authentication. The MAC address spoofing can also be seen in ARP spoofing attacks to stay undetected within the network.
IP Spoofing using Python:
Python allows us to modify traffic at packet level, which provides us with the ability to spoof the source IP address in the network traffic. This can be achieved using the popular python module scapy. The following python script is the simplest example to demonstrate ip spoofing.
#!/usr/bin/python3
import sys
from scapy.all import *
source = "192.168.21.1"
destination = "192.168.1.23"
packet = IP(src=source, dst=destination) / ICMP()
resp = send(packet)
if resp:
resp.show()
As we can observe in the preceding excerpt, a source ip address setup to ping the ip address specified in variable destination. We are crafting this packet and sending it into the network using the function send(). The following excerpt shows the output of this script with response printed.
.
Sent 1 packets.
#
As shown in the following figure, Wireshark was used to capture the network traffic when this script is run.
As we can observe in the preceding figure, the network packet contains source and destination ip addresses as specified in the python script.
MAC address spoofing using Python:
Spoofing mac addresses on a given interface is as easy as running few operating system commands. This can be automated using python’s subprocess.call(). Python’s subprocess.call() allows us to execute OS commands using the python program. The following sample script shows how one can change the mac address of an interface.
import subprocess as sub
interface = "eth0"
new_mac = "08:00:27:02:3a:71"
sub.call(['sudo', 'ifconfig', interface, 'down'])
sub.call(['sudo', 'ifconfig', interface, 'hw', 'ether', new_mac])
sub.call(['sudo', 'ifconfig', interface, 'up'])
Following is the original mac address on the interface eth0.
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.108 netmask 255.255.255.0 broadcast 192.168.0.255
ether 08:00:27:02:3a:72 txqueuelen 1000 (Ethernet)
RX packets 321 bytes 48605 (47.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 145 bytes 17121 (16.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
After running the python script, the mac address is changed to the new address as specified in the script. This is shown below.
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.108 netmask 255.255.255.0 broadcast 192.168.0.255
ether 08:00:27:02:3a:71 txqueuelen 1000 (Ethernet)
RX packets 321 bytes 48605 (47.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 145 bytes 17121 (16.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
As mentioned earlier, changing the mac address on a given interface just requires a few commands.
Learn Python for Pentesting
Conclusion
In this article, we have gone through some simple examples of how python can be used for evading detection during a pentest process. While these scripts are simple and intended for beginners, there are more advanced evasion tools written in Python, which demonstrate the power of Python scripting in employing evasion techniques. The Veil framework written in Python is one such example, which is used to bypass Anti Virus software.
Sources
- Python for Offensive PenTest: A Practical Guide to Ethical Hacking and Penetration Testing Using Python Book by Hussam Khrais - https://www.amazon.com/Python-Offensive-PenTest-practical-penetration/dp/1788838971
- https://github.com/oddcod3/Phantom-Evasion
- https://www.fireeye.com/blog/threat-research/2017/03/_antivirus_evasionr.html
Learn Python for Pentesting
Get in-depth experience using Python for penetration testing with four hands-on courses. What you'll learn:- Basics of Python
- Exploiting vulnerabilities
- Network pentesting
- Web application pentesting
- And more
In this Series
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding