
Python for Network Penetration Testing: Best Practices and Evasion Techniques

December 21, 2020 by Srinivas

Being stealthy is one of the most important aspects of a network penetration test. There will often be intermediary devices such as an IDS or IPS that raise alerts when malicious traffic is detected, and defenders commonly respond by blocking the offending source IP address. Similarly, some administrators use MAC address filtering to allow or block clients on their network. This article discusses how some of these controls can be evaded using Python during a network penetration test.

The importance of stealth in the pentesting process

During a penetration test, we often begin with reconnaissance tools such as nmap, whose default scans are noisy and easily picked up by firewalls and IDS. In other scenarios a red team operator drops a payload on the victim's machine, which can be picked up by antivirus or an EDR solution. To avoid this, it is important to perform activities such as reconnaissance without triggering alerts for the defense team, so offensive teams usually employ techniques that bypass these defense mechanisms.

How, why and when you should change your MAC or IP address during a pentest

Coming specifically to network scans with tools like nmap: TCP port states are discovered by starting the TCP three-way handshake with each probed port and observing the reply. The handshake normally runs through the following sequence before a connection is established.

  • The client sends a TCP packet to the server with the SYN flag set
  • If the probed port is open, the server responds with a TCP packet with the SYN and ACK flags set
  • If the port is closed, the server responds with a TCP packet with the RST flag set (no reply at all usually means a firewall dropped the probe, which nmap reports as filtered)
  • For an open port, the client completes the connection by responding with an ACK; a half-open (SYN) scan such as nmap's default -sS instead answers the SYN/ACK with an RST, so no full connection is ever established

When this sequence repeats against a large number of ports from the same source within a short period of time, it is a red flag that an IDS can classify as a port scan and a defender can act on by blocking the source. So it is important to stay undetected while performing such activities within a network.

There are several techniques security professionals use to stay undetected in a network, and one of them is spoofing. If an attacker knows that certain IP addresses or MAC addresses are whitelisted in the network, they can impersonate one of those known addresses.

When the source IP address is spoofed, the monitored traffic appears to originate from the trusted address even though the attacker sent it. The trade-off is that replies are routed to the spoofed address, not to the attacker, so a spoofed source cannot complete a TCP handshake on its own. Spoofing is therefore useful for one-way traffic (decoy scans, ICMP or UDP probes, floods) or when the attacker sits on the same segment and can sniff the replies. Routers that apply ingress filtering (BCP 38) will also drop packets whose source address does not belong to the network they arrive from.

Some administrators use MAC addresses in places like Wi-Fi captive portals to decide whether a client is authenticated. A malicious user can spoof a known whitelisted MAC address to bypass that check. MAC address spoofing is also seen in ARP spoofing attacks as a way to blend in and stay undetected within the network.

IP Spoofing using Python:

Python allows us to craft traffic at the packet level, which gives us the ability to set an arbitrary source IP address in the IP header. This can be achieved using the popular Python module scapy, which must run as root because it writes to raw sockets. The following Python script is the simplest example of IP spoofing.

cat ip-spoof.py

#!/usr/bin/python3
# Requires scapy and root privileges, because scapy writes to raw sockets.
from scapy.all import IP, ICMP, send

source = "192.168.21.1"       # forged source address
destination = "192.168.1.23"  # host that will receive the echo request

# Build an ICMP echo request whose IP header carries the forged source.
packet = IP(src=source, dst=destination) / ICMP()

# send() transmits at layer 3 and returns None. Any echo reply is addressed
# to the spoofed source, not to this host, so there is no response to show.
send(packet)

In the script, the source address of the IP header is set to 192.168.21.1 while the ICMP echo request is addressed to 192.168.1.23. The crafted packet is written to the network with scapy's send(). Note that send() returns None, and that the echo reply, if any, goes to the spoofed source rather than to us, so the script can only report that the packet was sent. The following excerpt shows the output of the script.

# ./ip-spoof.py
.
Sent 1 packets.
#

As shown in the following figure, Wireshark was used to capture the network traffic when the script was run.

As we can observe in the figure, the captured packet carries the source and destination IP addresses specified in the script, which is exactly what a monitoring device on the path would log.
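To make concrete what "crafting traffic at the packet level" means, here is an added example (my own code, not from the article or from scapy) that builds the same spoofed ICMP echo request by hand with the standard library's struct and socket modules, so the forged IPv4 header can be inspected and its checksums verified offline. The addresses are the article's; the "spoofed" payload and the ICMP identifier are assumptions. send_raw() needs root (CAP_NET_RAW) and is only reached when the file is run as a script.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(ident=0x1234, seq=1, payload=b"spoofed") -> bytes:
    """ICMP echo request (type 8, code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def ipv4_packet(src: str, dst: str, payload: bytes, ttl=64, proto=1) -> bytes:
    """IPv4 header whose source field is whatever the caller chooses."""
    total_len = 20 + len(payload)
    fields = (0x45, 0, total_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    csum = checksum(struct.pack(IPV4_FMT, *fields))
    hdr = struct.pack(IPV4_FMT, *fields[:7], csum, *fields[8:])
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields a sensor would log and verify the header checksum
    (a correct header re-sums to zero, checksum field included)."""
    ver_ihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0xF,
        "total_length": tlen,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "header_checksum_ok": checksum(pkt[:20]) == 0,
    }


def spoofed_ping(src: str, dst: str) -> bytes:
    """The article's packet: IP(src=src, dst=dst)/ICMP(), as raw bytes."""
    return ipv4_packet(src, dst, icmp_echo())


def send_raw(pkt: bytes, dst: str) -> None:
    """Transmit via a raw socket (needs CAP_NET_RAW / root). IP_HDRINCL tells
    the kernel to use our header, forged source included, instead of its own."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    pkt = spoofed_ping("192.168.21.1", "192.168.1.23")
    print(parse_ipv4(pkt))
    send_raw(pkt, "192.168.1.23")
```

The parse step is the same check a capture tool performs: the header is well formed and the checksum is valid, so nothing in the packet itself reveals that the source field is forged. That is the whole point of spoofing from the attacker's side, and the reason defenders have to rely on topology (ingress filtering, TTL and routing anomalies) rather than packet contents to spot it.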

MAC address spoofing using Python:

Spoofing the MAC address of a given interface is as easy as running a few operating system commands, and this can be automated with Python's subprocess module. subprocess.call() runs a command and returns its exit status, which should be checked (or use check_call(), which raises on failure) so that a failed step does not silently leave the interface down. The commands below use ifconfig, matching the screen output that follows; on modern Linux the equivalent is ip link set dev eth0 address <mac>. The following sample script changes the MAC address of an interface.

#!/usr/bin/python3
import subprocess as sub

interface = "eth0"
new_mac = "08:00:27:02:3a:71"

# The link has to be down before the hardware address can be changed.
# check_call() raises CalledProcessError if a step fails, instead of the
# exit status from call() that the original script ignored.
sub.check_call(['sudo', 'ifconfig', interface, 'down'])
sub.check_call(['sudo', 'ifconfig', interface, 'hw', 'ether', new_mac])
sub.check_call(['sudo', 'ifconfig', interface, 'up'])

Following is the original MAC address on the interface eth0.

# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.108  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 08:00:27:02:3a:72  txqueuelen 1000  (Ethernet)
        RX packets 321  bytes 48605 (47.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145  bytes 17121 (16.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#

After running the Python script, the MAC address has changed to the new address specified in the script, as shown below.

# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.108  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 08:00:27:02:3a:71  txqueuelen 1000  (Ethernet)
        RX packets 321  bytes 48605 (47.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145  bytes 17121 (16.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#

As mentioned earlier, changing the MAC address of an interface requires only a few commands. Two practical caveats: the change is not persistent across reboots, and the new address must be a unicast address (least significant bit of the first octet clear), otherwise the Linux kernel rejects it. Bringing the link down also drops any existing connections and may trigger a new DHCP lease, so on a monitored network the change itself can be noticed.
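As an added example (not the article's script), the following helper generates a spoofed MAC that the kernel will accept, builds the iproute2 equivalent of the ifconfig sequence as argv lists so that nothing passes through a shell, and reads /sys/class/net/<iface>/address back to confirm the driver actually applied the change. The interface name and the OUI argument are assumptions; 08:00:27 is the prefix of the article's example address (VirtualBox's OUI).

```python
import re
import secrets
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def valid_mac(mac: str) -> bool:
    """Six colon-separated hex octets and unicast (bit 0 of octet 0 clear);
    the kernel refuses a multicast address on ip link set ... address."""
    mac = mac.lower()
    return bool(MAC_RE.match(mac)) and not int(mac[:2], 16) & 0x01


def random_mac(oui=None) -> str:
    """Random unicast MAC. Without an OUI, set the locally-administered bit
    (0x02) so the address cannot collide with a vendor-assigned one. With an
    OUI (e.g. "08:00:27"), keep the vendor prefix and randomise only the
    NIC-specific half, which looks like a real host to anyone eyeballing ARP."""
    if oui is None:
        first = (secrets.randbits(8) & 0xFE) | 0x02
        prefix = [first, secrets.randbits(8), secrets.randbits(8)]
    else:
        prefix = [int(x, 16) for x in oui.split(":")]
    tail = [secrets.randbits(8) for _ in range(3)]
    return ":".join("%02x" % b for b in prefix + tail)


def change_mac_commands(interface: str, new_mac: str) -> list:
    """iproute2 equivalent of the article's ifconfig sequence: link down,
    set address, link up. Returned as argv lists, never as a shell string."""
    if not valid_mac(new_mac):
        raise ValueError("invalid or multicast MAC: %s" % new_mac)
    if not re.match(r"^[A-Za-z0-9_.-]+$", interface):
        raise ValueError("suspicious interface name: %r" % interface)
    return [
        ["ip", "link", "set", "dev", interface, "down"],
        ["ip", "link", "set", "dev", interface, "address", new_mac],
        ["ip", "link", "set", "dev", interface, "up"],
    ]


def current_mac(interface: str) -> str:
    """What the kernel reports, from sysfs (same value ifconfig/ip show)."""
    with open("/sys/class/net/%s/address" % interface) as f:
        return f.read().strip()


def change_mac(interface: str, new_mac: str) -> str:
    """Apply the change (must run as root) and return the address the
    kernel now reports; raises if any step fails or the driver ignored it."""
    for argv in change_mac_commands(interface, new_mac):
        subprocess.run(argv, check=True)      # stop at the first failing step
    applied = current_mac(interface)
    if applied != new_mac.lower():
        raise RuntimeError("driver rejected %s, interface reports %s" % (new_mac, applied))
    return applied


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    print("was", current_mac(iface))
    print("now", change_mac(iface, random_mac("08:00:27")))
```

Reading the address back matters: some wireless drivers and virtual NICs silently keep the old address or only accept it while the link is down, and a script that trusts the exit status alone will report success while the interface still broadcasts the original MAC.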

Conclusion

In this article, we have gone through some simple examples of how Python can be used to evade detection during a pentest. While these scripts are simple and intended for beginners, there are more advanced evasion tools written in Python that demonstrate the power of Python scripting for this purpose. The Veil framework, written in Python, is one such example; it generates payloads designed to bypass antivirus software.
