Hacking_and_Penetration_Testing_with_Low_Power_Devices
CHAPTER 4 Filling the toolbox
PYTHON TOOLS
Python is an extremely popular scripting language in the security community. A
complete coverage of this powerful language and its use in penetration testing is well
beyond the scope of this book. If you want to know more, I would recommend
the SecurityTube Python for Pentesters course and/or the book Violent Python
by T. J. O’Connor. The following Python modules should be installed at a minimum:
Scapy, Beautiful Soup, mechanize, Nmap, and paramiko. All of these can be
installed via sudo apt-get install python-<module name> or using the Python easy
installer, sudo easy_install <module name>.
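
A preflight check for the module list above, as an added example that is not from the book. It assumes Python 3.8 or later, and the import and PyPI distribution names in the table are assumptions taken from how each project publishes itself (Beautiful Soup imports as bs4, the Nmap module as nmap).

```python
# Added example: verify that the five modules named in this chapter are
# importable on the device, and report the installed version of each.
import importlib.util
from importlib import metadata

# Tool name -> (import name, PyPI distribution name). These names are not
# from the book; they are the names the projects publish under.
REQUIRED = {
    "Scapy": ("scapy", "scapy"),
    "Beautiful Soup": ("bs4", "beautifulsoup4"),
    "mechanize": ("mechanize", "mechanize"),
    "Nmap": ("nmap", "python-nmap"),
    "paramiko": ("paramiko", "paramiko"),
}


def check_module(import_name, dist_name):
    """Return (present, version); version is None when it cannot be read."""
    try:
        spec = importlib.util.find_spec(import_name)
    except (ImportError, ValueError):
        spec = None
    if spec is None:
        return False, None
    try:
        return True, metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        # Importable, but no distribution metadata (stdlib or vendored copy).
        return True, None


def audit(required=REQUIRED):
    """Map each tool name to its (present, version) result."""
    return {tool: check_module(*names) for tool, names in required.items()}


def missing(results):
    """Sorted list of tools that cannot be imported."""
    return sorted(tool for tool, (present, _) in results.items() if not present)


if __name__ == "__main__":
    results = audit()
    for tool, (present, version) in results.items():
        print(f"{tool:15} {'ok' if present else 'MISSING':8} {version or ''}")
    raise SystemExit(1 if missing(results) else 0)
```

The script exits non-zero when any module is missing, so it can gate an image build or a first-boot script.
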
Scapy is both a Python module and a stand-alone interactive shell for creating, sending,
and analyzing network packets. A good tutorial on how to use Scapy can be found
at http://www.secdev.org/projects/scapy/doc/usage.html. Basic tasks such as finding
wireless networks and port scanning with Scapy will be covered later in this book.
Beautiful Soup is a tool for parsing HTML in Python. Technically, Beautiful
Soup uses other parsers to put webpages into a convenient format for Python scripts.
Further information on using Beautiful Soup can be found at
http://www.crummy.com/software/BeautifulSoup/bs4/doc/.
Mechanize is a Python module that is based on a Perl module of the same name.
Mechanize is used to interact with webpages within a Python script. Using Mechanize,
you can easily emulate a user in order to find out more about a target Web
server. A Mechanize tutorial is available at
http://www.pythonforbeginners.com/python-on-the-web/browsing-in-python-with-mechanize/.
While Nmap does include scripting abilities, many penetration testers might prefer
to use Python to script Nmap. A tutorial on using the Nmap Python module is
available at http://xael.org/norman/python/python-nmap/.
Python includes a Pexpect module that can be used to script interactions with console
applications. A number of specialized modules are also available for popular
applications. paramiko is such a module for scripting secure shell (SSH) operations.
A tutorial on paramiko can be found at
http://jessenoller.com/blog/2009/02/05/ssh-programming-with-paramiko-completely-different.
There are lots of useful Python modules available that you might also wish to
consider installing. The set of modules installed by default is used extensively in
penetration testing. The short list of additional modules here is a testament to the
power of the standard Python tools. Some of these tools will be discussed in more
detail later in this book.
METASPLOIT
If you are a penetration tester, you have likely at least heard of Metasploit. For many,
Metasploit is the go-to tool for performing penetration tests. You might think that installing
Metasploit is easy given that it is written in Ruby. You would be wrong. Because of
the Ruby gems contained within Metasploit, it is likely that Metasploit cannot be
installed with the version of Ruby available from the operating system repositories.