Mark Baggett on Python for InfoSec


June 3rd, 2015

1 hr 14 mins 30 secs

Your Hosts

About this Episode

Read all of our show notes and find more information about us at Beautiful Soup

Brief Introduction

  • Date of recording – May 28th, 2015
  • Hosts – Tobias Macey and Chris Patti
  • Overview – Interview with Mark Baggett
  • Follow us on iTunes, Stitcher or TuneIn
  • Give us feedback! (iTunes, Twitter, email, Disqus comments)
  • You can donate (if you want)!

Interview with Mark Baggett

  • Introductions
  • How were you first introduced to Python? – Chris
    • Started using it for automating tasks while working as a sysadmin
    • Found code that launched an attack on FTP server – in Python

  • What are some of the tasks in your job that you use Python for? – Tobias

    • Trusted command & control backdoor for Windows
      • Mostly not used by malware authors – thus far (at least Mark hasn’t seen it used that way)
      • Flame virus – 5MB payload – incredibly advanced
        • Lua interpreter bundled along with the scripts

      • Veil framework – Python framework that takes payloads out of penetration testing executables

  • What is it about Python that makes it useful for penetration testing and other information security tasks?

    • Same thing that makes it useful for anything else
    • Impacket from Core Security

  • What are some of the more useful Python penetration testing tools?

  • We’ve noticed that a lot of the literature around information security and penetration testing focuses on targeting Windows. Can you enlighten us as to why that is?

    • Windows event tracing
      • logman
      • event trace providers – implement packet sniffing (Can turn every browser into a key logger)

    • Primary attack surface – Where most attacks are targeted

    • Fewer purely Linux systems

      • Very few ports open – maybe 80, 22
      • Very likely no user just sitting there waiting to run an executable you send

    • More freedom on Linux – less formalized patching process, more variable tools = more exploits

    • Will write code to only use built in modules for Python that will run in customer target environments

  • What are some of the legal considerations that you have to deal with on a regular basis as a penetration tester?

  • There have recently been a number of attacks based on hijacking the TCP/IP stack. Is Python being used for any of these exploits or tools to defend against them?

    • Data analytics
    • Detect repeated sequence numbers – Man in the Middle Attack
      • As simple as 5 lines of Python code
      • import scapy, start sniffing packets, pull together all packets – make list of associated packets
      • Can pull together all packets inside of stream
      • Time specific source communicates with specific destination
      • Bro – intrusion detection suite
        • Built into Security Onion – Doug Burks
        • FLOSS Weekly episode 296 with Bro developers

  • What are some activities that you do on a regular basis for which you would turn to another language or toolchain, rather than using Python?

    • PowerShell – The Python of Windows
      • Whitelisted and ubiquitous

    • Password cracking – compiled language like C or assembly

  • For anyone who is interested in getting involved in the security industry, and penetration testing in particular, what resources or tools would you recommend?

    • Developers make the best InfoSec professionals
      • Lots of jobs and opportunities

    • Developer -> Systems Administration -> Information Security

    • Security conferences – BSides, Defcon, Black Hat

    • Online capture the flag challenges (google it) – good practice for critical thinking and using code for security exercises

    • Get involved in the industry – Meetups, etc.

    • SANS institute course, Python for Penetration Testers, SEC573 by Mark Baggett –

    • Lots of free online resources

    • Violent Python

    • PicoCTF

    • Counter Hack Challenges
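
The "detect repeated sequence numbers" item under the TCP/IP question above, as an added example that is not code from the episode or from Mark Baggett. It assumes the check means "the same sequence space of one flow is sent again with different bytes", and it runs over constructed segment records rather than a live scapy capture; the `Segment` type and `find_conflicting_segments` name are hypothetical.

```python
from collections import defaultdict, namedtuple

# Constructed record type: one TCP segment as a sniffer would hand it over.
Segment = namedtuple("Segment", "src sport dst dport seq payload")
SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def find_conflicting_segments(segments):
    """Flag segments that re-send already-seen sequence space with different bytes.

    Returns a list of (flow, seq_of_first_differing_byte, first_index, later_index).
    Identical retransmissions are normal TCP behaviour and are not reported.
    """
    seen = defaultdict(dict)  # flow -> {byte sequence number: (byte value, segment index)}
    alerts = []
    for idx, seg in enumerate(segments):
        flow = (seg.src, seg.sport, seg.dst, seg.dport)  # one direction of a connection
        stream = seen[flow]
        conflict = None
        for offset, byte in enumerate(seg.payload):
            pos = (seg.seq + offset) % SEQ_MOD
            prev_byte, prev_idx = stream.setdefault(pos, (byte, idx))
            if prev_byte != byte and conflict is None:
                conflict = (flow, pos, prev_idx, idx)
        if conflict is not None:
            alerts.append(conflict)
    return alerts

# Constructed sample capture (documentation addresses, made-up payloads).
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)
SAMPLE = [
    Segment(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.1\r\n"),
    Segment(*SERVER, *CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(*SERVER, *CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),     # plain retransmission
    Segment(*SERVER, *CLIENT, 5000, b"HTTP/1.1 302 Found\r\n"),  # same seq, new content
]

if __name__ == "__main__":
    for flow, pos, first, later in find_conflicting_segments(SAMPLE):
        print(f"{flow}: segment {later} contradicts segment {first} at seq {pos}")
```

The per-byte map keeps the example short; a long-running monitor would track byte ranges per flow and expire closed connections.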


Keep in Touch

The intro and outro music is from Requiem for a Fish by The Freak Fandango Orchestra / CC BY-SA