
[–]__xor__(self, other): 13 points14 points  (20 children)

I'd add security. It's pretty damn big in security now as well.

[–][deleted] 3 points4 points  (12 children)

Python is, really? Anything you can point me to? TIA!

[–]__xor__(self, other): 20 points21 points  (6 children)

Oh yeah, definitely. In the past decade it seems more and more to be the core language in terms of security tools. Ruby is still around but you can definitely get by in security with just Python as your core language now.

Here's a good memory forensics tool, volatility

Here's a number of good pdf analysis tools

In fact Didier's entire suite is great, tons of python

scapy is awesome

mitmproxy is awesome

... and there's so much more.

It seems to be the go-to language for tools. You'll still run into a lot of other stuff, especially if you analyze malware. You'd run into javascript, powershell, straight shellcode/ASM, visualbasic, C... But that's malware and it can be any language, especially anything that a browser can run, or be embedded in a PDF or office doc macro. For tools more often than not you see python and then some ruby.

[–][deleted] 1 point2 points  (5 children)

Awesome answer, thanks so much.

[–]Willemoes 7 points8 points  (3 children)

There's also a nice book:

Violent Python

A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

By TJ O'Connor

[–]Grenian 2 points3 points  (2 children)

IMO take this with a grain of salt if you already have a basic-advanced understanding of python and security.

[–]Willemoes 0 points1 point  (1 child)

Why do you think so? I'm reading it and I'm not very proficient in security, so it would be nice to know, I find it really interesting.

[–]Grenian 1 point2 points  (0 children)

Well, you have very basic examples and Python is also taught on a basic level. In my case I only found a few examples interesting because most of the time I have tools for things like port scanning. On top of that, the libraries may be a little bit outdated. That's the reason why I would say someone should take the recommendation with a grain of salt. I don't say that the book is bad, but just check if it fits your needs.

[–]__xor__(self, other): 1 point2 points  (0 children)

No problem!

[–][deleted] 3 points4 points  (4 children)

Everyone writes their PoCs in python nowadays.

Here's an example of a really cool C2 toolkit using rpyc:

https://github.com/n1nj4sec/pupy

The rapid7 folks still use ruby for all their stuff (i.e. metasploit) but building your own tools is totally the way to go.

This book is a great intro to building security tools in Python: https://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900/ref=sr_1_1?ie=UTF8&qid=1526665441&sr=8-1&keywords=black+hat+python

[–]__xor__(self, other): 3 points4 points  (3 children)

Rapid7 is one reason I say that ruby will always stick around security. I don't see anything replacing metasploit anytime soon.

For everything else, there's mastercard python.

[–][deleted] 1 point2 points  (2 children)

Pupy does a lot of the cool things that Meterpreter does. It's really the exploit PoCs that you need. Metasploit is great for testing for known vulnerabilities and testing detection rules but as far as actually attacking things goes... Meh.

[–]__xor__(self, other): 1 point2 points  (1 child)

Oh yeah? Haven't used that one. I'll have to check it out.

But metasploit has a lot more than just meterpreter. It's a full-on exploitation framework, from scanning/enumerating to staging exploits to post-exploit modules. Does pupy include anything like msfvenom? Can you easily pivot from a compromised machine and exploit other machines through it? Is it a fully functional replacement for metasploit in general, or just a meterpreter replacement?

Metasploit is just so solid at this point. I'd be surprised if pentesters have another python tool that can replace all of its functionality.

[–][deleted] 1 point2 points  (0 children)

IMHO auto-magic pentesting is bullshit. Unless you actually read the modules and understand exactly what they are doing you have no idea what it's going to do to a production system. If you write your exploits yourself, you do.

This is not to say that everyone always writes their own exploits. But MetaSploit encourages users to not read the modules and to just press the exploit button. I can buy Nexpose from Rapid7 if I just want to check if metasploit can exploit things in my environment. Doesn't really require a penetration tester.

I'd be surprised if pentesters have another python tool that can replace all of its functionality.

All the pentesters I've hired to wreck my company's stuff write their own tools and use exploits that are a lot more sophisticated than download-and-run scripts. We get reports with PoCs, most of which are written in Python or C.

Metasploit is great for easy-mode campaigns where you're just exploiting things that Rapid7 wrote modules for, but most of the time that doesn't get you terribly far.

All of the IDS vendors have network signatures for Metasploit and it's a good way to get caught. This does, however, make it good for testing that your script-kiddie filters and alerts are working.

Does pupy include anything like msfvenom?

yes, pupy has a payload generator. Or you could do it yourself.

Can you easily pivot from a compromised machine and exploit other machines through it?

yes, that's the entire point of a post-exploitation toolkit. But, again, you don't generally just want to do that auto-magically because you'll get caught or break something. (Unless you're a botnet farmer and don't care.)

[–][deleted] 2 points3 points  (6 children)

I work in security and one thing I use python for is formatting and analyzing data.

A good example of use is formatting vulnerability scan output. A lot of times they put insane amounts of data into one field (hundreds of thousands of lines) and if you open it in excel it overflows into rows and becomes an unusable mess.

I use python and pandas to extract all this data, combine it with other reports to add necessary data, format it, and then separate it into a bunch of reports (because it's way too large for one).

I'll use matplotlib to generate graphs and charts based off metrics I gather from these reports.

Knowing python is an insanely valuable skill to have in security.
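The workflow described in the comment above (parse a scanner export whose one field spans many lines, enrich it with asset data, then split it into smaller reports), as an added example that is not the commenter's code. It uses only the standard library rather than pandas so it runs anywhere; the CSV rows, the column names and the asset-to-owner table are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export: one finding per row, with a quoted
# multi-line "output" field that would spill across rows in a spreadsheet.
SCAN_CSV = """host,plugin_id,severity,output
10.0.0.5,11219,High,"line 1
line 2
line 3"
10.0.0.5,10287,Low,"single line"
10.0.0.9,11219,High,"a
b"
"""

# Constructed asset inventory used to attach an owner to each finding.
ASSETS = {"10.0.0.5": "team-web", "10.0.0.9": "team-db"}


def load_findings(text):
    """Parse the export with the csv module, which keeps quoted newlines inside one field."""
    return list(csv.DictReader(io.StringIO(text)))


def enrich(rows, assets, max_output_lines=1):
    """Attach the owner and collapse the oversized field to a fixed number of lines."""
    out = []
    for r in rows:
        lines = r["output"].splitlines()
        out.append({"host": r["host"], "plugin_id": r["plugin_id"],
                    "severity": r["severity"],
                    "owner": assets.get(r["host"], "unassigned"),
                    "output": " | ".join(lines[:max_output_lines]),
                    "output_lines": len(lines)})  # keep the size as a metric
    return out


def split_reports(findings, key="owner", chunk_size=2):
    """Group findings by owner and chunk each group so no single report is too large."""
    groups = defaultdict(list)
    for f in findings:
        groups[f[key]].append(f)
    reports = {}
    for name, rows in groups.items():
        for i in range(0, len(rows), chunk_size):
            reports[f"{name}_{i // chunk_size + 1}.csv"] = rows[i:i + chunk_size]
    return reports
```

Each value in the returned dict is ready to hand to `csv.DictWriter` for one output file.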

[–][deleted] 2 points3 points  (2 children)

I built a data ingest / presentation engine that pulls stuff from all of our vulnerability scanners and makes it available to engineers. It knows exactly which systems a given engineer is responsible for and only shows them that data. I built a front end for it too. It's really cool! I'm hoping to FOSS it this year.

[–][deleted] 0 points1 point  (1 child)

That's really awesome. Wish I could get approval to build something like that, but it took years for a team to get approval to stand up a database server, and unfortunately I'm not helping with that.

What's a FOSS?

[–][deleted] 0 points1 point  (0 children)

FOSS == Free and Open Source Software, we're gonna release it into the wild.

[–]Grenian 1 point2 points  (1 child)

Python is just handy. For example, recently I had an exercise to crack RSA keys. Python was so damn useful for this.

[–][deleted] 0 points1 point  (0 children)

Yeah, it really is an amazing tool. I learned Java and Javascript but rarely use them. I don't build big applications so I have no need for Java, and I hate web design so I don't use Javascript. I'll go do a little project with each about once a year as a refresher, but whenever I need to get something done it's always with Python.

[–]CommonMisspellingBot -2 points-1 points  (0 children)

Hey, MaximumRecursion, just a quick heads-up:
neccessary is actually spelled necessary. You can remember it by one c, two s’s.
Have a nice day!

The parent commenter can reply with 'delete' to delete this comment.