Python: Penetration Testing for Developers
Execute effective tests to identify software vulnerabilities
1st Edition
Published on 15. April 2025
650 pages
978-1-78712-097-6 (ISBN)
Description
No detailed description available for "Python: Penetration Testing for Developers".
All prices
More details
Persons
Duffy Christopher :
Christopher Duffy currently leads cybersecurity and penetration testing engagements globally. He has a specialization in advanced technical testing, including penetration testing and security assessment done to evaluate an organization's security strategy from a malicious actor's perspective. He has worked a lot with both network and system engineering teams to evaluate critical system data flows, and identified areas where controls can be put in place to prevent a breach of sensitive or critical data. His work with multiple organizations has been key to protecting resources based on the information they have held, which has helped reduce risks while maintaining resilient and cost-effective security postures. Chris has over 12 years of experience in the information technology and security areas, including security consultation, with a focus on business risk. He has helped build advanced attack and penetration teams. The work that his teams have done has encompassed everything from threat modeling and penetration tests to firewall reviews and FedRAMP readiness assessments. Chris has led, managed, and executed over 400 engagements for Fortune 500 companies, U.S. government entities, medical providers and payers, educational institutes, financial services, research organizations, and cloud providers. For almost a decade prior to private sector work, Chris was a cyber warfare specialist, senior systems engineer, and network infrastructure supervisor for the United States Air Force (USAF). He has been honored with numerous technical and leadership awards. Some of these include the (ISC)2 Information Security Leadership Award (ISLA) for the information security practitioner category in 2013, the noncommissioned officer of the year (both at the base and wing levels) in 2011, and the top technician within the cyber transport career field for the United States Air Force (USAF) Intelligence Surveillance and Reconnaissance Agency. He is a distinguished graduate of USAF network warfare training and has publications to his credit in SANS Reading Room, Hackin9 magazine, eForensics magazine and PenTest magazine. He holds 23 certifications, a degree in computer science, and a master's degree in information security and assurance.Raj Mohit :
Mohit Raj is a Python programmer with a keen interest in the field of information security. He completed his bachelor's degree in technology in computer science from Kurukshetra University, Kurukshetra, and his masters in engineering (2012) in computer science from Thapar University, Patiala. He is a C
Christopher Duffy currently leads cybersecurity and penetration testing engagements globally. He has a specialization in advanced technical testing, including penetration testing and security assessment done to evaluate an organization's security strategy from a malicious actor's perspective. He has worked a lot with both network and system engineering teams to evaluate critical system data flows, and identified areas where controls can be put in place to prevent a breach of sensitive or critical data. His work with multiple organizations has been key to protecting resources based on the information they have held, which has helped reduce risks while maintaining resilient and cost-effective security postures. Chris has over 12 years of experience in the information technology and security areas, including security consultation, with a focus on business risk. He has helped build advanced attack and penetration teams. The work that his teams have done has encompassed everything from threat modeling and penetration tests to firewall reviews and FedRAMP readiness assessments. Chris has led, managed, and executed over 400 engagements for Fortune 500 companies, U.S. government entities, medical providers and payers, educational institutes, financial services, research organizations, and cloud providers. For almost a decade prior to private sector work, Chris was a cyber warfare specialist, senior systems engineer, and network infrastructure supervisor for the United States Air Force (USAF). He has been honored with numerous technical and leadership awards. Some of these include the (ISC)2 Information Security Leadership Award (ISLA) for the information security practitioner category in 2013, the noncommissioned officer of the year (both at the base and wing levels) in 2011, and the top technician within the cyber transport career field for the United States Air Force (USAF) Intelligence Surveillance and Reconnaissance Agency. He is a distinguished graduate of USAF network warfare training and has publications to his credit in SANS Reading Room, Hackin9 magazine, eForensics magazine and PenTest magazine. He holds 23 certifications, a degree in computer science, and a master's degree in information security and assurance.Raj Mohit :
Mohit Raj is a Python programmer with a keen interest in the field of information security. He completed his bachelor's degree in technology in computer science from Kurukshetra University, Kurukshetra, and his masters in engineering (2012) in computer science from Thapar University, Patiala. He is a C
Content
- Cover
- Copyright
- Credits
- Preface
- Table of Contents
- Module 1
- Chapter 1: Understanding the Penetration Testing Methodology
- An overview of penetration testing
- Understanding what penetration testing is not
- Assessment methodologies
- The penetration testing execution standard
- Penetration testing tools
- Summary
- Chapter 2: The Basics of Python Scripting
- The first Python script
- Developing scripts and identifying errors
- Python formatting
- Python variables
- Operators
- Compound statements
- Functions
- The Python style guide
- Arguments and options
- Your first assessor script
- Summary
- Chapter 3: Identifying Targets with Nmap, Scapy, and Python
- Understanding how systems communicate
- Understanding Nmap
- Nmap libraries for Python
- The Scapy library for Python
- Summary
- Chapter 4: Executing Credential Attacks with Python
- The types of credential attacks
- Identifying the target
- Creating targeted usernames
- Testing for users using SMTP VRFY
- Summary
- Chapter 5: Exploiting Services with Python
- Understanding the new age of service exploitation
- Understanding the chaining of exploits
- Automating the exploit train with Python
- Summary
- Chapter 6: Assessing Web Applications with Python
- Identifying live applications versus open ports
- Identifying hidden files and directories with Python
- Credential attacks with Burp Suite
- Using twill to walk through the source
- Understanding when to use Python for web assessments
- Summary
- Chapter 7: Cracking the Perimeter with Python
- Understanding today's perimeter
- Understanding the link between accounts and services
- Cracking inboxes with Burp Suite
- Identifying the attack path
- Gaining access through websites
- Summary
- Chapter 8: Exploit Development with Python, Metasploit, and Immunity
- Getting started with registers
- Understanding the Windows memory structure
- Understanding memory addresses and endianness
- Understanding the manipulation of the stack
- Understanding immunity
- Understanding basic buffer overflow
- Writing a basic buffer overflow exploit
- Understanding stack adjustments
- Understanding the purpose of local exploits
- Understanding other exploit scripts
- Reversing Metasploit modules
- Understanding protection mechanisms
- Summary
- Chapter 9: Automating Reports and Tasks with Python
- Understanding how to parse XML files for reports
- Understanding how to create a Python class
- Summary
- Chapter 10: Adding Permanency to Python Tools
- Understanding logging within Python
- Understanding the difference between multithreading and multiprocessing
- Building industry-standard tools
- Summary
- Module 2
- Chapter 1: Python with Penetration Testing and Networking
- Introducing the scope of pentesting
- Approaches to pentesting
- Introducing Python scripting
- Understanding the tests and tools you'll need
- Learning the common testing platforms with Python
- Network sockets
- Server socket methods
- Client socket methods
- General socket methods
- Moving on to the practical
- Summary
- Chapter 2: Scanning Pentesting
- How to check live systems in a network and the concept of a live system
- What are the services running on the target machine?
- Summary
- Chapter 3: Sniffing and Penetration Testing
- Introducing a network sniffer
- Implementing a network sniffer using Python
- Learning about packet crafting
- Introducing ARP spoofing and implementing it using Python
- Testing the security system using custom packet crafting and injection
- Summary
- Chapter 4: Wireless Pentesting
- Wireless SSID finding and wireless traffic analysis by Python
- Wireless attacks
- Summary
- Chapter 5: Foot Printing of a Web Server and a Web Application
- The concept of foot printing of a web server
- Introducing information gathering
- Information gathering of a website from SmartWhois by the parser BeautifulSoup
- Banner grabbing of a website
- Hardening of a web server
- Summary
- Chapter 6: Client-side and DDoS Attacks
- Introducing client-side validation
- Tampering with the client-side parameter with Python
- Effects of parameter tampering on business
- Introducing DoS and DDoS
- Summary
- Chapter 7: Pentesting of SQLI and XSS
- Introducing the SQL injection attack
- Types of SQL injections
- Understanding the SQL injection attack by a Python script
- Learning about Cross-Site scripting
- Summary
- Module 3
- Chapter 1: Gathering Open Source Intelligence
- Introduction
- Gathering information using the Shodan API
- Scripting a Google+ API search
- Downloading profile pictures using the Google+ API
- Harvesting additional results from the Google+ API using pagination
- Getting screenshots of websites with QtWebKit
- Screenshots based on a port list
- Spidering websites
- Chapter 2: Enumeration
- Introduction
- Performing a ping sweep with Scapy
- Scanning with Scapy
- Checking username validity
- Brute forcing usernames
- Enumerating files
- Brute forcing passwords
- Generating e-mail addresses from names
- Finding e-mail addresses from web pages
- Finding comments in source code
- Chapter 3: Vulnerability Identification
- Introduction
- Automated URL-based Directory Traversal
- Automated URL-based Cross-site scripting
- Automated parameter-based Cross-site scripting
- Automated fuzzing
- jQuery checking
- Header-based Cross-site scripting
- Shellshock checking
- Chapter 4: SQL Injection
- Introduction
- Checking jitter
- Identifying URL-based SQLi
- Exploiting Boolean SQLi
- Exploiting Blind SQL Injection
- Encoding payloads
- Chapter 5: Web Header Manipulation
- Introduction
- Testing HTTP methods
- Fingerprinting servers through HTTP headers
- Testing for insecure headers
- Brute forcing login through the Authorization header
- Testing for clickjacking vulnerabilities
- Identifying alternative sites by spoofing user agents
- Testing for insecure cookie flags
- Session fixation through a cookie injection
- Chapter 6: Image Analysis and Manipulation
- Introduction
- Hiding a message using LSB steganography
- Extracting messages hidden in LSB
- Hiding text in images
- Extracting text from images
- Enabling command and control using steganography
- Chapter 7: Encryption and Encoding
- Introduction
- Generating an MD5 hash
- Generating an SHA 1/128/256 hash
- Implementing SHA and MD5 hashes together
- Implementing SHA in a real-world scenario
- Generating a Bcrypt hash
- Cracking an MD5 hash
- Encoding with Base64
- Encoding with ROT13
- Cracking a substitution cipher
- Cracking the Atbash cipher
- Attacking one-time pad reuse
- Predicting a linear congruential generator
- Identifying hashes
- Chapter 8: Payloads and Shells
- Introduction
- Extracting data through HTTP requests
- Creating an HTTP C2
- Creating an FTP C2
- Creating an Twitter C2
- Creating a simple Netcat shell
- Chapter 9: Reporting
- Introduction
- Converting Nmap XML to CSV
- Extracting links from a URL to Maltego
- Extracting e-mails to Maltego
- Parsing Sslscan into CSV
- Generating graphs using plot.ly
- Bibliography
