EvilZone
Programming and Scripting => Scripting Languages => : powerkickeR January 22, 2012, 10:37:03 PM
-
Hey guys, I just recently joined these forums and I have to say I've found some pretty useful information around here. My native programming language is Python, and I still consider myself a beginner at it. I've spent some time looking around google and other websites, but I guess its come to a point where I need to ask. How can I apply Python to hacking? Like making exploits, stuff like that. I'm rather confused on that topic, I'm not sure what modules to use and how to figure out how to use them. I guess that's all for now, thanks guys!
-
You have to know what you need to write before you can write it.
If you don't know what to exploit, then how are you gonna write a script for it? :D
To know HOW to write, you need experience... don't really know what to tell you here, kinda dumb question IMO :P
-
But how exactly would I know what? Wouldn't I need to learn the modules first? I have no idea how to apply it to that. I mean, I can make programs and what not, but I just don't know the modules I need in order to do stuff like that? O_O.
Edit: Like would I write a python CGI script to exploit a website that has a vulnerability? Agh T_T. This is confusing.
-
wat? you need to be more specific, in programming terms you are asking: "OK I know python, how do I write a program?". A useless question, we need more info(what program?). Exploits, hacking tools are exactly like any other program.. They have a specific purpose, one related to security. There is no h4x0r python library as far as I know, the closest I can think of would be the metasploit "API"(ruby).
I really doubt CGI is what you need bro. Have you looked at any other exploits? The python ones are usually wrap-arounds for remote execution, etc flaws. It has absolutely nothing to do with python.
If somebody told you that hacking == programming, they either lied or had no fucking clue what they were talking about.
-
wat? you need to be more specific, in programming terms you are asking: "OK I know python, how do I write a program?". A useless question, we need more info(what program?). Exploits, hacking tools are exactly like any other program.. They have a specific purpose, one related to security. There is no h4x0r python library as far as I know, the closest I can think of would be the metasploit "API"(ruby).
I really doubt CGI is what you need bro. Have you looked at any other exploits? The python ones are usually wrap-arounds for remote execution, etc flaws. It has absolutely nothing to do with python.
If somebody told you that hacking == programming, they either lied or had no fucking clue what they were talking about.
Thanks man this is some useful information. I'm very cloudy on this subject. Basically, every where I've looked, I've always seen people say you have to know how to program to be a good hacker, or to even be a hacker. that was when I first took the initiative to start programming. I've also been told that hacking tools "limit" you in a way.
And I haven't looked into writing exploits in other languages considering I only know HTML,XML and Python.
So, I guess what I'm trying to get around with asking here is to point me in the right direction, so to speak. I've always thought that programming would be the way I could do my own things for hacking and such.
Edit:
"[size=78%] [/size][size=78%]hacking == programming"[/size]
[size=78%]this made me laugh XD.[/size]
-
well programming is a part of hacking, but there is much more to it. It really helps to be able to code programs to do exactly what you need them to do, but this requires knowledge of WTF is going on. I'll take an HTML solution, say for example a [malicious] form:
<form action="http://web/user_ban.php" method="post">
<input type="hidden" name="user" value="some_guy_you_hate">
<input type="hidden" name="foo" value="bar">
</form>
<!-- javascript trigger -->
HTML isn't the only part of the problem... you need knowledge of the web-app, knowledge of HTTP, knowledge of how to get the target(in this case, admin or w/e) to fuck himself, etc.. HTML helped, but someone who knows HTML doesn't automatically know how to do this.
>> you can exploit more systems with knowledge of (so called limited)tools than you can with knowledge of programming, so long as you understand what they are doing <<
-
Alright bro I see where your coming from, hmm. Is it possible to see all the exploits that metasploit has? like the source code so I can have examples and such?
So, I guess the final question, where should I start, where should I expand my knowledge to?
Thanks a ton man.
-
Metasploit is pretty much just scripts, you can browse the code simply by opening the files with a text editor. Although I would recommend you browse exploit websites, try exploit-db (http://www.exploit-db.com).
As for second q I would recommend you browse those exploits and see: "buffer overflow"? what is that?... *google* I kinda get it, I maybe should consult with a tutorial(google once again) and perhaps further my knowledge of C/ASM. You will also notice those sites have a papers/tutorial section, read anything that strikes your interest. While you're at it visit evilzone's tutorial section.
> it won't be easy, lots of learning, lots of effort.. but if it was easy, there'd be no fucking point to it. good luck.
-
Alright I'll have a voyage through that website ;P.
Thanks a ton man, I really appreciate it.
off to find the master sword!!!!!!!
-
Python in itself isn't going to help you become a better hacker. Rather it's going to aid you with what you already know. By that I mean; knowing python isn't going to directly help you hack anything, it will however aid you as you can write scripts to automate processes which may otherwise take time.
To be a good 'hacker' you have to understand the systems and how they work. Read books on network/web application security and exploitation and then apply python to that. Just make sure that the ebooks are good and actually explain what and how everything (source code examples are always good). And also read up more on python before attempting to write any exploit scripts. If you aren't sure about which modules you would use then you have learned enough.
-
Alright bro I see where your coming from, hmm. Is it possible to see all the exploits that metasploit has? like the source code so I can have examples and such?.
I do believe metasploit maintains a list on their website of the pre loaded modules.
http://metasploit.com/modules/ (http://metasploit.com/modules/)
This might help you out.
-
I am not following the topic, but metasploit is perl only right?
-
I am not following the topic, but metasploit is perl only right?
What the modules? 98% sure they are ruby.http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide
-
What the modules? 98% sure they are ruby.http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide
Aah, wikipedia: Metasploit was created by HD Moore in 2003 as a portable network tool using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby
-
You can't really hack with Python! It's one of the worst languages for hacking.
But one way to hack with Python is FTP or e-mail hacking. In order to hack these with Python you have to know following things:
- FTP (ftplib module)
- SMTP (smtplib module)
- IMAP (imaplib module)
- POP (poplib module)
- Brute Force (itertools module)
Then you could make a Brute Force attack to a FTP/e-mail Server in order to gain the password.
You only have to make an 'for i in itertools.permutations' loop wich trys all combinations of characters from a list (the list should contain all ASCII chars).
-
Oh wow, I hadn't realized this topic was still going on, thanks for all the replies guys!
@Area_13
Why do you say Python is the worst for this?
@Python
Recommend any good books about that subject? I personally love reading, so I don't mind if it's a big book.
Btw, what do you guys think about this guy's post?
http://evilzone.org/tutorials/getting-into-the-hacker-mindset/msg7106/#msg7106
-
Why do you say Python is the worst for this?
It's not that bad. It's fine for developing exploits and small local things. The problem is that it's very high-level, there's lots of stuff going in the background, which makes code slow and large files/EXEs. It's designed for high-level scripting and sharing libraries, not for compact exploits (although it can do it, kinda).
Btw, what do you guys think about this guy's post?
http://evilzone.org/tutorials/getting-into-the-hacker-mindset/msg7106/#msg7106
Nice post. Lots to talk about there but it's good.
-
Hmm, I see.
So what language do you suggest for developing quick/large exploits?
Also, do you have any tips on finding vulnerabilities in networks/websites? I think I want to lean more into 802.11 pen testing, just general stuff in that 'network' genre.
-
C or Delphi are often used for exploits. Of course you'll need to know ASM for finding the exploits. C is a bit more difficult than Delphi. Delphi is good and compiles to remarkably small and fast code.
If you already know some scripting languages then find the exploit using that, then write the payloads in C or Delphi or whatever gives you small enough code.
Sorry, no networking tips.
-
stick with python.. compiled langs are for a different thing entirely(btw use C, don't bother with anything else, C is god to all).
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm
-
C or Delphi are often used for exploits. Of course you'll need to know ASM for finding the exploits. C is a bit more difficult than Delphi. Delphi is good and compiles to remarkably small and fast code.
If you already know some scripting languages then find the exploit using that, then write the payloads in C or Delphi or whatever gives you small enough code.
Sorry, no networking tips.
Dang, ASM is rather confusing lol. Any suggestions on books?
stick with python.. compiled langs are for a different thing entirely(btw use C, don't bother with anything else, C is god to all).
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm (http://www.cs.wright.edu/%7Epmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm)
Why do you say C is so good? :O.
-
Because you can make anything run with it. Operating Systems are written in C. BIOS'es most likely are written in C+ASM. Do you get my point?
-
A book for C, ASM, and exploit writing all in one is Hacking - The Art of Exploitation (2nd edition). That should be easy to find on Google. There's a CD that goes along with the book. It's just a modified Ubuntu with a few tools. Come to think of it, there's also a little about network vulnerabilities in the book too.
-
@Kulverstukas:
Alright I understand what your saying. Mind sharing any experiences with C? Like learning, or what kind of exploits you've written, perhaps?
@FuyuKitsune:
Oh, I've heard of that book, I'll make sure to check it out! Thanks a lot.
Edit: I'm interested in learning Java, as it looks rather fun to learn. Do you guys find it useful?
-
I haven't used Java but I'll be learning that in a few months. I doubt it will be useful for security/hacking but it should be good developing regular programs.
-
Windows Assembly Language Primer For Hackers: http://www.securitytube.net/groups?operation=view&groupId=6 9 parts. worth watching in my opinion, there is also a megaprimer on Assembly Languagefor Linux so if you think watching is a better fit for you, go go go go!
-
@Factionwars
Thanks for the link,have been searching for something like that a few days now. I would have never expected to find a tutorial link at this topic. Was worth checking it ;D
@Hacking with Python
I think hacking with Python is a bad idea because...
Firstly I have been trying to learn hacking with Python 2 years now, and all I have learned was FTP/email Brute Force attacks (and I found the way to do that on myown, not on a page...). Secondly like FuyuKitsune said that you haven't control of what Python is doing (e.g. the background-work) and it uses a lot of main-storage too.
I agree with xzid that C would be a good language because it's hardware near and you have full control of what the program is doing.
Assembly,like Factionwars said, is also a good language because it's even more hardware near than C and even faster too, but it's very complicated and takes much more time to write and learn, and it's even harder than in C to make it work on various platforms.
So I would recommend you to learn C,because it's fast and hardware near, but does not consume as much time as Assebly would.
-
@Factionwars
Thanks for the link,have been searching for something like that a few days now. I would have never expected to find a tutorial link at this topic. Was worth checking it ;D
@Hacking with Python
I think hacking with Python is a bad idea because...
Firstly I have been trying to learn hacking with Python 2 years now, and all I have learned was FTP/email Brute Force attacks (and I found the way to do that on myown, not on a page...). Secondly like FuyuKitsune said that you haven't control of what Python is doing (e.g. the background-work) and it uses a lot of main-storage too.
I agree with xzid that C would be a good language because it's hardware near and you have full control of what the program is doing.
Assembly,like Factionwars said, is also a good language because it's even more hardware near than C and even faster too, but it's very complicated and takes much more time to write and learn, and it's even harder than in C to make it work on various platforms.
So I would recommend you to learn C,because it's fast and hardware near, but does not consume as much time as Assebly would.
Python is a fast development language for hacking, read gray hat python, and it will uncover the true power of importing c libary's in python :), building your own debugger, dll injection etc.etc.
-
@powerkickeR:
Sorry, I don't do C.