[Python] Questions

[powerkickeR]

Hey guys, I just recently joined these forums and I have to say I've found some pretty useful information around here. My native programming language is Python, and I still consider myself a beginner at it. I've spent some time looking around google and other websites, but I guess its come to a point where I need to ask. How can I apply Python to hacking? Like making exploits, stuff like that. I'm rather confused on that topic, I'm not sure what modules to use and how to figure out how to use them. I guess that's all for now, thanks guys!

[Kulverstukas]

You have to know what you need to write before you can write it.
If you don't know what to exploit, then how are you gonna write a script for it?
To know HOW to write, you need experience... don't really know what to tell you here, kinda dumb question IMO

[powerkickeR]

But how exactly would I know what? Wouldn't I need to learn the modules first? I have no idea how to apply it to that. I mean, I can make programs and what not, but I just don't know the modules I need in order to do stuff like that? O_O.


Edit: Like would I write a python CGI script to exploit a website that has a vulnerability? Agh T_T. This is confusing.

[xzid]

wat? you need to be more specific, in programming terms you are asking: "OK I know python, how do I write a program?". A useless question, we need more info(what program?). Exploits, hacking tools are exactly like any other program.. They have a specific purpose, one related to security. There is no h4x0r python library as far as I know, the closest I can think of would be the metasploit "API"(ruby).

I really doubt CGI is what you need bro. Have you looked at any other exploits? The python ones are usually wrap-arounds for remote execution, etc flaws. It has absolutely nothing to do with python.

If somebody told you that hacking == programming, they either lied or had no fucking clue what they were talking about.

[powerkickeR]

wat? you need to be more specific, in programming terms you are asking: "OK I know python, how do I write a program?". A useless question, we need more info(what program?). Exploits, hacking tools are exactly like any other program.. They have a specific purpose, one related to security. There is no h4x0r python library as far as I know, the closest I can think of would be the metasploit "API"(ruby).

I really doubt CGI is what you need bro. Have you looked at any other exploits? The python ones are usually wrap-arounds for remote execution, etc flaws. It has absolutely nothing to do with python.

If somebody told you that hacking == programming, they either lied or had no fucking clue what they were talking about.

Thanks man this is some useful information. I'm very cloudy on this subject. Basically, every where I've looked, I've always seen people say you have to know how to program to be a good hacker, or to even be a hacker. that was when I first took the initiative to start programming. I've also been told that hacking tools "limit" you in a way.
And I haven't looked into writing exploits in other languages considering I only know HTML,XML and Python.


So, I guess what I'm trying to get around with asking here is to point me in the right direction, so to speak. I've always thought that programming would be the way I could do my own things for hacking and such.


Edit:
"[size=78%] [/size][size=78%]hacking == programming"[/size]
[size=78%]this made me laugh XD.[/size]

[xzid]

well programming is a part of hacking, but there is much more to it. It really helps to be able to code programs to do exactly what you need them to do, but this requires knowledge of WTF is going on. I'll take an HTML solution, say for example a [malicious] form:

Code: [Select]

<form action="http://web/user_ban.php" method="post">
<input type="hidden" name="user" value="some_guy_you_hate">
<input type="hidden" name="foo" value="bar">
</form>
<!-- javascript trigger -->

HTML isn't the only part of the problem... you need knowledge of the web-app, knowledge of HTTP, knowledge of how to get the target(in this case, admin or w/e) to fuck himself, etc.. HTML helped, but someone who knows HTML doesn't automatically know how to do this.

>> you can exploit more systems with knowledge of (so called limited)tools than you can with knowledge of programming, so long as you understand what they are doing <<

[powerkickeR]

Alright bro I see where your coming from, hmm. Is it possible to see all the exploits that metasploit has? like the source code so I can have examples and such?


So, I guess the final question, where should I start, where should I expand my knowledge to?


Thanks a ton man.

[xzid]

Metasploit is pretty much just scripts, you can browse the code simply by opening the files with a text editor. Although I would recommend you browse exploit websites, try exploit-db.

As for second q I would recommend you browse those exploits and see: "buffer overflow"? what is that?... *google* I kinda get it, I maybe should consult with a tutorial(google once again) and perhaps further my knowledge of C/ASM. You will also notice those sites have a papers/tutorial section, read anything that strikes your interest. While you're at it visit evilzone's tutorial section.

> it won't be easy, lots of learning, lots of effort.. but if it was easy, there'd be no fucking point to it. good luck.

[powerkickeR]

Alright I'll have a voyage through that website ;P.
Thanks a ton man, I really appreciate it.
off to find the master sword!!!!!!!

[Python]

Python in itself isn't going to help you become a better hacker. Rather it's going to aid you with what you already know. By that I mean; knowing python isn't going to directly help you hack anything, it will however aid you as you can write scripts to automate processes which may otherwise take time.

To be a good 'hacker' you have to understand the systems and how they work. Read books on network/web application security and exploitation and then apply python to that. Just make sure that the ebooks are good and actually explain what and how everything (source code examples are always good). And also read up more on python before attempting to write any exploit scripts. If you aren't sure about which modules you would use then you have learned enough.

[Live Wire]

Alright bro I see where your coming from, hmm. Is it possible to see all the exploits that metasploit has? like the source code so I can have examples and such?.

I do believe metasploit maintains a list on their website of the pre loaded modules.

http://metasploit.com/modules/


This might help you out.

[Stackprotector]

I am not following the topic, but metasploit is perl only right?

[Live Wire]

I am not following the topic, but metasploit is perl only right?

What the modules? 98% sure they are ruby.http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide

[Stackprotector]

What the modules? 98% sure they are ruby.http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide

Aah,   wikipedia: Metasploit was created by HD Moore in 2003 as a portable network tool using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby

[flowjob]

You can't really hack with Python! It's one of the worst languages for hacking.

But one way to hack with Python is FTP or e-mail hacking. In order to hack these with Python you have to know following things:

• FTP (ftplib module)
• SMTP (smtplib module)
• IMAP (imaplib module)
• POP (poplib module)
• Brute Force (itertools module)

Then you could make a Brute Force attack to a FTP/e-mail Server in order to gain the password.
You only have to make an 'for i in itertools.permutations' loop wich trys all combinations of characters from a list (the list should contain all ASCII chars).