Cybersecurity tools have become more important than ever. For many organizations, COVID made their workplace perimeter-less for the first time when they extended their network to encompass employees forced to work from home during COVID lockdowns. IT teams have seen a spike in threats that are often due to human error or vulnerable home networks. This spike has been paralleled by a massive rise in cybercrime, which is expected to cost organizations more than $1T this year.
In this post we look at the kinds of exploits a remote workforce can be subject to, and how you can use Python tools and scripts to help counteract them.
Python is a versatile programming language with a low barrier of entry, making it something of a double-edged sword: not only can it help create solutions to hinder cyber attacks, but it also simplifies the creation of scripts ideally suited for carrying out attacks. Just as attackers can use Python to create scripts targeted at gaining access to an organization’s data and resources, it only makes sense that organizations should also step into an attacker’s shoes and leverage Python scripts to secure their systems.
A previous blog post by Mike Mackrory titled ‘Using Python For CyberSecurity Testing‘ covers many relevant topics, including:
- Port scanning
- Packet sniffing
- TCP packet injection
A quick Google search will also turn up a number of posts that discuss how to use popular Python cybersecurity tools like Requests, Beautiful Soup, Scrapy, and Socket. As a result, this post will look at some Python tools that are off the beaten track. Most of these tools help with penetration testing, and can be useful for auditing remote employees in general, and remote development teams in particular.
Let’s get started.
#1 — Scan GitHub for Secrets
The trend toward digital transformation means that every organization now has the problem of managing secret information in the form of API keys and tokens required to access their internal software and cloud-based resources. Partners, ex-employees, or even existing employees can expose this kind of sensitive information if they’re not handled properly.
One major vector for exposure of API Keys and tokens is GitHub, the most popular developer platform in use today. It’s unfortunately all too common for your own developers, or even a partner’s developers to inadvertently include an API Key in their GitHub repository.
GitGraber automatically scans GitHub repositories for your organization’s API keys related to online services like Twitter, Facebook, Twilio, AWS, Slack, and more. If it finds an exposed token, it reports it in your Slack channel. False positives can occur, but they’re bearable if you find even one exposed API key you didn’t know about.
Before you can run gitGraber, you’ll need to modify config.py to:
- Add your Github access tokens:
GITHUB_TOKENS = ['yourToken1Here','yourToken2Here']
- Add your Slack Webhook:
SLACK_WEBHOOKURL = 'https://hooks.slack.com/services/TXXXX/BXXXX/XXXXXXX'
You can then run gitGraber:
gitGraber.py -q “apikey” --slack
#2 — Catch a Sneaky RAT
Pupy stands for Pretty Useful Python, and is a Remote Administration Tool (RAT) that can be used to control a machine. You can use it to test if a system has a RAT tool installed already, as well as to regain access to a compromised system. But of course, so can attackers.
The key strength of pupy is that it operates completely from in-memory resources without touching the disk. This makes it invisible to malware detectors. It can start out with low privileges and quickly gain escalated privileges on the target machine. Because puppy includes a Python interpreter, it allows anyone to run Python packages and extensions remotely, and from the device’s memory.
By default, you can create a RAT client for an x86 Windows system simply by running “pupygen.” The RAT server can be instantiated by simply running “pupysh.py.” Now you’re ready to upload your RAT to a target machine which, if successful, will call back to the server. To see a list of commands you can remotely execute, simply type “?” at the server prompt.
#3 — Find Hidden Directories
Hidden files and directories that contain malicious code is a common characteristic of compromised systems. But finding them can be tricky and/or tedious. Dirsearch is a brute force tool that automates the task of discovering directories, subdirectories, and files primarily for use on a web server. The tool generates a result that shows you the exact site structure of a domain. Dirsearch can multithread requests, making it very fast.
dirsearch -u <http://some.URL> -e <fileExtension>
dirsearch -u https://www.activestate.com -e php
There are similar tools, such as Dirhunt, but they typically don’t use brute force or support multithreading.
#4 — Find Hidden Subdomains and Files
The more subdomains an organization, the greater its attack surface. This is why an important part of penetration testing is to identify all active subdomains. One handy Python script that does this well is OneForAll. There are free tools that do a basic job of subdomain collection, but OneForAll towers over them with its powerful features for data collection. It checks for subdomain transfers, cross-domain policy files, HTTPS certificates, robots and sitemap files, and a lot more. And it’s extremely capable, able to process 350,000 domain names per second.
oneforall.py --target activestate.com run
Alternatively, take a look at Knock, which is a similar tool that can scan for subdomains through a wordlist.
#5 — Test NoSQL Databases
NoSQL databases are very popular in today’s web applications. But developers can often misconfigure a NoSQL database, leaving it vulnerable to both web application and database access attacks. A handy Python tool to check for these vulnerabilities is NoSQLMap, which currently supports both MongoDB and CouchDB. MongoDB is a ripe target for attacks these days, with a new case of a compromised Mongo database reported every month.
NoSQLMap can gain access to a compromised database even without authorization. To create an attack, all it needs is a list of:
- IP addresses, or
- Subnets, or
- Web application hosts, or
- Web application or database ports, or
- Application paths
Based on this information, NoSQLMap can find all deployed instances of MongoDB and CouchDB. For non-compromised databases, it can check for common vulnerabilities like weak username and password combinations.
Check for Privilege Escalation
And one bonus tool: Linuxprivchecker, which offers a basic sanity check for suspicious privilege escalations, such as world-writable files and clear-text passwords. The tool only works locally on Linux machines, so it’s not useful for checking remote worker’s systems. However, it’s always good practice to run something like linuxprivchecker to make sure your machine isn’t compromised before using it to assess other systems.
To run the tool and output the results to a file:
linuxprivchecker.py --write --outfile filename
Cybersecurity Tools: Conclusions
In a remote workplace, security teams need to use remote security approaches as well. Running the Cybersecurity tools listed here offers a great way to:
- Gauge the attack surface of an organization
- Estimate the impact of an ongoing attack
- Attempt to regain control after an attack
And since they’re all open source Python scripts/tools, there’s no excuse for not taking advantage of them in your security operations today.