Below are several code examples that illustrate how you might leverage and integrate some of the essential penetration testing tools discussed in Module 3: Tools of the Trade – A Comprehensive Guide to Penetration Testing Tools. These examples are provided for educational purposes only and should be used in controlled, authorized environments. In many cases, we use Python (or other languages) to automate or interface with these tools.
1. Reconnaissance and Information Gathering with Nmap
Overview: Nmap is widely used for host discovery, port scanning, and service/OS detection. The following Python script uses the python‑nmap library to perform a scan on a subnet.
# nmap_scan.py
import nmap
def scan_network(target):
scanner = nmap.PortScanner()
# -sV for service/version detection, -O for OS detection
scanner.scan(hosts=target, arguments='-sV -O')
results = {}
for host in scanner.all_hosts():
host_info = {
'hostname': scanner[host].hostname(),
'state': scanner[host].state(),
'protocols': {}
}
for proto in scanner[host].all_protocols():
ports = []
for port in sorted(scanner[host][proto].keys()):
port_details = {
'port': port,
'state': scanner[host][proto][port]['state'],
'service': scanner[host][proto][port].get('name', '')
}
ports.append(port_details)
host_info['protocols'][proto] = ports
results[host] = host_info
return results
if __name__ == '__main__':
target_subnet = '192.168.1.0/24' # Change to your authorized target
scan_results = scan_network(target_subnet)
for host, info in scan_results.items():
print(f"Host: {host} ({info['hostname']})")
print(f" State: {info['state']}")
for proto, ports in info['protocols'].items():
print(f" Protocol: {proto}")
for port in ports:
print(f" Port {port['port']} - {port['state']} ({port['service']})")
2. Vulnerability Assessment with OpenVAS (GVM)
Overview: OpenVAS (now part of the Greenbone Vulnerability Management suite) automates vulnerability scanning. While OpenVAS is primarily managed via a web interface, you can also interact with it using Python. For example, the python-gvm library enables you to communicate with the Greenbone Management Protocol (GMP).
# openvas_scan.py
from gvm.connections import UnixSocketConnection # or use TCPConnection for remote hosts
from gvm.protocols.gmp import Gmp
def list_tasks():
connection = UnixSocketConnection() # Adjust connection type and parameters as needed
with Gmp(connection=connection) as gmp:
gmp.authenticate('admin', 'yourpassword') # Replace with your credentials
tasks = gmp.get_tasks()
for task in tasks.xpath('//task'):
name = task.xpath('name/text()')[0]
status = task.xpath('status/text()')[0]
print(f"Task: {name}, Status: {status}")
if __name__ == '__main__':
list_tasks()
3. Exploitation Framework with Metasploit
Overview: Metasploit’s powerful exploitation framework can be automated using its RPC API. The python‑msfrpc (or similar) library lets you connect to Metasploit, search for exploits, and even launch modules from a Python script.
# metasploit_example.py
# This example uses the MsfRpcClient from the metasploit.msfrpc package.
# Make sure to run msfrpcd or use msfconsole with RPC enabled.
try:
from metasploit.msfrpc import MsfRpcClient
except ImportError:
print("Please install the msfrpc client library.")
exit(1)
def search_exploits(keyword):
client = MsfRpcClient('your_password', server='127.0.0.1', port=55553) # adjust port and password as needed
# Search for exploits related to the keyword (e.g., 'ftp')
exploits = client.modules.exploits.search(keyword)
print(f"Exploits matching '{keyword}':")
for mod in exploits:
print(mod)
if __name__ == '__main__':
search_exploits('ftp')
4. Web Application Testing with Burp Suite Extension
Overview: Burp Suite is a comprehensive web application testing platform. You can extend its functionality with custom extensions written in Jython (Python running on the Java Virtual Machine). The sample below logs every HTTP request URL that passes through Burp’s proxy.
Overview: Wireshark is excellent for network traffic analysis. PyShark is a Python wrapper for tshark (Wireshark’s command‑line tool) that allows you to capture and analyze network packets in real time.
# pyshark_capture.py
import pyshark
def capture_http_packets(interface='eth0', packet_count=5):
# Capture live packets on the specified interface with an HTTP filter
capture = pyshark.LiveCapture(interface=interface, display_filter='http')
print(f"Capturing {packet_count} HTTP packets on interface {interface}...")
for packet in capture.sniff_continuously(packet_count=packet_count):
try:
# Display source, destination, and HTTP host if available
src = packet.ip.src
dst = packet.ip.dst
http_host = packet.http.host if hasattr(packet, 'http') else 'N/A'
print(f"Packet from {src} to {dst}, HTTP Host: {http_host}")
except AttributeError:
# Some packets might not have the expected attributes
continue
if __name__ == '__main__':
capture_http_packets(interface='eth0', packet_count=5)
6. Post-Exploitation Reporting: Generating a JSON Report
Overview: After testing, it’s essential to compile your findings in a clear, structured report. The following Python script demonstrates how to aggregate dummy scan and exploitation results into a JSON report.
These examples demonstrate how to integrate some of the key penetration testing tools into a cohesive workflow:
Reconnaissance: Use Python and Nmap for host and service discovery.
Vulnerability Assessment: Interface with OpenVAS (GVM) to manage and view scan tasks.
Exploitation: Leverage Metasploit’s RPC API to search for and, in controlled labs, execute exploits.
Web Testing: Extend Burp Suite with a custom Jython extension to monitor HTTP traffic.
Network Analysis: Use PyShark to capture and analyze live network traffic.
Reporting: Combine scan and exploitation results into a structured JSON report.
Always ensure you have explicit authorization before testing any system, and use these tools responsibly within legal and ethical boundaries. Happy testing, and keep learning!