Book Image

Python: Penetration Testing for Developers

By : Christopher Duffy, Mohit , Cameron Buchanan, Andrew Mabbitt, Terry Ip, Dave Mound, Benjamin May
Book Image

Python: Penetration Testing for Developers

By: Christopher Duffy, Mohit , Cameron Buchanan, Andrew Mabbitt, Terry Ip, Dave Mound, Benjamin May

Overview of this book

Cybercriminals are always one step ahead, when it comes to tools and techniques. This means you need to use the same tools and adopt the same mindset to properly secure your software. This course shows you how to do just that, demonstrating how effective Python can be for powerful pentesting that keeps your software safe. Comprising of three key modules, follow each one to push your Python and security skills to the next level. In the first module, we’ll show you how to get to grips with the fundamentals. This means you’ll quickly find out how to tackle some of the common challenges facing pentesters using custom Python tools designed specifically for your needs. You’ll also learn what tools to use and when, giving you complete confidence when deploying your pentester tools to combat any potential threat. In the next module you’ll begin hacking into the application layer. Covering everything from parameter tampering, DDoS, XXS and SQL injection, it will build on the knowledge and skills you learned in the first module to make you an even more fluent security expert. Finally in the third module, you’ll find more than 60 Python pentesting recipes. We think this will soon become your trusted resource for any pentesting situation. This Learning Path combines some of the best that Packt has to offer in one complete, curated package. It includes content from the following Packt products: ? Learning Penetration Testing with Python by Christopher Duffy ? Python Penetration Testing Essentials by Mohit ? Python Web Penetration Testing Cookbook by Cameron Buchanan,Terry Ip, Andrew Mabbitt, Benjamin May and Dave Mound
Table of Contents (32 chapters)
Python: Penetration Testing for Developers
Python: Penetration Testing for Developers
Credits
Preface
Bibliography
Index

Predicting a linear congruential generator


LCGs are used in web applications to create quick and easy pseudo-random numbers. They are by nature broken and can be easily made to be predictable with enough data. The algorithm for an LCG is:

Here, X is the current value, a is a fixed multiplier, c is a fixed increment, and m is a fixed modulus. If any data is leaked, such as the multiplier, modulus, and increment in this example, it is possible to calculate the seed and thus the next values.

Getting ready

The situation here is where an application is generating random 2-digit numbers and returning them to you. You have the multiplier, modulus, and increment. This may seem strange, but this has happened in live tests.

How to do it…

Here is the code:

C = ""
A = ""
M = ""

print "Starting attempt to brute"

for i in range(1, 99999999):
    a = str((A * int(str(i)+'00') + C) % 2**M)
    if a[-2:] == "47":
        b = str((A * int(a) + C) % 2**M)
        if b[-2:] == "46":
            c = str((A * int...