5 Python Libraries Every Pentester Should Be Using

As a penetration tester who uses Python in virtually every engagement, here are the top five Python libraries I recommend pentesters use. Some of these are tools and some are libraries, but the common thread is that they are beneficial when you are doing a pentest. If you're new, we'll briefly go over what Python is, then gradually get more detailed from there: why pentesters use Python so heavily, and finally the top five list itself.

So, what is Python?

Python is a general-purpose, interpreted programming language. It is object oriented but also supports limited functional programming. It places a strong emphasis on code readability, and indentation delimits code blocks. It is fast for creating projects but, as a downside, not so fast when it comes to code execution.

Why do Pentesters use Python?

It’s relatively easy compared to other languages, and it’s supported by all major platforms: Linux, OS X, and Windows. Not to mention it has an incredibly deep set of native libraries, which in turn reduces the number of lines of code required. And the best part? It has a highly active development community, which means thousands of third-party libraries are being developed all the time, extending the native functionality of the language to accomplish nearly any task.

My Top 5 Python Libraries for Pentesters (with a bonus #6):

  • Impacket
  • Python Nmap (libnmap)
  • Scapy/dpkt+pcapy
  • Requests/BeautifulSoup
  • Mona
  • Bonus: Socket

Core Impacket

What does it do? Impacket is a collection of Python classes for working with network protocols. It provides low-level programmatic access to the packets and, for some protocols, a complete implementation of the protocol itself.

Why is it useful? It easily interacts with native Windows protocols such as SMB, MSSQL, NetBIOS, and DCERPC. It’s also great for Windows reconnaissance and exploit development (it even supports hash-based authentication).

Which projects use this library? CrackMapExec, SMBMap, Ranger, Polenum, Pupy, Veil-Framework, PorLa, the list goes on and on and on…

Python Nmap

What does it do? Makes it easier to programmatically parse Nmap scan results.

Why is it useful? Every pentester uses Nmap. Python-Nmap provides an easy way to analyze scan results and execute custom attacks against specific hosts. And did I mention it’s great for importing Nmap results into other tools for reporting purposes?

Which projects use this library? Surprisingly, very few, but it’s still a great library!
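To show what "programmatically parsing Nmap results" for reporting actually involves, here is an added example that is not from the post or from the python-nmap/libnmap projects: a standard-library-only parser for Nmap's `-oX` XML output that keeps live hosts and their open ports and answers a typical report question. The XML is constructed sample data in Nmap's real `-oX` layout (not a real scan), and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (not a real scan): one live host
# with two open ports and one filtered port, plus one host that is down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/30" version="7.94">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
        <service name="telnet" conf="3"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live IPv4 host to its hostname and *open* ports as (port, proto, service, banner)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # host never answered: nothing to report
        hn = host.find("hostnames/hostname")
        ports = []
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for service reporting
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            ports.append((int(port.get("portid")), port.get("protocol"), attrs.get("name", ""), banner))
        results[addr.get("addr")] = {"hostname": hn.get("name") if hn is not None else None,
                                     "ports": sorted(ports)}
    return results


def hosts_with_service(results, service_name):
    """Reporting helper: live hosts exposing the named service, e.g. 'http'."""
    return sorted(ip for ip, h in results.items() if any(p[2] == service_name for p in h["ports"]))


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, h in scan.items():
        print(ip, h["hostname"] or "-", h["ports"])
    print("http hosts:", hosts_with_service(scan, "http"))
```

Swap `SAMPLE_NMAP_XML` for the contents of a real `nmap -sV -oX scan.xml` file and the same two functions give you a filtered host/service table ready to drop into a report.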

Scapy/dpkt+pcapy

What does it do? This is a powerful Python-based packet manipulation tool and library. It forges and decodes packets for a wide range of protocols, sends them on the wire, captures them, matches requests with replies, and much more.

Why is it useful? It programmatically accomplishes the functionality of tools such as Nmap, Wireshark, hping, arpspoof, tcpdump, etc. It’s also great for fuzzing attacks against custom thick clients and is incredibly helpful as an educational tool when learning about low-level network protocols.

Which projects use this library? Pupy, airodump-iv, WiFi-Analyzer

Requests/BeautifulSoup

What does it do? Requests lets programmers easily send HTTP/1.1 requests without manual labor or encoding, and BeautifulSoup is the Python library for pulling data out of HTML and XML files.

Why is it useful? It’s perfect for generating custom payloads and attacks against web applications where tools like Burp fail to deliver an easy solution. Combined with BeautifulSoup, it quickly isolates the important details in a response.

Which projects use this library? Reddit, DirSearch, EyeWitness, SQLMap, theHarvester

Mona

What does it do? Mona.py is a plugin for Immunity Debugger developed by the Corelan Team — it is intended to assist in exploit development.

Why is it useful? Mona simplifies tasks such as identifying offsets, bad characters, and ROP gadgets, and generating functional exploit code.

Which projects use this library? Immunity Debugger (PyCommander)

(the humble) Socket

What does it do? A low-level network interfacing library that lets systems speak to each other over a network.

Why is it useful? The (humble) socket is the foundation of (almost) every single tool we’ve covered in my top five list! It is the proverbial giant on whose shoulders all the other tools stand, yet its simple (file-like) I/O makes it incredibly easy to create client/server applications.

Which projects use this library? More or less anything that communicates over a network interface, which is to say, tens of thousands of tools rely on the simple socket. Bow to its simple mightiness. =)

I discussed all these tools and their uses in more depth in my webinar — I invite you to watch the free on-demand version here. If you’d like to know more about NopSec’s penetration testing and/or our other cybersecurity services, please visit this page for more info.