How to Hack (Legally): Python Edition

Tuesday 4:10 pm to 5:00 pm, in Salon A-E
All

About This Talk

How to Hack (Legally): Python Edition

Abstract

People often emphasize that the best way to learn is by doing, but when it comes to hacking, the trainee is at risk of legal implications and developing bad habits instead of following ethical procedures. Many people wishing to develop penetration testing skills are unaware of the number of resources available to them to set up a controlled environment where they can legally test hacking tools and techniques.

In this talk, I will cover a wide range of resources available to attendees, and how they can be used as learning tools. The resources I will cover include pre-built vulnerable virtual machines and web applications, open source tools that can be used in conjunction with Python for discovery/enumeration/exploitation, competitions and challenges, trainings geared towards hacking with Python, and certifications.

I will also outline general safe practices using my “TRUSTED” acrostic to ensure attendees understand what is and isn’t legal, and the consequences of not staying within ethical boundaries. During the talk, a link to my website (hack-hub.com) will be displayed so that participants can easily save a list of the resources outlined in this talk with additional information to reference later. I don’t profit or benefit in any way from people visiting my website, it simply exists as an information resource. Additionally, my presentation isn’t just a recital of what’s on the website, so attendees can uniquely benefit from my talk.

Objectives

  • Provide an ongoing centralized repository for helpful resources to promote safe and legal hacking (hack-hub.com)
  • Outline general safe hacking practices to create awareness of what is acceptable and what could result in legal implications
  • Share trusted sources of vulnerable targets which can be used to build a home lab for penetration testing with Python
  • Introduce sources of vetted Python exploits and how to test them while discouraging the use of unknown/untrusted exploits
  • Provide a list of trusted open source tools what can be used for recon, scanning, and exploitation within a home lab
  • Discuss valuable trainings that can be pursued to develop Python hacking skills and different routes to certifications
  • Describe the benefits of participating in hacking competitions and challenges, either individually or on a team

Resource Sample

Below is a small sample of some of the resources that may be included in the repository and discussed in the lightning talk.

  • Vulnerable machines: Vulnhub, Metasploitable
  • Vulnerable web applications: DVWA, bWAPP, XVWA, various OWASP apps/VMs
  • Penetration testing tools: Kali Linux, exploit-db, pypcap, scapy
  • Training/certifications: OSCP, CEH, SANS GPEN, HackerSploit
  • Competitions/challenges: picoCTF, pwnable, MITRE CTF

Presenters

    Photo of

    Karen Miller

    Karen D. Miller is a recent Carnegie Mellon University graduate from the Information Security, M.S. program and currently works full-time as an Associate Cyber Security Engineer at the Software Engineering Institute. Karen received a Bachelor of Science degree in Computer Science from Southern Utah University where she frequently participated in cyber defense and capture the flag competitions which sparked her interest in penetration testing as a career. Because of her interest in security and government work, Karen chose to pursue her Master’s degree through the Scholarship for Service program at CMU instead of moving into a full-time job after graduating from SUU. Although still early in her career, Karen wishes to help people of all backgrounds learn new skills and develop new goals which can be intimidating, but fulfilling.