Karen Miller

How to Hack (Legally): Python Edition

Audience: All


# How to Hack (Legally): Python Edition ## Abstract People often emphasize that the best way to learn is by doing, but when it comes to hacking, the trainee is at risk of legal implications and developing bad habits instead of following ethical procedures. Many people wishing to develop penetration testing skills are unaware of the number of resources available to them to set up a controlled environment where they can legally test hacking tools and techniques. In this lightning talk, I will briefly cover a wide range of resources available to attendees, and how they can be used as learning tools. The resources I will cover include pre-built vulnerable virtual machines and web applications, open source tools that can be used in conjunction with Python for discovery/enumeration/exploitation, competitions and challenges, trainings geared towards hacking with Python, and certifications. I will also outline general safe practices to ensure attendees understand what is and isn't legal, and the consequences of not staying within ethical boundaries. During the talk, a link will be displayed so that participants can easily save a list of the resources outlined in this talk with additional information to reference later. ## Objectives - Provide an ongoing centralized repository for helpful resources to promote safe and legal hacking - Outline general safe hacking practices to create awareness of what is acceptable and what could result in legal implications - Share trusted sources of vulnerable targets which can be used to build a home lab for penetration testing with Python - Introduce sources of vetted Python exploits and how to test them while discouraging the use of unknown/untrusted exploits - Provide a list of trusted open source tools what can be used for recon, scanning, and exploitation within a home lab - Discuss valuable trainings that can be pursued to develop Python hacking skills and potentially obtain certifications - Describe the benefits of participating in hacking competitions and challenges, either individually or on a team ## Resource Sample Below is a small sample of some of the resources that will be included in the repository and discussed in the lightning talk. - Vulnerable machines: Vulnhub, Metasploitable - Vulnerable web applications: DVWA, bWAPP, XVWA, various OWASP apps/VMs - Penetration testing tools: Kali Linux, exploit-db, pypcap, scapy - Training/certifications: OSCP, CEH, SANS GPEN, HackerSploit - Competitions/challenges: picoCTF, pwnable, MITRE CTF