Now, one of the methods we'll discuss here is dynamic DNS. Let's say that the attacker IP is 1.1.1.1 on day 1. Then, the next day, we get an IP address of 2.2.2.2. Then, how would our target know the new IP address ? The answer is dynamic DNS (DDNS). It is a method to preserve a unique name for you on a DNS server. While the reserved name is fixed, the correlated IP address will change each time you change your public IP address. For demonstration, we will use noip.com. It provides a free dynamic DNS service. So I have previously preserved a name called pythonhussam.ddns.net. So on the target side, instead of hard-coding the IP address on that script, we will do a DNS lookup for this name; then we will retrieve the IP address to make the connection. Now, you're probably asking: When the attacker IP address changes, how does noip.com ...

Now, we will discuss a technique that is used frequently these days: relying on well-known servers to perform certain tasks or transfer a piece of information. This technique has been used by a Russian malware. What the attackers did was they sent the data over their Twitter account and made the target parse it later on. So, on the attacker machine, we just send an order or command as a normal tweet to our Twitter account. Note that there is no direct communication between the attacker and its target, which is really evil here. Later on, the target will parse the tweet and execute that order. The benefits of doing this is are:

• Twitter is a trusted website and it has a very good reputation; most likely, it's a whitelisted website
• This type of attack is very hard to detect, where an unskilled security team would never have thought that this data could...

In this section, we will automate capturing a screenshot from the target machine and retrieve it over HTTP reverse shell. Getting a screenshot from the target Desktop can be useful to see what programs and activities are going on on the target side. In Metasploit Meterpreter, there is a function called screengrab(), which will take a snapshot from the target machine and transfer it back to the attacker machine. So here, we will do something similar in our existing HTTP shell. For this purpose, we will be using a library called Pillow at the target. This is a high-level image library in Python. The installation is quite simple. You just need to run pip install Pillow via cmd.

Before doing that, just make sure that you have internet access. Once we install this library, I will go to Devices|Network|Network Settings...

We will now code a Python function that will search into target directories and provide us with a list of file locations for a certain specific file extension. For instance, say we need to search for a PDF or document file on the target machine; instead of checking each directory, we will add a new function to automatically do the job for us. This is very useful when you first land in a target machine and try to explore as much data as possible such as documents, PDF files, and so on. The coding part is quite easy. We will use the Python os library to do the job for us. So, as usual, I have added a new if statement to specify that if we get a search keyword we will do the following:

# Python For Offensive PenTest

# Searching for Content

import requests 
import subprocess 
import os
import time

while True: 

    req = requests.get('http...

During penetration testing, sometimes you encounter a scenario where your client is using some kind of an internal server that is not accessible through the internet. And just because of this they think it's secure. In this section, we will see how we can integrate a simple port scanner with our script to prevent a possible attack.

Usually, once you get into your target machine, you start looking for other possible targets. For example, if we were able to access machine A, then we can extend our attack and scan machine B to see what ports and services are running on that machine. The other usages are to make the target scan an online server on our behalf to hide our activities. Now, let's get to the coding part. We will build a basic low-level scanner. It's named low-level because we will use the built-in socket library and then...

In this chapter, we learned about DDNS and the DDNS-aware shell. We also learned how to interact with Twitter, and replicate Metasploit's screen capturing, and we searched for the content and looked into target directory navigation. Last, we saw how to integrate a low-level port scanner.

In the next chapter, we will learn about password hacking.