
Black Hat Python For Hackers and Pentesters // Karim Nathoo
In-Person | November 3-4 | 2 Days
ABSTRACT
This is the official companion course to the popular book Black Hat Python, 2nd Edition from No Starch Press. This companion course has been updated for Python 3 and developed under the oversight and cooperation of the original Black Hat Python author Justin Seitz. The course aims to cover the major subject areas from Black Hat Python 2nd Edition in a hands-on format where students will learn by working on an extensive suite of labs and exercises in a guided manner to make the most of our time together. This course will be beneficial for students that are seasoned Python programmers as well as those newer to the field.
Only a basic understanding of Python is required to participate in the course. Students will be provided with a brief Python language basics tutorial that they can go through on their own prior to starting the course.

INTENDED AUDIENCE
Penetration testers and hackers wanting to write custom tools and up their game with Python coding!
KEY LEARNING OBJECTIVES
- Python basics and environment setup
- Basic Networking Tools
- Writing a Sniffer
- Owning the Network with Scapy
- Web Hackery
- Designing a Command and Control (C2) Framework
- Windows Implants
- Data Exfiltration
- Privilege Escalation
DETAILED AGENDA
Module 1 – Introduction and Setup
- Setting up a Python environment
- Installing an IDE
- Installing support Virtual Machines (Kali Linux)
- Python refresher
Module 2 - Basic Networking Tools
- Introduces core networking concepts and demonstrates how Python can implement TCP and UDP clients, servers, and proxies.
- Covers Python’s socket library for low-level communication, along with higher-level modules for building practical networking tools.
- Examines how attackers and defenders alike rely on these fundamentals for scanning, remote access, and traffic manipulation.
- Hands-On Exercises
  - Build TCP and UDP clients and servers, including a multi-threaded server for handling concurrent connections.
  - Implement a Python version of Netcat to support command execution, file transfer, and remote communication.
  - Develop a simple proxy for intercepting, displaying, and optionally modifying network traffic.
Module 3 - Writing a Sniffer
- Focuses on creating packet sniffers using Python raw sockets, with comparisons of Windows and Linux behaviors.
- Introduces binary data handling with the struct module to decode IPv4 and ICMP headers.
- Highlights the role of sniffing in reconnaissance, host discovery, and low-level attacks such as ARP spoofing.
- Hands-On Exercises
  - Create a raw socket sniffer that captures packets in promiscuous mode.
  - Decode IPv4 and ICMP headers to extract useful protocol information.
  - Implement a UDP host scanner that uses ICMP “port unreachable” responses to identify active systems.
Module 4 - Scapy
- Introduces Scapy, a Python library for packet crafting, sniffing, and manipulation.
- Demonstrates how Scapy simplifies the creation of custom sniffers and network tools without manually parsing binary protocols.
- Explores the security implications of packet manipulation and man-in-the-middle techniques.
- Hands-On Exercises
  - Use Scapy to build a simple sniffer and extract credentials from captured traffic.
  - Implement ARP cache poisoning to position an attacker as a man-in-the-middle.
  - Combine sniffing and poisoning techniques to monitor and manipulate network communications.
Module 5 – Web Hackery
- Introduces techniques for analyzing and exploiting web applications as an entry point into deeper networks.
- Covers essential Python 3 libraries (urllib, requests, lxml, BeautifulSoup) to automate reconnaissance, interaction, and data extraction from web applications.
- Provides context on why internet-facing web apps are high-value targets, often serving as pivot points into internal systems.
- Hands-On Exercises
  - Map open-source applications like WordPress to identify exposed files, credentials, and misconfigurations.
  - Use brute-forcing techniques to discover hidden directories, files, and weak login credentials.
  - Apply threading and queuing to scale attacks, simulating real adversary tradecraft.
Module 6 - Command and Control
- Command-and-Control (C2) fundamentals for post-compromise operations: definitions (C2, exfiltration, implant), core design considerations (encrypted communications, traffic blending, implant-initiated check-ins), and the requirements for remote tasking and result collection.
- Design a practical C2 architecture leveraging a cloud-based SaaS platform as transport: per-implant config files (JSON), modular task code hosted on the cloud platform, a consistent module interface, and an import hook that allows the implant to dynamically load and execute modules from the repository.
- Hands-On Exercises
  - Build the repository layout and implant config format: create config/, modules/, and data/ directories; author an implant-specific JSON config that references module names.
  - Implement the implant runtime: write polling logic that fetches and parses config, dynamically import modules, spawn threads to run functions, and upload module results back to the collection point.
  - Include operational details and telemetry considerations: implement randomized check-in intervals and backoff, secure token handling for the SaaS API, and basic result serialization/encoding for reliable exfiltration.
Module 7 – Windows Implants
- Explores how adversaries use Python to develop implants for Windows environments.
- Discusses keystroke logging, screen capture, and shellcode execution as common implant capabilities.
- Highlights the trade-offs of using Python for implants, including rapid development benefits and detection challenges.
- Hands-On Exercises
  - Implement a keystroke logger with application context using pyWinhook.
  - Capture desktop screenshots via the Windows GDI API using pywin32.
  - Download and execute attacker-supplied shellcode from a remote host using the ctypes library.
Module 8 – Case Study in Privilege Escalation
- Presents a Windows privilege escalation case study using a deliberately vulnerable service.
- Demonstrates how attackers identify misconfigurations in services and scheduled tasks to gain elevated privileges.
- Introduces process monitoring and file system monitoring with Python, using WMI and Windows APIs.
- Hands-On Exercises
  - Deploy and interact with a vulnerable service that runs scripts with system-level privileges.
  - Use Python-based process monitoring to analyze service behavior and identify exploitable conditions.
  - Exploit a race condition by modifying a script file before execution, achieving code execution as Local System.
Knowledge Prerequisites
Only a basic understanding of Python is required to participate in the course. Students will be provided with a brief Python language basics tutorial that they can go through on their own prior to starting the course.
Hardware Requirements
- A laptop capable of running Windows 11 and Kali Linux virtual machines concurrently.
- 16GB of RAM is recommended.
- 25GB of free hard disk space.
Software Requirements
- Students will be responsible for installing a Python 3 language environment or using virtual machines provided by the instructor.
- Students will need to have the most recent version of VMware Workstation (free software) to run VMware images produced with the latest version of the software.
- Students should have administrative access to their laptop and the ability to disable antivirus and other security software.
YOUR INSTRUCTOR: Karim Nathoo
Karim Nathoo is a freelance computer security consultant providing specialized security services to government, military and private sector clients. Karim has extensive experience in high assurance ethical hacking, incident response and security product evaluation, including the application of binary code analysis and reverse engineering. Karim has delivered professional services for international clients in Asia, Europe, Canada and the United States. Karim has experience ranging from working with R&D teams in cutting edge technical environments to providing executive level risk management briefings and proof of concept demonstrations.
Karim has performed security assurance and engineering engagements for organizations such as Apple, Microsoft, France Telecom, Cloakware Corporation, Creative Labs, Motorola, Verizon, Nokia, Philips Semiconductor, SONY BMG, SUN Microsystems, QNX Software Systems and numerous Canadian and US Government agencies.
Specialties: Penetration testing, code analysis, reverse engineering, software security evaluation, custom software development, malware analysis, incident response, product evaluation, and security engineering.
COUNTERMEASURE25: 60+ days before the event, 75% of fees refunded; 45-60 days before the event, 50% refunded; less than 45 days, 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.