
Python Penetration Testing Essentials Techniques for ethical hacking with Python 2nd Edition Mohit download

The document is about the book 'Python Penetration Testing Essentials Techniques for Ethical Hacking with Python, 2nd Edition' by Mohit, which serves as a practical guide for using Python in penetration testing. It covers various topics including networking basics, scanning, sniffing, network attacks, and application layer hacking techniques such as SQL injection and XSS. The book is aimed at Python programmers, security researchers, and network administrators who wish to enhance their skills in ethical hacking.

Python Penetration Testing Essentials
Second Edition

Techniques for ethical hacking with Python

Mohit

BIRMINGHAM - MUMBAI

Python Penetration Testing Essentials


Second Edition
Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, without the prior written permission of the publisher, except in the case of brief quotations
embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented.
However, the information contained in this book is sold without warranty, either express or implied. Neither the
author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to
have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy
of this information.

Commissioning Editor: Vijin Boricha


Acquisition Editor: Noyonika Das
Content Development Editor: Roshan Kumar
Technical Editor: Sushmeeta Jena
Copy Editor: Safis Editing
Project Coordinator: Hardik Bhinde
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Jason Monteiro
Production Coordinator: Deepika Naik

First published: January 2015


Second edition: May 2018

Production reference: 1290518

Published by Packt Publishing Ltd.


Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78913-896-2

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as
well as industry leading tools to help you plan your personal development and advance
your career. For more information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos
from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a
print book customer, you are entitled to a discount on the eBook copy. Get in touch with us
at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a
range of free newsletters, and receive exclusive discounts and offers on Packt books and
eBooks.


Contributors

About the author


Mohit is a Python programmer with a keen interest in the field of information security. He
holds B.Tech (UIET, KUK, 2009) and M.E. (Thapar University, 2012) degrees. He is a CEH,
ECSA at EC-Council USA. He has worked at IBM and Sapient. He is currently pursuing a PhD
at Thapar Institute of Engg & Technology under Dr. Maninder Singh. He has published
several articles in national and international magazines. He is the author of Python
Penetration Testing Essentials, Python: Penetration Testing for Developers, and Learn Python in 7
Days, also by Packt. His username is mohitrajcs on gmail.


About the reviewers


Sanjeev Jaiswal is a computer graduate from CUSAT with 9 years of industrial experience.
He uses Perl, Python, AWS, and GNU/Linux for his day-to-day activities. He's currently
working on projects involving penetration testing, source code review, security design, and
implementations in AWS and Cloud security projects.

He is learning DevSecOps and security automation currently as well. Sanjeev loves
teaching engineering students and IT professionals. He has been teaching for the past 8
years in his leisure time. He founded Alien Coders and Cybercloud Guru as well.

My special thanks to my wife, Shalini Jaiswal, for her unconditional support, and my
friends Ranjan, Ritesh, Mickey, Vivek, Hari, Sujay, Shankar, and Santosh for their care
and support all the time.

Rejah Rehim is currently the Director and Chief Information Security Officer (CISO) of
Appfabs. Previously holding the title of Security Architect at FAYA India, he is a long-time
preacher of open source and steady contributor to the Mozilla Foundation. He has
successfully created the world's first security testing browser bundle, PenQ, an open
source Linux-based penetration testing browser bundle preconfigured with tools
for security testing. He is also an active member of OWASP and the chapter
leader of OWASP Kerala. Additionally, Rejah also holds the title of commander at
Cyberdome, an initiative of the Kerala Police Department.

Packt is searching for authors like you


If you're interested in becoming an author for Packt, please visit authors.packtpub.com
and apply today. We have worked with thousands of developers and tech professionals,
just like you, to help them share their insight with the global tech community. You can
make a general application, apply for a specific hot topic that we are recruiting an author
for, or submit your own idea.


Table of Contents
Preface
Chapter 1: Python with Penetration Testing and Networking
Introducing the scope of pentesting
The need for pentesting
Components to be tested
Qualities of a good pentester
Defining the scope of pentesting
Approaches to pentesting
Introducing Python scripting
Understanding the tests and tools you'll need
Learning the common testing platforms with Python
Network sockets
Server socket methods
Client socket methods
General socket methods
Moving on to the practical
Socket exceptions
Useful socket methods
Summary
Chapter 2: Scanning Pentesting
How to check live systems in a network and the concept of a live system
Ping sweep
The TCP scan concept and its implementation using a Python script
How to create an efficient IP scanner in Windows
How to create an efficient IP scanner in Linux
The concept of the Linux-based IP scanner
nmap with Python
What are the services running on the target machine?
The concept of a port scanner
How to create an efficient port scanner
Summary
Chapter 3: Sniffing and Penetration Testing
Introducing a network sniffer
Passive sniffing
Active sniffing
Implementing a network sniffer using Python
Format characters
Learning about packet crafting
Introducing ARP spoofing and implementing it using Python
The ARP request
The ARP reply
The ARP cache
Testing the security system using custom packet crafting
A half-open scan
The FIN scan
ACK flag scanning
Summary
Chapter 4: Network Attacks and Prevention
Technical requirements
DHCP starvation attack
The MAC flooding attack
How the switch uses the CAM tables
The MAC flood logic
Gateway disassociation by RAW socket
Torrent detection
Running the program in hidden mode
Summary
Chapter 5: Wireless Pentesting
Introduction to 802.11 frames
Wireless SSID finding and wireless traffic analysis with Python
Detecting clients of an AP
Wireless hidden SSID scanner
Wireless attacks
The deauthentication (deauth) attack
Detecting the deauth attack
Summary
Chapter 6: Honeypot – Building Traps for Attackers
Technical requirements
Fake ARP reply
Fake ping reply
Fake port-scanning reply
Fake OS-signature reply to nmap
Fake web server reply
Summary
Chapter 7: Foot Printing a Web Server and a Web Application
The concept of foot printing a web server
Introducing information gathering
Checking the HTTP header
Information gathering of a website from whois.domaintools.com
Email address gathering from a web page
Banner grabbing of a website
Hardening of a web server
Summary
Chapter 8: Client-Side and DDoS Attacks
Introducing client-side validation
Tampering with the client-side parameter with Python
Effects of parameter tampering on business
Introducing DoS and DDoS
Single IP, single ports
Single IP, multiple port
Multiple IP, multiple ports
Detection of DDoS
Summary
Chapter 9: Pentesting SQL and XSS
Introducing the SQL injection attack
Types of SQL injections
Simple SQL injection
Blind SQL injection
Understanding the SQL injection attack by a Python script
Learning about cross-site scripting
Persistent or stored XSS
Nonpersistent or reflected XSS
Summary
Other Books You May Enjoy
Index

Preface
This book is a practical guide that shows you the advantages of using Python for
pentesting, with the help of detailed code examples. This book starts by exploring the
basics of networking with Python and then proceeds to network and wireless pentesting,
including information gathering and attacking. You will learn how to build honeypot traps.
Later on, we delve into hacking the application layer, where we start by gathering
information from a website, and then eventually move on to concepts related to website
hacking, such as parameter tampering, DDOS, XSS, and SQL injection.

Who this book is for


If you are a Python programmer, a security researcher, or a network admin who has basic
knowledge of Python programming and wants to learn about penetration testing with the
help of Python, this book is ideal for you. Even if you are new to the field of ethical hacking,
this book can help you find the vulnerabilities in your system so that you are ready to
tackle any kind of attack or intrusion.

What this book covers


Chapter 1, Python with Penetration Testing and Networking, goes through the prerequisites of
the following chapters. This chapter also discusses the socket and its methods. The server
socket's method defines how to create a simple server.

Chapter 2, Scanning Pentesting, covers how to perform network scanning to gather
information on a network, host, and the services that are running on the hosts. You will see
a very fast and efficient IP scanner.

Chapter 3, Sniffing and Penetration Testing, teaches how to perform active sniffing and how
to create a Transport layer sniffer. You will learn special kinds of scanning.

Chapter 4, Network Attacks and Prevention, outlines different types of network attacks, such
as DHCP starvation and switch MAC flooding. You will learn how to detect a torrent on the
client side.

Chapter 5, Wireless Pentesting, goes through wireless frames and explains how to obtain
information such as SSID, BSSID, and the channel number from a wireless frame using a
Python script. You will also learn how to perform pentesting attacks on the AP.

Chapter 6, Honeypot – Building Traps for Attackers, focuses on how to build a trap for
attackers. You will learn how to build code from TCP layer 2 to TCP layer 4.

Chapter 7, Foot Printing a Web Server and a Web Application, dives into the importance of a
web server signature, email gathering, and why knowing the server signature is the first
step in hacking.

Chapter 8, Client-Side and DDoS Attacks, explores client-side validation and how to bypass
client-side validation. This chapter covers the implementation of four types of DDoS attacks.

Chapter 9, Pentesting SQL and XSS, discusses two major web attacks: SQL injection and
XSS. In SQL injection, you will learn how to find the admin login page using a Python
script.

To get the most out of this book


To understand this book, the reader must have knowledge of networking
fundamentals, basic knowledge of the Linux OS, and good knowledge of information security and
core Python.

To perform the experiments or run the code, the reader can use a virtual machine
(VMware, VirtualBox). For wireless pentesting, readers can use a TP-Link TL-WN722N
wireless card, because the TL-WN722N supports Kali Linux in VMware.

Download the example code files


You can download the example code files for this book from your account at
www.packtpub.com. If you purchased this book elsewhere, you can visit
www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

1. Log in or register at www.packtpub.com.
2. Select the SUPPORT tab.
3. Click on Code Downloads & Errata.
4. Enter the name of the book in the Search box and follow the onscreen
instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the
latest version of:

WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at
https://github.com/PacktPublishing/Python-Penetration-Testing-Essentials-Second-Edition. In case
there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available
at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this
book. You can download it here:
http://www.packtpub.com/sites/default/files/downloads/PythonPenetrationTestingEssentialsSecondEdition_ColorImages.pdf.

Code in Action
Visit the following link to check out videos of the code being run:
https://goo.gl/sBHVND

Conventions used
There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames,
file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an
example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in
your system."

A block of code is set as follows:

import os
response = os.popen('ping -n ...')
for line in response.readlines():
    print line

When we wish to draw your attention to a particular part of a code block, the relevant lines
or items are set in bold:

s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x...))

Any command-line input or output is written as follows:


python setup.py install

Bold: Indicates a new term, an important word, or words that you see onscreen. For
example, words in menus or dialog boxes appear in the text like this. Here is an example:
"Select System info from the Administration panel."

Warnings or important notes appear like this.

Tips and tricks appear like this.


Get in touch
Feedback from our readers is always welcome.

General feedback: Email feedback@packtpub.com and mention the book title in the
subject of your message. If you have questions about any aspect of this book, please email
us at questions@packtpub.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes
do happen. If you have found a mistake in this book, we would be grateful if you would
report this to us. Please visit www.packtpub.com/submit-errata, selecting your book,
clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we
would be grateful if you would provide us with the location address or website name.
Please contact us at copyright@packtpub.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in
and you are interested in either writing or contributing to a book, please visit
authors.packtpub.com.

Reviews
Please leave a review. Once you have read and used this book, why not leave a review on
the site that you purchased it from? Potential readers can then see and use your unbiased
opinion to make purchase decisions, we at Packt can understand what you think about our
products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.


1
Python with Penetration Testing
and Networking
Penetration (pen) tester and hacker are similar terms. The difference is that penetration
testers work for an organization to prevent hacking attempts, while hackers hack for
purposes such as fame, selling vulnerabilities for money, or exploiting a vulnerability out of
personal enmity.

Lots of well-trained hackers have got jobs in the information security field by hacking into a
system and then informing the victim of their security bug(s) so that they might be fixed.

A hacker is called a penetration tester when they work for an organization or company to
secure its system. A pentester performs hacking attempts to break into the network after
getting legal approval from the client and then presents a report of their findings. To
become an expert in pentesting, a person should have a deep knowledge of the concepts of
their technology. In this chapter, we will cover the following topics:

The scope of pentesting


The need for pentesting
Components to be tested
Qualities of a good pentester
Approaches to pentesting
Understanding the tests and tools you'll need
Network sockets
Server socket methods
Client socket methods
General socket methods
Practical examples of sockets
Socket exceptions
Useful socket methods


Python with Penetration Testing and Networking Chapter 1

Introducing the scope of pentesting


In simple words, penetration testing is used to test the information security measures of a
company. Information security measures entail a company's network, database, website,
public-facing servers, security policies, and everything else specified by the client. At the
end of the day, a pentester must present a detailed report of their findings such as
weaknesses, vulnerabilities in the company's infrastructure, and the risk level of particular
vulnerabilities, and provide solutions if possible.

The need for pentesting


There are several points that describe the significance of pentesting:

Pentesting identifies the threats that might expose the confidentiality of an organization
Expert pentesting provides assurance to the organization with a complete and detailed assessment of organizational security
Pentesting assesses the network's efficiency by producing a huge amount of traffic and scrutinizes the security of devices such as firewalls, routers, and switches
Changing or upgrading the existing infrastructure of software, hardware, or network design might lead to vulnerabilities that can be detected by pentesting
In today's world, potential threats are increasing significantly; pentesting is a proactive exercise to minimize the chances of being exploited
Pentesting verifies whether suitable security policies are being followed

Consider the example of a well-reputed e-commerce company that makes money from an
online business. A hacker or a group of black hat hackers find a vulnerability in the
company's website and hack it. The amount of loss the company will have to bear will be
tremendous.


Components to be tested
An organization should conduct a risk assessment operation before pentesting; this will
help identify the main threats such as misconfiguration or vulnerability in:

Routers, switches, or gateways
Public-facing systems; websites, DMZ, email servers, and remote systems
DNS, firewalls, proxy servers, FTP, and web servers

Testing should be performed on all hardware and software components of a network
security system.

Qualities of a good pentester


The following points describe the qualities of a good pentester. They should:

Choose a suitable set of tests and tools that balance cost and benefits
Follow suitable procedures with proper planning and documentation
Establish the scope for each penetration test, such as objectives, limitations, and
the justification of procedures
Be ready to show how to exploit the vulnerabilities that they find
State the potential risks and findings clearly in the final report and provide
methods to mitigate the risk(s) if possible
Keep themselves updated at all times because technology is advancing rapidly

A pentester tests the network using manual techniques or the relevant tools. There are lots
of tools available on the market. Some of them are open source and some of them are highly
expensive. With the help of programming, a programmer can make his/her own tools. By
creating your own tools, you can clarify your understanding of the concepts and also perform
more R&D. If you are interested in pentesting and want to make your own tools, then the Python
programming language is the best, since extensive and freely available pentesting packages
are available in Python, in addition to its ease of programming. This simplicity, along with
third-party libraries such as scapy and mechanize, reduces the code size. In Python, to
make a program, you don't need to define big classes as you do in Java. It's more productive to
write code in Python than in C, and high-level libraries are easily available for virtually any
imaginable task.

If you know some programming in Python and are interested in pentesting, this book is
perfect for you.


Defining the scope of pentesting


Before we get into pentesting, the scope of pentesting should be defined. The following
points should be taken into account while defining the scope:

You should develop the scope of the project by consulting with the client. For
example, if Bob (the client) wants to test the entire network infrastructure of the
organization, then pentester Alice would define the scope of pentesting by taking
this network into account. Alice will consult Bob on whether any sensitive or
restricted areas should be included or not.
You should take into account time, people, and money.
You should profile the test boundaries on the basis of an agreement signed by the
pentester and the client.
Changes in business practice might affect the scope. For example, the addition of
a subnet, new system component installations, the addition or modification of a
web server, and so on, might change the scope of pentesting.

The scope of pentesting is defined in two types of tests:

A non-destructive test: This test is limited to finding and carrying out the tests without any potential risks. It performs the following actions:
    Scans and identifies the remote system for potential vulnerabilities
    Investigates and verifies the findings
    Maps the vulnerabilities with proper exploits
    Exploits the remote system with proper care to avoid disruption
    Provides a proof of concept
    Does not attempt a Denial-of-Service (DoS) attack
A destructive test: This test can produce risks. It performs the following actions:
    Attempts a DoS attack and a buffer overflow attack, which have the potential to bring down the system

Approaches to pentesting
There are three types of approaches to pentesting:

Black-box pentesting follows a non-deterministic approach of testing:
    You will be given just a company name
    It is like hacking with the knowledge of an outside attacker
    You do not need any prior knowledge of the system
    It is time-consuming
White-box pentesting follows a deterministic approach to testing:
    You will be given complete knowledge of the infrastructure that needs to be tested
    This is like working as a malicious employee who has ample knowledge of the company's infrastructure
    You will be provided information on the company's infrastructure, network type, company's policies, do's and don'ts, the IP address, and the IPS/IDS firewall
Gray-box pentesting follows a hybrid approach of black-box and white-box testing:
    The tester usually has limited information on the target network/system that is provided by the client to lower the costs and decrease trial and error on the part of the pentester
    It performs the security assessment and testing internally

Introducing Python scripting


Before you start reading this book, you should know the basics of Python programming,
such as the basic syntax, variable types, data types such as tuple, list, and dictionary, functions,
strings, and methods. Two versions, 3.4 and 2.7.8, are available at python.org/downloads/.

In this book, all experiments and demonstrations have been done in Python version 2.7.8. If
you use Linux OSes such as Kali or BackTrack, then there will be no issue, because many
programs, such as wireless sniffing, do not work on the Windows platform. Kali Linux also
uses the 2.7 version. If you love to work on Red Hat or CentOS, then this version is suitable
for you.

Most hackers choose this profession because they don't want to do programming. They
want to use tools. However, without programming, a hacker cannot enhance his/her skills.
Each and every time, they have to search for the tools over the internet. Believe me, after
seeing its simplicity, you will love this language.


Understanding the tests and tools you'll need
As you have seen, this book is divided into nine chapters. To conduct scanning and sniffing
pentesting, you will need a small network of attached devices. If you don't have a lab, you
can make virtual machines on your computer. For wireless traffic analysis, you should have
a wireless network. To conduct a web attack, you will need an Apache server running on
the Linux platform. It is a good idea to use CentOS or Red Hat Version 5 or 6 for the web
server because this contains the RPM of Apache and PHP. For the Python script, we will
use the Wireshark tool, which is open source and can be run on Windows as well as Linux
platforms.

Learning the common testing platforms with Python
You will now perform some pentesting; I hope you are well acquainted with networking
fundamentals such as IP addresses, classful subnetting, classless subnetting, the meaning of
ports, network addresses, and broadcast addresses. A pentester must be knowledgeable in
networking fundamentals as well as in at least one operating system; if you are thinking of
using Linux, then you are on the right track. In this book, we will execute our programs on
Windows as well as Linux. In this book, Windows, CentOS, and Kali Linux will be used.

A hacker always loves to work on a Linux system, since it is free and open source. Kali
Linux marks the rebirth of BackTrack and is like an arsenal of hacking tools. Kali Linux
NetHunter is the first open-source Android penetration testing platform for Nexus devices.
Some tools work on both Linux and Windows, but on Windows, you have to
install those tools. I expect you to have knowledge of Linux. Now, it's time to work with
networking on Python.

Network sockets
A network socket address contains an IP address and port number. In a very simple way, a
socket is a way to talk to other computers. By means of a socket, a process can communicate
with another process over the network.


In order to create a socket, use the socket.socket() function that is available in the socket
module. The general syntax of a socket function is as follows:
s = socket.socket(socket_family, socket_type, protocol=0)

Here is the description of the parameters:

socket_family: socket.AF_INET, PF_PACKET

AF_INET is the address family for IPv4. PF_PACKET operates at the device driver layer. The
pcap library for Linux uses PF_PACKET. You will see more details on PF_PACKET in the
chapter Sniffing and Penetration Testing. These arguments represent the address families
and the protocol of the transport layer:
socket_type: socket.SOCK_DGRAM, socket.SOCK_RAW, socket.SOCK_STREAM

The socket.SOCK_DGRAM argument depicts that UDP is unreliable and connectionless, and
socket.SOCK_STREAM depicts that TCP is reliable and a two-way, connection-based
service. We will discuss socket.SOCK_RAW in the chapter Sniffing and Penetration Testing:
protocol

Generally, we leave this argument; it takes 0 if it's not specified. We will see the use of this
argument in the chapter Sniffing and Penetration Testing.

Server socket methods


In a client-server architecture, there is one centralized server that provides service, and
many clients request and receive service from the centralized server. Here are some
methods you need to know:

socket.bind(address): This method is used to connect the address (IP
address, port number) to the socket. The socket must be open before connecting
to the address.
socket.listen(q): This method starts the TCP listener. The q argument
defines the maximum number of lined-up connections.
socket.accept(): The use of this method is to accept the connection from the
client. Before using this method, the socket.bind(address) and
socket.listen(q) methods must be used. The socket.accept() method
returns two values, client_socket and address, where client_socket is a
new socket object used to send and receive data over the connection, and
address is the address of the client. You will see examples of this later.

Client socket methods


The only method dedicated to the client is the following:

socket.connect(address): This method connects the client to the server. The
address argument is the address of the server.

General socket methods


The general socket methods are as follows:

socket.recv(bufsize): This method receives a TCP message from the socket.
The bufsize argument defines the maximum data it can receive at any one time.
socket.recvfrom(bufsize): This method receives data from the socket. The
method returns a pair of values, the first value gives the received data, and the
second value gives the address of the socket sending the data.
socket.recv_into(buffer): This method receives data less than or equal to
buffer. The buffer parameter is created by the bytearray() method. We will
discuss this in an example later.
socket.recvfrom_into(buffer): This method obtains data from the socket
and writes it into the buffer. The return value is a pair (nbytes, address), where
nbytes is the number of bytes received, and the address is the address of the
socket sending the data.

Be careful while using the socket.recvfrom_into(buffer) method
in older versions of Python. A buffer overflow vulnerability has been found
in this method. The name of this vulnerability is CVE-2014-1912, and it
was published on February 27, 2014. Buffer overflow in the
socket.recvfrom_into function in Modules/socketmodule.c in
Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1, allows
remote attackers to execute arbitrary code via a crafted string.

socket.send(bytes): This method is used to send data to the socket. Before
sending the data, ensure that the socket is connected to a remote machine. It
returns the number of bytes sent.
socket.sendto(data, address): This method is used to send data to the
socket. Generally, we use this method in UDP. UDP is a connectionless protocol;
therefore, the socket should not be connected to a remote machine, and the
address argument specifies the address of the remote machine. The returned
value tells us the number of bytes sent.
socket.sendall(data): As the name implies, this method sends all data to the
socket. Before sending the data, ensure that the socket is connected to a remote
machine. This method ceaselessly transfers data until an error is seen. If an error
is seen, an exception will be raised, and socket.close() will close the socket.

Now, it is time for the practical; no more mundane theory.

Moving on to the practical


First, we will make a server-side program that offers a connection to the client and sends a
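message to the client. Run server1.py:
import socket
host = "SERVER_IP"  # Server address (placeholder: set this to the server's IP)
port = 12345  # Port of server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))  # bind server
s.listen(1)  # maximum number of queued connections (placeholder value)
conn, addr = s.accept()
print addr, "Now Connected"
conn.send("Thank you for connecting")
conn.close()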

The preceding code is very simple; it is minimal code on the server side.


First, import the socket module and define the host and port number; host is the
server's IP address. socket.AF_INET defines the IPv4 protocol's family.
socket.SOCK_STREAM defines the TCP connection. The s.bind((host, port)) statement
takes only one argument. It binds the socket to the host and port number. The
s.listen() statement listens to the connection and waits for the client. The conn, addr =
s.accept() statement returns two values: conn and addr. The conn socket is the client
socket, as we discussed earlier. The conn.send() function sends the message to the client.
Finally, conn.close() closes the socket. From the following examples and screenshot, you
will understand conn better.

This is the output of the server1.py program:


G:PythonNetworking>python server1.py

Now, the server is in the listening mode and is waiting for the client.

Let's see the client-side code. Run the client program:

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "SERVER_IP"  # server address (placeholder: set this to the server's IP)
port = 12345  # server port
s.connect((host, port))
print s.recv(1024)  # maximum bytes to read (placeholder value)
s.send("Hello Server")
s.close()

In the preceding code, there are two new methods, s.connect((host, port)), which
connects the client to the server, and s.recv(), which receives the strings sent by the
server.

The output of the client program and the response of the server is shown in the following
screenshot:


The preceding screenshot of the output shows that the server accepted the connection from
the client. Don't get confused by the port number shown there; it is the random port of the client.
When the server sends a message to the client, it uses the conn socket, as mentioned earlier,
and this conn socket contains the client IP address and port number.

The following diagram shows how the client accepts a connection from the server. The
server is in listening mode, and the client connects to the server. When you run the server
and client program again, the random port gets changed. For the client, the server
port, 12345, is the destination port, and for the server, the client random port, 1789, is the
destination port:

TCP communication

You can extend the functionality of the server using the while loop, as shown in the
following program. Run the server program:
import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)  # placeholder value
while True:
    conn, addr = s.accept()
    print addr, "Now Connected"
    conn.send("Thank you for connecting")
    conn.close()

The preceding code is the same as the previous one, except the infinite while loop has been
added.

Run the server program, and from the client, run the client program.

The output of the server program is shown here:

One server can give service to many clients. The while loop keeps the server program alive
and does not allow the code to end. You can set a connection limit to the while loop; for
example, test a counter i in the while condition and increment i with each connection.


Before proceeding to the next example, the concept of bytearray should be understood.
The bytearray array is a mutable sequence of unsigned integers in the range of 0 to 255.
You can delete, insert, or replace arbitrary values or slices. The bytearray array's objects
can be created by calling the built-in bytearray().

The general syntax of bytearray is as follows:

bytearray([source[, encoding[, errors]]])

Let's illustrate this with an example:

>>> m = bytearray("Mohit Mohit")
>>> m[0]
77
>>> m[1]
111
>>> m[:5] = "Hello"
>>> m
bytearray(b'Hello Mohit')

This is an example of slicing the bytearray.

Now, let's look at the split operation on bytearray():

>>> m = bytearray("Hello Mohit")
>>> m
bytearray(b'Hello Mohit')
>>> m.split()
[bytearray(b'Hello'), bytearray(b'Mohit')]

The following is the append operation on bytearray():

>>> m.append(33)  # 33 is the byte value of '!' (illustrative value)
>>> m
bytearray(b'Hello Mohit!')

The next example is of s.recv_into(buff). In this example, we will use bytearray() to
create a buffer to store data.

First, run the server-side code. Run the server program:

import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)  # placeholder value
conn, addr = s.accept()
print "connected by", addr
conn.send("Thanks")
conn.close()

The preceding program is the same as the previous one. In this program, the server sends
Thanks; six characters.

Let's run the client-side program. Run the client program:

import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
buf = bytearray("-" * 30)  # buffer created (fill character and size are placeholder values)
print "Number of Bytes", s.recv_into(buf)
print buf
s.close()

In the preceding program, a buf parameter is created using bytearray(). The
s.recv_into(buf) statement gives us the number of bytes received. The buf parameter
gives us the string received.

The output of the client and server programs is shown in the following screenshot:


Our client program successfully received 6 bytes of the string, Thanks. You must have an
idea of bytearray by now. I hope you will remember it.
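The server and client exchange and the recv_into() call described above can be run in one process on the loopback interface. This is an added example, not code from the book: it is written for Python 3 (the chapter's listings are Python 2.7), and the names serve_once, fill_buffer and run_exchange, the loopback address and the OS-chosen port are assumptions of the example. The length check in fill_buffer is the kind of check whose absence in recvfrom_into() was CVE-2014-1912.

```python
import socket
import threading

HOST = "127.0.0.1"   # loopback only (assumption of this example)
MESSAGE = b"Thanks"  # the same six-byte message the server in the text sends


def serve_once(listener, seen):
    """Accept one client, record its address, send MESSAGE and close."""
    conn, addr = listener.accept()   # conn is a new socket for this client
    with conn:
        seen["client_addr"] = addr   # (client IP, random client port)
        conn.sendall(MESSAGE)


def fill_buffer(sock, buf, nbytes):
    """Read up to nbytes from sock into buf with recv_into().

    A request larger than the buffer is refused before any data is read.
    Fixed Python versions make the same check inside recvfrom_into().
    """
    if nbytes > len(buf):
        raise ValueError("nbytes is greater than the length of the buffer")
    view = memoryview(buf)
    total = 0
    while total < nbytes:
        got = sock.recv_into(view[total:nbytes])
        if got == 0:                 # peer closed the connection
            break
        total += got
    return total


def run_exchange(bufsize=30):
    """Run one exchange on loopback and return what each side observed."""
    seen = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((HOST, 0))     # port 0: the OS picks a free port
        listener.listen(1)
        listener.settimeout(5)
        server_port = listener.getsockname()[1]
        worker = threading.Thread(target=serve_once, args=(listener, seen))
        worker.start()

        buf = bytearray(bufsize)     # zero-filled, mutable buffer
        with socket.create_connection((HOST, server_port), timeout=5) as client:
            client_port = client.getsockname()[1]
            nbytes = fill_buffer(client, buf, len(buf))
        worker.join()
    return {
        "nbytes": nbytes,
        "data": bytes(buf[:nbytes]),
        "client_port": client_port,
        "server_saw_port": seen["client_addr"][1],
        "server_port": server_port,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The port the server reports in addr is the client's random source port, which is why it changes on every run while the server port stays fixed.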

This time, I will create a UDP socket.

Run the UDP server program, and we will discuss the code line by line:

import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind((host, port))
data, addr = s.recvfrom(1024)  # maximum bytes to read (placeholder value)
print "received from", addr
print "obtained", data
s.close()

socket.SOCK_DGRAM creates a UDP socket, and data, addr = s.recvfrom()
returns two things, the first is the data and the second is the address of the source.

Now, see the client-side preparations. Run the UDP client program:

import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
print s.sendto("hello all", (host, port))
s.close()

Here, I used the UDP socket and the s.sendto() method, as you can see in the definition
of socket.sendto(). You will know that UDP is a connectionless protocol, so there is no
need to establish a connection here.


The following screenshot shows the output of the UDP server program and the
UDP client program:

The server program successfully received data.

Let's assume that a server is running and that no client starts a connection; the
server will keep listening. To avoid this situation, use
socket.settimeout(value).

Generally, we give a value as an integer; if I give 5 as the value, this would mean wait for
five seconds. If the operation doesn't complete within five seconds, then a timeout
exception would be raised. You can also provide a non-negative float value.

For example, let's look at the following code:

import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind((host, port))
s.settimeout(5)
data, addr = s.recvfrom(1024)  # maximum bytes to read (placeholder value)
print "received from", addr
print "obtained", data
s.close()

I added one extra line, that is, s.settimeout(5). The program waits for five seconds; only
after that will it give us an error message. Run the program.


The output is shown in the following screenshot:

The program shows an error; however, it does not look good if it gives an error message.
The program should handle the exceptions.

Socket exceptions
In order to handle exceptions, we'll use the try and except blocks. The following example
will tell you how to handle the exceptions. Run the following program:
import socket
host = "SERVER_IP"  # placeholder: set this to the server's IP
port = 12345
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    s.bind((host, port))
    s.settimeout(5)
    data, addr = s.recvfrom(1024)  # maximum bytes to read (placeholder value)
    print "received from", addr
    print "obtained", data
    s.close()
except socket.timeout:
    print "Client not connected"
    s.close()

The output is shown in the following screenshot:


In the try block, I put my code, and from the except block, a customized message is printed
if any exception occurs.

Different types of exceptions are defined in Python's socket library for different errors.
These exceptions are described here:

exception socket.herror: This block catches the address-related error.
exception socket.timeout: This block catches the exception when a timeout
on a socket occurs, which has been enabled by settimeout(). In the previous
example, you can see that we used socket.timeout.
exception socket.gaierror: This block catches any exception that is raised
due to getaddrinfo() and getnameinfo().
exception socket.error: This block catches any socket-related errors. If you
are not sure about any exception, you could use this. In other words, you can say
that it is a generic block and can catch any type of exception.
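The UDP exchange, the timeout and the exception types listed above can be exercised together on the loopback interface. This is an added example, not code from the book: it is written for Python 3, and the names wait_for_datagram, classify and demo, the loopback address, the timeout values and the host name host.invalid are assumptions of the example. It also shows why the specific socket.timeout clause has to come before the generic socket.error clause.

```python
import socket

HOST = "127.0.0.1"  # loopback only (assumption of this example)


def wait_for_datagram(sock, seconds):
    """Wait up to `seconds` for one datagram; return (data, addr) or None.

    socket.timeout is a subclass of socket.error, so a generic
    `except socket.error` placed first would swallow the timeout as well.
    """
    sock.settimeout(seconds)
    try:
        return sock.recvfrom(1024)
    except socket.timeout:
        return None


def classify(exc):
    """Name a caught exception using the categories from the list above."""
    # Most specific classes first; socket.error is the catch-all.
    if isinstance(exc, socket.timeout):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "gaierror"
    if isinstance(exc, socket.herror):
        return "herror"
    if isinstance(exc, socket.error):
        return "error"
    return "not a socket exception"


def demo():
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind((HOST, 0))          # port 0: the OS picks a free port
        port = server.getsockname()[1]

        # 1) Nobody sends anything: recvfrom() gives up after the timeout.
        results["silent"] = wait_for_datagram(server, 0.2)

        # 2) A client sends one datagram without connecting first.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            results["sent"] = client.sendto(b"hello all", (HOST, port))
            client_port = client.getsockname()[1]
        data, addr = wait_for_datagram(server, 2)
        results["data"] = data
        results["from_client"] = (addr[1] == client_port)

        # 3) A second bind to the same port fails with a generic socket error.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as dup:
            try:
                dup.bind((HOST, port))
                results["dup"] = "bound"
            except socket.error as exc:
                results["dup"] = classify(exc)

    # 4) A failed lookup raises gaierror. AI_NUMERICHOST keeps this offline:
    #    the name is rejected locally and no DNS query is sent.
    try:
        socket.getaddrinfo("host.invalid", "http", flags=socket.AI_NUMERICHOST)
        results["resolve"] = "resolved"
    except socket.error as exc:
        results["resolve"] = classify(exc)
    return results


if __name__ == "__main__":
    print(demo())
```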

Downloading the example code

You can download the example code files from your account at
http://www.packtpub.com for all of the Packt Publishing books you have
purchased. If you purchased this book elsewhere, you can visit
http://www.packtpub.com/support and register to have the files emailed directly
to you.

Useful socket methods


So far, you have gained knowledge of socket and client-server architecture. At this level,
you can make a small program of networks. However, the aim of this book is to test the
network and gather information. Python offers very beautiful as well as useful methods to
gather information. First, import the socket and then use these methods:

socket.gethostbyname(hostname): This method converts a hostname to the
IPv4 address format. The IPv4 address is returned in the form of a string. Here is
an example:
>>> import socket
>>> socket.gethostbyname('thapar.edu')
'220.227.15.55'
>>> socket.gethostbyname('google.com')
'173.194.126.64'


I know you are thinking about the nslookup command. Later, you will see more magic.

socket.gethostbyname_ex(name): This method converts a hostname to the
IPv4 address pattern. However, the advantage over the previous method is that
it gives all the IP addresses of the domain name. It returns a tuple (hostname,
canonical name, and IP_addrlist) where the hostname is given by us, the
canonical name is a (possibly empty) list of canonical hostnames of the server for
the same address, and IP_addrlist is a list of all of the available IP addresses of
the same hostname. Often, one domain name is hosted on many IP addresses to
balance the load of the server. Unfortunately, this method does not work for
IPv6. I hope you are well-acquainted with tuples, lists, and dictionaries. Let's
look at an example:
>>> socket.gethostbyname_ex('thapar.edu')
('thapar.edu', [], ['14.139.242.100', '220.227.15.55'])
>>> socket.gethostbyname_ex('google.com')
('google.com', [], ['173.194.36.64', '173.194.36.71', '173.194.36.73',
'173.194.36.70', '173.194.36.78', '173.194.36.66', '173.194.36.65',
'173.194.36.68', '173.194.36.69', '173.194.36.72', '173.194.36.67'])

It returns many IP addresses for a single domain name. This means that one domain such
as thapar.edu or google.com runs on multiple IPs.

socket.gethostname(): This returns the hostname of the system where the
Python interpreter is currently running:
>>> socket.gethostname()
'eXtreme'

To glean the current machine's IP address by using the socket module, you can use the
following trick using gethostbyname(gethostname()):
>>> socket.gethostbyname(socket.gethostname())
'192.168.10.1'

You know that our computer has many interfaces. If you want to know the IP address of all
of the interfaces, use the extended interface:
>>> socket.gethostbyname_ex(socket.gethostname())
('eXtreme', [], ['10.0.0.10', '192.168.10.1', '192.168.0.1'])

It returns one tuple containing three elements, the first is the machine name, the second is a
list of aliases for the hostname (empty, in this case), and the third is the list of the IP
addresses of interfaces.


socket.getfqdn([name]): This is used to find the fully qualified domain name
if it's available. The fully qualified domain name consists of a host and domain
name; for example, beta might be the hostname, and example.com might be the
domain name. The fully qualified domain name (FQDN) becomes
beta.example.com:

>>> socket.getfqdn('facebook.com')
'edge-star-shv-12-frc3.facebook.com'

In the preceding example, edge-star-shv-12-frc3 is the hostname, and facebook.com
is the domain name. In the following example, FQDN is not available for thapar.edu:
>>> socket.getfqdn('thapar.edu')
'thapar.edu'

If the name argument is blank, it returns the current machine name:

>>> socket.getfqdn()
'eXtreme'

socket.gethostbyaddr(ip_address): This is like a reverse lookup for the
name. It returns a tuple (hostname, canonical name, and IP_addrlist) where
hostname is the hostname that responds to the given ip_address, the canonical
name is a (possibly empty) list of canonical names of the same address, and
IP_addrlist is a list of IP addresses for the same network interface on the same
host:
>>> socket.gethostbyaddr('173.194.36.71')
('del01s06-in-f7.1e100.net', [], ['173.194.36.71'])
>>> socket.gethostbyaddr('119.18.50.66')
Traceback (most recent call last):
  File "<pyshell#9>", line 1, in <module>
    socket.gethostbyaddr('119.18.50.66')
herror: [Errno 11004] host not found

It shows an error in the last query because reverse DNS lookup is not present.

socket.getservbyname(servicename[, protocol_name]): This converts
any protocol name to the corresponding port number. The protocol name is
optional, either TCP or UDP. For example, the DNS service uses TCP as well as
UDP connections. If the protocol name is not given, any protocol could match:
>>> import socket
>>> socket.getservbyname('http')
80
>>> socket.getservbyname('smtp','tcp')
25


socket.getservbyport(port[, protocol_name]): This converts an internet
port number to the corresponding service name. The protocol name is optional,
either TCP or UDP:
>>> socket.getservbyport(80)
'http'
>>> socket.getservbyport(23)
'telnet'
>>> socket.getservbyport(445)
'microsoft-ds'

socket.connect_ex(address): This method returns an error indicator. If
successful, it returns 0; otherwise, it returns the errno variable. You can take
advantage of this function to scan the ports. Run the connect_ex.py program:
import socket
rmip = '127.0.0.1'  # loopback address
portlist = [23, 25, 80, 445]  # placeholder port list

for port in portlist:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    result = sock.connect_ex((rmip, port))
    print port, ":", result
    sock.close()

The output is shown in the following screenshot:

The preceding program output shows which of the listed ports are open. This is a
rudimentary port scanner. The program is using the IP address 127.0.0.1; this is a
loopback address, so it is impossible to have any connectivity issues. However, when you
have issues, perform this on another device with a large port list. This time, you will have
to use socket.settimeout(value).

socket.getaddrinfo(host, port[, family[, socktype[, proto[, flags]]]]):
This socket method converts the host and port arguments into a sequence of 5-tuples.

Let's take a look at the following example:


>>> import socket
>>> socket.getaddrinfo('www.thapar.edu', 'http')
[(2, 1, 0, '', ('220.227.15.47', 80)), (2, 1, 0, '',
('14.139.242.100', 80))]
>>>

In the output, 2 represents the family, 1 represents the socket type, 0 represents the protocol,
'' represents the canonical name, and ('220.227.15.47', 80) represents the socket
address. However, these numbers are difficult to comprehend. Open the directory of the socket.

Use the following code to find the result in a readable form:

import socket

def get_protnumber(prefix):
    # Map each constant's numeric value to its name, for example 2 -> 'AF_INET'
    return dict((getattr(socket, a), a)
                for a in dir(socket)
                if a.startswith(prefix))

proto_fam = get_protnumber('AF_')
types = get_protnumber('SOCK_')
protocols = get_protnumber('IPPROTO_')

for res in socket.getaddrinfo('www.thapar.edu', 'http'):
    family, socktype, proto, canonname, sockaddr = res
    print 'Family        :', proto_fam[family]
    print 'Type          :', types[socktype]
    print 'Protocol      :', protocols[proto]
    print 'Canonical name:', canonname
    print 'Socket address:', sockaddr


The output of the code is shown in the following screenshot:

The upper part makes a dictionary using the AF_, SOCK_, and IPPROTO_ prefixes that map
the protocol number to their names. This dictionary is formed by the list comprehension
technique.

The upper part of the code might be confusing sometimes, but we can execute the code
separately as follows:
>>> dict(( getattr(socket,n),n) for n in dir(socket) if
n.startswith('AF_'))
{0: 'AF_UNSPEC', 2: 'AF_INET', 6: 'AF_IPX', 11: 'AF_SNA', 12:
'AF_DECnet', 16: 'AF_APPLETALK', 23: 'AF_INET6', 26: 'AF_IRDA'}

Now, this is easy to understand. This code is usually used to get the protocol number:
for res in socket.getaddrinfo('www.thapar.edu', 'http'):

The preceding line of code returns the five values, as discussed in the definition. These
values are then matched with their corresponding dictionary.


Summary
From reading this chapter, you have got an understanding of networking in Python. The
aim of this chapter was to complete the prerequisites of the upcoming chapters. From the
start, you have learned the need for pentesting. Pentesting is conducted to identify threats
and vulnerabilities in an organization. What should be tested? This is specified in the
agreement; don't try to test anything that is not mentioned in the agreement. The agreement
is your get out of jail free card. A pentester should have knowledge of the latest technology,
and you should have some knowledge of Python before you start reading this book. In
order to run Python scripts, you should have a lab setup, a network of computers to test a
live system, and dummy websites running on the Apache server.

This chapter also discussed the socket and its methods. The server socket method defines
how to make a simple server. The server binds its own address and port to listen to the
connections. A client that knows the server address and port number connects to the server
to get a service. Some socket methods such as socket.recv(bufsize),
socket.recvfrom(bufsize), socket.recv_into(buffer), socket.send(bytes),
and so on are useful for the server as well as the client. You learned how to handle different
types of exceptions. In the Useful socket methods section, you got an idea of how to get the IP
address and hostname of a machine, how to glean the IP address from the domain name,
and vice versa.

In the next chapter, we will be looking at scanning pentesting, which includes IP address
scanning to detect live hosts. To carry out IP scanning, ping sweep and TCP scanning are
used. You will learn how to detect services running on a remote host using a port scanner.

2
Scanning Pentesting
Network scanning refers to a set of procedures that investigate a live host, the type of host,
open ports, and the type of services running on the host. Network scanning is a part of
intelligence gathering by virtue of which an attacker can create a profile of the target
organization.

In this chapter, we will cover the following topics:

How to check live systems
Ping sweep
TCP scanner
How to create an efficient IP scanner
Services running on the target machine
The concept of a port scanner
How to create an efficient port scanner

You should have a basic knowledge of the TCP/IP layer communication. Before proceeding
further, the concept of the protocol data unit (PDU) should be clear.

PDU is a unit of data specified in the protocol. It is the generic term for data at each layer:

For the application layer, PDU indicates data
For the transport layer, PDU indicates a segment
For the internet or the network layer, PDU indicates a packet
For the data link layer or network access layer, PDU indicates a frame
For the physical layer, that is, physical transmission, PDU indicates bits

Scanning Pentesting Chapter 2

How to check live systems in a network and the concept of a live system
A ping scan involves sending an ICMP ECHO Request to a host. If a host is live, it will
return an ICMP ECHO Reply, as shown in the following diagram:

ICMP request and reply

The operating system's ping command provides the facility to check whether the host is
live or not. Consider a situation where you have to test a full list of IP addresses. In this
situation, if you test the IP addresses one by one, it will take a lot of time and effort. In
order to handle this situation, we use ping sweep.

Ping sweep
Ping sweep is used to identify the live host from a range of IP addresses by sending the
ICMP ECHO request and the ICMP ECHO reply. From a subnet and network address, an
attacker or pentester can calculate the network range. In this section, I am going to
demonstrate how to take advantage of the ping facility of an operating system.

First, I shall write a simple and small piece of code, as follows:


import os
response = os.popen('ping -n 1 10.0.0.1')
for line in response.readlines():
    print line

In the preceding code, import os imports the OS module so that we can run an OS
command. The next line, os.popen('ping -n 1 10.0.0.1'), takes a DOS
command passed in as a string and returns a file-like object connected to the command's
standard input or output streams. The ping -n 1 10.0.0.1 command is a Windows OS
command that sends one ICMP ECHO request packet. By reading the object returned by the
os.popen() function, you can intercept the command's output. The output is stored in the
response variable. In the next line, the readlines() function is used to read the output of
a file-like object.

The output of the program is as follows:


G:Project SnakeChapter 2ip>ips.py
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=3ms TTL=64
Ping statistics for 10.0.0.1:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 3ms, Maximum = 3ms, Average = 3ms

The output shows the reply, byte, time, and TTL values, which indicate that the host is
live. Consider another output of the program for IP 10.0.0.2:
G:Project SnakeChapter 2ip>ips.py
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.16: Destination host unreachable.
Ping statistics for 10.0.0.2:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

The preceding output shows that the host is not live.

The preceding code is very important for proper functioning and is similar to the engine of
a car. In order to make it fully functional, we need to modify the code so that it is platform-
independent and produces easily readable output.

I want my code to work for a range of IP addresses:


import os
net = raw_input("Enter the Network Address ")
net1 = net.split('.')
print net1
a = '.'
net2 = net1[0] + a + net1[1] + a + net1[2] + a
print net2
st1 = int(raw_input("Enter the Starting Number "))
en1 = int(raw_input("Enter the Last Number "))

The preceding code asks for the network address of the subnet, but you can give any IP
address of the subnet. The next line, net1 = net.split('.'), splits the IP address into
four parts. The net2 = net1[0] + a + net1[1] + a + net1[2] + a statement forms the network
address. The last two lines ask for a range of IP addresses.

To make it platform-independent, use the following code:


import os
import platform
oper = platform.system()
if (oper == "Windows"):
    ping1 = "ping -n 1 "
elif (oper == "Linux"):
    ping1 = "ping -c 1 "
else:
    ping1 = "ping -c 1 "

The preceding code determines whether the code is running on Windows OS or the Linux
platform. The oper = platform.system() statement identifies the running
operating system, as the ping command is different in Windows and Linux. Windows OS
uses ping -n 1 to send one packet of the ICMP ECHO request, whereas Linux uses ping
-c 1.

Now, let's see the full code as follows:


import os
import platform
from datetime import datetime
net = raw_input("Enter the Network Address ")
net1 = net.split('.')
a = '.'
net2 = net1[0] + a + net1[1] + a + net1[2] + a
st1 = int(raw_input("Enter the Starting Number "))
en1 = int(raw_input("Enter the Last Number "))
en1 = en1 + 1
oper = platform.system()

if (oper == "Windows"):
    ping1 = "ping -n 1 "
elif (oper == "Linux"):
    ping1 = "ping -c 1 "
else:
    ping1 = "ping -c 1 "
t1 = datetime.now()
print "Scanning in Progress"
for ip in xrange(st1, en1):
    addr = net2 + str(ip)
    comm = ping1 + addr
    response = os.popen(comm)
    for line in response.readlines():
        if 'ttl' in line.lower():
            break
    if 'ttl' in line.lower():
        print addr, "--> Live"

t2 = datetime.now()
total = t2 - t1
print "scanning complete in", total

A couple of new things are in the preceding code. The for ip in xrange(st1, en1):
statement supplies the numeric values, that is, the last octet value of the IP address. Within
the for loop, the addr = net2 + str(ip) statement makes it one complete IP address, and
the comm = ping1 + addr statement makes it a full OS command, which passes to
os.popen(comm). The if 'ttl' in line.lower(): statement checks for the occurrence of
TTL in the line. If any TTL value is found in the line, then it breaks the further processing of
the line by using the break statement. The next two lines of code print the IP address as
live where TTL is found. I used datetime.now() to calculate the total time taken to scan.

The output of the ping_sweep.py program is as follows:


G:Project SnakeChapter 2ip>python ping_sweep.py
Enter the Network Address 10.0.0.1
Enter the Starting Number 1
Enter the Last Number 60
Scanning in Progress
10.0.0.1 --> Live
10.0.0.2 --> Live
10.0.0.5 --> Live
10.0.0.6 --> Live
10.0.0.7 --> Live
10.0.0.8 --> Live
10.0.0.9 --> Live
10.0.0.10 --> Live
10.0.0.11 --> Live
scanning complete in 0:02:35.230000

To scan 60 IP addresses, the program took 2 minutes 35 seconds.
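The live-host decision above depends entirely on how the ping output is read, so it is worth testing that logic on captured text without sending any packets. This is an added example, not code from the book: it is written for Python 3, the first two samples are the outputs quoted earlier in this section, the other samples are constructed, and the names parse_ping, substring_check, received_counter and sweep_report are assumptions of the example.

```python
import re

# Output quoted earlier in this section (Windows `ping -n 1` format).
WINDOWS_LIVE = """\
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=3ms TTL=64
Ping statistics for 10.0.0.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
"""
WINDOWS_UNREACHABLE = """\
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.16: Destination host unreachable.
Ping statistics for 10.0.0.2:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
"""
# Constructed sample: a router answers that the packet's TTL ran out.
WINDOWS_TTL_EXPIRED = """\
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.254: TTL expired in transit.
"""
# Constructed sample in the Linux `ping -c 1` format.
LINUX_LIVE = """\
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.412 ms
--- 10.0.0.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
"""

# A genuine echo reply names its sender and carries "ttl=<number>".
REPLY = re.compile(
    r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):?.*?\bttl=(?P<ttl>\d+)",
    re.IGNORECASE,
)


def parse_ping(target, output):
    """Return {'live': bool, 'ttl': int or None} for one captured ping run.

    The host is live only if a reply line has a TTL value and was sent by
    the address that was pinged.
    """
    for line in output.splitlines():
        m = REPLY.search(line)
        if m and m.group("src") == target:
            return {"live": True, "ttl": int(m.group("ttl"))}
    return {"live": False, "ttl": None}


def substring_check(output):
    """The chapter's test: does any line contain 'ttl'?"""
    return any("ttl" in line.lower() for line in output.splitlines())


def received_counter(output):
    """A tempting shortcut: trust the Windows 'Received = N' counter."""
    m = re.search(r"Received = (\d+)", output)
    return bool(m and int(m.group(1)) > 0)


def sweep_report(runs):
    """runs: iterable of (target, captured output); return the live targets."""
    return [target for target, out in runs if parse_ping(target, out)["live"]]


SAMPLE_RUNS = [
    ("10.0.0.1", WINDOWS_LIVE),
    ("10.0.0.2", WINDOWS_UNREACHABLE),
    ("10.0.0.3", WINDOWS_TTL_EXPIRED),
    ("10.0.0.5", LINUX_LIVE),
]

if __name__ == "__main__":
    print(sweep_report(SAMPLE_RUNS))
```

The unreachable run still reports Received = 1, and the expired-TTL line contains the letters "ttl", so both shortcuts would mark a dead address as live; matching `ttl=` from the pinged address avoids both.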


The TCP scan concept and its implementation using a Python script
Ping sweep works on the ICMP ECHO request and the ICMP ECHO reply. Many users
turn off their ICMP ECHO reply feature or use a firewall to block ICMP packets. In this
situation, your ping sweep scanner might not work. In this case, you need a TCP scan. I
hope you are familiar with the three-way handshake, as shown in the following diagram:

To establish the connection, the hosts perform a three-way handshake. The three steps in
establishing a TCP connection are as follows:

1. The client sends a segment with the SYN flag; this means the client requests the
server to start a session
2. In the form of a reply, the server sends the segment that contains the ACK and
SYN flags
3. The client responds with an ACK flag

Now, let's see the following code for a TCP scan:


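import socket
from datetime import datetime
net = raw_input("Enter the IP address ")
net1 = net.split('.')
a = '.'
net2 = net1[0] + a + net1[1] + a + net1[2] + a   # first three octets
st1 = int(raw_input("Enter the Starting Number "))
en1 = int(raw_input("Enter the Last Number "))
en1 = en1 + 1                                    # xrange() excludes its upper bound
t1 = datetime.now()
def scan(addr):
    # Set the default timeout before creating the socket; it only
    # applies to sockets created afterwards
    socket.setdefaulttimeout(1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    result = sock.connect_ex((addr, 135))        # 0 on success, errno otherwise
    sock.close()
    if result == 0:
        return 1
    else:
        return 0

def run1():
    for ip in xrange(st1, en1):
        addr = net2 + str(ip)
        if (scan(addr)):
            print addr, "is live"

run1()
t2 = datetime.now()
total = t2 - t1
print "scanning complete in ", total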

The upper part of the preceding code is the same as in the previous code. Here, we use two
functions. Firstly, the scan(addr) function uses the socket as discussed in Chapter 1,
Python with Penetration Testing and Networking. The result =
sock.connect_ex((addr,135)) statement returns an error indicator. The error indicator
is 0 if the operation succeeds, otherwise it is the value of the errno variable. Here, we used
port 135; this scanner works for the Windows system. There are some ports such as 137,
138, 139 (NetBIOS name service), and 445 (Microsoft-DS Active Directory) that are usually
open. So, for better results, you have to change the port and scan repeatedly.

The output of the iptcpscan.py program is as follows:


G:\Project Snake\Chapter 2\ip>python iptcpscan.py
Enter the IP address 10.0.0.1
Enter the Starting Number 1
Enter the Last Number 60
10.0.0.8 is live
10.0.0.11 is live
10.0.0.12 is live
10.0.0.15 is live
scanning complete in 0:00:57.415000
G:\Project Snake\Chapter 2\ip>
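
Both the ping sweep and the TCP scan above show the same pattern on the wire: one source contacting consecutive addresses on a single protocol and port within seconds. The following is an added example (not code from the book, and written for Python 3 rather than the book's Python 2) that flags that pattern in connection logs; the log format, field names, window and threshold are assumptions, and the sample log is constructed.

```python
"""Flag horizontal sweeps (one source, many destinations) in connection logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data in an assumed key=value firewall log format.

    10.0.0.50 connects to 10.0.0.1-12 on TCP/135 one second apart (the
    iptcpscan.py pattern), 10.0.0.51 sends ICMP echo to 10.0.0.1-10 (the
    ping_sweep.py pattern), and 10.0.0.20 is a normal client that keeps
    talking to the same two servers on TCP/445.
    """
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(1, 13):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.50 dst=10.0.0.{i} proto=tcp dport=135")
    for i in range(1, 11):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.51 dst=10.0.0.{i} proto=icmp dport=-")
    for i in range(30):
        ts = base + timedelta(seconds=i)
        dst = "10.0.0.8" if i % 2 else "10.0.0.11"
        lines.append(f"{ts.isoformat()} src=10.0.0.20 dst={dst} proto=tcp dport=445")
    lines.append("corrupt line without fields")
    return sorted(lines)  # equal-length ISO timestamps sort chronologically


def parse_line(line):
    """Return (time, src, dst, proto, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["src"], fields["dst"], fields["proto"], fields["dport"]
    except (ValueError, KeyError):
        return None


def detect_sweeps(lines, window=timedelta(seconds=60), threshold=8):
    """Return {(src, proto, dport): peak distinct destinations} for sweeps.

    A source is flagged when it reaches `threshold` or more distinct
    destinations on the same protocol and port inside one sliding window.
    """
    recent = defaultdict(deque)  # key -> (time, dst) events still in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the run
        ts, src, dst, proto, dport = rec
        key = (src, proto, dport)
        events = recent[key]
        events.append((ts, dst))
        while events and ts - events[0][0] > window:
            events.popleft()  # drop events that fell out of the window
        distinct = len({d for _, d in events})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


if __name__ == "__main__":
    for (src, proto, dport), peak in sorted(detect_sweeps(build_sample_log()).items()):
        print(f"{src} swept {peak} hosts over {proto}/{dport}")
```

The window and threshold should be tuned against the normal fan-out of servers such as DNS resolvers and monitoring hosts, which legitimately contact many addresses.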

The group, as this conversation went on, was moving slowly
towards the concrete walk which fronts the entire line of the main
Campion College buildings. In the meantime, Master John Rieler had
been holding spellbound nearly every lad of the Junior division with
his account of Dora’s rescue, and of Will Benton’s wrench and blow.
As the party then reached the walk, coincidently with the conclusion
of John Rieler’s exciting narrative, the small boys, detecting their
approach, spread out and, keeping at a respectful distance,
devoured with their eyes Clarence, who swam to Campion; Dora,
who lived a gypsy life four months; and, though his face had been
familiar enough, the big Prefect of the Sodality. It is only fair to state
that it was to Will Benton that they paid the most respectful
attention. He was the hero of the hour. The Rector—a most unusual
thing—was hardly considered.
Dora smiled and waved her hand.
“Three cheers for the Gypsy Queen,” yelled an enthusiast. They
were given with wild and artless energy.
“And three cheers for Strong-Arm,” piped another. The cheers
were deafening: Bedlam had broken loose.
“Let’s run,” said Will to Dora.
The child took him at his word: and the two darted along the
walk, and tripped up the steps of the middle building.
The Rector with Clarence caught up with them shortly.
“Dora,” he said, “we have no place for you here; but there’s a
nice family just north of our residence building who’ll keep you as
long as you’re with us. I’ve sent them word already, and they have
prepared a fine supper—a sort of banquet, for you and Will and
Clarence and John Rieler.”
“Did I hear my name?” asked John, just then joining the group.
“Yes, you go to the banquet, too.”
“Oh,” said John, “this whole thing is like taking candy from a
child. Say, Clarence,” he added in a whisper, “they’ve got a first-class
cook there, and I am hungry.”
“I feel that way myself,” admitted Clarence.
“I’ll wager,” said the Rector, his eyes twinkling, “that you two are
talking about the supper.”
“We just said we were hungry,” explained Rieler.
“For that matter, I’m famishing myself,” said the Prefect of the
Sodality.
“And I’m hungry, too,” added Dora.
“Very good: clear out all of you, and you boys will be back in
time for night prayers.”
And away they scampered like children—the big fellow, “Strong-
Arm,” leading in the romp.

The funeral of the faithful and well-beloved Ben was simple and
solemn, and the mourners fit though few. The Reverend Rector
himself offered up the holy sacrifice of the Mass. Very quietly the
simple cortege proceeded to the Catholic burying ground; and when
the last shovelful of earth was thrown on the coffin Dora stepped
forward and laid upon the mound the flowers such as Ben once
joyed to collect and place at the shrine of “that good woman who
was the Mother of God.”
They were scarcely outside the graveyard, when the Rector
addressed them:
“You have all had too much of tragedy these last days for your
tender years. Dora is a free agent; Clarence is simply our guest; they
have a right to a holiday. As for you, Will, I give you the day in
honor of the efficiency of your strong arm; and you, John, for saving
Clarence.”
The long faces shortened; eyes dimmed with tears grew bright. A
holiday to the school boys! What trouble, what sorrow can hold its
own against a holiday?
“I’ve secured a fine motor-boat for you——”
“I can run a motor all right,” broke in Rieler his face deeply
gashed by a smile.
“And I suggest,” continued the Rector, “Pictured Rocks and a ride
down the river.”
“Ah-h-h-h!” gurgled Dora.
“Oh-h-h-h!” cried Clarence.
“Say—say,” blurted John, “what about our breakfast? We’ve just
been to Communion, you know, all except Clarence, and he hasn’t
eaten yet.”
“There are some things, John,” observed the Rector, “that you
never forget. However, I haven’t overlooked that particular item
either. All you need do is to run down to the Prairie du Chien boat
landing. You’ll find a man there, John Durkin, the boat-owner, who’s
waiting to see that you get off with everything in good order. Then,
John, you motor over to North McGregor, and bring the party up to
Mr. Berry’s hotel. He’s heard of your wonderful adventures, and you
are his breakfast guests.”
“I took a meal there with my pa,” whispered the radiant Rieler,
“when he came up to see me last year. I’m glad I’m hungry,” he
added simply.
“I should think, John,” observed the Rector, “that you must have
that cause for rejoicing a good many times in the day. After your
breakfast, you must get together provisions enough for a good
dinner. The commissary department will be in charge of Will Benton.
Here, Will, are a few dollars for that purpose. Mr. Berry will help you
do the buying.”

“And I’ll be the cook,” said Dora, skipping about in uncontrollable
glee.
“The only thing left for me,” said Clarence with his most radiant
smile, “is to be dishwasher. I accept.”
“Hurry away now,” continued the Rector; and at the words they
were all dashing down the street, Dora in the lead.
“Last one down is a nigger,” yelled Rieler.
It should not be accounted to the discredit of that happy lad that
he did not succeed in overtaking the fleet-footed Dora. Not for
nothing had she lived for four months in the open. As a matter of
fact Dora retained her lead—owing, it may be, to the chivalry of
Clarence and Will. Nevertheless, John, despite his efforts, was the
last, of which fact all were careful to remind him till he had
succeeded in setting the motor-boat whirling off toward North
McGregor.
Of that happy morning, of the breakfast at Berry’s hotel, where
John Rieler by his execution regained the prestige he had lost in the
race, of the ride down the river, during which the hills of Iowa threw
back in multiplied echoes happy laughter and gleeful shouts, of the
ascent to the heights above Pictured Rocks, where Dora led the way
skippingly, and paused not for breath till they reached the summit;
of the lively chatter and flying jest; of the tumbles, unnecessary
most of them, as they went down; of the wonderful dinner prepared
—gypsy-wise—by Dora at the gypsy fire set going by Clarence; of
the ride down the river till they paused and surveyed the very place
where Clarence’s boat was taken in tow by “good dear Ben”—of all
these things there is a record in the unwritten book of sheer joy.
There never was a jollier, happier party on the broad bosom of the
upper Mississippi. A little joke evoked thrills of laughter; a good one,
an explosion. No pen is adequate to give an idea of how these pure,
innocent and loving hearts laughed and jested and drank deep of
the unpolluted joy of life.
They turned their boats at sunset homeward; and, as the twilight
began to creep from its hiding place in the East, Clarence begged
Dora to sing them a song of her gypsy exile.
The clear, pure voice—the sweeter, the more pathetic, doubtless,
for all Dora’s long days of suffering—rose and added its beauty to
the splendors of the dying day. Dora had just finished “Mother Dear,
O Pray for Me,” and at the request of all, was about to begin another
hymn, when Will Benton cried out:
“Look: there’s a boat making for us from Smith’s Creek. I believe
it’s the Campion.”
“So it is,” cried Rieler, keen of eye. “And Father Rector’s in it. And
——”
Suddenly a scream of joy rang from Dora’s throat.
“Oh! oh!” she cried. “It’s mama and papa!”
CHAPTER XIX
In which John Rieler fails to finish his great speech, and
Clarence is seriously frightened.

There were, as the two boats came together, shouts and joyous
cries and a quick interchange of crews. Dora was in the arms of
father and mother. Laughter and tears—the tears of strong emotion
—were intermingled with incoherent sobs. Feelings were beyond the
power of human language.
It was then, in the midst of all this, that Master John Rieler, filled
with an enthusiasm which could no longer be bottled up, mounted
the prow of the boat, of which he had that day been the happy
engineer, and raising his cap aloft, bellowed at the top of his voice:
“Three cheers for——” But John did not finish this splendid
sentence, and to this day no one knows for whom he intended the
signal honor; for, happening to wave his cap wildly with these
opening words, he lost his balance, and plumped into the water.
“Oh!” cried Mr. Benton, pulling off his coat.
“Stay where you are,” called the grinning Rector. “Don’t hurt
Rieler’s feelings. To go to his help would be less sensible than
carrying coals to Newcastle.”
John rose just then, and, shaking his locks, smiled graciously at
the crews of the two boats.
“We don’t want you,” said the Rector.
“Thank you, Father,” John made grateful answer, and once more
sank for a long, delicious dive. And thus did the youth continue to
disport himself while huggings were renewed and Babel continued
beside him.
“But, Father,” said Will Benton, “what I can’t understand is this!
Dora was lost; after two weeks her body was recovered and she was
buried in her coffin from our church.”
“You saw the coffin, Will?”
“Yes, Father.”
“But did you see Dora in it?”
“No, Father; you told us she was disfigured and bloated from
being so long in the water; and you said we were not to see her.”
“Exactly. The facts are these: On one day, fourteen bodies of the
flood victims were recovered. Very soon all were identified except
that of a girl dressed in a white dress with a blue sash. I went to
view the body, and really couldn’t make up my mind whether it was
Dora’s, or not. Everybody insisted that it must be Dora. In the
meantime, your mother was so broken-hearted by anxiety that it
looked as if she would lose her mind. It occurred to me that even
the recovery of the body and the Holy Mass over it would set her at
rest, so I took the benefit of the doubt, and allowed the corpse in
white and blue to be buried as though it were Dora’s. But mind, I
never said it was Dora. I allowed the others to do that without
contradicting them; and also my intention in having that Mass
offered was that if Dora were alive, the Mass should go to the poor
abandoned child who took her place.”
“Do you see,” said Dora, “how good our Blessed Mother is? That
little girl because she was in blue and white got a Mass and Christian
burial.”
“Hey, John Rieler,” called the Rector fifteen minutes later, “haven’t
you had enough swimming yet?”
“If it’s all the same to you, Father Rector, I’d like to swim home.”
John, while disporting in the water, had taken off his shoes and
thoughtfully aimed them at the head of the admiring and envious
Clarence.
“It isn’t all the same to me,” responded the Rector. “Here, give
me your hand. Now suppose we start.”
And as they spun homeward, Dora told her wondering parents
the tale of four months on the open road.
“And,” concluded the child, “when I think of dear Ben, who died a
saint, and of Dorcas and her children, who join the Church
tomorrow, and of Clarence who is going to join——”
“You bet I am,” Clarence broke in from the other boat.
“I can’t say that I am sorry.”
“To those who love God all things work together unto good,”
quoted Father Keenan.
“And when I recall,” said Mr. Benton catching Dora by the arms
and beaming with joy and gratitude as he looked upon her radiant
face, “how four months ago, you were pale, anaemic, and sentenced
by the doctor to death within a few months——”
“What!” gasped Will.
“Yes; sentenced to death. The doctor said the child had no sort
of constitution.”
“That doctor was loony,” said Rieler indignantly. “You ought to
see her run. Those fawns you read about in poetry books haven’t
anything on her.”
“I should say not,” added Clarence no less indignantly. “You
should have seen her skipping up Pictured Rocks Hill. She never lost
her wind, never turned a hair, and she’s as sure-footed as a
chamois.”
“All the same,” said the happy father, “the doctor was right. He
was a specialist and knew his business. He told me to keep her in
the open as much as possible; he told me so the very day before the
gypsies ran away with her. For four months she has lived the life the
doctor prescribed—and lived it, I rather think, more abundantly than
had she lived at home. Now, look at her. She is the picture of
health.”
“She’s the picture of something more than health,” whispered
Clarence into the ear of her big brother. “Do you remember those
lines of Wordsworth:
“‘And beauty born of murmuring sound
Shall pass into her face’?”
“I don’t read much poetry,” admitted Will Benton.
“Well, I’ve often thought of those lines in regard to Dora, only I
make them read:
“‘And beauty born of heavenly thought
Hath passed into her face.’
Good old Ben said she was an angel. If she isn’t she is, as the
gentlemanly druggists say, ‘something just as good.’”
“Beware of imitations,” said John Rieler.
Whereupon to the manifest discomfort of those in the boat, John
and Clarence set playfully to punching each other.
“Well,” sighed Clarence, as he jumped from the boat at the
Campion landing, “now for a quiet hour before going to bed.”
“Don’t forget supper,” said John.
“I don’t; but that is a quiet affair.”
“All the same,” continued John, “I’m going to keep near you. If
anything happens, I want to be around.”
Then came Dora with her father and mother to greet Clarence;
and the child, as she introduced him, made such comments on their
short but lovely acquaintance as caused Clarence to blush to the
roots of his hair.
“Remember, Clarence,” said Mr. Benton, “that our home is yours,
day or night, winter or summer, in any year, in any season. God sent
you to our little girl.”
“I think,” said Clarence modestly, “that it was the other way
around. God sent Dora to me. It’s made me—different. Everything I
see and hear now I see and hear from a different angle—and a
better one.”
As they walked up toward the college, Clarence, ably assisted by
the eager John Rieler, pointed out their path of progress toward
Campion on his first arrival. He was at pains to expatiate on John’s
delicacy as to introducing him personally to the Rector.
“It wasn’t so very wrong, anyhow,” said Rieler.
“Didn’t God send me to save Clarence from drowning?”
“Don’t reason that way,” remonstrated Will Benton, whose
reputation as a student of logic was not brilliant only because his
prowess on the athletic field blinded the boys to what were in their
eyes less shining qualities, “Out of evil God draws good; he took
occasion of your breaking the rule to save Clarence’s life.”
“I’m beginning,” said Clarence solemnly, “to lose all faith in the
bright-eyed goddess of adventure. As Betsy Prigg said of Sairey
Gamp’s Mrs. Harris, I don’t believe there ain’t no sich a person.”
“What are you talking about now?” asked Rieler. “Who’s Betsy
Prigg? Who’s Sairey Gamp? Who’s Mrs. Harris? The bright-eyed
goddess has gone to your head, and placed a few bats in your
belfry.”
“John Rieler,” said Clarence, “at your age you ought to be
ashamed of yourself. You ought to know your Dickens. Read Martin
Chuzzlewit, and start tonight.”
“No,” continued Clarence, “I disavow here and now, forever and
forever, the squint-eyed goddess of adventure. I thought I was in
her hands; but now I firmly believe that all along I was in the loving
hands of God.”
Father Keenan, who had preceded the party, was now seen
coming down the steps of the faculty building. He was doing his best
to carry off his Indian immobility of face, but with partial success.
“Clarence,” he cried, “come here.”
“Another adventure,” said Rieler.
Clarence turned deathly pale. Something had happened—
something serious.
“Oh, Father, what is it?” he cried running to the side of the
Rector.
CHAPTER XX
In which there is another joyful reunion, and Clarence presents
an important letter to the Rector of Campion College.

“Clarence,” said Father Keenan, “there’s good news.”
“Oh, what is it? Were their lives saved? Were they unhurt?”
“Just forty miles to the East of the accident your father received
a telegram. It seems there was some mining trouble in the
Southwest, and he was ordered to go there at once. Both your
father and mother got off at a junction and so missed the accident.”
“Oh, thank God! thank God! And when shall I see them?”
“Very soon, Clarence. On the very day you arrived here, I sent
telegrams to different cities, and had advertisements inserted in the
most prominent papers in New York, Chicago, Philadelphia,
Cleveland and Cincinnati. The ads. read something like this: Any
friends or relations of Clarence Esmond falsely reported drowned are
requested to write or call upon the President of Campion College,
Prairie du Chien, Wis.”
“Did you really do that, Father?”
“Yes, my boy,” answered the Rector, as the two went up the steps
and proceeded in the direction of the infirmary. “And it seems that in
New York a member of the firm that sent the telegram to your father
read the ad. He at once wired your parents—and—and—” the Rector
paused.
They were standing just outside the parlor, from which came the
sound of voices.
“They’re here! They’re here?” cried Clarence, and burst into the
parlor.
Father George Keenan considerately waited outside until the first
rapture of reunion should have died away; waited and thought with
gratitude to God of his part in a romance of the upper Mississippi, a
romance of childhood and innocence, and the sure, guiding hand of
Divine Providence.
The parlor door opened presently, and Clarence came out.
“Oh, Father Rector, won’t you please come in? Say, Pa, this is the
priest who fed me when I was hungry, clothed me when I was
naked, took me in when I was abandoned, and treated me as if I
was a prince in disguise. Say, Ma, look at him and thank him, if you
can. I can’t.” And Clarence blubbered.
“Father Keenan,” said Mr. Esmond with quivering lips, “if I should
think of trying to thank you, I should become absolutely dumb. I am
helpless; and to think that you should be the member of an Order
I’ve been abusing all my life.”
Mrs. Esmond, in turn, took the dismayed Father’s hand, and tried
to speak. She failed; but her eyes spoke the gratitude her tongue
could not utter.
“Don’t—don’t mention it,” said Father Keenan lamely and with a
vivid blush. “I’m happier than I can say to have done anything for as
fine and as gifted a boy as I have ever met.”
There came an awkward silence. The Rector was confused
beyond measure; Mrs. Esmond had gathered her boy to her arms,
and was fondling him as she had done when he was a little child. Mr.
Esmond was endeavoring with but ill success to master his burst of
emotion.
“Say, Pa,” cried Clarence, breaking away in excitement. “There’s
one thing I want to say right off. You said I might choose my religion
when I was fourteen. Well, I’ve chosen. I want to be a Catholic.”
“Certainly, my boy, certainly. I never thought of your joining that
Faith; but you’ll be in good company.”
“And, Father Rector, may I be baptized?”
“Of course, Clarence, since your father so kindly consents.”
“And, Father, will you do it?”
“Gladly, Clarence.”
“Good! thank you. Come on,” and Clarence seized his hat.
“But what’s your hurry, Clarence?” asked Father Keenan, laying a
detaining hand upon the eager neophyte.
“Isn’t this rather sudden, my boy?” inquired Mr. Esmond.
“It’s not at all sudden,” Clarence made answer. “I’ve been
thinking about this and preparing for this ever since I met Dora. Do
you think I want to go to bed to-night with original sin and all my
life’s wickedness on my soul when I can get it off in a few minutes?
Of course, I’m in a hurry.”
“Put your hat down, Clarence,” ordered the Rector. “But I promise
you this: you’ll be baptized and made a child of God and heir of
heaven before you go to bed tonight. And now, Mr. and Mrs.
Esmond, I want you to come out and meet Dora, who did so much
for Clarence and whom Clarence saved from the gypsies; John
Rieler, who rescued Clarence from the river; and Dora’s parents and
big brother. For the next hour, we are going to hold a symposium.
Clarence will tell his story from the time he left McGregor till he took
to the river; John Rieler will take up the theme and tell how he came
to make Clarence’s acquaintance; I, myself, will describe the boy’s
first appearance at Campion, and with the help of Will Benton will
tell the tale of our visit to the gypsy camp and rescue of Dora.”
As everybody following hard upon introduction insisted upon
talking at once, Father Keenan experienced no little difficulty in
carrying out the proposed program. It was fully an hour before the
story—the strange romance of the upper Mississippi—was clearly
unfolded to the wondering grown folks.
“I say,” urged Clarence, when the various adventures had been
adequately commented on, “isn’t it time for me to be baptized?”
“Oh,” said Dora. “Is it all arranged?”
“Yes, Dora.”
“And—and—may I be your godmother?”
“Delighted!” cried the boy. “Nothing could please me better.”
“You ought to know,” observed John Rieler, “that the Church has
erected an impediment between godmother and godson. If you
carry out that program, you two can never marry.”
“Marry!” cried Dora, “I’m not to marry. I’m to dedicate my life to
Mary.”
“Marry!” remonstrated Clarence. “Who ever thought of such a
thing? Dora and I don’t intend to discuss that subject ourselves; and
we don’t”—here he looked severely at John—“care about hearing
anyone else discuss it.”
“All right, Clarence,” said John, “if that’s the case I want to be
godfather.”
After supper, Clarence, alone, went to the boys’ chapel, where for
fifteen minutes he prayed and recalled in sorrow all the sins of his
life. Then came Dora, John, Will and the two married couples
followed by Father Keenan; and in the quiet of the evening Clarence
Esmond filled with faith and love received upon his brow the
regenerating waters of baptism and became a faithful child of the
true Church.
On the next morning the three children and Will Benton attended
the six o’clock Mass and together received Holy Communion.
Clarence frequently during that day pronounced it the happiest
day of his life.
On Sunday evening Clarence, who had passed most of the time
with his parents, entered Father Keenan’s room.
“Why, Clarence! How happy you look.”
“That’s because I’m a hypocrite, Father.”
“Surely, you haven’t come to bid me good-bye?”
“Oh, I should hope not, Father.” Here Clarence fumbled in his
pocket. “This is a letter my Pa gave me to bring to you.”
“So you were godfather for Dorcas and her children!”
“Yes, Father Rector, and Dora was godmother. Pa says it was
awful good of you to pay the expenses of Ben’s burial and to pay for
the board of Dorcas and her little ones; but he’s going to do the rest.
He has an interest in the ranch in the Southwest, and they need a
woman to feed the men and keep the house. Dorcas gets the
position.”
“Can she hold it?” asked the Rector.
“Oh, yes! Dora says that Dorcas cooks nicely and is fine at the
needle, and is very neat.”
“I hope she’ll have a chance to go to church,” continued Father
Keenan.
“There’s a church ten miles from the ranch; and the foreman is a
good Catholic. He is to bring Dorcas every Sunday.”
“Excellent,” said the Rector.
“And did you hear about Pete?” asked Clarence.
“No; how is he?”
“Pa just got word. It took him thirty-six hours to recover from the
blow that Will Benton gave him. He was unconscious all that time.”
“Let us hope and pray that God may bring him to repentance,”
said the Rector.
“The jail doctor says he’ll never do harm again. And, Father,
tomorrow Dorcas goes to Communion; then she’s coming up to bid
you good-bye, and then off she starts to her new work.”
“Thank God,” said Father Keenan. “And now, Clarence, sit down
while I read your father’s letter.”
And this is what Father Keenan read:
“My dear Father Keenan: I am trying to write what I have found
it impossible to say. To borrow the language of my little boy—who, I
believe, borrowed from the words of Christ in the New Testament—
Clarence was hungry and you fed him, naked and you clothed him,
and outcast and you took him in. He was sorrowful and you consoled
him; orphaned, and, at the sacrifice of your precious time, you took
the place of father and mother. He needed, too, someone to take
hold of his complicated situation and you by telegram, telephone,
letter and in every conceivable way unravelled the tangle within a
few hours; and in doing so brought gladness to sad and suffering
hearts; in a few hours, you effected the rescue of his dear little girl
friend; and, when we arrived, had everything in the finest condition
imaginable and everybody happy. In all this you were aided and
abetted by that little saint, Dora—the most wonderful girl I have
ever met—by John Rieler, that paragon of good-nature who saved
my boy’s life; and by that prince of young men, Strong-Arm Benton,
which quick performance at the gypsy camp will never be forgotten
by those who hear it told.
“To have my boy the intimate of Will, Dora and Rieler—the most
wonderful trio one could bring together—I esteem a rare privilege
and an honor. Their friendship is touched with youth, and purity and
faith.
“You will be glad to know, Reverend Father, that, in my opinion,
Clarence is not altogether unworthy of such splendid companions. At
Clermont School in New York, where he attended for three years, he
maintained a reputation for cleanness of speech and delicacy of
conduct, which, among the faculty, made him a marked boy. He was
the center of a group—some seven or eight in number—who had
professed and followed out lofty and lovely ideals. God, I know not
why, has been singularly good to my boy, and kept him from
dangers to morals only too common in these pagan days.
“The duty of thanking you, of showing you my gratitude, will be
with me, I trust, a life task. I can never forget how when my little
boy—a veritable Dan Cupid up to date—arrived you took him in
hand.
“His entrance into the Church pleases me more, the more I think
of it. When his mother gave up hope of ever seeing Clarence again,
it seemed for a time as though she would lose her mind. She
insisted that Clarence had been taken from her untimely because
she had not lived up to the Catholic Faith, in which, as a child, she
was baptized. It was in vain that I pointed out to her that she had
not been brought up a Catholic, that she was raised a Protestant;
that she had been in no way responsible. She would not be
consoled. Finally, with my full approbation, she promised God that
should Clarence be returned to us, she would once more embrace
the Faith of her fathers. She intends to go to confession and receive
Holy Communion before we bid an unwilling adieu to Campion. She
has already called at St. Mary’s Academy and engaged a splendid
nun there to give her a course of instructions.
“In a short time—by Christmas at the latest—I am going to join
the Church that received Ben and Dorcas with the same arms of
welcome as it receives the princes and potentates of the earth. This,
my fixed determination, is sudden; but for all that, it is none the less
firm. It came to me last night, as I watched the radiant Dora and the
reverent John holding my boy, whose face was aflame with zeal and
faith as you, Father, poured the water of baptism upon his head.
“And now, Father, I’ve been thinking much of what you did for
my boy. There must be other cases like his—cases of boys being
