1 / 28

Synergy! A world where the tools communicate

Synergy! A world where the tools communicate. Joshua “Jabra” Abraham Rapid7 LLC jabra@spl0it.org jabra@rapid7.com. AppSec 09 November 12, 2009. Purpose of this talk. Raising the bar on pentesting Build upon current tools Leverage XML to automate pentesting tasks

mahon
Download Presentation

Synergy! A world where the tools communicate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Synergy! A world where the tools communicate Joshua “Jabra” Abraham Rapid7 LLC jabra@spl0it.org jabra@rapid7.com AppSec 09 November 12, 2009

  2. Purpose of this talk • Raising the bar on pentesting • Build upon current tools • Leverage XML to automate pentesting tasks • Extract data for a correlation engine • What we are doing today • High-level overview of an improved process (COE) • Releasing several modules and Fierce v2 Beta

  3. Why should you care? • Focus on tasks that require context • More exciting • Better/Larger assessments • Reduce reporting time!! • Customer’s get better quality for less time • Raising the bar on the Industry

  4. Things to remember about Automation • Can’t automate manual review • Not all tools can be automated • Manual testing required • Context: “P!A!S!S!W!0!R!D=test” • Working towards the goals of the assessment

  5. Encourage developers to build tools with XML and APIs

  6. Flow Diagram of Tools • Fierce • Enumeration domain (company.com) • Found several hosts, the most interesting: test.company.com • Nmap • Looking for open Ports • Found an open HTTP service on 8080 • Nikto • Scan HTTP service • Found interesting directory /admin • Dirbuster • Bruteforce directory • Found /admin/secret/

  7. Programming Language Sounds like Earl, but starts with a “P” • The programming language is Perl • The following are NOT programming languages: • PERL, perl, Pearl • Cross Platform • Built for Scripting and Object Orientation • Libraries = modules • Load a module: use My::Module; • Docs • perldoc perl • perldoc My::Module

  8. Fierce (Network Reconnaissance tool) • Enumerate non-contiguous address space • Version 1.0 built by Rsnake • Version 2.0 re-written by Jabra • Techniques in version 2 • Find NS, MX records, Reverse Lookups + Wildcards • Improved Zone Transfer Testing for all DNS Servers • New method of Enumeration for • prefixes, extensions and subdomains(ask me if you are curious) • New Virtual Host detection • Improved Range enum based on subnet (PTRname) • New ARIN, ARPNIC, etc enumeration….

  9. Zone Transfer, who has that enabled?..... Ns1.secure.net Ns2.secure.net

  10. Fierce (Network Reconnaissance tool)

  11. Example Usage of the Perl Modules

  12. Setup Phase • The rest of the talk will be all code! • Loading the following modules: use Nikto::Parser; use Dirbuster::Parser; use Sslscan::Parser; use Fierce::Parser; use Burpsuite::Parser;

  13. Setup Phase • Creating parser objects: my $np = new Nikto::Parser; my $dp = new Dirbuster::Parser; my $sp = new Sslscan::Parser; my $fp = new Fierce::Parser; my $bp = new Burpsuite::Parser;

  14. Fierce::Parser my $parser = $np->parse_file(‘google.xml’); my $node = $np->get_node(‘google.com’); my $bf = $node->bruteforce; print “Prefix Bruteforce:\n”; foreach my $n ( $bf->nodes ) { print “Hostname:\t” . $n->hostname . “\n”; print “IP:\t\t” . $n->ip . “\n”; }

  15. Dirbuster::Parser my $parser = $dp->parse_file(‘dirbuster.xml’); my @results = $parser->get_all_results(); print “Directories:\n”; foreach(@results) { print “Path“ . $_->path . “\n”; print “Type“ . $_->type . “\n”; print “Response “ . $_->response_code . “\n”; }

  16. Burpsuite::Parser my $parser = $bp->parse_file(‘burpsuite.xml’); my @issues = $parser->get_all_issues(); foreach(@issues) { print $_->name . “\n”; print “Severity:“ . $_->severity . “\n\n”; print “Description:\n” . $_->issue_background . “\n”; print “Proof of Concept:\n” . $_->issue_detail . “\n”; print “Recommendation:\n”; print $_->remediation_background . “\n”; }

  17. Sslscan::Parser • Options for usage: • Parse XML output • Scan and parse XML inline

  18. Sslscan::Parser my $parser = $sp->parse_file(‘domain.xml’); my $host = $parser->get_host(‘domain.com’); my $port = $host->get_port(‘443’); foreach my $i ( grep($_->status =~ /accepted/, @{ $port->ciphers }) ) { print “sslversion “ . $i->sslversion . “\n”; print “cipher “ . $i->cipher . “\n”; print “bits “ . $i->bits . “\n”; }

  19. Nikto::Parser • Options for usage: • Scan and save XML for parsing later. • Scan and parse XML inline

  20. Nikto::Parser my $parser = $np->parse_file(‘nikto.xml’); my $h = $parser->get_host(‘127.0.0.1’); my $p = $h->get_port(’80’); print “Target is: “ . $h->ip . “:” . $p->port . “\n”; print “Banner is: “ . $p->banner . “\n\n”; foreach my $v ( @{ $p->get_all_items(); } ) { print $v->description . “\n\n”; }

  21. Summary • Extracting Data for Reporting and/or Correlation

  22. Encourage developers to build tools with XML and APIs

  23. Contact Information • Joshua “Jabra” Abraham • jabra@spl0it.org • jabra@rapid7.com • Updated slides will be online this weekend: • http://spl0it.wordpress.com • http://blog.rapid7.com • Code online! • http://trac.assembla.com/fierce • http://search.cpan.org/~jabra/ • (comments, suggestions and patches welcome!)

  24. Fierce::Parser

  25. Dirbuster::Parser

  26. Burpsuite::Parser

  27. Sslscan::Parser

  28. Nikto::Parser

More Related