77
InfoSec Hunters and Gatherers By Primal Security 1
| Date post: | 15-Jul-2015 |
| Category: |
Documents |
| Upload: | andrew-mcnicol |
| View: | 566 times |
| Download: | 1 times |
InfoSec Hunters and Gatherers
By Primal Security
1
Who Are We?
• Primal Security: www.primalsecurity.net–Blog, Podcast, Tutorials
•Our blog and tutorials documented a lot of our experience through OSCP/OSCE
2
Zack Meyers@b3armunch
• Continuous Monitoring Enthusiast• PrimalSec team member and Web
Application PentesterGET
• Any and all information I can EVER find on offensive techniques, tools and procedures.
POST• I love hot sauce and will eat small meals
periodically throughout the day aka “Zack Snacks” :)
3
Andrew McNicol@PrimalSec
• Security consultant
• Co-Founder and one of the lead authors of Primal Security blog/podcast
try:print ‘I enjoy writing error-free Python with Google and stackoverflow”
except:pass
• I spend my day abusing features in web applications - previous IR (pcap, malware)
4
Quick Outline
• Hunter/Gatherer
• Defensive Use Cases:– Slicing and dicing pcap w/tcpdump + Dshell– Staying ahead of the game
• Offensive Use Cases:– A pentest is not a scan– Pushing Past Walls– Abusing Contact Us/Feedback Features– Testing Remediation #ThinkDifferently
• Making Your Own Tools - A quick look at Python 5
We didn’t do it
• We are not lawyers and/or giving you any legal advice.
• We are not giving you permission or authorizing you in any way to do anything.
• In fact don’t do anything ever...
6
This talk• Too many people only leverage automated tool
output to perform their job function
• We plan to share some of our experience on going beyond automated tools.
• Note: We do like automated tools – This is not a talk on bashing them!
7
What is a Gatherer?
• Someone who leverages automated tools:– Find vulnerabilities with scanners
– Find interesting network traffic with an IDS
8
What is a Hunter?
• One who goes beyond automated tools to:– Find vulnerabilities missed by vulnerability scanners
– Find evil in a sea of pcap
– Writes their own tools
9
Hunter Mindset
• General Zod or John Wick mode #Focus #Confidence
10
Defensive Use Cases
11
WARNING – PCAP Ahead
12
Hunting with tcpdump
• The ability to rip through pcap using tcpdump/Bash is a very useful skill
• Profiling network activity can help you find what might be missed
• We have a whole talk just on this topic:
–www.primalsecurity.net/being-the-hunter-with-tcpdump
13
Hunting with tcpdump Cont.
• How do you deal with the output?
– BPFs and Linux Utilities
14
Hunting with tcpdump: Linux Utilities
• grep / egrep - Powerful search utilities–Useful switches -i, -v
• sort / uniq
• awk - Awesome utility, lots of functionality - I use it to prints parts of a line
–Useful switch -F
15
Hunting with tcpdump: BPFs
• Berkeley Packet Filter (BPFs) can filter for packets of interest:
– host
– net
– port
– src / dst
– Boolean logic (and, or)
– Protocol specific (tcp, udp, icmp, etc.)
16
Useful Bash 1-liner for tcpdump
• Useful 1 liner to read in multiple files at once with tcpdump:
for i in `ls *.pcap`; do <tcpdump_comm>; done
• This for loop can be useful for really any command you need to run through a loop
17
Hunting with tcpdump: DNS
• I see DNS as a treasure trove of information
• You may find me getting dragon sickness over all the gold in DNS :)
18
Hunting with tcpdump: DNS Cont.
• Summarizing DNS with tcpdump/Bash:–for i in `ls *.pcap`; do tcpdump -ttttnnr $iudp and port 53; done | grep ‘ A? ‘
19
Hunting with tcpdump: DNS Cont.
•Summarizing DNS with tcpdump/Bash:
20
Hunting with tcpdump: DNS Cont.
•Summarizing DNS with tcpdump/Bash:
21
Hunting with tcpdump: DNS Cont.
•Advanced DNS BPF:
22
Hunting with tcpdump: DNS Cont.
•Advanced DNS BPF:
23
Hunting with tcpdump: Outbound Connections
• Find the SYN every hour ☺ #NeedleInHaystack
• Same approach as DNS, but we will focus on summarizing the dst IP in SYN packet
24
Hunting with tcpdump: Outbound Connections Cont.
• Quick BPF to key in on SYNs “tcp[13]=2”
• Next we will use “awk” to grab just the dst IP
25
Hunting with tcpdump: Outbound Connections Cont.
• Now we can summarize the dst IP with “awk” and “sort/uniq”
26
Hunting with tcpdump: Outbound Connections Cont.
• Now to speed things up we can extract just the IP and then toss into a script to lookup network info (CIDR/Net Owner)
27
Hunting with tcpdump: Outbound Connections Cont.
• Now we can add in a bit of Python to lookup network info using Team Cymru’s Python whois module:
28
Hunting with tcpdump: Outbound Connections Cont.
•Advanced BPF Example:
29
Hunting with Dshell
• Dshell is a Python based network hunting tool
• Takes stuff spread across several packets and puts relevant details on an evenly spaced line
30
Hunting with Dshell Cont.
• Dshell has several modules for hunting:– dns: matches up request/response– synrst: SYN followed by RST/ACK– netflow– web: parses HTTP request/response
• Check out the blog post on SANS:– https://isc.sans.edu/diary/Another+Networ
k+Forensic+Tool+for+the+Toolbox+-+Dshell/19277
31
Be in the Know
• As InfoSec professionals we all sit on a throne of vulnerability data and system versioning information that can ideally look overwhelming from a glance.
• So adjust your approach to keep yourself alert…
• Be the Continuous Monitoring Hunter and Gatherer for your firm through these techniques...
32
Follow, Read, Apply, Repeat• Follow other info sec professionals via twitter for the
latest news.
• Read security blogs and rss feeds for information on the newest vulnerabilities/ exploits that are trending today.
• Apply what you read and identify your firm's footprint if applicable (via vuln data or hunting with tools) or create a lab environment (VM) to test a recent exploit.
• Repeat do this process again throughout the day when you can or have downtime.
33
Some CM Examples
• Any security professional can appreciate a heads up!- Knowing info on the next BIG SCARY VULN
before management does…#Heartbleed #Shellshock #POODLE #GHOST
• Even knowing something as simple as a software having an out of band patch, security bulletin or approaching EOL- (i.e Java SE v7 EOL by the end of this month April 2015)
34
Spread Awareness
• Sharing information and knowledge about threats as they emerge can not only help you, but more importantly your TEAM.
• Reference blogs and the NIST NVD once a CVE is released to help track/ communicate amongst your team.
35
Offensive Use Cases
36
Scans Ran Found Nothing…So Secure, Right?
• Often the focus of an assessment is to run tools and get things “scanned”:
– “Did you run your scans?”
– “How many checks did it fail?”
37
Managers will ask
38
Pushing Past Walls
•Hacking is all about massive amounts of failure and not giving up
•The right mindset is critical to being successful
39
Pushing Past Walls
40
Pushing Past Walls Cont.
• Recent pentest we found a WordPress server
•Could access login panel - So brute force is in!–Enumerate valid usernames via login error messages
•Wpscan found some stuff to play with:–Avada Theme with Revslider
–Paid Memberships Pro Path Traversal Vulnerability
–Photo Gallery <= 1.2.7 - Unauthenticated SQL injection
41
Pushing Past Walls: Attack Plans
• Brute Force: Had a valid username - very slow ☹
• Paid Memberships Pro 1.7.14.2 Path Traversal:– Worked! Sweet LFI (Grabbed wp-config.php)
– It was via a php readfile() so no code execution42
Pushing Past Walls: Attack Plans
• Photo Gallery <= 1.2.7 - SQL injection• In lab:
– Read up on the vulnerability
– Replicated in lab
– Tested it in lab environment and w00tw00t worked
– On Assessment Server:
– Needed to have a valid Gallery ID for the server
– Attempted MSF module and failed ☹
– Dug through pcap, few requests in RSTs from the server…hmm potential WAF
43
Pushing Past Walls: Attack Plans
• Figured out how to replicate the finding on lab setup with sqlmap:
• sqlmap -u “<target_URL>” -p “order_by” --random-agent --tamper=between --dbms=mysql --level=5 --risk=3
– Sqlmap on the target site – Still blocked!
– Added in “--delay=“ and figured out I needed a 4 second delay to not trigger the WAF
44
So I am back to this again…..
45
Pushing Past Walls: Attack Plans
• Result? Took a long time, but (DB Enum, Table Enum, --dump wp_users):– Screen shot from lab setup:
46
Pushing Past Walls
• Was able to crack user hashes and authenticate to server and completely comprise the web app
• Great win here, but lots of places I nearly stopped and had to push past to be successful
• Much easier to give up
47
Contact Us and Feedback Forms
48
Example: SSRF open relay
•Server Side Request Forgery (SSRF) vulnerabilities can make the web app your puppet:
–Contact Us Forms
–Feedback Forms
–Forms to request external services:
•tweets-grab.php
49
Example: SSRF open relay Cont.
• Another team gave this site a clean bill of health after a WebInspect scan + remediation
• Automated tools weren’t really working too well (Automated tool said 30 days)
• Started to manually test features with Burp as proxy and found SSRF open relay ☺
50
Example: SSRF open relay Cont.
• Gave me the ability to send emails to anyone coming from anyone in the organization (#BeefHook)
51
Example: Vulns in Unlinked Content
• Sharepoint sites are guilty of this where you may see a default IIS page at when visiting the FQDN, but then after some Google Fu, Burps Engagement Tool, etc.
• site:<FQDN> or inurl:<FQDN> then from there leverage additional search operators to discover interesting information file:<extension> (maybe a .bak or .old) or (-) <FQDN>(kinda like a grep -v)
• You find a new source of unlinked directories and resources that now establish a whole new attack surface!
52
Example: Vulns in Unlinked Content
• Most automated tools will only evaluate linked content
• Enumerating technology in use and making requests for default content – lots of wins (default admin panels, vulnerable resources, etc.)– Google searching “<technology> exploit”
• Lots of vulns could be hanging out unlinked in the app
53
Username Enumeration
• Difference in login messages
•Password reset feature?
– Attempting to reset the web admin “Which admin username did you want to reset?”
• Metadata in documents on site
54
Username Enumeration Cont.
• In our experience web applications commonly don’t have strong password complexity requirements– “password3” “p@ssword”….yes they still work
• Enumerating usernames, combined with no lockout features, and some wordlists = account compromise:– Deploy code, emails, upload files, etc.
55
OSINT Example
• Found Admin video on Youtube
• Found Admin’s Github, LinkedIn, Facebook
• Found Admin’s email in README of source code
• Validated username via “Forgot my username” feature
• Found additional connections to admin who liked his post on facebook and worked for same organization:– Brute forced accounts and gained access to application
•We have a whole talk on OSINT: www.primalsecurity.net/osint/
56
Scanner Takes Too Long
• Not uncommon for an automated tool to say “Estimated time 34 days…”
57
Automated Tool Crashes App
• Not uncommon for an automated tool to tip over a server
• Throw an automated tool at a sensitive web application... You might see something like this:
58
Automated Tool Crashes App Cont.
• Should still be noted in the report as a finding
- The big boy internet scans applications
•You should also be able to perform manual testing to ensure other vulnerabilities are enumerated
59
Testing Remediation Example
• fileupload.php (client-side mime type check)bypass it by changing the “Content-Type”
60
Testing Remediation Example
• Developer fixes with additional server side checks and names the file fileupload2.php
• How would you go about testing this?
61
Testing Remediation Example Cont.
• I saw my input pass to “fileupload2.php”
• I thought “Hmm, I wonder if fileupload.php is still accessible…”
62
Making Your Own Tools
63
Learning a Scripting Language
• I find it a necessary part of my day to day
• Learning a scripting language isn’t that hard
• It’s like starting a friction fire
64
Python
• Python is my weapon of choice
• This talk won't teach you how to write Python, but we plan to show some examples
–We have a whole talk and tutorial on Python:
•Talk: www.primalsecurity.net/introduction-to-python-for-security-professionals/
•Tutorial: www.primalsecurity.net/tutorials/python-tutorials/
• We suggest picking a small project and tackle it
65
Python Resources
• Courses:– SecurityTube’s Python Scripting Expert Course– Google has a free course on Python– Codecademy Python course
• Books:– Violent Python by TJ O‘Connor– Gray Hat and Black Hat Python by Justin Seitz
66
Python Modules
• Python has a lot of built-in and 3rd party modules that can do the heavy lifting for you
• OS command:
• whois lookup:
67
Python Web Scanner
• During our assessments we find it very useful to make custom scripts to automate interaction with web applications
• Making web requests in Python is a very practical use case
68
Python Web Scanner Cont.
• A basic web scanner example
69
More Advanced Web Scanner
•PrimalSec <!-- Web Testing Framework -->
70
Python examples - ShellShock
• In Corelan training at DerbyCon …..deprived of sleep and overdosed on red bull -> Enter ShellShock–Had to spin up a tool to check for ShellShock
71
Python - ShellShock Cont.
• Below is a quick Proof of Concept (PoC) for Shellshock
72
Python - ShellShock Cont.
•Example output - this illustrates how to automate a RCE to make it feel like a web shell
73
Writing Scripts for Assessment Report
• Writing a script to demonstrate a vulnerability or the report can help land the impact
– LFI/RFI -> Shell
– Automating an RCE / web shell capability
– Automating a SSRF to show potential impact
74
Useful Training
• Offensive Security: OSCP/OSCE
• eLearnSecurity
• SANS
• Vulnhub.com
• We have a talk covering this in more depth:–www.primalsecurity.net/how-to-be-an-infosec-geek/
75
In Summary
• We hope this talk inspired more people to:
– Be a Hunter and Gatherer
– Pick up a scripting language or Bash Kung Fu #StartTheFire
• Hopefully you can go out tomorrow and find bad guys or vulnerabilities that may have been missed for days, months, or even years!
76
Contact Us
• Primal Security
–Website: www.primalsecurity.net
–Email: [email protected]
–Twitter: @PrimalSec, @b3armunch
77
