Hacking With Glue
Image: Cyanoacrylate is the generic name for a family of strong fast-acting adhesives with industrial, medical and household uses (source: Wikipedia)
Blake Cornell, CTO, Integris Security
Presentation Context
I will accept questions during this presentation. Raise your hand and I will call on you.
Presentation overview:
1) Describe how a vulnerability assessment starts.
2) Why automation is awesome.
3) Describe what heuristic network scanning is.
4) Introduce the idea of a "Robot Assessor".
5) Describe the trials, tribulations & considerations of writing a Robot Assessor.
6) Educate & Learn while having some fun.
Methodologies described herein should only be used for lawful purposes. Only test networks that you own or are given permission to test.
A Hammer or A Drill
Anyone can use a tool. A carpenter can use these tools effectively, but software can use them automatically.
Tools are just the means to an end result. The result, in the context of this presentation, is to
identify vulnerabilities.
If a manual process can be 100% automated, it frees your institution to solve more complex issues.
Two Categories of Security Tools
Open Source v. Commercial
Different institutions use tools from these two categories for different reasons, for
different purposes.
What are the Pros & Cons of each category of tool?
Open Source Tools
Advantages:
Free.
Hundreds of tools available at a moment's notice.
Exploits and new attack methods can be available within hours of a CVE announcement.
Disadvantages:
Not as robust as commercial tools.
Typically have no central reporting or result collection.
Open Source Tools
Requirements:
Low level knowledge of OSI protocols from layer 4 to 7.
Experience with Linux/Unix and the underlying command line infrastructure.
Command line arguments need to be either memorized or looked up.
Kali Linux is a host based collection of these tools.
Open Source Tools
Popular open source tools include:
DirBuster, Nmap, Metasploit Framework, Kali Linux
Total Cost: $0
Commercial Tools
Advantages:
Robust reporting.
A single commercial tool can replace numerous open source tools.
Less technical knowledge required.
Typically have a lower false positive rate.
Disadvantages:
Cost & licensing limitations.
Difficult to extend the capabilities to stay ahead of a threat curve.
New attack methods can take days or weeks to be made available.
Commercial Tools
Requirements:
A budget for each IP, FQDN or analyst's seat. Can quickly become cost prohibitive.
Commercial Tools
Popular commercial tools include:
Burp Suite Pro, Core Impact, AppScan, WebInspect, Nessus
Total Cost: ~$70,000
Open Source & Commercial
Why not use both heuristically?
Heuristics defined: “technique designed for solving a problem more quickly when classic
methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or
precision for speed. In a way, it can be considered a shortcut.” - Wikipedia
Heuristic Network Scanning?
Putting an intelligent process into existing ones allows rapid & efficient execution during a
vulnerability assessment.
Old world adage: "Let's throw everything at it and see what sticks". Example: a traditional cluster bomb.
New world adage: "We know what will stick before we do anything". Example: a CBU-97 Sensor Fuzed Weapon.
What An Analyst Does With a Tool
Scan targets within a project scope and discover running services:
`nmap -sV -P0 -p0-65535 -O target.fqdn`
(`-P0` is the older spelling of `-Pn`, skip host discovery; `-O` needs raw-socket privileges, so run it as root.)
Evaluate results and determine what tools should be run against certain services:
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Determine which tools to run against the discovered services. Example tools: nikto, carbonator, sqlmap, heartbleed, SSLBasher, Nessus, ZAProxy, etc.
This high level overview of a typical engagement methodology, or process, has traditionally been a manual task. Executing each scan, and the follow-on scans its results call for, takes time away from more valuable analysis.
I always saw this process as a waste of time. That's cause...
I Like Robots
They Do My Bidding
Pentesting with a Heuristic Robot
Using software that automates manual processes, let's call them robots, removes the hands-on time those processes consume during a vulnerability assessment. Time == Money.
The skill level required to run a "robot assessor" is low enough that a non-specialist can initiate scans. The resulting data gives a security analyst the intelligence to get further faster.
Integris::IPSeek.
Why should an institution, regardless of size, consider using a Robot Assessor?
Value Proposition of a Robot Assessor
Q) Why should an institution, regardless of size, consider using a Robot Assessor?
A) Eliminates time required to execute common open source & commercial tools.
A) Enables a lower entry cost to conduct vulnerability assessments for SMB institutions (soft targets).
A) Allows a larger institution the ability to scan their entire perimeter with a single HTTP POST command.
Continual scanning of a Class B IPv4 network (65536 public IP's) could easily require a dedicated human resource just
to initiate and monitor scans.
Hello, Pen Testers!
Penetration Testers: Would you like to never run a port scan or other common baseline security tests again?
What Does a Robot Look Like?
What a Robot Does With a Tool #1
[removed for brevity]
}elsif($self->validateAddress($target)) {
    print "Scanning: $target\n";
    return `nmap -sV -P0 -T Insane -p 0-65535 $target`;
}else{
    print "Supplied IP/FQDN was not valid: $target\n";
}
return 0;
}
[removed for brevity]
foreach my $line (@results) { #this parses every line of the nmap results, regex out what is required.
    if($line =~ /^(\d+)\/tcp\s+open\s+([REDACTEDREGEX)$/) { #SETS $1 and $2: 1=port number, 2=service desc
[removed for brevity]
Results in the following process:
username 8787 14.1 0.2 61992 10484 ? S 18:03 0:14 nmap -sV -P0 -T Insane --max_rtt_timeout 100ms --max_retries 2 -p 0-65535 target.fqdn
What a Robot Does With a Tool #2
$hash = $self->retSQLArrayRef("SELECT REDACTED SQL STATEMENT openports WHERE port = 80 || (service_desc LIKE '%http%' && service_desc NOT LIKE '%ssl/http%')",1);
foreach my $id (keys %$hash) {
[removed for brevity]
    my @tmp;
    $tmp[0]='carbonator';
    [removed for brevity]
    push(@scans,@tmp);
    $tmp[0]='nikto';
    push(@scans,@tmp);
    $tmp[0]='sqlmap';
    push(@scans,@tmp);
[removed for brevity]
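The selection step that the two slides above describe (regex the nmap output for open ports, then queue tools by port number and service description) is easiest to see end to end in one script. The following is an added example written for this page in Python; it is not the Integris IPSeek Perl code. The nmap output is a constructed sample, the two predicates reproduce the conditions visible on the slides (the SQL condition for plain HTTP, and the "443, 465, 993 or '%ssl%'" comment for the Heartbleed check), and the extra rules for TLS web apps and DNS, plus every function name, are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` normal output for one host. It is not output
# from the presentation; it repeats the two lines shown on the slide and adds a
# few services so the selection rules have something to act on.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.fqdn (192.0.2.10)
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 8.9p1
53/tcp    open     domain     ISC BIND 9.18
80/tcp    open     http       Apache httpd
443/tcp   open     ssl/http   Apache httpd
993/tcp   open     ssl/imap   Dovecot imapd
8080/tcp  filtered http-proxy
"""

# Only "open" TCP lines are interesting; filtered/closed ports are skipped.
PORT_LINE = re.compile(r'^(\d+)/tcp\s+open\s+(\S+)\s*(.*?)\s*$')


@dataclass(frozen=True)
class OpenPort:
    port: int
    service: str   # nmap service name, e.g. "http" or "ssl/http"
    version: str   # free-text version banner, may be empty


def parse_open_ports(nmap_output):
    """The robot's regex step: nmap normal output -> list of OpenPort."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.append(OpenPort(int(m.group(1)), m.group(2), m.group(3)))
    return found


def is_plain_http(p):
    """Mirrors the slide's SQL: port 80, or a service containing 'http'
    that is not 'ssl/http'."""
    return p.port == 80 or ('http' in p.service and 'ssl/http' not in p.service)


def is_tls(p):
    """Mirrors the runHeartbleed comment: 443, 465, 993 or a service
    mentioning ssl."""
    return p.port in (443, 465, 993) or 'ssl' in p.service


# Rule table: (predicate over an OpenPort, tools to queue). The first two rows
# come from the slides; the last two are assumptions added for this example.
RULES = [
    (is_plain_http, ['carbonator', 'nikto', 'sqlmap']),
    (is_tls, ['heartbleed', 'sslbasher']),
    (lambda p: 'ssl/http' in p.service, ['carbonator', 'nikto', 'sqlmap']),  # assumption: TLS web apps get the web tools too
    (lambda p: p.port == 53 or p.service == 'domain', ['dnsrelay']),          # assumption: DNS gets the relay check
]


def select_scans(ports):
    """Apply every rule to every open port; return ordered (tool, port) jobs
    without duplicates, so a port matching two rules is not scanned twice."""
    jobs = []
    for p in ports:
        for predicate, tools in RULES:
            if predicate(p):
                for tool in tools:
                    job = (tool, p.port)
                    if job not in jobs:
                        jobs.append(job)
    return jobs


def plan(target, nmap_output):
    """The whole decision step: target + scan output -> (tool, host, port) list."""
    return [(tool, target, port)
            for tool, port in select_scans(parse_open_ports(nmap_output))]


if __name__ == '__main__':
    for tool, host, port in plan('target.fqdn', SAMPLE_NMAP_OUTPUT):
        print(f'{tool:10s} {host}:{port}')
```

The rule table is the part that grows over time: adding a tool means adding one row, not another `elsif` branch, and the de-duplication keeps a host that matches both the plain-HTTP and the TLS rules from being queued twice for the same tool.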
What a Robot Does With a Tool #3
if($scans[$i] eq 'fierce') {
    $self->insertScanResults('',$scans[$i+3],'fierce',$self->runFierce($scans[$i+1],$scans[$i+2]));
}elsif($scans[$i] eq 'heartbleed'){
    $self->insertScanResults('',$scans[$i+3],'heartbleed',$self->runHeartbleed($scans[$i+1],$scans[$i+2]));
}elsif($scans[$i] eq 'dnsrelay'){
    $self->insertScanResults('',$scans[$i+3],'dnsrelay',$self->runDNSRelay($scans[$i+1],$scans[$i+2]));
}elsif($scans[$i] eq 'sslbasher'){
    $self->insertScanResults('',$scans[$i+3],'sslbasher',$self->runSSLBasher($scans[$i+1],$scans[$i+2]));
}elsif($scans[$i] eq 'wafw00f'){
    $self->insertScanResults('',$scans[$i+3],'wafw00f',$self->runWafW00f($scans[$i+1],$scans[$i+2]));
What a Robot Does With a Tool #4
#this is where perl calls PHP. By now, these processes are already threaded, running concurrently and forking out to a PHP instance. There is no better phrase to describe this than "Hacking with Glue".
sub runHeartbleed { #port 443,465,993 or keyword like '%ssl%'
    my($self,$host,$port,@args)=@_;
    my $results = `php ../tools_executeSubScan.php $host $port heartbleed`;
    [removed for brevity]
#this is the PHP code that gets executed when the above perl function is executed
if(strtolower($tool) == 'sqlmap') {
    print $client->runToolSQLMap($ip,$user_id,$source_ip,0);
}elseif(strtolower($tool) == 'heartbleed') {
    print $client->runToolHeartBleed($ip,$port,$user_id,$source_ip,0);
[removed for brevity]
What a Robot Does With a Tool #5
public function runToolHeartBleed($ip,$port,$user_id,$source_ip,$email_results) {
    if($this->checkIPHost($ip) && $this->checkPortNumber($port) && $this->addToolExecutionRecord($user_id,'Heart Bleed',$ip,$port,$source_ip)) {
        if($email_results) {
            [removed for brevity]
        }else{
            return preg_replace("/\r\n|\r|\n/","<br />",htmlspecialchars(shell_exec('python '.getcwd().'/tools/heartbleed_integris.py '.$ip.' -p '.$port)));
        }
    }
    return $this->retInvalidURLIPFQDN();
}
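Both glue layers above build a command line by interpolating the target into a shell string (backticks in the Perl `runHeartbleed`, `shell_exec` in the PHP `runToolHeartBleed`), so `checkIPHost` and `checkPortNumber` are the only thing standing between a submitted target and `/bin/sh`. The following added example, written for this page in Python rather than taken from the Integris code, shows the same validate-then-spawn step done with an argv list, where no shell parses the target at all, together with the PHP layer's escape-then-`<br />` transform of the result. `check_ip_host`, `check_port_number`, `build_argv` and `run_tool` are my own implementations named after the PHP functions, and `ECHO_TOOL` is a constructed stand-in for `tools/heartbleed_integris.py` that only echoes its arguments so the example runs offline.

```python
import html
import ipaddress
import re
import subprocess
import sys

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# at most 253 characters overall. Deliberately strict: anything with a space,
# quote, semicolon or '$' fails here and never reaches a process spawn.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def check_ip_host(target):
    """Stand-in for checkIPHost: accept an IPv4/IPv6 literal or a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def check_port_number(port):
    """Stand-in for checkPortNumber: a real int in 1..65535 (bool excluded)."""
    return isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535


# Constructed stand-in for tools/heartbleed_integris.py: a one-line Python
# program that prints the arguments it received. The real scanner is not part
# of this example.
ECHO_TOOL = [sys.executable, '-c', 'import sys; print(" ".join(sys.argv[1:]))']


def build_argv(target, port, tool=ECHO_TOOL):
    """Validate, then build an argv list. With a list there is no shell in the
    path, so a metacharacter in target can only ever be a literal argument."""
    if not check_ip_host(target):
        raise ValueError(f'Supplied IP/FQDN was not valid: {target!r}')
    if not check_port_number(port):
        raise ValueError(f'Invalid port: {port!r}')
    return tool + [target, '-p', str(port)]


def run_tool(target, port, timeout=60):
    """Run the sub-scan and return its stdout, as the Perl layer captures it.
    A timeout keeps one hung target from pinning a worker thread forever."""
    proc = subprocess.run(build_argv(target, port), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout.strip()


def to_html(text):
    """The PHP layer's transform: htmlspecialchars, then newlines to <br />."""
    return re.sub(r'\r\n|\r|\n', '<br />', html.escape(text, quote=True))


def shell_string_for_comparison(target, port):
    """What the concatenated shell_exec string on the slide would contain if
    validation were skipped. Returned for inspection only, never executed."""
    return f'python tools/heartbleed_integris.py {target} -p {port}'


if __name__ == '__main__':
    print(run_tool('192.0.2.10', 443))
    print(to_html(run_tool('target.example', 993) + '\nsecond line'))
    try:
        run_tool('192.0.2.10; id', 443)
    except ValueError as e:
        print('rejected:', e)
    print(shell_string_for_comparison('192.0.2.10; id', 443))
```

The validators reject the hostile target outright; if one of them were ever loosened, the argv form still hands `192.0.2.10; id` to the tool as a single argument, whereas the concatenated string form hands it to the shell.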
What a Robot Does With a Tool #6
#!/usr/bin/python
import sys
import struct
import socket
import time
import select
import re
import os
from datetime import datetime, timedelta
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
[removed for brevity]
What a Robot Does With a Tool
The previous code samples demonstrate:
A 6 step pragmatic process.
Highly extensible capabilities.
100% automated service discovery, tool selection and tool execution.
Designate a Target
Submit a target and become aware of that target.
Intuitive web interface can be used to designate new targets. For example...
Designate a Target
Submit the Internet and become aware of the Internet.
This would be an interesting target to scan?!
Scanning a Target
The following is the Command Line output of the scanner running.
Setting Thread Max: 15
_-=-=-=-=^-=^-=^-=-=-=-=-=^-=^-=-=^-=^^^^-=^-=^-=^^^-=-=^^^-=^-=^^-=-=-=-=^-=-=-=-=^^-=-=^-=-=-=^^^-=^^^-=^^-=^^^^-=^-=-=^-=^-=^^-=-=-=^-=-=-=-=-=^-=^^^^^-=^^^-=^-=-=-=
Approving Scan
Port ID: 4945
Scan Name: webshag
-=^-=^^-=-=^^-=-=-=^^^-=-=^^-=-=-=-=^^-=^^^^-=-=-=^-=-=^^-=-=^^^^-=^-=-=-=^-=^-=
Approving Scan
Port ID: 4943
Scan Name: dirs3arch
^-=-=^-=-=^^-=^^-=^-=-=^-=
Waiting for threads to finish.
Waiting for threads to close.
Process: Wait for Results
Submit a target and become aware of that target.
Remain Flexible
Some integrations can take multiple days of work. Most integrations take less than an hour. Over time the current list of available tools will grow.
Integris Carbonator
Integris Security has open sourced a tool that was developed internally. It is an extension of Burp Suite Pro.
Carbonator automates the process of running the Burp Suite web application vulnerability scanner. A single command can initiate a scan against an unlimited number of web applications.
Numerous Fortune 1000 institutions are currently using this tool to automate manual, time consuming, processes.
Carbonator is a prime example of how to leverage automation. It is run from a CLI interface and is importable within this process.
Risk Impact via SANS Top 20
The methods described in this presentation have a direct impact on an institution's risk profile that can be directly mapped to the SANS Top 20 critical controls.
Subsections of the following critical controls are satisfied by a process described by this presentation.
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 6: Application Software Security
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises
Hacking With Glue
Blake Cornell, CTO, Integris Security LLC.
Email me at glue at integrissecurity dot com
Follow Integris Security @integrissec
Contact me if you have Questions!