Hacking With Glue - Hackfest 2020 · 2016-04-02

Page 1

Hacking With Glue

Image: Cyanoacrylate is the generic name for a family of strong fast-acting adhesives with industrial, medical and household uses (source: wikipedia)

Blake Cornell, CTO, Integris Security [email protected]

Page 2

Presentation Context

I will accept questions during this presentation. Raise your hand and I will call on you.

Presentation overview:

1) Describe how a vulnerability assessment starts.
2) Why automation is awesome.
3) Describe what heuristic network scanning is.
4) Introduce the idea of a “Robot Assessor”.
5) Describe the trials, tribulations & considerations of writing a Robot Assessor.
6) Educate & Learn while having some fun.

Methodologies described herein should only be used for lawful purposes. Only test networks that you own or are given permission to test.

Page 3

A Hammer or A Drill

Anyone can use a tool. A carpenter can use these tools effectively, but software can use them automatically.

Tools are just the means to an end result. The result, in the context of this presentation, is to identify vulnerabilities.

If a manual process can be 100% automated, it frees your institution to solve more complex issues.

Page 4

Two Categories of Security Tools

Open Source v. Commercial

Different institutions use tools from these two categories for different reasons, for different purposes.

What are the Pros & Cons of each category of tool?

Page 5

Open Source Tools

Advantages: Free. Hundreds of tools available at a moment's notice. Exploits and new attack methods can be available within hours of a CVE announcement.

Disadvantages: Not as robust as commercial tools. Typically has no central reporting or result collection.

Page 6

Open Source Tools

Requirements: Low-level knowledge of OSI protocols from layer 4 – 7. Experience with Linux/Unix and the underlying command line infrastructure. Command line arguments need to be either memorized or looked up.

Kali Linux is a host-based collection of these tools.

Page 7

Open Source Tools

Popular open source tools include: DirBuster, Nmap, Metasploit Framework, Kali Linux

Total Cost: $0

Page 8

Commercial Tools

Advantages: Robust reporting. A single commercial tool can replace numerous open source tools. Less technical knowledge required. Typically have a lower false positive rate.

Disadvantages: Cost & licensing limitations. Difficult to extend the capabilities to stay ahead of a threat curve. New attack methods can take days or weeks to be made available.

Page 9

Commercial Tools

Requirements:

A budget for each IP, FQDN or analyst's seat. Can quickly become cost prohibitive.

Page 10

Commercial Tools

Popular commercial tools include: Burp Suite Pro, Core Impact, AppScan, WebInspect, Nessus

Total Cost: ~$70,000

Page 11

Open Source & Commercial

Why not use both heuristically?

Heuristics defined: “technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or precision for speed. In a way, it can be considered a shortcut.” - Wikipedia

Page 12

Heuristic Network Scanning?

Putting an intelligent process into existing ones allows rapid & efficient execution during a vulnerability assessment.

Old world adage: “Let's throw everything at it and see what sticks”. Example: A Traditional Cluster Bomb.

New world adage: “We know what will stick before we do anything”. Example: A CBU-97 Sensor Fuzed Weapon.

Page 13

What An Analyst Does With a Tool

Scan targets within a project scope and discover running services:

`nmap -sV -P0 -p0-65535 -O target.fqdn`

Evaluate results and determine what tools should be run against certain services:

```
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
```

Determine which tools to run against the discovered services. Example Tools: nikto, carbonator, sqlmap, heartbleed, SSLBasher, Nessus, ZAProxy, etc.

This high level overview of a typical engagement methodology, or process, has traditionally always been a manual task. The process of executing each scan and subsequent scans takes time away from more valuable analysis.

I always saw this process as a waste of time. That's because...

Page 14

I Like Robots

They Do My Bidding

Page 15

Pentesting with a Heuristic Robot

Using software that automates manual processes, let's call them robots, eliminates particular time requirements during a vulnerability assessment. Time == Money.

The skill level required to run a “robot assessor” is low enough that a non-specialist can initiate scans. The resulting data gives a security analyst the intelligence to get further, faster.

Integris::IPSeek.

Why should an institution, regardless of size, consider using a Robot Assessor?

Page 16

Value Proposition of a Robot Assessor

Q) Why should an institution, regardless of size, consider using a Robot Assessor?

A) Eliminates time required to execute common open source & commercial tools.

A) Enables a lower entry cost to conduct vulnerability assessments for SMB institutions (soft targets).

A) Allows a larger institution the ability to scan their entire perimeter with a single HTTP POST command.

Continual scanning of a Class B IPv4 network (65536 public IP's) could easily require a dedicated human resource just to initiate and monitor scans.

Page 17

Hello, Pen Testers!

Penetration Testers: Would you like to never run a port scan or other common baseline security tests again?

Page 18

What Does a Robot Look Like?

Page 19

What a Robot Does With a Tool #1

```perl
# [removed for brevity]
} elsif ($self->validateAddress($target)) {
    print "Scanning: $target\n";
    return `nmap -sV -P0 -T Insane -p 0-65535 $target`;
} else {
    print "Supplied IP/FQDN was not valid: $target\n";
}
return 0;
}

# [removed for brevity]
foreach my $line (@results) {
    # this parses every line of the nmap results, regex out what is required.
    if ($line =~ /^(\d+)\/tcp\s+open\s+([REDACTEDREGEX)$/) {
        # SETS $1 and $2: 1=port number, 2=service desc
        # [removed for brevity]
```

Results in the following process:

```
username 8787 14.1 0.2 61992 10484 ? S 18:03 0:14 nmap -sV -P0 -T Insane --max_rtt_timeout 100ms --max_retries 2 -p 0-65535 target.fqdn
```

Page 20

What a Robot Does With a Tool #2

```perl
$hash = $self->retSQLArrayRef("SELECT REDACTED SQL STATEMENT openports WHERE port = 80 || (service_desc LIKE '%http%' && service_desc NOT LIKE '%ssl/http%')", 1);
foreach my $id (keys %$hash) {
    # [removed for brevity]
    my @tmp;
    $tmp[0] = 'carbonator';
    # [removed for brevity]
    push(@scans, @tmp);
    $tmp[0] = 'nikto';
    push(@scans, @tmp);
    $tmp[0] = 'sqlmap';
    push(@scans, @tmp);
    # [removed for brevity]
```
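Slides 19 and 20 show the two halves of the robot's heuristic: a regex over nmap's per-port output lines, then a query that picks tools from the port number and service description. The following is an added example written for this page in Python; it is not the talk's Perl code. It runs the same two steps over a constructed nmap -sV sample. The selection rules are the ones the slides state (port 80, or an http service that is not ssl/http, queues carbonator, nikto and sqlmap; port 443/465/993 or a service matching '%ssl%' queues the heartbleed check), the 4-tuple scan record mirrors the flat @scans array, and the port_id counter is an assumption standing in for the database row id the Perl code reads.

```python
"""Added example (not the talk's own code): parse nmap -sV output and build a
scan queue the way the Perl robot on slides 19 and 20 does."""
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap -sV output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap ( https://nmap.org ) at 2016-04-02 10:00 EDT
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.2p2
80/tcp    open     http        Apache httpd
443/tcp   open     ssl/http    Apache httpd
993/tcp   open     ssl/imap    Dovecot imapd
8080/tcp  filtered http-proxy
Service detection performed.
"""

# Counterpart of the slide's /^(\d+)\/tcp\s+open\s+(...)$/: port, service, version.
OPEN_TCP_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(nmap_output: str) -> Dict[int, str]:
    """Return {port: service_desc} for every open TCP port (the robot's openports rows)."""
    open_ports: Dict[int, str] = {}
    for line in nmap_output.splitlines():
        m = OPEN_TCP_RE.match(line.strip())
        if not m:
            continue  # banner, column header, closed/filtered ports, trailer
        port = int(m.group(1))
        service = m.group(2)
        version = (m.group(3) or "").strip()
        open_ports[port] = f"{service} {version}".strip()
    return open_ports


# Scan record layout mirrors the flat @scans array: (tool, host, port, port_id).
Scan = Tuple[str, str, int, int]


def select_scans(host: str, open_ports: Dict[int, str]) -> List[Scan]:
    """Rule-based tool selection: the heuristic the slides describe."""
    scans: List[Scan] = []
    port_id = 0  # assumption: a local counter in place of the DB row id
    for port, desc in sorted(open_ports.items()):
        port_id += 1
        name = desc.split(" ", 1)[0].lower()  # service column only, not the version
        # Slide 20 rule: port 80, or an http service that is not ssl/http -> web tools
        if port == 80 or ("http" in name and "ssl/http" not in name):
            for tool in ("carbonator", "nikto", "sqlmap"):
                scans.append((tool, host, port, port_id))
        # Slide 22 comment on runHeartbleed: port 443,465,993 or keyword like '%ssl%'
        if port in (443, 465, 993) or "ssl" in name:
            scans.append(("heartbleed", host, port, port_id))
    return scans


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    for rec in select_scans("target.fqdn", found):
        print("queue %-10s -> %s:%d (port id %d)" % rec)
```

On the sample, 8080/tcp is filtered and never reaches the queue; 443/tcp matches the '%http%' rule but is excluded by the NOT LIKE '%ssl/http%' clause, so it receives only the heartbleed check.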

Page 21

What a Robot Does With a Tool #3

```perl
if ($scans[$i] eq 'fierce') {
    $self->insertScanResults('', $scans[$i+3], 'fierce', $self->runFierce($scans[$i+1], $scans[$i+2]));
} elsif ($scans[$i] eq 'heartbleed') {
    $self->insertScanResults('', $scans[$i+3], 'heartbleed', $self->runHeartbleed($scans[$i+1], $scans[$i+2]));
} elsif ($scans[$i] eq 'dnsrelay') {
    $self->insertScanResults('', $scans[$i+3], 'dnsrelay', $self->runDNSRelay($scans[$i+1], $scans[$i+2]));
} elsif ($scans[$i] eq 'sslbasher') {
    $self->insertScanResults('', $scans[$i+3], 'sslbasher', $self->runSSLBasher($scans[$i+1], $scans[$i+2]));
} elsif ($scans[$i] eq 'wafw00f') {
    $self->insertScanResults('', $scans[$i+3], 'wafw00f', $self->runWafW00f($scans[$i+1], $scans[$i+2]));
```

Page 22

What a Robot Does With a Tool #4

This is where Perl calls PHP. By now, these processes are already threaded, running concurrently and forking out to a PHP instance. There is no better phrase to describe this than “Hacking with Glue”.

```perl
sub runHeartbleed {
    # port 443,465,993 or keyword like '%ssl%'
    my ($self, $host, $port, @args) = @_;
    my $results = `php ../tools_executeSubScan.php $host $port heartbleed`;
    # [removed for brevity]
```

This is the PHP code that gets executed when the above Perl function is executed:

```php
if (strtolower($tool) == 'sqlmap') {
    print $client->runToolSQLMap($ip, $user_id, $source_ip, 0);
} elseif (strtolower($tool) == 'heartbleed') {
    print $client->runToolHeartBleed($ip, $port, $user_id, $source_ip, 0);
    // [removed for brevity]
```

Page 23

What a Robot Does With a Tool #5

```php
public function runToolHeartBleed($ip, $port, $user_id, $source_ip, $email_results) {
    // The target and port are validated, and the execution recorded, before anything runs.
    if ($this->checkIPHost($ip) && $this->checkPortNumber($port) && $this->addToolExecutionRecord($user_id, 'Heart Bleed', $ip, $port, $source_ip)) {
        if ($email_results) {
            // [removed for brevity]
        } else {
            // Run the checker script and return its output as HTML-safe text with <br /> line breaks.
            return preg_replace("/\r\n|\r|\n/", "<br />", htmlspecialchars(shell_exec('python ' . getcwd() . '/tools/heartbleed_integris.py ' . $ip . ' -p ' . $port)));
        }
    }
    return $this->retInvalidURLIPFQDN();
}
```
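The glue on this slide concatenates `$ip` and `$port` into a shell string, so the whole design rests on `checkIPHost` and `checkPortNumber` being strict. The following is an added example, written for this page in Python rather than the project's PHP, that shows the defensive shape a practitioner would want for the same step: a strict host/port validator, the command built as an argv list so the arguments never pass through a shell, and the same escape-and-`<br />` rendering of the output. The script path `tools/heartbleed_integris.py` under the working directory is the one shown on the slide; the validation rules, function names and the constructed inputs are assumptions of this example.

```python
"""Added example (not the project's code): launching a sub-tool from the glue
layer without a shell, with strict input validation, and rendering its output
for a web page the way the PHP on slide 23 does."""
import html
import ipaddress
import os
import re
import subprocess
from typing import List

# Path of the Heartbleed checker as shown on the slide, relative to the working directory.
HEARTBLEED_SCRIPT = os.path.join(os.getcwd(), "tools", "heartbleed_integris.py")

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_host(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid FQDN, nothing else.
    Shell metacharacters, whitespace and option-like strings ('-p') all fail here."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def validate_port(value) -> bool:
    """Port must be a plain decimal integer in 1..65535 (no '443 ; id', no '0443')."""
    s = str(value)
    return bool(re.fullmatch(r"[1-9]\d{0,4}", s)) and int(s) <= 65535


def build_heartbleed_argv(host: str, port) -> List[str]:
    """Build the command as an argv list: host and port are single arguments and are
    never interpreted by a shell, unlike string concatenation into shell_exec()."""
    if not validate_host(host):
        raise ValueError(f"invalid host: {host!r}")
    if not validate_port(port):
        raise ValueError(f"invalid port: {port!r}")
    return ["python", HEARTBLEED_SCRIPT, host, "-p", str(port)]


def render_for_html(text: str) -> str:
    """Escape tool output before it reaches a browser and keep line breaks,
    mirroring the htmlspecialchars + preg_replace step on the slide."""
    return re.sub(r"\r\n|\r|\n", "<br />", html.escape(text, quote=False))


def run_heartbleed_check(host: str, port, timeout: int = 120) -> str:
    """Validate, run the checker without a shell, and return its stdout as safe HTML."""
    argv = build_heartbleed_argv(host, port)  # raises ValueError on bad input
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return render_for_html(proc.stdout)


if __name__ == "__main__":
    # Constructed inputs: one well-formed target and two that must be rejected.
    print(build_heartbleed_argv("target.fqdn", 443))
    for bad_host in ("10.0.0.5; id", "-p"):
        try:
            build_heartbleed_argv(bad_host, 443)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the validator runs before `subprocess.run` and the arguments are passed as a list, a host value such as `10.0.0.5; id` or `-p` is refused outright rather than reaching the operating system.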

Page 24

What a Robot Does With a Tool #6

```python
#!/usr/bin/python
import sys
import struct
import socket
import time
import select
import re
import os
from datetime import datetime, timedelta
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
# [removed for brevity]
```

Page 25

What a Robot Does With a Tool

The previous code samples demonstrate: a 6 step pragmatic process; highly extensible capabilities; 100% automated service discovery, tool selection and tool execution.

Page 26

Designate a Target

Submit a target and become aware of that target.

Intuitive web interface can be used to designate new targets. For example...

Page 27

Designate a Target

Submit the Internet and become aware of the Internet.

This would be an interesting target to scan?!

Page 28

Scanning a Target

The following is the Command Line output of the scanner running.

```
Setting Thread Max: 15
_-=-=-=-=^-=^-=^-=-=-=-=-=^-=^-=-=^-=^^^^-=^-=^-=^^^-=-=^^^-=^-=^^-=-=-=-=^-=-=-=-=^^-=-=^-=-=-=^^^-=^^^-=^^-=^^^^-=^-=-=^-=^-=^^-=-=-=^-=-=-=-=-=^-=^^^^^-=^^^-=^-=-=-=
Approving Scan
Port ID: 4945
Scan Name: webshag
-=^-=^^-=-=^^-=-=-=^^^-=-=^^-=-=-=-=^^-=^^^^-=-=-=^-=-=^^-=-=^^^^-=^-=-=-=^-=^-=
Approving Scan
Port ID: 4943
Scan Name: dirs3arch
^-=-=^-=-=^^-=^^-=^-=-=^-=
Waiting for threads to finish.
Waiting for threads to close.
```

Page 29

Process: Wait for Results

Submit a target and become aware of that target.

Page 30

Remain Flexible

Some integrations can take multiple days' work. Most integrations take less than an hour. Over time the current list of available tools will grow.

Page 31

Integris Carbonator

Integris Security has open sourced a tool that was developed internally. It is an extension of Burp Suite Pro.

Carbonator automates the process of running the Burp Suite web application vulnerability scanner. A single command can initiate a scan against an unlimited number of web applications.

Numerous Fortune 1000 institutions are currently using this tool to automate manual, time-consuming processes.

Carbonator is a prime example of how to leverage automation. It is run from a CLI interface and is importable within this process.

Page 32

Risk Impact via SANS Top 20

The methods described in this presentation have a direct impact on an institution's risk profile that can be directly mapped to the SANS Top 20 critical controls.

Subsections of the following critical controls are satisfied by a process described by this presentation.

CSC 2: Inventory of Authorized and Unauthorized Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 6: Application Software Security
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises

Page 33

Hacking With Glue

Blake Cornell, CTO, Integris Security LLC.
Email me at glue at integrissecurity dot com

Follow Integris Security @integrissec

Contact me if you have Questions!

