Rapid Assessment of Web Resources (RAWR) - DerbyCon 3.0

Date post: 29-Jun-2015
Upload: tom-moore
Description:
One of the highest threats to organizations today is also, in most cases, one of their most prevalent services: web interfaces. The landscape has changed from simple static websites to fully functional web-based applications that provide access to internal information gold mines. If you’re not testing your client organization’s, expect that someone else is! Our belief is that most organizations have little to no knowledge of how many internal web resources exist within their environments that could lead to network compromise. By taking an approach that ensures the security of your client’s web interfaces through offensive security, you will find that there is a lot involved – and usually not a lot of time to get from initial scan to report. In this presentation, we’ll introduce RAWR (Rapid Assessment of Web Resources). We’ll cover its inception, the hurdles faced, and give some practical advice on how to get the most out of ‘the little dinosaur’. There’s a lot packed into this tool that will help you get a better grasp of the threat landscape that is your client’s web resources. It has been tested on everything from extremely large network environments down to 5-node networks. It has been fine-tuned to produce fast, accurate, and applicable results in formats that you can use! RAWR will make the mapping phase of your next web assessment efficient and get you producing positive results faster!
Transcript
Page 1: Rapid Assessment of Web Resources (RAWR) - DerbyCon 3.0

RAWR
Rapid Assessment of Web Resources
https://www.bitbucket.org/al14s/rawr

Page 2:

Adam Byers [@al14s]

Started with BASIC – Antic mag… the ‘Blue Pages’

• Blue Team
• Automation
• Wireless
• Malware forensics

INTRODUCTION

Tom Moore [@c0ncealed]

• Red Team Menace
• Loves creating reports
• Cuddles his AK

AOL proggies/punters in the 90’s

Page 3:

AGENDA

• Web Assessments
• Meet RAWR
• Demo
• Plans for the Future
• Conclusion/Discussion

Page 4:

WHY WORRY ABOUT WEB?

If you don’t know your organization’s web attack surface, expect that someone else already does.

One of the highest threats to organizations today is also one of their most prevalent services available in most cases, web interfaces. The landscape has changed from simple static websites, to fully functional web-based applications that provide access to internal information gold mines. Our belief is that most organizations have little to no knowledge as to how many internal web resources they have within their environments that could lead to network compromise. By taking an approach to ensure the security of your client’s web interfaces through offensive security, you will find that there is a lot involved – and usually not a lot of time to get from initial scan to report.

Page 5:

WHAT WOULD YOU DO?

You are given the following objective:

Assess your organization’s internal and external web-based attack surface.

Your end goal is to produce a report that can be provided to both technical individuals and executives.

Page 6:

WHICH TOOLS TO LEVERAGE?

Recon → Mapping → Discovery → Exploitation → Reporting

Different tools for each step in the process:

These tools, in most cases, do not produce output that plays nicely with one another. This leaves YOU with the responsibility of interfacing between them…

Page 7:

HOW WOULD YOU PRESENT IT?

Executive / Technical

How much work would be involved in obtaining output that could be considered acceptable for both of your intended audiences?

- Visuals and numbers.

- Specific information for remediation.

Page 8:

WHAT IS YOUR TURN-AROUND?

Mapping → Formatting data → Identify targets of interest → Additional information collection → Formatting data (again) → Validation of findings → Composing the report

How long would it take you to go from initial mapping, to producing the deliverable?

Page 9:

WHY U ASK SO MANY QUESTION?

I’m glad you asked. =P

So, what really is the answer to this flurry of questions?

Page 10:

MEET…

Page 11:

WEB ASSESSMENTS

RAWR

Recon → Mapping → Discovery → Exploitation → Reporting

Page 12:

• NMap XML (live or from file) *
• Nexpose Simple XML
• Nexpose XML (v1, v2)
• Nessus XML (.nessus) *
• OpenVAS XML
• Qualys XML (Scan Report) *
• Qualys CSV (Port/Services Scan)
• Metasploit CSV
• ??? CSV

* Parses SSL cert info for these

INPUT
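As an added illustration of what the input stage has to do with one of these formats, here is a small parser that pulls web targets out of Nmap XML. This is example code written for this transcript, not RAWR's own parser; the XML is a constructed sample in the shape of Nmap's `-oX` output, and the set of service names treated as "web" is an assumption of the example.

```python
"""Added example (not RAWR's own code): pull web targets out of Nmap XML.

RAWR accepts Nmap XML as one of its input formats; this shows the kind of
parsing that step involves. The XML below is a constructed sample in the
shape of Nmap's -oX output, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host with plain and TLS-wrapped HTTP plus a
# filtered proxy port, one host that is down, one host on an alternate port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed set of Nmap service names that mean "there is an HTTP interface here".
WEB_SERVICE_NAMES = {"http", "https", "http-proxy", "http-alt", "https-alt"}


def scheme_for(service):
    """Return 'http'/'https' for a <service> element, or None if it is not web."""
    name = (service.get("name") or "").lower()
    if name not in WEB_SERVICE_NAMES:
        return None
    # Nmap reports TLS-wrapped HTTP as name="http" tunnel="ssl".
    if service.get("tunnel") == "ssl" or name.startswith("https"):
        return "https"
    return "http"


def web_targets(xml_text):
    """Return one record per open web port on each host that is up."""
    # xml.etree is fine for scan output you produced yourself; for XML from an
    # untrusted source use defusedxml, which refuses the entity-expansion
    # (billion laughs) payloads the stdlib parser will expand.
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hostname_el = host.find("hostnames/hostname")
        hostname = hostname_el.get("name") if hostname_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            scheme = scheme_for(service)
            if scheme is None:
                continue
            portid = int(port.get("portid"))
            targets.append({
                "ip": ip,
                "hostname": hostname,
                "port": portid,
                "scheme": scheme,
                "url": f"{scheme}://{ip}:{portid}/",
            })
    return targets


if __name__ == "__main__":
    for t in web_targets(SAMPLE_NMAP_XML):
        print(t["url"], t["hostname"])
```

Down hosts and non-open ports are dropped, and the TLS decision is made from Nmap's `tunnel="ssl"` attribute rather than from the port number, so an HTTPS service on 8443 and a plain-HTTP service on 443 are both classified correctly.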

Page 13:

INPUT → ENUMERATION

Extract as much as possible from the server response.

• Default Passwords
• Geo-location
• Crawl
• Modules
• Bing DNS

Page 14:

INPUT → ENUM

• HTML
• CSV
• Attack Surface Matrix
• SQLite3 db
• Site Diagrams
• JSON objects
• NMap -oA (from live scan)

• Cookies
• Robots.txt
• SSL Certificates

OUTPUT
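The enumeration slide ("extract as much as possible from the server response") and the output slide above describe two halves of one pipeline: read what a server gives away, then write it in a form both audiences can use. The following added example walks that path for a single response: it records the server banner, page title, presence of a form and the security attributes of each cookie, then serializes the result as JSON and CSV. This is illustrative code for this transcript, not RAWR's own enumeration or reporting code; the HTTP response is constructed, and the column layout is an assumption of the example.

```python
"""Added example (not RAWR's own code): enumerate one HTTP response and write
the findings as JSON and CSV. The response bytes below are constructed.
"""
import csv
import io
import json
import re

# Constructed sample response: a session cookie without Secure/HttpOnly next
# to one that sets both, plus a banner and a login form in the body.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head><title>Intranet Admin Console</title></head>"
    b"<body><form action=\"/login\" method=\"post\"></form></body></html>"
)


def parse_response(raw):
    """Split raw response bytes into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []  # list, not dict: Set-Cookie legitimately repeats
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def cookie_findings(headers):
    """One record per Set-Cookie header with its Secure/HttpOnly flags."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings.append({
            "cookie": cookie_name,
            "secure": "secure" in flags,
            "httponly": "httponly" in flags,
        })
    return findings


def enumerate_response(host, port, raw):
    """Build the per-target record that feeds the reports."""
    status_line, headers, body = parse_response(raw)
    hdr = dict(headers)  # last value wins; fine for non-repeating headers
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "host": host,
        "port": port,
        "status": int(status_line.split()[1]),
        "server": hdr.get("server", ""),
        "powered_by": hdr.get("x-powered-by", ""),
        "title": title.group(1).strip() if title else "",
        "has_form": bool(re.search(r"<form\b", body, re.I)),
        "cookies": cookie_findings(headers),
    }


CSV_FIELDS = ["host", "port", "status", "server", "powered_by",
              "title", "has_form", "insecure_cookies"]


def to_csv(records):
    """Flat CSV for the spreadsheet audience; cookies lacking a flag are named."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        row = {k: rec[k] for k in CSV_FIELDS if k in rec}
        row["insecure_cookies"] = ";".join(
            c["cookie"] for c in rec["cookies"]
            if not (c["secure"] and c["httponly"]))
        writer.writerow(row)
    return buf.getvalue()


def to_json(records):
    """Full nested records for tooling that wants the detail."""
    return json.dumps(records, indent=2, sort_keys=True)


if __name__ == "__main__":
    record = enumerate_response("10.0.0.5", 443, SAMPLE_RESPONSE)
    print(to_csv([record]))
    print(to_json([record]))
```

Keeping headers as a list of pairs rather than a dict is the detail that matters here: a dict silently keeps only the last `Set-Cookie`, so the one cookie missing `Secure` and `HttpOnly` would never reach the report.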

Page 15:

RAWR

Recon → Mapping → Discovery → Exploitation → Reporting

WEB ASSESSMENTS

Page 16:

INPUT → ENUM → OUTPUT

ERRORS → error.log

Page 17:

ERRORS

Page 18:

RAWR IN ACTION

Page 19:

RAWR IN ACTION: RAWR INSTALL

Page 20:

RAWR IN ACTION: RAWR SCAN

Page 21:

…inefficiency kills

Your time is important.

Learn by doing… no matter how small the task.

PYTHON DOESN’T KILL…

Page 22:

PLANS FOR THE FUTURE

• HTML appearance
• SSL parser testing
• Talk to:
  • Malware Researchers
  • Pentesters
  • Developers
  • SysAdmins

Page 23:

CONCLUSION / DISCUSSION

Comments, praise, questions, cash donations:
Adam [ [email protected] ]

Enraged hate mail, insults, threats:
Tom [ [email protected] ]

If not, it’s all Tom’s fault.

Thank you for sitting in - we hope you found our talk worthwhile.
