Croatian Perl Workshop 2008 USAGE OF PERL IN PENETRATION TESTINGS Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

Perl usage in security Usage of Perl in security every day log parsing, system hardening, system monitoring, ... in forensics log/evidence parsing/analyzing in penetration tests network layer testing application layer testing web application testing buffer overflow helpers fuzzing implementing Proof of Concepts (PoC)

Usage of Perl in security

every day

log parsing, system hardening, system monitoring, ...

in forensics

log/evidence parsing/analyzing

in penetration tests

network layer testing

application layer testing

web application testing

buffer overflow helpers

fuzzing

implementing Proof of Concepts (PoC)

Perl in Security World Monitoring mon, nagios, ... nodewatch, syswatch, ... Sherpa system security configuration tool File Integrity checkers (think: tripwire) ViperDB, Fcheck, Triplight, ... Honeypots rsucker, honeydsum, mydoom.pl, ... ...

Monitoring

mon, nagios, ...

nodewatch, syswatch, ...

Sherpa

system security configuration tool

File Integrity checkers (think: tripwire)

ViperDB, Fcheck, Triplight, ...

Honeypots

rsucker, honeydsum, mydoom.pl, ...

...

Perl in Penetration World Nikto web vulnerability scanner Metasploit <=2.7 exploit framework Metasploit >= 3.0 in Ruby Fuzzled - fuzzying framework snoopy simple SNMP security scanner NSS, dnswalk, snark (MiTM), ... ...

Nikto

web vulnerability scanner

Metasploit <=2.7

exploit framework

Metasploit >= 3.0 in Ruby

Fuzzled - fuzzying framework

snoopy

simple SNMP security scanner

NSS, dnswalk, snark (MiTM), ...

...

Simple TCP portscanner perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print &quot;$i &quot;; close ($s); } } print &quot;
&quot;;' Yes, I do Perl golfing.... You can too - try to shorten this if you dare :) whitespace optimization excluded

perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print &quot;$i &quot;; close ($s); } } print &quot;
&quot;;'

Yes, I do Perl golfing....

You can too - try to shorten this if you dare :)

whitespace optimization excluded

Simple TCP portscanner perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print &quot;$i &quot;; close ($s); } } print &quot;
&quot;;' localhost Example of running port scanner oneliner:

perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print &quot;$i &quot;; close ($s); } } print &quot;
&quot;;' localhost

Example of running port scanner oneliner:

Generating custom packets #!/usr/bin/perl use Net::RawIP; $raw_net = new Net::RawIP({icmp =>{}}); $raw_net -> set( { ip => { saddr => '192.168.1.1', daddr => '192.168.1.15' }, icmp => { type => 8, data => &quot;41414141414141414141414141414141&quot; } } ); $raw_net -> send(1,1000); Example of generating spoofed ICMP packet

#!/usr/bin/perl

use Net::RawIP;

$raw_net = new Net::RawIP({icmp =>{}});

$raw_net -> set(

{

ip =>

{

saddr => '192.168.1.1',

daddr => '192.168.1.15'

},

icmp =>

{

type => 8,

data => &quot;41414141414141414141414141414141&quot;

}

}

);

$raw_net -> send(1,1000);

Example of generating spoofed ICMP packet

Generating custom protocol testers You can layer up what you have... CPAN modules for almost every protocol It has even for really rare and the old ones Perl is old language, you know... :) Even for SSL based ones ...and then write the part which is custom

You can layer up what you have...

CPAN modules for almost every protocol

It has even for really rare and the old ones

Perl is old language, you know... :)

Even for SSL based ones

...and then write the part which is custom

Easy MiTM ssl_proxy.pl MiTM Proof of concept not working well Wrote MiTM for socket HTTP HTTPS I'll put it somewhere on the web eventually, mail me if you need it quicker! :)

ssl_proxy.pl

MiTM Proof of concept

not working well

Wrote MiTM for

socket

HTTP

HTTPS

I'll put it somewhere on the web eventually,

mail me if you need it quicker! :)

Buffer overflow helpers not common vulnerability in Perl from theory to practice from discovery to exploitation some of the methods (not only for buffer overflows...) analyzing source analyzing machine code fuzzying reverse engineering patches ...

not common vulnerability in Perl

from theory to practice

from discovery to exploitation

some of the methods (not only for buffer overflows...)

analyzing source

analyzing machine code

fuzzying

reverse engineering patches

...

Generating vulnerable inputs mostly oneliners to check length of buffer of vulnerable program on command line ./vuln –vulnbuf `perl -e 'print ”A”x1000'` enviroment export VULNENV=`perl -e 'print ”A”x1000'` ./vuln network protocol perl -e 'print &quot;GET /&quot;.&quot;A&quot;x1000; print &quot; HTTP/1.0
&quot;' | nc www.vuln.host 80

mostly oneliners to check length of buffer of vulnerable program

on command line

./vuln –vulnbuf `perl -e 'print ”A”x1000'`

enviroment

export VULNENV=`perl -e 'print ”A”x1000'`

./vuln

network protocol

perl -e 'print &quot;GET /&quot;.&quot;A&quot;x1000; print &quot; HTTP/1.0
&quot;' | nc www.vuln.host 80

Writing exploits with Perl Metasploit helper (<= 2.7) Helps you in finding length of vulnerable buffer Generate buffer with Perl helper script perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)' Run debugger (gdb, ollydbg, ...), note EIP run another Perl helper script with EIP sdk/patternOffset.pl 0x68423768 1090 Too easy It's not just fun any more...

Metasploit helper (<= 2.7)

Helps you in finding length of vulnerable buffer

Generate buffer with Perl helper script

perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)'

Run debugger (gdb, ollydbg, ...), note EIP

run another Perl helper script with EIP

sdk/patternOffset.pl 0x68423768 1090

Too easy

It's not just fun any more...

Fuzzying Custom fuzzying CPAN modules for almost every protocol You have to use lower protocol in order to fuzz the protocol itself Using existing helpers Fuzlled have some protocol drivers inside have some good logic for fuzzing I recommend Permutations, manglings, ...

Custom fuzzying

CPAN modules for almost every protocol

You have to use lower protocol in order to fuzz the protocol itself

Using existing helpers

Fuzlled

have some protocol drivers inside

have some good logic for fuzzing

I recommend

Permutations, manglings, ...

Web vulnerabilities Nikto libwhisker libwww WWW::Mechanize Sockets IO::Socket IO::Socket::SSL

Nikto

libwhisker

libwww

WWW::Mechanize

Sockets

IO::Socket

IO::Socket::SSL

Example usage of Mechanize perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get(&quot;$y/v/$i&quot;)->request->uri) =~ s/.*&t=(.+)/$1/; $m->get(&quot;$y/get_video?video_id=$i&t=$t&quot;, &quot;:content_file&quot; => &quot;$i.flv&quot;)' author: Peteris Krumins Youtube video ripper - oneliner

perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get(&quot;$y/v/$i&quot;)->request->uri) =~ s/.*&t=(.+)/$1/; $m->get(&quot;$y/get_video?video_id=$i&t=$t&quot;, &quot;:content_file&quot; => &quot;$i.flv&quot;)'

Youtube video ripper - oneliner

Web services vulnerabilities XML XML::Simple LibXML SOAP SOAP::Lite XML RPC RPC::XML Custom protocol no problem :)

XML

XML::Simple

LibXML

SOAP

SOAP::Lite

XML RPC

RPC::XML

Custom protocol

no problem :)

Example of custom fuzzying

Example of custom fuzzying 2 PERL script doing MiTM Fuzzying each request and response to client/server

Conclusion You don't want to write vulnerable security programs to test other vulnerabilities You have Encase case ;) or fakebo :)) It's hard to write vulnerable program in Perl at least buffer overflow vulnerable there's still input validation (taint?) You don't want to spend months writing proof of concept (PoC) don't use low level :) except if you're learning... or ..whatever :) use high level language like Perl

You don't want to write vulnerable security programs to test other vulnerabilities

You have Encase case ;)

or fakebo :))

It's hard to write vulnerable program in Perl

at least buffer overflow vulnerable

there's still input validation (taint?)

You don't want to spend months writing proof of concept (PoC)

don't use low level :)

except if you're learning... or ..whatever :)

use high level language like Perl

References http://www.sans.org http://securityfocus.com http://net-security.org http://packetstormsecurity.nl/ http://www.softpanorama.org/Security/perl_sec_scripts.shtml http://metasploit.org http://www.cirt.net/nikto2 http://www.ioactive.com/tools.html http://www.l0t3k.org/security/tools/honeypot/ http://www.catonmat.net/blog/ ...

http://www.sans.org

http://securityfocus.com

http://net-security.org

http://packetstormsecurity.nl/

http://www.softpanorama.org/Security/perl_sec_scripts.shtml

http://metasploit.org

http://www.cirt.net/nikto2

http://www.ioactive.com/tools.html

http://www.l0t3k.org/security/tools/honeypot/

http://www.catonmat.net/blog/

...

Croatian Perl Workshop 2008 ? QUESTIONS (and maybe answers) Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr