Perl Usage In Security and Penetration testing

Held at Croatian Perl Workshop 2008 in Zagreb, 15th May 2008.

1. Croatian Perl Workshop 2008: USAGE OF PERL IN PENETRATION TESTING
   Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm
   kost monkey linux dot hr
2. Perl usage in security
  - Usage of Perl in security
    - every day
      - log parsing, system hardening, system monitoring, ...
    - in forensics
      - log/evidence parsing and analysis
    - in penetration tests
      - network layer testing
      - application layer testing
      - web application testing
      - buffer overflow helpers
      - fuzzing
      - implementing Proofs of Concept (PoC)
3. Perl in the Security World
  - Monitoring
    - mon, nagios, ...
    - nodewatch, syswatch, ...
  - Sherpa
    - system security configuration tool
  - File integrity checkers (think: tripwire)
    - ViperDB, Fcheck, Triplight, ...
  - Honeypots
    - rsucker, honeydsum, mydoom.pl, ...
  - ...
4. Perl in the Penetration World
  - Nikto
    - web vulnerability scanner
  - Metasploit <= 2.7
    - exploit framework
    - Metasploit >= 3.0 is written in Ruby
  - Fuzzled - fuzzing framework
  - snoopy
    - simple SNMP security scanner
  - NSS, dnswalk, snark (MiTM), ...
  - ...
5. Simple TCP portscanner
  - the one-liner:
      perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close ($s); } } print " ";'
  - Yes, I do Perl golfing....
  - You can too - try to shorten this if you dare :)
      - whitespace optimization excluded
6. Simple TCP portscanner
  - Example of running the port scanner one-liner:
      perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close ($s); } } print " ";' localhost
7. Generating custom packets
  - Example of generating a spoofed ICMP packet:

      #!/usr/bin/perl
      use strict;
      use warnings;
      use Net::RawIP;

      # Build an IP/ICMP packet skeleton, then fill in headers and payload.
      my $raw_net = Net::RawIP->new({ icmp => {} });
      $raw_net->set({
          ip => {
              saddr => '192.168.1.1',    # spoofed source address
              daddr => '192.168.1.15',
          },
          icmp => {
              type => 8,                 # echo request
              data => "41414141414141414141414141414141",
          },
      });
      # send($delay, $times): 1000 packets, one second apart
      $raw_net->send(1, 1000);
8. Generating custom protocol testers
  - You can layer up what you have...
    - CPAN modules for almost every protocol
      - even for really rare and old ones
        - Perl is an old language, you know... :)
      - even for SSL-based ones
  - ...and then write only the part which is custom
9. Easy MiTM
  - ssl_proxy.pl
    - MiTM proof of concept
    - not working well
  - Wrote MiTM for
    - socket
    - HTTP
    - HTTPS
    - I'll put it somewhere on the web eventually,
      - mail me if you need it quicker! :)
10. Buffer overflow helpers
  - not a common vulnerability in Perl
  - from theory to practice
  - from discovery to exploitation
  - some of the methods (not only for buffer overflows...)
    - analyzing source
    - analyzing machine code
    - fuzzing
    - reverse engineering patches
    - ...
11. Generating vulnerable inputs
  - mostly one-liners to check the length of the vulnerable program's buffer
  - on the command line
      ./vuln --vulnbuf `perl -e 'print "A"x1000'`
  - environment
      export VULNENV=`perl -e 'print "A"x1000'`
      ./vuln
  - network protocol
      perl -e 'print "GET /"."A"x1000; print " HTTP/1.0\r\n\r\n"' | nc www.vuln.host 80
12. Writing exploits with Perl
  - Metasploit helper (<= 2.7)
  - Helps you find the length of the vulnerable buffer
  - Generate the buffer with the Perl helper script:
      perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)'
  - Run a debugger (gdb, ollydbg, ...), note EIP
  - Run another Perl helper script with the EIP value:
      sdk/patternOffset.pl 0x68423768 1090
  - Too easy
    - It's not just fun any more...
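What the two helper steps above do under the hood, as an added example in plain Perl (not Metasploit's own Pex code): a cyclic pattern generator and the matching offset finder, checked with the slide's own values (0x68423768, 1090).

```perl
#!/usr/bin/perl
# Added example, not Metasploit's Pex code: the cyclic-pattern trick behind
# PatternCreate / patternOffset, reimplemented so both steps can be followed
# without the framework. The EIP value and length are the slide's own.
use strict;
use warnings;

# Build the "Aa0Aa1Aa2...Ab0..." pattern: no 4-byte sequence repeats within
# its 20280-byte cycle, so any 4 bytes that land in a register pinpoint
# where in the input they came from.
sub pattern_create {
    my ($len) = @_;
    my $out = '';
    for my $u ('A' .. 'Z') {
        for my $l ('a' .. 'z') {
            for my $d (0 .. 9) {
                $out .= "$u$l$d";
                return substr($out, 0, $len) if length($out) >= $len;
            }
        }
    }
    return substr($out, 0, $len);   # $len beyond one cycle: return the cycle
}

# Given the register value as the debugger shows it (hex string), find the
# offset of those bytes in the pattern. x86 is little-endian, so the bytes
# in the register are the reverse of their order in memory.
sub pattern_offset {
    my ($eip_hex, $len) = @_;
    $eip_hex =~ s/^0x//i;
    my $needle = reverse pack('H*', $eip_hex);
    my $pos = index(pattern_create($len), $needle);
    return $pos < 0 ? undef : $pos;
}

my $len = 1090;
my $off = pattern_offset('0x68423768', $len);
printf "offset of 0x68423768 in a %d-byte pattern: %s\n", $len,
    defined $off ? $off : 'not found';
```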
13. Fuzzing
  - Custom fuzzing
    - CPAN modules for almost every protocol
    - You have to use the lower-layer protocol in order to fuzz the protocol itself
  - Using existing helpers
    - Fuzzled
      - has some protocol drivers built in
      - has some good logic for fuzzing
      - I recommend it
  - Permutations, manglings, ...
14. Web vulnerabilities
  - Nikto
  - libwhisker
  - libwww
  - WWW::Mechanize
  - Sockets
    - IO::Socket
    - IO::Socket::SSL
15. Example usage of Mechanize
  - YouTube video ripper - one-liner (author: Peteris Krumins):
      perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")'
16. Web services vulnerabilities
  - XML
    - XML::Simple
    - LibXML
  - SOAP
    - SOAP::Lite
  - XML-RPC
    - RPC::XML
  - Custom protocol
    - no problem :)
17. Example of custom fuzzing
18. Example of custom fuzzing 2
  - Perl script doing MiTM, fuzzing each request and response to client/server
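The "custom fuzzing" of slides 13, 17 and 18 in one runnable shape, as an added example that is not from the talk or from Fuzzled: a mangling generator plus a small IO::Socket harness that reports whether each case got a reply, a dropped connection, or a hang. The target address (127.0.0.1:8080) and the HTTP template are assumptions; run it against a test instance of the service under assessment.

```perl
# Added example (not from the talk or from Fuzzled): a mangling fuzzer for a
# text protocol. Target 127.0.0.1:8080 and the template are assumptions.
use strict;
use warnings;
use IO::Socket::INET;
$SIG{PIPE} = 'IGNORE';   # a write to a closed socket must not kill the fuzzer
# Classic manglings of one field: oversize strings, format strings,
# boundary integers and bytes that break naive parsers.
sub manglings {
    my ($orig) = @_;
    return ($orig, 'A' x 64, 'A' x 1024, 'A' x 8192, '%s' x 16, '%n' x 8,
            '-1', '0', '2147483647', '4294967295', "\x00$orig", "\xff" x 256);
}
# Expand a template: each <FIELD> is mangled in turn while the other fields
# keep their baseline value, so a failure points at exactly one field.
sub fuzz_cases {
    my ($template, %baseline) = @_;
    my @cases;
    for my $field (sort keys %baseline) {
        for my $variant (manglings($baseline{$field})) {
            my $req = $template;
            for my $f (keys %baseline) {
                my $val = $f eq $field ? $variant : $baseline{$f};
                $req =~ s/<\Q$f\E>/$val/g;
            }
            push @cases, { field => $field, data => $req };
        }
    }
    return @cases;
}
# Send one case and classify the outcome: 'ok' (a reply line came back),
# 'closed' (server dropped the connection) or 'timeout' (server hung).
sub run_case {
    my ($host, $port, $data) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
        Proto => 'tcp', Timeout => 3) or return 'connect-failed';
    my $result = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm 3; print $s $data;
        my $line = <$s>;
        defined $line ? 'ok' : 'closed';
    };
    alarm 0;
    return $@ ? 'timeout' : $result;
}
my ($host, $port) = ('127.0.0.1', 8080);
for my $c (fuzz_cases("GET /<PATH> HTTP/1.0\r\nHost: <HOST>\r\n\r\n",
                      PATH => 'index.html', HOST => $host)) {
    printf "%-4s %s\n", $c->{field}, run_case($host, $port, $c->{data});
}
```

A 'timeout' or 'closed' result for a single field and variant is the lead to chase in the service's logs or under a debugger, which is where slide 12's helpers take over.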
19. Conclusion
  - You don't want to write vulnerable security programs to test other vulnerabilities
    - You have the Encase case ;)
    - or fakebo :))
  - It's hard to write a vulnerable program in Perl
    - at least one vulnerable to buffer overflows
    - there's still input validation (taint?)
  - You don't want to spend months writing a proof of concept (PoC)
    - don't use a low-level language :)
      - except if you're learning... or ..whatever :)
    - use a high-level language like Perl
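The "input validation (taint?)" point above, as an added example that is not from the talk: Perl's taint mode refuses to pass outside data to system() until a regex capture has validated it, which is what keeps a quickly written tool from becoming the vulnerable program the conclusion warns about. The ping command line and the hostname syntax are assumptions; run it as `perl -T taint_demo.pl <hostname>`.

```perl
#!/usr/bin/perl -T
# Added example (not from the talk): taint mode as input validation.
# Run with: perl -T taint_demo.pl <hostname>
use strict;
use warnings;

# Under -T every value from outside (ARGV, ENV, file reads) is tainted and
# may not reach system(), exec(), open() for writing, etc. PATH is tainted
# too, so it must be pinned before any external command runs.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way a tainted value becomes clean is a regex capture, so the
# regex *is* the validation: accept just the characters a hostname may hold.
sub untaint_host {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9.-]{1,253})\z/;
    return $clean;   # undef if the input had anything else in it
}

my $host = untaint_host($ARGV[0]);
die "usage: $0 <hostname>\n" unless defined $host;

# Passing $ARGV[0] here directly dies with "Insecure dependency in system
# while running with -T switch". The list form also bypasses the shell, so
# no metacharacter in the argument can ever be interpreted.
my $rc = system('ping', '-c', '1', $host);
print $rc == 0 ? "$host reachable\n" : "$host not reachable (status $rc)\n";
```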
20. References
  - http://www.sans.org
  - http://securityfocus.com
  - http://net-security.org
  - http://packetstormsecurity.nl/
  - http://www.softpanorama.org/Security/perl_sec_scripts.shtml
  - http://metasploit.org
  - http://www.cirt.net/nikto2
  - http://www.ioactive.com/tools.html
  - http://www.l0t3k.org/security/tools/honeypot/
  - http://www.catonmat.net/blog/
  - ...
21. Croatian Perl Workshop 2008: QUESTIONS? (and maybe answers)
   Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm
   kost monkey linux dot hr