Perl Usage In Security and Penetration testing
Held at Croatian Perl Workshop 2008 in Zagreb, 15th May 2008.
Transcript

  • 1. Croatian Perl Workshop 2008 USAGE OF PERL IN PENETRATION TESTINGS Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr
  • 2. Perl usage in security
    • Usage of Perl in security
      • every day
        • log parsing, system hardening, system monitoring, ...
      • in forensics
        • log/evidence parsing/analyzing
      • in penetration tests
        • network layer testing
        • application layer testing
        • web application testing
        • buffer overflow helpers
        • fuzzing
        • implementing Proof of Concepts (PoC)
  • 3. Perl in Security World
    • Monitoring
      • mon, nagios, ...
      • nodewatch, syswatch, ...
    • Sherpa
      • system security configuration tool
    • File Integrity checkers (think: tripwire)
      • ViperDB, Fcheck, Triplight, ...
    • Honeypots
      • rsucker, honeydsum, mydoom.pl, ...
    • ...
  • 4. Perl in Penetration World
    • Nikto
      • web vulnerability scanner
    • Metasploit <=2.7
      • exploit framework
      • Metasploit >= 3.0 in Ruby
    • Fuzzled - fuzzing framework
    • snoopy
      • simple SNMP security scanner
    • NSS, dnswalk, snark (MiTM), ...
    • ...
  • 5. Simple TCP portscanner
    • perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close($s); } } print "\n";'
    • Yes, I do Perl golfing....
    • You can too - try to shorten this if you dare :)
        • whitespace optimization excluded
  • 6. Simple TCP portscanner
    • perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close($s); } } print "\n";' localhost
    • Example of running the port scanner one-liner
  • 7. Generating custom packets
      #!/usr/bin/perl
      use strict;
      use warnings;
      use Net::RawIP;

      # build an ICMP packet; saddr is forged, so this needs raw-socket privileges
      my $raw_net = Net::RawIP->new({ icmp => {} });
      $raw_net->set({
          ip => {
              saddr => '192.168.1.1',
              daddr => '192.168.1.15',
          },
          icmp => {
              type => 8,                                  # echo request
              data => "41414141414141414141414141414141",
          },
      });
      $raw_net->send(1, 1000);   # send(delay in seconds, number of packets)
    • Example of generating a spoofed ICMP packet
  • 8. Generating custom protocol testers
    • You can layer up what you have...
      • CPAN modules for almost every protocol
        • there are even modules for the really rare and old ones
          • Perl is an old language, you know... :)
        • Even for SSL based ones
    • ...and then write the part which is custom
  • 9. Easy MiTM
    • ssl_proxy.pl
      • MiTM Proof of concept
      • not working well
    • Wrote MiTM for
      • socket
      • HTTP
      • HTTPS
      • I'll put it somewhere on the web eventually,
        • mail me if you need it quicker! :)
  • 10. Buffer overflow helpers
    • not a common vulnerability in Perl
    • from theory to practice
    • from discovery to exploitation
    • some of the methods (not only for buffer overflows...)
      • analyzing source
      • analyzing machine code
      • fuzzing
      • reverse engineering patches
      • ...
  • 11. Generating vulnerable inputs
    • mostly one-liners to check the buffer length of a vulnerable program
    • on the command line
      • ./vuln --vulnbuf `perl -e 'print "A"x1000'`
    • environment
      • export VULNENV=`perl -e 'print "A"x1000'`
      • ./vuln
    • network protocol
      • perl -e 'print "GET /"."A"x1000; print " HTTP/1.0\r\n\r\n"' | nc www.vuln.host 80
  • 12. Writing exploits with Perl
    • Metasploit helper (<= 2.7)
    • Helps you find the length of the vulnerable buffer
    • Generate the buffer with the Perl helper script:
        perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)'
    • Run a debugger (gdb, ollydbg, ...), note EIP
    • Run another Perl helper script with that EIP:
        sdk/patternOffset.pl 0x68423768 1090
    • Too easy
      • It's not just fun any more...
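    The two Metasploit helpers above are short enough to rebuild in plain Perl; this is an added example (not the slides' code and not Metasploit's Pex library) showing what PatternCreate and patternOffset do for crash triage: a non-repeating pattern is fed as input, and the four bytes that land in EIP are looked up to find which input offset reached the return address. Function names and the little-endian-first lookup are my own choices.

```perl
#!/usr/bin/perl
# Added example: reimplementation of the PatternCreate / patternOffset idea.
use strict;
use warnings;

# Build a pattern of the requested length from 3-byte chunks of the form
# Upper/lower/digit ("Aa0Aa1...Ab0..."), so any 4 consecutive bytes occur
# only once within the first 26*26*10*3 = 20280 bytes.
sub pattern_create {
    my ($len) = @_;
    my $out = '';
    OUTER:
    for my $u ('A' .. 'Z') {
        for my $l ('a' .. 'z') {
            for my $d (0 .. 9) {
                $out .= "$u$l$d";
                last OUTER if length($out) >= $len;
            }
        }
    }
    return substr($out, 0, $len);
}

# Given the value observed in EIP as a hex string (e.g. 0x68423768) and the
# pattern length used, return the offset of those bytes in the pattern.
# x86 is little-endian, so the reversed byte order is tried first, then the
# bytes as written. Returns -1 if the value did not come from the pattern.
sub pattern_offset {
    my ($hex, $len) = @_;
    $hex =~ s/^0x//i;
    my $as_written = pack('H*', $hex);
    my $le         = reverse $as_written;
    my $pat        = pattern_create($len);
    for my $needle ($le, $as_written) {
        my $pos = index($pat, $needle);
        return $pos if $pos >= 0;
    }
    return -1;
}

# Same values as on the slide: 1090-byte buffer, EIP read in the debugger.
my $len = 1090;
print pattern_create($len), "\n";
print "offset of 0x68423768: ", pattern_offset('0x68423768', $len), "\n";
```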
  • 13. Fuzzing
    • Custom fuzzing
      • CPAN modules for almost every protocol
      • You have to work at the lower protocol layer in order to fuzz the protocol itself
    • Using existing helpers
      • Fuzzled
        • has some protocol drivers built in
        • has good fuzzing logic
        • recommended
    • Permutations, manglings, ...
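    As an added example (not from the slides and not Fuzzled's code), here is the shape of the custom fuzzing described on this slide and shown on the "Example of custom fuzzing" slides: a set of manglings is applied to one field of a request template, and each case is delivered through IO::Socket::INET, the lower layer, so nothing normalises the malformed request on the way out. The template, the mangling list and the host/port arguments for the test server are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: minimal mutation-based fuzzer for a line-oriented text
# protocol (HTTP here), sending over a raw socket rather than through LWP.
use strict;
use warnings;
use IO::Socket::INET;

# Request template; the literal FUZZ marks the field under test.
my $template = "GET /FUZZ HTTP/1.0\r\nHost: localhost\r\n\r\n";

# Manglings applied to a valid seed value: long runs, format strings,
# an embedded NUL, integer boundary values and CRLF injection.
sub mangle {
    my ($seed) = @_;
    return (
        (map { $seed . ('A' x $_) } 256, 1024, 4096, 65536),
        (map { $seed . $_ } '%s%s%s%s', '%n%n%n%n', '%x' x 16),
        $seed . "\x00" . ('B' x 64),
        (map { "$seed?id=$_" } -1, 0, 2**31 - 1, 2**32, -2**31),
        $seed . "\r\nX-Injected: 1",
    );
}

# Substitute each mangled value into the template.
sub build_cases {
    my ($tpl, $seed) = @_;
    return map { my $c = $tpl; $c =~ s/FUZZ/$_/; $c } mangle($seed);
}

# Send one case as generated and report whether the peer answered at all;
# a missing reply or refused connection is what you then look into.
sub send_case {
    my ($host, $port, $case) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                  Proto => 'tcp', Timeout => 3) or return;
    print $s $case;
    my $reply = <$s>;      # first response line, or undef if the server closed
    close $s;
    return defined $reply ? 'reply' : 'no reply';
}

my @cases = build_cases($template, 'index.html');
if (@ARGV == 2) {          # usage: fuzz.pl <host> <port>  (your test server)
    for my $i (0 .. $#cases) {
        my $res = send_case(@ARGV, $cases[$i]) // 'connect failed';
        printf "case %2d len %6d -> %s\n", $i, length($cases[$i]), $res;
    }
} else {
    printf "generated %d cases, not sent (no host/port given)\n", scalar @cases;
}
```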
  • 14. Web vulnerabilities
    • Nikto
    • libwhisker
    • libwww
    • WWW::Mechanize
    • Sockets
      • IO::Socket
      • IO::Socket::SSL
  • 15. Example usage of Mechanize
    • perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch\?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")'
    author: Peteris Krumins
    • YouTube video ripper - one-liner
  • 16. Web services vulnerabilities
    • XML
      • XML::Simple
      • LibXML
    • SOAP
      • SOAP::Lite
    • XML RPC
      • RPC::XML
    • Custom protocol
      • no problem :)
  • 17. Example of custom fuzzing
  • 18. Example of custom fuzzing 2: Perl script doing MiTM, fuzzing each request and response to client/server
  • 19. Conclusion
    • You don't want to write vulnerable security programs to test other vulnerabilities
      • You have Encase case ;)
      • or fakebo :))
    • It's hard to write a vulnerable program in Perl
      • at least buffer overflow vulnerable
      • there's still input validation (taint?)
    • You don't want to spend months writing proof of concept (PoC)
      • don't use low level :)
        • except if you're learning... or ..whatever :)
      • use high level language like Perl
  • 20. References
    • http://www.sans.org
    • http://securityfocus.com
    • http://net-security.org
    • http://packetstormsecurity.nl/
    • http://www.softpanorama.org/Security/perl_sec_scripts.shtml
    • http://metasploit.org
    • http://www.cirt.net/nikto2
    • http://www.ioactive.com/tools.html
    • http://www.l0t3k.org/security/tools/honeypot/
    • http://www.catonmat.net/blog/
    • ...
  • 21. Croatian Perl Workshop 2008 ? QUESTIONS (and maybe answers) Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr