Perl Usage In Security and Penetration testing

    Perl Usage In Security and Penetration testing - Presentation Transcript

    1. Croatian Perl Workshop 2008 USAGE OF PERL IN PENETRATION TESTING Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr
    2. Perl usage in security
      • Usage of Perl in security
        • every day
          • log parsing, system hardening, system monitoring, ...
        • in forensics
          • log/evidence parsing/analyzing
        • in penetration tests
          • network layer testing
          • application layer testing
          • web application testing
          • buffer overflow helpers
          • fuzzing
          • implementing Proof of Concepts (PoC)
    3. Perl in Security World
      • Monitoring
        • mon, nagios, ...
        • nodewatch, syswatch, ...
      • Sherpa
        • system security configuration tool
      • File Integrity checkers (think: tripwire)
        • ViperDB, Fcheck, Triplight, ...
      • Honeypots
        • rsucker, honeydsum, mydoom.pl, ...
      • ...
    4. Perl in Penetration World
      • Nikto
        • web vulnerability scanner
      • Metasploit <=2.7
        • exploit framework
        • Metasploit >= 3.0 in Ruby
      • Fuzzled - fuzzing framework
      • snoopy
        • simple SNMP security scanner
      • NSS, dnswalk, snark (MiTM), ...
      • ...
    5. Simple TCP portscanner
      • perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close ($s); } } print "\n";'
      • Yes, I do Perl golfing....
      • You can too - try to shorten this if you dare :)
          • whitespace optimization excluded
    6. Simple TCP portscanner
      • Example of running the port scanner one-liner:
      • perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close ($s); } } print "\n";' localhost
    7. Generating custom packets
      • Example of generating a spoofed ICMP echo request (raw sockets, so it has to run as root):

        #!/usr/bin/perl
        use strict;
        use warnings;
        use Net::RawIP;

        # IP packet carrying an ICMP message
        my $raw_net = Net::RawIP->new({ icmp => {} });
        $raw_net->set({
            ip => {
                saddr => '192.168.1.1',    # forged source address
                daddr => '192.168.1.15',   # destination
            },
            icmp => {
                type => 8,                 # ICMP echo request
                data => "41414141414141414141414141414141",
            },
        });
        # send(delay, count): 1000 packets, one second apart
        $raw_net->send(1, 1000);
    8. Generating custom protocol testers
      • You can layer up what you have...
        • CPAN modules for almost every protocol
          • even for the really rare and old ones
            • Perl is an old language, you know... :)
          • Even for SSL based ones
      • ...and then write the part which is custom
    9. Easy MiTM
      • ssl_proxy.pl
        • MiTM Proof of concept
        • not working well
      • Wrote MiTM for
        • socket
        • HTTP
        • HTTPS
        • I'll put it somewhere on the web eventually,
          • mail me if you need it quicker! :)
    10. Buffer overflow helpers
      • not a common vulnerability in Perl programs
      • from theory to practice
      • from discovery to exploitation
      • some of the methods (not only for buffer overflows...)
        • analyzing source
        • analyzing machine code
        • fuzzing
        • reverse engineering patches
        • ...
    11. Generating vulnerable inputs
      • mostly one-liners that generate oversized input to probe the buffer length of a vulnerable program
      • on the command line
        • ./vuln --vulnbuf `perl -e 'print "A"x1000'`
      • environment
        • export VULNENV=`perl -e 'print "A"x1000'`
        • ./vuln
      • network protocol
        • perl -e 'print "GET /"."A"x1000; print " HTTP/1.0\n\n"' | nc www.vuln.host 80
    12. Writing exploits with Perl
      • Metasploit helper (<= 2.7)
      • Helps you find the length of the vulnerable buffer
      • Generate the buffer with the Perl helper script:
      • perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)'
      • Run the debugger (gdb, ollydbg, ...) and note EIP
      • Run the other Perl helper script with that EIP:
      • sdk/patternOffset.pl 0x68423768 1090
      • Too easy
        • It's not just fun any more...
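The two helpers from this slide, re-implemented in plain Perl as an added example (this is not Metasploit's Pex code): pattern_create builds the cyclic buffer and pattern_offset maps a register value read from the debugger back to the input offset it came from, so a crash found while fuzzing can be triaged without the Metasploit tree. The values 0x68423768 and 1090 are the ones from the slide.

```perl
#!/usr/bin/perl
# Cyclic pattern helpers, written for this page (not Metasploit's Pex code).
# Every 4-byte window of the pattern is unique, so the value a crashed process
# left in a register identifies which offset of the input reached it.
use strict;
use warnings;

# Pattern of $len bytes built from Upper/lower/digit triples: Aa0Aa1...Aa9Ab0...
sub pattern_create {
    my ($len) = @_;
    my $out = '';
    OUTER:
    for my $u ('A' .. 'Z') {
        for my $l ('a' .. 'z') {
            for my $d (0 .. 9) {
                $out .= "$u$l$d";
                last OUTER if length($out) >= $len;
            }
        }
    }
    return substr($out, 0, $len);
}

# Offset of a register value inside a pattern of length $len, or -1 if the
# value did not come from the pattern. Accepts a debugger-style hex value
# ("0x68423768", stored little-endian, so its bytes are reversed) or 4 raw chars.
sub pattern_offset {
    my ($value, $len) = @_;
    my $needle = $value;
    if ($value =~ /^0x([0-9a-fA-F]{8})$/) {
        $needle = scalar reverse pack('H8', $1);
    }
    return index(pattern_create($len), $needle);
}

# Defaults are the slide's values; both can be overridden on the command line.
my ($value, $len) = @ARGV ? @ARGV : ('0x68423768', 1090);
my $off = pattern_offset($value, $len);
print $off < 0 ? "$value not found in pattern of $len bytes\n"
               : "$value found at offset $off\n";
```

A result of -1 means the register held something other than the pattern (e.g. a stale pointer), which is itself useful triage information.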
    13. Fuzzing
      • Custom fuzzing
        • CPAN modules for almost every protocol
        • You have to use the layer below in order to fuzz the protocol itself
      • Using existing helpers
        • Fuzzled
          • has some protocol drivers inside
          • has some good logic for fuzzing
          • I recommend it
      • Permutations, manglings, ...
    14. Web vulnerabilities
      • Nikto
      • libwhisker
      • libwww
      • WWW::Mechanize
      • Sockets
        • IO::Socket
        • IO::Socket::SSL
    15. Example usage of Mechanize
      • perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch\?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")'
      author: Peteris Krumins
      • Youtube video ripper - oneliner
    16. Web services vulnerabilities
      • XML
        • XML::Simple
        • LibXML
      • SOAP
        • SOAP::Lite
      • XML RPC
        • RPC::XML
      • Custom protocol
        • no problem :)
    17. Example of custom fuzzing
    18. Example of custom fuzzing 2: Perl script doing MiTM, fuzzing each request and response to client/server
    19. Conclusion
      • You don't want to write vulnerable security programs to test other vulnerabilities
        • You have Encase case ;)
        • or fakebo :))
      • It's hard to write a vulnerable program in Perl
        • at least buffer overflow vulnerable
        • there's still input validation (taint?)
      • You don't want to spend months writing proof of concept (PoC)
        • don't use low level :)
          • except if you're learning... or ..whatever :)
        • use a high-level language like Perl
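The "input validation (taint?)" point above, shown as an added example (not from the slides): under perl -T, a value taken from the command line stays tainted until it passes a regex capture, and a write with the raw value is refused. The file name policy and the log-append action are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Taint mode demo, written for this page (not from the slides). Under -T every
# value that comes from outside the program (@ARGV, %ENV, STDIN, file contents)
# is tainted, and perl refuses to pass it to a shell, to open() for writing,
# unlink(), etc. until it has been validated through a regex capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# -T also insists on a trustworthy PATH before any external command may run.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The capture group is the only thing that clears the taint flag, so the regex
# is the validation policy: a short name of word characters, dots and dashes,
# with no directory traversal (assumed policy for this example).
sub untaint_filename {
    my ($raw) = @_;
    return if $raw =~ /\.\./;
    return $1 if $raw =~ /\A([\w.-]{1,64})\z/;
    return;    # undef: the caller must treat the input as rejected
}

my $arg = shift(@ARGV) // die "usage: perl -T $0 <logfile-name>\n";
printf "argument tainted: %s\n", tainted($arg) ? 'yes' : 'no';

# Using the raw argument for something that writes is blocked outright.
my $ok = eval { open my $t, '>>', $arg or die "open: $!"; close $t; 1 };
print "direct use: ", ($ok ? "allowed\n" : "blocked: $@");

# The validated copy is clean and may be used.
my $name = untaint_filename($arg) or die "rejected: $arg\n";
printf "validated copy tainted: %s\n", tainted($name) ? 'yes' : 'no';
open my $fh, '>>', $name or die "open $name: $!\n";
print {$fh} "entry written at ", scalar localtime, "\n";
close $fh;
print "appended one line to $name\n";
```

Run it as `perl -T script.pl somefile.log`; starting it without -T on the command line fails with "Too late for -T", which is itself a useful safety property.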
    20. References
      • http://www.sans.org
      • http://securityfocus.com
      • http://net-security.org
      • http://packetstormsecurity.nl/
      • http://www.softpanorama.org/Security/perl_sec_scripts.shtml
      • http://metasploit.org
      • http://www.cirt.net/nikto2
      • http://www.ioactive.com/tools.html
      • http://www.l0t3k.org/security/tools/honeypot/
      • http://www.catonmat.net/blog/
      • ...
    21. Croatian Perl Workshop 2008 ? QUESTIONS (and maybe answers) Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

    Vlatko Kosturjak
    Held at Croatian Perl Workshop 2008 in Zagreb, 15th