Perl Usage In Security and Penetration testing

Croatian Perl Workshop 2008 USAGE OF PERL IN PENETRATION TESTINGS Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

Perl usage in security
Usage of Perl in security
every day
log parsing, system hardening, system monitoring, ...
in forensics
log/evidence parsing/analyzing
in penetration tests
network layer testing
application layer testing
web application testing
buffer overflow helpers
fuzzing
implementing Proof of Concepts (PoC)

Perl in Security World
Monitoring
mon, nagios, ...
nodewatch, syswatch, ...
Sherpa
system security configuration tool
File Integrity checkers (think: tripwire)
ViperDB, Fcheck, Triplight, ...
Honeypots
rsucker, honeydsum, mydoom.pl, ...
...

Perl in Penetration World
Nikto
web vulnerability scanner
Metasploit <=2.7
exploit framework
Metasploit >= 3.0 in Ruby
Fuzzled - fuzzying framework
snoopy
simple SNMP security scanner
NSS, dnswalk, snark (MiTM), ...
...

Simple TCP portscanner
perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print "$i "; close ($s); } } print " ";'
Yes, I do Perl golfing....
You can too - try to shorten this if you dare :)
whitespace optimization excluded

Simple TCP portscanner
perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print "$i "; close ($s); } } print " ";' localhost
Example of running port scanner oneliner:

Generating custom packets
#!/usr/bin/perl
use Net::RawIP;
$raw_net = new Net::RawIP({icmp =>{}});
$raw_net -> set(
{
ip =>
{
saddr => '192.168.1.1',
daddr => '192.168.1.15'
},
icmp =>
{
type => 8,
data => "41414141414141414141414141414141"
}
}
);
$raw_net -> send(1,1000);
Example of generating spoofed ICMP packet

Generating custom protocol testers
You can layer up what you have...
CPAN modules for almost every protocol
It has even for really rare and the old ones
Perl is old language, you know... :)
Even for SSL based ones
...and then write the part which is custom

Easy MiTM
ssl_proxy.pl
MiTM Proof of concept
not working well
Wrote MiTM for
socket
HTTP
HTTPS
I'll put it somewhere on the web eventually,
mail me if you need it quicker! :)

Buffer overflow helpers
not common vulnerability in Perl
from theory to practice
from discovery to exploitation
some of the methods (not only for buffer overflows...)
analyzing source
analyzing machine code
fuzzying
reverse engineering patches
...

Generating vulnerable inputs
mostly oneliners to check length of buffer of vulnerable program
on command line
./vuln –vulnbuf `perl -e 'print ”A”x1000'`
enviroment
export VULNENV=`perl -e 'print ”A”x1000'`
./vuln
network protocol
perl -e 'print "GET /"."A"x1000; print " HTTP/1.0 "' | nc www.vuln.host 80

Writing exploits with Perl
Metasploit helper (<= 2.7)
Helps you in finding length of vulnerable buffer
Generate buffer with Perl helper script
perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)'
Run debugger (gdb, ollydbg, ...), note EIP
run another Perl helper script with EIP
sdk/patternOffset.pl 0x68423768 1090
Too easy
It's not just fun any more...

Fuzzying
Custom fuzzying
CPAN modules for almost every protocol
You have to use lower protocol in order to fuzz the protocol itself
Using existing helpers
Fuzlled
have some protocol drivers inside
have some good logic for fuzzing
I recommend
Permutations, manglings, ...

Web vulnerabilities
Nikto
libwhisker
libwww
WWW::Mechanize
Sockets
IO::Socket
IO::Socket::SSL

Example usage of Mechanize
perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www.youtube.com)/watch?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")'
author: Peteris Krumins
Youtube video ripper - oneliner

Web services vulnerabilities
XML
XML::Simple
LibXML
SOAP
SOAP::Lite
XML RPC
RPC::XML
Custom protocol
no problem :)

Example of custom fuzzying

Example of custom fuzzying 2 PERL script doing MiTM Fuzzying each request and response to client/server

Conclusion
You don't want to write vulnerable security programs to test other vulnerabilities
You have Encase case ;)
or fakebo :))
It's hard to write vulnerable program in Perl
at least buffer overflow vulnerable
there's still input validation (taint?)
You don't want to spend months writing proof of concept (PoC)
don't use low level :)
except if you're learning... or ..whatever :)
use high level language like Perl

References
http://www.sans.org
http://securityfocus.com
http://net-security.org
http://packetstormsecurity.nl/
http://www.softpanorama.org/Security/perl_sec_scripts.shtml
http://metasploit.org
http://www.cirt.net/nikto2
http://www.ioactive.com/tools.html
http://www.l0t3k.org/security/tools/honeypot/
http://www.catonmat.net/blog/
...

Croatian Perl Workshop 2008 ? QUESTIONS (and maybe answers) Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

http://www.slideshare.net	30
http://static.slidesharecdn.com	3
http://www.linkedin.com	3
http://www.lmodules.com	1
https://twitter.com	1

Perl Usage In Security and Penetration testing

by Vlatko Kosturjak on May 22, 2008

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 38

Statistics

Perl Usage In Security and Penetration testing Presentation Transcript