
An EyeWitness View into your Network


This talk goes over the host identification process we follow, the development of EyeWitness 1.0, the problems which led to 2.0, and future work on EyeWitness.



  1. An EyeWitness View into your Network
     @ChrisTruncer
  2. Whoami
     ● Christopher Truncer (@ChrisTruncer)
       ○ Florida State Seminole
       ○ Open Source Developer
         ■ Veil Framework
         ■ Egress-Assess
         ■ Just-Metadata, etc.
       ○ Mandiant’s Red Team
     ● Rohan Vazarkar (@CptJesus)
  3. What’s this talk about?
     ● Our Host Identification Process
     ● Intro to EyeWitness and the Problem it Solves
     ● EyeWitness 2.0
     ● Demo
  4. Typical Assessment Lifecycle
     http://image.slidesharecdn.com/gates-open-source-information-gathering-brucon-111108214432-phpapp02/95/open-source-information-gathering-brucon-edition-9-728.jpg?cb=1320788708
  5. First Step
     ● Discovery/Recon - why care?
       ○ Do you know all your assets?
       ○ Does your customer?
       ○ Do you know all the services running on your systems?
  6. Blue Teamers
     ● People just randomly plug stuff into your network!
       ○ Wifi APs
       ○ Computers
       ○ Wifi devices (phones)
     ● Are you periodically looking for them?
  7. Red Teamers
     ● Want to find anything we can attack or use to gain a foothold
       ○ Rogue access point
       ○ Long-ago forgotten system
       ○ Misconfigured services
     ● Our initial discovery scans can help identify quick wins
       ○ Why be sophisticated when I can login w/ tomcat:tomcat
  8. Scans
     ● Penetration Test
       ○ NMap
       ○ Nessus
     ● Red Team
       ○ Potentially neither
       ○ Likely highly targeted scans
  9. NMap Timing
     ● Timing
       ○ ping a few live hosts
       ○ identify the time it took to receive a response
  10. NMap Timing
     ● Timing Options
       ○ --initial-rtt-timeout 200ms
       ○ --max-rtt-timeout 100ms
       ○ --max-retries 1
       ○ --max-scan-delay 0
         ■ Usually
  11. NMap Scan
     ● nmap -vvv -Pn -n --open --initial-rtt-timeout 175ms --max-rtt-timeout 100ms --max-retries 1 --max-scan-delay 0 -iL <inputfile> -oA results -p21,22,23,25,135,139,443,445,3306,3389
  12. NMap Scan
     ● Once complete, make a list of live systems
     ● Full port scan against live systems with -A
       ○ Potentially provides banner information
       ○ Useful for parsing and identifying services for screenshots :)
  13. Nessus
     ● Obvious use case is for vulnerability information...
     ● ...but can be useful for identifying live systems if not needing stealth
     ● .nessus files contain a lot of information we can use
       ○ Easy to parse xml
       ○ Essentially provides the same content as nmap xml
  14. Point of Recon & Enumeration
     ● Identify live hosts on the network
     ● Identify any active services
     ● Obtain system/OS version information
     ● Generate a list of hosts to investigate further
     ● Identify quick wins
     https://nmap.org/images/nmap-401-demoscan-798x774.gif
  15. Why Automate?
     ● Previous steps led up to this list
     ● Find hundreds, or thousands, of HTTP(s) servers
       ○ Manual review… no thanks
     ● Thousands of RDP servers
     ● How do we begin to process/analyze these systems if not in an automated manner?
  16. Development Began
  17. Problems to Solve
     ● Automate web screenshots
     ● Generate a usable report
     ● Take input in multiple formats
     ● Identify default credentials
     ● Wanted to learn
  18. Existing Tools
     ● NMap - NSE Plugin
     ● PeepingTom - by Tim Tomes
       ○ Closest to what I wanted
     ● Nessus - Commercial Product
  19. Started With This
  20. StackOverflow
     http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-or-with-python
  21. Developed a POC
  22. Needed Improvements
     ● File Input:
       ○ Text File
       ○ NMap
       ○ Nessus
     ● Report Generation
     ● User Agent Switching
     ● Default credentials signatures
  23. Report Generation
     ● Simple - HTML table tags
     ● Store server header and screenshots
     ● Multi-Page Reports (don’t crash your browser)
     ● Link structure for reports
       ○ Off-by-one bugs aren’t fun
  24. EyeWitness 1.0
  25. Improvements (still)
  26. Updates Needed
     ● Library Issues
       ○ Ghost - good, but a hack
     ● Spaghetti code
     ● Group “similar” pages
     ● No way to resume a scan
     ● Other protocols?
     https://c2.staticflickr.com/8/7248/7021453583_c8e2b7597f.jpg
  27. Fix the Problems
     ● Drop Ghost
       ○ Didn’t want to do this - pure python is nice
       ○ Stability issues forced our hand
       ○ Lack of development
  28. Library Solution
     ● PhantomJS
     ● Selenium
     http://38.media.tumblr.com/c5d6de716be379af2e7bf68dce080cd2/tumblr_inline_n0b4hyJnfG1sr0bzb.png
     http://www.seleniumhq.org/selenium-rc.png
  29. Spaghetti Code Fixes
     ● What we called the “nuke_it_all” principle
       ○ rm -rf it all and start over
     ● Went from approx. 100 variables to more of an OO design
  30. http://cdn.meme.am/instances/54834100.jpg
  31. Result Groupings
     ● We investigated multiple solutions
       ○ Levenshtein Distance (thanks @Digininja)
         ■ Measure the distance between strings
       ○ Fuzzy Sorting
         ■ This was the winner
  32. Introduce Categories
     ● Sorting similar pages works
     ● Expand into categories
       ○ High Value Targets
       ○ iDrac
       ○ VoIP
       ○ Crap
       ○ Printers
         ■ So annoying, they are worse than Crap
  33. Resuming Scans
     ● If a scan died on the last website, the whole scan died
       ○ You’d have the artifacts
         ■ Source Code
         ■ Screenshots
       ○ No Report
       ○ Very frustrating for large lists
  34. Resuming Scans
     ● Rohan began investigating a fix
       ○ SQLite to the rescue!
         ■ We wanted to stay lightweight without a db requirement
         ■ Track URLs scanned and completed
         ■ Allows us to tie into this for other purposes
  35. Protocols?
     ● We wanted to add in RDP and VNC
     ● Found a python library which does exactly what we needed!
     https://github.com/citronneur/rdpy
  36. EyeWitness 2.0
  37. EyeWitness 2.0
     ● Modularized the tool
       ○ Future updates/support is significantly easier
     ● Added in auxiliary scripts for interacting with the database
  38. Auxiliary Scripts
     ● Search - Searches database for website with string specified
     ● Recategorize - Creates new report based off of updated sigs
     ● Mikto - Generates URL list for Mikto (multi-threaded Nikto)
     ● Tomcat (upcoming) - Searches for and brute forces tomcat servers
  39. Writing Signatures
     ● Signatures are easy to add
     ● View the source code, then write it!
       ○ <sig>|<Name> <Creds>
       ○ <sig>;<sig>;<sig>...|<Name> <Creds>
  40. Adding to Categories
     ● Categories are also easy to add
     ● View the source code, then write it!
       ○ <sig>|<category>
       ○ <sig>;<sig>;<sig>...|<category>
     ● Same signature for default creds can be used for categories
  41. EyeWitness Stats
     ● Originally: 409 lines
     ● Currently: 3500+ lines
     ● Reasons?
       ○ signatures
       ○ report generation
       ○ .. real guess?
  42. Future Work
     ● Additional Aux Modules
     ● Additional Protocol Support
       ○ x11?
       ○ ideas?
     ● Optical Character Recognition
       ○ Hunt for users via RDP
  43. ?
     ● Github
       ○ https://github.com/ChrisTruncer/EyeWitness
     ● Chris Truncer
       ○ @ChrisTruncer
       ○ CTruncer@christophertruncer.com
     ● Rohan Vazarkar
       ○ @CptJesus
       ○ rvazarkar@verisgroup.com
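The resume design from slide 34 (track URLs scanned and completed in SQLite, no separate database server) worked through as an added example; this is not EyeWitness's own code, and the targets table schema, the capture callback and the TEST-NET-2 target list are assumptions made for the illustration.

```python
import sqlite3

# One row per target URL: processed or not, plus any error text kept for the
# report. The schema is an assumption, not EyeWitness's own.
SCHEMA = """CREATE TABLE IF NOT EXISTS targets (
    url       TEXT PRIMARY KEY,
    completed INTEGER NOT NULL DEFAULT 0,
    error     TEXT)"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def load_targets(db, urls):
    """Register URLs once; feeding the same list again does not reset progress."""
    db.executemany("INSERT OR IGNORE INTO targets(url) VALUES (?)", [(u,) for u in urls])
    db.commit()

def pending(db):
    # URLs not yet processed, i.e. what a resumed run still has to do
    return [r[0] for r in db.execute("SELECT url FROM targets WHERE completed = 0 ORDER BY url")]

def run_scan(db, capture, limit=None):
    """Call capture(url) for each pending URL, committing after every one so a crash
    loses at most the URL in flight; failures are recorded rather than retried forever."""
    done = 0
    for url in pending(db):
        if limit is not None and done >= limit:
            break  # stand-in for the process dying mid-scan
        try:
            capture(url)
            db.execute("UPDATE targets SET completed = 1 WHERE url = ?", (url,))
        except Exception as exc:
            db.execute("UPDATE targets SET completed = 1, error = ? WHERE url = ?", (str(exc), url))
        db.commit()
        done += 1
    return done

# Constructed target list (TEST-NET-2 addresses) standing in for nmap/Nessus input.
TARGETS = [f"http://192.0.2.{i}/" for i in range(1, 6)]

def simulate_resume():
    """First run 'dies' after two URLs; the resumed run only processes the other three."""
    db = open_db()
    load_targets(db, TARGETS)
    first = run_scan(db, lambda url: None, limit=2)
    left = pending(db)
    load_targets(db, TARGETS)  # the resumed run is handed the same input list
    second = run_scan(db, lambda url: None)
    return first, left, second, pending(db)
```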
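A parser for the signature line formats on slides 39 and 40, `<sig>|<Name> <Creds>` and `<sig>;<sig>;...|<category>`, applied to captured page source; this is an added example, not code from EyeWitness. It assumes that every signature in a semicolon-separated list must appear for the rule to fire, and the product strings, categories and the ExampleCam credential are constructed placeholders.

```python
def parse_signatures(text):
    """Return (signatures, label) tuples from '<sig>;<sig>|<label>' lines.
    Blank lines, '#' comments and lines without a pipe are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "|" not in line:
            continue
        sigs, label = line.split("|", 1)
        sigs = [s.strip() for s in sigs.split(";") if s.strip()]
        if sigs and label.strip():
            rules.append((sigs, label.strip()))
    return rules

def match_source(source, rules):
    """Labels of every rule whose signatures ALL occur in source (case-insensitive).
    Assumption: a semicolon list means every part must match, not any part."""
    haystack = source.lower()
    return [label for sigs, label in rules if all(s.lower() in haystack for s in sigs)]

def classify_page(source, cred_rules, cat_rules, default="uncategorized"):
    """Default-credential hits plus the first matching category for one page."""
    creds = match_source(source, cred_rules)
    cats = match_source(source, cat_rules)
    return creds, (cats[0] if cats else default)

# Constructed signature files; product strings, categories and the ExampleCam
# credential are placeholders, not EyeWitness's shipped signatures.
CRED_SIGS = """\
<title>ExampleCam Login|ExampleCam admin:PLACEHOLDER
Welcome to Tomcat;Manager App|Apache Tomcat Manager tomcat:tomcat
"""
CATEGORY_SIGS = """\
<title>ExampleCam|highval
Manager App|highval
Integrated Remote Access Controller|idrac
"""
# Constructed page sources standing in for captured HTML.
SAMPLE_PAGES = {
    "cam": "<html><head><title>ExampleCam Login</title></head></html>",
    "tomcat": "<h1>Welcome to Tomcat</h1><a href='/manager'>Manager App</a>",
    "tomcat_nomgr": "<h1>Welcome to Tomcat</h1><p>It works!</p>",  # one sig missing
    "printer": "<title>Office Printer Status</title>",
}

def classify_all(pages=SAMPLE_PAGES):
    cred_rules, cat_rules = parse_signatures(CRED_SIGS), parse_signatures(CATEGORY_SIGS)
    return {name: classify_page(src, cred_rules, cat_rules) for name, src in pages.items()}
```

Because the same `<sig>|<label>` grammar serves both files, one parser feeds both the default-credential check and the category sort, which is the point slide 40 makes.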
