Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo

Research talk presented at Derbycon 4.0, Toorcon XVI, Hack3rcon & BSidesTO

  1. A Practical Approach to Hacking an Enterprise with YASUO
     Saurabh Harit (@0xsauby), Stephen Hall (@_stephen_h)
  2. root@msf:~$> getuid
     - Saurabh Harit (@0xsauby): Director of Security Research @Security Compass; pentester, i.e. Domain Admin at many companies; secret crush on reverse engineering; gym freak; proud father of two beautiful dogs
     - Stephen Hall (@_stephen_h): Security Consultant @Security Compass; owner of a Christmas hat
  3. What this talk is not about: no 0-days, no shells.
  4. Scenario: you're on a red-team engagement; you've bypassed physical security; you've bypassed NAC. What next? How would you pwn the network? Vulnerability scanner?
  5. The Problem
     - Can't use a network vulnerability scanner: you have to be stealthy and quick
     - Can't use Google dorks (site:, link:, inurl:) on an internal network
  6. Where do $hells come from? It's not about what, it's about WHERE.
  7. Popular Vulnerable Apps: Apache Tomcat
  8. Popular Vulnerable Apps: JBoss jmx-console
  9. Popular Vulnerable Apps: Hudson / Jenkins
  10. $hells
  11-12. Not So Popular Vulnerable Apps: ADManager Plus
  13-14. Not So Popular Vulnerable Apps: Cyberoam UTM
  15. YASUO what???
     - Written in Ruby
     - Did not write it on our flight here
     - Scans the network for vulnerable applications
     - Currently supports 100+ vulnerable applications
     - All currently supported apps are Metasploit-able (each has a corresponding Metasploit module)
  16. Why Yasuo: because there are tons of vulnerable applications and it's not easy to find them.
  17. World Without Automation: run an nmap scan and manually poke each and every web port. This CANNOT be fun.
  18. What's currently out there
     - Nikto by Chris Sullo: https://www.cirt.net/Nikto2
     - Nmap script http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls: http://nmap.org/nsedoc/scripts/http-enum.html
     - Nmap script http-default-accounts.nse by Paulino Calderon: https://www.nmap.org/nmap-exp/calderon/scripts/http-default-accounts.nse
  19-20. Exploring Yasuo (screenshots)
  21. What's in the Box: yasuo.rb, resp200.rb, default-path.csv, users.txt, pass.txt, GPL (license)
  22. What's in the Box (screenshot)
  23. Behind the Scenes
     - Detects false positives
     - Automatically extracts the login form
     - Automatically extracts the login parameters
  24. What's New
  25. RaNdOmIzAtIoN!!!
     - More robust check to detect false positives
     - Properly formatted output table
     - More application signatures
     - Signatures for IP cameras / encoders / decoders
     - Modular and cleaned-up code, if there is any such thing
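The checks slides 21 to 25 describe (throw out hosts that answer 200 for everything, pull the login form and its parameters out of the page, feed users.txt / pass.txt into a login attempt) are shown below as an added example in Ruby. It is not Yasuo's own code and is not taken from its repository; the HTTP layer is injected as a callable so the whole thing runs offline against two in-memory hosts. The CSV column layout, the sample login page, the host data and the reading of "randomization" as a random-path baseline request are all assumptions of this example.

```ruby
require 'csv'
require 'digest'
require 'uri'

# Constructed stand-in for default-path.csv; the column layout is an assumption of this example.
SIGNATURES_CSV = <<~CSV
  app,path
  ExampleCMS,/admin/login.jsp
  Apache Tomcat,/manager/html
  JBoss jmx-console,/jmx-console/
CSV

Response = Struct.new(:code, :body)

def load_signatures(csv_text)
  CSV.parse(csv_text, headers: true).map { |r| { app: r['app'], path: r['path'] } }
end

# A path no real application serves. If the host answers it with the same page as the
# candidate path, the host returns 200 for everything (captive portal, catch-all vhost,
# "not found" page served with status 200) and the candidate is a false positive.
def random_path
  '/' + Array.new(12) { ('a'..'z').to_a.sample }.join
end

def fingerprint(resp)
  Digest::SHA256.hexdigest(resp.body.gsub(/\s+/, ''))[0, 16]
end

def real_hit?(candidate, baseline)
  return false unless candidate.code == 200
  !(baseline.code == 200 && fingerprint(candidate) == fingerprint(baseline))
end

# Attribute parser for a tag's attribute string: key="v", key='v' or key=v.
def parse_attrs(s)
  s.scan(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
   .to_h { |k, dq, sq, bare| [k.downcase, dq || sq || bare] }
end

# Regex-based login-form extraction (the approach slide 28 calls a challenge): the first
# <form> that contains a password input wins; returns its action, method, the username and
# password parameter names, and the hidden fields a login attempt has to replay.
def extract_login_form(html)
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).each do |form_attrs, inner|
    inputs = inner.scan(/<input\b([^>]*)>/mi).flatten.map { |a| parse_attrs(a) }
    pass = inputs.find { |i| i['type'].to_s.casecmp('password').zero? }
    next unless pass
    user = inputs.find { |i| i['type'].nil? || i['type'] =~ /\A(text|email)\z/i }
    form = parse_attrs(form_attrs)
    return {
      action: form['action'] || '',
      method: (form['method'] || 'get').downcase,
      user_param: user && user['name'],
      pass_param: pass['name'],
      hidden: inputs.select { |i| i['type'].to_s.casecmp('hidden').zero? }
                    .to_h { |i| [i['name'], i['value'] || ''] }
    }
  end
  nil
end

# Probe every signature path on one host. `fetch` is any callable taking a path and
# returning a Response, so a real scanner would pass a Net::HTTP wrapper here.
def scan_host(base_url, fetch, signatures)
  baseline = fetch.call(random_path)
  signatures.each_with_object([]) do |sig, hits|
    resp = fetch.call(sig[:path])
    next unless real_hit?(resp, baseline)
    hits << { app: sig[:app], url: base_url + sig[:path], login: extract_login_form(resp.body) }
  end
end

# One (user, pass) pair from users.txt / pass.txt turned into the request a login attempt sends.
def build_login_request(hit_url, form, user, pass)
  action = form[:action].empty? ? hit_url : URI.join(hit_url, form[:action]).to_s
  params = form[:hidden].merge(form[:user_param] => user, form[:pass_param] => pass)
  { method: form[:method], url: action, params: params }
end

# Constructed sample data: a host that serves a login page only at the signature path,
# and a catch-all host that returns the same 200 page for every path.
LOGIN_PAGE = <<~HTML
  <html><body><form method="POST" action="/admin/j_security_check">
    <input type="hidden" name="csrf" value="abc123">
    User: <input type="text" name="j_username">
    Pass: <input type="password" name="j_password">
    <input type="submit" value="Log In">
  </form></body></html>
HTML

HOSTS = {
  'http://10.0.0.5:8080' => ->(path) { path == '/admin/login.jsp' ? Response.new(200, LOGIN_PAGE) : Response.new(404, 'Not Found') },
  'http://10.0.0.9'      => ->(_path) { Response.new(200, '<html><body>Welcome to the portal</body></html>') }
}

if $PROGRAM_NAME == __FILE__
  sigs = load_signatures(SIGNATURES_CSV)
  HOSTS.each do |base, fetch|
    hits = scan_host(base, fetch, sigs)
    puts "#{base}: #{hits.empty? ? 'nothing found' : hits.map { |h| h[:app] }.join(', ')}"
    hits.each { |h| p build_login_request(h[:url], h[:login], 'admin', 'admin') if h[:login] }
  end
end
```

The baseline request is what separates a real hit from a captive portal or a wildcard vhost: a bare "200 on the default path" check reports every such host as running every application in the signature file. Comparing whitespace-stripped body hashes rather than raw bodies tolerates trivial differences while still catching the common case where the catch-all page is byte-identical.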
  26. Demo Time
  27. Challenges: Exploit-db is a great resource, but its format is inconsistent.
  28. Challenges: dynamic detection of the login page and its parameters is regex-based.
  29. Future Development
     - Smarter version detection
     - Support masscan output format (because y'all love to scan the Interwebs)
     - Add support for more vulnerable applications, of course
     - Add secondary signatures
     - Make the current crappy code modular
     - Add multi-threading
     - Add support for vFeed???
     - Change the format of the default-path file from CSV to YAML? or JSON?
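Slide 17 starts from an nmap scan and slide 29 plans masscan support. As an added example (not Yasuo's code, which uses the ruby-nmap library credited on slide 33), the Ruby below turns nmap's grepable output (-oG) and masscan's list output (-oL) into the http(s) base URLs a default-path scanner would probe, using nmap's "ssl|service" convention to pick the scheme. Both scan outputs are constructed samples, and the port-to-scheme fallback table used when no service name is available is an assumption of the example.

```ruby
# Port-number fallback for output that carries no service name (masscan) or an unrecognised one.
# This table is an assumption of the example, not a standard.
WEB_PORTS = { 80 => 'http', 443 => 'https', 8000 => 'http', 8080 => 'http',
              8443 => 'https', 8888 => 'http', 9090 => 'http' }.freeze

# Decide whether an open port is worth probing as a web app, and with which scheme.
# nmap -oG reports TLS-wrapped services as "ssl|name".
def web_scheme(port, service = nil)
  s = service.to_s.downcase
  return 'https' if s.start_with?('ssl|') || s.include?('https')
  return 'http'  if s.start_with?('http', 'www')
  WEB_PORTS[port.to_i]
end

# nmap -oG: one "Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc/version, ..." line
# per host; comment lines start with '#', and a host's "Status: Up" line carries no ports.
def parse_nmap_grepable(text)
  text.each_line.each_with_object([]) do |line, out|
    next unless line.start_with?('Host:') && line.include?('Ports:')
    ip    = line[/\AHost:\s+(\S+)/, 1]
    ports = line[/Ports:\s+(.*?)(?:\t|$)/, 1]
    ports.split(/,\s*/).each do |entry|
      port, state, proto, _owner, service = entry.split('/')
      next unless state == 'open' && proto == 'tcp'
      scheme = web_scheme(port, service)
      out << "#{scheme}://#{ip}:#{port}" if scheme
    end
  end.uniq
end

# masscan -oL: "open tcp <port> <ip> <timestamp>" lines; comment lines start with '#'.
# There is no service name, so the scheme comes from the port table alone.
def parse_masscan_list(text)
  text.each_line.each_with_object([]) do |line, out|
    state, proto, port, ip = line.split
    next unless state == 'open' && proto == 'tcp'
    scheme = web_scheme(port)
    out << "#{scheme}://#{ip}:#{port}" if scheme
  end.uniq
end

# Constructed sample outputs (not real scan results).
NMAP_GREPABLE = <<~TXT
  # Nmap 6.47 scan initiated Sun Sep 28 10:00:00 2014 as: nmap -p- -sV -oG web.gnmap 10.0.0.0/24
  Host: 10.0.0.5 ()\tStatus: Up
  Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///\tIgnored State: closed (65532)
  Host: 10.0.0.9 (intranet.corp.local)\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///, 445/open/tcp//microsoft-ds///
  Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///
  # Nmap done at Sun Sep 28 10:05:00 2014 -- 256 IP addresses (3 hosts up) scanned in 300.12 seconds
TXT

MASSCAN_LIST = <<~TXT
  #masscan
  open tcp 8080 10.0.0.7 1411900000
  open tcp 443 10.0.0.7 1411900001
  open tcp 22 10.0.0.8 1411900002
  open tcp 8080 10.0.0.7 1411900003
  # end
TXT

if $PROGRAM_NAME == __FILE__
  puts parse_nmap_grepable(NMAP_GREPABLE)
  puts parse_masscan_list(MASSCAN_LIST)
end
```

Feeding a scanner from nmap -sV output is the better-informed path: the service name decides between http and https and lets odd ports through, whereas masscan output only gives you port numbers and the fallback table will miss web services on unusual ports unless you probe both schemes on every open port.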
  30. CFH (cry for help): signatures, signatures, signatures and signatures. Please submit application signatures:
     - Post a comment on GitHub
     - Update the default-path file on GitHub
     - Drop us an email
     - Send a pigeon
  31. Questions??? or not
  32. Thank You!
     - https://github.com/0xsauby/yasuo
     - @0xsauby, saurabh.harit@gmail.com
     - @_stephen_h, perfectlylogical@gmail.com
  33. Credit
     - Nmap ruby library: https://github.com/sophsec/ruby-nmap
     - The Exploit Database (EDB): http://www.exploit-db.com/
     - @funkaoshi
     - Google Image Cache
