Successfully reported this slideshow.
Your SlideShare is downloading. ×

Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo

Check these out next

1 of 33 Ad
1 of 33 Ad

More Related Content

Similar to Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo (20)


Gone in 60 minutes – Practical Approach to Hacking an Enterprise with Yasuo

  1. 1. A Practical Approach to Hacking an Enterprise with YASUO Saurabh Harit {@0xsauby} Stephen Hall {@_stephen_h}
  2. 2. root@msf:~$>getuid Saurabh Harit (@0xsauby) Director of Security Research @Security Compass Pentester i.e. Domain Admin at many companies Have a secret crush on reverse engineering Gym freak / Proud father of two beautiful dogs Stephen Hall (@_stephen_h) Security Consultant @Security Compass … … Owner of a Christmas hat
  3. 3. What this talk is not about No 0-days No Shells
  4. 4. Scenario You’re on a red-team engagement You’ve bypassed physical security You’ve bypassed NAC What next? How would you pwn the network? Vulnerability scanner?
  5. 5. The Problem Can’t use network vulnerability scanner Have to be Stealth & Quick Can’t use Google dorks (internal network) site, link, inurl
  6. 6. Where do $hells come from? It’s not about what, it’s about WHERE
  7. 7. Popular Vulnerable Apps Apache Tomcat
  8. 8. Popular Vulnerable Apps JBoss jmx-console
  9. 9. Popular Vulnerable Apps Hudson Jenkins
  10. 10. $hells
  11. 11. Not So Popular Vulnerable Apps ADManager Plus
  12. 12. Not So Popular Vulnerable Apps ADManager Plus
  13. 13. Not So Popular Vulnerable Apps Cyberoam UTM
  14. 14. Not So Popular Vulnerable Apps Cyberoam UTM
  15. 15. YASUO what??? Written in ruby Did not write it on our flight here Scans the network for vulnerable applications Currently supports around 100+ vulnerable applications All currently supported apps are Metasploit-able
  16. 16. Why Yasuo Because there are tons of vulnerable applications and its not easy to find them
  17. 17. World Without Automation Run nmap scan & manually poke each & every web port This CANNOT be fun
  18. 18. What’s currently out there Nikto by Chris Sullo Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls Nmap script – http-default-accounts.nse by Paulino Calderon calderon/scripts/http-default-accounts.nse
  19. 19. Exploring Yasuo
  20. 20. Exploring Yasuo
  21. 21. What’s in the Box yasuo.rb resp200.rb default-path.csv users.txt pass.txt GPL
  22. 22. What’s in the Box
  23. 23. Behind the Scenes Detects false-positives Automatically extracts login form Automatically extracts login parameters
  24. 24. What’s New
  25. 25. RaNdOmIzAtIoN!!! More robust check to detect false positives Properly formatted output table More application signatures Signatures for IP Cameras / Encoder / Decoders Modular & Cleaned-up Code – if there is any such thing
  26. 26. Demo Time
  27. 27. Challenges Exploit-db – great resource but inconsistent format
  28. 28. Challenges Dynamic detection of login page and parameters is regex based.
  29. 29. Future Development Smarter version detection Support masscan output format (because y’all love to scan the Interwebs) Add support for more vulnerable applications, Ofcourse Add secondary signature Make current crappy code modular Add multi-threading Add support for vFeed??? Change format of default path file – CSV to YAML? or JSON?
  30. 30. CFH (cry for help) Signatures Signatures Signatures & Signatures Please submit application signatures: Post a comment on Github Update default path file on Github Drop us an Email Send a Pigeon.
  31. 31. Questions??? or not
  32. 32. Thank You! ✖ 0xsauby _stephen_h
  33. 33. Credit Nmap ruby library - The Exploit Database (EDB) - @funkaoshi Google Image Cache