A tale of two proxies


Published on

Presentation by Haroon Meer, Roelof Tammingh at black hat USA in 2006.

This presentation is about Suru, the inline proxy tool developed by Roelof Tammingh. How it works and some of it's features are discussed.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

A tale of two proxies

  1. 2. <ul><li>From the makers of Wikto , Crowbar and BiDiBLAH , the producers of Hacking by Numbers, Setiri and Putting the Tea in CyberTerrorism , the directors of When the tables turn , several Syngress fairy tales and the inspiration of the Matrix trilogy (…right…) comes a presentation so powerful and compelling… </li></ul>Introduction
  2. 3. <ul><li>We wanted something that: </li></ul><ul><li>Does intelligent file and directory discovery (and Wikto was just not cutting it anymore). </li></ul><ul><li>Does intelligent fuzzing of web applications (without trying to be too clever about it). </li></ul><ul><li>After looking for long at how people use other web application assessment tools we found that: </li></ul><ul><li>There is no ‘one-button’ web application assessment tool </li></ul><ul><li>Those who attempt to provide such tools mostly fail miserably. </li></ul><ul><li>People that are good at web application assessments still want to be in control of every request that they make (that’s why the @stake webproxy rocked so much). </li></ul><ul><li>While they still want to be in control, they perform some actions over and over (but with enough variation that it cannot be automated). </li></ul><ul><li>They need something that can automate *some parts* of the assessment process effectively without taking away flexibility or power of doing it manually. </li></ul><ul><li>The lines between the application and web server are blurring… </li></ul>Why *another* proxy??
  3. 4. <ul><li>We wanted something that works like Nikto, but won’t be fooled by friendly 404s </li></ul><ul><li>We created Wikto in 2004 </li></ul><ul><li>Some people still don’t know how the AI option works  . </li></ul><ul><li>The cleverness of Wikto sits in the content comparison algorithm. </li></ul><ul><li>We created Crowbar early in 2005 </li></ul><ul><li>Most people don’t know how it works  . </li></ul><ul><li>Sadly, most people don’t know how to use it either… </li></ul><ul><li>With Crowbar we expanded the thinking – we wanted to create a generic brute forcer and ended up with something a lot more useful. Of all the tools up to this point, Crowbar was one of the most powerful – yet most people didn’t know how to use it properly. </li></ul><ul><li>We really wanted a proxy (for E-Or actually), so we took some proxy code and started mangling it early in 2006. </li></ul>… it didn’t happen in one day
  4. 5. <ul><li>The content comparison algorithm basically it compares two strings. </li></ul><ul><li>In Wikto it compares the response for a test file with that of a file that will never exist on the system. If the response differs we know that the file is there. </li></ul><ul><li>GET /scripts/moomoomoo.pl HTTP/1.0 [BRR] </li></ul><ul><li>GET /scripts/login.pl HTTP/1.0 [real test] </li></ul><ul><li>In Crowbar it compares the output of a test request with that of a ‘base response’. The user can choose the base response, and choose how she wants to construct the test response. </li></ul><ul><li>GET /scripts/login.pl?user=moo&pass=blah HTTP/1.0 [BRR] </li></ul><ul><li>GET /scripts/login.pl?user=admin&pass=aaa HTTP/1.0 [real test] </li></ul>So…how DOES it work?
  5. 6. <ul><li>Step 1 – crop header (if possible) </li></ul><ul><li>Step 2 – split string A and B on n, > and space => collectionA,B </li></ul><ul><li>Step 3 – count blanks items in both A and B </li></ul><ul><li>Foreach itemA in collectionA </li></ul><ul><li>foreach itemB in collection B </li></ul><ul><li>if (itemA==itemB) </li></ul><ul><li>increment counter </li></ul><ul><li>break </li></ul><ul><li>} </li></ul><ul><li>} </li></ul><ul><li>} </li></ul><ul><li>Return counter x 2 / ((#collectionA+#collectioB)-blanks) </li></ul>And what about the content compare?
  6. 7. <ul><li>See it in action: </li></ul><ul><li><b> I am testing this </b> <b> doedelsakdoek</b> </li></ul><ul><li><b> I am testing this </b><b> kaaskrulletjies</b> </li></ul><ul><li>Becomes: </li></ul><ul><li>Collection A: I am testing this doedelsakdoek </li></ul><ul><li>Collection B: I am testing this kaaskrulletjies </li></ul><ul><li> Matching count = [I] [am] [testing] [this] = 4 </li></ul><ul><li> Blank count = zero </li></ul><ul><li> #A + #B = 5+5 = 10 </li></ul><ul><li>Return (4 x 2) / 10 = 0.8 or 80% match </li></ul><ul><li><b> I was testing </b> </li></ul><ul><li><b> I am testing them things </b> </li></ul><ul><li>Return (2 x 2)/8 = 0.5 or 50% match </li></ul>And what about the content compare?
  7. 8. <ul><li>Crowbar also started to provide us with the ability to filter certain responses using a fuzzy logic trigger: </li></ul>So…how DOES it work?
  8. 9. <ul><li>Crowbar also allowed us to do content extraction. </li></ul><ul><li>For example consider ‘mining’ information from Google regarding how many results for a certain item (a name in this case): </li></ul>So…how DOES it work?
  9. 10. <ul><li>One of the most used features of Wikto is the ‘BackEnd miner’ used to discover directories and files. </li></ul><ul><li>What if the entire site is located behind /bigsite/ ? It fails to find anything cause its testing in the /. </li></ul><ul><li>That’s why we have mirroring option in Wikto – to find directories and mine within the known directories. </li></ul><ul><li>But what if the site has form based login (or something similar)? </li></ul><ul><li>That’s why Wikto sucks - it wouldn’t test anything beyond the login screen… </li></ul><ul><li>What about finding /bigsite/strange_form.bak from /bigsite/strange_form.asp ? Or .backup or .zip ? What about /bigsite/cgi-bin/bigsite ? </li></ul><ul><li>That’s why Wikto sucks – it does not know anything about the site itself. Wikto is a blind chicken, pecking away at dirt. </li></ul>Why Wikto sucks
  10. 11. <ul><li>Now, if we had a proxy we could see where the user is browsing to and adjust our recon process accordingly: </li></ul><ul><li>If we see /bigsite/content.php </li></ul><ul><ul><li>Automatically start looking for other directories within /bigsite/ </li></ul></ul><ul><li>If we see /bigsite/moo_form.asp </li></ul><ul><ul><li>Automatically start looking for moo_form.XX where XX is all other extensions (like .zip and .backup and .old etc.) </li></ul></ul><ul><li>If we see /scripts/abc_intranet/login.php </li></ul><ul><ul><li>Automatically start looking for /abc_intranet in other places </li></ul></ul><ul><li>And while we’re at it – why not check the indexability of every directory we visited and mined? </li></ul>Why Wikto sucks
  11. 12. Recon demo
  12. 13. <ul><li>If we have a content comparison algorithm, then we can see if an application would react differently when we put ‘junk’ into it compared to ‘good’ data. </li></ul><ul><li>In other words, we can send a whole lot of requests, and see what different responses are generated, and how the ‘good’ responses differ to the ‘bad’ responses. </li></ul><ul><li>We can, in fact, group the responses by looking how they differ from a base response. </li></ul><ul><li>In other words – when I send 1000 different requests to the application modifying a single parameter I could just get back 2 different responses. </li></ul>Fuzzing with Suru
  13. 14. <ul><li>Having a proxy, we can thus parse the request, break in nicely up into pairs and let the user decide what portion she wants to fuzz. </li></ul>Fuzzing with Suru
  14. 15. <ul><li>Of course, you can choose to fuzz ANYTHING in the HTTP request… </li></ul><ul><li>We can also choose to extract anything from the reply… </li></ul><ul><li>..and group results automatically, with adjustable tolerance </li></ul>Fuzzing with Suru (Demo)
  15. 16. <ul><li>Automatic relationship discovery </li></ul><ul><li>Compares md5, sha1, b64e and b64d of every parameter with all other parameters (incl. cookie values) </li></ul><ul><li>WHY? </li></ul><ul><li>Example - after login the application uses the MD5 of your username to populate a cookie that’s used for session tracking (this is a very bad idea), or sending your password Base64 encoded in another parameter (also a bad idea). </li></ul><ul><li>Search and replace on both incoming and outgoing streams with ability to also change binary data. </li></ul>Other reasons why Suru is nice
  16. 17. <ul><li>Usability+++ </li></ul><ul><li>Uses a IE browser object to replay requests [no issues with authentication etc] </li></ul><ul><li>Change and replay request instantly whilst keeping track of what you’ve done. </li></ul><ul><li>Edited requests are marked – you don’t need to find them in a sea of requests. </li></ul><ul><li>Handles XML (for web services) MultiPart POSTs, and shows verb and number of POST/GET parameter instantly (so you can choose the juicy requests quickly). </li></ul><ul><li>Saving & loading of sessions. </li></ul><ul><li>Instantly fuzz any variable (and edit your fuzz strings in the app) </li></ul><ul><li>Free form fuzz strings (supports commenting) – NO limitation – only your imagination – sorted by file name. </li></ul><ul><li>Instant access to HTTP raw request with automatic content length recalculation. </li></ul><ul><li>Raw replay or browsed replay. </li></ul><ul><li>One click file/directory mining from recon tree. </li></ul><ul><li>User defined speed for recon (cause you want to be able to still surf the app). </li></ul><ul><li>Etc.etc.etc. </li></ul>Other reasons why Suru is nice
  17. 18. And now for something completely different.. <ul><li>Suru is a neat well packaged tool that addresses some unique needs </li></ul><ul><li>LR is a collection of other peoples utilities (and some duct-tape^H^H python) </li></ul><ul><li>Almost everything achievable by SP_LR is available through other tools in existence today.. </li></ul><ul><li>What does this mean? </li></ul>I have no future in sales or marketing..
  18. 19. What is it? <ul><li>(Someday) Suru for generic TCP connections </li></ul><ul><li>(Today….) simple, extensible method to alter packets (headers or payloads) within a TCP stream </li></ul><ul><li>(Honestly) A collection of a few scripts around two much smarter open source projects </li></ul><ul><li>Written in Python </li></ul><ul><ul><li>Because all the cool kids were doing it </li></ul></ul>Why ? <ul><li>To free you from current tools.. </li></ul><ul><li>To get the juices flowing </li></ul><ul><li>To demonstrate how easily it can be done </li></ul><ul><li>To ponder some possibilities… </li></ul>
  19. 20. What about … <ul><li>Existing tools: </li></ul><ul><ul><li>ITR, ngrep, …. </li></ul></ul><ul><ul><li>Great when you are in a position to run the proxy on the machine doing the testing </li></ul></ul><ul><ul><li>Generally modify payload or headers (seldom both) </li></ul></ul><ul><ul><li>Are either closed source (or involve scary looking packet-fu) </li></ul></ul>The goal.. <ul><li>The ability to modify packets and payloads.. </li></ul><ul><li>The ability to do this within complex conversation sequences </li></ul><ul><li>The ability to do this comfortably within a scripting environment </li></ul><ul><li>The ability to do this quickly leaving more time for minesweeper… </li></ul>
  20. 21. How it currently works.. <ul><li>Installed on gateway using Linux LIBIPQ or FreeBSD’s IPDIVERT. </li></ul><ul><li>This moves packets from kernel to userspace program </li></ul><ul><li>Heavy lifting then done by: </li></ul><ul><ul><li>Neale Pickett’s ipqueue </li></ul></ul><ul><ul><li>Philippe Biondi’s scapy </li></ul></ul>
  21. 22. A brief interlude.. <ul><li>to pay homage to scapy.. </li></ul><ul><li>available from http://www.secdev.org/projects/scapy by Philippe Biondi </li></ul><ul><li>By far the easiest way to generate arbitrary packets </li></ul><ul><li>#28 on Fyodors Top 100 Security Tools.. </li></ul><ul><li>Which means… </li></ul><ul><ul><li>The majority of the people have yet to discover its coolness </li></ul></ul><ul><li>Some quick examples… </li></ul>
  22. 23. Scapy simpleness
  23. 24. So… SP_LR simply does… <ul><li>Get the packet through libipq </li></ul><ul><li>Decode the packet using scapy </li></ul><ul><li>Mangle the packet using scapy </li></ul><ul><li>Accept or Reject packet through libipq </li></ul><ul><li>s/foo/bar/ </li></ul><ul><li>There is a tiny bit more… </li></ul><ul><ul><li>What about checksums? </li></ul></ul><ul><ul><li>The old sequence number chestnut. </li></ul></ul>
  24. 25. Visio of payload increase + seq number
  25. 26. But hold on.. This is classic mitm <ul><li>Once we alter payload length </li></ul><ul><ul><li>We no longer let sequence or ack numbers through, without first modifying their values. </li></ul></ul><ul><ul><li>Client and Server are both kept happy </li></ul></ul><ul><ul><li>We need to do this till the end of the session (or till we adjust another payload to bring the delta to 0) </li></ul></ul><ul><ul><li>s/foo/SensePost Does Las Vegas/ </li></ul></ul>
  26. 27. Since we are inline… <ul><li>We are in a position to alter data to or from the client. </li></ul><ul><li>Interesting for client fuzzing </li></ul><ul><li>Interesting for lame-client-side security. </li></ul><ul><li>Lame client side security can be read as VNC 4.1 Authentication Bypass.. </li></ul>
  27. 28. And obviously header modification is trivial.. <ul><li>FreeBSD ECE Overloading: </li></ul><ul><li>Old bug: </li></ul><ul><ul><li>“ Overloading in the TCP reserved flags field causes ipfw/ip6fw to treat all TCP packets with the ECE flag set as being part of an established connection. A remote attacker can create a TCP packet with the ECE flag set to bypass security restrictions in the firewall.” </li></ul></ul><ul><li>We simply need to tag all our outgoing packets with the ECE flag. </li></ul><ul><li>SensePost Exploit (2001) - 270 lines of C </li></ul><ul><li>SP_LR version (today) - X lines of python </li></ul>
  28. 29. Other Uses.. <ul><li>Arbitrary DNS resolution </li></ul><ul><li>Malware Analysis </li></ul><ul><li>… </li></ul>What it needs? <ul><li>More fiddling.. </li></ul><ul><li>An int3 </li></ul><ul><ul><li>The client timeout problem… </li></ul></ul><ul><ul><li>An (untested) possible solution.. </li></ul></ul>
  29. 30. Window 0 and int3 <ul><li>TCP Window Size </li></ul><ul><li>Tar Pits? </li></ul><ul><li>Hmmm.. What if ? (visio of win0 int3) </li></ul><ul><li>Watch this space… </li></ul>
  30. 31. So… <ul><li>You should have a easy to use, trivial to extend alternative to current packet mangling options. </li></ul><ul><li>You should be in a position to mangle payloads and headers from the warm cozy python environment </li></ul><ul><li>Most importantly, you should have some ideas about stuff you would like to fiddle with.. </li></ul><ul><li>.tgz will be made available for download off http://www.sensepost.com/research </li></ul>
  31. 32. <ul><li>Suru is a very nice new MITM web application proxy. </li></ul><ul><li>Suru still allow the analyst the freedom of thought, but automates the mundane. </li></ul><ul><li>Suru is a combination between a useful proxy and the best features of Wikto, Crowbar and E-Or. </li></ul><ul><li>If you are new to web application assessment you should perhaps start off with another proxy – Suru is intense. </li></ul><ul><li>Suru was written by people that do hundreds of web application assessments every year. In others words – a web application testing tool by people that do web application testing. </li></ul><ul><li>Suru lives at: </li></ul><ul><li>http://www.sensepost.com/research/suru </li></ul>Conclusion