Rapid Assessment of Web Resources (RAWR) - DerbyCon 3.0

Post on 29-Jun-2015


Description

One of the highest threats to organizations today is also one of the services most prevalent in their environments: web interfaces. The landscape has changed from simple static websites to fully functional web-based applications that provide access to internal information gold mines. If you’re not testing your client organization’s web interfaces, expect that someone else is! Our belief is that most organizations have little to no knowledge of how many internal web resources exist within their environments that could lead to network compromise. By taking an approach that ensures the security of your client’s web interfaces through offensive security, you will find that there is a lot involved, and usually not a lot of time to get from initial scan to report. In this presentation we’ll introduce RAWR (Rapid Assessment of Web Resources). We’ll cover its inception, the hurdles faced, and give some practical advice on how to get the most out of ‘the little dinosaur’. There’s a lot packed into this tool that will help you get a better grasp of the threat landscape that is your client’s web resources. It has been tested on everything from extremely large network environments down to 5-node networks. It has been fine-tuned to produce fast, accurate, and applicable results in formats that you can use! RAWR will make the mapping phase of your next web assessment efficient and get you producing positive results faster!

Transcript of Rapid Assessment of Web Resources (RAWR) - DerbyCon 3.0

RAWR
Rapid Assessment of Web Resources
https://www.bitbucket.org/al14s/rawr

Adam Byers [@al14s]

Started with BASIC – Antic mag… the ‘Blue Pages’

• Blue Team
• Automation
• Wireless
• Malware forensics

INTRODUCTION

Tom Moore [@c0ncealed]

• Red Team Menace
• Loves creating reports
• Cuddles his AK

AOL proggies/punters in the 90’s

AGENDA

• Web Assessments
• Meet RAWR
• Demo
• Plans for the Future
• Conclusion/Discussion

WHY WORRY ABOUT WEB?

If you don’t know your organization’s web attack surface, expect that someone else already does.

One of the highest threats to organizations today is also one of the services most prevalent in their environments: web interfaces. The landscape has changed from simple static websites to fully functional web-based applications that provide access to internal information gold mines. Our belief is that most organizations have little to no knowledge of how many internal web resources exist within their environments that could lead to network compromise. By taking an approach that ensures the security of your client’s web interfaces through offensive security, you will find that there is a lot involved, and usually not a lot of time to get from initial scan to report.

WHAT WOULD YOU DO?

You are given the following objective:

Assess your organization’s internal and external web-based attack surface.

Your end goal is to produce a report that can be provided to both technical individuals and executives.

WHICH TOOLS TO LEVERAGE?

Recon → Mapping → Discovery → Exploitation → Reporting

Different tools for each step in the process:

These tools, in most cases, do not produce output that plays nicely with one another. This leaves YOU with the responsibility of interfacing between them…

HOW WOULD YOU PRESENT IT?

Executive Technical

How much work would be involved in obtaining output that could be considered acceptable for both of your intended audiences?

- Visuals and numbers.

- Specific information for remediation.


WHAT IS YOUR TURN-AROUND?

Mapping → Formatting data → Identify targets of interest → Additional information collection → Formatting data (again) → Validation of findings → Composing the report

How long would it take you to go from initial mapping to producing the deliverable?

WHY U ASK SO MANY QUESTION?

I’m glad you asked. =P

So, what really is the answer to this flurry of questions?

MEET…

WEB ASSESSMENTS

RAWR

Recon → Mapping → Discovery → Exploitation → Reporting

• NMap XML (live or from file) *
• Nexpose Simple XML
• Nexpose XML (v1, v2)
• Nessus XML (.nessus) *
• OpenVAS XML
• Qualys XML (Scan Report) *
• Qualys CSV (Port/Services Scan)
• Metasploit CSV
• ??? CSV

* Parses SSL cert info for these

INPUT

Extract as much as possible from the server response.

• Default Passwords
• Geo-location
• Crawl
• Modules
• Bing DNS

ENUMERATION

• HTML
• CSV
• Attack Surface Matrix
• SQLite3 db
• Site Diagrams
• JSON objects
• NMap -oA (from live scan)

• Cookies
• Robots.txt
• SSL Certificates

OUTPUT
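The input-to-output flow the slides describe, as an added illustration (not RAWR’s own code): take Nmap XML, keep the open ports whose service looks like a web interface, and turn them into the inventory rows an attack surface matrix or CSV output is built from. The Nmap XML is constructed, and the WEB_SERVICE_PREFIXES tuple and row field names are my own choices.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not a real scan): two hosts with a mix of open/closed
# ports, one of them a plain-http service that nmap flagged as SSL-tunnelled.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl" product="Apache httpd"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port></ports>
  </host>
</nmaprun>"""

# Nmap service names that denote a web interface (http, https, http-proxy, https-alt, ...).
WEB_SERVICE_PREFIXES = ("http", "https")

def web_interfaces(nmap_xml):
    """Return one inventory row (dict) per open web port found in the Nmap XML."""
    rows = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:            # skip hosts with no IPv4 address record
            continue
        addr = addr_el.get("addr")
        name_el = host.find("hostnames/hostname")
        name = name_el.get("name") if name_el is not None else addr
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or svc is None:
                continue
            sname = svc.get("name", "")
            if not sname.startswith(WEB_SERVICE_PREFIXES):
                continue
            # TLS if nmap marked the port as an SSL tunnel or named the service https*.
            tls = svc.get("tunnel") == "ssl" or sname.startswith("https")
            scheme = "https" if tls else "http"
            portid = int(port.get("portid"))
            product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append({"address": addr, "hostname": name, "port": portid, "scheme": scheme,
                         "url": f"{scheme}://{name}:{portid}/", "product": product})
    return rows

if __name__ == "__main__":
    for row in web_interfaces(SAMPLE_NMAP_XML):
        print(row["url"], row["product"] or "(no banner)")
```

The closed http-proxy port and the ssh port are dropped, while the SSL-tunnelled port 443 and the https-alt port are reported with an https scheme, which is the distinction a reviewer needs before grouping findings by transport security.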


ERRORS

error.log

RAWR IN ACTION

RAWR INSTALL

RAWR SCAN

…inefficiency kills

Your time is important.

Learn by doing… no matter how small the task.

PYTHON DOESN’T KILL…

PLANS FOR THE FUTURE

• HTML appearance
• SSL parser testing
• Talk to:
  • Malware Researchers
  • Pentesters
  • Developers
  • SysAdmins

CONCLUSION / DISCUSSION

Comments, praise, questions, cash donations: Adam [ al14s@pdrcorps.com ]

Enraged hate mail, insults, threats: Tom [ c0ncealedx64@gmail.com ]

If not, it’s all Tom’s fault.

Thank you for sitting in - we hope you found our talk worthwhile.