Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Uploaded by: chris-john-riley
Category: Technology

Transcript of "Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys"
Defense by Numb3r5
Making problems for script k1dd13s and scanner monkeys
@ChrisJohnRiley
“THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING”
SOCRATES: APOLOGY, 21D
This talk contains: - Numbers - Bad Jokes - Traces of peanuts - Did I mention numbers?
TL;DR
Goals for this talk
Describe the defensive uses of HTTP status codes
1) What 2) Why 3) How 4) Goals 5) Bringing it together 6) Review
#1 WHAT?
HTTP STATUS CODES
Seems like such a small detail
… small detail, big impact
HTTP Status Codes
- Mostly defined in RFC 2616 (HTTP/1.1)
- 5 main classes of response:
  - 1XX informational
  - 2XX success
  - 3XX redirection
  - 4XX client error
  - 5XX server error
HTTP Status Codes
- Proposed RFC* for 7XX codes. Examples:
  - 701 Meh
  - 719 I am not a teapot
  - 721 Known unknowns
  - 722 Unknown unknowns
  - 732 Fucking Unic☐de
* https://github.com/joho/7XX-rfc
#1.1 BASICS, AKA THE BORING THEORY BIT
1XX Informational
- Indicates the request was received; processing is not yet completed
- 100 Continue
- 101 Switching Protocols
- 102 Processing (WebDAV RFC 2518)
2XX Success
- Indicates the request was received, processed and understood
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-Authoritative Information
- 204 No Content
2XX Success (cont.)
- 205 Reset Content
- 206 Partial Content
- 207 Multi-Status (WebDAV RFC 4918)
Codes not supported by Apache:
- 208 Already Reported
- 226 IM Used
- 250 Low on Storage Space
3XX Redirection
- Action required to complete the request
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found (Moved Temporarily)
- 303 See Other
- 304 Not Modified
3XX Redirection (cont.)
- 305 Use Proxy
- 306 Switch Proxy (unused)
- 307 Temporary Redirect
Codes not supported by Apache:
- 308 Permanent Redirect
4XX Client Error
- Client caused an error
- 400 Bad Request
- 401 Unauthorized
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
4XX Client Error (cont.)
- 406 Not Acceptable
- 407 Proxy Authentication Required
- 408 Request Timeout
- 409 Conflict
- 410 Gone
- 411 Length Required
4XX Client Error (cont.)
- 412 Precondition Failed
- 413 Request Entity Too Large
- 414 Request-URI Too Long
- 415 Unsupported Media Type
- 416 Requested Range Not Satisfiable
- 417 Expectation Failed
- 418 I'm a Teapot (IETF April Fools RFC 2324)
4XX Client Error (cont.)
- 419 / 420 / 421 Unused
- 422 Unprocessable Entity (RFC 4918)
- 423 Locked (RFC 4918)
- 424 Failed Dependency (RFC 4918)
- 425 No Code / Unordered Collection
- 426 Upgrade Required (RFC 2817)
4XX Client Error (cont.)
Codes not supported by Apache:
- 428 Precondition Required
- 429 Too Many Requests
- 431 Request Header Fields Too Large
- 444 No Response (NGINX)
- 449 Retry With (Microsoft)
- 450 Blocked by Windows Parental Controls
- 451 Unavailable For Legal Reasons
- 494 Request Header Too Large (NGINX)
- 495 Cert Error (NGINX)
- 496 No Cert (NGINX)
- 497 HTTP to HTTPS (NGINX)
- 499 Client Closed Request (NGINX)
5XX Server Error
- A server-side error occurred
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
- 505 HTTP Version Not Supported
5XX Server Error (cont.)
- 506 Variant Also Negotiates (RFC 2295)
- 507 Insufficient Storage (WebDAV RFC 4918)
- 508 Loop Detected (WebDAV RFC 5842)
- 509 Bandwidth Limit Exceeded (Apache extension)
- 510 Not Extended (RFC 2774)
Codes not supported by Apache:
- 511 Network Authentication Required (RFC 6585)
- 550 Permission Denied
- 598 Network Read Timeout Error (Microsoft proxy)
- 599 Network Connection Timeout Error (Microsoft proxy)
OMG Enough with the numb3rs already!!!!
#2 WHY?
It started as a simple idea…
? ? ? … and started to think
SCREW WITH SCANNERS
… AND SCRIPT K1DD13S
THAT SOUNDS LIKE FUN!
@thegrugq 26 Feb 2013
INCREASE ATTACKER COSTS
WASTE ATTACKER TIME
Prior Art
- When the tables turn (2004) - Roelof Temmingh, Haroon Meer, Charl van der Walt - http://slideshare.net/sensepost/strikeback
- Stopping Automated Attack Tools (2006) - Gunter Ollmann - http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
Prior Art
- mod-security mailing list (2006) - status code 503 together with a Retry-After header - Ryan Barnett - http://bb10.com/apache-mod-security-user/2006-12/msg00042.html

    SecFilterDefaultAction "deny,log,status:503"
    SecFilter ".*"
    Header set Retry-After "120"
#3 HOW?
BROWSERS HAVE TO BE FLEXIBLE
THIS LEADS TO INTERPRETATION
… which leads to the dark side
RFCS…
THEY’RE MORE OF A GUIDELINE REALLY
WHAT COULD POSSIBLY GO WRONG!
#3.1 TESTING THE HOW OF THE THING!
- Restricted research to the big 3:
  - Internet Explorer
  - Chrome / Chromium
  - Firefox
NO… SAFARI ISN'T IN THE TOP ~~10~~ 3
OPERA JUMPED… …or was it pushed?
LYNX: THE UNREALISTIC OPTION
- MITMproxy / MITMdump
  - Python-based
  - Simple to set up as a proxy / reverse proxy
  - Script-based actions
- PHP
  - Ability to set the response code
  - Must be at the top of the PHP code
  - Can be added via php.ini: auto_prepend_file = /full/path
  - Limited by the web server (Apache)

    <?php
    // set response code; $_SERVER is case-sensitive, and ?code=XXX as the source is assumed here
    $status_code = isset($_GET['code']) ? (int) $_GET['code'] : 200;
    header($_SERVER["SERVER_PROTOCOL"] . " " . $status_code);
- Testing browsers automatically
- Created a PHP file to set the status code: http://c22.cc/POC/respcode.php?code=XXX
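As an added example (not the talk's respcode.php, and not code from the speaker), here is the same kind of test endpoint written with the Python standard library so it runs offline: GET /respcode?code=NNN answers with status NNN and a small HTML body, and probe() reports what a conformant HTTP client (Python's http.client, standing in for the browsers the talk tests) makes of each code. The /respcode path, the "code" parameter and the loopback port are assumptions of this example. It also lets you see the 1XX / 204 / 304 behaviour the talk gets to further down: after a 100 the client skips the interim response and fails to parse what follows as a status line (browsers instead wait or retry until they time out), while 204 and 304 are accepted but the body that was sent with them is discarded.

```python
# Added example (not the talk's respcode.php): a stdlib HTTP endpoint that
# answers GET /respcode?code=NNN with status NNN and a small HTML body, plus a
# probe() client that reports what a conformant HTTP client makes of each code.
# The /respcode path, the "code" parameter and the loopback port are assumptions.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse


class RespCodeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/respcode":
            self.send_error(404)
            return
        try:
            code = int(parse_qs(url.query).get("code", ["200"])[0])
        except ValueError:
            code = 200
        if not 100 <= code <= 999:  # the status line only has room for three digits
            code = 200
        body = f"<html><body><h1>status {code}</h1></body></html>".encode()
        # send_response() does not validate the code, so 250, 306 or 7XX go out as-is.
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        try:
            # A body is sent for every code, even 1XX/204/304; the point is to see
            # which codes the client treats as content and which it throws away.
            self.wfile.write(body)
        except BrokenPipeError:
            pass  # client gave up early (it does for 204/304), which is fine here

    def log_message(self, *args):
        pass  # keep the console quiet


def start_server():
    """Serve on an ephemeral loopback port from a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RespCodeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, code, timeout=2.0):
    """Fetch /respcode?code=<code>; return (status, body) as http.client sees it.
    (None, b"") means the client could not make sense of the response, which is
    what happens for 100: http.client skips the interim response and then tries
    to parse the body that follows as the real status line."""
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=timeout)
    try:
        conn.request("GET", f"/respcode?code={code}")
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (http.client.HTTPException, OSError):
        return None, b""
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_server()
    print(f"listening on http://127.0.0.1:{srv.server_address[1]}/respcode?code=XXX")
    for c in (200, 250, 418, 204, 304, 100):
        print(c, probe(srv, c))
    srv.shutdown()
```

Run it, then point the browsers under test at the printed URL with different codes (or put it behind mitmproxy, as the talk does) to compare what each renders, loads as script, or silently drops.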
#3.2 BROWSERS … AND THEIR STATUS CODE HABITS
Browsers handle most things just like they handle a 200 OK?
YEP… MOSTLY
- HTML responses
  - Almost all response codes are rendered by the browser correctly
- iFrames
  - Some special cases for IE, but other browsers handle this the same as HTML
- JavaScript/CSS
  - Limited set of accepted status codes
  - Limited 3XX support (Chrome is the exception here)
  - No support for 4XX/5XX codes
So we know what browsers interpret differently
What do browsers have in common?
- 1XX code handling
  - Retries
  - Confusion
  - Chrome / IE6 try to download the page!
  - Fun on Android… (never-ending download)
  - Times out (eventually)
- 204 No Content: um, no content!
- 304 Not Modified: again, no content returned
#3.3 WHAT ABOUT HEADERS?
Just because the RFC says a specific status code must have an associated header…
…doesn’t mean it HAS to
- Redirection codes (301-304, 307): no Location header, no redirect
- 401 Unauthorized: no WWW-Authenticate header, no authentication prompt
- 407 Proxy Authentication Required: no Proxy-Authenticate header, no prompt
Just because the RFC says a specific status code shouldn’t have an associated header…
…doesn’t mean it can’t
- 300 Multiple Choices with a Location header
  - Firefox / IE6 follow the redirect
  - Chrome doesn't
- More research needed in this direction
- Most headers are uninteresting / ignored
EACH BROWSER HANDLES THINGS A LITTLE DIFFERENTLY
I WONDER WHAT WE CAN DO WITH THAT!
#4 GOALS
- Each browser handles things differently
- Use known conditions:
  - Handled codes
  - Unhandled codes
  - Browser weirdness
#4.1 BROWSER FINGERPRINTING
Firefox
- Doesn't load JavaScript returned with a 300 'Multiple Choices' status code
- Other browsers tested DO (IE/Chrome)
- Test: request JavaScript from the server; response status: 300 Multiple Choices; if the JavaScript doesn't run in the browser → Firefox
Chrome
- Loads JavaScript returned with a 307 'Temporary Redirect' status code
- Other browsers tested DON'T (IE/FF)
- Test: request JavaScript from the server; response status: 307 Temporary Redirect; if the JavaScript runs in the browser → Chrome
Internet Explorer
- Loads JavaScript returned with a 205 'Reset Content' status code
- Other browsers tested DON'T (FF/Chrome)
- Test: request JavaScript from the server; response status: 205 Reset Content; if the JavaScript runs in the browser → Internet Explorer
BROWSER FINGERPRINTING DEMO
- Other options to fingerprint browsers:
  - 300 redirect (Chrome)
  - 305 / 306 JavaScript (Firefox)
  - 400 iFrame (Internet Explorer)
  - …
POC script → http://c22.cc/POC/fingerprint.html
USER-‐AGENTS CAN BE SPOOFED
BROWSER TRAITS CAN’T
#4.2 PROXY DETECTION
Chrome Proxy Detection
- Chrome handles proxy config differently
  - A 407 status code isn't rendered… unless an HTTP proxy is set!
- Allows us to detect if an HTTP proxy is set, just not which proxy
- Can only detect HTTP proxies ;(
Chrome Proxy Detection
- Request a page from the server
- Response status: 407 Proxy Authentication Required, without a Proxy-Authenticate header
- If Chrome responds, an HTTP proxy is set
Side-Effect: Owning Proxies
- Privoxy 3.0.20 (CVE-2013-2503)
- 407 Proxy Authentication Required with a Proxy-Authenticate header
  - User prompted for user/pass
  - Prompt appears to be from Privoxy
- Privoxy passes user/pass to the remote site
- Profit???
Side-Effect: Owning Proxies
- Not just Privoxy that's affected
- Any transparent proxy, e.g. Burp, ZAP, …
- Not really a vuln for most: works as designed!
#5 BRINGING IT ALL TOGETHER
What we have
- Status codes all browsers treat as content
- Status codes all browsers can't handle (1XX, etc.)
- Lots of browser quirks
What can we do
- F*ck with things
- Screw with scanner monkeys
- Make RFC lovers cry into their beer
- Break things in general
Let's try to…
- Use what we've discovered to:
  - Break spidering tools
  - Cause false positives / negatives
  - Slow down attackers (the fun way!)
  - Block successful exploitation
#5.1 BREAKING SPIDERS
Simplistic view of spiders
- Access target URL
- Read links / functions
- Test them out
- If true: continue
- What is TRUE?
- What happens if every response is:
  - 200 OK
  - 404 Not Found
  - 500 Internal Server Error
200 OK
- IF 200 == True: problems! Never-ending spider
404 Not Found
- IF 404 == False: what website?
500 Internal Server Error
- Skipfish != happy fish
#5.2 FALSE POSITIVES / NEGATIVES
![Page 113: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/113.jpg)
§ Most scanners use status codes
  § At least to some extent
§ Initial match (prior to more costly regex)
  § Speed up detection
  § Easy solution
![Page 114: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/114.jpg)
§ What happens if:
  § Every response is
    § 200 OK
    § 404 Not Found
    § 500 Internal Server Error
    § raNd0M*
* Using codes that are accepted by all browsers as content
![Page 115: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/115.jpg)
Vulnerability Baseline
§ w3af
  § Information Points → 79
  § Vulnerabilities → 65
  § Shells → 0 shells
  § Scan time → 1h37m23s
![Page 116: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/116.jpg)
Every response 200 OK
§ No change in discoveries
§ All points discovered - per baseline
  § 79 Information Points
  § 65 Vulnerabilities
  § 0 Shells
§ Scan time → 9h56m55s
  § Lots more to check ;)
![Page 117: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/117.jpg)
Every response 404 Not Found
§ Less to scan == Less to find
§ False negatives
  § 44 Information Points (-35)
  § 37 Vulnerabilities (-28)
§ Scan time → 7m13s
  § Much quicker scan
  § Less paths traversed
![Page 118: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/118.jpg)
Every response 500
§ Server Error == OMG VULN SANDWICH!
§ False positives+++
  § 9540 Information points (+9461)
  § 9526 Vulnerabilities (+9461)
![Page 119: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/119.jpg)
Random Status Codes
§ Multiple test runs
§ All tests produced False positives++
  § avg. 619 Information points (+540)
  § avg. 550 Vulnerabilities (+485)
§ Avg. scan time → 11m37s
  § Often much quicker scans
  § Lots of variation in scan times
![Page 120: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/120.jpg)
Random Status Codes
§ Skipfish + $random_status = chaos
  § False Positives + False Negatives
  § Scan jobs killed (due to lack of scanner resources)
§ Scan times
  § 1st scan time → 10h3m35s
  § 2nd scan time → 0h0m4s
  § 3rd scan time → 16h47m41s
![Page 121: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/121.jpg)
Slowing attackers down!
#5.3
![Page 122: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/122.jpg)
What does your WAF really do?
![Page 123: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/123.jpg)
§ OMG Attack
§ Block / Return error
  § 403, 500, …
§ Profit???
![Page 124: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/124.jpg)
Why?
![Page 125: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/125.jpg)
Remember that list of status codes browsers don’t handle well?
![Page 126: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/126.jpg)
Yeah well, scanners don’t usually handle them well either!
![Page 127: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/127.jpg)
Especially the 1XX codes
![Page 128: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/128.jpg)
§ Remember LaBrea tarpit?
  § Tim Liston 2001 *
  § Designed to slow spread of Code Red
  § Slows down scans / attackers
* http://labrea.sourceforge.net
![Page 129: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/129.jpg)
![Page 130: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/130.jpg)
How about an HTTP Tarpit!
![Page 131: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/131.jpg)
![Page 132: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/132.jpg)
HTTP Tarpit Scenario
§ WAF detects scan / attack
§ Adds source IP to “naughty” list
§ Rewrite all responses from the server
  § 100|101|102 status codes only (random)
  § 204|304 might also be useful (no content)
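The tarpit scenario above, as an added example that is not the talk's nginx/ngx_lua implementation: a small WSGI middleware that keeps a "naughty" list, adds a client IP once it has produced too many 404s inside a time window (a constructed, crude scanner heuristic standing in for whatever the WAF's own detection is), and from then on rewrites every response for that IP to a random 1xx status with no body, optionally mixing in 204/304. `NaughtyList`, `TarpitMiddleware`, `demo_app` and the two sample IPs are all assumptions for the demo.

```python
"""Toy HTTP tarpit as WSGI middleware (added example, not the talk's nginx code).

Flow mirrors the slide: detect scan -> add source IP to a naughty list ->
rewrite every later response for that IP to a random 1xx (optionally
204/304) status with no body. All names here are assumptions for the demo.
"""
import random
import time
from collections import defaultdict, deque

TARPIT_CODES = (100, 101, 102)     # informational: the client keeps waiting for a real answer
NO_CONTENT_CODES = (204, 304)      # valid but bodyless, the slide's "might also be useful"
REASON = {100: "Continue", 101: "Switching Protocols", 102: "Processing",
          204: "No Content", 304: "Not Modified"}


class NaughtyList:
    """Ban a client that produces `threshold` 404s within `window_s` seconds.
    A crude constructed heuristic; a real WAF would plug in its own detection."""

    def __init__(self, threshold=10, window_s=60.0):
        self.threshold = threshold
        self.window_s = window_s
        self.misses = defaultdict(deque)
        self.banned = set()

    def record(self, ip, status, now):
        """Record one upstream response for ip; return True if ip is (now) banned."""
        if ip in self.banned:
            return True
        if status == 404:
            q = self.misses[ip]
            q.append(now)
            while q and now - q[0] > self.window_s:   # forget old misses
                q.popleft()
            if len(q) >= self.threshold:
                self.banned.add(ip)
        return ip in self.banned


def tarpit_status(rng=random, include_no_content=False):
    """Pick the replacement status line for a banned client."""
    pool = TARPIT_CODES + (NO_CONTENT_CODES if include_no_content else ())
    code = rng.choice(pool)
    return f"{code} {REASON[code]}"


class TarpitMiddleware:
    def __init__(self, app, naughty, rng=random, include_no_content=False):
        self.app, self.naughty, self.rng = app, naughty, rng
        self.include_no_content = include_no_content

    def __call__(self, environ, start_response):
        ip = environ.get("REMOTE_ADDR", "0.0.0.0")
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers

        body = b"".join(self.app(environ, capture))
        code = int(captured["status"].split()[0])
        if self.naughty.record(ip, code, time.time()):
            # Real status, headers and body are all dropped: nothing usable comes back.
            start_response(tarpit_status(self.rng, self.include_no_content), [])
            return [b""]
        start_response(captured["status"], captured["headers"])
        return [body]


def demo_app(environ, start_response):
    """Constructed upstream application: only '/' exists."""
    if environ.get("PATH_INFO") == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"nope"]


def call(app, ip, path):
    """Drive a WSGI app for one request; return (status_line, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    body = b"".join(app({"REMOTE_ADDR": ip, "PATH_INFO": path}, start_response))
    return result["status"], body


def simulate(n_misses=10, seed=1):
    """A scanner at 10.0.0.5 probes n_misses missing paths, then asks for '/';
    a bystander at 10.0.0.9 asks for '/' too. Returns both final responses."""
    app = TarpitMiddleware(demo_app, NaughtyList(threshold=n_misses), random.Random(seed))
    for i in range(n_misses):
        call(app, "10.0.0.5", f"/probe{i}")
    return call(app, "10.0.0.5", "/"), call(app, "10.0.0.9", "/")
```

The ban is per source IP and the upstream is still consulted, so legitimate users on other addresses are unaffected; whether a 1xx with no final response actually stalls a given client is what the measurements on the following slides are about.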
![Page 133: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/133.jpg)
Let’s do some science!*
* Science not included
![Page 134: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/134.jpg)
NIKTO vs. the HTTP TARPIT
![Page 135: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/135.jpg)
|           | Baseline | HTTP Tarpit |
|-----------|----------|-------------|
| Scan time | 2m 18s   | 14h 33m 2s  |
| Findings  | 18       | 10          |
![Page 136: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/136.jpg)
W3AF vs. the HTTP TARPIT
![Page 137: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/137.jpg)
|           | Baseline   | HTTP Tarpit |
|-----------|------------|-------------|
| Scan time | 1h 37m 23s | 18m 10s     |
| Findings  | 65         | 0           |
![Page 138: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/138.jpg)
SKIPFISH vs. the HTTP TARPIT
![Page 139: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/139.jpg)
|           | Baseline                         | HTTP Tarpit              |
|-----------|----------------------------------|--------------------------|
| Scan time | 18m 10s                          | 05s                      |
| Findings  | Low: 2519, Med: 2522, High: 12   | Low: 0, Med: 0, High: 3  |
![Page 140: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/140.jpg)
ACUNETIX vs. the HTTP TARPIT
![Page 141: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/141.jpg)
|           | Baseline                                | HTTP Tarpit                        |
|-----------|-----------------------------------------|------------------------------------|
| Scan time | 1h 19m                                  | 33m                                |
| Findings  | Info: 1104, Low: 30, Med: 32, High: 24  | Info: 3, Low: 3, Med: 1, High: 0   |
![Page 142: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/142.jpg)
HTTP Tarpit Results
§ HTTP Tarpit Results *
§ Slow down scans
  § Nikto: 340x as long
  § Others give up quicker ;)
§ Unreliable / aborted scans
§ Up to 100% less findings
* Not scientifically sound ;)
![Page 143: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/143.jpg)
Blocking successful exploitation
#5.4
![Page 144: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/144.jpg)
We’ve made it hard to find the vulnerabilities
![Page 145: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/145.jpg)
We’ve made it time consuming for attackers
![Page 146: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/146.jpg)
Now let’s stop the sk1dd13s using
Metasploit to pop $hells
![Page 147: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/147.jpg)
Q: How often does Metasploit reference status codes?
rgrep -E 'res[p|ponse]?\.code' *
→ 958 *
* Not scientifically sound ;)
![Page 148: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/148.jpg)
Lots of dependency on status codes*
* yep, even the stuff I wrote
![Page 149: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/149.jpg)
```ruby
if (res.code < 200 or res.code >= 300)
  case res.code
  when 401
    print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
  end
  fail_with(Exploit::Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
end
```
![Page 150: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/150.jpg)
No match, No shell*
* exploit dependent
![Page 151: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/151.jpg)
#6
[ REVIEW ]
![Page 152: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/152.jpg)
§ Using status codes to our benefit is fun
  § … and useful!
§ Browsers can be quirky
§ Scanners / attack toolkits are sometimes set in their ways
  § Take the easy route
  § Easy to fool
![Page 153: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/153.jpg)
§ WAFs need to get more offensive about their defense
  § More than just blocking a request
  § Even if you use a snazzy message
§ Hacking back is bad
§ Slowing down known attacks is good
§ Making life harder for skiddies is pricele$$
![Page 154: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/154.jpg)
§ Current tools are much the same as APT
  § APT (Adequate Persistent Threat)
  § Only as advanced as they NEED to be
![Page 155: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/155.jpg)
…because screwing with sk1dd13s
is fun!
![Page 156: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/156.jpg)
Implementation #6.1
![Page 157: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/157.jpg)
![Page 158: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/158.jpg)
Ghetto Implementation
§ PHP (the lowest common denominator)
  § auto-prepend-file
  § Limited to resources PHP handles
§ MITMdump
  § MITMproxy == memory hog
  § Reverse proxy mode
![Page 159: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/159.jpg)
![Page 160: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/160.jpg)
§ Usable implementation
§ Nginx as reverse proxy
  § Requires: ngx_lua
  § ngx.status = XXX
  § Bugs in non-git version
    § 203, 305, 306, 414, 505, 506 return nil
https://github.com/ChrisJohnRiley/Random_Code/blob/master/nginx/nginx.conf
![Page 161: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/161.jpg)
![Page 162: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/162.jpg)
§ Ease adoption
§ Implement into mod-security
  § Not a simple task
  § Already been discussed many times
  § Help wanted ;)
![Page 163: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/163.jpg)
Countering this research
#6.2
![Page 164: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/164.jpg)
§ Less reliance on status codes
§ More reliance on content / headers
§ Pros
  § Better matching / intelligence
§ Cons
  § Slower? (regex matching)
  § More resource intensive
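The trade-off on this slide, and the false positive / negative behaviour measured in #5.2, in one added example that is not from the talk: a constructed five-path site with two real issues (an exposed zip and a SQL error page), a `serve` function that applies the slide policies (every response 200 / 404 / 500 / random, body untouched), and two toy scanners, one that decides purely on the status code and one that ignores the status and matches the body. `HONEST`, `CHECKS`, `BROWSER_OK_CODES` and the response bodies are all constructed for the demo.

```python
"""Status-code-first vs content-based matching over a constructed site.

Added example, not the talk's code. serve() applies the slide's response
policies to an honest site, and two toy scanners report findings: one
trusting the status code, one reading the body. Everything here is constructed.
"""
import random

# Honest site: path -> (status, body). Two real issues: an exposed zip and a SQL error.
HONEST = {
    "/backup.zip":  (200, b"PK\x03\x04 ...constructed zip bytes..."),
    "/old.zip":     (404, b"<h1>Not Found</h1>"),
    "/item?id=1'":  (500, b"You have an error in your SQL syntax near ''"),
    "/search?q=1'": (200, b"<html>no results</html>"),
    "/index.php":   (200, b"<html>Welcome</html>"),
}

# Constructed list of codes a browser renders as content (the slide's raNd0M pool).
BROWSER_OK_CODES = (200, 201, 202, 203, 206, 400, 403, 404, 500, 502)

# Each check: path to request, status that counts as a hit, body evidence
# that actually proves the issue.
CHECKS = [
    ("/backup.zip",  200, b"PK\x03\x04"),
    ("/old.zip",     200, b"PK\x03\x04"),
    ("/item?id=1'",  500, b"error in your SQL syntax"),
    ("/search?q=1'", 500, b"error in your SQL syntax"),
]


def serve(path, policy, rng):
    """Honest response with only the status code rewritten, as the WAF would do."""
    status, body = HONEST[path]
    if policy == "honest":
        return status, body
    if policy == "random":
        return rng.choice(BROWSER_OK_CODES), body
    return int(policy[3:]), body          # "all200" -> 200, "all404" -> 404, ...


def status_only_scan(policy, rng=None):
    """Cheap scanner: the status code is the whole decision (no regex cost)."""
    rng = rng or random.Random(0)
    return {path for path, want, _ in CHECKS if serve(path, policy, rng)[0] == want}


def content_scan(policy, rng=None):
    """Slower scanner: ignores the status code and looks for evidence in the body."""
    rng = rng or random.Random(0)
    return {path for path, _, evidence in CHECKS if evidence in serve(path, policy, rng)[1]}


def evaluate(policy):
    """False positives / negatives of each scanner against body-based ground truth."""
    truth = content_scan("honest")
    report = {}
    for name, scan in (("status_only", status_only_scan), ("content", content_scan)):
        found = scan(policy)
        report[name] = {"fp": len(found - truth), "fn": len(truth - found)}
    return report


if __name__ == "__main__":
    for policy in ("honest", "all200", "all404", "all500", "random"):
        print(policy, evaluate(policy))
```

With only the status code rewritten, the content matcher is unaffected under every policy, while the status-only matcher misses everything under all-404, flags the harmless paths under all-200 and all-500, and wobbles under random codes; the price is that every check now reads and pattern-matches the body, which is exactly the "slower / more resource intensive" con on the slide.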
![Page 165: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/165.jpg)
![Page 166: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/166.jpg)
Questions?
![Page 167: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/167.jpg)
CODE / SCRIPTS AVAILABLE
HTTP://GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE
![Page 168: Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys](https://reader034.fdocuments.net/reader034/viewer/2022051314/54b732444a795912438b45c0/html5/thumbnails/168.jpg)