Seth Law Chris Gates Ken Johnson - Carnal0wnage · 2017. 1. 21. · Requirement for...
Web Exploitation Framework "wXf"
Seth Law
Chris Gates
Ken Johnson
Seth Law Bio
Seth Law is a Principal Consultant at FishNet Security, specializing in Application Security. He has worked in information security since 2004 and enjoys researching complex vulnerabilities and exploits. He has previously worked as a Unix administrator, coder, and security administrator. Seth is currently based in Salt Lake City, where he lives for the winter snowboarding and summer climbing.
Chris Gates Bio
➔ Blogger → carnal0wnage.attackresearch.com
➔ Metasploit Project
➔ AttackResearch
➔ Security Twit → carnal0wnage
Ken Johnson Bio
Blog: cktricky.blogspot.com
BtoD
Dirchex/Dirsnatch
NoVA Hacker
Framework Overview
Another framework?
Prior experience with other web centric frameworks
What about Metasploit?
➔ Educational, fun, challenging
➔ Unrestricted core development
➔ Web 2.0
➔ AppSec community involvement
➔ We want more pwnage
Interface Design
➔ ...Speaking of Metasploit
➔ “Easy Way” = proprietary design
➔ “wXf Way” = Hard for us, easy for you
Interface Design
Framework Core
Console
➔ rb-readline / readline
➔ Commands – use, set, help, etc.
➔ DB interface provided through the console
Storage
➔ DB Based Exploits and Payloads, SQLite3
➔ File based modules
➔ Deciding which storage to use...
WebStack
✔ Hosts RFI Shell
✔ LFILE / LHTML
✔ Instances limited by port numbers
✔ Ability to manage
✔ Various uses for WebStack...
WebStack
Potential uses for WebStack, conceptual
Phish and report
User-Agent detection, redirection (mobile pwnage)
Java Version detection and subsequent processing
Login form overlay, snatch credentials
WebStack
Examples
Respond to simple WebDAV requests
Java JNLP vuln via WebDAV
Do "stuff" based on the User-Agent received
Serve up an empty applet to determine the Java version, then do "stuff"
Phishing
General ability to respond to requests...
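The WebStack behaviours listed on the slides above (answering simple WebDAV requests, branching on the User-Agent, serving a local file the way the LFILE/LHTML options do) as an added example. This is not WebStack's code and knows nothing of its real options or internals: the `MiniWebStack` name, the `/m/` mobile redirect target, the `WEBSTACK_PORT` variable and the file map are all assumptions made for illustration. The routing decision is a pure function so it can be exercised without opening a port; `serve` wraps it in a minimal HTTP/1.1 loop.

```ruby
require 'socket'

# Added example, not WebStack itself. route() is (method, path, headers, files)
# -> [status, headers, body]; serve() puts it on a TCP port and logs requests.
module MiniWebStack
  ALLOW = 'OPTIONS, GET, HEAD, PROPFIND'.freeze
  REASONS = { 200 => 'OK', 207 => 'Multi-Status', 302 => 'Found',
              404 => 'Not Found', 405 => 'Method Not Allowed' }.freeze
  MOBILE_UA = /iPhone|iPad|Android|Mobile/i
  MOBILE_PATH = '/m/'.freeze # assumed redirect target for mobile clients

  # Minimal PROPFIND answer: the root is a collection and nothing else exists.
  MULTISTATUS = <<~XML.freeze
    <?xml version="1.0" encoding="utf-8"?>
    <D:multistatus xmlns:D="DAV:">
      <D:response>
        <D:href>/</D:href>
        <D:propstat>
          <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
          <D:status>HTTP/1.1 200 OK</D:status>
        </D:propstat>
      </D:response>
    </D:multistatus>
  XML

  # `headers` keys are lower-case; `files` maps request paths to bodies
  # (the stand-in for WebStack's LFILE/LHTML options).
  def self.route(method, path, headers, files = {})
    case method
    when 'OPTIONS'
      # Enough for a WebDAV-aware client to treat us as a DAV share.
      [200, { 'DAV' => '1', 'Allow' => ALLOW, 'MS-Author-Via' => 'DAV' }, '']
    when 'PROPFIND'
      [207, { 'Content-Type' => 'text/xml; charset=utf-8' }, MULTISTATUS]
    when 'GET', 'HEAD'
      if path == '/' && headers['user-agent'].to_s =~ MOBILE_UA
        [302, { 'Location' => MOBILE_PATH }, '']          # mobile branch
      elsif files.key?(path)
        [200, { 'Content-Type' => 'text/plain' }, files[path]]
      else
        [404, { 'Content-Type' => 'text/plain' }, "not found\n"]
      end
    else
      [405, { 'Allow' => ALLOW }, '']
    end
  end

  def self.serve(port, files)
    server = TCPServer.new('0.0.0.0', port)
    loop do
      client = server.accept
      begin
        request_line = client.gets
        next unless request_line
        method, path, = request_line.split(' ')
        headers = {}
        while (line = client.gets) && line != "\r\n"
          name, value = line.split(':', 2)
          headers[name.downcase] = value.to_s.strip
        end
        # Drain any request body (PROPFIND usually carries one) before replying.
        client.read(headers['content-length'].to_i) if headers['content-length']
        status, hdrs, body = route(method, path, headers, files)
        $stderr.puts "[*] #{client.peeraddr[3]} #{method} #{path} -> #{status} (UA: #{headers['user-agent']})"
        client.write "HTTP/1.1 #{status} #{REASONS[status]}\r\n"
        hdrs.merge('Content-Length' => body.bytesize.to_s, 'Connection' => 'close').each do |k, v|
          client.write "#{k}: #{v}\r\n"
        end
        client.write "\r\n"
        client.write body unless method == 'HEAD'
      ensure
        client.close
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  files = { '/shell.txt' => "constructed LFILE content\n" } # constructed, not a real shell
  if ENV['WEBSTACK_PORT']
    MiniWebStack.serve(ENV['WEBSTACK_PORT'].to_i, files)
  else
    p MiniWebStack.route('OPTIONS', '/', {})
    p MiniWebStack.route('GET', '/', { 'user-agent' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X)' })
  end
end
```

Run it with `WEBSTACK_PORT=8080 ruby mini_webstack.rb` to listen; without the variable it only prints the routing decisions for two constructed requests. Keeping the policy separate from the socket loop is what makes the "do stuff based on the User-Agent" idea testable: every new branch is a unit test on `route`, not a live listener.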
WebStack Demo
Video Demonstration
wXf Application Extensions (wAx)
● Means of extending what wXf can do
● Contains web libraries, re-usable console libraries. Anything that can be re-used should be contained in wAx
● Gem inclusion, version control for wrappers
Current Libraries
Mechanize
Nokogiri
Savon
Can be extended
Planned/Future Libraries
● Requirements
– Must be tested
– License must allow for inclusion
– Has to be stable
– Must have a use case
● Examples
– JSON
– FLASH/AMF
– DB Translation (candidate: Sequel)
Support Platform, Architecture
*Nix
Mac OS X
Ruby 1.8.6, 1.8.7; testing 1.9.1 (plan for 1.9)
HIGHLY dependent on libxml2
Required by mechanize/nokogiri anyway
Modules, Exploits and Payloads
Modules
Auxiliary is currently the only file-based module type
'Assists', think 'mixins' – wrappers
Shims provide interoperability and flexible porting
Allow you to call send_request_cgi, print_status, etc.
Global and Local Options
Exploits / Payloads
Video Demonstration(s)
Exploits
● Current
– RFI
– XSS
● Future
– Blind SQLi
– Oracle
– Directory Traversal
– Command Injection
– File Upload Exploitation
Payloads (current)
● RFI
– PHP Shell
● XSS
– alert_from_file
– BeEF hook
– webserver stack files
Auxiliary
Chris Gates - Aux Mods Demo
Auxiliary
● user_agent_test
– Port of Chris John Riley's user-agent tester
● dir_trav_fuzz
– Fuzz HTTP services for directory traversals
● passive_enum
– Gather info from returned server headers
– Server version from headers
– Web toolkit identification from cookies, X-Powered-By, etc.
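An added example, not wXf's own code, tying together the Modules slide (an 'Assist' mixin supplying the shims, print_status and global/local options) and the passive_enum auxiliary module described above. The `Assist` module, the option names (RHOST, RPORT, SSL, URI), the `PassiveEnum` class and the cookie signature table are assumptions about how such a module could be laid out, not the framework's real API; `send_request_cgi` here is a thin wrapper over Net::HTTP with a Metasploit-style call shape. The fingerprinting itself is a pure function over a header hash, so it runs against the constructed sample response with no network.

```ruby
require 'net/http'
require 'uri'

# Added example, not wXf code. Everything an auxiliary module should not have to
# re-implement lives in the mixin: option handling, console output, and a shim
# around Net::HTTP exposing a send_request_cgi-style call (names are assumptions).
module Assist
  GLOBAL_DEFAULTS = { 'RHOST' => nil, 'RPORT' => 80, 'SSL' => false }.freeze

  # Global options shared by every module, overlaid with this module's local ones.
  def options
    @options ||= GLOBAL_DEFAULTS.merge(local_options)
  end

  def local_options
    {}
  end

  # `set NAME VALUE` from the console ends up here; unknown names are rejected so a
  # typo cannot silently leave a target option unset.
  def set(name, value)
    raise ArgumentError, "unknown option #{name}" unless options.key?(name)
    options[name] = value
  end

  def print_status(msg)
    puts "[*] #{msg}"
  end

  # Shim: one GET built from the module's options; Net::HTTPResponse or nil on failure.
  def send_request_cgi(opts = {})
    raise ArgumentError, 'RHOST is not set' unless options['RHOST']
    uri = URI::HTTP.build(host: options['RHOST'], port: options['RPORT'],
                          path: opts.fetch('uri', '/'))
    req = Net::HTTP::Get.new(uri)
    (opts['headers'] || {}).each { |k, v| req[k] = v }
    Net::HTTP.start(uri.host, uri.port, use_ssl: options['SSL'],
                    open_timeout: 5, read_timeout: 10) { |http| http.request(req) }
  rescue SystemCallError, SocketError, Timeout::Error => e
    print_status("request to #{uri} failed: #{e.message}")
    nil
  end
end

class PassiveEnum
  include Assist

  # Session cookie names that betray the server-side toolkit (illustrative table).
  COOKIE_SIGNATURES = {
    'PHPSESSID'         => 'PHP',
    'JSESSIONID'        => 'Java servlet container',
    'ASP.NET_SessionId' => 'ASP.NET',
    '_session_id'       => 'Ruby on Rails',
    'CFID'              => 'ColdFusion',
  }.freeze

  def local_options
    { 'URI' => '/' }
  end

  # Pure fingerprinting over a header hash (String => String or Array). Header names
  # are case-insensitive; Net::HTTPResponse#to_hash already downcases them.
  def fingerprint(headers)
    h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = Array(v) }
    result = { server_product: nil, server_version: nil, toolkits: [] }
    # "Apache/2.2.14 (Ubuntu)" -> product "Apache", version "2.2.14"
    if (m = h.fetch('server', []).first.to_s.match(%r{\A([^/\s]+)/(\S+)}))
      result[:server_product] = m[1]
      result[:server_version] = m[2]
    end
    # X-Powered-By is emitted by the toolkit itself, so take it verbatim.
    h.fetch('x-powered-by', []).each { |v| result[:toolkits] << v }
    h.fetch('set-cookie', []).each do |cookie|
      name = cookie.split('=', 2).first.strip
      result[:toolkits] << COOKIE_SIGNATURES[name] if COOKIE_SIGNATURES.key?(name)
    end
    result[:toolkits].uniq!
    result
  end

  def run
    res = send_request_cgi('uri' => options['URI'])
    return nil unless res
    fp = fingerprint(res.to_hash)
    print_status("server: #{fp[:server_product]} #{fp[:server_version]}") if fp[:server_product]
    fp[:toolkits].each { |t| print_status("toolkit: #{t}") }
    fp
  end
end

# Constructed sample response headers; not captured from any real host.
SAMPLE_HEADERS = {
  'Server'       => 'Apache/2.2.14 (Ubuntu)',
  'X-Powered-By' => 'PHP/5.2.4',
  'Set-Cookie'   => ['PHPSESSID=abc123; path=/', 'JSESSIONID=0xDEADBEEF; Path=/app'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  p PassiveEnum.new.fingerprint(SAMPLE_HEADERS)
end
```

Splitting `run` (network) from `fingerprint` (pure) is the design point: the console `set` / `run` path exercises the shim, while the signature logic can be unit-tested on saved responses, which also makes porting a Metasploit-style module a matter of swapping the shim rather than the logic.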
Auxiliary
Ken Johnson – Aux Mods Demo
Future Framework uses
WAF Detection and Evasion
IDS Detection / Evasion
Scanner Modules, exploit tie-in
Reporting
● Planned future reporting methods (out)
– Dradis hook
– XML Export
● Planned future reporting methods (in)
– Burp Import
– Nikto Import
Summary
● AppSec community involvement pivotal in success
● Road-Map
● Release
● Beta Testers
Contact Information
@wXframework
@sethlaw
@carnal0wnage
@cktricky
● Email - [email protected]
Questions?
Thank you!!!
Web Exploitation Framework