Gone in 60 minutes

Post on 01-Jan-2016


Transcript of Gone in 60 minutes

Gone in 60 minutes

A Practical Approach to Hacking an Enterprise with

YASUO

Saurabh Harit {@0xsauby}

Stephen Hall {@_stephen_h}

root@msf:~$>getuid

Saurabh Harit (@0xsauby)

Director of Security Research @Security Compass

Pentester i.e. Domain Admin at many companies

Have a secret crush on reverse engineering

Gym freak / Proud father of two beautiful dogs

Stephen Hall (@_stephen_h)

Security Consultant @Security Compass

Owner of a Christmas hat

What this talk is not about

No 0-days

No Shells

Scenario

You’re on a red-team engagement

You’ve bypassed physical security

You’ve bypassed NAC

What next? How would you pwn the network?

Vulnerability scanner?

The Problem

Can’t use network vulnerability scanner

Have to be Stealth & Quick

Can’t use Google dorks (internal network): site, link, inurl

Where do $hells come from?

It’s not about what, it’s about

WHERE

Popular Vulnerable Apps

Apache Tomcat

JBoss jmx-console

Hudson Jenkins

$hells

Not So Popular Vulnerable Apps

ADManager Plus

Cyberoam UTM

YASUO what???

Written in ruby

Did not write it on our flight here

Scans the network for vulnerable applications

Currently supports 100+ vulnerable applications

All currently supported apps are Metasploit-able

Why Yasuo

Because there are tons of vulnerable applications and it’s not easy to find them

World Without Automation

Run an nmap scan & manually poke each & every web port

This CANNOT be fun

What’s currently out there

Nikto by Chris Sullo

https://www.cirt.net/Nikto2

Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls

http://nmap.org/nsedoc/scripts/http-enum.html

Nmap script – http-default-accounts.nse by Paulino Calderon

https://www.nmap.org/nmap-exp/calderon/scripts/http-default-accounts.nse

Exploring Yasuo

What’s in the Box

yasuo.rb

resp200.rb

default-path.csv

users.txt

pass.txt

GPL

Behind the Scenes

Detects false-positives

Automatically extracts login form

Automatically extracts login parameters

What’s New

RaNdOmIzAtIoN!!!

More robust check to detect false positives

Properly formatted output table

More application signatures

Signatures for IP Cameras / Encoder / Decoders

Modular & Cleaned-up Code – if there is any such thing

Demo Time

Challenges

Exploit-db – great resource but inconsistent format

Dynamic detection of login page and parameters is regex based.
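The two "Behind the Scenes" ideas (catch-all false-positive detection via a randomized probe path, and regex-based login-form extraction) sketched in Ruby as an added illustration; this is not Yasuo's own code, and the HTML page and the status codes are constructed samples rather than real responses.

```ruby
# Added illustration (not Yasuo's own code): the helpers below sketch what the
# "Behind the Scenes" slides describe, using constructed inputs only.
require 'securerandom'

# A server that answers 200 for a random, nonexistent path is a catch-all; a
# "200 OK" it returns for a signature path then proves nothing (false positive).
def catch_all?(status_for_signature_path, status_for_random_path)
  status_for_signature_path == 200 && status_for_random_path == 200
end

# The randomized probe path requested alongside each signature path, so a
# catch-all server cannot be fingerprinted by a fixed "does-not-exist" name.
def random_probe_path
  "/#{SecureRandom.hex(8)}"
end

# Regex-based login-form extraction, as the "Challenges" slide admits Yasuo's is.
# Returns the action, method and (name, type) pairs of the first form that has a
# password field, or nil when the page has no such form. Regexes break on
# unusual attribute quoting, which is exactly the fragility the slide refers to.
def extract_login_form(html)
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).each do |attrs, body|
    next unless body =~ /<input\b[^>]*type\s*=\s*["']?password["']?/i
    action = attrs[/\baction\s*=\s*["']([^"']*)["']/i, 1] || ''
    method = (attrs[/\bmethod\s*=\s*["']?(\w+)/i, 1] || 'GET').upcase
    params = body.scan(/<input\b[^>]*>/i).map { |input|
      type = (input[/\btype\s*=\s*["']?(\w+)/i, 1] || 'text').downcase
      name = input[/\bname\s*=\s*["']([^"']*)["']/i, 1]
      next if name.nil? || %w[submit button image reset].include?(type)
      [name, type]
    }.compact
    return { action: action, method: method, params: params }
  end
  nil
end

# Constructed sample page: a search box plus a typical admin login form.
SAMPLE_HTML = <<~HTML
  <html><body>
  <form name="search" action="/search" method="get"><input name="q" type="text"></form>
  <form action="/j_security_check" method="POST">
    <input type="hidden" name="lt" value="abc">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit" value="Log in">
  </form>
  </body></html>
HTML

if __FILE__ == $0
  p extract_login_form(SAMPLE_HTML)
  p catch_all?(200, 200)   # true: the signature hit must be discarded
end
```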

Future Development

Smarter version detection

Support masscan output format (because y’all love to scan the Interwebs)

Add support for more vulnerable applications, of course

Add secondary signature

Make current crappy code modular

Add multi-threading

Add support for vFeed???

Change format of default path file – CSV to YAML? or JSON?

CFH (cry for help)

Signatures Signatures Signatures & Signatures

Please submit application signatures:

Post a comment on Github

Update default path file on Github

Drop us an Email

Send a Pigeon.

Questions??? or not

Thank You!

_stephen_h perfectlylogical@gmail.com

0xsauby saurabh.harit@gmail.com

https://github.com/0xsauby/yasuo

Credit

Nmap ruby library - https://github.com/sophsec/ruby-nmap

The Exploit Database (EDB) - http://www.exploit-db.com/

@funkaoshi

Google Image Cache