Automated vulnerability scanning and exploitation
Dennis Pellikaan Thijs Houtenbos
University of Amsterdam, System and Network Engineering
October 22, 2013
Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 40
Introduction
- Open Source scripts
- Shared on the internet, can be used by anyone
- Lots of attention for large projects (Wordpress, Joomla, etc)
- What about the rest?
System overview
A completely automated system that takes source code as input and outputs a list of vulnerable servers.
Sourceforge (slide 4, image only)
Github (slides 5 and 6, image only)
System parts
1. Collect a large number of projects
2. Analyse code for possible vulnerabilities
3. Exploit the findings in a local environment to confirm
4. Search for installations of the project online
5. Validate that the found installation matches the project
Collect projects
Two sources
- Sourceforge
- GitHub
- Focus on PHP scripts
- Automated download and extraction
Collect projects
Collected projects (slide 9, image only)
Analyse code
SQL Injection
    mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
File Inclusion
    require $_POST["lang_install"].".php";
Command Injection
    exec($_GET['com'], $result);
Regular Expressions
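The slides show the three vulnerable patterns but not the regular expressions used to find them. The following is an added example, not the authors' scanner: a small Python triage scanner whose regular expressions are constructed here (an assumption about how such rules look) and which flags a request superglobal used directly as the argument of mysql_query, require/include, or a command-execution function. It runs over constructed PHP snippets that mirror the slide, plus two hardened variants it must not flag. It is deliberately coarse and will also flag some safe code (for example a query that wraps the value in an escaping function), which is exactly why the next step on the slides confirms each finding in a local environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample PHP sources: the three vulnerable one-liners from the slide
# and two hardened variants (prepared statement, escapeshellarg) for contrast.
SAMPLE_SOURCES: Dict[str, str] = {
    "admin.php": 'mysql_query("SELECT * FROM users WHERE id=\'$_GET[id]\'");',
    "install.php": 'require $_POST["lang_install"].".php";',
    "run.php": "exec($_GET['com'], $result);",
    "safe_admin.php": '$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); '
                      '$stmt->execute([$_GET["id"]]);',
    "safe_run.php": "exec('ls ' . escapeshellarg($_GET['dir']), $result);",
}

# A request superglobal being indexed: $_GET[, $_POST[, ...
SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE)\s*\['

# Assumed rules, one per vulnerability class on the slide. Each requires the
# superglobal to appear inside the sensitive call's argument list.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # mysql_query( "...$_GET[...   : tainted value interpolated into the query string
    ("SQL Injection",
     re.compile(r'\bmysql_query\s*\(\s*["\'][^;]*' + SUPERGLOBAL)),
    # require/include(_once) $_POST[...  : tainted value decides which file is loaded
    ("File Inclusion",
     re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*' + SUPERGLOBAL)),
    # exec/system/... ( $_GET[...      : tainted value is the first command argument
    ("Command Injection",
     re.compile(r'\b(?:exec|system|passthru|shell_exec)\s*\(\s*' + SUPERGLOBAL)),
]


def scan_source(name: str, source: str) -> List[Tuple[str, str, int]]:
    """Return (vulnerability class, file name, line number) for every line
    that matches one of the rules. Findings are candidates, not proof."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((label, name, lineno))
    return findings


def scan_all(sources: Dict[str, str] = SAMPLE_SOURCES) -> List[Tuple[str, str, int]]:
    """Scan every file of a (constructed) project and collect the candidates."""
    out: List[Tuple[str, str, int]] = []
    for name, src in sources.items():
        out.extend(scan_source(name, src))
    return out


if __name__ == "__main__":
    for label, name, lineno in scan_all():
        print(f"{name}:{lineno} {label}")
```

The two hardened files produce no findings because the superglobal is no longer the direct argument of the sensitive call; a real scanner would follow assignments between lines, which this per-line version does not.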
Analyse projects
Vulnerable projects (slides 12 and 13, image only)
Vulnerability categories (slide 14, image only)
Exploit vulnerabilities
SQL Injection
    mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
File Inclusion
    require $_POST["lang_install"].".php";
Command Injection
    exec($_GET['com'], $result);
Exploit vulnerabilities
SQL Injection
    override_function(mysql_query, log_function);
Script source
    mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
Executed
    log_function("SELECT * FROM users WHERE id='$_GET[id]'");
Exploit vulnerabilities
File Inclusion
    require $_POST["lang_install"].".php";
    log_function($_POST["lang_install"].".php");
Command Injection
    exec($_GET['com'], $result);
    log_function($_GET['com'], $result);
Exploit vulnerabilities
Request the page
    http://localhost/myscript/admin.php?id=hacklu
Log function
    Write the function arguments to a logfile
Logfile
    admin.php:137 mysql_query SELECT * FROM users WHERE id ='hacklu'
Exploit vulnerabilities
Request the page
    http://localhost/myscript/admin.php?id=hack'lu
Log function
    Write the function arguments to a logfile
Logfile
    admin.php:137 mysql_query SELECT * FROM users WHERE id ='hack'lu'
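The second request puts a quote into the id parameter, and the logged query shows that it reached mysql_query unescaped and terminated the string literal. The check that turns such a logfile into a verdict is shown below as an added example, not the authors' tooling: it parses logfile lines in the "file:line function argument" layout of the slide (the lines are constructed here, including a third one where the application escaped the quote) and decides for each logged call whether the marker stayed inside one single-quoted literal or broke out of it. Only single-quoted literals with backslash or doubled-quote escapes are modelled, which is an assumption; how the log is produced (the slides use override_function) does not matter to this code.

```python
import re
from typing import List, Optional, Tuple

# Constructed logfile: the two requests from the slides (id=hacklu, id=hack'lu)
# and a third call in which the application escaped the quote first.
SAMPLE_LOG = """\
admin.php:137 mysql_query SELECT * FROM users WHERE id ='hacklu'
admin.php:137 mysql_query SELECT * FROM users WHERE id ='hack'lu'
admin.php:142 mysql_query SELECT * FROM users WHERE id ='hack\\'lu'
"""

# "file:line function argument" as written by the logging hook on the slide
LOG_LINE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+)\s+(?P<func>\w+)\s+(?P<arg>.*)$")


def parse_log_line(raw: str) -> Optional[Tuple[str, int, str, str]]:
    """Split one logfile line into (file, line, function, argument), or None."""
    m = LOG_LINE.match(raw)
    if m is None:
        return None
    return m.group("file"), int(m.group("line")), m.group("func"), m.group("arg")


def literal_mask(query: str) -> List[bool]:
    """For every character of the query, True if it is payload inside a
    single-quoted SQL string literal. Delimiter quotes count as syntax (False);
    backslash-escaped characters and doubled quotes stay inside the literal.
    Double-quoted literals and SQL comments are deliberately not modelled."""
    mask = [False] * len(query)
    inside = False
    i = 0
    while i < len(query):
        c = query[i]
        if inside and c == "\\" and i + 1 < len(query):
            mask[i] = mask[i + 1] = True       # escaped character is still payload
            i += 2
            continue
        if c == "'":
            if inside and i + 1 < len(query) and query[i + 1] == "'":
                mask[i] = mask[i + 1] = True   # '' inside a literal is an escaped quote
                i += 2
                continue
            inside = not inside                # opening or closing delimiter
            i += 1
            continue
        mask[i] = inside
        i += 1
    return mask


def marker_breaks_literal(query: str, marker: str) -> Optional[bool]:
    """None:  the marker never reached this query (filtered or unused input).
    False: the marker sits entirely inside one literal (the quoting held).
    True:  part of the marker lies outside a literal, i.e. the quote in the
           input closed the literal and the remainder became SQL syntax."""
    start = query.find(marker)
    if start < 0:
        return None
    mask = literal_mask(query)
    return not all(mask[start:start + len(marker)])


def confirm_from_log(log_text: str, marker: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Apply the check to every logged call: (location, function, verdict)."""
    verdicts = []
    for raw in log_text.splitlines():
        rec = parse_log_line(raw)
        if rec is None:
            continue
        file, line, func, arg = rec
        verdicts.append((f"{file}:{line}", func, marker_breaks_literal(arg, marker)))
    return verdicts


if __name__ == "__main__":
    for location, func, verdict in confirm_from_log(SAMPLE_LOG, "hack'lu"):
        print(location, func, {None: "not reached", False: "contained", True: "CONFIRMED"}[verdict])
```

A True verdict is the confirmation the slides ask for: the input was not confined to its string literal. A None verdict for a call that the static scan flagged is just as informative, because it means the value never reached that query unchanged and the finding was a false positive.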
Exploit vulnerabilities
Confirmation of results (slide 20, image only)
Search (slide 21, image only)
Search
Google Advanced Search Operators
allinurl
    page.php: require $_GET['page_id'];
    allinurl:"/page.php?page_id="
allintitle
    index.php: echo "<title>" . $title . "</title>";
    allintitle:"My special script v0.2a"
Search (slides 23 to 25, image only)
![Page 26: Dennis Pellikaan Thijs Houtenbos · Automated vulnerability scanning and exploitation Dennis Pellikaan Thijs Houtenbos University of Amsterdam System and Network Engineering October](https://reader036.fdocuments.us/reader036/viewer/2022071212/6025883161a1ca33762cf124/html5/thumbnails/26.jpg)
Search
- Rotate between 13 IPv4 addresses
- Pause for 8 seconds between each request
- 20,000 search queries per day
- 120,000 results with 22,000 queries
Validate search results
- Find the project's installation root
- Identify six common file types
- Compare locally identified files with the remote host
- Calculate a score
Validate search results
Installation root: deterministic approach
Google result: http://example.com/user/app/login.php?token=432

| Local script | Remote script |
| --- | --- |
| /script/app/admin/login.php | /example.com/user/app/admin/login.php |
| /script/app/admin/ | /example.com/user/app/admin/ |
| /script/app/ | /example.com/user/app/ |
| /script/ | /example.com/user/ |
Validate search results
Installation root: probabilistic approach
Google result: http://example.com/user/app/guide.html
Local script
- /script/a/docs/examples/index.php
- /script/b/index.html
- /script/index.php
- /script/
Validate search results
Common file types (slide 30, image only)
Validate search results
Comparing files
| Local file | Remote file |
| --- | --- |
| /script/images/file1.gif | /example.com/user/images/file1.gif |
| /script/images/logo.png | /example.com/user/images/logo.png |
| /script/app/js/code.js | /example.com/user/app/js/code.js |
| /script/contact.html | /example.com/user/contact.html |
Validate search results
Text matching (slides 32 and 33, image only)
Validate search results
MD5 Hash Matching
md5(Local File) ≠ md5(Remote File): LocalScore = 0, RemoteScore = 0
md5(Local File) = md5(Remote File): LocalScore = 100, RemoteScore = 100
Validate search results
Calculating the final score
- Score between 0 and 100
- The number of identified files is taken into account
- LocalScore and RemoteScore are weighted

$$\mathrm{Score} = \frac{\sum_{i=1}^{N} S_i}{N} + \sum_{i=1}^{N} S_i \cdot \frac{1}{6}$$

$$S_i = \frac{\mathrm{LocalScore}_i + \mathrm{RemoteScore}_i}{4}$$

N = total number of selected files
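The validation steps (deterministic installation root, file comparison, MD5 hash matching, final score) carried through as one added example in Python; this is not the authors' code. The local checkout is rooted at /script/ and the remote site, keyed as /host/path/ the way the slide tables write it, is constructed inline, with one file deliberately modified on the remote side. The root search peels matching path components off the local script path and the remote URL path one step at a time, as in the table on the deterministic-approach slide. A remote file that is missing is assumed to score 0 for both LocalScore and RemoteScore (the slides do not say), and the weights 1/N and 1/6 make six fully matching files score exactly 100.

```python
import hashlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample data. Paths under LOCAL_ROOT are the "six common file
# types" selection (four used here); the remote site serves them under /user/.
LOCAL_ROOT = "/script/"
LOCAL_FILES: Dict[str, bytes] = {               # relative path -> local content
    "images/file1.gif": b"GIF89a\x01\x00\x01\x00",
    "images/logo.png": b"\x89PNG\r\n\x1a\n",
    "app/js/code.js": b"function init() { return 1; }",
    "contact.html": b"<html><body>Contact us</body></html>",
}
REMOTE_SITE: Dict[str, bytes] = {               # /host/path -> content served
    "/example.com/user/images/file1.gif": b"GIF89a\x01\x00\x01\x00",
    "/example.com/user/images/logo.png": b"\x89PNG\r\n\x1a\n",
    "/example.com/user/app/js/code.js": b"function init() { return 2; }",  # modified remotely
    "/example.com/user/contact.html": b"<html><body>Contact us</body></html>",
}


def _join(parts: List[str]) -> str:
    return "/" + "/".join(parts) + ("/" if parts else "")


def candidate_roots(local_script: str, remote_url: str) -> List[Tuple[str, str]]:
    """Deterministic approach: drop the script name, then one matching directory
    per step from both paths, yielding (local dir, remote dir) pairs. The remote
    side keeps the host as its first component, as on the slide."""
    local_parts = local_script.strip("/").split("/")
    url = urlparse(remote_url)
    remote_parts = [url.netloc] + url.path.strip("/").split("/")
    pairs = []
    while local_parts and remote_parts and local_parts[-1] == remote_parts[-1]:
        local_parts.pop()
        remote_parts.pop()
        pairs.append((_join(local_parts), _join(remote_parts)))
    return pairs


def find_install_root(local_script: str, remote_url: str,
                      local_root: str = LOCAL_ROOT) -> Optional[str]:
    """The remote directory that lines up with the local project root, or None
    when the peeled paths never reach it (the result is then not this project)."""
    for local_dir, remote_dir in candidate_roots(local_script, remote_url):
        if local_dir == local_root:
            return remote_dir
    return None


def md5_scores(local_bytes: bytes, remote_bytes: Optional[bytes]) -> Tuple[int, int]:
    """MD5 hash matching: equal digests give LocalScore = RemoteScore = 100;
    a different or missing remote file (assumption) gives 0 for both."""
    if remote_bytes is not None and \
            hashlib.md5(local_bytes).digest() == hashlib.md5(remote_bytes).digest():
        return 100, 100
    return 0, 0


def final_score(pairs: List[Tuple[int, int]]) -> float:
    """Score = (sum S_i)/N + (sum S_i)/6 with S_i = (LocalScore_i + RemoteScore_i)/4."""
    n = len(pairs)
    if n == 0:
        return 0.0
    s = [(local + remote) / 4 for local, remote in pairs]
    return sum(s) / n + sum(s) / 6


def validate_result(local_script: str, remote_url: str,
                    local_files: Dict[str, bytes] = LOCAL_FILES,
                    remote_site: Dict[str, bytes] = REMOTE_SITE) -> Tuple[Optional[str], float]:
    """Locate the install root, compare each selected local file with its
    remote counterpart, and compute the final score for this search result."""
    remote_root = find_install_root(local_script, remote_url)
    if remote_root is None:
        return None, 0.0
    pairs = [md5_scores(content, remote_site.get(remote_root + rel))
             for rel, content in local_files.items()]
    return remote_root, final_score(pairs)


if __name__ == "__main__":
    print(validate_result("/script/app/admin/login.php",
                          "http://example.com/user/app/admin/login.php"))
```

With three of four files identical the sum of S_i is 150, giving 150/4 + 150/6 = 62.5; the second term is what makes a result with only two identified files score lower than one with six, even when every identified file matches.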
Validate search results
Validated website scores (slide 36, image only)
Results (slide 37, image only)
System overview (slide 38, image only)
Questions
Contact
Contact: Dennis: [email protected]; Thijs: [email protected]
Paper reference: http://rp.delaat.net/2012-2013/p91/report.pdf