Don’t be a tool’s fool - OWASP · 2020. 1. 17.
Don’t be a tool’s fool
About Me
• Dave van Stein
• 40 years
• Started testing in 2001
– Functional Testing
– Interface / Legacy Testing
– Performance Testing
– Web Application Security Testing
• ISTQB certified tester
• EC-Council C|EH
• SANS 542 / GIAC GWAPT
• Hobbies: World of Warcraft, Geocaching
Goal
• Not the goal:
– Promote or push tool X
– Put tool Y in a bad light
• But instead
– Show easy to forget options
– Show how to be creative
– Discussion
Outline
• History
• Some tools with demos
• Security Testing
The old days

Nowadays

Tools, tools, tools
Metasploit
• Metasploit
– Collection of exploits
– Framework driven
• Pro
– High quality, often updated
– Fun to demo :)
• Con
– Exploit based
Demo 1
vs
(just for the fun of it)
Things to remember
• Know the limitations of your tool
• No result != no vulnerabilities
• Update tools often
Nikto
• Nikto
– Webserver configuration issues
– Known and common locations, files, options, etc
• Pro
– Finds a lot of easy to miss items
• Con
– SSL sometimes gives out-of-memory
– By default assumes / is root folder
– Only shows positives
Demo 2
Toolchaining nikto with Burp
Things to remember
• Know the quirks of your tool
• Testing > hacking
– Negatives are just as important
• Combine tools for additional information
SQLmap
• SQLmap
– SQL injection scanner and exploiter (yeah, really)
• Pro
– Huge amount of options
– Contains lots of evasion filters
• Con
– Huge amount of options
– Default options are in ‘safe mode’
Demo 3
Things to remember
• Always review default options
• In white-box and grey-box scenarios identify relevant information
Firefox add-ons
• Firefox add-ons
– Additional functionality
• Pro
– Flexible, many different add-ons
– Great for ‘quick & dirty’ testing
• Con
– Every add-on makes Firefox slower
– Cluttered interface
Demo 4
Multiple profiles in Firefox
"C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profilemanager
Things to remember
• Be careful with add-ons
• Use profiles and templates where possible
Structured Security Testing
• Don’t bet on a single tool
Source: The Web Application Hacker’s Handbook
Structured Security Testing
• Use a result collection tool
Gremwell Magictree (local)
• Burp (as of Burp Suite version 1.3.07)
• Nmap
• Nikto
• Nessus XML v.1
• Nessus XML v.2
• OpenVAS
• Qualys
• Imperva Scuba
• w3af
• Acunetix
• Rapid 7 NeXpose
• Arachni
• OWASP Zed Attack Proxy
• Metasploit
• IBM Rational AppScan
Dradis Framework (web application)
• Burp Scanner
• Metasploit
• Nessus
• NeXpose
• Nikto
• Nmap
• OpenVAS
• OSVDB
• Retina
• SureCheck
• VulnDB
• w3af
• wXf
• Zed Attack Proxy
Recap
• Know the limitations of your tool
• Know the quirks of your tool
• Update tools often
• Always review default options
• In white-box and grey-box scenarios identify relevant information
• No result != no vulnerabilities
• Testing > hacking
– Negatives are just as important
• Combine tools for additional information
• Use a result collection tool
• Be careful with add-ons
• Use profiles and templates where possible
Q&A