Synergy! A world where the tools communicate
description
Transcript of Synergy! A world where the tools communicate
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Synergy! A world where the tools communicate
Joshua “Jabra” AbrahamRapid7 [email protected]@rapid7.com
AppSec 09November 12, 2009
OWASP 2
Purpose of this talk
Raising the bar on pentestingBuild upon current toolsLeverage XML to automate pentesting tasksExtract data for a correlation engine
What we are doing todayHigh-level overview of an improved process
(COE)Releasing several modules and Fierce v2 Beta
OWASP 3
Why should you care?
Focus on tasks that require contextMore excitingBetter/Larger
assessments Reduce reporting time!! Customer’s get better
quality for less time Raising the bar on the
Industry
OWASP 4
Things to remember about Automation
Can’t automate manual review
Not all tools can be automated
Manual testing required Context: “P!A!S!S!W!0!
R!D=test”Working towards the
goals of the assessment
Enumeration
Port Scanning
Vulnerability Scanning
Manual Review and Additional
Testing
Analysis and
Reporting
OWASP 5
Encourage developers to build tools with XML and APIs
OWASP 6
Flow Diagram of Tools Fierce
Enumeration domain (company.com) Found several hosts, the most interesting:
test.company.com Nmap
Looking for open Ports Found an open HTTP service on 8080
Nikto Scan HTTP service Found interesting directory /admin
Dirbuster Bruteforce directory Found /admin/secret/ Fierce
Nmap
Nikto
Dirbuster
OWASP 7
Programming Language
Sounds like Earl, but starts with a “P” The programming language is Perl
The following are NOT programming languages: PERL, perl, Pearl
Cross Platform Built for Scripting and Object Orientation Libraries = modules
Load a module: use My::Module; Docs
perldoc perl perldoc My::Module
OWASP 8
Fierce (Network Reconnaissance tool)
Enumerate non-contiguous address spaceVersion 1.0 built by RsnakeVersion 2.0 re-written by Jabra
Techniques in version 2Find NS, MX records, Reverse Lookups +
Wildcards Improved Zone Transfer Testing for all DNS
ServersNew method of Enumeration for
prefixes, extensions and subdomains(ask me if you are curious)
New Virtual Host detection Improved Range enum based on subnet
(PTRname)New ARIN, ARPNIC, etc enumeration….
OWASP 9
Zone Transfer, who has that enabled?.....
Ns1.secure.net Ns2.secure.net
OWASP 10
Fierce (Network Reconnaissance tool)
OWASP 11
Example Usage of the Perl Modules
OWASP 12
Setup Phase
The rest of the talk will be all code! Loading the following modules:
use Nikto::Parser;use Dirbuster::Parser;use Sslscan::Parser;use Fierce::Parser;use Burpsuite::Parser;
OWASP 13
Setup Phase
Creating parser objects:
my $np = new Nikto::Parser;my $dp = new Dirbuster::Parser;my $sp = new Sslscan::Parser;my $fp = new Fierce::Parser;my $bp = new Burpsuite::Parser;
OWASP 14
Fierce::Parser
my $parser = $np->parse_file(‘google.xml’);
my $node = $np->get_node(‘google.com’); my $bf = $node->bruteforce;
print “Prefix Bruteforce:\n”; foreach my $n ( $bf->nodes ) { print “Hostname:\t” . $n->hostname . “\
n”; print “IP:\t\t” . $n->ip . “\n”; }
OWASP 15
Dirbuster::Parser
my $parser = $dp->parse_file(‘dirbuster.xml’);
my @results = $parser->get_all_results(); print “Directories:\n”; foreach(@results) { print “Path“ . $_->path . “\n”; print “Type“ . $_->type . “\n”; print “Response “ . $_->response_code .
“\n”; }
OWASP 16
Burpsuite::Parser
my $parser = $bp->parse_file(‘burpsuite.xml’); my @issues = $parser->get_all_issues(); foreach(@issues) { print $_->name . “\n”; print “Severity:“ . $_->severity . “\n\n”; print “Description:\n” . $_->issue_background .
“\n”; print “Proof of Concept:\n” . $_->issue_detail . “\
n”; print “Recommendation:\n”;
print $_->remediation_background . “\n”; }
OWASP 17
Sslscan::Parser
Options for usage:Parse XML outputScan and parse XML inline
OWASP 18
Sslscan::Parser
my $parser = $sp->parse_file(‘domain.xml’);
my $host = $parser->get_host(‘domain.com’);
my $port = $host->get_port(‘443’); foreach my $i ( grep($_->status =~
/accepted/, @{ $port->ciphers }) ) { print “sslversion “ . $i->sslversion . “\n”; print “cipher “ . $i->cipher . “\n”; print “bits “ . $i->bits . “\n”; }
OWASP 19
Nikto::Parser
Options for usage:Scan and save XML for parsing later.Scan and parse XML inline
OWASP 20
Nikto::Parser
my $parser = $np->parse_file(‘nikto.xml’); my $h = $parser->get_host(‘127.0.0.1’); my $p = $h->get_port(’80’);
print “Target is: “ . $h->ip . “:” . $p->port . “\n”;
print “Banner is: “ . $p->banner . “\n\n”; foreach my $v ( @{ $p->get_all_items(); } )
{ print $v->description . “\n\n”; }
OWASP 21
Summary
Extracting Data for Reporting and/or Correlation
Automated Testing
Recon
Vulnerability Scan
Port Scan
Central Storage EngineCorrelation
Reporting
View/Modify/Delete Data
Manual Testing
Context Based
Focus Driven
OWASP 22
Encourage developers to build tools with XML and APIs
OWASP 23
Contact Information
Joshua “Jabra” Abraham [email protected] [email protected]
Updated slides will be online this weekend: http://spl0it.wordpress.comhttp://blog.rapid7.com
Code online!http://trac.assembla.com/fiercehttp://search.cpan.org/~jabra/ (comments, suggestions and patches welcome!)
OWASP 24
Fierce::Parser
OWASP 25
Dirbuster::Parser
OWASP 26
Burpsuite::Parser
OWASP 27
Sslscan::Parser
OWASP 28
Nikto::Parser