Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Synergy! A world where the tools communicate

Joshua “Jabra” AbrahamRapid7 LLCjabra@spl0it.orgjabra@rapid7.com

AppSec 09November 12, 2009

OWASP 2

Purpose of this talk

Raising the bar on pentestingBuild upon current toolsLeverage XML to automate pentesting tasksExtract data for a correlation engine

What we are doing todayHigh-level overview of an improved process

(COE)Releasing several modules and Fierce v2 Beta

OWASP 3

Why should you care?

Focus on tasks that require contextMore excitingBetter/Larger

assessments Reduce reporting time!! Customer’s get better

quality for less time Raising the bar on the

Industry

OWASP 4

Things to remember about Automation

Can’t automate manual review

Not all tools can be automated

Manual testing required Context: “P!A!S!S!W!0!

R!D=test”Working towards the

goals of the assessment

Enumeration

Port Scanning

Vulnerability Scanning

Manual Review and Additional

Testing

Analysis and

Reporting

OWASP 5

Encourage developers to build tools with XML and APIs

OWASP 6

Flow Diagram of Tools Fierce

Enumeration domain (company.com) Found several hosts, the most interesting:

test.company.com Nmap

Looking for open Ports Found an open HTTP service on 8080

Nikto Scan HTTP service Found interesting directory /admin

Dirbuster Bruteforce directory Found /admin/secret/ Fierce

Nmap

Nikto

Dirbuster

OWASP 7

Programming Language

Sounds like Earl, but starts with a “P” The programming language is Perl

The following are NOT programming languages: PERL, perl, Pearl

Cross Platform Built for Scripting and Object Orientation Libraries = modules

Load a module: use My::Module; Docs

perldoc perl perldoc My::Module

OWASP 8

Fierce (Network Reconnaissance tool)

Enumerate non-contiguous address spaceVersion 1.0 built by RsnakeVersion 2.0 re-written by Jabra

Techniques in version 2Find NS, MX records, Reverse Lookups +

Wildcards Improved Zone Transfer Testing for all DNS

ServersNew method of Enumeration for

prefixes, extensions and subdomains(ask me if you are curious)

New Virtual Host detection Improved Range enum based on subnet

(PTRname)New ARIN, ARPNIC, etc enumeration….

OWASP 9

Zone Transfer, who has that enabled?.....

Ns1.secure.net Ns2.secure.net

OWASP 10

Fierce (Network Reconnaissance tool)

OWASP 11

Example Usage of the Perl Modules

OWASP 12

Setup Phase

The rest of the talk will be all code! Loading the following modules:

use Nikto::Parser;use Dirbuster::Parser;use Sslscan::Parser;use Fierce::Parser;use Burpsuite::Parser;

OWASP 13

Setup Phase

Creating parser objects:

my $np = new Nikto::Parser;my $dp = new Dirbuster::Parser;my $sp = new Sslscan::Parser;my $fp = new Fierce::Parser;my $bp = new Burpsuite::Parser;

OWASP 14

Fierce::Parser

my $parser = $np->parse_file(‘google.xml’);

my $node = $np->get_node(‘google.com’); my $bf = $node->bruteforce;

print “Prefix Bruteforce:\n”; foreach my $n ( $bf->nodes ) { print “Hostname:\t” . $n->hostname . “\

n”; print “IP:\t\t” . $n->ip . “\n”; }

OWASP 15

Dirbuster::Parser

my $parser = $dp->parse_file(‘dirbuster.xml’);

my @results = $parser->get_all_results(); print “Directories:\n”; foreach(@results) { print “Path“ . $_->path . “\n”; print “Type“ . $_->type . “\n”; print “Response “ . $_->response_code .

“\n”; }

OWASP 16

Burpsuite::Parser

my $parser = $bp->parse_file(‘burpsuite.xml’); my @issues = $parser->get_all_issues(); foreach(@issues) { print $_->name . “\n”; print “Severity:“ . $_->severity . “\n\n”; print “Description:\n” . $_->issue_background .

“\n”; print “Proof of Concept:\n” . $_->issue_detail . “\

n”; print “Recommendation:\n”;

print $_->remediation_background . “\n”; }

OWASP 17

Sslscan::Parser

Options for usage:Parse XML outputScan and parse XML inline

OWASP 18

Sslscan::Parser

my $parser = $sp->parse_file(‘domain.xml’);

my $host = $parser->get_host(‘domain.com’);

my $port = $host->get_port(‘443’); foreach my $i ( grep($_->status =~

/accepted/, @{ $port->ciphers }) ) { print “sslversion “ . $i->sslversion . “\n”; print “cipher “ . $i->cipher . “\n”; print “bits “ . $i->bits . “\n”; }

OWASP 19

Nikto::Parser

Options for usage:Scan and save XML for parsing later.Scan and parse XML inline

OWASP 20

Nikto::Parser

my $parser = $np->parse_file(‘nikto.xml’); my $h = $parser->get_host(‘127.0.0.1’); my $p = $h->get_port(’80’);

print “Target is: “ . $h->ip . “:” . $p->port . “\n”;

print “Banner is: “ . $p->banner . “\n\n”; foreach my $v ( @{ $p->get_all_items(); } )

{ print $v->description . “\n\n”; }

OWASP 21

Summary

Extracting Data for Reporting and/or Correlation

Automated Testing

Recon

Vulnerability Scan

Port Scan

Central Storage EngineCorrelation

Reporting

View/Modify/Delete Data

Manual Testing

Context Based

Focus Driven

OWASP 22

Encourage developers to build tools with XML and APIs

OWASP 23

Contact Information

Joshua “Jabra” Abraham jabra@spl0it.org jabra@rapid7.com

Updated slides will be online this weekend: http://spl0it.wordpress.comhttp://blog.rapid7.com

Code online!http://trac.assembla.com/fiercehttp://search.cpan.org/~jabra/ (comments, suggestions and patches welcome!)

OWASP 24

Fierce::Parser

OWASP 25

Dirbuster::Parser

OWASP 26

Burpsuite::Parser

OWASP 27

Sslscan::Parser

OWASP 28

Nikto::Parser