Assessment automation:
Deus ex Machina || Rube Goldberg Machine?

2005, Las Vegas
• Before we begin….you can find all of this at:
• http://www.sensepost.com/research/bidiblah
• As promised at Amsterdam…E-Or release!
• http://www.sensepost.com/research/eor
• (web application scanner)

• Time considerations…
• Shows in Vegas…
Introduction

SensePost has done hundreds of external assessments
Tried and trusted methodology
So… in search of an automated assessment tool

This talk is about:
• What is this methodology?
• Can it be automated?
• Where does automation really work well?
• Where does it simply suck?
• Why does it fail? (and can it be corrected?)
• Implications for penetration testers
Principles of automation
To have an automatic process we need to code it
To code it we need to have an algorithm or flow
In order to have an algorithm or flow we need to understand the process
To understand the process we need to have done it many times

If you cannot write the process down on paper you probably don’t understand it completely

Exceptions to the rule – the root of all evil

Tradeoffs – if it will work in 99.99% of cases and will take me 2 months to code support for the 0.01% of cases… is it worth it?
Weird perceptions

Unix good…. Windows baaaad! (meeaaaaa)

‘Hard core’ hackers will tell you that Windows sucks.
GUI apps limit you when doing complex things
Problem is not the OS – it’s the implementation of the GUI
People think that, because it’s a GUI app, it needs to be “dumbed down”
People think that, because it’s a GUI app, it needs to be user friendly
People think that, because it’s a GUI app, stupid people will use it

Unix command line tools are mostly “fire and forget”
Unix command line tools are not interactive
Unix makes it hard to write X11 interfaces – so people stick to text based interfaces
BiDiBLAH uses “hot” text boxes – you can copy and paste & grep and awk and sed all you wish
The demos you are about to see…

BiDiBLAH is a tool for doing attacks/assessments
It’s built for large networks
…we don’t have a large network
…but our clients do
…but we don’t want to show their network
…no... we don’t… really…

SO:

Passive: IBM, Playboy
Active: SensePost/VMWare

There’s just too much risk in doing this live
…but everything you see is real
(some time lapse in places – I’ll tell you where)
SensePost external methodology
Methodology: Footprinting
Methodology: Footprint: Find domains

[Flow diagram] Initial domain → TLD expansion, Name expansion, Related domains → Content matching → Network (MX/NS/IP) matching → Meta data matching → Final domain list
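The "Network (MX/NS/IP) matching" step of the flow above, written out as an added example (not BiDiBLAH's code): candidate domains survive only if they share mail, name-server or address infrastructure with the initial domain. All domain names and DNS records are constructed stand-ins for resolver answers; no live lookups are made, and the `min_reasons` knob is my addition to show the completeness-versus-false-positive tradeoff the slides mention.

```python
"""Network (MX/NS/IP) matching step of the domain-finding flow above.

Added example, not BiDiBLAH's code: candidates produced by TLD expansion, name
expansion and related-domain searches are kept only when they share mail (MX),
name-server (NS) or address (A) infrastructure with the initial domain.
All DNS data below is constructed; no live lookups are made.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed resolver answers keyed by domain, then record type.
RECORDS: Dict[str, Dict[str, Set[str]]] = {
    "example.com":      {"MX": {"mx1.example.com"}, "NS": {"ns1.example.net", "ns2.example.net"},
                         "A": {"192.0.2.10"}},
    "example.co.uk":    {"MX": {"mx1.example.com"}, "NS": {"ns1.example.net"},
                         "A": {"198.51.100.7"}},       # same mail and DNS hosting: related
    "example-corp.com": {"MX": {"mail.other.test"}, "NS": {"ns1.example.net"},
                         "A": {"203.0.113.5"}},        # only the name server is shared
    "exampel.com":      {"MX": {"mx.squatter.test"}, "NS": {"ns.squatter.test"},
                         "A": {"203.0.113.99"}},       # typo-squat: nothing shared
    "example.org":      {"MX": set(), "NS": {"ns.parking.test"},
                         "A": {"192.0.2.10"}},         # parked on a shared address only
}

def lookup(domain: str, rtype: str) -> Set[str]:
    """Stand-in for a DNS query; returns the constructed record set or nothing."""
    return RECORDS.get(domain, {}).get(rtype, set())

@dataclass
class Match:
    domain: str
    reasons: List[str] = field(default_factory=list)

def network_match(seed: str, candidates: Iterable[str], min_reasons: int = 1) -> List[Match]:
    """Keep candidates sharing at least `min_reasons` record types with the seed.

    min_reasons=1 is the greedy setting (a shared A record on a hosting box is
    enough); raising it trades completeness for fewer false positives, which is
    the 'never complete' tradeoff the slides mention for domain finding.
    """
    seed_records = {rt: lookup(seed, rt) for rt in ("MX", "NS", "A")}
    kept: List[Match] = []
    for cand in candidates:
        if cand == seed:
            continue
        reasons = []
        for rtype, seed_vals in seed_records.items():
            shared = seed_vals & lookup(cand, rtype)
            if shared:
                reasons.append(f"{rtype} shared: {', '.join(sorted(shared))}")
        if len(reasons) >= min_reasons:
            kept.append(Match(cand, reasons))
    return kept

def final_domain_list(seed: str, candidates: Iterable[str], min_reasons: int = 1) -> List[str]:
    """The 'Final domain list' box of the diagram, sorted for stable output."""
    return sorted(m.domain for m in network_match(seed, candidates, min_reasons))

if __name__ == "__main__":
    for m in network_match("example.com", RECORDS):
        print(m.domain, "|", "; ".join(m.reasons))
    print("strict:", final_domain_list("example.com", RECORDS, min_reasons=2))
```

With `min_reasons=1` the parked example.org comes along because of the shared address; with 2 only example.co.uk remains.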
Methodology: Footprinting: Find subdomains
Video 1 – BiDiBLAH’s footprinting : Sub domains (5 minutes)
Methodology: Footprinting: Forward DNS entries

[Flow diagram] Domain / subdomain → MX/NS records → ZT possible? → (yes) Perform forward → All forwards, with Hit lists feeding Perform forward
Video 2 – BiDiBLAH’s footprinting : Forwards (3min per domain)
Methodology: Footprint: Netblocks
Video 3 – BiDiBLAH footprinting : NetBlocks
Methodology: Footprint: Reverse DNS
Video 4 – BiDiBLAH’s footprinting : Reverse DNS (5min/ClassC)
Methodology: Footprint: Vitality
Vitality : Async scanning
Video 5 - BiDiBLAH – Vitality (SensePost network) 2min/port/classB
Automation of footprint

Pheeww… glad that’s over!

Which steps are difficult to automate & why?
   • Domain finding
        • works semi OK, but never complete [not implemented]
        • currently, you can learn a lot from reverse entries
   • Sub domain finding – easy [DONE]
   • Forwards – easy [DONE]
   • Netblocks – difficult…
        • AS expansion is not always good for smaller (hosted) blocks.
        • Whois info on these blocks is pretty useless.
        • No standard interface to registrars
        • [Currently set to manual]
   • Reverse scans – easy [DONE]
   • Vitality – easy [DONE (tcp only)]
Why should you care about footprinting??

Finding one vulnerability on one box
vs
Finding the one box with one vulnerability…
SensePost external methodology

So, where are we now?
Methodology: Fingerprinting

OS detection from the Internet to a firewalled host is difficult… Not just technically, but conceptually:
An Apache box protected by a FireWall-1 running on Win32 and 1:1 NAT will report itself as a Windows machine on a network level… but as a Unix machine on app level.. so what will it be??

BiDiBLAH does not try to do OS detection, but rather just does banner grabbing

Using async banner grabbing for 21, 22, 25, 80, 110, 143
Multithreaded 443 (SSL)
Any banner/version can be grabbed asynchronously but it gets increasingly tricky..
Async banner grabbing – the process
Video 6 - BiDiBLAH: Async banner grabbing (2000 banners / 3 min)
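The async banner-grabbing process, as an added example rather than BiDiBLAH's own code: one coroutine per host/port with a semaphore bounding open sockets, and the "tricky" distinction between services that speak first (FTP, SSH, SMTP, POP3, IMAP) and HTTP, which needs a request before it says anything. The remote hosts, their banners and the `FAKES` table are constructed loopback stand-ins so the demo runs offline; 443/TLS is left out.

```python
"""Async banner grabbing as in the fingerprinting step (added example, not BiDiBLAH code).
One coroutine per (host, port), a semaphore bounding open sockets. FTP/SSH/SMTP/POP3/IMAP
send a banner unprompted; HTTP says nothing until asked, the 'increasingly tricky' part
(443 would add TLS on top and is left out). The demo uses constructed loopback listeners
in place of remote hosts, so it runs offline."""
import asyncio
from typing import Dict, List, Optional, Tuple

def extract_banner(data: bytes, proto: str) -> str:
    """Pull the version-bearing line out of what the service sent."""
    text = data.decode("latin-1", "replace")
    if proto == "http":
        for line in text.splitlines():
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[0] if lines else "<no banner>"

async def grab_banner(host: str, port: int, proto: Optional[str] = None,
                      timeout: float = 3.0) -> Tuple[str, int, str]:
    proto = proto or ("http" if port == 80 else "server-first")  # who speaks first
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError) as exc:
        return host, port, f"<connect failed: {type(exc).__name__}>"
    try:
        if proto == "http":  # client must speak first
            writer.write(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            await writer.drain()
        data = await asyncio.wait_for(reader.read(1024), timeout)
        banner = extract_banner(data, proto)
    except (OSError, asyncio.TimeoutError):
        banner = "<no banner>"  # open but silent: still worth recording
    finally:
        writer.close()
    return host, port, banner

async def grab_all(targets: List[Tuple[str, int, Optional[str]]],
                   concurrency: int = 200) -> Dict[Tuple[str, int], str]:
    """Grab every target concurrently with at most `concurrency` sockets open."""
    sem = asyncio.Semaphore(concurrency)
    async def bounded(host, port, proto):
        async with sem:
            return await grab_banner(host, port, proto)
    results = await asyncio.gather(*(bounded(*t) for t in targets))
    return {(h, p): b for h, p, b in results}

# Constructed replies standing in for remote services (not captured banners).
FAKES = {
    "ftp": b"220 ftp.example.test FTP server (Version 6.00LS) ready.\r\n",
    "smtp": b"220 mail.example.test ESMTP ready\r\n",
    "http": b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n\r\n",
}

async def _fake_service(kind, reader, writer):
    if kind == "http":  # a web server waits for the request before answering
        await reader.readuntil(b"\r\n\r\n")
    writer.write(FAKES[kind])
    await writer.drain()
    writer.close()

async def _demo() -> Dict[str, str]:
    servers, targets = [], []
    for kind in FAKES:
        srv = await asyncio.start_server(lambda r, w, k=kind: _fake_service(k, r, w), "127.0.0.1", 0)
        servers.append(srv)
        port = srv.sockets[0].getsockname()[1]
        targets.append(("127.0.0.1", port, "http" if kind == "http" else "server-first"))
    try:
        grabbed = await grab_all(targets)
    finally:
        for srv in servers:
            srv.close()
    return {kind: grabbed[(h, p)] for kind, (h, p, _) in zip(FAKES, targets)}

def demo() -> Dict[str, str]:
    return asyncio.run(_demo())  # {'ftp': ..., 'smtp': ..., 'http': ...}
```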
SensePost external methodology

So, where are we now?
Methodology: targeting
With a great number of potential targets, we want to be able to select only those that really interest us.
Targeting system should be able to target using
• Certain/All open ports (in all netblocks, or certain netblocks)
    – e.g. all open on TCP 53
• Keywords in service banners
    – e.g. wuftp*
• Keywords in DNS names
    – e.g. PRT*
• All hosts in a specific netblock
    – e.g. all in 172.16.43.0/24
• Particular OS or version of OS [a problem - we don’t have it]
    – e.g. MS Windows XP SP1
• Certain keywords within vulnerability descriptions (later more)
    – e.g. RPC*
Video 7 – BiDiBLAH - Targeting
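The targeting rules from the slide above, implemented as an added example (not BiDiBLAH's own code): each rule is a predicate over one inventory entry and rules compose by intersection. The `Host` record, the `INVENTORY` and every banner, name and finding text in it are constructed; the `keyword_in` word-wise wildcard match is my reading of what "keywords" means on the slide.

```python
"""Targeting rules from the slide above (added example, not BiDiBLAH's own code).

Each rule is a predicate over one inventory entry; the target list is the set of hosts
that satisfy every rule the operator picked, so 'TCP 53 open in 172.16.43.0/24'
composes from two rules. The inventory is constructed. The OS rule is present but
almost never has data to match, mirroring the slide's "[a problem - we don't have it]".
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, Optional

@dataclass
class Host:
    ip: str
    dns_name: str = ""
    banners: Dict[int, str] = field(default_factory=dict)  # open port -> grabbed banner
    vulns: List[str] = field(default_factory=list)         # scanner finding descriptions
    os: Optional[str] = None                               # usually unknown (see slide)

Rule = Callable[[Host], bool]

def keyword_in(pattern: str, text: str) -> bool:
    """True if the wildcard pattern matches any word of text, case-insensitively."""
    words = re.split(r"[\s.\-_/:,;()]+", text.lower())
    return any(fnmatchcase(w, pattern.lower()) for w in words if w)

def port_open(port: int, netblock: Optional[str] = None) -> Rule:
    net = ip_network(netblock) if netblock else None
    return lambda h: port in h.banners and (net is None or ip_address(h.ip) in net)

def banner_matches(pattern: str) -> Rule:          # e.g. "wuftp*"
    return lambda h: any(keyword_in(pattern, b) for b in h.banners.values())

def dns_matches(pattern: str) -> Rule:             # e.g. "PRT*"
    return lambda h: keyword_in(pattern, h.dns_name)

def in_netblock(netblock: str) -> Rule:            # e.g. "172.16.43.0/24"
    net = ip_network(netblock)
    return lambda h: ip_address(h.ip) in net

def os_matches(pattern: str) -> Rule:              # e.g. "MS Windows XP SP1"
    # an unfingerprinted host never matches: it is not silently pulled into scope
    return lambda h: h.os is not None and fnmatchcase(h.os.lower(), pattern.lower())

def vuln_matches(pattern: str) -> Rule:            # e.g. "RPC*"
    return lambda h: any(keyword_in(pattern, v) for v in h.vulns)

def select(hosts: Iterable[Host], *rules: Rule) -> List[str]:
    """IPs of hosts satisfying every rule, sorted numerically: the scanner's target list."""
    return sorted((h.ip for h in hosts if all(r(h) for r in rules)), key=ip_address)

# Constructed inventory, shaped like what the footprint and fingerprint steps leave behind.
INVENTORY = [
    Host("172.16.43.2", "ns1.example.test", {53: "", 22: "SSH-1.99-OpenSSH_3.4p1"}),
    Host("172.16.43.7", "prt-acc.example.test",
         {21: "220 wuftpd 2.6.1 ready", 80: "Apache/1.3.33"},
         ["RPC portmapper is running", "wu-ftpd format string"]),
    Host("172.16.44.9", "www.example.test", {80: "Apache/2.0.52", 443: "Apache/2.0.52"}),
    Host("10.1.1.1", "prt01.example.test", {53: "", 515: "lpd"}, os="MS Windows XP SP1"),
]

if __name__ == "__main__":
    print("TCP 53 in 172.16.43.0/24:", select(INVENTORY, port_open(53, "172.16.43.0/24")))
    print("PRT* names that also run DNS:", select(INVENTORY, dns_matches("PRT*"), port_open(53)))
```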
SensePost external methodology

So, where are we now?
Methodology: Vulnerability discovery
Why reinvent the wheel? Use a solid, widely used scanner: Nessus…

Thus… we write a Nessus client..
Give the user the ability to choose a set of plugins
..and let him save the list..

Thus – you can choose *all* plugins (if you are doing an assessment), or you can choose one plugin (if you are looking throughout your whole network for a particular problem)

Scans are executed against what was marked as targets
Video 8 - BiDiBLAH: Plugin selection
Video 9 – BiDiBLAH vulnerability discovery
SensePost external methodology

So, where are we now?
Methodology: Vulnerability exploitation
Why reinvent the wheel? Use a solid, widely used exploitation framework: MetaSploit!

Thus… we write a MetaSploit client..

Problem with MetaSploit – it’s very operating system specific
…. and we DON’T KNOW the OS…

Don’t specify target and hope for the best – hopefully it will brute force.

Use Nessus to identify the weakness, MetaSploit to exploit it
Thus… we need a Nessus ID to MetaSploit sploit name list
We built it (thanks GP), and wrote plugins as needed
Hopefully it can be an attribute of the sploit (looks at HD..)

RHOST, SSL, LHOST – all known to us
RPORT known via Nessus scanner
Let the user choose the payload and additional parameters
Video 10 – BiDiBLAH exploitation (VMware server)
SensePost external methodology

So… we are done?

In a perfect world… yes...

In the real world we have false positives, we have to moderate Nessus results, and we have to write !=*|||(ing reports!!!
Video 11 - advanced targeting and reporting
The Bottom line
BiDiBLAH does 80% of the work within 20% of the time it takes us
The last 20% of the work takes 80% of the project time

Some steps in the methodology are really hard to automate
This is usually where things are “non-standard”, or an exception

It would hopefully raise the bar on mediocre “pen testing” companies

Release considerations
Group 1: “Surely you will not release this to the world – you’re arming script kiddies with dangerous point and click hacking tools!!?”

Group 2: “Where do we download it?”

Thus: crippled version (20min run time, no save) released at
http://www.sensepost.com/research/bidiblah
Full version available on request
EXTRA: E-Or release

Web APPLICATION assessment tool
• http://www.sensepost.com/research/eor
