Gone in 60 minutes
A Practical Approach to Hacking an Enterprise with YASUO
Saurabh Harit (@0xsauby), Stephen Hall (@_stephen_h)

root@msf:~$> getuid
• Saurabh Harit (@0xsauby)
  • Director of Security Research @Security Compass
  • Pentester, i.e. Domain Admin at many companies
  • Have a secret crush on reverse engineering
  • Gym freak / Proud father of two beautiful dogs
• Stephen Hall (@_stephen_h)
  • Security Consultant @Security Compass
  • …
  • …
  • Owner of a Christmas hat
What this talk is not about
• No 0-days
• No shells

Scenario
• You’re on a red-team engagement
• You’ve bypassed physical security
• You’ve bypassed NAC
• What next? How would you pwn the network?
• Vulnerability scanner?

The Problem
• Can’t use a network vulnerability scanner
• Have to be stealthy & quick
• Can’t use Google dorks (internal network)
  • site, link, inurl

Where do $hells come from?
It’s not about what, it’s about WHERE
Popular Vulnerable Apps
• Apache Tomcat
• JBoss jmx-console
• Hudson / Jenkins

Not So Popular Vulnerable Apps
• ADManager Plus
• Cyberoam UTM
YASUO what???
• Written in Ruby
• Did not write it on our flight here
• Scans the network for vulnerable applications
• Currently supports around 100+ vulnerable applications
• All currently supported apps are Metasploit-able

Why Yasuo
Because there are tons of vulnerable applications and it’s not easy to find them

World Without Automation
• Run an nmap scan & manually poke each & every web port
This CANNOT be fun

What’s currently out there
• Nikto by Chris Sullo
  • https://www.cirt.net/Nikto2
• Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls
  • http://nmap.org/nsedoc/scripts/http-enum.html
• Nmap script – http-default-accounts.nse by Paulino Calderon
  • https://www.nmap.org/nmap-exp/calderon/scripts/http-default-accounts.nse
What’s in the Box
• yasuo.rb
• resp200.rb
• default-path.csv
• users.txt
• pass.txt
• GPL

Behind the Scenes
• Detects false positives
• Automatically extracts the login form
• Automatically extracts the login parameters

RaNdOmIzAtIoN!!!
• More robust check to detect false positives
• Properly formatted output table
• More application signatures
• Signatures for IP cameras / encoders / decoders
• Modular & cleaned-up code – if there is any such thing

Challenges
• Exploit-db – great resource but inconsistent format
• Dynamic detection of login page and parameters is regex based.
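As an added example (not Yasuo’s own code), the two mechanisms the slides describe, regex-based login-form extraction and a false-positive check that a host does not answer 200 for a random path, in Ruby. The HTML page and the responders below are constructed inline; `fetch` is an assumed lambda standing in for the HTTP request.

```ruby
require 'securerandom'

# Extract the first form that carries a password field. Returns a hash with the
# form action (nil when absent) and the names of its input fields, or nil when
# no login form is present. Regex based, as the slides say Yasuo's detection is.
def extract_login_form(html)
  html.scan(/<form\b([^>]*)>(.*?)<\/form>/mi).each do |attrs, body|
    inputs = body.scan(/<input\b[^>]*>/mi)
    next unless inputs.any? { |i| i =~ /type\s*=\s*["']?password/i }
    action = attrs[/action\s*=\s*["']([^"']*)["']/i, 1]
    names  = inputs.map { |i| i[/name\s*=\s*["']([^"']+)["']/i, 1] }.compact
    return { action: action, params: names }
  end
  nil
end

# False-positive check: a host that answers 200 for a random, nonexistent path
# would "match" every signature, so its hits are unreliable. +fetch+ is an
# assumed lambda (path -> HTTP status code) so the logic runs offline.
def reliable_hit?(fetch, signature_path)
  return false unless fetch.call(signature_path) == 200
  fetch.call("/#{SecureRandom.hex(8)}") != 200
end

# Constructed sample page standing in for a fetched login screen.
SAMPLE_HTML = <<~HTML
  <html><body>
  <form method="get" action="/search"><input type="text" name="q"></form>
  <form method="post" action="/login">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="hidden" name="from" value="/">
    <input type="submit" value="log in">
  </form>
  </body></html>
HTML

if __FILE__ == $0
  p extract_login_form(SAMPLE_HTML)
  # Constructed responders: one real app, one that answers 200 to everything.
  real      = ->(path) { path == '/login' ? 200 : 404 }
  catch_all = ->(_path) { 200 }
  p reliable_hit?(real, '/login')      # true
  p reliable_hit?(catch_all, '/login') # false
end
```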
Future Development
• Smarter version detection
• Support masscan output format (because y’all love to scan the Interwebs)
• Add support for more vulnerable applications, of course
• Add secondary signature
• Make current crappy code modular
• Add multi-threading
• Add support for vFeed???
• Change format of default path file – CSV to YAML? or JSON?

CFH (cry for help)
• Signatures Signatures Signatures & Signatures
• Please submit application signatures:
  • Post a comment on Github
  • Update the default path file on Github
  • Drop us an email
  • Send a pigeon.

Thank You!
https://github.com/0xsauby/yasuo
@0xsauby – saurabh.harit@gmail.com
@_stephen_h – perfectlylogical@gmail.com

Credit
• Nmap ruby library – https://github.com/sophsec/ruby-nmap
• The Exploit Database (EDB) – http://www.exploit-db.com/
• @funkaoshi
• Google Image Cache