SlideShare ist ein Scribd-Unternehmen logo

Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t

pseudor00t overflow
pseudor00t overflow

Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t

Internet
1 von 29
Downloaden Sie, um offline zu lesen
Conducting Massive Attacks With Open Source Distributed Computing By Alejandro Caceres (@DotSlashPunk) DEF CON 21
How to (almost) get fired from your job Step 1: Speak at a hacker con on your open source community-focused side project (PunkSPIDER) - Combined distributed computing (my main area of research) with web application fuzzing - Was pretty cool (if I do say so myself) Step 2: Have a friend of a high-level executive at your company stumble upon talk at said con Step 3: Have said friend confuse community-focused web app security side project for a “cyber weapon” and tell executive that you’re building a cyber weapon in your spare time. Step 4:  DEF CON 21
Why did I just tell you that story? • It was the inspiration for this talk – got me thinking about the following: – What would it take to build true distributed network attack tools? – Where can distributed computing help the most? – How can one simply and quickly build distributed attack tools to do whatever it is you’re into • We won’t judge - but don’t do anything illegal. Seriously. Please? Ah whatever, you’re not listening anyway. • My goal is simply to explore some of the possible answers to these questions DEF CON 21
Distributed Computing Today • Great advances in distributed computing lately – Apache Hadoop – Google’s MapReduce papers and implementation details • We’ve seen some great stuff come out of this – Data Analytics – Super fast data processing (for faster analytics) – Counting things (analytics) – Analyzing things (analytics) • You might notice a trend in the above uses of distributed computing or “big data” technologies if you’re into buzzwords (looking at you Splunk, IBM, EMC, etc. etc. etc.) – Spoiler: we’re mostly using it for data analytics – This bores me DEF CON 21
Distributed Computing In the (distant) Future • My main “thing” is using distributed computing / ”big data” technologies for massive attacks – Most of my research thus far has been in application-level attacks • I want to dive into this area and see what’s possible! DEF CON 21
High-level idea behind distributed attacks • Much respect for the 1337 hackers out there, working on extremely complex low-level problems to break into things • However, much of the time this isn’t needed. Especially on the web application side, if you choose a big enough target (e.g. a country), you’re going to break into things. Lots of things. – We’ve seen the awful state of web application security in our distributed fuzzer unleashed on the Internet. (http://punkspider.hyperiongray.com) • <analogy> Try enough door knobs, and some of them will be open. In many environments, lots of them will be open. Or at least have a broken lock that you can kick in easily. </analogy> DEF CON 21
Why Distributed Attacks? • Often the time required to attack a target is way too long • Longer attack times may mean more chance of being detected and stopped • Extremely large beds of targets may be completely infeasible due to time restrictions and coordination issues • E.g. PunkSPIDER – our target was the entire Internet • The Internet is a big place, it would take years to scan it properly, even just for high level vulnerabilities • Coordination between computing resources – Without coordination between various computing resources, you may end up duplicating a lot of effort and the attack may be less effective DEF CON 21
But distributed computing sounds hard... • It’s not! Huge advances in recent years make it really easy to get up and running • In this talk we’ll focus on Apache Hadoop, one of the best, and simplest, implementations of distributed computing DEF CON 21
Hadoop and Me (and You) • I really like love Hadoop • Hadoop is an implementation of the MapReduce distributed computing concept – You write a Map function that gets distributed across the cluster – it takes in several key-value pairs as inputs and emits several key-value pairs as outputs – You write a reduce function. A partitioner sorts the output from the map function by its keys – each set of key-value pairs with common keys are sent through the map function, which emits a final set of key-value pairs. This final set should be the solution to the original problem you were trying to solve • If you’re confused, it’s actually pretty simple in practice. It’s also awesome, and easy to implement. DEF CON 21
Using MapReduce – PunkSCAN Example • The classic example for MapReduce is a “word count” example. It counts words real fast, cool huh? False. This is uber boring. – I even tried adding animated .gif flames and spinning .gif skulls to my word count job and it was still way too boring to show you • Let’s take a better example – You have a list of a ton of websites, you want to see if they have obvious vulnerabilities • In this case, lets assume we just have the list of sites • In PunkSPIDER our list comes from automated crawling of the Internet using a distributed crawler DEF CON 21
Using MapReduce PunkSCAN Example (cont.) DEF CON 21
Using MapReduce PunkSCAN Example (cont.) DEF CON 21
Demo Time! • Let’s see PunkSCAN in action • This is live production data being indexed to PunkSPIDER! DEF CON 21
My Love Affair With MapReduce • If you’re astute you noticed a few things in my example – It’s written in Python – It’s only a few lines of code • Some additional stuff I can tell you – As far as fuzzing goes, what I showed you is the only part of PunkSCAN that is “distributed computing-focused” code (the rest is a pretty standard fuzzer that I wrote and other basic python code) – It works REALLY well – we’ve scanned over 1.5 million domains using this code and found hundreds of thousands of vulnerabilities. It’s really stable and very very fast – More nodes means faster fuzzing – simple as that DEF CON 21
What is a Hadoop and Where Can I Get One? • Apache Hadoop is a free and open source implementation of distributed computing with MapReduce • It’s very easy to set up on pretty much any Linux distro (I recommend trying it out on Kali, it works great!) • A small cluster in the cloud can be built within a couple of hours • Alternately you can build your own off of really old hardware • Various other options – Amazon’s EMR provides a Hadoop-like environment on demand – They don’t like you hacking on Amazon’s EMR – I got kicked off of AWS so take my advice on this with a grain of salt DEF CON 21
Use Cases • Now that we have the basics out of the way – it’s time to talk about what we can do with this • Three Examples we will be covering – Distributed recon – Distributed attack – Distributed password cracking DEF CON 21
Use Case 1: Distributed Recon • Why distribute recon? – Greatly speed up repetitive tasks – Wonderful for finding a massive number of low hanging fruit – Can make deep recon across a massive number of targets (e.g. an entire country’s IP ranges) feasible in a short period of time) DEF CON 21
Use Case 1: Distributed Recon • The best example is PunkSCAN – We use Hadoop Streaming, a Hadoop function that reads input and output from stdout, allowing you to write code in whatever language you want (this is why PunkSCAN was in Python) • Heads up: Consider your problem – are you in need of CPU, Memory, or bandwidth? – If the former two are needed, any old cluster will do. If bandwidth, you need to carefully plan where your nodes are from a network standpoint – Always think before you code. You could waste time distributing something that might not help you that much to have distributed – In the case of PunkSCAN we did some pre-research to ensure that distributed fuzzing would help us (fuzzing is highly CPU and memory-intensive – bandwidth is a minor consideration – even for remote fuzzing) DEF CON 21
How to get your own • You can download PunkSCAN from BitBucket – We’ll give you a link at the end of the talk • You can write your own pretty easily: – Pick your favorite URL fuzzing library (there’s a bunch out there) – Grab a library that will help you abstract the process of writing a mapper and reducer for Hadoop (we used the MRJob Python library in PunkSCAN) – Write a mapper and reducer leveraging the libraries – Run it across your cluster and watch it fly • It really is that simple – Though admittedly testing and debugging is a pain DEF CON 21
Use Case 2: Distributed Attacks • Why distribute exploitation? – It’s fun – You can conduct large-scale automated attacks in a short period of time – owning massive targets in a short time (such as entire countries) • We’ll be looking at the example of automated SQL Injection attacks by distributing everyone’s favorite automated SQLi tool, SQLMap DEF CON 21
Use Case 2: Distributed Attacks • The basics – We use SQLMap’s code as a “library” of sorts – We pick an abstraction library for writing a MapReduce job • In this case we picked the MRJob Python library • We write a mapper • We write a reducer • We run the job • You may already notice a pattern – it’s all about writing a MapReduce job – To see our detailed Mapper and Reducer, please visit www.hyperiongray.com and check out our code downloads section DEF CON 21
Use Case 2: Distributed Attacks • Demo (against our cloud test environment) DEF CON 21
Use Case 2: Distributed Attacks • Notice the simplicity of the code and the few lines of code/customization required to run this • In the end, we end up with a bunch of stolen databases in Hadoops HDFS – HDFS is a central file system that Hadoop creates – it is accessible via any of the nodes – How much easier can it get? We don’t even need to worry about which node we’re on to store or retrieve data • Now that we have all of these stolen databases, now what? DEF CON 21
Use Case 3: Distributing Post-Exploitation Activities • Why distribute? • Attacking a *lot* of targets at once will leave the attacker with a ton of extracted data • Password hashes to crack, data to analyze and parse • From the vulnerabilities we’ve seen in PunkSPIDER this could be a LOT of data especially for password cracking – we need a better solution than single node cracking • Why not repurpose old, commodity hardware to build your own cracking cluster? DEF CON 21
Use Case 3: Distributing Post-Exploitation Activities • Admittedly, this is one of the more complex tasks – We went with Java instead of Python (for performance) – Partitioning the job is non-trivial • Luckily, you can just download our cracker PunkCRACK, free and open source, and use it and not worry too much about the internals • However, for those of you more curious folks, you can see our detailed Mapper and Reducer at www.hyperiongray.com in the code downloads section. DEF CON 21
Use Case 3: Distributing Post-Exploitation Activities • Demo (again, against our own test data in our own environment) DEF CON 21
Bringing It All Together • We’ve thoroughly enjoyed proving the concept here, but what does this mean for you? – Leveraging distributed computing from an offensive perspective gives you the power to run massive attack scenarios – this lets you build custom tools to do that using open source technology and commodity hardware – Imagine “pen testing” an entire country – it’s entirely feasible with the tools and concepts I’ve presented • We think the security implications of this concept are broad – if we can feasibly simulate a massive attack scenario, then we can better study this and prepare for it. DEF CON 21
Wrap-up • Follow me on Twitter: @DotSlashPunk – I’ll answer your questions if you are following me (personal questions answered on a case-by-case basis…) • See more about us and more details on this presentation at http://www.hyperiongray.com • See Check out PunkSPIDER at http://punkspider.hyperiongray.com DEF CON 21
Thanks • Thanks to: – Tomas – Mark – The SQLMap project (and everyone involved) – The Apache Software Foundation (and the Nutch and Hadoop community) – And of course THANKS to all of you for coming to my talk! – DEF CON 21 and everyone involved DEF CON 21

Empfohlen

Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
amiable_indian
 
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocolEnter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
David Dias
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Bhasker Kode
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 ccc
Dan Kaminsky
 
hover.in at CUFP 2009
hover.in at CUFP 2009hover.in at CUFP 2009
hover.in at CUFP 2009
Bhasker Kode
 
Confidence web
Confidence webConfidence web
Confidence web
Dan Kaminsky
 
Erlang as a cloud citizen, a fractal approach to throughput
Erlang as a cloud citizen, a fractal approach to throughputErlang as a cloud citizen, a fractal approach to throughput
Erlang as a cloud citizen, a fractal approach to throughput
Paolo Negri
 
Erlang factory 2011 london
Erlang factory 2011 londonErlang factory 2011 london
Erlang factory 2011 london
Paolo Negri
 

Empfohlen

Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
amiable_indian
 
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocolEnter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
Enter Gossipsub, A scalable, extensible & hardened P2P PubSub Router protocol
David Dias
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Bhasker Kode
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 ccc
Dan Kaminsky
 
hover.in at CUFP 2009
hover.in at CUFP 2009hover.in at CUFP 2009
hover.in at CUFP 2009
Bhasker Kode
 
Confidence web
Confidence webConfidence web
Confidence web
Dan Kaminsky
 
Erlang as a cloud citizen, a fractal approach to throughput
Erlang as a cloud citizen, a fractal approach to throughputErlang as a cloud citizen, a fractal approach to throughput
Erlang as a cloud citizen, a fractal approach to throughput
Paolo Negri
 
Erlang factory 2011 london
Erlang factory 2011 londonErlang factory 2011 london
Erlang factory 2011 london
Paolo Negri
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
FunctionalConf '16 Robert Virding Erlang Ecosystem
FunctionalConf '16 Robert Virding Erlang EcosystemFunctionalConf '16 Robert Virding Erlang Ecosystem
FunctionalConf '16 Robert Virding Erlang Ecosystem
Robert Virding
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
Filip Waeytens
 
Erlang factory SF 2011 "Erlang and the big switch in social games"
Erlang factory SF 2011 "Erlang and the big switch in social games"Erlang factory SF 2011 "Erlang and the big switch in social games"
Erlang factory SF 2011 "Erlang and the big switch in social games"
Paolo Negri
 
Combining the strength of erlang and Ruby
Combining the strength of erlang and RubyCombining the strength of erlang and Ruby
Combining the strength of erlang and Ruby
Martin Rehfeld
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Introduction to Apache Storm - Concept & Example
Introduction to Apache Storm - Concept & ExampleIntroduction to Apache Storm - Concept & Example
Introduction to Apache Storm - Concept & Example
Dung Ngua
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wiki
Takashi Yamanoue
 
Recursion & Erlang, FunctionalConf 14, Bangalore
Recursion & Erlang, FunctionalConf 14, BangaloreRecursion & Erlang, FunctionalConf 14, Bangalore
Recursion & Erlang, FunctionalConf 14, Bangalore
Bhasker Kode
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
Alec Muffett
 
How to use packet tracer
How to use packet tracerHow to use packet tracer
How to use packet tracer
Yunita Siswanti
 
Big Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache SparkBig Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache Spark
Kenny Bastani
 
Spark
SparkSpark
Spark
Nitish Upreti
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
Fast and Scalable Python
Fast and Scalable PythonFast and Scalable Python
Fast and Scalable Python
Travis Oliphant
 
Functional Ideas for a Cloudy Future
Functional Ideas for a Cloudy FutureFunctional Ideas for a Cloudy Future
Functional Ideas for a Cloudy Future
Richard Minerich
 
Hive and Pig for .NET User Group
Hive and Pig for .NET User GroupHive and Pig for .NET User Group
Hive and Pig for .NET User Group
Csaba Toth
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013
Travis Oliphant
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challenges
bcantrill
 
Matt Franklin - Apache Software (Geekfest)
Matt Franklin - Apache Software (Geekfest)Matt Franklin - Apache Software (Geekfest)
Matt Franklin - Apache Software (Geekfest)
W2O Group
 
Cloud computing and Hadoop introduction
Cloud computing and Hadoop introductionCloud computing and Hadoop introduction
Cloud computing and Hadoop introduction
christian.perez
 

Weitere ähnliche Inhalte

Was ist angesagt?

Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
How to use packet tracer
How to use packet tracerHow to use packet tracer
How to use packet tracer
Yunita Siswanti
 

Was ist angesagt? (11)

Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
FunctionalConf '16 Robert Virding Erlang Ecosystem
FunctionalConf '16 Robert Virding Erlang EcosystemFunctionalConf '16 Robert Virding Erlang Ecosystem
FunctionalConf '16 Robert Virding Erlang Ecosystem
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
Erlang factory SF 2011 "Erlang and the big switch in social games"
Erlang factory SF 2011 "Erlang and the big switch in social games"Erlang factory SF 2011 "Erlang and the big switch in social games"
Erlang factory SF 2011 "Erlang and the big switch in social games"
 
Combining the strength of erlang and Ruby
Combining the strength of erlang and RubyCombining the strength of erlang and Ruby
Combining the strength of erlang and Ruby
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Introduction to Apache Storm - Concept & Example
Introduction to Apache Storm - Concept & ExampleIntroduction to Apache Storm - Concept & Example
Introduction to Apache Storm - Concept & Example
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wiki
 
Recursion & Erlang, FunctionalConf 14, Bangalore
Recursion & Erlang, FunctionalConf 14, BangaloreRecursion & Erlang, FunctionalConf 14, Bangalore
Recursion & Erlang, FunctionalConf 14, Bangalore
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
How to use packet tracer
How to use packet tracerHow to use packet tracer
How to use packet tracer
 

Ähnlich wie Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t

Big Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache SparkBig Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache Spark
Kenny Bastani
 
Taboola's experience with Apache Spark (presentation @ Reversim 2014)
Taboola's experience with Apache Spark (presentation @ Reversim 2014)Taboola's experience with Apache Spark (presentation @ Reversim 2014)
Taboola's experience with Apache Spark (presentation @ Reversim 2014)
tsliwowicz
 

Ähnlich wie Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t (20)

Big Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache SparkBig Graph Analytics on Neo4j with Apache Spark
Big Graph Analytics on Neo4j with Apache Spark
 
Spark
SparkSpark
Spark
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Fast and Scalable Python
Fast and Scalable PythonFast and Scalable Python
Fast and Scalable Python
 
Functional Ideas for a Cloudy Future
Functional Ideas for a Cloudy FutureFunctional Ideas for a Cloudy Future
Functional Ideas for a Cloudy Future
 
Hive and Pig for .NET User Group
Hive and Pig for .NET User GroupHive and Pig for .NET User Group
Hive and Pig for .NET User Group
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challenges
 
Matt Franklin - Apache Software (Geekfest)
Matt Franklin - Apache Software (Geekfest)Matt Franklin - Apache Software (Geekfest)
Matt Franklin - Apache Software (Geekfest)
 
Cloud computing and Hadoop introduction
Cloud computing and Hadoop introductionCloud computing and Hadoop introduction
Cloud computing and Hadoop introduction
 
Taboola's experience with Apache Spark (presentation @ Reversim 2014)
Taboola's experience with Apache Spark (presentation @ Reversim 2014)Taboola's experience with Apache Spark (presentation @ Reversim 2014)
Taboola's experience with Apache Spark (presentation @ Reversim 2014)
 
Ruby codebases in an entropic universe
Ruby codebases in an entropic universeRuby codebases in an entropic universe
Ruby codebases in an entropic universe
 
"R, Hadoop, and Amazon Web Services (20 December 2011)"
"R, Hadoop, and Amazon Web Services (20 December 2011)""R, Hadoop, and Amazon Web Services (20 December 2011)"
"R, Hadoop, and Amazon Web Services (20 December 2011)"
 
R, Hadoop and Amazon Web Services
R, Hadoop and Amazon Web ServicesR, Hadoop and Amazon Web Services
R, Hadoop and Amazon Web Services
 
Guide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGuide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever Code
 
Data science and Hadoop
Data science and HadoopData science and Hadoop
Data science and Hadoop
 
SDN Demystified, by Dean Pemberton [APNIC 38]
SDN Demystified, by Dean Pemberton [APNIC 38]SDN Demystified, by Dean Pemberton [APNIC 38]
SDN Demystified, by Dean Pemberton [APNIC 38]
 
Introduction to Hadoop and Big Data
Introduction to Hadoop and Big DataIntroduction to Hadoop and Big Data
Introduction to Hadoop and Big Data
 
Map reducecloudtech
Map reducecloudtechMap reducecloudtech
Map reducecloudtech
 

Mehr von pseudor00t overflow

Mehr von pseudor00t overflow (15)

Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
 
Bomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tBomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00t
 
Colombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIAColombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIA
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
 
fingerprinting blackhat by pseudor00t
fingerprinting blackhat by pseudor00tfingerprinting blackhat by pseudor00t
fingerprinting blackhat by pseudor00t
 
EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t
 
Modelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tModelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00t
 
Nagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tNagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00t
 
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
 
Hacking Etico by pseudor00t
Hacking Etico by pseudor00tHacking Etico by pseudor00t
Hacking Etico by pseudor00t
 
Criptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tCriptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00t
 
Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t
 
Metodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tMetodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00t
 

Kürzlich hochgeladen

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 

Kürzlich hochgeladen (20)

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 

Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t

  • 1. Conducting Massive Attacks With Open Source Distributed Computing By Alejandro Caceres (@DotSlashPunk) DEF CON 21
  • 2. How to (almost) get fired from your job Step 1: Speak at a hacker con on your open source community-focused side project (PunkSPIDER) - Combined distributed computing (my main area of research) with web application fuzzing - Was pretty cool (if I do say so myself) Step 2: Have a friend of a high-level executive at your company stumble upon talk at said con Step 3: Have said friend confuse community-focused web app security side project for a “cyber weapon” and tell executive that you’re building a cyber weapon in your spare time. Step 4:  DEF CON 21
  • 3. Why did I just tell you that story? • It was the inspiration for this talk – got me thinking about the following: – What would it take to build true distributed network attack tools? – Where can distributed computing help the most? – How can one simply and quickly build distributed attack tools to do whatever it is you’re into • We won’t judge - but don’t do anything illegal. Seriously. Please? Ah whatever, you’re not listening anyway. • My goal is simply to explore some of the possible answers to these questions DEF CON 21
  • 4. Distributed Computing Today • Great advances in distributed computing lately – Apache Hadoop – Google’s MapReduce papers and implementation details • We’ve seen some great stuff come out of this – Data Analytics – Super fast data processing (for faster analytics) – Counting things (analytics) – Analyzing things (analytics) • You might notice a trend in the above uses of distributed computing or “big data” technologies if you’re into buzzwords (looking at you Splunk, IBM, EMC, etc. etc. etc.) – Spoiler: we’re mostly using it for data analytics – This bores me DEF CON 21
  • 5. Distributed Computing In the (distant) Future • My main “thing” is using distributed computing / ”big data” technologies for massive attacks – Most of my research thus far has been in application-level attacks • I want to dive into this area and see what’s possible! DEF CON 21
  • 6. High-level idea behind distributed attacks • Much respect for the 1337 hackers out there, working on extremely complex low-level problems to break into things • However, much of the time this isn’t needed. Especially on the web application side, if you choose a big enough target (e.g. a country), you’re going to break into things. Lots of things. – We’ve seen the awful state of web application security in our distributed fuzzer unleashed on the Internet. (http://punkspider.hyperiongray.com) • <analogy> Try enough door knobs, and some of them will be open. In many environments, lots of them will be open. Or at least have a broken lock that you can kick in easily. </analogy> DEF CON 21
  • 7. Why Distributed Attacks? • Often the time required to attack a target is way too long • Longer attack times may mean more chance of being detected and stopped • Extremely large beds of targets may be completely infeasible due to time restrictions and coordination issues • E.g. PunkSPIDER – our target was the entire Internet • The Internet is a big place, it would take years to scan it properly, even just for high level vulnerabilities • Coordination between computing resources – Without coordination between various computing resources, you may end up duplicating a lot of effort and the attack may be less effective DEF CON 21
  • 8. But distributed computing sounds hard... • It’s not! Huge advances in recent years make it really easy to get up and running • In this talk we’ll focus on Apache Hadoop, one of the best, and simplest, implementations of distributed computing DEF CON 21
  • 9. Hadoop and Me (and You) • I really like love Hadoop • Hadoop is an implementation of the MapReduce distributed computing concept – You write a Map function that gets distributed across the cluster – it takes in several key-value pairs as inputs and emits several key-value pairs as outputs – You write a reduce function. A partitioner sorts the output from the map function by its keys – each set of key-value pairs with common keys are sent through the map function, which emits a final set of key-value pairs. This final set should be the solution to the original problem you were trying to solve • If you’re confused, it’s actually pretty simple in practice. It’s also awesome, and easy to implement. DEF CON 21
  • 10. Using MapReduce – PunkSCAN Example • The classic example for MapReduce is a “word count” example. It counts words real fast, cool huh? False. This is uber boring. – I even tried adding animated .gif flames and spinning .gif skulls to my word count job and it was still way too boring to show you • Let’s take a better example – You have a list of a ton of websites, you want to see if they have obvious vulnerabilities • In this case, lets assume we just have the list of sites • In PunkSPIDER our list comes from automated crawling of the Internet using a distributed crawler DEF CON 21
  • 11. Using MapReduce PunkSCAN Example (cont.) DEF CON 21
  • 12. Using MapReduce PunkSCAN Example (cont.) DEF CON 21
  • 13. Demo Time! • Let’s see PunkSCAN in action • This is live production data being indexed to PunkSPIDER! DEF CON 21
  • 14. My Love Affair With MapReduce • If you’re astute you noticed a few things in my example – It’s written in Python – It’s only a few lines of code • Some additional stuff I can tell you – As far as fuzzing goes, what I showed you is the only part of PunkSCAN that is “distributed computing-focused” code (the rest is a pretty standard fuzzer that I wrote and other basic python code) – It works REALLY well – we’ve scanned over 1.5 million domains using this code and found hundreds of thousands of vulnerabilities. It’s really stable and very very fast – More nodes means faster fuzzing – simple as that DEF CON 21
  • 15. What is a Hadoop and Where Can I Get One? • Apache Hadoop is a free and open source implementation of distributed computing with MapReduce • It’s very easy to set up on pretty much any Linux distro (I recommend trying it out on Kali, it works great!) • A small cluster in the cloud can be built within a couple of hours • Alternately you can build your own off of really old hardware • Various other options – Amazon’s EMR provides a Hadoop-like environment on demand – They don’t like you hacking on Amazon’s EMR – I got kicked off of AWS so take my advice on this with a grain of salt DEF CON 21
  • 16. Use Cases • Now that we have the basics out of the way – it’s time to talk about what we can do with this • Three Examples we will be covering – Distributed recon – Distributed attack – Distributed password cracking DEF CON 21
  • 17. Use Case 1: Distributed Recon • Why distribute recon? – Greatly speed up repetitive tasks – Wonderful for finding a massive number of low hanging fruit – Can make deep recon across a massive number of targets (e.g. an entire country’s IP ranges) feasible in a short period of time) DEF CON 21
  • 18. Use Case 1: Distributed Recon • The best example is PunkSCAN – We use Hadoop Streaming, a Hadoop function that reads input and output from stdout, allowing you to write code in whatever language you want (this is why PunkSCAN was in Python) • Heads up: Consider your problem – are you in need of CPU, Memory, or bandwidth? – If the former two are needed, any old cluster will do. If bandwidth, you need to carefully plan where your nodes are from a network standpoint – Always think before you code. You could waste time distributing something that might not help you that much to have distributed – In the case of PunkSCAN we did some pre-research to ensure that distributed fuzzing would help us (fuzzing is highly CPU and memory-intensive – bandwidth is a minor consideration – even for remote fuzzing) DEF CON 21
  • 19. How to get your own • You can download PunkSCAN from BitBucket – We’ll give you a link at the end of the talk • You can write your own pretty easily: – Pick your favorite URL fuzzing library (there’s a bunch out there) – Grab a library that will help you abstract the process of writing a mapper and reducer for Hadoop (we used the MRJob Python library in PunkSCAN) – Write a mapper and reducer leveraging the libraries – Run it across your cluster and watch it fly • It really is that simple – Though admittedly testing and debugging is a pain DEF CON 21
  • 20. Use Case 2: Distributed Attacks • Why distribute exploitation? – It’s fun – You can conduct large-scale automated attacks in a short period of time – owning massive targets in a short time (such as entire countries) • We’ll be looking at the example of automated SQL Injection attacks by distributing everyone’s favorite automated SQLi tool, SQLMap DEF CON 21
  • 21. Use Case 2: Distributed Attacks • The basics – We use SQLMap’s code as a “library” of sorts – We pick an abstraction library for writing a MapReduce job • In this case we picked the MRJob Python library • We write a mapper • We write a reducer • We run the job • You may already notice a pattern – it’s all about writing a MapReduce job – To see our detailed Mapper and Reducer, please visit www.hyperiongray.com and check out our code downloads section DEF CON 21
  • 22. Use Case 2: Distributed Attacks • Demo (against our cloud test environment) DEF CON 21
  • 23. Use Case 2: Distributed Attacks • Notice the simplicity of the code and the few lines of code/customization required to run this • In the end, we end up with a bunch of stolen databases in Hadoops HDFS – HDFS is a central file system that Hadoop creates – it is accessible via any of the nodes – How much easier can it get? We don’t even need to worry about which node we’re on to store or retrieve data • Now that we have all of these stolen databases, now what? DEF CON 21
  • 24. Use Case 3: Distributing Post-Exploitation Activities • Why distribute? • Attacking a *lot* of targets at once will leave the attacker with a ton of extracted data • Password hashes to crack, data to analyze and parse • From the vulnerabilities we’ve seen in PunkSPIDER this could be a LOT of data especially for password cracking – we need a better solution than single node cracking • Why not repurpose old, commodity hardware to build your own cracking cluster? DEF CON 21
  • 25. Use Case 3: Distributing Post-Exploitation Activities • Admittedly, this is one of the more complex tasks – We went with Java instead of Python (for performance) – Partitioning the job is non-trivial • Luckily, you can just download our cracker PunkCRACK, free and open source, and use it and not worry too much about the internals • However, for those of you more curious folks, you can see our detailed Mapper and Reducer at www.hyperiongray.com in the code downloads section. DEF CON 21
  • 26. Use Case 3: Distributing Post-Exploitation Activities • Demo (again, against our own test data in our own environment) DEF CON 21
  • 27. Bringing It All Together • We’ve thoroughly enjoyed proving the concept here, but what does this mean for you? – Leveraging distributed computing from an offensive perspective gives you the power to run massive attack scenarios – this lets you build custom tools to do that using open source technology and commodity hardware – Imagine “pen testing” an entire country – it’s entirely feasible with the tools and concepts I’ve presented • We think the security implications of this concept are broad – if we can feasibly simulate a massive attack scenario, then we can better study this and prepare for it. DEF CON 21
  • 28. Wrap-up • Follow me on Twitter: @DotSlashPunk – I’ll answer your questions if you are following me (personal questions answered on a case-by-case basis…) • See more about us and more details on this presentation at http://www.hyperiongray.com • See Check out PunkSPIDER at http://punkspider.hyperiongray.com DEF CON 21
  • 29. Thanks • Thanks to: – Tomas – Mark – The SQLMap project (and everyone involved) – The Apache Software Foundation (and the Nutch and Hadoop community) – And of course THANKS to all of you for coming to my talk! – DEF CON 21 and everyone involved DEF CON 21