This document discusses techniques for going beyond automated tools and scans to hunt for vulnerabilities and gather intelligence as an information security professional. It provides defensive use cases like analyzing pcap files with tcpdump and Dshell to profile network activity. Offensive techniques discussed include pushing past roadblocks during pentests, abusing features like contact forms, and testing remediation. It emphasizes the value of learning scripting languages like Python to build your own tools for tasks like vulnerability scanning and demonstrating proof of concepts. The overall message is that security professionals should adopt a hunter/gatherer mindset to find issues missed by automated tools alone.
2. Who Are We?
• Primal Security: www.primalsecurity.net
– Blog, Podcast, Tutorials
• Our blog and tutorials documented a lot of our experience through OSCP/OSCE
3. Zack Meyers
@b3armunch
• Continuous Monitoring Enthusiast
• PrimalSec team member and Web Application Pentester
GET
• Any and all information I can EVER find on offensive techniques, tools and procedures.
POST
• I love hot sauce and will eat small meals periodically throughout the day aka “Zack Snacks” :)
4. Andrew McNicol
@PrimalSec
• Security consultant
• Co-Founder and one of the lead authors of Primal Security blog/podcast
try:
    print 'I enjoy writing error-free Python with Google and stackoverflow'
except: pass
• I spend my day abusing features in web applications - previous IR (pcap, malware)
5. Quick Outline
• Hunter/Gatherer
• Defensive Use Cases:
– Slicing and dicing pcap w/tcpdump + Dshell
– Staying ahead of the game
• Offensive Use Cases:
– A pentest is not a scan
– Pushing Past Walls
– Abusing Contact Us/Feedback Features
– Testing Remediation #ThinkDifferently
• Making Your Own Tools - A quick look at Python
6. We didn’t do it
• We are not lawyers and/or giving you any legal advice.
• We are not giving you permission or authorizing you in any way to do anything.
• In fact don’t do anything ever...
7. This talk
• Too many people only leverage automated tool output to perform their job function
• We plan to share some of our experience on going beyond automated tools.
• Note: We do like automated tools – This is not a talk on bashing them!
8. What is a Gatherer?
• Someone who leverages automated tools to:
– Find vulnerabilities with scanners
– Find interesting network traffic with an IDS
9. What is a Hunter?
• One who goes beyond automated tools to:
– Find vulnerabilities missed by vulnerability scanners
– Find evil in a sea of pcap
– Write their own tools
13. Hunting with tcpdump
• The ability to rip through pcap using tcpdump/Bash is a very useful skill
• Profiling network activity can help you find what might be missed
• We have a whole talk just on this topic:
– www.primalsecurity.net/being-the-hunter-with-tcpdump
14. Hunting with tcpdump Cont.
• How do you deal with the output?
– BPFs and Linux Utilities
15. Hunting with tcpdump: Linux Utilities
• grep / egrep - Powerful search utilities
– Useful switches: -i, -v
• sort / uniq
• awk - Awesome utility, lots of functionality - I use it to print parts of a line
– Useful switch: -F
16. Hunting with tcpdump: BPFs
• Berkeley Packet Filters (BPFs) can filter for packets of interest:
– host
– net
– port
– src / dst
– Boolean logic (and, or)
– Protocol specific (tcp, udp, icmp, etc.)
17. Useful Bash 1-liner for tcpdump
• Useful 1-liner to read in multiple files at once with tcpdump (a glob, rather than parsing ls output, handles odd file names safely):
for i in *.pcap; do <tcpdump_comm>; done
• This for loop can be useful for really any command you need to run through a loop
18. Hunting with tcpdump: DNS
• I see DNS as a treasure trove of information
• You may find me getting dragon sickness over all the gold in DNS :)
19. Hunting with tcpdump: DNS Cont.
• Summarizing DNS with tcpdump/Bash:
– for i in *.pcap; do tcpdump -ttttnnr "$i" 'udp and port 53'; done | grep ' A? '
24. Hunting with tcpdump: Outbound Connections
• Find the SYN every hour ☺ #NeedleInHaystack
• Same approach as DNS, but we will focus on summarizing the dst IP in SYN packets
25. Hunting with tcpdump: Outbound Connections Cont.
• Quick BPF to key in on SYNs: “tcp[13]=2”
• Next we will use “awk” to grab just the dst IP
26. Hunting with tcpdump: Outbound Connections Cont.
• Now we can summarize the dst IP with “awk” and “sort/uniq”
27. Hunting with tcpdump: Outbound Connections Cont.
• Now to speed things up we can extract just the IP and then toss it into a script to lookup network info (CIDR/Net Owner)
28. Hunting with tcpdump: Outbound Connections Cont.
• Now we can add in a bit of Python to lookup network info using Team Cymru’s Python whois module:
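As an added worked example (not code from the talk), the following Python script does the same profiling that the tcpdump/grep/awk/sort pipelines on slides 19 and 24-28 do, over a constructed sample of tcpdump -ttttnn output: it counts the A? queries, counts the destination IPs of bare SYNs, and maps each destination to a network owner. The sample lines, the NET_OWNERS table and all function names are invented for the demo; the talk used Team Cymru's Python whois module for the owner lookup, which needs network access, so a local CIDR table stands in for it here.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of `tcpdump -ttttnn -r capture.pcap` output (not real capture data).
SAMPLE_TCPDUMP_OUTPUT = """\
2015-04-20 10:15:01.100000 IP 10.0.0.5.51234 > 10.0.0.1.53: 12345+ A? www.example.com. (33)
2015-04-20 10:15:01.200000 IP 10.0.0.1.53 > 10.0.0.5.51234: 12345 1/0/0 A 93.184.216.34 (49)
2015-04-20 10:15:02.000000 IP 10.0.0.5.40001 > 203.0.113.10.443: Flags [S], seq 1, win 29200, length 0
2015-04-20 10:15:02.100000 IP 203.0.113.10.443 > 10.0.0.5.40001: Flags [S.], seq 1, ack 2, win 65535, length 0
2015-04-20 11:15:03.000000 IP 10.0.0.7.51235 > 10.0.0.1.53: 23456+ A? www.example.com. (33)
2015-04-20 11:15:04.000000 IP 10.0.0.7.40002 > 203.0.113.10.443: Flags [S], seq 1, win 29200, length 0
2015-04-20 12:15:05.000000 IP 10.0.0.9.51236 > 10.0.0.1.53: 34567+ A? beacon.invalid. (31)
2015-04-20 12:15:06.000000 IP 10.0.0.9.40003 > 198.51.100.77.8443: Flags [S], seq 1, win 29200, length 0
2015-04-20 13:15:06.000000 IP 10.0.0.9.40004 > 198.51.100.77.8443: Flags [S], seq 1, win 29200, length 0
2015-04-20 14:15:06.000000 IP 10.0.0.9.40005 > 198.51.100.77.8443: Flags [S], seq 1, win 29200, length 0
"""

# Constructed stand-in for the whois lookup (the talk used Team Cymru's module).
NET_OWNERS = {
    "203.0.113.0/24": "TEST-NET-3 (constructed owner label)",
    "198.51.100.0/24": "TEST-NET-2 (constructed owner label)",
}

# "A?" marks a query for an A record; the name is followed by a trailing dot and the length.
DNS_QUERY_RE = re.compile(r"\sA\?\s(\S+?)\.?\s\(")
# "Flags [S]" alone is a bare SYN, the same packets the BPF "tcp[13]=2" selects.
SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")


def dns_query_counts(lines):
    """Equivalent of: tcpdump ... 'udp and port 53' | grep ' A? ' | awk ... | sort | uniq -c."""
    counts = Counter()
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def syn_destination_counts(lines):
    """Count the destination IP of every bare SYN (the dst host on each Flags [S] line)."""
    counts = Counter()
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def ranked(counts):
    """Same ordering as `sort | uniq -c | sort -rn`: most frequent first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def lookup_owner(ip, table=NET_OWNERS):
    """Longest-prefix match of ip against the CIDR table; (cidr, owner) or (None, 'unknown')."""
    addr = ipaddress.ip_address(ip)
    best, best_len = (None, "unknown"), -1
    for cidr, owner in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (cidr, owner), net.prefixlen
    return best


def summarize(text=SAMPLE_TCPDUMP_OUTPUT):
    lines = text.splitlines()
    return {
        "dns": ranked(dns_query_counts(lines)),
        "syn": [(ip, n, *lookup_owner(ip)) for ip, n in ranked(syn_destination_counts(lines))],
    }


if __name__ == "__main__":
    report = summarize()
    print("DNS A? queries:")
    for name, n in report["dns"]:
        print(f"  {n:4d}  {name}")
    print("Outbound SYN destinations:")
    for ip, n, cidr, owner in report["syn"]:
        print(f"  {n:4d}  {ip:<16} {cidr or '-':<18} {owner}")
```

The SYN-ACK line in the sample (Flags [S.]) is deliberately not counted, which is the same distinction tcp[13]=2 makes; the hourly beacon to 198.51.100.77 surfaces at the top of the ranked list exactly as it would from sort -rn.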
30. Hunting with Dshell
• Dshell is a Python based network hunting tool
• Takes stuff spread across several packets and puts relevant details on an evenly spaced line
31. Hunting with Dshell Cont.
• Dshell has several modules for hunting:
– dns: matches up request/response
– synrst: SYN followed by RST/ACK
– netflow
– web: parses HTTP request/response
• Check out the blog post on SANS:
– https://isc.sans.edu/diary/Another+Network+Forensic+Tool+for+the+Toolbox+-+Dshell/19277
32. Be in the Know
• As InfoSec professionals we all sit on a throne of vulnerability data and system versioning information that can look overwhelming at a glance.
• So adjust your approach to keep yourself alert…
• Be the Continuous Monitoring Hunter and Gatherer for your firm through these techniques...
33. Follow, Read, Apply, Repeat
• Follow other infosec professionals via Twitter for the latest news.
• Read security blogs and RSS feeds for information on the newest vulnerabilities/exploits that are trending today.
• Apply what you read and identify your firm's footprint if applicable (via vuln data or hunting with tools) or create a lab environment (VM) to test a recent exploit.
• Repeat: do this process again throughout the day when you can or have downtime.
34. Some CM Examples
• Any security professional can appreciate a heads up!
– Knowing info on the next BIG SCARY VULN before management does… #Heartbleed #Shellshock #POODLE #GHOST
• Even knowing something as simple as a piece of software having an out-of-band patch, security bulletin or approaching EOL
– (i.e. Java SE v7 EOL by the end of this month, April 2015)
35. Spread Awareness
• Sharing information and knowledge about threats as they emerge can not only help you, but more importantly your TEAM.
• Reference blogs and the NIST NVD once a CVE is released to help track/communicate amongst your team.
37. Scans Ran Found Nothing…So Secure, Right?
• Often the focus of an assessment is to run tools and get things “scanned”:
– “Did you run your scans?”
– “How many checks did it fail?”
41. Pushing Past Walls Cont.
• On a recent pentest we found a WordPress server
• Could access login panel - So brute force is in!
– Enumerate valid usernames via login error messages
• WPScan found some stuff to play with:
– Avada Theme with Revslider
– Paid Memberships Pro Path Traversal Vulnerability
– Photo Gallery <= 1.2.7 - Unauthenticated SQL injection
42. Pushing Past Walls: Attack Plans
• Brute Force: Had a valid username - very slow ☹
• Paid Memberships Pro 1.7.14.2 Path Traversal:
– Worked! Sweet LFI (Grabbed wp-config.php)
– It was via a PHP readfile() so no code execution
43. Pushing Past Walls: Attack Plans
• Photo Gallery <= 1.2.7 - SQL injection
• In lab:
– Read up on the vulnerability
– Replicated it in lab
– Tested it in lab environment and w00tw00t worked
• On Assessment Server:
– Needed to have a valid Gallery ID for the server
– Attempted MSF module and failed ☹
– Dug through pcap: a few requests in, RSTs from the server…hmm, potential WAF
44. Pushing Past Walls: Attack Plans
• Figured out how to replicate the finding on lab setup with sqlmap:
• sqlmap -u "<target_URL>" -p "order_by" --random-agent --tamper=between --dbms=mysql --level=5 --risk=3
– sqlmap on the target site – Still blocked!
– Added in "--delay=" and figured out I needed a 4 second delay to not trigger the WAF
46. Pushing Past Walls: Attack Plans
• Result? Took a long time, but (DB Enum, Table Enum, --dump wp_users):
– Screen shot from lab setup:
47. Pushing Past Walls
• Was able to crack user hashes, authenticate to the server and completely compromise the web app
• Great win here, but lots of places I nearly stopped and had to push past to be successful
• Much easier to give up
49. Example: SSRF open relay
• Server Side Request Forgery (SSRF) vulnerabilities can make the web app your puppet:
– Contact Us Forms
– Feedback Forms
– Forms to request external services:
• tweets-grab.php
50. Example: SSRF open relay Cont.
• Another team gave this site a clean bill of health after a WebInspect scan + remediation
• Automated tools weren’t really working too well (Automated tool said 30 days)
• Started to manually test features with Burp as proxy and found SSRF open relay ☺
51. Example: SSRF open relay Cont.
• Gave me the ability to send emails to anyone coming from anyone in the organization (#BeefHook)
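Added example, not code from the talk or from the site described: the open-relay contact form pattern in Python beside a hardened builder. In the hardened version the sender and recipient are fixed by configuration (FORM_SENDER and FORM_RECIPIENT are constructed values), the submitter's address only reaches Reply-To after validation, and any CR/LF in a header-bound field is rejected, since a newline in a name or subject is how one submission grows extra To:/Bcc: headers. Standard library only; the function names are mine.

```python
import re
from email.message import EmailMessage

# Site configuration (constructed values): the only sender and recipient the form may ever use.
FORM_SENDER = "noreply@example.org"
FORM_RECIPIENT = "webmaster@example.org"

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class InvalidSubmission(ValueError):
    """Raised for any form field that must not reach an email header."""


def build_contact_email_open_relay(form):
    """The pattern the slide describes: sender, recipient and subject come straight
    from the request, so the form relays mail from anyone in the organization to anyone."""
    msg = EmailMessage()
    msg["From"] = form["from"]
    msg["To"] = form["to"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["message"])
    return msg


def header_safe(value, max_len=200):
    """Allow a value into a header only if it cannot add headers of its own."""
    if not isinstance(value, str):
        raise InvalidSubmission("header field must be text")
    if "\r" in value or "\n" in value or "\x00" in value:
        raise InvalidSubmission("control characters in header field")
    if len(value) > max_len:
        raise InvalidSubmission("header field too long")
    return value.strip()


def build_contact_email(form):
    """Hardened version: From and To are fixed by configuration, the submitter's
    address goes into Reply-To after validation, free text goes into the body only."""
    name = header_safe(form.get("name", "")) or "Anonymous"
    reply_to = header_safe(form.get("email", ""))
    if not EMAIL_RE.match(reply_to):
        raise InvalidSubmission("invalid reply-to address")
    subject = header_safe(form.get("subject", "")) or "Website contact form"
    body = form.get("message", "")
    if not isinstance(body, str) or len(body) > 10_000:
        raise InvalidSubmission("invalid message body")

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = FORM_RECIPIENT
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[Contact form] " + subject
    msg.set_content(f"Submitted by: {name} <{reply_to}>\n\n{body}")
    return msg


def rejects(form):
    """True if the hardened builder refuses the submission (handy for tests and logging)."""
    try:
        build_contact_email(form)
    except InvalidSubmission:
        return True
    return False
```

Handing the message to an MTA is left out; the point is that by the time a message object exists, nothing the submitter typed can change where it goes or whom it claims to be from.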
52. Example: Vulns in Unlinked Content
• SharePoint sites are guilty of this where you may see a default IIS page when visiting the FQDN, but then after some Google Fu, Burp's Engagement Tools, etc.
• site:<FQDN> or inurl:<FQDN>, then from there leverage additional search operators to discover interesting information
– file:<extension> (maybe a .bak or .old) or (-) <FQDN> (kinda like a grep -v)
• You find a new source of unlinked directories and resources that now establish a whole new attack surface!
53. Example: Vulns in Unlinked Content
• Most automated tools will only evaluate linked content
• Enumerating technology in use and making requests for default content – lots of wins (default admin panels, vulnerable resources, etc.)
– Google searching “<technology> exploit”
• Lots of vulns could be hanging out unlinked in the app
54. Username Enumeration
• Difference in login messages
• Password reset feature?
– Attempting to reset the web admin account: “Which admin username did you want to reset?”
• Metadata in documents on site
55. Username Enumeration Cont.
• In our experience web applications commonly don’t have strong password complexity requirements
– “password3”, “p@ssword”…. yes, they still work
• Enumerating usernames, combined with no lockout features, and some wordlists = account compromise:
– Deploy code, emails, upload files, etc.
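Added example (not from the talk) of the server side of slides 54 and 55: a login handler and a password-reset handler whose responses do not differ between existing and non-existent usernames, and which lock an account after MAX_ATTEMPTS failures within a window. The user store, salt, timing values and all names are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed user store (no real accounts). Real code uses a random salt per user.
_SALT = b"constructed-demo-salt"
ROUNDS = 50_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, ROUNDS)


USERS = {"admin": _hash("correct horse battery staple")}
# Hashed for unknown users too, so a request for a non-existent account costs the same time.
DUMMY_HASH = _hash("not-a-real-password")

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
GENERIC_ERROR = "Invalid username or password."
RESET_MESSAGE = "If that account exists, a reset link has been sent to its address on file."

_failures = {}   # username -> (failed attempts, timestamp of first failure in the window)
_reset_queue = []  # usernames for which a reset email would be sent out of band


def login(username, password, now=None):
    """Return (ok, message). The message never reveals whether the account exists
    or whether it is locked; both facts are what the enumeration slides exploit."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if now - since >= LOCKOUT_SECONDS:
        count, since = 0, now  # lockout window expired; start a fresh count
    if count >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR
    stored = USERS.get(username, DUMMY_HASH)
    # Constant-time compare, computed even for unknown users to keep timing uniform.
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if ok:
        _failures.pop(username, None)
        return True, "Welcome."
    _failures[username] = (count + 1, since)
    return False, GENERIC_ERROR


def request_password_reset(username):
    """Same response whether or not the username exists; the reset link (if any) is
    delivered to the address on file, never echoed back to the requester."""
    if username in USERS:
        _reset_queue.append(username)
    return RESET_MESSAGE


def reset_lockouts():
    _failures.clear()
```

Locking by username alone lets anyone lock the admin out by guessing wrong five times, so production code pairs this with per-source rate limiting; the point here is that neither the login response nor the reset response confirms that an account exists, which removes the free username list the brute-force step depends on.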
56. OSINT Example
• Found Admin video on YouTube
• Found Admin’s GitHub, LinkedIn, Facebook
• Found Admin’s email in README of source code
• Validated username via “Forgot my username” feature
• Found additional connections to admin who liked his post on Facebook and worked for the same organization:
– Brute forced accounts and gained access to application
• We have a whole talk on OSINT: www.primalsecurity.net/osint/
57. Scanner Takes Too Long
• Not uncommon for an automated tool to say “Estimated time 34 days…”
58. Automated Tool Crashes App
• Not uncommon for an automated tool to tip over a server
• Throw an automated tool at a sensitive web application... You might see something like this:
59. Automated Tool Crashes App Cont.
• Should still be noted in the report as a finding
– The big boy internet scans applications
• You should also be able to perform manual testing to ensure other vulnerabilities are enumerated
60. Testing Remediation Example
• fileupload.php (client-side MIME type check) - bypass it by changing the “Content-Type”
61. Testing Remediation Example
• Developer fixes with additional server-side checks and names the file fileupload2.php
• How would you go about testing this?
62. Testing Remediation Example Cont.
• I saw my input pass to “fileupload2.php”
• I thought “Hmm, I wonder if fileupload.php is still accessible…”
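Added example, not the developer's fileupload2.php: what a server-side check looks like when it does not trust the client's Content-Type at all. The extension allow-list and magic-number table are constructed for the demo, and the file is stored under a server-chosen name so nothing the client sends reaches the path on disk. Function names are mine.

```python
import os
import secrets

# Allowed extensions and the leading bytes (magic numbers) each file type must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content_type, data):
    """Server-side validation. `content_type` is the client's declared type and is
    only recorded; it never influences the decision, because editing that header
    was exactly the bypass against the client-side check."""
    if not isinstance(data, (bytes, bytearray)) or len(data) == 0:
        raise UploadRejected("empty upload")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    # Strip any directory component, then judge only the final extension:
    # "shell.php.png" is treated as .png and must then look like a PNG.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # Server-chosen name: nothing the client sent ends up in the path on disk.
    stored_as = f"{secrets.token_hex(8)}.{ext}"
    return {"stored_as": stored_as, "declared_type": content_type, "size": len(data)}


def rejects(filename, content_type, data):
    try:
        validate_upload(filename, content_type, data)
    except UploadRejected:
        return True
    return False
```

This still leaves the question slide 62 asks, whether the original fileupload.php is reachable: a check like this has to sit behind every upload entry point, and the old one has to be removed, not just left unlinked.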
64. Learning a Scripting Language
• I find it a necessary part of my day to day
• Learning a scripting language isn’t that hard
• It’s like starting a friction fire
65. Python
• Python is my weapon of choice
• This talk won't teach you how to write Python, but we plan to show some examples
– We have a whole talk and tutorial on Python:
• Talk: www.primalsecurity.net/introduction-to-python-for-security-professionals/
• Tutorial: www.primalsecurity.net/tutorials/python-tutorials/
• We suggest picking a small project and tackling it
66. Python Resources
• Courses:
– SecurityTube’s Python Scripting Expert Course
– Google has a free course on Python
– Codecademy Python course
• Books:
– Violent Python by TJ O'Connor
– Gray Hat and Black Hat Python by Justin Seitz
67. Python Modules
• Python has a lot of built-in and 3rd party modules that can do the heavy lifting for you
• OS command:
• whois lookup:
68. Python Web Scanner
• During our assessments we find it very useful to make custom scripts to automate interaction with web applications
• Making web requests in Python is a very practical use case
70. More Advanced Web Scanner
• PrimalSec <!-- Web Testing Framework -->
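Added example (not the PrimalSec scanner or any code from the talk): a small urllib-based checker for the remediation question on slides 61 and 62, run against a throwaway local http.server that stands in for the application and deliberately keeps the old fileupload.php alongside fileupload2.php. The DemoApp routes, the list of retired paths and the function names are constructed for the demo.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen


# Constructed stand-in for the remediated app: the new handler was added, but the
# original fileupload.php was never removed, which is the gap the slide describes.
class DemoApp(BaseHTTPRequestHandler):
    ROUTES = {
        "/fileupload2.php": b"new upload handler",
        "/fileupload.php": b"old upload handler",
    }

    def do_GET(self):
        body = self.ROUTES.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body if body is not None else b"not found")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), DemoApp)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def status_code(url):
    """HTTP status for a GET; urllib raises on 4xx/5xx, so unwrap the code."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code


def still_reachable(base_url, retired_paths):
    """Return the retired paths that still answer 200 after the fix."""
    return [path for path in retired_paths if status_code(base_url + path) == 200]


def run_demo():
    server = start_demo_server()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        assert status_code(base + "/fileupload2.php") == 200, "new handler should be live"
        return still_reachable(base, ["/fileupload.php", "/fileupload_old.php", "/upload.bak"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    leftovers = run_demo()
    print("retired endpoints still reachable:", leftovers or "none")
```

The same still_reachable() call, pointed at a real base URL with the list of endpoints a fix was supposed to retire, is the retest for "is fileupload.php still accessible"; anything it returns belongs in the report next to the original finding.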
71. Python examples - ShellShock
• In Corelan training at DerbyCon... deprived of sleep and overdosed on Red Bull -> Enter ShellShock
– Had to spin up a tool to check for ShellShock
72. Python - ShellShock Cont.
• Below is a quick Proof of Concept (PoC) for Shellshock
73. Python - ShellShock Cont.
• Example output - this illustrates how to automate an RCE to make it feel like a web shell
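The slides show the offensive PoC and its output; as an added example that is not from the talk, here is the defender's counterpart in Python: detection of the Shellshock function-definition prefix in the client-controlled fields of combined-format access log lines, with the served /cgi-bin/ hits pulled out for triage. The log lines, addresses and function names are all constructed.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (not from a real server). The "() {"
# function-definition prefix in a client-controlled HTTP field is the Shellshock signature.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [24/Sep/2014:11:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
203.0.113.4 - - [24/Sep/2014:11:02:10 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [24/Sep/2014:11:02:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "Mozilla/5.0"
203.0.113.4 - - [24/Sep/2014:11:03:00 +0000] "GET /cgi-bin/status HTTP/1.1" 404 210 "-" "curl/7.35.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash function-definition prefix; the space between "()" and "{" is optional in observed variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
CHECKED_FIELDS = ("req", "ref", "ua")  # request line, Referer, User-Agent: all attacker-controlled


def find_shellshock_attempts(lines):
    """One record per log line carrying the signature in any client-controlled field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = [f for f in CHECKED_FIELDS if SHELLSHOCK_RE.search(m.group(f))]
        if not fields:
            continue
        req_parts = m.group("req").split()
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": req_parts[1] if len(req_parts) > 1 else "",
            "status": int(m.group("status")),
            "fields": fields,
        })
    return hits


def attempts_by_source(hits):
    return Counter(h["ip"] for h in hits)


def served_cgi_hits(hits):
    """Attempts that reached a CGI path and got a 200 are triaged first: the log alone
    cannot say whether the server executed the payload, so correlate these with
    outbound connections from the host around the same timestamps."""
    return [h for h in hits if h["status"] == 200 and h["path"].startswith("/cgi-bin/")]


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_ACCESS_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['path']} status={h['status']} fields={','.join(h['fields'])}")
    print("per source:", dict(attempts_by_source(found)))
    print("served CGI hits to triage:", len(served_cgi_hits(found)))
```

The outbound-SYN summary from the tcpdump slides is the natural second half of this triage: a 200 on a CGI path followed by a new outbound connection from the web server is the pattern that turns an attempt into an incident.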
74. Writing Scripts for Assessment Report
• Writing a script to demonstrate a vulnerability for the report can help land the impact
– LFI/RFI -> Shell
– Automating an RCE / web shell capability
– Automating a SSRF to show potential impact
75. Useful Training
• Offensive Security: OSCP/OSCE
• eLearnSecurity
• SANS
• Vulnhub.com
• We have a talk covering this in more depth:
– www.primalsecurity.net/how-to-be-an-infosec-geek/
76. In Summary
• We hope this talk inspired more people to:
– Be a Hunter and Gatherer
– Pick up a scripting language or Bash Kung Fu #StartTheFire
• Hopefully you can go out tomorrow and find bad guys or vulnerabilities that may have been missed for days, months, or even years!