BSides_Charm2015_Info sec hunters_gathers
CTO at BreakPoint Labs, OSCE, OSCP, BreakPoint Labs, LLC
12 Apr 2015 • 0 likes • 2,178 views
BSides CHARM 2015 Talk "InfoSec Hunters and Gatherers" - Learn how to go beyond automated tools to truly be the "Hunter" and find both bad guys and vulnerabilities.
2. Who Are We?
• Primal Security: www.primalsecurity.net
– Blog, Podcast, Tutorials
• Our blog and tutorials documented a lot of our experience through OSCP/OSCE
3. Zack Meyers
@b3armunch
• Continuous Monitoring Enthusiast
• PrimalSec team member and Web Application Pentester
GET
• Any and all information I can EVER find on offensive techniques, tools and procedures.
POST
• I love hot sauce and will eat small meals periodically throughout the day aka “Zack Snacks” :)
4. Andrew McNicol
@PrimalSec
• Security consultant
• Co-Founder and one of the lead authors of Primal Security blog/podcast
try:
print ‘I enjoy writing error-free Python with Google
and stackoverflow”
except:pass
• I spend my day abusing features in web applications - previous IR (pcap, malware)
5. Quick Outline
• Hunter/Gatherer
• Defensive Use Cases:
– Slicing and dicing pcap w/tcpdump + Dshell
– Staying ahead of the game
• Offensive Use Cases:
– A pentest is not a scan
– Pushing Past Walls
– Abusing Contact Us/Feedback Features
– Testing Remediation #ThinkDifferently
• Making Your Own Tools - A quick look at Python
6. We didn’t do it
• We are not lawyers and/or giving you any legal advice.
• We are not giving you permission or authorizing you in any way to do anything.
• In fact don’t do anything ever...
7. This talk
• Too many people only leverage automated tool output to perform their job function
• We plan to share some of our experience on going beyond automated tools.
• Note: We do like automated tools – This is not a talk on bashing them!
8. What is a Gatherer?
• Someone who leverages automated tools:
– Find vulnerabilities with scanners
– Find interesting network traffic with an IDS
9. What is a Hunter?
• One who goes beyond automated tools to:
– Find vulnerabilities missed by vulnerability scanners
– Find evil in a sea of pcap
– Write their own tools
13. Hunting with tcpdump
• The ability to rip through pcap using tcpdump/Bash is a very useful skill
• Profiling network activity can help you find what might be missed
• We have a whole talk just on this topic:
– www.primalsecurity.net/being-the-hunter-with-tcpdump
14. Hunting with tcpdump Cont.
• How do you deal with the output?
– BPFs and Linux Utilities
15. Hunting with tcpdump: Linux Utilities
• grep / egrep - Powerful search utilities
– Useful switches: -i, -v
• sort / uniq
• awk - Awesome utility, lots of functionality - I use it to print parts of a line
– Useful switch: -F
16. Hunting with tcpdump: BPFs
• Berkeley Packet Filters (BPFs) can filter for packets of interest:
– host
– net
– port
– src / dst
– Boolean logic (and, or)
– Protocol specific (tcp, udp, icmp, etc.)
17. Useful Bash 1-liner for tcpdump
• Useful 1-liner to read in multiple files at once with tcpdump (a glob is safer than parsing `ls` output):
for i in *.pcap; do <tcpdump_comm>; done
• This for loop can be useful for really any command you need to run through a loop
18. Hunting with tcpdump: DNS
• I see DNS as a treasure trove of information
• You may find me getting dragon sickness over all the gold in DNS :)
19. Hunting with tcpdump: DNS Cont.
• Summarizing DNS with tcpdump/Bash (the BPF is quoted so the shell does not split it):
– for i in *.pcap; do tcpdump -ttttnnr "$i" 'udp and port 53'; done | grep ' A? '
24. Hunting with tcpdump: Outbound Connections
• Find the SYN every hour ☺ #NeedleInHaystack
• Same approach as DNS, but we will focus on summarizing the dst IP in SYN packets
25. Hunting with tcpdump: Outbound Connections Cont.
• Quick BPF to key in on SYNs: “tcp[13]=2”
• Next we will use “awk” to grab just the dst IP
26. Hunting with tcpdump: Outbound Connections Cont.
• Now we can summarize the dst IP with “awk” and “sort/uniq”
27. Hunting with tcpdump: Outbound Connections Cont.
• Now to speed things up we can extract just the IP and then toss it into a script to look up network info (CIDR/Net Owner)
28. Hunting with tcpdump: Outbound Connections Cont.
• Now we can add in a bit of Python to look up network info using Team Cymru’s Python whois module:
30. Hunting with Dshell
• Dshell is a Python based network hunting tool
• Takes data spread across several packets and puts the relevant details on one evenly spaced line
31. Hunting with Dshell Cont.
• Dshell has several modules for hunting:
– dns: matches up request/response
– synrst: SYN followed by RST/ACK
– netflow
– web: parses HTTP request/response
• Check out the blog post on SANS:
– https://isc.sans.edu/diary/Another+Network+Forensic+Tool+for+the+Toolbox+-+Dshell/19277
32. Be in the Know
• As InfoSec professionals we all sit on a throne of vulnerability data and system versioning information that can look overwhelming at a glance.
• So adjust your approach to keep yourself alert…
• Be the Continuous Monitoring Hunter and Gatherer for your firm through these techniques...
33. Follow, Read, Apply, Repeat
• Follow other infosec professionals via Twitter for the latest news.
• Read security blogs and RSS feeds for information on the newest vulnerabilities/exploits that are trending today.
• Apply what you read and identify your firm's footprint if applicable (via vuln data or hunting with tools), or create a lab environment (VM) to test a recent exploit.
• Repeat: do this process again throughout the day when you can or have downtime.
34. Some CM Examples
• Any security professional can appreciate a heads up!
– Knowing info on the next BIG SCARY VULN before management does…#Heartbleed #Shellshock #POODLE #GHOST
• Even knowing something as simple as a software having an out-of-band patch, security bulletin or approaching EOL
– (i.e. Java SE v7 EOL by the end of this month, April 2015)
35. Spread Awareness
• Sharing information and knowledge about threats as they emerge can not only help you, but more importantly your TEAM.
• Reference blogs and the NIST NVD once a CVE is released to help track/communicate amongst your team.
37. Scans Ran Found Nothing…So Secure, Right?
• Often the focus of an assessment is to run tools and get things “scanned”:
– “Did you run your scans?”
– “How many checks did it fail?”
41. Pushing Past Walls Cont.
• On a recent pentest we found a WordPress server
• Could access the login panel - So brute force is in!
– Enumerate valid usernames via login error messages
• Wpscan found some stuff to play with:
– Avada Theme with Revslider
– Paid Memberships Pro Path Traversal Vulnerability
– Photo Gallery <= 1.2.7 - Unauthenticated SQL injection
42. Pushing Past Walls: Attack Plans
• Brute Force: Had a valid username - very slow ☹
• Paid Memberships Pro 1.7.14.2 Path Traversal:
– Worked! Sweet LFI (Grabbed wp-config.php)
– It was via a PHP readfile() so no code execution
43. Pushing Past Walls: Attack Plans
• Photo Gallery <= 1.2.7 - SQL injection
• In lab:
– Read up on the vulnerability
– Replicated in lab
– Tested it in lab environment and w00tw00t worked
• On assessment server:
– Needed to have a valid Gallery ID for the server
– Attempted MSF module and failed ☹
– Dug through pcap: a few requests in, RSTs from the server…hmm, potential WAF
44. Pushing Past Walls: Attack Plans
• Figured out how to replicate the finding on the lab setup with sqlmap:
• sqlmap -u "<target_URL>" -p "order_by" --random-agent --tamper=between --dbms=mysql --level=5 --risk=3
– sqlmap on the target site – Still blocked!
– Added in “--delay=” and figured out I needed a 4 second delay to not trigger the WAF
46. Pushing Past Walls: Attack Plans
• Result? Took a long time, but (DB Enum, Table Enum, --dump wp_users):
– Screen shot from lab setup:
47. Pushing Past Walls
• Was able to crack user hashes, authenticate to the server and completely compromise the web app
• Great win here, but lots of places I nearly stopped and had to push past to be successful
• Much easier to give up
49. Example: SSRF open relay
• Server Side Request Forgery (SSRF) vulnerabilities can make the web app your puppet:
– Contact Us Forms
– Feedback Forms
– Forms to request external services:
• tweets-grab.php
50. Example: SSRF open relay Cont.
• Another team gave this site a clean bill of health after a WebInspect scan + remediation
• Automated tools weren’t really working too well (Automated tool said 30 days)
• Started to manually test features with Burp as proxy and found SSRF open relay ☺
51. Example: SSRF open relay Cont.
• Gave me the ability to send emails to anyone coming from anyone in the organization (#BeefHook)
52. Example: Vulns in Unlinked Content
• SharePoint sites are guilty of this: you may see a default IIS page when visiting the FQDN, but then after some Google Fu, Burp's Engagement Tools, etc.:
• site:<FQDN> or inurl:<FQDN>, then from there leverage additional search operators to discover interesting information:
file:<extension> (maybe a .bak or .old) or (-) <FQDN> (kinda like a grep -v)
• You find a new source of unlinked directories and resources that now establish a whole new attack surface!
53. Example: Vulns in Unlinked Content
• Most automated tools will only evaluate linked content
• Enumerating technology in use and making requests for default content – lots of wins (default admin panels, vulnerable resources, etc.)
– Google searching “<technology> exploit”
• Lots of vulns could be hanging out unlinked in the app
54. Username Enumeration
• Difference in login messages
• Password reset feature?
– Attempting to reset the web admin: “Which admin username did you want to reset?”
• Metadata in documents on site
55. Username Enumeration Cont.
• In our experience web applications commonly don’t have strong password complexity requirements
– “password3” “p@ssword”….yes they still work
• Enumerating usernames, combined with no lockout features, and some wordlists = account compromise:
– Deploy code, emails, upload files, etc.
56. OSINT Example
• Found Admin video on YouTube
• Found Admin’s GitHub, LinkedIn, Facebook
• Found Admin’s email in README of source code
• Validated username via “Forgot my username” feature
• Found additional connections to admin who liked his post on Facebook and worked for the same organization:
– Brute forced accounts and gained access to application
• We have a whole talk on OSINT: www.primalsecurity.net/osint/
57. Scanner Takes Too Long
• Not uncommon for an automated tool to say “Estimated time 34 days…”
58. Automated Tool Crashes App
• Not uncommon for an automated tool to tip over a server
• Throw an automated tool at a sensitive web application... You might see something like this:
59. Automated Tool Crashes App Cont.
• Should still be noted in the report as a finding
– The big boy internet scans applications
• You should also be able to perform manual testing to ensure other vulnerabilities are enumerated
60. Testing Remediation Example
• fileupload.php (client-side mime type check): bypass it by changing the “Content-Type”
61. Testing Remediation Example
• Developer fixes with additional server side checks and names the file fileupload2.php
• How would you go about testing this?
62. Testing Remediation Example Cont.
• I saw my input pass to “fileupload2.php”
• I thought “Hmm, I wonder if fileupload.php is still accessible…”
64. Learning a Scripting Language
• I find it a necessary part of my day to day
• Learning a scripting language isn’t that hard
• It’s like starting a friction fire
65. Python
• Python is my weapon of choice
• This talk won't teach you how to write Python, but we plan to show some examples
– We have a whole talk and tutorial on Python:
• Talk: www.primalsecurity.net/introduction-to-python-for-security-professionals/
• Tutorial: www.primalsecurity.net/tutorials/python-tutorials/
• We suggest picking a small project and tackling it
66. Python Resources
• Courses:
– SecurityTube’s Python Scripting Expert Course
– Google has a free course on Python
– Codecademy Python course
• Books:
– Violent Python by TJ O'Connor
– Gray Hat and Black Hat Python by Justin Seitz
67. Python Modules
• Python has a lot of built-in and 3rd party modules that can do the heavy lifting for you
• OS command:
• whois lookup:
68. Python Web Scanner
• During our assessments we find it very useful to make custom scripts to automate interaction with web applications
• Making web requests in Python is a very practical use case
70. More Advanced Web Scanner
• PrimalSec <!-- Web Testing Framework -->
71. Python examples - ShellShock
• In Corelan training at DerbyCon…deprived of sleep and overdosed on Red Bull -> Enter ShellShock
– Had to spin up a tool to check for ShellShock
72. Python - ShellShock Cont.
• Below is a quick Proof of Concept (PoC) for Shellshock
73. Python - ShellShock Cont.
• Example output - this illustrates how to automate an RCE to make it feel like a web shell
74. Writing Scripts for Assessment Report
• Writing a script to demonstrate a vulnerability for the report can help land the impact
– LFI/RFI -> Shell
– Automating an RCE / web shell capability
– Automating a SSRF to show potential impact
75. Useful Training
• Offensive Security: OSCP/OSCE
• eLearnSecurity
• SANS
• Vulnhub.com
• We have a talk covering this in more depth:
– www.primalsecurity.net/how-to-be-an-infosec-geek/
76. In Summary
• We hope this talk inspired more people to:
– Be a Hunter and Gatherer
– Pick up a scripting language or Bash Kung Fu #StartTheFire
• Hopefully you can go out tomorrow and find bad guys or vulnerabilities that may have been missed for days, months, or even years!