Page 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Synergy! A world where the tools communicate
Joshua “Jabra” Abraham, Rapid7, [email protected] @rapid7.com
AppSec 09, November 12, 2009
Purpose of this talk
Raising the bar on pentesting
Build upon current tools
Leverage XML to automate pentesting tasks
Extract data for a correlation engine
What we are doing today
High-level overview of an improved process (COE)
Releasing several modules and Fierce v2 Beta
Why should you care?
Focus on tasks that require context
More exciting
Better/Larger assessments
Reduce reporting time!!
Customers get better quality for less time
Raising the bar on the industry
Things to remember about Automation
Can’t automate manual review
Not all tools can be automated
Manual testing required
Context: “P!A!S!S!W!0!R!D=test”
Working towards the goals of the assessment
Assessment workflow: Enumeration -> Port Scanning -> Vulnerability Scanning -> Manual Review and Additional Testing -> Analysis and Reporting
Encourage developers to build tools with XML and APIs
Flow Diagram of Tools
Fierce: enumerate the domain (company.com). Found several hosts, the most interesting: test.company.com
Nmap: look for open ports. Found an open HTTP service on 8080
Nikto: scan the HTTP service. Found interesting directory /admin
Dirbuster: bruteforce the directory. Found /admin/secret/
Programming Language
Sounds like Earl, but starts with a “P”: the programming language is Perl
The following are NOT programming languages: PERL, perl, Pearl
Cross platform
Built for scripting and object orientation
Libraries = modules
Load a module: use My::Module;
Docs: perldoc perl, perldoc My::Module
Fierce (Network Reconnaissance tool)
Enumerate non-contiguous address space
Version 1.0 built by RSnake
Version 2.0 re-written by Jabra
Techniques in version 2:
Find NS, MX records, reverse lookups + wildcards
Improved zone transfer testing for all DNS servers
New method of enumeration for prefixes, extensions and subdomains (ask me if you are curious)
New virtual host detection
Improved range enumeration based on subnet (PTR name)
New ARIN, APNIC, etc. enumeration...
Zone Transfer, who has that enabled?.....
Ns1.secure.net Ns2.secure.net
Fierce (Network Reconnaissance tool)
Example Usage of the Perl Modules
Setup Phase
The rest of the talk will be all code! Loading the following modules:
use Nikto::Parser;
use Dirbuster::Parser;
use Sslscan::Parser;
use Fierce::Parser;
use Burpsuite::Parser;
Setup Phase
Creating parser objects:
my $np = Nikto::Parser->new;
my $dp = Dirbuster::Parser->new;
my $sp = Sslscan::Parser->new;
my $fp = Fierce::Parser->new;
my $bp = Burpsuite::Parser->new;
Fierce::Parser
# $fp is the Fierce::Parser object created in the setup phase (the slide used $np, the Nikto parser, by mistake)
my $parser = $fp->parse_file('google.xml');
# look the domain up on the parsed result, as the other parsers do
my $node   = $parser->get_node('google.com');
my $bf     = $node->bruteforce;
print "Prefix Bruteforce:\n";
foreach my $n ( $bf->nodes ) {
    print "Hostname:\t" . $n->hostname . "\n";
    print "IP:\t\t" . $n->ip . "\n";
}
Dirbuster::Parser
my $parser  = $dp->parse_file('dirbuster.xml');
my @results = $parser->get_all_results();
print "Directories:\n";
foreach (@results) {
    print "Path: "     . $_->path . "\n";
    print "Type: "     . $_->type . "\n";
    print "Response: " . $_->response_code . "\n";
}
Burpsuite::Parser
my $parser = $bp->parse_file('burpsuite.xml');
my @issues = $parser->get_all_issues();
foreach (@issues) {
    print $_->name . "\n";
    print "Severity: " . $_->severity . "\n\n";
    print "Description:\n" . $_->issue_background . "\n";
    print "Proof of Concept:\n" . $_->issue_detail . "\n";
    print "Recommendation:\n";
    print $_->remediation_background . "\n";
}
Sslscan::Parser
Options for usage:
Parse XML output
Scan and parse XML inline
Sslscan::Parser
my $parser = $sp->parse_file('domain.xml');
my $host   = $parser->get_host('domain.com');
my $port   = $host->get_port('443');
# only the ciphers the server actually accepted
foreach my $i ( grep { $_->status =~ /accepted/ } @{ $port->ciphers } ) {
    print "sslversion " . $i->sslversion . "\n";
    print "cipher "     . $i->cipher . "\n";
    print "bits "       . $i->bits . "\n";
}
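Listing every accepted cipher is the raw data; what goes in the report is which of them are weak. The following is an added example, not code from the talk or from Sslscan::Parser: it takes records with the same three fields the slide reads (sslversion, cipher, bits), flags SSLv2, export-grade, NULL and short-key ciphers, and groups them by reason so each issue appears once. The cipher records are constructed sample data; with the real module you would build them from the grep over $port->ciphers shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: one record per cipher reported as accepted, using the
# same fields the slide reads from the Sslscan::Parser cipher objects.
# Hypothetical data, not real scan output.
my @accepted = (
    { sslversion => 'SSLv2', cipher => 'DES-CBC3-MD5', bits => 168 },
    { sslversion => 'SSLv3', cipher => 'EXP-RC4-MD5',  bits => 40  },
    { sslversion => 'TLSv1', cipher => 'RC4-SHA',      bits => 128 },
    { sslversion => 'TLSv1', cipher => 'AES256-SHA',   bits => 256 },
    { sslversion => 'TLSv1', cipher => 'NULL-SHA',     bits => 0   },
);

# Classify one accepted cipher. Returns the list of reasons it should be
# reported; an empty list means it looks acceptable.
sub weak_cipher_reasons {
    my ($c) = @_;
    my @reasons;
    push @reasons, 'SSLv2 enabled'        if $c->{sslversion} eq 'SSLv2';
    push @reasons, 'export-grade cipher'  if $c->{cipher} =~ /^EXP-/;
    push @reasons, 'NULL (no encryption)' if $c->{cipher} =~ /NULL/;
    push @reasons, 'key length below 128' if $c->{bits} < 128;
    return @reasons;
}

# Group findings by reason so the report lists each issue once, with the
# ciphers that trigger it, rather than one line per cipher.
sub group_findings {
    my (@ciphers) = @_;
    my %by_reason;
    for my $c (@ciphers) {
        for my $r ( weak_cipher_reasons($c) ) {
            push @{ $by_reason{$r} },
                "$c->{sslversion} $c->{cipher} ($c->{bits} bits)";
        }
    }
    return \%by_reason;
}

my $findings = group_findings(@accepted);
for my $reason ( sort keys %$findings ) {
    print "$reason:\n";
    print "  $_\n" for @{ $findings->{$reason} };
}
```

The thresholds here are deliberately simple; a real assessment would pull the accepted list per host and port from the parser and extend weak_cipher_reasons with whatever the engagement's policy defines as weak.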
Nikto::Parser
Options for usage:
Scan and save XML for parsing later
Scan and parse XML inline
Nikto::Parser
my $parser = $np->parse_file('nikto.xml');
my $h = $parser->get_host('127.0.0.1');
my $p = $h->get_port('80');
print "Target is: " . $h->ip . ":" . $p->port . "\n";
print "Banner is: " . $p->banner . "\n\n";
foreach my $v ( @{ $p->get_all_items() } ) {
    print $v->description . "\n\n";
}
Summary
Extracting Data for Reporting and/or Correlation
Automated Testing: Recon, Port Scan, Vulnerability Scan
Central Storage Engine: Correlation, Reporting, View/Modify/Delete Data
Manual Testing: Context Based, Focus Driven
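The central storage engine in this summary is where the parsed output of the individual tools meets. The following is an added example, not code from the talk or any of the modules, of the smallest version of such a store: one record per host, each tool adding the fields the earlier slides read from its parser (hostname and IP from Fierce, open port and banner from a port scan, items from Nikto, path and response code from Dirbuster), plus a correlation rule that marks a port for manual review when more than one tool reported something on it. All input records are constructed sample data following the tool flow earlier in the deck; the function names and the %store layout are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Central storage: one record per host, keyed by hostname, holding what each
# tool contributed. Layout is this example's own, not any module's API.
my %store;

sub add_recon {                 # from Fierce: hostname -> ip
    my ($host, $ip) = @_;
    $store{$host}{ip} = $ip;
}

sub add_port {                  # from a port scan: open port + banner
    my ($host, $port, $banner) = @_;
    $store{$host}{ports}{$port}{banner} = $banner;
}

sub add_vuln {                  # from Nikto: item descriptions on a port
    my ($host, $port, $desc) = @_;
    push @{ $store{$host}{ports}{$port}{items} }, $desc;
}

sub add_path {                  # from Dirbuster: discovered path + response code
    my ($host, $port, $path, $code) = @_;
    $store{$host}{ports}{$port}{paths}{$path} = $code;
}

# Correlation rule: a port needs a human when more than one tool reported
# something on it (e.g. a Nikto item plus a brute-forced directory).
sub needs_manual_review {
    my ($host, $port) = @_;
    my $p = $store{$host}{ports}{$port} or return 0;
    my $sources = 0;
    $sources++ if $p->{items} && @{ $p->{items} };
    $sources++ if $p->{paths} && %{ $p->{paths} };
    return $sources > 1 ? 1 : 0;
}

# Reporting: walk the store host by host, port by port.
sub report {
    for my $host ( sort keys %store ) {
        print "$host ($store{$host}{ip})\n";
        for my $port ( sort { $a <=> $b } keys %{ $store{$host}{ports} || {} } ) {
            my $p = $store{$host}{ports}{$port};
            print "  $port: ", $p->{banner} // 'no banner', "\n";
            print "    nikto: $_\n" for @{ $p->{items} || [] };
            print "    path: $_ ($p->{paths}{$_})\n" for sort keys %{ $p->{paths} || {} };
            print "    => manual review\n" if needs_manual_review($host, $port);
        }
    }
}

# Constructed sample records following the tool flow earlier in the deck
# (hypothetical hosts and addresses).
add_recon('test.company.com', '10.0.0.5');
add_port('test.company.com', 8080, 'Apache-Coyote/1.1');
add_vuln('test.company.com', 8080, '/admin/: Admin login page found.');
add_path('test.company.com', 8080, '/admin/secret/', 200);
add_recon('www.company.com', '10.0.0.4');
add_port('www.company.com', 80, 'Apache');
report();
```

In practice each add_* call would sit inside a loop over a parser's results (the foreach blocks on the earlier slides), and the store would be persisted rather than kept in memory, so that the View/Modify/Delete step can happen between the automated and manual phases.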
Encourage developers to build tools with XML and APIs
Contact Information
Joshua “Jabra” Abraham [email protected] [email protected]
Updated slides will be online this weekend: http://spl0it.wordpress.com http://blog.rapid7.com
Code online! http://trac.assembla.com/fierce http://search.cpan.org/~jabra/ (comments, suggestions and patches welcome!)
Fierce::Parser
Dirbuster::Parser
Burpsuite::Parser
Sslscan::Parser
Nikto::Parser