
Gone in 60 minutes


Presentation Transcript


  1. Gone in 60 minutes A Practical Approach to Hacking an Enterprise with YASUO Saurabh Harit {@0xsauby} Stephen Hall {@_stephen_h}

  2. root@msf:~$>getuid • Saurabh Harit (@0xsauby) • Director of Security Research @Security Compass • Pentester i.e. Domain Admin at many companies • Have a secret crush on reverse engineering • Gym freak / Proud father of two beautiful dogs • Stephen Hall (@_stephen_h) • Security Consultant @Security Compass • … • … • Owner of a Christmas hat

  3. What this talk is not about No 0-days No Shells

  4. Scenario • You’re on a red-team engagement • You’ve bypassed physical security • You’ve bypassed NAC • What next? How would you pwn the network? • Vulnerability scanner?

  5. The Problem • Can’t use a network vulnerability scanner • Have to be stealthy & quick • Can’t use Google dorks (internal network) • site, link, inurl

  6. Where do $hells come from? It’s not about what, it’s about WHERE

  7. Popular Vulnerable Apps Apache Tomcat

  8. Popular Vulnerable Apps JBoss jmx-console

  9. Popular Vulnerable Apps Hudson Jenkins

  10. $hells

  11. Not So Popular Vulnerable Apps ADManager Plus

  12. Not So Popular Vulnerable Apps ADManager Plus

  13. Not So Popular Vulnerable Apps Cyberoam UTM

  14. Not So Popular Vulnerable Apps Cyberoam UTM

  15. YASUO what??? • Written in ruby • Did not write it on our flight here • Scans the network for vulnerable applications • Currently supports around 100+ vulnerable applications • All currently supported apps are Metasploit-able

  16. Why Yasuo Because there are tons of vulnerable applications and it’s not easy to find them

  17. World Without Automation • Run an nmap scan & manually poke each & every web port This CANNOT be fun

  18. What’s currently out there • Nikto by Chris Sullo • https://www.cirt.net/Nikto2 • Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls • http://nmap.org/nsedoc/scripts/http-enum.html • Nmap script – http-default-accounts.nse by Paulino Calderon • https://www.nmap.org/nmap-exp/calderon/scripts/http-default-accounts.nse

  19. Exploring Yasuo

  20. Exploring Yasuo

  21. What’s in the Box • yasuo.rb • resp200.rb • default-path.csv • users.txt • pass.txt • GPL

  22. What’s in the Box

  23. Behind the Scenes • Detects false-positives • Automatically extracts login form • Automatically extracts login parameters

  24. What’s New

  25. RaNdOmIzAtIoN!!! • More robust check to detect false positives • Properly formatted output table • More application signatures • Signatures for IP Cameras / Encoder / Decoders • Modular & Cleaned-up Code – if there is any such thing

  26. Demo Time

  27. Challenges • Exploit-db – great resource but inconsistent format

  28. Challenges • Dynamic detection of login page and parameters is regex based.
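As an added example (not Yasuo's own code), this is the kind of regex-based login-form extraction that slides 23 and 28 describe, written in Ruby like the tool, together with one way a pure-regex approach produces a false positive (a commented-out form) and the pre-filtering that avoids it. Both HTML pages are constructed samples.

```ruby
# Added example, not Yasuo's own code: regex-based login-form extraction,
# the approach slides 23 and 28 describe, with one failure mode and its fix.

# Constructed sample of a typical Java admin-console login page.
LOGIN_HTML = <<~HTML
  <html><body>
  <form id="login" action="/admin/j_security_check" method="post">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="hidden" name="csrf" value="placeholder-token">
    <input type="submit" value="Sign in">
  </form>
  </body></html>
HTML

# Constructed page whose only <form> is commented out: a naive regex still
# "finds" a login form here, which is exactly the false-positive problem.
COMMENTED_HTML = <<~HTML
  <html><body><p>Service disabled.</p>
  <!-- <form action="/old-login" method="post">
       <input type="password" name="pw"></form> -->
  </body></html>
HTML

# Pull one attribute value (quoted or bare) out of a tag fragment.
ATTR = ->(src, name) { src[/\b#{name}\s*=\s*["']?([^"'\s>]+)/i, 1] }

# Returns {action:, method:, inputs:} for the first form that carries a
# password field, or nil when there is none. strip_comments: true removes
# <!-- ... --> blocks before matching so stale markup is not reported.
def extract_login_form(html, strip_comments: true)
  html = html.gsub(/<!--.*?-->/m, "") if strip_comments
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).each do |attrs, body|
    inputs = body.scan(/<input\b[^>]*>/i)
    next unless inputs.any? { |i| ATTR.call(i, "type").to_s.casecmp?("password") }
    return { action: ATTR.call(attrs, "action"),
             method: (ATTR.call(attrs, "method") || "get").downcase,
             inputs: inputs.map { |i| ATTR.call(i, "name") }.compact }
  end
  nil
end
```

Forms built client-side by JavaScript, or split across frames, are still invisible to this approach, which is the limitation the slide points at.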

  29. Future Development • Smarter version detection • Support masscan output format (because y’all love to scan the Interwebs) • Add support for more vulnerable applications, of course • Add secondary signature • Make current crappy code modular • Add multi-threading • Add support for vFeed??? • Change format of default path file – CSV to YAML? or JSON?

  30. CFH (cry for help) • Signatures Signatures Signatures & Signatures • Please submit application signatures: • Post a comment on Github • Update default path file on Github • Drop us an Email • Send a Pigeon.

  31. Questions??? or not

  32. Thank You! https://github.com/0xsauby/yasuo 0xsauby saurabh.harit@gmail.com | _stephen_h perfectlylogical@gmail.com

  33. Credit • Nmap ruby library - https://github.com/sophsec/ruby-nmap • The Exploit Database (EDB) - http://www.exploit-db.com/ • @funkaoshi • Google Image Cache
