Ruby for Pentesters:
The Workshop
Timur Duehr, Cory Scott, Mike Tracy
ruby for pentesters
agenda
1415: Introductions
1420: The 20 minute tour of Ruby
1440: Blackbag
1445: Webby Blackbag
1500: Protocol Blackbag
1515: Break
1530: Fuzzing and Redis
1550: Ragweed: Part 1
1610: Ragweed: Part 2
1630: Coffee Service
1700: Making Burp better with Buby
1715: JRuby
1725: FFI
Setup
Ruby in 20 Minutes
Stuff we like
Gems and packages
Nokogiri
eventmachine
rbkb
ragweed
Nerve
Buby
lots of others
Stuff we use
Metasploit
ronin
watir
whatweb
Arachni
Lab: The basics
Ruby basics
Ruby Blackbag (rbkb)
Do less typing
plugboards
encoders / decoders
utilities
Command line tools
Object mixins
The same stuff but for scripts and IRB
Lab: rbkb
IRB + rbkb
Scripted Webby Stuff
What do we need to script a webapp?
Transport
Parsing
Encoding / Decoding
Lab: Simple SQLi scanner
Curb, Nokogiri, rbkb
Protocol Reversing w/ Blackbag
General protocol approach
Establish the flow
Observe it
Understand it
Manipulate it
demo: when all you have is pcap...
FeedImport
demo: the blackbag flow
binary / protocol analysis
rbkb - Matasano's ruby black bag
Protocol Analysis: MITM: Blit, Telson, PlugSrv
Structure Creation with BinData
Extracting payloads with FeedImport
(diagram: Real Client - Plugsrv - Real Server, with Telson and Blit)
Download all of the content at: http://bit.ly/baythreat
exercise: tcp protocol lab
Get in the middle
Observe and replay
Manipulate
Exploit
exercise: build protocol structures
BinData
demo: eventmachine and UDP
event loops
manipulate dns
demo: TLS tricks
TLS MITM & self-signed certs
SSL version scanning
Fuzzing
the what
smart
Protocol Aware
User Aware
Session Aware
Error State Aware
dumb
Bit Flipping
Boundary Trampling
Switch-a-roo
Random random everywhere
the why
memory corruption
unexpected behavior
access control test
crypto analysis
parsers
demo: generator patterns
DFuzz + BinData
demo: the harder stuff
instrumentation
process control
binning
intro to redis
redis-server
redis object
redis data types
strings, lists, sets
key:value
push & pop
add & delete
set & get
lab: fuzzing with redis
grab your structs
mutate & send
store in redis
query
Ragweed: Instrumentation & Getting Started
Fuzzing
runtime changes
Why a scriptable debugger?
Hit tracing
less clicking
What do we script?
Events
sigtrap
sigterm
event_fork
Actions
get registers
set breakpoints
manipulate memory
How?
IDA
objdump
runtime calls
memory locations
inspection/manipulation
get_registers
set_registers
shared_libraries
read
write
The target
in_circle
out_circle
Demo: arguments and registers
reading memory
getting registers
Exercise: function arguments
SSL_write
SSL_read
read SSL requests that our client is making
Walkthrough: function arguments
int SSL_read(SSL *ssl, void *buf, int num);
int SSL_write(SSL *ssl, const void *buf, int num);
Ragweed:Hit Tracing and in Memory Fuzzing
What do we mean by that?
Tracking function calls and logic flow
Modifying memory locations as the program runs
Automate this!
accounting
breakpoints
Hash
CSV
IPC
Redis
CSV
Nerve
metaprogramming
Exercise: Break stuff!
in memory fuzzing
read arguments
write new arguments
hit tracing
output function hit
track order and count
Ragweed: the intermission
Recap
in memory fuzzing
hit tracing
screenshot TBA
Burp + JRuby = Buby
buby is your friend
Extend with modules
Inline extraction
Inline manipulation
Access Burp data
Extend it
Proxy History
Repeater
Intruder
Scan Results
Lab: CookieMonster
Grab and decode all cookies
evt_http_message: fires when an HTTP message is received
IHttpRequestResponse: Extender object
#response_headers: Buby convenience method
Lab: CookieMunger
Modify cookie values inline
evt_http_message
IHttpRequestResponse
#get_request
#request=
Automatically:
Grab the request
Modify the cookie
Forward the request
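As an added example (not code from the workshop), the two cookie labs in plain Ruby: the decode step of CookieMonster and the rewrite step of CookieMunger, run over constructed header lines instead of the IHttpRequestResponse object Buby hands an extension. The sample headers, the set of encodings tried and the munge_cookie helper are assumptions; inside Buby the same functions would be called from evt_http_message.

```ruby
require 'base64'
require 'uri'

# Constructed sample: response header lines in the shape Burp exposes
# to an extension (one header per array element). Not captured traffic.
SAMPLE_RESPONSE_HEADERS = [
  'HTTP/1.1 200 OK',
  'Set-Cookie: session=dXNlcj1hbGljZTtyb2xlPXVzZXI=; Path=/; HttpOnly',
  'Set-Cookie: track=48656c6c6f; Path=/',
  'Set-Cookie: pref=lang%3Den%3Btz%3DUTC; Path=/',
  'Content-Type: text/html'
].freeze

# CookieMonster step 1: collect name => raw value from every Set-Cookie header.
def extract_cookies(headers)
  headers.each_with_object({}) do |line, cookies|
    next unless line =~ /\ASet-Cookie:\s*([^=;]+)=([^;]*)/i
    cookies[$1.strip] = $2
  end
end

def printable?(str)
  !str.empty? && str.bytes.all? { |b| b.between?(0x20, 0x7e) }
end

# CookieMonster step 2: try hex, then base64, then URL decoding and return
# [encoding, decoded]; values that decode to non-text are reported as 'raw'.
def decode_cookie(value)
  if value =~ /\A(?:[0-9a-f]{2})+\z/i
    dec = [value].pack('H*')
    return ['hex', dec] if printable?(dec)
  end
  if value =~ %r{\A[A-Za-z0-9+/]+={0,2}\z} && (value.length % 4).zero?
    dec = Base64.strict_decode64(value) rescue nil
    return ['base64', dec] if dec && printable?(dec)
  end
  if value.include?('%')
    dec = URI.decode_www_form_component(value)
    return ['urlencoded', dec] if dec != value
  end
  ['raw', value]
end

def decode_all_cookies(headers)
  extract_cookies(headers).transform_values { |v| decode_cookie(v) }
end

# CookieMunger: rewrite one cookie in a raw request before it is forwarded.
# Only the Cookie header is touched; the request line, the other headers
# and the body pass through byte-for-byte.
def munge_cookie(raw_request, name, new_value)
  head, body = raw_request.split("\r\n\r\n", 2)
  lines = head.split("\r\n").map do |line|
    next line unless line =~ /\ACookie:\s*(.*)\z/i
    pairs = $1.split(/;\s*/).map do |pair|
      k = pair.split('=', 2).first
      k == name ? "#{k}=#{new_value}" : pair
    end
    "Cookie: #{pairs.join('; ')}"
  end
  [lines.join("\r\n"), body].compact.join("\r\n\r\n")
end
```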
JRuby tricks
demo: extending our buby example
load jar
import objects
make pretty graphs
FFI: interfacing with C
No gem, no problem
rubypython, libusb, ffi-libc, ragweed, ffi-pcap, OpenCV-FFI
the actual list is unimportant
This is your C struct
This is your C struct on Ruby
Calling C functions
setup
call
definition
Exercise: execv
definition
a pointer
OK 1-2-3 GO!
Walkthrough: execv spoiler
Follow along with me