perl usage in security and penetration testing
Croatian Perl Workshop 2008
USAGE OF PERL IN PENETRATION TESTINGS
Vlatko Kosturjak, CISSP, CEH, MBCI, LPI, ... / IBM / HULK / Zagreb.pm / kost monkey linux dot hr
Perl usage in security
Usage of Perl in security
every day
log parsing, system hardening, system monitoring, ...
in forensics
log/evidence parsing/analyzing
in penetration tests
network layer testing
application layer testing
web application testing
buffer overflow helpers
fuzzing
implementing Proof of Concepts (PoC)
Perl in Security World
Monitoring
mon, nagios, ...
nodewatch, syswatch, ...
Sherpa
system security configuration tool
File Integrity checkers (think: tripwire)
ViperDB, Fcheck, Triplight, ...
Honeypots
rsucker, honeydsum, mydoom.pl, ...
...
Perl in Penetration World
Nikto
web vulnerability scanner
Metasploit >= 3.0 in Ruby
Fuzzled - fuzzing framework
snoopy
simple SNMP security scanner
NSS, dnswalk, snark (MiTM), ...
...
Simple TCP portscanner
perl -MIO::Socket -e 'for($i=1;$i<1024;$i++){ if($s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close($s); } } print "\n";'
(the upper port bound was lost when the slide text was extracted; 1024 is assumed here)
Yes, I do Perl golfing....
You can too - try to shorten this if you dare :)
whitespace optimization excluded
Simple TCP portscanner
perl -MIO::Socket -e 'for($i=1;$i<1024;$i++){ if($s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto=>"tcp")) { print "$i "; close($s); } } print "\n";' localhost
(upper port bound lost in extraction; 1024 assumed)
Example of running the port scanner one-liner:
Generating custom packets
#!/usr/bin/perl
use strict;
use warnings;
use Net::RawIP;

# Build an ICMP packet; the hashref selects which protocol layers are present.
my $raw_net = Net::RawIP->new({ icmp => {} });
$raw_net->set(
    {
        ip => {
            saddr => '192.168.1.1',    # source address is whatever we put here (spoofed)
            daddr => '192.168.1.15',
        },
        icmp => {
            type => 8,                 # echo request
            data => "41414141414141414141414141414141",
        },
    }
);
# send($delay, $times): 1000 copies, one second apart (needs raw socket privileges)
$raw_net->send(1, 1000);
Example of generating spoofed ICMP packet
Generating custom protocol testers
You can layer up what you have...
CPAN modules for almost every protocol
It even has modules for really rare and old ones
Perl is an old language, you know... :)
Even for SSL based ones
...and then write the part which is custom
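The "layer up what you have" idea in practice, as an added example that is not code from the talk: the golfed port scanner above, rebuilt with IO::Socket::INET and IO::Select so that every connection has a timeout (the one-liner has none and hangs on filtered ports), with an optional protocol probe per port and the banner read back. The probe strings are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the talk: the one-liner above layered up into
# a small checker that connects with a timeout, optionally sends a protocol
# probe, and reads back a banner. The probe strings are assumptions.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# Per-port probes (illustrative). Ports missing here are just listened on,
# which is what SMTP/FTP/SSH-style "server talks first" protocols need.
my %probe = (
    80  => "HEAD / HTTP/1.0\r\n\r\n",
    443 => "",   # TLS: IO::Socket::SSL would be layered in here
);

# Returns undef for closed/filtered, otherwise the (possibly empty) banner
# read within $timeout seconds.
sub check_port {
    my ($host, $port, $timeout) = @_;
    $timeout = 2 unless defined $timeout;
    my $s = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $timeout,   # the golfed one-liner has none and hangs on filtered ports
    ) or return undef;
    $s->autoflush(1);
    print $s $probe{$port} if defined $probe{$port} && length $probe{$port};

    my $banner = '';
    if (IO::Select->new($s)->can_read($timeout)) {
        my $n = sysread($s, $banner, 1024);
        $banner = '' unless defined $n;
    }
    close $s;
    $banner =~ s/[^[:print:]]/./g;   # never echo raw control bytes to the terminal
    return $banner;
}

my ($host, @ports) = @ARGV;
die "usage: $0 host port [port ...]\n" unless defined $host && @ports;
for my $port (@ports) {
    my $banner = check_port($host, $port);
    printf "%5d %-6s %s\n", $port, defined $banner ? 'open' : 'closed',
        defined $banner ? $banner : '';
}
```

Run as `./checker.pl localhost 22 80 443`; the custom part of a protocol tester is whatever replaces the probe table and the single sysread.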
Easy MiTM
ssl_proxy.pl
MiTM Proof of concept
not working well
Wrote MiTM for
socket
HTTP
HTTPS
I'll put it somewhere on the web eventually,
mail me if you need it quicker! :)
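A plain-TCP version of the "MiTM for socket" idea, as an added example that is not the talk's ssl_proxy.pl: a relay that listens on localhost, connects onward to the real server, shuttles bytes both ways with IO::Select and hex-dumps each direction, so a custom protocol can be inspected during a test. Listening address, port arguments and the dump format are choices made here.

```perl
#!/usr/bin/perl
# Added example (not the talk's ssl_proxy.pl): a plain-TCP relay that sits
# between a client and a server and logs both directions as hex dumps.
# It binds to 127.0.0.1 only, so nothing else on the network can use it.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

my ($listen_port, $target_host, $target_port) = @ARGV;
die "usage: $0 listen_port target_host target_port\n" unless defined $target_port;

# xxd-style dump, 16 bytes per line, so binary protocols stay readable.
sub hexdump {
    my ($label, $data) = @_;
    for (my $off = 0; $off < length $data; $off += 16) {
        my $chunk = substr($data, $off, 16);
        (my $ascii = $chunk) =~ s/[^[:print:]]/./g;
        printf "%s %04x  %-48s %s\n", $label, $off,
            join(' ', map { sprintf '%02x', ord } split //, $chunk), $ascii;
    }
}

my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', LocalPort => $listen_port,
    Proto => 'tcp', Listen => 5, ReuseAddr => 1,
) or die "listen: $!";
print "relaying 127.0.0.1:$listen_port -> $target_host:$target_port\n";

while (my $client = $listener->accept) {
    my $server = IO::Socket::INET->new(
        PeerAddr => $target_host, PeerPort => $target_port,
        Proto => 'tcp', Timeout => 5,
    ) or do { warn "connect to target failed: $!\n"; close $client; next };

    # Shuttle bytes in both directions until either side closes.
    my $sel = IO::Select->new($client, $server);
    SESSION: while (my @ready = $sel->can_read) {
        for my $fh (@ready) {
            my $n = sysread($fh, my $buf, 4096);
            last SESSION unless $n;          # EOF or error on either side
            my $from_client = $fh->fileno == $client->fileno;
            my $to = $from_client ? $server : $client;
            hexdump($from_client ? 'C>S' : 'S>C', $buf);
            # $buf can be altered here before forwarding; that is where the
            # talk's MiTM fuzzer hooks in
            syswrite($to, $buf) or last SESSION;
        }
    }
    close $client;
    close $server;
}
```

One connection is handled at a time, which is enough for stepping through a protocol by hand; the HTTPS variant wraps both sockets with IO::Socket::SSL and needs a certificate the test client is willing to trust.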
Buffer overflow helpers
not a common vulnerability in Perl
from theory to practice
from discovery to exploitation
some of the methods (not only for buffer overflows...)
analyzing source
analyzing machine code
fuzzing
reverse engineering patches
...
Generating vulnerable inputs
mostly one-liners to check the buffer length of a vulnerable program
on command line
./vuln vulnbuf `perl -e 'print "A"x1000'`
environment
export VULNENV=`perl -e 'print "A"x1000'`
./vuln
network protocol
perl -e 'print "GET /"."A"x1000; print " HTTP/1.0\r\n\r\n"' | nc www.vuln.host 80
Writing exploits with Perl
Metasploit helper (< 3.0 in Perl)
Youtube video ripper - oneliner
perl -MWWW::Mechanize -e '$m=WWW::Mechanize->new; $y="http://www.youtube.com"; $i=$ARGV[0]; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")' VIDEO_ID
(the start of the one-liner was lost in extraction; the module load and the $y/$i setup are reconstructed from the rest)
author: Peteris Krumins
Web services vulnerabilities
XML
XML::Simple
LibXML
SOAP
SOAP::Lite
XML RPC
RPC::XML
Custom protocol
no problem :)
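The XML side of the web services list, as an added example that is not code from the talk: XML::LibXML handed a constructed document whose DTD declares an external entity pointing at a local file, once with a default parser and once with external DTD loading, entity expansion and network access switched off. The temp file, the document and the option set are this example's own; which of the two parses actually pulls the file in depends on the XML::LibXML and libxml2 versions installed, which is exactly why the hardened parser should be the one used for untrusted input.

```perl
#!/usr/bin/perl
# Added example (not from the talk): parsing untrusted XML with XML::LibXML
# with external entity loading switched off. The document below is constructed
# and declares an external entity that points at a local temp file.
use strict;
use warnings;
use XML::LibXML;
use File::Temp qw(tempfile);

# A file standing in for something a request should never be able to read.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print $fh "this-should-not-leak\n";
close $fh;

my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file://$secret_path"> ]>
<order><item>widget</item><note>&ext;</note></order>
XML

# Returns the text of <note> as the given parser sees it, or the parse error.
sub note_text {
    my ($parser, $doc_text) = @_;
    my $doc = eval { $parser->parse_string($doc_text) };
    return "parse error: $@" unless $doc;
    my ($note) = $doc->findnodes('//note');
    return $note->textContent;
}

my $default  = XML::LibXML->new;
my $hardened = XML::LibXML->new(
    load_ext_dtd    => 0,   # never fetch an external DTD
    expand_entities => 0,   # leave entity references unexpanded
    no_network      => 1,   # no http:// or ftp:// fetches even if something slips through
    huge            => 0,   # keep libxml2's size limits (entity expansion bombs)
);

print "default : [", note_text($default,  $xml), "]\n";
print "hardened: [", note_text($hardened, $xml), "]\n";
```

The hardened parser should leave the note empty; if the default line prints the temp file's content on your installation, every SOAP::Lite or RPC::XML endpoint built on a default parser deserves the same options.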
Example of custom fuzzing
Example of custom fuzzing 2
Perl script doing MiTM, fuzzing each request and response between client and server
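Both the "generating vulnerable inputs" one-liners and the custom fuzzing slides come down to the same loop: build an input, hand it to the target, notice when it dies. As an added example that is not code from the talk, a harness that produces the growing "A" buffers above plus seeded random byte mutations, runs a target with each input as its last argument or in the VULNENV variable, and records every run killed by a signal. When no target is given it drives a constructed Perl one-liner that signals itself on inputs longer than 300 bytes, so the harness can be tried without a vulnerable binary; the generator parameters and file names are this example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the talk: a harness that produces the kinds of
# input the one-liners above build by hand (growing "A" buffers) plus random
# byte mutations, feeds each one to a target as its last argument or through
# an environment variable, and records every run that died from a signal.
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG);

# "A" x $step, "A" x 2*$step, ... up to $max: the classic buffer length sweep.
sub length_ramp {
    my ($step, $max) = @_;
    return map { 'A' x ($_ * $step) } 1 .. int($max / $step);
}

# Random mutations of a seed: flip a bit, insert a long run, drop a few bytes.
# srand($rand_seed) makes the sequence reproducible, so a crash can be replayed.
sub mutate {
    my ($seed, $count, $rand_seed) = @_;
    srand($rand_seed);
    my @cases;
    for (1 .. $count) {
        my $s   = $seed;
        my $op  = int rand 3;
        my $pos = int rand length $s;
        if    ($op == 0) { substr($s, $pos, 1) = chr(ord(substr($s, $pos, 1)) ^ (1 << int rand 8)) }
        elsif ($op == 1) { substr($s, $pos, 0) = chr(0x41 + int rand 26) x (1 + int rand 2000) }
        else             { substr($s, $pos, 1 + int rand 8) = '' }
        push @cases, $s;
    }
    return @cases;
}

# Run @cmd with $input as the last argv element ('arg') or in $ENV{VULNENV}
# ('env'). Returns the signal that killed the child, or 0 for a normal exit.
sub run_case {
    my ($mode, $input, @cmd) = @_;
    local $ENV{VULNENV} = $input if $mode eq 'env';
    push @cmd, $input if $mode eq 'arg';
    my $pid = fork;
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        open STDOUT, '>', '/dev/null';
        open STDERR, '>', '/dev/null';
        exec { $cmd[0] } @cmd;   # list form: no shell, so the input is never re-parsed
        exit 127;
    }
    waitpid($pid, 0);
    return WIFSIGNALED($?) ? WTERMSIG($?) : 0;
}

# Demo target when none is given: a Perl one-liner standing in for ./vuln that
# sends SIGSEGV to itself once its argument exceeds 300 bytes (constructed, not
# a real bug). Pass your own program instead: ./harness.pl ./vuln vulnbuf
my @target = @ARGV ? @ARGV
                   : ($^X, '-e', 'kill "SEGV", $$ if length($ARGV[0] || "") > 300');

my $crashes = 0;
for my $case (length_ramp(100, 1000), mutate('GET /index.html HTTP/1.0', 20, 1)) {
    my $sig = run_case('arg', $case, @target);
    printf "len=%5d %s\n", length $case, $sig ? "died with signal $sig" : 'ok';
    next unless $sig;
    # keep the exact bytes so the crash can be reproduced later
    open my $out, '>', sprintf('crash_%02d.bin', ++$crashes) or die "crash file: $!";
    print $out $case;
    close $out;
}
print "$crashes crashing input(s) recorded\n";
```

The network case from the slides is the same loop with the sysread/syswrite pair from a socket in place of fork and exec; a watchdog on the service (or its log) then plays the role of the wait status.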
Conclusion
You don't want to write vulnerable security programs to test other vulnerabilities
You have Encase case ;)
or fakebo :))
It's hard to write a vulnerable program in Perl
at least buffer overflow vulnerable
there's still input validation (taint?)
You don't want to spend months writing proof of concept (PoC)
don't use a low level language :)
except if you're learning... or ..whatever :)
use high level language like Perl
References
http://www.sans.org
http://securityfocus.com
http://net-security.org
http://packetstormsecurity.nl/
http://www.softpanorama.org/Security/perl_sec_scripts.shtml
http://metasploit.org
http://www.cirt.net/nikto2
http://www.ioactive.com/tools.html
http://www.l0t3k.org/security/tools/honeypot/
http://www.catonmat.net/blog/
...
Questions (and maybe answers)?