
I was hoping to get a drink to calm my nerves, but that's a total fail, so don't mind the shaking legs, and I won't be making any eye contact. We're going to talk about "Pwn in 60 Minutes", a practical approach to hacking an enterprise with Yasuo. This talk is going to be about speed-hacking your corporation when you are on a tight schedule or on a red team engagement, and about a tool we wrote two years ago to aid in this kind of stuff. I am Saurabh Harit, I'm Director of Security Research at Security Compass, and my day-to-day job is to do pen testing. That's what I do, and nothing else matters.

So I'm Stephen Hall, I work with Rob at Security Compass as well. You can see me wearing my Santa hat throughout the year. Other than that I won't go into much specifics, right? I mean, I don't look like a guy who would have holidays, so, just to set the record straight, we don't have no holidays. We won't be dropping any shells here.

So the scenario is that you're on a red team engagement, or you actually broke into a corporation. One of the requirements for a red team engagement is that you have to be kind of stealthy and quick if you want to do your job right. Another assumption is that you've bypassed physical security. How many of you have revolving doors? I mean, if the doors are not revolving, it's not secure. What if they always revolve? You can make them revolt. It's not the right way to do it. And you've bypassed NAC. We have seen some clients that implement network access control. NAC is going to be out of scope for this talk, but from my own experience, the best thing to do if it's a big company is just look for unprotected NAC ports, and if you see a router hanging from the roof, lying on the ground, that should give you access.

So what next? Your goal obviously is to get the keys to the kingdom: get access to maximum data, maximum importance, enterprise admin, domain admin, mainframe, whatever. So how are you going to go about it? Because running a generic vulnerability scanner may not be the best idea, because it just lights up all the network security devices like a Christmas tree. So the problem is that we can't use network vulnerability scanners, we have to be stealthy and quick because security is on our ass. We can't use Google dorks. When you're doing external security assessments you can use Google dorks like site: and inurl: that can give you some information too; when you're on an internal network you can't do that. A guy I used to work with, Roelof Temmingh from Paterva, the guy who wrote Maltego, always used to say that it's not about what, it's about where, and I think the gist of the message is that it's not the 1980s anymore. No matter how much we moan, security devices are getting better. If you look at firewalls, IDS, IPS, they're getting smarter; there's a lot of awareness in the community. So you won't find network admins that configure these devices in a pathetic manner. So if you're dealing with someone who knows how to do his job, it becomes very difficult to get around those things.

So the trick is to find that one server, one application, that can give you access, and unfortunately once you do have access it becomes very easy to pivot from system to system and escalate your privileges. So some of the easy ways that you get that shell: Tomcat. Who doesn't love Tomcat? Who also doesn't love JBoss, because they're both the same. You upload either a Meterpreter shell, if you want to make that much noise, or a lightweight JSP shell. There's also Hudson/Jenkins, which is a build automation tool, and they were nice enough to give you an easy way to pop the box: the two highlighted links are just links you click and you can run Java Groovy, typically unauthenticated. So they were nice enough that you didn't even need to upload the shell, just "here, take it". So the first window on the top is the Hudson/Jenkins script console, that you would just drop your Java Groovy scripting into and go. Sorry, the bottom one is the Laudanum script shell for either JBoss or Tomcat. Saurabh is going to speak about some more horrible fails that might not be known.

Every time someone says Hudson/Jenkins I see Paul O'Grady chuckle. And also, I strongly believe that if you're a pen tester you would have exploited Tomcat. I think it just installs itself on the network. I mean, it's well known that you can pwn it to gain access to the server, and we still find it in terms of numbers. And I'm pretty sure, even if it doesn't install itself on the network, it definitely reverts back to the default credentials once you configure it with the proper ones. Yeah, that's just me.

So these are some of the very popular applications. Like I said, if you're a pentester you probably would have exploited any of these applications, but how many of you have exploited ADManager Plus? Thank god, it's like everyone. So I was doing a pen test, actually I hadn't even started doing the pen test, I was in a kickoff meeting with the sales guys and the point of contact on the other side, and they were talking sales stuff, and I was already plugged into the network in the conference room, so I started trolling through the network, and I was lucky enough to find ADManager Plus. So it's a third-party product that allows you to integrate into Active Directory, and I guess they say that they allow easy management of users and roles through this product, and if it's configured with the default username and password, there you go, it's the fastest pwnage ever. During a kickoff meeting you become domain admin, because you can just add yourself as a domain admin user. Yeah, I didn't even know what to do for the next two weeks. Thankfully I had internet access there.

The other big fail I came across was a Cyberoam app. Fortunately, unfortunately, it's a security device, a UTM, unified threat management device. Again I was doing an external pen test, and it was one of those contests when you get like 10 or 12 IPs from the client and there's nothing running on eight of them. So I didn't have anything to do, I was about to give up, but I started looking at the very front end of the Cyberoam UTM, and so I came across two 0days that I reported. Never heard back from Cyberoam, so I just published them. That's what you do, right? You've got to become famous sometime. So the first one was that this thing had remote code execution. Again, when you install it, it's configured with a default username and password, it doesn't prompt you to change it, and there's remote code execution there. But the second vulnerability is much more interesting. This thing also integrates with Active Directory, and there's a test functionality, so there's a test button and you can click on it to see if it's connected to Active Directory or not. It's kind of a health check. Can anyone think what could go wrong here? You just right-click on the page and the credentials are there on the client side, for some reason no one knows, I think. So the other port that I found open, conveniently, was the VPN port. Due to the nature of the device, it's most likely configured with a high-privileged domain user, like a network administrator and so on and so forth. So yeah, since the credentials are client-side, you can just pull the credentials off the page and then connect to the VPN port. Domain admin again in the next two hours or so, and again you can go back to watching movies on Netflix.

So the point I'm trying to make is that Hudson/Jenkins and Tomcat may be the more popular applications that all of us exploit, so that got me curious, and we started looking at Exploit-DB. If you actually parse through Exploit-DB, you'll find that there are over twelve thousand unique entries that can allow you to compromise or pwn a server in a similar kind of manner, and that's where we started working on Yasuo. So I'll let Stephen talk about it now.

So, like he says, why did we write this? 12,000 entries on Exploit-DB. I can barely remember what I had for breakfast, much less that many ways to get a box. So we wrote this tool in Ruby. No, we didn't write it on our flight here; we didn't have a flight here, it was a long streetcar ride, so just as bad. What else? So it is not an application vulnerability scanner; it's an application that helps you identify vulnerable applications. So that's the big difference: it's not as noisy, it's not your WebInspect, it's not Burp, it's a totally different beast altogether. We support about 100 applications, which we identify by a pretty bad way right now, which is the unique URL that applications generate for themselves, and all of the applications right now are apps that Metasploit supports. So Yasuo will give you the Metasploit link, so you can just go use Metasploit, and if it is vulnerable to that, it lets you figure out it is there. He said, why did we write it? 12,000 entries. That just speaks for itself. Yeah, so these 12,000 entries are for remote web apps that are not XSS and CSRF; these are all exploits that are remote code execution, SQL injection, local file inclusion, remote file inclusion, all that fun stuff that gets you the shell in a world without automation. So easy a cat can do this now.

So what we did: we were on a client site one day and they're like, hey, scope's about 5,000, we want you to do your due diligence with Nessus. So we did. Took about 24 hours; everybody knew we were there. And they're like, all right, you've gone and done this, now we're just going to give you free rein to do whatever you want across about 60,000 IPs. 65,000, so a /16. And like, try to be as quiet as you can. All right, okay. So we ran Yasuo, so it took about two to three hours and we found 25 applications across the 65,000 hosts that we could pop and get admin, and we were done by the end of the day. So Nessus took 24 hours and we took eight to get domain admin from start to finish. This took 24 hours for 5,000 IPs? Yep, so 24 hours was for 5,000 and the two hours were for 65,000. And currently that's on a single thread, because we actually haven't quite figured out how to do multithreading yet.

So there are things out there: there's Nessus plugins, Nmap scripts, Nikto, but what they lack is that they don't help you identify vulnerabilities that you might be able to exploit. So they help you know that, hey, this is here, it might have these creds; but what Yasuo does is, it's like, this is here, it might have these creds, and if it's vulnerable you can use this to exploit it. So in my opinion Nessus won't even pick up 20 of these applications. In most cases it will tell you that, hey, there's this application on this IP, that's it, and it's configured with default credentials. It only picks up a very few applications and tells you that these applications are actually vulnerable to remote code execution.

So these are some of the search options that we provide with Yasuo. -f takes an Nmap output file in XML format, so if you don't want Yasuo to perform the port scan, you can do your own port scan and provide the file with the -f option. -r accepts an IP range or CIDR range, and it's pretty much the same format that Nmap takes. The rest of the options are kind of standard Nmap options: no ping, if you're on a filtered network then you can avoid pinging with -n; -p, you can provide all the port numbers; uppercase -D, it only scans all the default ports; so on and so forth. -b is interesting, because through -b you can brute force the applications that Yasuo finds. So in the end Yasuo will tell you that, hey, I found this application on this port and this is vulnerable to remote code execution or RFI or LFI, but this application also implements HTTP basic or form-based authentication. So if you choose to use the -b option, you can either brute force form-based authentication or HTTP basic authentication or all of them. So if you do just -b all, it'll brute force everything.

So I wanted to write a nice flowchart for Yasuo, like how the flow works and everything, and I was working on my laptop, trying to create a flowchart using those shady PowerPoint boxes, and my wife walked past me and she's like, yeah, that looks like a crappy flowchart. And I told her, so why don't you make it? And so she came up with this Tetris-style flowchart. I'm sorry if you can't read it, but I did not have the balls to remove it from my slide. We did agree, I barely raised my voice and asked her to make another readable version, so I think this is more readable.

So like I said, if you want Yasuo to perform port scanning, you can use the -r option to provide an IP range or CIDR range. It starts performing the port scan, it saves the output in XML format on the disk, and starts parsing that file. If you don't want Yasuo to perform port scanning, you can do it on your own and then provide the output in XML format using the -f option. After that it starts parsing that file, and only looks for the open web-based ports: http, https, http-alt, and so on and so forth. Then it creates a very primary URL, so IP address colon port. After that it starts using the unique application signatures from the default-path.csv file, and right now, as Stephen mentioned, we support around 115 applications, and all of them have exploits in Metasploit. Plus, it then creates the full request and sends it to the server, and based on the response you get, it tells you if that application is on the server or not. If it is, and if you do choose to brute force, it performs the brute force. We provide a very minimalistic username and password file; if you want, you can provide your own file and then do heavy brute forcing of those applications. In the end it will give you a table which will tell you that this IP, this port, has this application installed, and these are the default username and passwords, or weak username and passwords.

And yeah, when you download the code, you get the main Ruby script, yasuo.rb, which depends on resp200.rb, a Ruby file which mainly deals with form-based brute force and stuff like that. default-path.csv is the core file; it contains all the default application signatures. It uses user.txt and pass.txt as the default username and password files. It's released under GPL version 3.

This is what the current default-path.csv file looks like, and we are in the process of changing it, adding a secondary signature. Right now we made it really simple: the first column has all the unique application signatures, the second column has the unique path. Right now we support only Metasploit applications, so it has all the exploit paths from Metasploit. So yeah, we plan to implement a secondary signature and also a string to match after you parse the page.

Behind the scenes, it tries to detect false positives. So before it sends out any requests for enumerating applications, it sends a bogus request for a file, something like "this file will never exist.txt" and "this file will never exist" directory, because there are those servers that send 200 for each and every garbage file you request. So if you get 200 back for these files, it just discards that particular port and IP and then moves on to the next one.

What's new? We have actually finally implemented randomization. So we were talking about being stealthy, but initially what was happening was that it would create an initial URL, so IP:port, and then start reading the default-path.csv file, so if there are 200 applications in there it will send 200 requests to that particular IP and port, which is not really being stealthy. So now it randomizes all the IPs and ports, so it doesn't target one IP, one port at the same time; it just randomizes the stuff. A more robust check to detect false positives: initially we were only checking for a file name, now we also check with a file and a directory name. The output table was pretty shitty, but thanks to Stephen we now have a pretty output table. Obviously, more application signatures; I think we recently added application signatures for IP cameras. So that's the thing: you can add your own signatures. If you do some recon beforehand, like if you look at the wiki page of that particular company and find out what technology they're using, you can just wipe out all the application signatures from in there and just put your own signatures in there, and then try to find those applications. So the code is generic. The code is modular now, thanks to Ram. Yeah, Stephen messed up the code really bad, so Ram fixed that.

All right, demo time. So for the purpose of this demo I've already done an Nmap scan and saved the output file. Can you see better? I can barely see that and I'm here. All right, so this is what it looks like initially. So right now I'm not trying to brute force anything, and in the end you get the table. Because it's blown up, the table is a bit broken, but you will see that the first column is the application and the second column is the exploit path. The third and fourth columns are the default or weak username and passwords, and they're not there because we did not brute force it. So it's a four-column table.

And now I'm just trying to brute force everything, be it HTTP basic or form-based authentication.

So the green lines that you can't see are good things; it means it's found something, either an application or credentials. Also, like Saurabh said, the default file is pretty simple, so if you want to use it to find wikis as well, you can do that. Something I do is I have different default files that I use for different purposes. So I have one that looks for wikis, Chef, Puppet, stuff like that, and then I have one that will look for just JBoss and Tomcat, because I've noticed sometimes that Nessus will find the JMX invoker but it won't check for default creds on the invoker. So if the invoker exists but has admin/admin, Nessus won't report it. So it gives you that kind of flexibility to go through things a bit quicker.

Right, so it parsed applications, and then as it parses the applications, because we chose to brute force, it starts brute forcing those particular applications. Again we got our table now: application, exploit path in the second column, and then what, Tomcat, champion, of course it's got to be there, because we all know it reverts back to the default credentials. And then there are like four more applications on different IPs, and then the exploit path from Metasploit. So we don't support exploitation at this point in time, and we probably won't, because there are thousands of exploits on Exploit-DB and I don't necessarily trust all of them. Rightly so.

Right, some of the challenges that we had: parsing. Initially when I started writing this thing, we thought that it's going to be super easy, but it's not easy to get unique application signatures; you have to install the applications and get the application paths. We do dynamic extraction of login forms, username and password fields, when requesting HTTP basic authentication, and so if your page is in French it's going to bomb out, it's not going to work. So we try to do all the pen testing work in North America, to avoid going to the UK or stuff.

Future development: we plan to implement smarter version detection, support for more vulnerable applications, and actually I'll come back to that, support a secondary signature, add multithreading. I'm not sure if we will be able to support vFeed; it's a vulnerability aggregator, it's pretty awesome. And of course we are working on changing the format of the default-path.csv file so that it's not 1980s style. We can definitely use signatures. If you happen to come across applications, I mean, drop us a line, a tweet, post it on GitHub, contribute to default-path.csv on GitHub, send a pigeon, it doesn't really matter. As soon as we have signatures, it becomes more popular with each and every signature you put in. I suppose we don't have time for questions, so I'll be smoking outside and then you can catch me. Stephen will be here with the Santa hat, easy to spot. You can download the Yasuo source code from here, and you can connect with us on Twitter or send us an email. All abuse email goes to Saurabh. Yeah, thank you.
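The flow the speakers describe (parse an Nmap XML file, keep only open web ports, build an ip:port base URL, send a bogus request first to weed out servers that answer 200 to everything, then probe each signature path) is short enough to show end to end. The Ruby below is an added example written for this page; it is not Yasuo's own code, and it is written for the defensive use of the same idea: a blue team inventorying which management consoles are exposed on its own network. The Nmap XML, the signature rows and the hash of canned responses are all constructed for the example, and the names `web_targets`, `soft404?`, `detect`, `scan` and the `OFFLINE_FETCH`/`LIVE_FETCH` lambdas are hypothetical. Because the HTTP layer is injected as a lambda, the whole thing runs offline against the canned responses; swap in `LIVE_FETCH` to run it against hosts you are authorised to scan.

```ruby
require 'rexml/document'
require 'net/http'
require 'uri'

# Constructed Nmap -oX output for two hosts (not a real scan).
SAMPLE_NMAP_XML = <<~XML
  <nmaprun>
    <host><address addr="10.0.0.5" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
      </ports>
    </host>
    <host><address addr="10.0.0.9" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https" tunnel="ssl"/></port>
        <port protocol="tcp" portid="8443"><state state="filtered"/><service name="https-alt"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Nmap service names treated as "web-based ports" (assumed list).
WEB_SERVICES = %w[http https http-alt https-alt http-proxy].freeze

# Rows in the style of default-path.csv: application name, unique path.
# Constructed for the example; not the project's signature file.
SIGNATURES = [
  ['Apache Tomcat manager', '/manager/html'],
  ['Jenkins script console', '/script'],
  ['JBoss JMX console',      '/jmx-console/'],
].freeze

# Bogus paths used for the soft-404 check described in the talk.
BOGUS_PATHS = ['/thisfilewillneverexist.txt', '/thisdirwillneverexist/'].freeze

# Parse Nmap XML and return "scheme://ip:port" for every open web port.
def web_targets(xml)
  doc = REXML::Document.new(xml)
  targets = []
  doc.elements.each('nmaprun/host') do |host|
    addr = host.elements['address'].attributes['addr']
    host.elements.each('ports/port') do |port|
      next unless port.elements['state'].attributes['state'] == 'open'
      svc = port.elements['service']
      next unless svc && WEB_SERVICES.include?(svc.attributes['name'])
      tls = svc.attributes['name'].start_with?('https') || svc.attributes['tunnel'] == 'ssl'
      targets << "#{tls ? 'https' : 'http'}://#{addr}:#{port.attributes['portid']}"
    end
  end
  targets
end

# True when the server answers 200 for a file or directory that cannot exist,
# i.e. its responses carry no information and the host should be skipped.
# (Assumption: either bogus path returning 200 is enough to discard the host.)
def soft404?(base, fetch)
  BOGUS_PATHS.any? { |p| fetch.call(base + p) == 200 }
end

# Probe each signature path on one base URL; returns [base, name, path] hits.
def detect(base, fetch)
  return [] if soft404?(base, fetch)
  SIGNATURES.select { |_, path| fetch.call(base + path) == 200 }
            .map { |name, path| [base, name, path] }
end

# Whole pipeline: Nmap XML in, list of exposed consoles out.
def scan(xml, fetch)
  web_targets(xml).flat_map { |base| detect(base, fetch) }
end

# Offline stand-in for HTTP (constructed): 10.0.0.9:443 answers 200 to
# everything (a soft-404 server), 10.0.0.5:8080 only has a Tomcat manager.
OFFLINE_FETCH = lambda do |url|
  return 200 if url.start_with?('https://10.0.0.9:443')
  { 'http://10.0.0.5:8080/manager/html' => 200 }.fetch(url, 404)
end

# Real fetcher for your own hosts: GET with short timeouts, status code or nil.
# TLS verification is left on; self-signed internal certs will show up as nil.
LIVE_FETCH = lambda do |url|
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = http.read_timeout = 5
  http.get(uri.path).code.to_i
rescue StandardError
  nil
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_NMAP_XML, OFFLINE_FETCH).each do |base, name, path|
    puts format('%-28s %-24s %s', base, name, path)
  end
end
```

Only 10.0.0.5:8080 is reported: 10.0.0.9:443 returns 200 for the bogus file, so every signature would have "matched" there and the host is dropped before any signature request is sent, which is exactly the false positive the talk's soft-404 check is meant to avoid.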