Introducing The OWASP Nettacker Project

BSides Athens · 2020 · 22:54 · 293 views · Published 2020-06
About this talk
Abstract: The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and in general to aid penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features. This talk will showcase the OWASP Nettacker project, giving an overview of its features including a live demo of the tool.

Bio: Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry, with a background in software engineering and web application development. Sam has worked for various financial services institutions in the City of London, specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master's degree in Software Engineering and a CISSP certification.

Security BSides Athens 2020: CyberSecurity | InfoSec | Ethical Hacking | Computer Security | Evolving Threats | Threat Landscape | Privacy | Cyber Resilience. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world! We are responsible for organizing an independent Security BSides-Approved event for Athens, Greece. More: https://www.bsidesath.gr Follow on Twitter: @BSidesAth
Transcript [en]

Hello everyone, my name is Sam Stepanyan and I'm going to talk to you about the OWASP Nettacker project. First, briefly about me. As I said, my name is Sam Stepanyan. I am one of the OWASP London chapter leaders. I'm an ex-developer, I come from a software development background, I am an application security consultant in financial services in the City of London, and I am a defender. So why am I presenting a talk about a tool which consists of the words "network" and "attacker"? A quick background: back in December 2018, Dr. Grigorios Fragkos and I were asked to demo OWASP Nettacker at Black Hat Europe 2018, as the Nettacker project leaders could not get to London in time. So Greg and I had to learn Nettacker overnight to be able to demo it at Black Hat Arsenal. Then this happened: you can see huge crowds of penetration testers and security researchers gathering around our stand, watching the live demo of this tool. Everybody loved the tool, and we liked it as well. We liked it so much that we decided to present it the following year, in 2019, and then the same thing happened at Black Hat Europe 2019: an even bigger crowd of people gathered to watch the demo of this tool.

So what is OWASP Nettacker and why is it so popular? Just like all OWASP projects, OWASP Nettacker is an open-source tool, and it is an open source software tool which assists with penetration testing by automating information gathering and vulnerability scanning tasks. The tool is written in Python, it can be run on Windows, Linux or macOS, and it is compatible with both Python 2 and Python 3. Another important thing to mention about Nettacker is that it is a project on the Google Summer of Code. If you don't know what Google Summer of Code is, it is an initiative by Google which has been run since, I think, 2005, where Google pays students to work on an open-source project during the summer break, and we're very happy to report that Nettacker was accepted as a Google Summer of Code project.

So what is OWASP Nettacker? I'd like you to think about it as a Swiss Army knife, and just like a Swiss Army knife it's a tool consisting of many tools, not necessarily compatible with each other, but can they all be used together? Good question. So just like a Swiss Army knife, OWASP Nettacker is a collection of tools, or modules, so it has a modular structure. The modules are all written in Python and it's relatively easy to create your own modules should you want to. It is quite fast compared with some other tools because it's using Python's multithreading. It has customizable profiles, which are bundles of modules focused on specific tasks, and most importantly it's automatable, so you can automate and run the tool from the command line.

So OWASP Nettacker is a relatively young project, what we call an OWASP incubator project, so it is not officially released yet; it is not even in beta. The current version is 0.0.1, yet it is an awesome tool. Why? It already has a command-line interface, a web UI and an API, a report generator, Maltego transforms, and it has over 62 modules. First of all, you can find OWASP Nettacker on the owasp.org website, on the OWASP project page; here's the URL on the screen. All the documentation that you need to install Nettacker and how to use it is actually available on GitHub under the wiki, so when you navigate to the GitHub repository for the project, please make sure you click on the wiki to get access to the documentation. Installing Nettacker is relatively simple and very, very quick. All you need to do to install it from GitHub: you just do a git clone from GitHub, then you run pip install of all the dependencies, or the requirements, and then you can install the tool using the python setup.py install command. Before we move any further, I would like to warn everyone about responsible use of offensive security tools: you shall not misuse this tool nor any other security tool for unauthorized access, and I would like to remind you that performing security scans without permission from the owner of the computer system is illegal.

So first of all, Nettacker has multiple modules, as we know, and we can classify Nettacker modules into three different types: scan modules, for example port scan; vuln modules, or vulnerability modules, so these are the modules which are looking for a specific vulnerability, an example of that would be an Apache Struts vulnerability; and the third type of module is the brute module, or brute-forcing module, and again an example of such a module would be an SSH brute. So here is the list of all the Nettacker scan modules. At the moment there are 21 scan modules. Here I'm showing them on the screen, all sorted in alphabetical order to make it easy for you to understand what they are. Of course I'm not gonna read out all of them, but I would like to bring your attention to some of them. For example, the CMS detection scan module will help you to find content management systems. ICMP scan will help you to ping your whole network and find hosts which are responding to ICMP pings. Port scan is probably one of the most popular modules; it allows you to perform port scans. Subdomain scan is another popular one; it allows you to find all the subdomains of a particular domain. And there are several modules around WordPress, like WordPress version scan, plugin scan, theme scan, the user scan, and several others.

Then here is the list of Nettacker vulnerability scanning modules. There are 30 vulnerability scanning modules in Nettacker at the moment, and again, I'm not going to read out all of them. On this slide they are all presented in alphabetical order; I only want to bring your attention to some interesting ones. For example, a recent addition was the Citrix vulnerability scanning module. This is about the Citrix vulnerability from December 2019 which affected quite a lot of organizations. Other interesting vulnerability scanning modules are the server version one, which allows you to find servers which leak the version in the Server version headers, and also SSL certificate expired vuln, which basically helps you find servers with an expired SSL certificate. Nettacker brute-force modules, or brute modules: we currently have eight brute-force modules available, for FTP, HTTP basic auth, HTTP form, HTTP NTLM brute forcing, SMTP, SSH, Telnet and WordPress XML-RPC brute forcing.

So Nettacker originally was designed to be an IoT scanner, and the idea was that you can use it to scan your network for Internet of Things devices, or you can scan your IoT device for open ports and you can scan it for default credentials. So IoT scan was the original name of Nettacker. So as you can guess, port scanning is probably one of the main modules of Nettacker, and the port scanner inside Nettacker is easy to use and fast, faster compared with nmap, and a lot of people who use nmap are usually quite frustrated with the fact that this tool is not easy to use, and nmap actually takes some time to get used to and to understand how it works. Nettacker's port scan module is very simple, and essentially all that you need to do to scan is either use it without any parameters or use it with the -g command-line switch, where you can list the specific ports you want to scan. And because Nettacker uses Python multithreading, you can add the -t and -M command-line options to increase the number of threads to make the port scanning process much, much faster.

So before I move on to actually show the demo of Nettacker, we need to understand how to run Nettacker first of all. So to run Nettacker you need to specify two command switches; there is a minimum of two things you need to define when you run it: you have to define the target and you have to define the module. The target is usually defined with the -i switch, and the target can be a single IP address or, for example, the whole network or an IP range, and the -m is where you define the name of the module that you would like to use on this specific target. So targets can be not just an IP address or an IP range; you can define, for example, a starting IP and an ending IP, it can also be a CIDR range like this, you can also define a domain name, and you can also define a specific URL as a target. For a specific URL you need to provide the full URL with the protocol, so Nettacker will support both HTTP and HTTPS URLs. So these are all the various targets that Nettacker can scan in one go. You can also create a list of all the targets you want Nettacker to run against in a file, in a text file, and in this case you will run Nettacker with the command-line switch -l. Chaining modules: so this is the coolest feature of Nettacker, where it actually allows you to use several Swiss Army knife tools at once.

Okay, I'm going to switch to my Kali Linux and log in. Here I already have Nettacker installed, so I'm not going to show you how to install Nettacker, but this is how you can run Nettacker. Because I'm already in the Nettacker folder, I just run it by typing python nettacker.py, and if I run it with no other parameters, as you can see, it spits out its usage help. You can see it's quite a lot of information which is presented to you, which you need to read and understand. And so when running Nettacker you need to define two things, as you remember: we need to define the target and we need to define the module. So here I'm going to demonstrate to you how to run Nettacker for performing a port scan. I'm going to define my target in the -i switch, and my target in this case is going to be a single IP address, 192.168.1.32, and -m, or the module that I'm going to use on this target, is going to be port_scan. And then I run Nettacker. As you can see, now it's running. When it starts, let's just scroll up so you can see how quickly it performed the port scan. When Nettacker scans, first of all it checks if you're on the latest version, tells you how many modules are loaded (my current version has 64 modules), it also then tells you which target it is about to scan, and as you can see it very quickly discovered all the open ports on my target and then it displayed the findings here in a text table. You can also see that at the bottom of the screen Nettacker also told us that the report was saved in this file.

The next thing I'm going to talk about is another cool feature of Nettacker, which is chaining modules. So you can actually pull more than one tool out of your Swiss Army knife and you can run several modules on your target, and the way you do it is that you list the modules that you would like to use separated by a comma. So for example, if we want to run a port scan and a phpMyAdmin scan on this IP address, I'll just list port_scan, then a comma, and then pma_scan. Similarly, for example, if I would like to run two modules on the owasp.org domain, trying to do a subdomain scan and a server version vulnerability scan, I can just separate them by a comma. So let me do a demonstration of the module chaining. I'm going to run Nettacker, then I am going to define the target. In this case we're going to show you how to chain port scan with the server version vuln. So I'm going to select the owasp.org domain as a target this time, and as modules I'm going to define a subdomain scan, then I'm going to add a comma and I'm going to add a port scan, and because the port scan will take quite a while to complete, I'm going to only define the port scan on port 80 and on port 443. Okay, so let's double-check everything: we have Nettacker, which runs on owasp.org to do a subdomain scan and also to perform a port scan on these ports. So if I want to run the port scan on all the subdomains as well, I will need to add a -s parameter. So let's run this and see what happens.

So again we can see Nettacker starts, and you can see now it discovers the subdomains of owasp.org and submits them into the engine for scanning, and you can see already some of the subdomains respond back with an open port. So you can see for example the OWASP CMS host has ports 80 and 443 open, and then you can see all the other subdomains responding as well. You can see, because now I'm using two modules, it will take a while to complete, but you can see the process and you can see how every single discovered subdomain is being scanned. So when this process completes you will get a similar result in a text format. So let's just wait for it to complete; as you can see, again it dives into every single discovered subdomain and attempts to scan it for port 80 or port 443. Okay, so here is the scan which is now complete, and as you can see we used two methods: we used port scan and we used the subdomain scan. You can see that all the results are now in this table. So this is not it: we can add one more module, and we can add as many as we want. So I'm now going to add a server version vuln as well; I am going to add the server version vuln and run this again. So here in this example OWASP Nettacker is going to run a subdomain scan on owasp.org, then for every single discovered subdomain it is now going to try to discover what is the type of the server used in the server banner, then it is going to try to do a port scan and see if port 80 and port 443 are open. You can see it's doing it recursively for every single subdomain of owasp.org, and here is the result in the text file.

But what use is a result in a text file? Well, now let's have a look at the HTML report. We can see here that the report was saved in this HTML file, so let me copy-paste this file and open it with Firefox, okay, with the Firefox browser. Okay, and here we're going to see one of the coolest features of OWASP Nettacker, the graphs. And as you can see, how the attack was started: you can see all the subdomains of owasp.org which were discovered by Nettacker, and then you can see the further scans that were done on each subdomain. So you can see that there was a port scan performed and there was a server version vulnerability scan performed, and you can see these are the open ports and these are the server banners of each subdomain, and at the bottom of the report we can see all the results of the scan displayed in the tabular format.

Let's compare OWASP Nettacker with some other scanners so you can understand the difference. So let's have a look at the popular scanners such as Burp Suite or [unclear]. So what these scanners do: they scan one website for many web application vulnerabilities, and these are whatever vulnerabilities the scanner is able to find on that one website, and usually this scanner would crawl one website to discover all the URLs, all the parameters, and it tries to detect as many vulnerabilities as possible, usually on one website. So the difference with OWASP Nettacker is that it scans one-to-many, and that can be hundreds of thousands of IP addresses, networks, or subdomains, websites, for open ports with one or more specific vulnerabilities as listed by the user. As you can see, we list which specific vulnerabilities we're looking for, but the actual targets can be one device, can be one IP address or one website, but it could be hundreds of thousands, and that is the greatest advantage of OWASP Nettacker.

So how OWASP Nettacker can be useful in your enterprise network: here's an old tweet about OWASP A0 from Jeremiah Grossman. So Jeremiah suggested that the OWASP Top 10 2017 include an A0, or asset inventory, and Jeremiah is saying these days the biggest AppSec risk are websites that you don't know that you own, and Nettacker actually solves this problem. Because if we look at some of the Nettacker use cases in the enterprise: you can use it for asset discovery, you can discover your subdomains, your web servers, your applications, you can scan your network for open ports, and you can scan it internally or you can scan it from outside, externally, you can scan your network for any new hosts, you can scan your network for default credentials. So for example, how many devices on your network have default admin/admin credentials enabled? OWASP Nettacker allows you to discover it very quickly; OWASP Nettacker allows you to discover it quite easily. You can also monitor subdomains and open ports on them, you can monitor expired SSL certificates in your IP ranges, and you can find subdomains hosting vulnerable versions of WordPress, Drupal and Joomla CMS. So these are just a few examples of how you can use Nettacker in your corporate network.

Just like all OWASP projects, we welcome all contributions. If you know Python and you would like to enhance and improve OWASP Nettacker, please familiarize yourself with the developer wiki, which is located at this URL, so please read and follow the contributor guidelines before submitting any pull request. And also one last thing before I finish: the OWASP Nettacker tool also has a logo, so this circle is the OWASP Nettacker logo, so next time you see it you'll be able to recognize the tool. So this is it for me, so thank you very much for listening, and if you've got any questions about the tool you can contact me by email, sam.stepanyan@owasp.org, or you can also contact me on Twitter, and my Twitter handle is
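The talk describes the target forms a Nettacker run accepts (a single IP, a start-end range, a CIDR block, a domain, a full URL with protocol, or a text file of targets passed with -l) and the comma-separated module chaining. As an added example that is not part of the talk or of the Nettacker code base, the Python below models that target grammar, expanding one target or a whole -l style file into the concrete hosts a scanner would iterate, which is a useful pre-check that an asset-inventory scope file says what you think it says; the function names and the sample target list are constructed for this demonstration.

```python
# Added example (not Nettacker's own code): expand the target forms the talk lists (single IP,
# start-end range, CIDR, domain, full URL) into concrete targets; names and sample data are constructed.
import ipaddress
import re
from typing import Iterable, List

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def expand_target(target: str) -> List[str]:
    """Return the concrete targets that one command-line target denotes."""
    target = target.strip()
    if not target or target.startswith("#"):       # blank or comment line in a -l file
        return []
    if "://" in target:                             # full URL: the scheme is mandatory
        if target.split("://", 1)[0].lower() not in ("http", "https"):
            raise ValueError(f"unsupported URL scheme in {target!r}")
        return [target]
    if "/" in target:                               # CIDR block -> every usable host
        net = ipaddress.ip_network(target, strict=False)
        hosts = list(net.hosts())
        return [str(h) for h in (hosts or [net.network_address])]
    if "-" in target and target.replace("-", "").replace(".", "").isdigit():
        start, end = (ipaddress.ip_address(p) for p in target.split("-", 1))
        if end < start:                             # inclusive start-end IPv4 range
            raise ValueError(f"range end precedes start in {target!r}")
        return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    try:
        return [str(ipaddress.ip_address(target))]  # single IP address
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):                   # bare domain name
        return [target.lower()]
    raise ValueError(f"unrecognised target {target!r}")

def is_valid_target(target: str) -> bool:
    """True when expand_target accepts the target; handy for pre-checking a scope file."""
    try:
        expand_target(target)
        return True
    except ValueError:
        return False

def expand_target_list(lines: Iterable[str]) -> List[str]:
    """Expand a -l style target file (one target per line), de-duplicated, order kept."""
    seen, out = set(), []
    for line in lines:
        for host in expand_target(line):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out

def parse_modules(spec: str) -> List[str]:
    """Split a comma-separated chained module list such as 'subdomain_scan,port_scan'."""
    return list(dict.fromkeys(m.strip() for m in spec.split(",") if m.strip()))

# Constructed sample -l file contents (not a real scan scope).
SAMPLE_TARGETS = [
    "# constructed sample, one target per line",
    "192.168.1.32", "192.168.1.10-192.168.1.12", "10.0.0.0/30",
    "owasp.org", "https://owasp.org/", "192.168.1.32",
]
```

Running `expand_target_list(SAMPLE_TARGETS)` yields eight unique targets (the duplicate 192.168.1.32 is dropped), and `is_valid_target` flags lines such as an `ftp://` URL or a reversed range before anything is scanned.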