
OWASP Nettacker Project Presentation

BSides Athens · 2022 · 25:57 · 115 views · Published 2022-06
About this talk
Sam Stepanyan, OWASP Nettacker project co-leader, presents the open-source penetration-testing tool designed to automate information gathering and vulnerability scanning. Written entirely in Python with a modular architecture, Nettacker performs port scanning, subdomain discovery, service fingerprinting, and default-credential detection across networks, domains, and IP ranges—outputting results in HTML, CSV, and JSON formats for asset inventory and compliance.
Transcript

Hi everyone, my name is Sam Stepanyan. I'm an OWASP London chapter leader and OWASP Nettacker project co-leader. I work in London in the financial services sector as an application security consultant. Today I'm going to talk to you about the OWASP Nettacker project. A few more words about me: apart from being an OWASP London chapter leader, I also lead the OWASP Chapter Committee, where we help all OWASP chapters to succeed, to be healthy, to be active. I originally come from a software development background; I'm an application developer and I'm an application security guy, and I am a defender. So why am I presenting a talk about a tool whose name consists of two words, network and attacker?

Well, I am a defender and an application security guy, and I have a bit of a history with OWASP Nettacker, because I didn't know about this tool until I was pinged by the original Nettacker project leaders in 2018, when they asked me and OWASP London chapter co-leader Dr Greg Fragkos to go to the Black Hat Europe 2018 conference and present this project, because the Nettacker project leaders were unable to travel to London at that time. So myself and Dr Greg Fragkos had to learn this tool overnight on a Zoom session, and we absolutely loved it. We knew very little about this tool because it was a brand new tool back then; we saw it appearing on the list of OWASP projects, but we didn't really know what it was, and once we learned what it was we were really happy to go and present it at Black Hat Europe 2018 in London. And then suddenly this happened: we had huge crowds of seasoned penetration testers, software developers, security engineers, even some information security managers gathering around our stand at the Black Hat Europe Arsenal booth, watching the presentation of the tool. So I said okay, this is good, people like the tool, and I became a co-leader of the OWASP Nettacker project and proposed that it would also be presented the following year, in 2019. And then suddenly this happened: even bigger crowds gathered around watching this tool, and absolutely everybody loved this tool.

But why? What is it about OWASP Nettacker that everybody is so intrigued about? OWASP Nettacker, first of all, is an open source software tool, just like all OWASP projects, and OWASP Nettacker's goal is to assist with penetration testing by automating tasks such as information gathering and vulnerability scanning. Because this tool is written in 100% Python, it doesn't require any external tools to be present in the operating system, and it can be run on Windows, Linux or macOS. A very important thing to mention about OWASP Nettacker is that it is actually written and enhanced by students who participated in an initiative called Google Summer of Code. If you don't know what Google Summer of Code is, it is a great initiative by Google which runs every year, and it is essentially a paid internship for students to select an open source project of their liking and apply to work on that project during the summer break. This is how we at OWASP benefited by having students help us to enhance the tool, and actually it's not just OWASP Nettacker: there are many other OWASP projects, like OWASP ZAP, for example, or OWASP Juice Shop, which benefited from Google Summer of Code. And it's not just OWASP which participates; many other open source organizations do as well. So if you're a student watching this, or you know any students who you think might be interested in spending their summer break working on open source and gathering some real experience, please do check out Google Summer of Code. It usually runs from March every year until the end of August.

So what is OWASP Nettacker? You can think of OWASP Nettacker as a Swiss Army knife kind of tool, because just like a Swiss Army knife it is a collection of tools. It has a modular structure, and it's relatively easy to create your own modules. We recently changed how you write your modules from Python to YAML; I will talk about this a little bit later. It is a fast-performing tool because it's using multi-threading, which you can control; it's using Python's multi-threading model. An important thing is that it has customizable profiles, which are bundles of modules focused on a specific task. So, if you can imagine, you can pull out several blades of your Swiss Army knife to perform a specific task, to make it quicker or more efficient. And of course the most important thing is automation, because you can automate and run this tool from the command line.

A few other bits about OWASP Nettacker: it is not an officially released tool yet. It's not even in beta; it's still in the research and development phase, so the current versions are 0.0.2 and 0.0.3, and we're always looking for more contributors. I will tell you how to contribute to the project at the end of my presentation. However, what is great about Nettacker is that it is usable right now, and it is a great tool which already has a command line interface, a web user interface, an API and a report generator. It also has a Maltego transform, for people who use Maltego, which is a great investigation tool available, for example, in Kali Linux. And Nettacker currently has over 70 modules. You can find OWASP Nettacker on the main owasp.org website under Projects; this is the URL where you can learn about the project and see a quick demonstration. An important bit about documentation is that we use the wiki part on GitHub, so if you would like to read the documentation, please click on the Wiki button once you visit OWASP Nettacker on GitHub, and there is an installation section there where you can learn how to install it. You can install Nettacker relatively simply and it will run on anything. I prefer using it in Kali Linux, but you can use it on any platform. There are several requirements for installation, so please do follow the installation instructions, because there are some dependencies that you need to install. However, if you are using the BlackArch Linux distribution, which is a Linux distribution specifically targeting penetration testing engagements, you will find that recently Nettacker was included in BlackArch, and you can see it's currently being listed under the BlackArch automation tools, and version 0.0.2 is actually built into BlackArch, which is absolutely great. We're very thankful to the BlackArch Linux team, which included our tool in the Linux distribution.

In order for you to understand what OWASP Nettacker is and how it compares with other scanners that you might know, for example scanners such as Burp Suite or OWASP ZAP: scanners like Burp or OWASP ZAP usually scan one website for many web application vulnerabilities, whatever the scanner is able to find. So these tools will go and crawl one website to discover all URLs, all parameters, all forms, all the buttons; they will try to click on all the links and then try to see if there are any vulnerabilities. OWASP Nettacker doesn't work like that. It doesn't scan just one website; it scans one or many, and that can be hundreds or thousands of IP addresses, networks or subdomains. And what is it scanning them for? For open ports, or one or more specific vulnerabilities listed by the user. These are basically what our modules are, and you can bundle the modules in a profile to search for specific things.

So Nettacker consists of three types of modules: modules of type scan, for example port scan; modules of type vuln, which are the modules which look for a specific vulnerability, for example the Apache Struts vuln module will look for the Apache Struts vulnerability; and modules of type brute, for brute forcing, so for example an SSH brute module will perform brute forcing over the SSH protocol. That's essentially what the module types are, and that is what makes this tool great, because it combines three different types of activities: scanning for information gathering, scanning for a specific vulnerability, and brute forcing.

So how do you run Nettacker? In order to run Nettacker from the command line you need to define two parameters: you need to define the target, what you want to scan, and the module, which module you want to use to scan it with. You do it with the -i command line switch, where you define your target, and -m for your module. So for example, if I want to perform a port scan on IP address 192.168., I will call Nettacker with -i and the IP address, and -m with the port scan module. You can also scan not just one IP address but the whole network; for example, if you provide 192.168.1.0/24 you will scan the entire class C network, or 255 IP addresses. And actually Nettacker has more targets available: you can scan a single IP address, as I've just shown you; you can also scan an IP address range by providing a starting IP address and an ending IP address; you can also scan a network by providing the CIDR bits notation; but what is also very interesting is that you can scan a domain, for example owasp.org, and you can also scan URLs using the HTTP or HTTPS protocol. So these are the various types of Nettacker targets. But that is not all, because if you work for a larger organization, that means you will have a multitude of networks, you will have several domain names and lots of IP addresses. So what you can do is actually create a text file which lists all the targets that you want to scan, one target per line in the text file, and then just load the list of targets using the -l parameter. That is another way of running Nettacker, and again, for example, if you want to run a specific module, for example a port scan, on all your networks, all your domains and subdomains, that is what you can do, and this is what is making Nettacker so great.

So let me now do a quick live demo. Let me just switch to my Kali Linux installation here, where I already have Nettacker installed. And again a reminder: if you want to learn how to install Nettacker, just check out the documentation on GitHub under the GitHub wiki. Because Nettacker is a tool written in Python, I'm going to use Python to run it. If I run Nettacker with no parameters, what is going to happen? It's just going to return the usage instructions. You can see there's a lot of information being displayed on the screen, which can be quite confusing; this is why please do check out the documentation, where you will be able to find out about all the modules available, what they do, and any additional parameters that you might need to use. But here, in my first example, let me actually try to run Nettacker on an IP address and perform a port scan. I want to scan this particular IP address now, so this is what I need to specify: I just need to provide the IP address and then port scan as the module. Of course many of you are probably using tools such as nmap for port scanning, and usually people have a love and hate relationship with nmap. In Nettacker, what is great about port scanning is that it is actually quite simple, very powerful, and it is written in Python, so you don't even need to install nmap on your system; all you need to do is just have Python installed. So there you go: you can see how quickly Nettacker scanned it and returned the results, where you can see all the port numbers which were open, and also you can see in the description column here it tries to identify what they are. You can see that it was telnet, SSH, sunrpc, but for example you can see on ports 1884 and 1890 on this particular target it thinks that it is actually running HTTP, which is very important, because, as you can see, people can run things like web servers or SSH servers on some obscure ports, and Nettacker can actually identify what is running there. You can see that after Nettacker completed the scan it displays the information in its tabular format, and it also stores the data in an HTML file, as you can see here, and in the database. The database bit is actually quite important, because it's not like other tools which complete the scan and then that's it and you have to do something with it; no, Nettacker actually stores everything in a database, and again that is a very good feature, because you can actually search the database, and I'll talk about this a little bit later.

Now we have seen how to use Nettacker for port scanning, but let me show you some other ways you can use Nettacker, by using multiple modules, and how you can use it on a domain name. So for example, if I want to scan the owasp.org domain and I want to perform a subdomain scan, I can run this command and OWASP Nettacker is now going to go and discover all the subdomains of owasp.org and give us the list. You can see how quickly this was done. However, what Nettacker has is a unique feature which allows you to combine subdomain scan with any other module available. So for example there is a module which is called server_version_vuln, and server_version_vuln is a module which is trying to detect if the web server in question is returning or leaking the type of the web server in the response headers, in the Server header. And we can see if we run it on owasp.org that owasp.org is actually leaking its Server header, and it says that it's running Cloudflare. So okay, great, now we know what owasp.org is running on. But this is not all, because what we can also do is add another module, so I can add, for example, x_powered_by_vuln, and that will return another header, which is the X-Powered-By header, and you can also see any extra information provided by the X-Powered-By header of that web server. And that is not all: you can see this is all on the owasp.org website, and we can see that Nettacker actually discovered open ports, ports 80 and 443, and told us in this information gathering session what type of server and technologies are being run on owasp.org. But what is great, as I mentioned, is that you can actually add subdomain scan to this by adding the -s parameter, and what's going to happen now is Nettacker is actually going to go and discover all the subdomains of owasp.org, and it's going to run these two modules that I listed on every single subdomain. And as a result, as you can see, it is very quick, and literally within a few seconds now we have information about all the subdomains of owasp.org and everything that they are running. So this is an absolutely great feature.

And what can you do after this? Because obviously, how do you consume the results? You can check out the report. You can see, for example, here the report is stored in the HTML file, so let's see if we can open this HTML file with a web browser. I have Firefox here; let's see if we can open this file and see what is shown in this HTML file. You can see a great feature in Nettacker here called the penetration testing graph, and you can see that Nettacker started its attack and started connecting to various subdomains of owasp.org, and we can see that on every single target here the server_version_vuln and x_powered_by_vuln modules returned a result, and you can see what was actually running on them. And why the graph is important: because by looking at the shape of the graph you can spot some patterns. For example, you can see that one of the subdomains of owasp.org did not have x_powered_by_vuln returning anything, because that header was not present; you can see it was just server_version_vuln, and we can see in this case this was nginx. And if you scroll down this report you will find the results in the same familiar tabular format. You will see all the hosts, which will be either the subdomain or a specific IP address if you scan your network; the username and password columns, which are currently blank, are used for brute forcing, so if you try to run a brute forcing attack, for example to discover if there are any servers on your network which are using default credentials such as admin/admin, or whatever default credentials you are looking for, they will be displayed here in the username and password columns if there is a match. You can see the port number, you can see the type of the module which was in use, and you can see the description column. There's a bit of a visual effect: if I want to focus your attention on a particular line in this table, I can just hover over the row of data, and you can see that this particular host, for example, was running nginx. So that is the results in HTML format.

However, Nettacker has the ability to run some other reports as well, and again what makes it great is that apart from the graphs it can also output results in CSV and JSON formats. Why is it important? Because using JSON, people can actually consume these results for integration with other tools, because JSON is structured data, and after you run Nettacker on your networks you can take that JSON file and feed it into any other tool which can consume it and, for example, provide you different reporting, analytics, or perhaps further vulnerability scanning. And why is it important to have CSV? It's because you get results in a spreadsheet format, and this is probably what is so great about OWASP Nettacker: it's probably the only tool I know which is free and open source and allows you to scan your network, discover all the open ports, all the services, all the vulnerabilities, and gives you results in Excel spreadsheet format, which is fantastic. Everybody gets the spreadsheet, everybody loves the spreadsheet. You can easily, of course, filter that spreadsheet, filter the data, search for whatever is needed, and it is absolutely fantastic for companies to basically run this free and open source tool and get a list of all the assets, open ports and vulnerabilities in one very convenient spreadsheet format. So this is a unique feature of Nettacker, which I think is probably one of the best features of this little tool.

So what Nettacker is solving, by storing the results in the database and giving you the spreadsheet, is something called OWASP A0. If you don't know what OWASP A0 is, it's something that Jeremiah Grossman, the veteran of our application security industry, suggested a few years ago when we were due to release the OWASP Top 10 2017, and the top suggestion from Jeremiah was to include A0, or asset inventory, because these days the biggest application security risk is websites that you don't know you own. Why? Because if you don't know what you own, you cannot possibly secure it. Nettacker solves this challenge for you because it allows you to create your asset inventory by scanning your network and scanning your assets. And of course the recommended way of using Nettacker is to use it on your own network, but you can also use it for penetration testing engagements or for bug bounty work, where you can attack somebody else's network, but of course always make sure that you have permission to do that.

So some of the Nettacker use cases: you can use it for asset discovery, so you can scan your network for open ports; you can scan networks for new hosts; you can scan the network for default credentials, for example admin/admin, and if you use brute forcing you can quickly scan the network and find out if there is any server with default credentials configured on it; you can scan your network for a specific vulnerability, for example a big vulnerability this year has been the Microsoft Exchange SSRF CVE, which affected thousands and thousands of organizations worldwide, and we have a free and open source tool called OWASP Nettacker with a module which actually allows you to scan all your networks and discover vulnerable servers; you can also discover subdomains and open ports on them; you can discover things like expired SSL certificates in your IP ranges. Why is it important? Because if you have a server with an expired SSL cert, that means that the server is probably abandoned and probably not patched. You can also find subdomains hosting vulnerable versions of content management systems such as WordPress, Drupal and Joomla, and of course what is important is that you can run any Nettacker modules on all subdomains of a specific domain. You can automate Nettacker using the command line and you get results in CSV, JSON and HTML format. You can use it in Docker in your organization; when you spin it up in Docker it will actually use the web UI or the API mode, and you can search for previous scan results and discovered assets in the database. That's what makes it great.

I have a slide here which shows quickly what the Nettacker web UI looks like. It's quite simple, and you can see different colours because different modules are colour coded: you can see that the brute forcing modules are orange, the vulnerability scanning modules are red and the scanning modules are green. So when you select a particular profile, for example all vulnerability scanning modules selected here, they will all be ticked and they will all be used. An important thing about the modules is that in the latest version of Nettacker, 0.0.3, the modules are written in YAML, which means that it is very simple to write new modules and contribute new modules. Please definitely do check out this new feature. The latest version is a bit unstable yet, so we're still working on it, but the fact that it's using YAML will allow the project to respond quickly to new vulnerabilities and release new modules, allowing you to scan for these vulnerabilities in your network.

Just like all OWASP projects it is open source, so we welcome contributions. If you want to contribute, please do check out the developer wiki, which is available on the documentation page; do read and follow the contributor guidelines. If you know Python you can of course help us with coding; if you know YAML you can help us with the vulnerability modules; you can also help us with translations and documentation if you want to contribute in a non-technical way. So that's it about Nettacker. Please use it to attack your own network before the real attackers do. I'm now ready to take any questions, and as you have heard from the moderators, we're taking questions today in the OWASP Slack channel, and the current OWASP Slack channel for this track is "20th anniversary temporal". You can also contact me via email or via Twitter at @securestep9. Thank you.
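The talk's asset-inventory argument (OWASP A0: you cannot secure what you do not know you own) rests on comparing one scan's CSV export against the previous one to spot new hosts, new open ports and default-credential hits. The following is an added example, not code from the OWASP Nettacker project, showing how a defender might consume such exports. The column names (host, username, password, port, module, description) are an assumption modelled on the report columns the speaker describes, not the project's actual CSV schema, and both exports are constructed sample data.

```python
import csv
import io

# Constructed sample exports. The column layout is an ASSUMPTION based on the
# report columns described in the talk, not the project's real CSV schema.
PREVIOUS_CSV = """host,username,password,port,module,description
10.0.0.5,,,22,port_scan,ssh
10.0.0.5,,,80,port_scan,http
10.0.0.9,,,443,port_scan,https
"""

CURRENT_CSV = """host,username,password,port,module,description
10.0.0.5,,,22,port_scan,ssh
10.0.0.5,,,1884,port_scan,http
10.0.0.9,,,443,port_scan,https
10.0.0.12,,,23,port_scan,telnet
10.0.0.12,admin,admin,22,ssh_brute,login successful
"""


def load_rows(text):
    """Parse a CSV export into a list of dict rows (one row per finding)."""
    return list(csv.DictReader(io.StringIO(text)))


def open_services(rows):
    """Set of (host, port) pairs reported by scan-type modules (e.g. port_scan)."""
    return {(r["host"], int(r["port"])) for r in rows if r["module"].endswith("_scan")}


def credential_hits(rows):
    """(host, port, username, password) tuples where a brute-type module
    populated the username column, i.e. a default/weak credential worked."""
    return {
        (r["host"], int(r["port"]), r["username"], r["password"])
        for r in rows
        if r["module"].endswith("_brute") and r["username"]
    }


def inventory_delta(previous_text, current_text):
    """Compare two exports and return what changed in the asset inventory."""
    prev_services = open_services(load_rows(previous_text))
    cur_services = open_services(load_rows(current_text))
    prev_hosts = {host for host, _ in prev_services}
    cur_hosts = {host for host, _ in cur_services}
    return {
        "new_hosts": sorted(cur_hosts - prev_hosts),
        "gone_hosts": sorted(prev_hosts - cur_hosts),
        "new_services": sorted(cur_services - prev_services),
        "closed_services": sorted(prev_services - cur_services),
        "default_credentials": sorted(credential_hits(load_rows(current_text))),
    }


def format_report(delta):
    """Render the delta as plain text for a ticket or an e-mail to the asset owner."""
    lines = []
    for key in ("new_hosts", "gone_hosts", "new_services", "closed_services",
                "default_credentials"):
        lines.append(f"{key}: " + (", ".join(map(str, delta[key])) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(inventory_delta(PREVIOUS_CSV, CURRENT_CSV)))
```

Each run of the tool becomes one snapshot; diffing consecutive snapshots turns a pile of spreadsheets into a change feed, which is what an inventory needs to be actionable. Hosts with a non-empty username column are the ones to chase first, since a working default login is a far more urgent finding than a newly seen port.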