Mastering Advanced Security Profiling Language (ASPL)

Tyler Reguly, Manager of Security Research & Development
August 5th, 2015


Agenda: Producing content that powers Tripwire IP360

• Inserting Custom Vulnerabilities in IP360
• Writing Rules for Windows
• Writing Rules for Linux
• Writing Remote Rules
• Writing Advanced Rules
• VERT Update


Discover Custom ASPL Vulnerabilities


Create a New Vuln


Submit Vuln Details


Associate an Application


Create A Rule


Insert Your Rule


Associate an Operating System (Optional)


Select an OS (Optional)


Finished

ASPL Commands (ASPL Basics)

ASPL Instructions – SEND / RegistryQuery (ASPL Basics)

ASPL Instructions – CHECK (ASPL Basics)

ASPL Modifiers (ASPL Basics)

Python 101 – Data Types (Python Basics)

Python 101 – Conditionals (Python Basics)

Python 101 – Operators (Python Basics)

Python Resources (Python Basics)

Using Python – rule (Advanced ASPL)

Using Python – rule (Advanced ASPL)

Using Python – env (Advanced ASPL)

Basic ASPL – Rule Sample #1: The Simplest Rule

RegistryQuery GetKey[HKLM] THEN CHECK Exists

Basic ASPL – Rule Sample #2: Basic Remote Rule

SEND String[GET / HTTP/1.0\x0d\x0a\x0d\x0a] THEN
    CHECK Contains/HTTP\/1\.[01] 200/ WITH Offset[0], Length[12]

Basic ASPL – Rule Sample #3: Putting It All Together

RegistryQuery GetValue[HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName] THEN
IF Contains[Windows 7] THEN
    RegistryQuery GetValue[HKLM\Software\Microsoft\Windows NT\CurrentVersion\CSDVersion] THEN
    CHECK Contains[Service Pack 1]
    THEN STOP WITH Match
ELSE
    STOP WITH Match
END THEN
STOP WITH NoMatch

Pure Python – Rule Sample #1: Reading a File

EXECUTE {
    # Windows: fetch WIN.INI over the C$ admin share and return it as the transcript
    rule.CIFSGetFile('C$:\\Windows\\WIN.INI')
    if not rule.success: rule.STOP(False)
    rule.transcript = rule.buffer
    rule.transcriptIsFull = True
}

EXECUTE {
    # Linux: open an SSH session, read resolv.conf and match when neither
    # Google public resolver is configured
    import aspl_sshcore
    aspl_sshcore.startSSH(rule)
    rule.SEND('cat /etc/resolv.conf')
    rule.waitForData()
    if '8.8.8.8' not in rule.buffer and '8.8.4.4' not in rule.buffer:
        rule.STOP(True)
    rule.STOP(False)
}

Pure Python – Rule Sample #2: File Versions

EXECUTE {
    import smb_file
    # Locate the VMware Tools install directory from the registry
    rule.RegistryGetValue('HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools\\InstallPath')
    if not rule.success:
        rule.STOP(False)
    # Read the file version of vmtoolsd.exe over SMB and store it as host data
    version = smb_file.GetFileVersion(rule, None, rule.buffer + '\\vmtoolsd.exe')
    env.target.putHostData('custom1', 'SMB', '.'.join(str(ver) for ver in version).strip('.'))
}

Pure Python – Rule Sample #3: Remote Rules

EXECUTE {
    rule.SEND('GET / HTTP/1.1\x0d\x0aHOST: localhost\x0d\x0a\x0d\x0a')
    rule.waitForData()
    # Match only a 401 response that offers HTTP Basic authentication
    if rule.buffer[0:4] == 'HTTP' and rule.buffer[9:12] == '401':
        header, body = rule.buffer.split('\x0d\x0a\x0d\x0a', 1)
        headerList = header.split('\x0d\x0a')
        for item in headerList:
            if item.lower().startswith('www-authenticate'):
                if 'Basic' in item:
                    rule.STOP(True)
    rule.STOP(False)
}
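An added offline harness for the logic in Rule Sample #3 (this is not code from the deck or from IP360): it feeds constructed HTTP responses to a minimal stand-in for the rule object, whose .buffer/.STOP() interface is assumed from the slides, so the parsing can be unit-tested before it goes into an EXECUTE block. It also hardens the check so that a realm string containing the word "Basic" does not produce a false positive.

```python
import re

# Constructed offline harness for the check in Pure Python Rule Sample #3.
# FakeRule stands in for the IP360 `rule` object; only .buffer and .STOP() are
# modelled, and that interface is assumed from the deck, not product docs.
CRLF = '\x0d\x0a'

class RuleStop(Exception):
    """Emulates rule.STOP(): ends the rule and records the match result."""
    def __init__(self, matched):
        super().__init__(matched)
        self.matched = matched

class FakeRule:
    def __init__(self, response):
        self.buffer = response   # what rule.waitForData() would have collected

    def STOP(self, matched):
        raise RuleStop(matched)

def basic_auth_check(rule):
    """Body of the sample rule, hardened: the status code comes from a parsed
    status line rather than fixed offsets, the header split cannot raise on a
    truncated response, and 'Basic' must be the scheme token, not a substring."""
    status = re.match(r'HTTP/1\.[01] (\d{3})', rule.buffer)
    if status and status.group(1) == '401':
        header, _sep, _body = rule.buffer.partition(CRLF + CRLF)
        for item in header.split(CRLF):
            name, _, value = item.partition(':')
            if name.strip().lower() == 'www-authenticate':
                scheme = value.strip().split(' ', 1)[0].lower()
                if scheme == 'basic':
                    rule.STOP(True)
    rule.STOP(False)

def run_rule(response):
    """Run the check on one constructed response and return the match result."""
    try:
        basic_auth_check(FakeRule(response))
    except RuleStop as stop:
        return stop.matched
    raise AssertionError('rule ended without calling STOP()')

# Constructed responses, not captured from any real host.
BASIC_401 = CRLF.join(['HTTP/1.1 401 Unauthorized',
                       'WWW-Authenticate: Basic realm="admin"', '', ''])
DIGEST_401 = CRLF.join(['HTTP/1.1 401 Unauthorized',
                        'WWW-Authenticate: Digest realm="BasicRealm", nonce="1"', '', ''])
OK_200 = CRLF.join(['HTTP/1.0 200 OK', 'Content-Type: text/html', '', '<html></html>'])
```

The DIGEST_401 case is the one the slide's `'Basic' in item` test would wrongly match; run_rule(DIGEST_401) returns False here.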

JULY IN REVIEW: A VERT Perspective

Tyler Reguly, Manager of Security Research & Development, August 5th, 2015

ASPL-627: Available Today!

• Contains coverage for:
  • CVE-2015-5477 on CentOS, RHEL, OEL, Suse, Debian, and Ubuntu
  • Oracle Express Coverage
  • Exchange Server 2013 CU9, Exchange Server 2010 SP3, Exchange Server 2007 SP3
  • Windows 10

Tripwire IoT Village: Visit us at SecTor

• Why Visit?
  • Get Hands-On with the Hardware
  • Demos on device hacking
  • Run entirely by members of Tripwire VERT
  • Short presentations on IoT Hacking
• Where?
  • SecTor in Toronto, CA
  • October 20-21

Register for the next webinar

Best Practices for Securing Web Applications

Wednesday, September 2, 2015, 11:00 a.m. to noon Pacific

Understand how to maximize use of WebApp360, Tripwire IP360’s non-invasive production web application security scanner, for dynamic detection of Web application vulnerabilities and exposures such as cross-site scripting and SQL injection. Attendees will walk away with a solid understanding of:

• The types of web application vulnerabilities covered by Tripwire IP360
• How to configure the WebApp360 Scan Module
• Reporting options available for web app vulnerabilities
• How WebApp360 assists with PCI DSS compliance efforts

Register: http://tripwire.me/1HkZYbU


Q&A

Questions? Submit them via the chat window

tripwire.com | @TripwireInc

THANK YOU