Ruby for Pentesters: The Workshop - Black Hat Briefings
Transcript
Ruby for Pentesters: The Workshop
Timur Duehr, Cory Scott, Mike Tracy
ruby for pentesters
agenda
1415: Introductions
1420: The 20 minute tour of Ruby
1440: Blackbag
1445: Webby Blackbag
1500: Protocol Blackbag
1515: Break
1530: Fuzzing and Redis
1550: Ragweed: Part 1
1610: Ragweed: Part 2
1630: Coffee Service
1700: Making Burp better with Buby
1715: JRuby
1725: FFI
Setup
Ruby in 20 Minutes
Stuff we like
Gems and packages
Nokogiri, eventmachine, rbkb, ragweed, Nerve, Buby, lots of others
Stuff we use
Metasploit, ronin, watir
whatweb, Arachni
Lab: The basics
Ruby basics
Ruby Blackbag (rbkb)
Do less typing
plugboards, encoders / decoders, utilities
Command line tools
Object mixins
The same stuff but for scripts and IRB
Lab: rbkb
IRB + rbkb
Scripted Webby Stuff
What do we need to script a webapp?
Transport
Parsing
Encoding / Decoding
Lab: Simple SQLi scanner
Curb, Nokogiri, rbkb
Protocol Reversing w/ Blackbag
General protocol approach
Establish the flow
Observe it
Understand it
Manipulate it
demo: when all you have is pcap...
FeedImport
demo: the blackbag flow
binary / protocol analysis
rbkb - Matasano's ruby black bag
Protocol Analysis: MITM: Blit, Telson, PlugSrv
Structure Creation with BinData
Extracting payloads with FeedImport
Real Client - PlugSrv - Real Server
Telson, Blit
Download all of the content at: http://bit.ly/baythreat
exercise: tcp protocol lab
Get in the middle
Observe and replay
Manipulate
Exploit
exercise: build protocol structures
BinData
demo: eventmachine and UDP
event loops
manipulate dns
demo: TLS tricks
TLS MITM & self-signed certs
SSL version scanning
Fuzzing
the what
smart: Protocol Aware, User Aware, Session Aware, Error State Aware
dumb: Bit Flipping, Boundary Trampling, Switch-a-roo, Random random everywhere
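As an added example (plain Ruby, not the workshop's DFuzz or rbkb code), the four dumb strategies on this slide as mutators that take a binary String plus a seeded Random, so a case that crashes the target can be regenerated from its seed; the `fields` layout of [offset, length] pairs is an assumption standing in for a BinData struct.

```ruby
module DumbMutators
  # Values that sit on sign, width and length boundaries.
  BOUNDARIES = [0x00, 0x01, 0x7f, 0x80, 0xff].freeze

  # Bit flipping: invert `flips` randomly chosen bits.
  def self.bit_flip(data, rng, flips: 1)
    out = data.b
    flips.times do
      i = rng.rand(out.bytesize)
      out.setbyte(i, out.getbyte(i) ^ (1 << rng.rand(8)))
    end
    out
  end

  # Boundary trampling: stamp a boundary value over one byte.
  def self.boundary(data, rng)
    out = data.b
    out.setbyte(rng.rand(out.bytesize), BOUNDARIES[rng.rand(BOUNDARIES.size)])
    out
  end

  # Switch-a-roo: swap fields a and b, where `fields` is a list of
  # [offset, length] pairs that tile the message in order (a struct layout).
  def self.switch_a_roo(data, fields, a, b)
    slices = fields.map { |off, len| data.b.byteslice(off, len) }
    slices[a], slices[b] = slices[b], slices[a]
    slices.join.b
  end

  # Random random everywhere: overwrite a short run with random bytes,
  # clipped to the end of the message so the length never changes.
  def self.random_run(data, rng, max_len: 4)
    out = data.b
    start = rng.rand(out.bytesize)
    len = [rng.rand(1..max_len), out.bytesize - start].min
    out[start, len] = rng.bytes(len)
    out
  end

  # Generator pattern: an endless, reproducible stream of mutated cases.
  def self.generate(seed_case, fields, seed: 0)
    rng = Random.new(seed)
    Enumerator.new do |y|
      loop do
        y << case rng.rand(4)
             when 0 then bit_flip(seed_case, rng, flips: 1 + rng.rand(3))
             when 1 then boundary(seed_case, rng)
             when 2 then random_run(seed_case, rng)
             else switch_a_roo(seed_case, fields, rng.rand(fields.size), rng.rand(fields.size))
             end
      end
    end
  end
end
```

`DumbMutators.generate(msg, layout, seed: 7).first(1000)` hands a fuzzing loop a thousand cases that any teammate can reproduce from the seed alone.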
the why
memory corruption
unexpected behavior
access control test
crypto analysis
parsers
demo: generator patterns
DFuzz + BinData
demo: the harder stuff
instrumentation
process control
binning
intro to redis
redis-server
redis object
redis data types
strings, lists, sets
key:value
push & pop, add & delete
set & get
lab: fuzzing with redis
grab your structs
mutate & send
store in redis
query
Ragweed: Instrumentation & Getting Started
Fuzzing
runtime changes
Why a scriptable debugger?
Hit tracing
less clicking
What do we script?
Events
sigtrap, sigterm, event_fork
Actions
get registers
set breakpoints
manipulate memory
How?
IDA, objdump, runtime calls
memory locations
inspection/manipulation: get_registers, set_registers, shared_libraries, read, write
The target
in_circle, out_circle
Demo: arguments and registers
reading memory
getting registers
Exercise: function arguments
SSL_write
SSL_read
read SSL requests that our client is making
Walkthrough: function arguments
int SSL_read(SSL *ssl, void *buf, int num);
int SSL_write(SSL *ssl, const void *buf, int num);
Ragweed: Hit Tracing and In-Memory Fuzzing
What do we mean by that?
Tracking function calls and logic flow
Modifying memory locations as the program runs
Automate this!
accounting, breakpoints, Hash
CSV, IPC, Redis, CSV
Nerve, metaprogramming
Exercise: Break stuff!
in memory fuzzing
read arguments
write new arguments
hit tracing
output function hit, track order and count
Ragweed: the intermission
Recap
in memory fuzzing
hit tracing
Burp + JRuby = Buby
buby is your friend
Extend with modules
Inline extraction
Inline manipulation
Access Burp data
Extend it: Proxy History, Repeater, Intruder, Scan Results
Lab: CookieMonster
Grab and decode all cookies
evt_http_message
IHttpRequestResponse
#response_headers
Fires when an HTTP message is received
Extender object
Buby convenience method
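Added example (plain Ruby, not the workshop's Buby extension): the cookie-harvesting logic that an evt_http_message handler would call with the IHttpRequestResponse#response_headers array. The sample headers and cookie values are constructed, and the URL-then-base64 peeling is an assumption about what the lab decodes.

```ruby
require "uri"

module CookieMonster
  # Constructed sample response headers, standing in for what Burp hands the
  # extension via IHttpRequestResponse#response_headers.
  SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=eyJ1c2VyIjoiYWxpY2UiLCJyb2xlIjoiYWRtaW4ifQ==; Path=/; HttpOnly",
    "Set-Cookie: prefs=theme%3Ddark%26lang%3Den; Path=/",
    "Set-Cookie: sid=3f2a9c1e; Secure",
    "Content-Type: text/html",
  ].freeze

  # Every Set-Cookie header as { name => value }; attributes are dropped.
  def self.parse_set_cookies(headers)
    headers.each_with_object({}) do |line, jar|
      m = line.match(/\ASet-Cookie:\s*/i) or next
      name, value = m.post_match.split(";", 2).first.to_s.split("=", 2)
      jar[name.strip] = value.to_s.strip unless name.to_s.strip.empty?
    end
  end

  # Base64 (standard or URL-safe) only counts if the result is printable text;
  # otherwise an opaque hex session id would be "decoded" into garbage.
  def self.try_base64(s)
    return nil unless s.match?(%r{\A[A-Za-z0-9+/_-]+={0,2}\z}) && s.length % 4 != 1
    padded = s.tr("-_", "+/")
    padded += "=" * ((4 - padded.length % 4) % 4)
    decoded = padded.unpack1("m0").force_encoding("UTF-8") # strict decode
    decoded if decoded.valid_encoding? && decoded.match?(/\A[[:print:]\s]*\z/)
  rescue ArgumentError
    nil
  end

  # Peel URL encoding, then base64, recording which layers were present.
  def self.decode(value)
    steps = []
    current = value
    if current.include?("%")
      current = URI.decode_www_form_component(current)
      steps << :url
    end
    if (plain = try_base64(current))
      current = plain
      steps << :base64
    end
    { raw: value, decoded: current, steps: steps }
  end

  # One call per observed response: { cookie name => decode result }.
  def self.harvest(headers)
    parse_set_cookies(headers).transform_values { |v| decode(v) }
  end
end
```

On the constructed headers the session cookie turns out to be base64 JSON carrying a role claim, which is the kind of finding the lab is looking for.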
Lab: CookieMunger
Modify cookie values inline
evt_http_message
IHttpRequestResponse
#get_request
#request=
Automatically:
Grab the request
Modify the cookie
Forward the request
JRuby tricks
demo: extending our buby example
load jar
import objects
make pretty graphs
FFI: interfacing with C
No gem, no problem
rubypython libusb ffi-libc ragweed ffi-pcap OpenCV-FFI
the actual list is unimportant
This is your C struct
This is your C struct on Ruby
Calling C functions
setup
call
definition
Exercise: execv
definition
a pointer
OK 1-2-3 GO!
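Added example, not the workshop's code: the three steps of this exercise (the definition, the argv pointer array, the call) done with Ruby's standard-library Fiddle in place of the ffi gem the slides use, so it runs without installing anything. Running `/bin/sh -c "exit 7"` in a forked child is a constructed target chosen so the exit status proves argv was passed intact.

```ruby
require "fiddle"

module ExecvDemo
  # The definition: int execv(const char *path, char *const argv[]);
  # dlopen(nil) is the running process itself, which already has libc loaded.
  EXECV = Fiddle::Function.new(Fiddle.dlopen(nil)["execv"],
                               [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP],
                               Fiddle::TYPE_INT)

  # Copy a Ruby string into a NUL-terminated C buffer.
  def self.cstring(str)
    buf = Fiddle::Pointer.malloc(str.bytesize + 1)
    buf[0, str.bytesize + 1] = str + "\0"
    buf
  end

  # The pointer: a NULL-terminated array of char* for argv. The backing
  # strings are returned too, so the GC cannot free them while argv points
  # at them.
  def self.argv_pointer(args)
    strings = args.map { |a| cstring(a) }
    table = Fiddle::Pointer.malloc(Fiddle::SIZEOF_VOIDP * (args.size + 1))
    table[0, table.size] = (strings.map(&:to_i) + [0]).pack("J*")
    [table, strings]
  end

  # GO: execv replaces the calling process, so call it in a fork and report
  # the child's exit status; 127 means the exec itself failed.
  def self.run(path, args)
    pid = Process.fork do
      table, _keep = argv_pointer(args)
      EXECV.call(cstring(path), table)
      exit!(127)
    end
    _, status = Process.wait2(pid)
    status.exitstatus
  end
end
```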
Walkthrough: execv spoiler
Follow along with me