Perl Usage In Security and Penetration testing

Croatian Perl Workshop 2008 USAGE OF PERL IN PENETRATION TESTINGS Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

Perl usage in security Usage of Perl in security every day log parsing, system hardening, system monitoring, ... in forensics log/evidence parsing/analyzing in penetration tests network layer testing application layer testing web application testing buffer overflow helpers fuzzing implementing Proof of Concepts (PoC)

Perl in Security World Monitoring mon, nagios, ... nodewatch, syswatch, ... Sherpa system security configuration tool File Integrity checkers (think: tripwire) ViperDB, Fcheck, Triplight, ... Honeypots rsucker, honeydsum, mydoom.pl, ... ...

Perl in Penetration World Nikto web vulnerability scanner Metasploit <=2.7 exploit framework Metasploit >= 3.0 in Ruby Fuzzled - fuzzying framework snoopy simple SNMP security scanner NSS, dnswalk, snark (MiTM), ... ...

Simple TCP portscanner perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print "$i "; close ($s); } } print "\n";' Yes, I do Perl golfing.... You can too - try to shorten this if you dare :) whitespace optimization excluded

Simple TCP portscanner perl -MIO::Socket -e 'for($i=1;$i<65536;$i++) { if (my $s=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$i,Proto =>'tcp')) { print "$i "; close ($s); } } print "\n";' localhost Example of running port scanner oneliner:

Generating custom packets #!/usr/bin/perl use Net::RawIP; $raw_net = new Net::RawIP({icmp =>{}}); $raw_net -> set( { ip => { saddr => '192.168.1.1', daddr => '192.168.1.15' }, icmp => { type => 8, data => "41414141414141414141414141414141" } } ); $raw_net -> send(1,1000); Example of generating spoofed ICMP packet

Generating custom protocol testers You can layer up what you have... CPAN modules for almost every protocol It has even for really rare and the old ones Perl is old language, you know... :) Even for SSL based ones ...and then write the part which is custom

Easy MiTM ssl_proxy.pl MiTM Proof of concept not working well Wrote MiTM for socket HTTP HTTPS I'll put it somewhere on the web eventually, mail me if you need it quicker! :)

Buffer overflow helpers not common vulnerability in Perl from theory to practice from discovery to exploitation some of the methods (not only for buffer overflows...) analyzing source analyzing machine code fuzzying reverse engineering patches ...

Generating vulnerable inputs mostly oneliners to check length of buffer of vulnerable program on command line ./vuln –vulnbuf `perl -e 'print ”A”x1000'` enviroment export VULNENV=`perl -e 'print ”A”x1000'` ./vuln network protocol perl -e 'print "GET /"."A"x1000; print " HTTP/1.0\r\n\r\n"' | nc www.vuln.host 80

Writing exploits with Perl Metasploit helper (<= 2.7) Helps you in finding length of vulnerable buffer Generate buffer with Perl helper script perl -I lib -e 'use Pex; print Pex::Text::PatternCreate(1090)' Run debugger (gdb, ollydbg, ...), note EIP run another Perl helper script with EIP sdk/patternOffset.pl 0x68423768 1090 Too easy It's not just fun any more...

Fuzzying Custom fuzzying CPAN modules for almost every protocol You have to use lower protocol in order to fuzz the protocol itself Using existing helpers Fuzlled have some protocol drivers inside have some good logic for fuzzing I recommend Permutations, manglings, ...

Web vulnerabilities Nikto libwhisker libwww WWW::Mechanize Sockets IO::Socket IO::Socket::SSL

Example usage of Mechanize perl -MWWW::Mechanize -e '$_ = shift; ($y, $i) = m#(http://www\.youtube\.com)/watch\?v=(.+)#; $m = WWW::Mechanize->new; ($t = $m->get("$y/v/$i")->request->uri) =~ s/.*&t=(.+)/$1/; $m->get("$y/get_video?video_id=$i&t=$t", ":content_file" => "$i.flv")' author: Peteris Krumins Youtube video ripper - oneliner

Web services vulnerabilities XML XML::Simple LibXML SOAP SOAP::Lite XML RPC RPC::XML Custom protocol no problem :)

Example of custom fuzzying 2 PERL script doing MiTM Fuzzying each request and response to client/server

Conclusion You don't want to write vulnerable security programs to test other vulnerabilities You have Encase case ;) or fakebo :)) It's hard to write vulnerable program in Perl at least buffer overflow vulnerable there's still input validation (taint?) You don't want to spend months writing proof of concept (PoC) don't use low level :) except if you're learning... or ..whatever :) use high level language like Perl

References http://www.sans.org http://securityfocus.com http://net-security.org http://packetstormsecurity.nl/ http://www.softpanorama.org/Security/perl_sec_scripts.shtml http://metasploit.org http://www.cirt.net/nikto2 http://www.ioactive.com/tools.html http://www.l0t3k.org/security/tools/honeypot/ http://www.catonmat.net/blog/ ...

Croatian Perl Workshop 2008 ? QUESTIONS (and maybe answers) Vlatko Košturjak, CISSP, CEH, MBCI, LPI, ... IBM / HULK / Zagreb.pm kost monkey linux dot hr

Perl Usage In Security and Penetration testing

More Related Content

What's hot (20)

Similar to Perl Usage In Security and Penetration testing (20)

More from Vlatko Kosturjak (6)

Recently uploaded (20)

Perl Usage In Security and Penetration testing