gone in 60 minutes – practical approach to hacking an enterprise with yasuo

Gone in 60 minutes

A Practical Approach to Hacking an Enterprise with

YASUO

Saurabh Harit {@0xsauby}Stephen Hall {@_stephen_h}

root@msf:~$>getuid

Saurabh Harit (@0xsauby)Director of Security Research @Security Compass

Pentester i.e. Domain Admin at many companies

Have a secret crush on reverse engineering

Gym freak / Proud father of two beautiful dogs

Stephen Hall (@_stephen_h)Security Consultant @Security Compass

…

…

Owner of a Christmas hat

What this talk is not about

No 0-days

No Shells

ScenarioYou’re on a red-team engagement

You’ve bypassed physical security

You’ve bypassed NAC

What next? How would you pwn the network?

Vulnerability scanner?

The ProblemCan’t use network vulnerability scanner

Have to be Stealth & Quick

Can’t use Google dorks (internal network)site, link, inurl

Where do $hells come from?

It’s not about what, it’s about

WHERE

Popular Vulnerable Apps

Apache Tomcat


JBoss jmx-console


Hudson Jenkins

$hells

Not So Popular Vulnerable Apps

ADManager Plus

Not So Popular Vulnerable Apps

Cyberoam UTM

YASUO what???

Written in ruby

Did not write it on our flight here

Scans the network for vulnerable applications

Currently supports around 100+ vulnerable applications

All currently supported apps are Metasploit-able

Why YasuoBecause there are tons of vulnerable applications and its not easy to find them

World Without Automation Run nmap scan & manually poke each & every web port

This CANNOT be fun

What’s currently out there

Nikto by Chris Sullohttps://www.cirt.net/Nikto2

Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls

http://nmap.org/nsedoc/scripts/http-enum.html

Nmap script – http-default-accounts.nse by Paulino Calderon

https://www.nmap.org/nmap-exp/calderon/scripts/http-default-accounts.nse

Exploring Yasuo

What’s in the Box

yasuo.rb

resp200.rb

default-path.csv

users.txt

pass.txt

GPL

What’s in the Box

Behind the ScenesDetects false-positives

Automatically extracts login form

Automatically extracts login parameters

What’s New

RaNdOmIzAtIoN!!!

More robust check to detect false positives

Properly formatted output table

More application signatures

Signatures for IP Cameras / Encoder / Decoders

Modular & Cleaned-up Code – if there is any such thing

Demo Time

ChallengesExploit-db – great resource but inconsistent format

ChallengesDynamic detection of login page and parameters is regex based.

Future Development

Smarter version detection

Support masscan output format (because y’all love to scan the Interwebs)

Add support for more vulnerable applications, Ofcourse

Add secondary signature

Make current crappy code modular

Add multi-threading

Add support for vFeed???

Change format of default path file – CSV to YAML? or JSON?

CFH (cry for help)

Signatures Signatures Signatures & Signatures

Please submit application signatures:Post a comment on Github

Update default path file on Github

Drop us an Email

Send a Pigeon.

Questions??? or not

Thank You!

_stephen_h [email protected]

✖

0xsauby [email protected]

https://github.com/0xsauby/yasuo

Credit

Nmap ruby library - https://github.com/sophsec/ruby-nmap

The Exploit Database (EDB) - http://www.exploit-db.com/

@funkaoshi

Google Image Cache

https://github.com/sophsec/ruby-nmap

https://github.com/sophsec/ruby-nmap

http://www.exploit-db.com/

http://www.exploit-db.com/

gone in 60 minutes – practical approach to hacking an enterprise with yasuo

Presentations & Public Speaking

vulnerable applicationsall

whats new

security compasspentester

security compassowner

inconsistent format

githubupdate default

automationrun nmap scan

theinterwebsadd support