
So I was going to talk about my BFF today. Unfortunately my BFF wasn't able to be here. If anybody wants to come up, I'll talk about you for the next half hour, how about that? No? No. My BFF is a tool I wrote, and it's kind of sad, but over the last six months or so I've probably spent more time with this tool than I have with my actual BFF. But I guess that's just the information security industry, right?

So, like I was announced, I'm Kirk. I'm a husband, I'm a father, I have two great kids at home, a beautiful wife at home. I'm also a geek, of course, probably like everybody else in here. I'm a security consultant for Rapid7 doing penetration testing. I've created a few different open source tools; BackHack might be one of the more popular, if you will. It's an Android application file system analysis tool for non-rooted devices, so you can actually access the file system, and it's great for showing risk to customers, but it's also great for giving your wife unlimited lives in Candy Crush, which is actually the reason I wrote it. She stopped playing pretty quickly after that; she thought it got boring. I've been in IT for about 13 years, the last four in penetration testing specifically. I also blog on the community site for Rapid7, so you can check that out if you want.

So today we're going to talk about different authentication methods. I'll start off there; this is kind of the more basic stuff. You'll see the kittens and at least one dog in there. I didn't want to offend either side; I don't want to choose a side on the kitten versus puppy debate, although I am a dog person. Then we'll go into techniques for attacking authentication, specifically passwords. That's why we're here. We're going to talk about web application login forms. myBFF is a tool for attacking logins against web applications currently; it will be expanded to other protocols as well. We'll talk about the tools that are out there for web application testing and guessing, their strengths and weaknesses, and then I'll talk about myBFF. We'll get deep into that: how it works, the different modules, what you can do to add to it if you want. I'll do a quick demo of its functionality, and then we'll talk about mitigations for these kinds of attacks, since we really want to be able to protect against those.

So, different authentication techniques. First one up: biometric. It's something that you are: you have fingerprints, retinal scans, voice recognition, facial recognition. Biometrics, about 10 years ago, I was working for a company and we wanted to implement biometrics. It was just that the technology wasn't as good then.
It was also very cost prohibitive, but something changed in the last two years or so. Anybody know what that is? It's kind of bringing biometrics to the mainstream. That's right: iPhones, Android phones. If you have one from within the last two years, most likely it has a fingerprint reader. Mine doesn't; it's old. But biometrics is great. It makes it very easy to log in, and we're seeing more than just logging into your phone with biometrics now. A lot of bank apps and stuff are starting to implement biometrics, which is great. This cat is actually using biometrics to log into its computer right here. If you didn't know, cats have a unique forehead print; it's kind of like a zebra, and they can authenticate that way. That was totally made up, just kidding around.

The other thing we have is a PIN, personal identification number. It's usually four digits, could be longer. We use it to log into phones, we use it to log in when you want to get money from the ATM; you have to use your PIN. Don't do that here; I wouldn't trust any ATMs, not with all of you people around. But PIN numbers are great. Log into your phone with it. You could also use PINs as a second factor. If you think about it, your RSA tokens, your Google Authenticator, essentially that's a PIN. It's a unique ID that you have, and that's what I think PINs are best used for: as a second factor, not a primary. If it's four numbers, you only have about 10,000 possibilities, and it's pretty easy to brute force and figure out.

And lastly we have usernames and passwords, by far the most common. You use them for everything: your computer, your bank account, different web applications, different protocols. We use them everywhere. And so usernames are easy to get, right? How do we get usernames? We just ask the users. We could scrape LinkedIn for the data. I find more and more on tests that companies are putting their entire directory structure, all the employees, on their websites. I'm not sure why, but they think it's not a risk, and that's fine if that's what their decision was, but it makes my job very easy. And in the worst case scenario, when it's hard to find, we just use census data: we run some kind of timing attack against some kind of service and gain a bunch of usernames. Passwords become a little harder. Realistically, people are pretty predictable with their passwords, right? So those are usually pretty easy to
guess. We have a couple of different ways to figure out what those passwords are once we have usernames. First, brute force. Like this kitten: it used brute force to get through this wall, just kept pounding in one spot until it got through. Brute force is as many passwords as we can throw at an account until we get in. Simple. Password spraying, and here's the puppy. Password spraying is kind of the inverse of brute forcing, right? Instead of brute forcing passwords against the user, we're brute forcing users against the password. I'm going to try thousands of usernames against one password, and likely I'm going to get in, and that's going to do one major thing, which is prevent account lockout.

To understand account lockout, we'll look at online versus offline. Online is any service that's authenticating and checking with the database in real time. They usually have an account lockout policy, and so we want to use password spraying. We don't want to lock out accounts; that's going to cause denial of service, and we're not going to get in. We want to get in, right? So if it's an online service such as a web application, we're going to use password spraying on that. Whereas offline, there's no risk of account lockout, but we need something for offline guessing. Anybody know what that is? Hashes, right. So how do we get hashes? There are numerous ways, but once we get that hash we can use brute force, whether it's a dictionary attack or pure brute force, trying every single combination possible. There are some tools that we have to try those things. Like I said, we're going to focus on web applications, and so that's online, so we'll focus on password spraying for the most part.

Web application login forms are very straightforward and simple. They're all common; they all have three common components: you have your username, your password, and the submit button. That's essentially all there is. The username field and the password field can change names; they can be completely unique, whatever they want, but this is essentially what a web app login form looks like. This is one I created in probably 30 seconds. The submit button is going to take whatever is in the username and the password as a payload and submit it to the page it's going to, and that will do a check on the database and return a valid or invalid response.

So we have different tools to check on this. First up is Burp Suite. I highly recommend Burp Suite; if you don't have it, go get it. But it's very manual; that's the only problem with Burp Suite. I need to review the traffic, I need to figure out what the username field is, what the password field is, and then once I run Intruder, now I need to go back and look at what's an invalid versus a valid response. That's okay for one-offs, but if you're doing that test after test after test on different or the same web apps, it becomes a little bit of a pain. So there are scripts, written in different languages, but these scripts are specific to one kind of application, right? There may be a Citrix portal that you're trying to get into, and you can run a script and it'll tell you if it's valid or invalid. But if that Citrix portal changes, and there are multiple different versions, and every couple of years Citrix seems to
change all their code, well, now I need a new script, and that could be a pain. So I created myBFF. What is myBFF? It's a brute force framework. It's modular, so we can easily add new modules for different web applications or even different protocols. It's intelligent. What I mean by that is I don't want to have to pick out and choose what the username field is, what the password field is, what the valid response is. I don't want to have to put all that in. I just want it to figure out what kind of application it's pointing at on a URL, find out what application it is, call the right module, and just give me the information. And it goes beyond just brute forcing, and that's kind of the secret sauce on this; I'll get into that more in a little bit.

Currently I have about five modules; some of them are up there. For each module, first we're going to fingerprint. We're going to find out what kind of application this is. This could be done many different ways: it could be a URL, it could be a string within the body of the response from that page, it could be a cookie value, anything that sets that application or that protocol apart from others. We'll fingerprint off that and then we'll call a module. In the module, the first thing is the payload. Like I said, that username and password can be different: it could be username, it could be user_name, it could be j_username, it could be user.name, it could be user, it could be something totally different. So we create that payload, and then once we do that we're going to do a connect test, and this is where scripts at this point stop. We're going to tell you if it's valid or invalid, and that's great, but I want more. And so lastly we're going to do something cool with that.

To explain that: about six months ago, when I was starting to create this tool, I was on an external engagement for a customer, doing my testing, and enumerated about three or four thousand usernames off a flaw they had on one of their apps. Then I needed to do password guessing, right? So I ran through with my favorite password, season and year, right? So at the time it was Spring2016. How many use that password? Yeah, all right. Hopefully not, but it's a very, very, very common password that we see everywhere. So I have about 15 valid accounts at this point after using that, and they have a Citrix portal. I love Citrix, because I can escape it pretty easily, and once I escape the Citrix sandbox, now I have internal access and get to, you know, destroy the internal network. So I tried with the first account, and the response from the page was "there are no applications assigned to this user." So, all right, try another one. Try the second one: no valid applications assigned to this user. Third one, what do you think that was? No valid. Okay, fourth, fifth, sixth. I got to the seventh or eighth and I said, this is ridiculous, there's got to be a better way to do this. So I ended up scripting out the whole thing, ran through all 15, and every single one didn't have any applications. So at this point I'm like, this kind of sucks, but now I have a script. Run that script using my second favorite password, CompanyName1234, and ended up getting three or four with that, and one of them actually had applications. So: get in, escape the Citrix environment, get internal access, end up owning the entire domain. They had multiple domains, and took all that over. So it was very successful on my part, and that's what I mean by going beyond.

So each module is going to do something different, and that's going to depend on the module, on the web application or on the protocol. For Outlook Web Access, OWA, and Office 365, we're going to parse the email, we're going to look for sensitive information, we're going to print that out for you. We're also going to pull out all the contacts and save those off. For the Citrix, we list those apps out, so now I can tell if it's an Internet Explorer browser, a third-party application, or a full Windows desktop, and I can decide which one I want to attack. For Juniper, we do something cool before the authentication: often Juniper has multi-factor enabled, but we can usually bypass that depending on how it's set up. So we'll attempt that bypass, we'll see if it works, and if it does, then we'll do our brute forcing against that. And so each module is like that, something different.

So we'll go into a quick demo, just a little bit of that, and if it's a little small I can zoom in on it for you. But to start off,
we're going to just run python myBFF. We're going to pass it the host. Now, the host has to include the protocol that you're going to use, in this case https, and the IP or the hostname that you're going to attack. The capital U is for a user list, and so this list has a few users, and the lowercase p is for a single password, again one of my favorite passwords to try. This particular app actually failed. It's a Small Business Server, and if you don't know Small Business Servers, when you go to the initial web page it redirects you to a virtual host, which is Remote Web Workplace, where you can remote control all the systems inside. For this, I want to attack OWA, which is /owa. So we're going to rerun this. Clear this out, we'll rerun this using the vhost option. With the vhost option we're going to add in the OWA so we can specify that specific host. After we run this, we'll see that it finds that it's an Office 365 or OWA server, and then it tries password guessing. We'll find that user3 was successful with Spring2016. We then search for sensitive emails, looking for keywords such as "password." In there we find that there are some password help emails from the domain admin, and it's kind of sad that the domain admin actually has the same password, so good job there. And you'll notice at the bottom we take any contacts and we add them to a file under /tmp, named contacts- followed by the username, and that splits that out. So now we can use this information to do other attacks, such as phishing attacks, or just trying to email through that, or more password guesses and things like that.

Now the second module. Last year I found a zero-day in the HP SiteScope application. SiteScope is an application that allows you to monitor your systems, servers, and network from a web console, and so they had an exploit in that, and so this is the module for that. So we run myBFF again. This time the service is running on port 8080, so once we put in the URL we add the port, and it's not a separate option; it's all within that host. The module is going to call a Metasploit module that will then exploit and get us a shell through this DNS tool lookup, where we have command execution. In this case we're going to use a lowercase u; we're going to try one user and one password, admin and password. And we'll run this and we'll see it's successful. It's going to call that Metasploit module, it's going to run through, and once it loads up we'll get our Meterpreter shell, and we'll run getuid to see who it's running as, and we see it's NT AUTHORITY\SYSTEM, which is great. Now we have access to go beyond with that.

So myBFF is going to be available today right after this presentation. It'll be located on the MooseDojo GitHub page, so go check that out. I'll be adding more modules as I go. Currently I have plans for WordPress, Cisco VPNs, and a couple of other web apps, as well as FTP, Telnet, SSH, and other protocols as well. So a lot of cool things coming, and each one of them is going to do something different, right? That's the whole point of this. I don't want just to know if the username and password are correct; I want to be able to have it do something with it, and who knows what else. And so if you
have ideas, let me know; I'd love to talk to you about that.

And so we have password attacks. How do we protect against that, right? What good is knowing that you can get attacked on your passwords if you can't do anything about it? First thing is we want to detect. Detection is key. Organizations that can't detect these kinds of attacks, or attacks against them, are going to fail. And so you can put in place brute force detection, whether that's password spraying or brute forcing against accounts. Within a Windows domain it's easy; it's all built in. You can just enable those kinds of thresholds in that monitoring, so it's all right there. Second is multi-factor authentication. As long as you're implementing it correctly and there's not a bypass like the Juniper often has, this drastically reduces my ability to attack your system. I need that second factor now, so now I need to social engineer an employee, or I need some other way to gain access to that second factor. And then lastly, strong passphrases are key. If your password is long and complex, I'm not going to be able to guess it easily, and I'm not wanting to brute force and lock out your account, so it's going to make things much harder for me.

So that's everything. This is my contact information, both my personal GitHub as well as MooseDojo, where myBFF is. If there are questions, I'd love to take them; if not, we can talk later. Love to meet you guys.
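The mitigation section above says detection is key, and the earlier discussion of account lockout explains why: a spray tries one password against many users precisely so that no single account crosses the lockout threshold. The following is an added example, not code from the talk or from the myBFF project. It parses a constructed authentication log (the line format, the IP addresses, the usernames and every sample line are made up for this example; the function names and thresholds are my own choices) and shows the two signatures side by side: a per-account failure count, which is what a lockout policy sees, catches the single-account brute force but not the spray, while counting distinct usernames failing from one source inside a sliding time window catches the spray and points at the account it got into.

```python
"""Password-spray versus brute-force detection over an authentication log.

Added example, not part of the talk or of myBFF. The log format and every
sample line are constructed for illustration; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, outcome.
# 203.0.113.7 sprays one password across six accounts (one failure each).
# 198.51.100.9 hammers a single account. 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2016-08-02T10:00:01 203.0.113.7 alice FAIL
2016-08-02T10:00:03 203.0.113.7 bob FAIL
2016-08-02T10:00:05 203.0.113.7 carol FAIL
2016-08-02T10:00:07 203.0.113.7 dave FAIL
2016-08-02T10:00:09 203.0.113.7 erin FAIL
2016-08-02T10:00:11 203.0.113.7 frank SUCCESS
2016-08-02T10:01:00 198.51.100.9 grace FAIL
2016-08-02T10:01:02 198.51.100.9 grace FAIL
2016-08-02T10:01:04 198.51.100.9 grace FAIL
2016-08-02T10:01:06 198.51.100.9 grace FAIL
2016-08-02T10:01:08 198.51.100.9 grace FAIL
2016-08-02T10:01:10 198.51.100.9 grace FAIL
2016-08-02T10:02:00 192.0.2.5 heidi FAIL
2016-08-02T10:02:30 192.0.2.5 heidi SUCCESS
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, source_ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    events.sort()
    return events


def accounts_locked(events, lockout_threshold=5):
    """Accounts a per-account lockout policy would lock (failures >= threshold).

    This is the only view a lockout policy has; a spray stays below it.
    """
    failures = defaultdict(int)
    for _, _, user, outcome in events:
        if outcome == "FAIL":
            failures[user] += 1
    return {u for u, n in failures.items() if n >= lockout_threshold}


def _windows(events, window):
    """For each source IP, yield the events inside `window` ending at each event."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            yield ip, evs[start:end + 1]


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Sources that failed against >= min_users distinct accounts in one window.

    Returns {source_ip: peak number of distinct failed usernames}.
    """
    flagged = {}
    for ip, win in _windows(events, window):
        users = {u for _, u, outcome in win if outcome == "FAIL"}
        if len(users) >= min_users:
            flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), max_failures=5):
    """(source_ip, user) pairs with >= max_failures failures in one window."""
    flagged = {}
    for ip, win in _windows(events, window):
        per_user = defaultdict(int)
        for _, u, outcome in win:
            if outcome == "FAIL":
                per_user[u] += 1
        for u, n in per_user.items():
            if n >= max_failures:
                flagged[(ip, u)] = max(n, flagged.get((ip, u), 0))
    return flagged


def spray_successes(events, sprayers):
    """Accounts that a flagged spraying source logged into: reset these first."""
    return sorted({u for _, ip, u, outcome in events
                   if ip in sprayers and outcome == "SUCCESS"})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("lockout policy would lock:", accounts_locked(ev))
    print("spraying sources:", detect_spraying(ev))
    print("brute-forced accounts:", detect_brute_force(ev))
    print("accounts the spray got into:", spray_successes(ev, detect_spraying(ev)))
```

Run on the constructed log, the lockout view locks only grace, the brute-forced account, and never sees the spray from 203.0.113.7, which touched each account once and still got into frank. The per-source distinct-user count flags that source, and the success from a flagged source is the account to reset and investigate. In a Windows domain the same two views map onto the per-account lockout counter on one side and a correlation of failed logons grouped by source workstation or IP on the other; the window and thresholds here are illustrative and should be tuned to the environment.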
How many Metasploit modules do you have integrated with this? Is it just the one, or...?

Yep, so for Metasploit modules it's just the one, the HP SiteScope one that I've written. It'd be easy to add as modules go, but yeah, that's the only one we have currently.

Do you have an optional switch to specify an rc file?

I don't currently. It writes out the rc file and then calls that rc file to run everything. Those are things that might be worth looking into and adding, though.

Okay, so we're going to move on to the next speaker, so I have to cut it off there. I just want to remind people also about one of the main rules of PasswordsCon: we are doing this for good. So any tools and any techniques being released and mentioned here at the conference, use them for good. If you use them for evil, I will tell you two things: number one, I do not believe in violence; number two, I really know a cool party trick, and that is I can delete your Social Security number. Okay, so thank you, Kirk. Really interesting, and the tool is available online.