
So my talk title is based on the lyrics of a song by Lisa Hannigan. She's a local Irish musician, and it's a song about not taking time to appreciate the here and now as we all race ahead towards our goals and advancing our lives. My girlfriend introduced me to her music and it just melts my heart, so I thought the lyric was quite cool. I'm a Dublin local, I've lived here my whole life, a northsider, and there we go. I enjoy a single pint of Guinness on a Friday night like a responsible adult should, or at least I used to, and I also enjoy Gaelic football and Dublin winning Sam Maguire every year. We're a real pack of winners here in Dublin, so luckily all you culchies are muted right now and I can't hear you telling me to shut up.

I recently started a company named Slandall Research Limited after working as a sole trader for a few years, and through subcontracting I've seen how lots of different consultancies do their thing. I've also had to review a lot of different reports by a lot of different companies over the years, and I genuinely believe I can deliver something unique. I try to sculpt my tests in a collaborative way, getting access to source code, digging deep and spending more time than would probably be normal, so my prices are cheaper. Over the years I've been exposed to a lot of different roles: I've advised in vulnerability management, I've worked incident response with APTs on the network, I regularly do internal and external penetration tests, and I've luckily been exposed to a lot of different industries and seen how a lot of different businesses of all sizes operate. To me consulting is really rewarding, as you're constantly learning and there's always new things to be on top of, so I hope with setting up a company to eventually give other people the same opportunities I've had and hopefully create a few jobs.

I had a pretty good run in the bug bounty space, with my skills improving year on year. This little graph is just from Bugcrowd, and you can see that criticalities were higher as time progressed. I packed it in a bit in 2019 because the workload with my clients got to be too much, so I enjoy my free time. I find the bug bounty community is a phenomenal place to learn, it's unlike anything I've experienced, and I do hope to dip back into it at some point. My favorite work at the moment is
working with startups. I like that you can see over time how a startup starts small with a small team, and if you get them aware of security from the beginning, over time that cascades as the organization grows.

So, the security game. This is going to be me reading a spiel. We find ourselves in a precarious game: the digital landscape and environment changes daily, expectations and rules don't always apply, and when you play the security game for long enough you lose the ability to be surprised. Security is a state of being free from danger or threat, which on the internet, or in greater society in general, is never assured. Online we live on the front lines, where worlds and modern culture collide relentlessly and all at once. Crime and all the negative caveats of society manifest in bulk here: it's more anonymous and secure for criminal groups to operate online. Not only are they distanced from their victims, they benefit from the same automation and convenience e-commerce does, so even criminals have to minimize their own operational risks. All of you in security are the defenders and attackers, builders and breakers, the advancers and enablers of business in this space, the creators of progress in general, and potentially the arbitrators of a future that harmoniously merges technology with society. So on behalf of the planet we're hacking right now, I want to say thank you for all the work you do. Not too much for a Saturday morning, maybe.

The problems I see everywhere are the following. Web services are a fun and large attack surface, and by nature they're publicly exposed. Vulnerability management and maintaining networks is a difficult task; stuff always and eventually gets lost in space and falls through the cracks. There's a need to move towards a kind of continuous validation of security controls, and asset management and perimeter monitoring are a growing area and they're so essential. To participate in this cyberspace you need the right tools and resources.
You need visibility of your network, you need visibility of the playing field. In this day and age there's a lot of free or paid network info tools out there you can use. You need to spend the time evaluating your attack surface and what's out there, and we've reached the point of needing reconnaissance tools, so find the latest and greatest tools to achieve this task. One of these tools is Project Sonar. It's my favourite resource: it has historical DNS data and network scans and goes back to, I think, 2012 or 2013. I use Rust scripts to parse this data out into the formats I need, and it makes searching it quite easy. There's a few other tools listed there that can do the same thing, but having historical data to me is incredibly useful, and it gives you a unique insight into how a company has developed: where their assets used to be, what domains they used to use. You can find a lot of hidden things if you're looking through that historical data.

With network discovery a lot of time is spent enriching the data you already have, and over the years I've created a lot of tools to leverage other tools, just hacking stuff together. There's a lot of benefits, I feel, to getting familiar with the network discovery process, and by building your own unique workflows and uniting sources in unique ways you can identify new, unexplored attack surfaces. Hacking to me has always meant leveraging the tools or resources at your disposal to achieve a greater objective. You can use data in unexpected ways, or build on top of the tools or things that have come before; essentially you throw a solution together to get the job done for the task at hand. In discovery, anything you do differently could be an advantage and lead to you finding easy wins
and unexpected results.

So you've gathered all the data, IPs, domains and ports, for your target and you've mapped out the attack surface. What do you do next? The way I approached this was I created my own tool. It was developed over a number of years to help me achieve my objectives. It's developed in Python and runs on most platforms. I've enjoyed the process of optimizing it, and it's pretty fast for a Python tool in this space. There's a lot of other good tools out there written in Go and, I suppose, naturally faster languages, but I like this because I've been maintaining it over time and I've managed to keep the features I want in a single tool. There's a million different scripts and web testing tools out there, but I tried to build something flexible, generic and quite automated. It allows me to create modules so I can run a lot of different kinds of web attacks, and I use it for ad hoc tasks too. In defence, a new vulnerability comes out, I can create a proof of concept and scan the whole network in a matter of minutes, and over time you build up modules and it's nice to have them all in one place instead of grabbing ten different GitHub projects to do ten different things; I can do them all with one tool. I feel the next step for this tool is to open source it, and I'm releasing it today under an AGPL license.

I suppose the big question people might have is: does it actually work, or do anything different than what's out there already? Last August I turned my sights on 5i infrastructure, sorry, I meant FireEye, there's only one letter in the difference so it's an easy mistake to make. I turned Scanomaly on all the network info I'd gathered,
FireEye's public face and network resources. As Scanomaly can store the full response data, and it's in an SQLite database, it's very easy to search for things. I essentially ran this across all the open ports, all the domains I found, all the IPs I found, historical and current, and one example here is I found the Splunk application exposed to the internet. For anyone familiar with Splunk, they know it runs as root and it's possible to install your own app plugins, so I popped a root web shell, as you do, and submitted my report to Bugcrowd. Even though the host impacted was only a lab, and probably insignificant in the grand scheme of things for FireEye, it's still a foothold that could have been leveraged within that affected network. With root you could have recovered user password hashes or done anything you want to the operating system, and the plugins already installed on this tool also had multiple API keys for different things like VirusTotal. It's a bad exposure, and they rewarded me the maximum bounty anyway, which isn't bad for an evening's work, considering I only ran one scan with Scanomaly. So it should be clear that even the giants in the security world can let stuff fall through the cracks.
This wasn't meant to be public facing, but it could have been exposed accidentally or temporarily. Oops.

A few weeks later I ran some more content discovery scans using the same tool and looked for common directories on all the web applications I'd identified. In this case I found an interesting one where it was just the root domain and /welcome. I started probing this endpoint and identified a kind of weird insecure direct object reference attack. I don't know if people are familiar with this, but it's where a developer uses a guessable, enumerable or brute-forceable value to reference a data object. This data could be loaded from the database, for example, but the data is returned without validating whether the current user actually has permission to view it. I was able to discover email accounts of FireEye customers that hadn't completed the sign-up process. As you can see in the picture on the left (I don't know if the laser pointer works; it does, there we go), this is a form to create an account, and once I created the account I was able to bypass their Okta, which is their single sign-on, and it granted me access to their customer portal. If I was a filthy hacker, from here I could have downloaded FireEye's products and firmware patches, reverse engineered them and potentially found some zero days in them. Instead I did the right thing and reported the issue, and they rewarded me two thousand dollars for this finding. Maybe I upset them and they didn't give me the full amount.

There's a lot of different modules I've built over the past while to do a lot of different things. There's a lot of other tools out there to do these things, but my generic solution allows me to take any kind of
web-based tool and incorporate it into this framework. I can do directory brute forcing, generic fuzzing of parameters, vhost brute forcing, etc. Because of the way I've built it, it's configurable: you can configure what you want to run on specific results. If you get a 403 directory you could run a module that tries to bypass the 403 or otherwise expose additional things; if you find a directory it'll recursively go through the directories and brute force for new things; and if it identifies an HTTP auth endpoint it'll automatically run a default username and password brute force attack.

I was going to prepare videos to avoid messing up in a live presentation, but I had a few examples in mind. I was going to write an example and show how easy it is to manipulate web requests and then scan for them across a wide attack surface, but I'm going to do it live instead. Hopefully everything breaks.
So I'm trying to exit out of my... there we go, sorry folks.

Hopefully you can see my screen now. I prepared a little demo to show the tool running. What you can see here in the center is the config and how it works: I can choose which statuses to ignore and which modules to run on which statuses. I created this directory just to give a quick idea of how the tool works. I'm going to run a directory brute force, and I think that's everything I need. I'll leave that running in the background, and when you see the results it will make more sense. OK, that didn't work, two seconds, I knew I forgot a flag. There we go.

I had a past tool called Paramet where I brute force to try to identify GET and POST parameters on an endpoint, and I just want to show how much quicker Scanomaly makes proof of concept and fuzzing ideas. I take the same tool I had written
before, it's just a script, a few hundred lines of Python, so now you can see it there. Basically I want to show how generic Scanomaly is and how easy it is to write plugins and modules for it.

Hey Kieran, Paul here. Is there any chance you can increase the font on your terminal to let the folks see a little bit better? Just getting some comments.

Yeah, sure. Oh, I forget where it is, I'm not too familiar with Windows terminals, if anyone wants to assist.

Don't worry about it, it's only if it's an easy ask.

I just don't know how to increase the font, it's probably easy enough to do. I'll show you the module for Paramet. This module does a lot more than my old Paramet script did, and it's only this amount of code. What I can do now is brute force to try to identify cookies the application is using, try to identify different headers the application is using, and essentially fuzz using common strings or data to identify GET and POST parameters. The tool takes in a list of requests: you can pass in a file containing a list of URLs, or you can pass it in with a flag; I don't know if people are familiar with sqlmap, but like it you can pass in an entire request, so you could just copy one out of Burp Suite, run this tool and detect the anomalies that happen when the request is made. I don't know if you can see there on the left-hand side, but there's one response from the directory brute force that's expected, and that's running through there, making 136,000 requests in a matter of minutes. Because the data is stored, you can just leave this running overnight and come back to assess the results in the morning.
I expected to have a bit longer here, or not to go through the talk as quickly. I have an example module to show you the different things you can do. The module takes in a list of requests; you can manipulate these requests in any way you want, and I have a lot of different functions to do this. You can update the module name, you can update the proxy it uses (you could fire each request through a different proxy if you wanted), you can import files, and one of the parameters it passes in is rules, so you could pass in a different config file that does a multi-staged attack. I don't know if you can see there, it's just brute forcing the directory, and the cool thing is if it finds a new directory it'll recursively do that, but also if it finds different things you can configure it to run whatever modules you want on whatever results.
I also have a project roadmap for this. I have a few ways I want to take the tool and develop it further, but I'm interested to see how community input could help. The reason I initially built it was mostly for speed. Maybe two or three years back, Burp Suite was very slow, and at the time there was a plugin called, I think, Turbo Intruder or something like that, but you're essentially writing Python scripts directly into Burp as a plugin to do custom attacks, and I was like, why use Burp for that when you can just write your own tool to do it? If you're going to be writing code directly into a tool it loses its reusability, and it seems annoying to me. I like the idea of having custom tools that you can configure yourself. Also, because the data is stored in an SQLite database you can do anything with it: you can do a lot of additional stuff on top, import it into other tools, use the data in interesting ways.

I'm happy to take questions now if anyone has any.
Yeah, so I think we have two questions. The first one there is: does Scanomaly have help or man pages?

This is definitely something I wanted to have done before I released this, but not right now. I was going to do a wiki on it, and I suppose as people add modules we could document how it works. You can probably see that it's a bit of a mess at the minute and it takes a lot of different parameters. The idea is for it to be flexible: you can pass in headers, you can pass in anything I feel I would need to configure. Just here it's run through the first two modules I specified: a directory brute force and a repo attack, which would be common files and configuration files. You can see that I found one 200 response and one 301 response, which is another directory, so it's just recursively going through that, and from the YAML configuration it knows what to run on which responses. You can play around with this and do a lot of interesting things. For me, being able to write just four lines of code to create a custom template for an attack is really useful; it speeds up a lot of things I do. It's just running through the same thing again on the next directory it found. I think it ends after this one, but it'll print out the results in an interesting way once it's done.

Another thing I've used this tool for is, say you're doing white box testing where you have access to the server: you can pull a list of all the files in a web directory and then run this tool over it very easily. I have flags to do diffs between different databases, so if you run a scan once a day and something changes, there might be something interesting happening there that you can go and investigate afterwards. That's interesting when you start running it across an entire network of assets, because a new website might appear that's a new attack surface you haven't looked at yet.
We have a couple more questions there if you want to take them. One of them is: when will it be available to the public, and where?

I'm going to publicly release it now. Once the talk is finished I'm going to change it from private to public, but it should be up there. An old version of it has been public for a while, but I'm after adding a lot of new things, so documentation is my primary goal at the minute, and making it more user-friendly.

OK, and then we have another question: have you built any sort of reporting that sits on top of or beside Scanomaly that runs against the SQLite findings?

Yeah, I do a lot of additional things on top of this. At the beginning, before I built the anomaly detection into it, I had a web app dashboard that would alert me on changes, so if I was fuzzing the same web app multiple times, a different result could indicate a new development or a new feature of that application. You could export your entire Burp crawl and basically use the URLs, running them through this tool. I've found some really interesting authorization or authentication bypass attacks using that: you log in with Burp and test as you normally would, then export all the URLs and run them with this unauthenticated and see what endpoints you can hit while unauthenticated. That can sometimes lead to some interesting information leaks and data leaks from software.
OK, I think we have two minutes there, and I've got another question in: can the tool be used for distributed scanning or content discovery at scale?

It can. You might see here it takes each URL and stores it into its own database, so I suppose a roadmap item for the tool would be unifying all of them into one nice app that you can view easily and browse through all the data. This should finish shortly, but I just want to show how many requests it's making: it's already gone through a quarter of a million requests in the last five minutes or so. It has some downsides. I store the SQLite databases in memory while it's running, and understandably, if the tool crashes, it'll wipe the scan that was running, but on the other side it's a lot quicker. Once the scan finishes I just dump the memory out into a file. You can do a lot of different interesting things, and I'm hoping it'll develop with open source and people can build more interesting modules. It's very easy to take a Python proof of concept someone wrote online and incorporate it into the tool, and it then has all the features that you don't have to rewrite, so it saves you a lot of time. It ran quicker when I tested it.

There's some cool flags as well: you can have it only store unique responses, so it's quite nice for fuzzing, and because you can pass your own list into it, it's very flexible. This should finish now and dump out the results from all the scans it did. This is the format, and you can see the request method that was used, the URL, how many headers were in the response, the number of string tokens in the response, how long the request took, the size of the response, that kind of thing. This data is obviously in the database, so it can be reused and used elsewhere.

We're up on time there now, and on a very tight schedule, unfortunately.

Oh yeah, perfect. Thank you very much, Kieran, for that talk. I think the link was shared in the chat there if anybody wants to have a look at that tool once it's released, and I think it is either now or will be very soon. Thank you very much for your time, Kieran, appreciate it.

Thanks folks.
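The insecure direct object reference the talk describes at the /welcome endpoint (a record fetched by an enumerable id and returned without checking that the caller may see it), as an added example that is not part of the talk and not FireEye's or Scanomaly's code. The signup table, the ids, the email addresses and the two lookup functions are constructed for illustration; the vulnerable lookup sits beside the fixed one so the difference is a single ownership check.

```python
"""Added example (not code from the talk or from the Scanomaly project):
the insecure direct object reference pattern described in the talk,
where a record is fetched by an enumerable id without checking that
the caller owns it, beside a fixed lookup. The signup table, ids,
users and the lookup functions are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SignupRecord:
    record_id: int       # sequential, so trivially enumerable
    owner_email: str     # account that started this signup
    completed: bool


# Constructed sample data standing in for the signup table.
SIGNUPS: Dict[int, SignupRecord] = {
    1001: SignupRecord(1001, "alice@example.com", False),
    1002: SignupRecord(1002, "bob@example.com", False),
    1003: SignupRecord(1003, "carol@example.com", True),
}


class NotFound(Exception):
    """Raised for both a missing record and one the caller may not see."""


def get_signup_vulnerable(record_id: int, current_user: str) -> SignupRecord:
    """Vulnerable: the caller is authenticated, but the lookup never asks
    whether current_user is allowed to read this particular record."""
    rec = SIGNUPS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec                      # current_user is ignored


def get_signup_fixed(record_id: int, current_user: str) -> SignupRecord:
    """Fixed: the lookup is scoped to the caller. Missing and not-owned
    collapse into the same error so the id space cannot be probed to
    learn which ids exist."""
    rec = SIGNUPS.get(record_id)
    if rec is None or rec.owner_email != current_user:
        raise NotFound(record_id)
    return rec


def enumerate_emails(fetch: Callable[[int, str], SignupRecord],
                     attacker: str, start: int, stop: int) -> List[str]:
    """What the attacker does: walk the id range as themselves and keep
    every email that comes back."""
    found = []
    for record_id in range(start, stop):
        try:
            found.append(fetch(record_id, attacker).owner_email)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    print(enumerate_emails(get_signup_vulnerable, "mallory@example.com", 990, 1010))
    print(enumerate_emails(get_signup_fixed, "mallory@example.com", 990, 1010))
```

Against the vulnerable lookup the walk recovers every email in the table; against the fixed one an outsider gets nothing, and a legitimate user gets only their own record. Scoping the query to the caller (rather than fetching and then filtering) is the part to carry over to real code.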
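The fuzz-then-compare idea the talk describes for Scanomaly (brute force parameter names, record the response features it lists: status, header count, token count and size, keep the results in an in-memory SQLite table, optionally store only unique responses, and diff two runs), as an added illustration that is not Scanomaly's code. The fake_target endpoint, WORDLIST and the table layout are constructed here so the example runs offline; a real run would replace fake_target with HTTP requests.

```python
"""Added illustration (not code from the Scanomaly project): the
fuzz-then-compare idea from the talk, using the response features the
talk's output lists (status, header count, token count, size) stored
in an in-memory SQLite table. A constructed in-process target stands in
for the web application, so nothing touches the network."""
import sqlite3
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # status, headers, body


# Constructed stand-in for a /welcome?<name>=x endpoint that reacts to two
# parameter names and returns the same page for everything else.
def fake_target(param: str) -> Response:
    base = {"Content-Type": "text/html", "Server": "example"}
    if param == "debug":
        return 200, base, "<html>welcome</html><!-- debug: db=prod user=svc -->"
    if param == "id":
        return 500, {"Content-Type": "text/plain"}, "Traceback: invalid literal for int()"
    return 200, base, "<html>welcome</html>"


# Constructed wordlist; a real run would use a parameter-name list.
WORDLIST = ["page", "lang", "q", "user", "token", "id", "debug", "view", "sort", "limit"]


def fingerprint(status: int, headers: Dict[str, str], body: str) -> Tuple[int, int, int, int]:
    """Cheap response features; two responses with the same tuple are
    treated as 'the same page'."""
    return status, len(headers), len(body.split()), len(body)


def fuzz_params(wordlist: List[str], target: Callable[[str], Response] = fake_target,
                unique_only: bool = False) -> sqlite3.Connection:
    """Send one request per candidate name and record its fingerprint.
    unique_only mirrors the 'only store unique responses' flag: a
    fingerprint already in the table is not stored again."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE results (
        param TEXT PRIMARY KEY, status INTEGER, header_count INTEGER,
        token_count INTEGER, size INTEGER, body TEXT)""")
    seen = set()
    for name in wordlist:
        status, headers, body = target(name)
        fp = fingerprint(status, headers, body)
        if unique_only and fp in seen:
            continue
        seen.add(fp)
        conn.execute("INSERT INTO results VALUES (?, ?, ?, ?, ?, ?)", (name, *fp, body))
    conn.commit()
    return conn


def anomalies(conn: sqlite3.Connection, max_hits: int = 2) -> List[str]:
    """Names whose fingerprint was seen at most max_hits times: the bulk
    of a fuzz run hits the same 'unknown parameter' page, so the rare
    tuples are the ones worth a look."""
    rows = conn.execute("""
        SELECT r.param
        FROM results r
        JOIN (SELECT status, header_count, token_count, size, COUNT(*) AS n
              FROM results GROUP BY status, header_count, token_count, size) g
          ON r.status = g.status AND r.header_count = g.header_count
         AND r.token_count = g.token_count AND r.size = g.size
        WHERE g.n <= ?
        ORDER BY r.param""", (max_hits,)).fetchall()
    return [row[0] for row in rows]


def diff_scans(old: sqlite3.Connection, new: sqlite3.Connection) -> List[str]:
    """Names whose fingerprint changed between two runs (the talk's
    run-once-a-day-and-diff use)."""
    query = "SELECT param, status, header_count, token_count, size FROM results"
    before = {row[0]: row[1:] for row in old.execute(query)}
    after = {row[0]: row[1:] for row in new.execute(query)}
    return sorted(p for p in before.keys() | after.keys() if before.get(p) != after.get(p))


if __name__ == "__main__":
    first = fuzz_params(WORDLIST)
    print("anomalies:", anomalies(first))
    patched = fuzz_params(WORDLIST, target=lambda p: fake_target("x" if p == "debug" else p))
    print("changed since last run:", diff_scans(first, patched))
```

Against the constructed target the eight unremarkable names share one fingerprint and only debug and id stand out; re-running after the debug behaviour is removed reports exactly that name as changed. The same in-memory database carries the caveat the talk mentions: a crash mid-scan loses it, so a long run should checkpoint to disk (sqlite3's Connection.backup does this) rather than only dump at the end.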