
This talk would not be that much from a technical standpoint of how we can do this; it will be more focused on why and how we should do this. Okay, so without getting into jargon, a little bit about myself. I am a security engineer currently working at Bobby body soft Tech. I have more than three years of experience. To be honest, I was more in love with bug bounties, but as we all know, with time we like to switch, as well as try to see other fields just to get a bit of change, so currently I'm doing DevOps automation, and code reviews are what I'm liking more these days. Apart from that I'm really active in bug bounties. First I hunted mostly on HackerOne and Bugcrowd, but now I mostly hunt on select, currently have England code. Apart from all these tech jobs I like to play games, of course, and I play F exclusion, so if you want to say hi, this is where I am.

Okay, so let's start with the actual talk itself. Whenever you are doing black box pen testing, you don't know what the code behind might be, or what is lying behind, and how you want to test it, right? But let's try to shift left and try to think as a developer. While coding, we know that most developers share the same mindset; if not 100 percent of developers, then at least the team of that specific company, of that specific project, has the same mindset. So you can think that the code written at one place would be similar to the other functionality; let's say the access control on one API will be the same as the access control code elsewhere. More to add on to this, many companies have guidelines for how the developers should proceed, so this also favours the first factor, that most of the coding patterns will be seen throughout the application. Moreover, we know that Stack Overflow is there to copy code from; one can copy the code of another person, and that goes on. Also, just to add on to that, whenever someone copies code, that code is not actually verified as to whether it is secure or not, which adds more to it.

So I guess this leads to the same mistake over and over and over again at a multitude of places. If someone here is a pen tester, they might know that they are able to find the same type of bugs throughout many projects or throughout many applications. So why is this so? There should be a reason, right? The biggest reason is that they lack the mentality of shift left. Basically, shift left is a mentality where you continuously push your code and pass it through security controls so that low-hanging fruits, such as a SQLi or an easy-to-find XSS, or even some vulnerabilities that are present in the project's dependencies, are caught early; many of you might know that software composition analysis and tools such as SAST can find such low-hanging fruits. So I can say that not most companies, but around 50 percent of companies, lack SSDLC controls in their environment; basically there are no SAST tools, DAST tools, static analysis or dynamic analysis to eliminate such low-hanging fruits. So what happens is that whenever there is a project, there is no budget for security itself, and let's say once there is a security incident, then 90 or even 70 percent is given to the security of that project. Everyone might know the Uber hack, right? Even though they are extremely well defined in their security, they have that bug bounty platform and everything, they got hacked, and just after some days there were many security openings at Uber. So if it's Uber, then you might be able to think how the scenario would be for companies that are not that security advanced.
Okay, so that was all the reasoning, but the talk is about automation in pen testing, so let's start from here. Feel free to ask any question in the comment box; if you have any questions we can address them in between.

Okay, so the automation part. Let's take a step back and think that whenever we do a pen test we do some tasks such as reconnaissance on the scope, or some fingerprinting and all that stuff: listing subdomains, or port scanning, or checking the services they offer, the legendary -sV flag of nmap to find the version, then trying to find the vulnerabilities around that. Those are the tests I guess most people might be doing, right? The second step, after fingerprinting, is that if you see a Cisco ASA product you would check for path traversal, right? If it is a Firebase database whose URL you have extracted from the Android app, then you'll be checking whether the .json endpoint is accessible or not. Just to give you an idea, in a Firebase database, if let's say you have set the ABC entity to public, then just by adding /.json you can access the whole database, but mostly it's a kind of rare thing these days. And finally, if there is a service such as an FTP service, you can check whether anonymous works or not, or for SSH you would be checking root, admin123, test, such passwords. So as far as I understand black box pen testing, I think this could be easily automated. These are so time consuming, and we have deadlines to meet, targets that at this particular time we need to deliver the project, so instead of wasting time we can automate it easily. So how can we do this? Well, let's see.

Okay, so before we dive into that specific part, I just wanted to give you some reality checks. Many people might be thinking that automation is so boring, or even that coding is so boring, and from the start we have been fed this agenda that coding is not necessary in pen testing. But everyone knows that after some years there would be this reality check that coding is actually necessary; even if you don't go as hardcore as a developer, just by knowing a little bit of coding here and there it can make your life much, much better. Back on topic: many people might be thinking, no, we don't want to do that, let's grab some automation framework and we'll be good to go with it. But just to be clear on that, these types of frameworks are not contextually aware of what type of testing you might be doing or whatever type of test cases you might be following; they might not be doing that because they are not contextually aware. Second, that automation might be using a wordlist that is quite huge, let's say the size is in MBs, and you might not want to flood your target with irrelevant data, so rather than using that, I would say automation should be targeted. The last point is that this leads to much, much noise; your client might not like that you are sending 500 or 600 requests per second, which is not wise, and that is quite less efficient.

So the light bulb moment, I would say: what if some basic checks, as I mentioned, fingerprinting the service and finding vulnerabilities related to it, or even making a wordlist out of the application itself, how can you automate that? It might be that a five-minute task can take hours to automate, but collectively, if you add up the time in the future, it would be quite, quite efficient. I have followed this approach myself when I was starting as a pen tester, and to be honest, some automation scripts that I built in my initial days are still relevant today; even though I had to change some bits here and there, they are still working.

Let me give you a specific example of how you can approach making this type of automation. I have divided it into two parts. Many times it happens that if you are in a product-based company you might stick to a particular tech stack; let's say it could be MEAN stack or MERN stack. You know that you are going to work only on this stack, so you can build all your automation around it. If it is a Node application you can write test cases according to it and then write your automation for that; if your application is .NET you can write your test cases around that. So let's get on with an example. I guess the biggest proof for this is MobSF; everyone might have used MobSF in Android pen testing, right? It just disassembles the file and gives you all the content in a nice way so that it could be processed by you for manual analysis. But let's say you are working in a service-based company; many companies follow a checklist, or even leave it to the pen tester what they want to test. So if the pen tester is comfortable with a framework, he can write little scripts in bash or in Python or any language of your choice: these are some of the tests that I want to do. Let's say I want to check SQL injection in each and every parameter, each and every header; if it is a REST API, then each and every item that is present in that. I can share some ideas at the end of this presentation on how you can do that. Just one thing: please feel free to drop any questions if you have them; I would answer, but it won't interrupt the presentation.

Okay, so back to the presentation. A simple bash one-liner that I had written in my initial days: let's say I want to collect as many subdomains as I can. When I was starting there were no tools such as Amass or Subfinder, which are great; they are frameworks to do that single job, but they were not available at that time. So what I did was this ugly bash one-liner. What it does is basically get your domains from crt.sh as well as DNS overall, right, and process it. Let's say I have given a list of domains, a.com, b.com, c.com; the final file I would be getting would have second-level subdomains, third-level or even fourth-level if they are present in this data set. So in future, whenever I got a pen test which had a wide scope, I used to use this bash one-liner to dump as much data as I could. This is the second example that I was using; I'm not using it currently, but it was again in the starting days. If I'm getting a domain, I would feed this domain into this script; what it would do is list out subdomains for me from Sublist3r as well as Linus Oren as well as Amass. Once everything is done, I would be getting a clean output in a .txt file which I can later feed on to the next part. It was part of the whole framework that I built, and it was again the same as this bash one-liner, but in a little bit neater and cleaner format, which I later evolved. I would say that the aim of showing these two examples is how I went from this to this, all because I had the mentality that I don't want to do boring tasks; I would rather go into the rabbit hole of finding a deserialization vulnerability than finding as many subdomains as I can. So the first was a little bit dirtier version and the second example was much cleaner, and if I want to share my code with someone to edit it or extend the script, then I could easily have done it. So this was for the recon part; now for the exploitation part.

Okay, so before this I was working at IBM with one of our big clients, which was in the telecom industry, and they had a feature that if you have a discount coupon you can get the discount by applying the code, right? What I was able to find was that the same coupon could be used multiple times; I just had to change two digits, and I could keep cycling it over and grab as much discount on a subscription plan as I wanted. So what happened was that I reported this: first of all there is this rate limiting issue, and second, there is this discount coupon that has this business logic issue. Instead of rate limiting the endpoint as well as fixing the logic of discount coupon generation, what the developer did was implement just a CSRF token: if I click once and submit the discount coupon, the second time it won't be giving me the CSRF token, and I will be able to submit it the next time. So I guess this fix was a bit bizarre and not secure. What I did was take the request and put it into a curl command (I was using bash at that time; now I have mostly shifted towards Go, I use a bit of Python, but I think Go is much better nowadays). I put that request into curl, fetched the CSRF token, and again put that CSRF token in with the curl command and looped it over. These seven lines of code gave me the ability to grab as much discount as I wanted. So actually this was the thing, and later even the developer didn't realize how to fix it, but after some escalations he did.

Okay, so this was a bit about my journey, I mean how I was able to do such things. The thing is how you can start building your automation; even the little scripts, I wouldn't call them automation, they are just scripts that make your life easy. So I would suggest that first of all you start learning a language such as bash or Python, or if you are good to go with Ruby or any language that can leverage your computing power as much as you can, then learn that. The second thing is to start making a list, I would say a checklist, of the checks that you do every time. Let's say you check for SQL injection in each and every parameter; let's say you want to find reflection, you pass a canary into a parameter, let's say ABCD, and the same is reflected in the response; everyone might be doing that for XSS, right? Once this list is built, then you need to give a thought to how you can automate it with the language you have chosen. As I told, initially the code will be quite, quite dirty; if a developer sees it they would be like, you don't know how to do it, but I would say keep it, as we all know that if it works, don't touch it. So try to use it in your daily life and with time develop it. When those checks are up and running, combine the relevant scripts together so that you can have a whole set. I would say that in days or weeks you won't be able to build your whole framework, but little by little, within some months or even a year or so, you would have a chunk of little scripts that work together and make your life easy.
So let me share some ideas that you can implement in your own automation framework. First, you can make some fuzzing scripts. Basically, a fuzzer is a program that throws random input at a particular place and processes, or holds, the data or the response in a particular place. I say process because if you know what to expect in return you can process it and just save the relevant output data, or you can store the responses and process them later. Such programs can be made that take a whole request as an argument with the wordlist of your choice. As well, if you want to check at the time what data is going, you can simply proxy your data and examine the response; if you don't want to save it somewhere else you can do it in Burp. I have done it many times: I made some scripts for this fuzzing and passed all of my data through Burp so that I can have all the records that I needed on the client side, and it could be passed on to someone else so that I can also show that I have tested this. Now, once you have made these scripts, with time you can change them; as I mentioned, changes can be made according to the vulnerability that you found. If it is XSS, instead of passing a canary you can have a wordlist of XSS payloads, and this script would throw all the payloads at that vulnerable parameter; I would say not to go harsh on the application, because it might crash, and again we don't want that.

Second, you can find vulnerabilities from the historical data itself. I guess everyone might know Wayback URLs and AlienVault, and there are many other services that hold historical internet data; for example, what Gmail looks like now, in the present day, and if you compare it with what it might have looked like three or four years ago, it might be completely different. So this data is stored somewhere, right, so you can fetch it; you can use Wayback URLs as well as AlienVault to get it, and there is a tool called gau which gets all the URLs from both of the data sources so that you don't have to go online yourself. Now you can parse it, and once it is parsed, let's say for parameters, or even for URLs, or even for JS files if you want to mine secrets from it. Just to give context, this idea could be used, let's say, if you're hunting for vulnerabilities on a bounty platform or a bug bounty program; it could be useful for you. You can process such patterns and data to find vulnerabilities. Let's say you are getting all these URLs and you want to find SQL injection in each and every parameter; just one thing, everything here would be in the form of URLs, so in case you want to find POST parameters then you first need to find which parameters are working. But if we restrict ourselves to the URLs only, you can pass them to sqlmap for just the detection phase. I won't suggest going for the exploitation phase, because it would create hundreds or thousands of requests, and even the WAF can block you, the client can block you, anything can happen. So once the detection is confirmed, you can go for the exploitation part by yourself, manually. The same ideology could be used for XSS: get all the URLs, get your script to process every parameter, get your wordlist for the payloads, enter it into the parameters, run it, and just try to save the response for later examination.

Okay, we are approaching the end of the talk; again, questions are welcome in between as well, and again this was just u
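The closing idea in the talk (historical URLs from a tool like gau, parsed for parameters, each parameter tagged with a canary, the response checked for reflection, and anything interesting handed to a human) can be shown end to end without a network. The block below is an added example written for this page; it is not the speaker's code or any tool's. The URL list, the canary value, the `demo_fetch` stand-in for HTTP, and all function names are constructed for the example. It goes one step beyond the talk by classifying a reflection as raw (special characters intact) versus encoded (token present but escaped), since only the former is worth manual XSS triage; it also sends exactly one canary request per parameter rather than a wordlist, matching the point about not flooding the target.

```python
"""
Added example (not code from the talk): take a gau-style list of historical
URLs, collapse them into unique parameterised endpoints, build one
canary-tagged URL per parameter, and classify how a response reflects the
canary. Detection only; anything flagged 'raw' goes to a human for triage.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical canary: an unlikely token plus the characters whose survival
# decides whether a reflection is interesting.
CANARY_BASE = "zq7canary9x"
CANARY = CANARY_BASE + '<">'

# Constructed sample of historical URLs, in the one-per-line form gau prints.
SAMPLE_URLS = """
https://app.example.com/search?q=shoes&page=1
https://app.example.com/search?page=2&q=boots
https://app.example.com/static/main.js
https://app.example.com/profile?id=42
https://app.example.com/profile?id=43&tab=orders
https://cdn.example.com/img/logo.png
"""

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".ico")


def parameterised_endpoints(raw):
    """Map (scheme, host, path, sorted param names) -> first-seen parameter values.

    Static assets and URLs without a query string are skipped, and parameter
    order is ignored, so /search?q=..&page=.. and /search?page=..&q=.. collapse
    into one endpoint instead of two requests.
    """
    endpoints = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.path.lower().endswith(STATIC_EXT):
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        key = (parts.scheme, parts.netloc, parts.path,
               tuple(sorted(name for name, _ in params)))
        endpoints.setdefault(key, dict(params))
    return endpoints


def canary_variants(endpoint, template):
    """Return [(param_name, url)] with the canary in exactly one parameter.

    The other parameters keep their historical values, so each request still
    looks like one the application has served before.
    """
    scheme, host, path, names = endpoint
    variants = []
    for name in names:
        query = dict(template)
        query[name] = CANARY
        variants.append((name, urlunsplit((scheme, host, path, urlencode(query), ""))))
    return variants


def reflection_kind(body):
    """'raw' if the canary came back byte-for-byte (special characters intact),
    'encoded' if the token is present but the characters were escaped or
    stripped, 'none' if the parameter is not reflected at all."""
    if CANARY in body:
        return "raw"
    if CANARY_BASE in body:
        return "encoded"
    return "none"


def triage(raw_urls, fetch):
    """Run the pipeline with a caller-supplied fetch(url) -> body callable, so the
    network layer (throttling, proxying through Burp) stays outside this module."""
    findings = []
    for endpoint, template in parameterised_endpoints(raw_urls).items():
        for name, url in canary_variants(endpoint, template):
            kind = reflection_kind(fetch(url))
            if kind != "none":
                findings.append((endpoint[2], name, kind))
    return findings


def demo_fetch(url):
    """Constructed stand-in for HTTP: echoes 'q' unescaped and 'tab' HTML-escaped."""
    query = dict(parse_qsl(urlsplit(url).query))
    if "q" in query:
        return '<input value="%s">' % query["q"]
    if "tab" in query:
        return "<h1>%s</h1>" % html.escape(query["tab"])
    return "<p>ok</p>"


if __name__ == "__main__":
    for path, name, kind in triage(SAMPLE_URLS, demo_fetch):
        print(path, name, kind)
```

The `fetch` callable is the seam where a real run would add the delay between requests, the proxy through Burp for record keeping, and the client's rate limits; the parsing and classification above do not change when that layer is swapped in.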