
BSides Glasgow 2018 - Paul Ritchie - Hacking with Git

BSides Scotland | 39:07 | 639 views | Published 2018-05
About this talk
Talk delivered at BSides Glasgow 2018 on the 27th of April. Abstract - GitHub is a fantastic platform for enabling remote teams to collaborate on projects. I am researching GitHub for all kinds of applications to penetration testers. The talk will include: Web Application Enumeration – finding not just the version a target is running, i.e. WordPress 4.9.2, but the specific COMMIT made to GitHub. Exfiltration/Shells through restrictive proxies – Exfil of files up to 100MB is possible with a free GitHub account. OSINT & Target Enumeration – Scraping public repos for passwords, AWS details etc., as well as moving a black-box into a white-box when you have the source. I will discuss options for how to do this. Potential for Social Engineering – What can we learn about a person or an organisation based on their repositories? Can this help us target them with malware, and how? Potential for lateral movement – If you compromise a developer PC what can you find that will help you? The level of the talk should be accessible to most attendees. It will demonstrate real world threats and discuss your options as a pentester.

hi everybody I'm not used to being pretty loud about a microphone anyway so this is this is going to be pretty raucous so my name is Paul Ritchie I've met an awful lot of you today on the floor hi thanks for coming the title slide there has the sort of agenda for this talk reconnaissance post exploitation infil getting tools into places and exfiltration getting data out and then a reverse shell that's what's coming up that's what's on the menu guys right and what this talk isn't really is a talk about git although there's a little bit on that in a minute so first off I'll say thanks for checking me out right so I'm trying to find the level of them

here people don't want git related puns checking me out no wake up I know you've had lunch right but you had you had a choice of talks at the moment you could be at the embedded firmware down there you could be over at the insider with Neil Lines and my talk has a little bit of insider threat in there I don't think his has anything on git so you've hedged your bets what I'm really here to do is to educate and inform and entertain all the way until the cake anyone recognize that cake points for that one at the back it's a lie I have actually seen the cake this cake is not a lie but that's

from the game Portal right so what we'll do is we'll move on to the next slide which is the the slide about git just for the grounding purposes all you're really going to need to know about git for the purposes of this talk are that git is a version control system a VCS for tracking changes in computer files and coordinating work of those files among multiple people so how do you developer teams develop together how they collaborate on the same source code they need to use a VCS of some sort and git is one of those it's an open source project the git project and there you go and there are alternative VCSs out there

like Visual Studio Team Services Subversion CVS lots of those exist so what I'm gonna say is the techniques that are in this talk are I believe transferable to all those different versioning systems is just that I had to pick on somebody to make proof of concept and why not pick on the biggest bully in the schoolyard git because by any objective measure that I could find git is the most popular version control system today and that URL there from 2016 and had had a whole bunch of different ways of trying to infer what is the most popular version control system which is actually hard to do because a lot of the the VCSs are going to be internal so

you can't really quantify them so the way that the most interesting statistic I found is that one at the bottom there that in 2016 more than 20,000 questions were asked on Stack Overflow everyone's favorite website 87 percent of all the questions about version control systems were to do with git right so that's that's a pretty that's a very high stat there and you can debate them but it's always going to come out being the most popular so that's why the techniques are shown in this talk are relevant to git now a lot of people are going you know is you're talking about git I was getting lots of people on Twitter basically sending in their how to use

git guides well I've got all you're gonna need to know in a very friendly way designed for the modern audience with an attention span of 18 seconds whole universe was in a hot dense state there nearly 14 billion years ago expense it started wait the earth began to cool the autotrophs began to drool D&R falls to another tool see build a wall we built the pyramids math science history unraveling the mystery it all started with a big bang

well thank you very much I think we found the level of the room and I believe at this point you are now committed to the talk you know can't leave to go to Neil and you can't go downstairs because you've bought into that so here at you're responsible for the rest of this and so what that was to show is a long road pretty good at procrastinating so simply to show that I'm not gonna be talking about git I have made 25 slides for an alternative play within a play to show you 18 seconds that's the level of detail dealing with here the play within a play is an entirely different totally reasonable talk about git that you can't

see it enjoy on full terms but the people watching at home beyond the fourth wall can pause that and see that there is actually a legit talk on git right anyway we're don't need to know all that stuff those are just commands it's incredibly complicated I wouldn't say that I'm actually an expert in how to use git I am one of those Stack Overflow question askers I have to look up pretty much everything but anyway not being an expert and it doesn't mean I can't use it to help me hack stuff which is the the point of the talk so using it for reconnaissance so hands up people that are jobbing pen testers in the room

it's a few of you right so others are just familiar with our pen testing methodology looks like right and for those that are asleep there's always one and it's him right so reconnaissance is one of the phases along and your penetration testing project so it occurs at the start of any decent pen test and it's where you try and learn about targets as quietly as possible to find stuff you can act on that's that's roughly my definition of reconnaissance so we've got three topics there are two that are pre-existing and one that is a new so I've told I'm kind of discussing a releasing today called git fingerprint git explorers so don't go around googling for the term explorers and

scrapers I've just made that up for today like I'm like in the king of git hacking an explorer is I'm going to categorize as a passive form of reconnaissance so no requests are sent to the target site it works if you have access to the repository right so you're able to clone it down so if you can clone down a repository you can use an explorer it's basically a script that will have regular expressions things like that it will rifle through all the files have been versioned by git and it will look for all the commit history and some of the instances and I'll go through all the branches and it will try and find

sensitive information that's what Explorer is going to do for you so the impact of that would be a loss of confidentiality of sensitive information like credentials that kind of stuff whatever you've uploaded to git and you didn't really think about it so to try this out I made the vulnerable repository so we have a very simple repository there with a readme file and in the text file you would see an admin and a password username and password hash right sorry username and password so pretty common for people to put default credentials out in that kind of way so you can see how it might be a problem so deploy that repository clone it down use some of the pre-existing

tools these are gittyleaks great name that I love it gittyleaks truffleHog not so keen in that one hmm gitrob good name I think just solid name there so these are the things they will have regular expressions gittyleaks will be pretty good at finding you passwords truffleHog is really good at looking for like AWS keys PTFE keys that's looking for API keys generally so it's pretty good next slide will show you a screenshot of how to use gittyleaks it's a good simple install if you're if you're using Kali just a pip install gittyleaks and there we go we got ourselves using own password it's nice to find that pretty simple like you

should be doing that on pen test every day of the week if you've got access to the repository git explorers defending yourself so don't put sensitive information in a repository at the end put online everyone okay nobody does that you wouldn't even dream of it right but people do so the solution and that came up online for this was quite simply and if you're gonna put a config file in there and use the sort of Linux approach make sure that there's a config sample dot txt or whatever other ships but it doesn't have any live config data it's all commented out and then you know use a .gitignore file to essentially make sure that that

doesn't become part of the repository that's the sort of workflow that people recommend but you got to be aware of that caveat there these are underlyings says from the man page of gitignore files already tracked by git are not affected by the .gitignore file so if you've already added config dot txt it's it's there right so be aware of that to stop tracking it you've got to remove it first and git explorers defend yourself part 2 you can use tooling these these two tools here git-hound and repo-supervisor are like the inverse of the Explorers they will use regular expressions and things like that to essentially look for the content before

it gets put into a repository or a commit so it'll it'll give you that little extra hurdle before you're putting in so those for the defenders git scrapers a form of active reconnaissance if an explorer was a passive one this is active because you mean you're gonna be making a couple of requests at least to the target site and it is applicable to use a scraper when the target a site you don't have access to the repo publicly in the same way you did for Explorer you can't just download the repo but what you have got as a website that in somewhere inside the web root someone has cloned out repository and you can find the .git folder

right because the way it works is it needs to index all the files that it's them and it's those responsible for that it's managing so the .git/index file will contain essentially a directory listing of the site so the pen testers in the room do you like a directory listing right when you find one of those right you're happy right that's what .git/index is going to get you and you're gonna party like it's 1999 it's just this is it I now know what all the contents of the web root is I can enumerate that I can download that and really look for it so the impact of a scraper is going to be directory

listing so the CWE entry for that is fine the specific risks and consequences vary depending on which files are listed so that's that's a good line there right so let's jump on to the making a vulnerable repository for a scraper so we've added into the same sensitive for another folder and that folder is called never gonna give you up I'm gonna let you down private key dot txt right so what you've just been Rick Rolled room yeah indeed so why I am why is it got such a ridiculous folder I'm struck for the neighbor get there it's not gonna be in your word list unless you're already Rick in yourself right so if you're gonna use DirB to try and enumerate

content which is like a good part of your first step of attacking a website you're not gonna have never gonna give you up or let you down as a folder name so you're gonna need directory listings most likely to find that so you make your vulnerable repository you hide it there you turn off directory listing in Apache just to make it more realistic and there's this is exactly how customers make themselves vulnerable they cd in at the web root wherever that is they do git clone they pull down and repository from public a little break from the scenario here I've renamed the folder to admin because it's likely to be in a word list and then that's us so

we've made ourselves a vulnerable target and using DirBuster DirB um you will locate slash admin and then you'll locate slash admin/.git and so you know that it exists and then you move on to the next one so what's the problem the index file isn't a flat text file it's got a format and there are loads of tools out there that will parse it but the one that I like is gin so there we go gin you can download the .git/index using wget that's what the screenshot shows and then you just use a gin pipe it for a grep for a name cut and then you get a nice tasty list

of files at the bottom there was never going to give you up / that you don't private key what would you do with that folks word list straight to Burp Intruder or something like that download from the site wget whatever in a loop and that's how you'll that's how you'll use your directory listings so how would you disable that first of all always be aware of what's in the web root just because someone doesn't link to it doesn't mean someone will not be trying an infinitely long word list to try and guess it or there will be some other future technique like the .git/index file it will let you index it so

number one defending yourself first let's do a little bit incident response not really my area of specialty here but the find command to find all folders I've got git in the name within the web root and then okay let's see that I have a in the first place was I even in even slightly at risk the next command shows looking at the the access log to see if anyone's accessed the .git folder or slash index so you can see did anyone actually practically have it even if I had one and then fire it over to blocking it literally how do you stop people accessing it I just used .htaccess with a redirect there a nice 404 solution

it's quite quite simple that regular expression will match any request that starts .git and any subfolder or any file in those folders so it's pretty handy so we'll test at the defense as well that's a 404 for admin/.git/index so even though we know that file is there in our target you get the 404 you can't now determine its presence based on even a not real URL it's you can't get to it so it's a good it's a good solid solution nice and simple right onto the on to the the first new tool the new technique git finger git fingerprint right so your problem is as a pen tester is that you need to try and find the

version of the software that you're targeting so you can then look for what was fixed in the most recent version versus the version that your targets running so you can then run it your customer and go I know how many CVEs are running in your your environment I know that there's a an exploit and I know that it works phone up the customer can I run that exploit I'm pretty sure it's stable if you're not having those conversations maybe you've crashed a few more sites in your life than I have so that's a pen tester specific tasks having to figure out the version and then figure out the applicable vulnerabilities and then the exploits is

you know if it's most of the time these are these threat actors are probably going to be automated if they're exploiting it they will just fire it they will just fire the missile they don't care they're already trying to do something illegal why would they bother trying and not crash the site at the same time unless of tasked with being stealthy but anyway that's the problem for the pen tester and the jobbing pen tester I find the version of the target so it came from but I had to target a site where the site admin had gone through a lot of lockdown steps to remove all the sort of change log files the HTML files the kind

of basic things that your your standard fingerprint tool will sort of go ahead and pull down so I thought well the target's running something that's in the public repository what if I cloned out in that repository use that to generate that word list similar to the directory listing thing earlier download from the target site all of the files that I can from the from the website and then use a bit of magic to figure out the specific commits of those files in the repository so this is what we're fingerprinting it's not the version number it's not 7.50 in Drupal and it's it's literally the day that the day that that file was committed to the thing and we can

roughly determine from that when the person installed the code in their site so it works for files which are not altered by the download process so if you've got a PHP file it's going to be converted to HTML it's going to get mangled right and so you're not gonna be able to use that has to be SHA hashable MD5 hashable identical to the version that was put the repository so you're gonna need a file like a dot js dot css or some custom X and file extension that the application is gonna use so I'm gonna sharp for a minute and then I'm gonna talk in a video for you hello Glasgow BSides so the thing on the

right here the text editor is showing the commands that are going to be executed during this this video showing the run of git fingerprint if you're if you're watching this video in the future you should be able to pause that get these commands and use them wish it's gone so let's just say our target here today happens to be a Drupal site looking at the source we know that it's running Drupal 7 over here that's a little breadcrumb that we can use and so that the workflow from that point is we would use the git clone command to clone out the branch seven of Drupal here's the folder we would cd into git fingerprint and launch the the interface

it's a Python three only script so Python three there we go a little bit of ASCII art the hoodie guy the workflow at this point is suggested by the the options here on the initial help this is a reasonable command-line interface if you type help you'll have that it's got tab complete and all kinds of things like that but okay let's stick to our workflow set repo path dot slash tab we want Drupal and set target URL that's the URL that we had in the web browser seventeen dollar 0.3 and the next part of our workflow is set files and commit code so I'll hit that and we'll see what it's going to do so what it does is it

goes into every directory in the repo it finds every file and just sort of get gets a listing of the the content of the repository armed with that it then uses a git log command to find out how many commits that file has had the command will take a little while to run here so what we're going to do is skip to the end that was a bit scary wasn't it the final output of that command is this table over here which is ordered by the total number of commits so in the most recent version of the Drupal repository the most commonly committed file would be commenting right the higher the number of tool commits that the more

useful it is for fingerprinting a target so what we're gonna do at this point is go back down we're gonna and execute the fingerprint version command and what this does is it for every file in the local repository attempts to download that file from the target website and then it uses a git checkout command to effectively roll back the version in the local repository and then it will attempt to confirm whether the file that's come down from the target site and has you know has been recognized effectively and when it's found when it finds a match it will then add it to a list of table for the output this command takes a while so

we're gonna skip to the end again [Music] welcome back time travelers of Glasgow BSides command has finished running so here's the final results table what we're really interested in for fingerprinting a target is the files there at the bottom here because it's roughly ordered by the time stamp you know not brilliantly ordered but it's roughly ordered by the time stamp so we would say our target website has been installed from the code around about October 2016 it's got have happened after this date and that's based on the file commit version which is the the sort of number that the target site is running versus the total number of commits when it says three of three that's

the oldest version of the file that's possible when it is fifty seven out of eight three one that's the 50s that's fifty seven away from being that the most recent well there's a tool and right it can obviously a bit be a bit slicker and quicker and then what it's currently doing but it's a proof of concept stage really and so what you would you do from that point knowing the date to work from you would you know because the point is this isn't just about enumerating Drupal it's about enumerating a website arbitrary website that's got the source code in git right so you check whatever the repository is for some sort of changelog some sort of

version string somewhere in there and then you would look back in the commit history for around about the date that you have and you've got your answer that's that's how you're going to get the fingerprint version we can't really automate that and in the future git fingerprint will probably support you better by just spitting it spit me out all the the commit log messages newer than that date or what you're looking for and then obviously if you're really lucky they're gonna be tracking their security vulnerabilities with like CVE references or some sort of custom vendor application specific reference so if you've got that you're gonna be able to then go categorically I've got a pretty good idea that it's

vulnerable to these so it doesn't quite do that yet but that's that's where it's going and sort of recap there at the end using git in this manner I believe is a new technique and so we could all enjoy that and and it will work whenever the target site uses a version control code you can download the POC as courses and git we can we can do it and I believe for other version control systems but it's just not implemented right so moving on using git for post exploitation I definitely look like that when I get a shell its beautified but I must have more right that's why I look like true true facts post exploitation in in the

line of the pen testing methodology flow we talked about it will occur after you've got a shell on a box you've got interactive command execution or whatever you're gonna try and gather more information about the target the day it has adjacent networks and you're looking to steal high-value information or search for lateral moves where a lateral move is I'm just gonna jump on at this other box does I've got a password or I've talking or something so git has a few options for that when it will fill it for that for the budding person who's enjoying a shell who's looking to take it further and git uses three different kinds of authentication options plaintext passwords being the

top number one if you can get a password in the in the users home space get paestum credentials because that file is created if some developer goes I don't want to ever type my password again when I'm making pushes up to the server and that's where is gonna be stored ~/.git-credentials you can store plaintext credentials in that file and it does of course warn you about that and the man page that that's a bad idea and but I imagine some people be doing it mmm plaintext passwords and authentication tokens are sort of handled in the same manner and the the URL if the URL has a token in it that will stand as the username in

the logon field that's how git GitHub handles that and passwords are generally used where the repository is being cloned down over HTTPS whereas the SSH public key happens where people are doing their upstream pushes over SSH right so either these options will be good lateral movement type things you're gonna have new credentials or tokens to work with number one password is best because password would mean I will have the person's GitHub password I will be able to or GitLab if it's internal I'll be able to log in change that everything about that users account are full control their account I can see the private repositories all that sort of stuff authentication tokens I've only looked

at GitHub authentication tokens they're a bit less valuable they can be as valuable as their credentials plaintext passwords but you can also generate the token to have specific privileges you can say don't let it access the web interface don't let it change my my avatar you could literally just say allow this guy to commit allow this guy a push/pull though it's very fine-grained there's about a hundred little check boxes on the GitHub website for that so the authentication token if someone's doing it right is using it with the least privileges so it might be a lot less useful than the plaintext password and what we're looking for lateral moves what you've got is remote

repository locations so when you do that git clone command and you go HTTP whatever and you pull it down that URL HTTP becomes the remote location in the local git repository so if you then are updating fetching pulling all that kind of stuff that touches the server it's going to be going over HTTP if you clone down over the SSH URL it will then be making its commits over SSH so remote repository locations right that's going to be stored in the .git/config file and looking in that file you'll be able to figure out if it's going over SSH you know they'll figure out if it's going over HTTP and more importantly looking for a lateral move you little

tell if it's going to an internal and server you've already got a box in their network but do they store their code in an internal GitLab does he put it in a private repository in GitHub you're going to learn that from looking at the URL right so quite quite useful things if you come out of the box and you've got a bunch of git folders to look into and obviously you can source code analyze any repositories that you find looking for more vulnerabilities you can write the privileges of those tokens and passwords and stuff to poison the repository with malware and possibly lots more things you can do with it so to help us out there I've made my

first ever Metasploit module git enum I love Ruby everything about it it will check and dump those authentication options it would find any .git folders and it will spit out the URL so not sure underneath it is all the URLs for the repositories so a little bit a little bit of used towards your post exploitation help point you towards things that you can play with a little bit so we'll move on a little bit away from the standard pen testing methodology over to rogue employee scenario so this is the little snapshot of the insider talk that imagines happening downstairs and so lots of customers have had many many years of penetration testing though they know

what it's like some dude in a suit sits down hack to network a lot of vulnerabilities great that's totally valid and we're up for it but increasingly customers have been going what kind of standard user do with their privileges and I really enjoy these projects so a sort of ranging question here it's like what can they get onto their workstation what can they send out through the network how can they do it those questions are kind of fun to answer so around about 2012 2013 it was the first time I used GitHub to bypass or at least send stuff in and out for a corporate proxy that was pretty restrictive the the target was a

customer that decided to outsource and development out of the country and then fundamentally not trust the people thinks that they've outsourced the development to so they would operate they might imagine try to develop an application under these conditions you have to VPN into the external VPN into all environment you can't see anything else you've got an RDP jump box no copy/paste no routes from the you know basically launches Visual Studio and that's all they had so it's like but they but they also developers do need to update support libraries or whatever github related stuff that they were that they were using so the corporate proxy through the standard web browser was was allowing that out so I was like on the day quick

cookie idea let's just use a git repository to put tools into the environment to help me enumerate the privileges of the user and then exfilled the data obviously with a bit of crypto before I put it up on the Internet and so yeah effectively the next couple of slides are going to show how to do that just using the web browser but the impact I have to say there's a meme coming up bang I want to stop employees but I also have to give them the Internet this is a fundamental fundamental Hedy as a pen test I don't generally have to deal with it but is that anyone's struggle in their day job right those nodding was a hand that's

consensus it's a problem right absolutely so I don't envy the people that have to fight that battle because the second it there's an internet connection you've given someone an infil route where they can pull tools in an exfil route and there's no real magic box that can stop that I don't think really but yeah anywho infiltration via the web browser so an attacker can make a repository a bit like this where I just put some binaries and some word lists in there that's going to help me enumerate some stuff on the network whatever you want you know you can hide your tools a little bit you can use AV bypassing techniques or whatever but I'm not going to go into

them and pretty simple technique not using GitHub per se would be if I want a binary in on a machine I can use base64 to encode the exe save it as dot txt and then the great tip is certutil which appear on Windows for a long time and it's often overlooked because but it's got a built in base64 decoder so if you want a nice binary over a play over a text connection and you don't want to get caught by a proxy that's blocking thought eh sees no what yo Hey so there's nothing really difficult here and it's just that want to stop employees but also has to give them access the internet and I'm not picking

on GitHub for this I could use a WordPress for this I could post a comment on a site if it's allowed through the proxy I can still do the base64 thing right drag it down no problem it's just a repository has a nice web interface it'll allow me just upload files willy-nilly and so it's quite useful it's a quite easy way to do it and it just needs to use the browser and getting tools in part two and when you're when you're on the workstation so I presume you've prepared your repository outside at your place of work you come in you can just go straight to the download zip file option now I do sort of remember when the git web just

allowed me to download individual files but now it's download zip which is really much more useful and that's great because there's no dependency on the workstation everyone's got web browser baked in that's going through the corporate proxy all is gold getting there oh you can structure that a little bit and you can use the git web interface to create a folder I'll save you the googling this is how you make a folder in git web you go create new file you start typing something you take the forward slash and then you create a new temporary file it shows like a down at the bottom there that'll create a new file but also create a new folder at the

same time. Then obviously you can just use the web interface to go file upload, add to repository. You don't need to keep that a file. Now you've got a nice folder to put your tools and stuff, or your data back out. So as we sort of barrel towards the end of the talk: if you've got a route in and you've got a route out, it would be absolutely rude of me not to make a shell come back over git. So, a reverse shell over git. Go: here is Windows 10 workstation, standing in for the workstation of our victim. They operate in an environment where there's a corporate proxy that blocks arbitrary connections

to the internet. However, they can see, as part of their day job, anything that's github.com or a few associated domains. Here's a repository, and we're going to communicate through in a minute. Here is the git shell victim executable. Let's run that. What's that going to do? The first thing it does is it clones down the repository here, and then it starts a loop where it's just going to pull and see if there are any new changes, and if it determines there's a change, if there's anything new inside in.txt, it will then just pipe it straight through the command prompt and save the output into out.txt. So the

attacker side is over in the Kali virtual machine. Pretty simple: git shell attacker, point it to the URL, that repository you're going to use, a location on disk where you're going to clone that down to, and then a GitHub authentication API token. Don't you worry, we're gonna scrub, I've already scrubbed that API token, you won't be able to use it. And so what have we got? whoami: let's just run a Windows command on the victim. It's gonna have saved that into in.txt, it's currently uploading it to the repository, and then the victim's checking it out, and bang, there you have an answer. So let's make sure that we have

no doubts that this shell actually operates. So Secarma Labs, fire that into C:\users\user, is the user account we've got, stick it on their desktop so we can see it, test.txt, and let's see if we can race that. Look, we've beaten it. Way! pop-pop-pop shells for we get up got the water with pyrotechnics. That's us. Right, a round-up. We've used, we've had a lovely time, it's been fun, thank you very much, get emotional. And we used git for reconnaissance. We talked a bit about pre-existing techniques: git explorers, git scrapers, and one will find your sensitive information if you can download the repository and you have access to it; git scrapers will get you

directory listings if someone's made the mistake of downloading a repository, could be a private repository, whatever, into the web root and then they've deployed that, put it online. And always make sure you know what's in the web root is the answer to that one. Git fingerprinting: a relatively, I think, a decent transferable technique for getting a decent guess at what the version is if the admin has done a really good job of locking down the version. Also means that, I think too lazy to start like using regexes to pull little nuggets of information to then have a database that stores that this is version X of whatever product, and then do that for every product that

possibly exists. Sounds like a lot of work, doesn't it? So I don't want to have a massive fingerprint database. What this is is a generic way of doing it when maybe there isn't a pre-existing tool for that application. Like, is it droopescan for Drupal? Did a pretty good job of that Drupal site anyway, so it's not really for Drupal, but if there's a domain where the application is less popular or whatever, and using fingerprint can get you a decent answer. Right, we talked about the post-shelling sort of options there: you can steal credentials, you can enumerate remotes, you can locate systems that you're going to be able to now

influence. So that's what you do post. There's a Metasploit module for that which is not committed anywhere; at some point I'll upload that to Metasploit. And then we talked, we showed, pretty simply, just using the web browser in a workstation to pull information through GitHub if you can access it, send it out, and then yeah, why not a shell, and why not some pyrotechnics if you can manage it. Right, so where do we go from here? None of these tools are gonna be available right now immediately, and they are gonna come out of the Secarma Labs blog. They're gonna be visible if you follow us on Secarma Labs on

Twitter. They're gonna be coming out over the next couple of months, and probably a bit faster, a bit wittier, a bit nicer looking, and so please, you know, follow along and sort of see them as they come out. The next slide is unfortunately the end of our journey, so I don't know if there's a git final command, or is that just rm -rf, we've killed it. Right, next slide says questions, and thanks for having me. Right. [Applause] Questions? No? Everyone, I believe that the video goes online in 10 minutes, I think. Is that an answer? Yes, because like everything I put the tools in GitHub slash Secarma Labs. Always, always pimping that

brand. Yeah, so the talk, the slides and actually everything will go online via Secarma Labs, but I think the video for the talk that you've just seen, and will mean that you can go back and examine the play within a play. I can see it, see how you'd get. So it's going online soon. Right, any more for any more? Nope. Straight on to cake for everybody. Right, crypto cake downstairs.