Gone in 60 seconds

A Practical Approach to Hacking an Enterprise with YASUO
Saurabh Harit {@0xsauby}
Stephen Hall {@_stephen_h}
getuid
root@msf:~$>
Saurabh Harit (@0xsauby)
Director of Security Research @Security Compass
Pentester i.e. Domain Admin at many companies
Have a secret crush on reverse engineering
Gym freak / Proud father of two beautiful dogs
Stephen Hall (@_stephen_h)
Security Consultant @Security Compass
…
…
Owner of a Christmas hat
What this talk is not about
No 0-days
No Shells
Scenario
You’re on a red-team engagement
You’ve bypassed physical security
You’ve bypassed NAC
What next? How would you pwn the network?
Vulnerability scanner?
The Problem
Can’t use a network vulnerability scanner
Have to be stealthy & quick
Can’t use Google dorks (internal network): site, link, inurl
Where do $hells come from?
It’s not about what, it’s about WHERE
Popular Vulnerable Apps
Apache Tomcat
JBoss jmx-console
Hudson Jenkins
$hells
Not So Popular Vulnerable Apps
ADManager Plus
Cyberoam UTM
YASUO what???
Written in ruby
Did not write it on our flight here
Scans the network for vulnerable applications
Currently supports 100+ vulnerable applications
All currently supported apps are Metasploit-able
Why Yasuo
Because there are tons of vulnerable applications and it’s not easy to find them
World Without Automation
Run nmap scan & manually poke each & every web port
This CANNOT be fun
What’s currently out there
Nikto by Chris Sullo
https://www.cirt.net/Nikto2
Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls
http://nmap.org/nsedoc/scripts/http-enum.html
Nmap script – http-default-accounts.nse by Paulino Calderon
https://www.nmap.org/nmapexp/calderon/scripts/http-default-accounts.nse
Exploring Yasuo
What’s in the Box
yasuo.rb
resp200.rb
default-path.csv
users.txt
pass.txt
GPL
Behind the Scenes
Detects false-positives
Automatically extracts login form
Automatically extracts login parameters
What’s New
RaNdOmIzAtIoN!!!
More robust check to detect false positives
Properly formatted output table
More application signatures
Signatures for IP Cameras / Encoders / Decoders
Modular & cleaned-up code – if there is any such thing
Demo Time
Challenges
Exploit-db – great resource but inconsistent format
Dynamic detection of login page and parameters is regex based.
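To make the "Behind the Scenes", "What's New" and "Challenges" slides concrete, here is an added Ruby example (written for this page, not code from the Yasuo repository): a regex-based extraction of a login form's action, method and input names, and a false-positive check that compares the response for an application's default path against the response for a randomized path that cannot exist. The HTML pages, the `/manager/html` path and the `fetch` lambda that stands in for an HTTP client are all constructed for the example; how Yasuo itself randomizes its checks is not stated on the slides, so the random-path comparison is an assumption about one way such a check can work.

```ruby
# Added example, not Yasuo's own code. Demonstrates regex-based login-form
# extraction and a randomized-path false-positive check on constructed HTML.
require 'securerandom'
require 'set'

# Constructed sample: a login form served on an application's default path.
LOGIN_PAGE_HTML = <<~HTML
  <html><body>
  <form name="loginForm" method="post" action="/manager/j_security_check">
    <input type="text" name="j_username" value="">
    <input type="password" name="j_password">
    <input type="hidden" name="csrf" value="abc123">
    <input type="submit" value="Log in">
  </form>
  </body></html>
HTML

# Constructed sample: a catch-all server that answers 200 with this body for ANY path.
CATCH_ALL_HTML = '<html><body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>'

# Pull the first <form> out of a page and read its action, method and input names
# with regexes. This is exactly the brittle part the "Challenges" slide describes:
# unusual attribute quoting or JavaScript-built forms will defeat it, so the
# function returns nil rather than guessing when no form is present.
def extract_login_form(html)
  form = html.match(%r{<form\b([^>]*)>(.*?)</form>}mi) or return nil
  attrs, body = form[1], form[2]
  action = attrs[/\baction\s*=\s*["']([^"']*)["']/i, 1]
  method = (attrs[/\bmethod\s*=\s*["']([^"']*)["']/i, 1] || 'get').downcase
  params = body.scan(/<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/i).flatten
  { action: action, method: method, params: params }
end

# A page counts as a login page only if it has a form AND a password field.
def login_form?(html)
  !extract_login_form(html).nil? &&
    html.match?(/<input\b[^>]*\btype\s*=\s*["']password["']/i)
end

# Rough body similarity: Jaccard index over non-blank lines. Good enough to tell
# "same template served for every URL" from "a genuinely different page".
def similarity(a, b)
  sa = a.split(/\r?\n/).map(&:strip).reject(&:empty?).to_set
  sb = b.split(/\r?\n/).map(&:strip).reject(&:empty?).to_set
  return 1.0 if sa.empty? && sb.empty?
  (sa & sb).size.to_f / (sa | sb).size
end

# False-positive check. `fetch` is a caller-supplied lambda (path -> [status, body])
# so the logic runs offline here; a real scanner would wrap an HTTP client.
# A hit on default_path is confirmed only if a random, non-existent path does NOT
# come back 200 with essentially the same body (which would mean a catch-all).
def confirmed_hit?(default_path, fetch, threshold: 0.9)
  status, body = fetch.call(default_path)
  return false unless status == 200
  random_path = "/#{SecureRandom.hex(8)}"          # cannot exist on a real app
  rstatus, rbody = fetch.call(random_path)
  return true unless rstatus == 200
  similarity(body, rbody) < threshold
end

# Constructed fake servers used in place of the network.
def real_app_fetch
  ->(path) { path == '/manager/html' ? [200, LOGIN_PAGE_HTML] : [404, 'Not Found'] }
end

def catch_all_fetch
  ->(_path) { [200, CATCH_ALL_HTML] }
end

if __FILE__ == $PROGRAM_NAME
  p extract_login_form(LOGIN_PAGE_HTML)
  puts "real app hit confirmed:  #{confirmed_hit?('/manager/html', real_app_fetch)}"
  puts "catch-all hit confirmed: #{confirmed_hit?('/manager/html', catch_all_fetch)}"
end
```

The interesting design point is the second request: a scanner that only looks at the status code of the default path will report every catch-all web server as a vulnerable application, which is the noise the "more robust check to detect false positives" slide is about. Comparing against a randomized path costs one extra request per candidate and removes most of that noise.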
Future Development
Smarter version detection
Support masscan output format (because y’all love to scan the Interwebs)
Add support for more vulnerable applications, of course
Add secondary signature
Make current crappy code modular
Add multi-threading
Add support for vFeed???
Change format of default path file – CSV to YAML? or JSON?
CFH (cry for help)
Signatures Signatures Signatures & Signatures
Please submit application signatures:
Post a comment on Github
Update default path file on Github
Drop us an Email
Send a Pigeon.
Questions??? or not
Thank You!
https://github.com/0xsauby/yasuo
0xsauby
saurabh.harit@gmail.com
✖
_stephen_h
perfectlylogical@gmail.com
Credit
Nmap ruby library - https://github.com/sophsec/ruby-nmap
The Exploit Database (EDB) - http://www.exploit-db.com/
@funkaoshi
Google Image Cache