A Practical Approach to Hacking an Enterprise with YASUO Saurabh Harit {@0xsauby} Stephen Hall {@_stephen_h} getuid root@msf:~$> Saurabh Harit (@0xsauby) Director of Security Research @Security Compass Pentester i.e. Domain Admin at many companies Have a secret crush on reverse engineering Gym freak / Proud father of two beautiful dogs Stephen Hall (@_stephen_h) Security Consultant @Security Compass … … Owner of a Christmas hat What this talk is not about No 0-days No Shells Scenario You’re on a red-team engagement You’ve bypassed physical security You’ve bypassed NAC What next? How would you pwn the network? Vulnerability scanner? The Problem Can’t use network vulnerability scanner Have to be Stealth & Quick Can’t use Google dorks (internal network) site, link, inurl Where do $hells come from? It’s not about what, it’s about WHERE Popular Vulnerable Apps Apache Tomcat Popular Vulnerable Apps JBoss jmx-console Popular Vulnerable Apps Hudson Jenkins $hells Not So Popular Vulnerable Apps ADManager Plus Not So Popular Vulnerable Apps ADManager Plus Not So Popular Vulnerable Apps Cyberoam UTM Not So Popular Vulnerable Apps Cyberoam UTM YASUO what??? Written in ruby Did not write it on our flight here Scans the network for vulnerable applications Currently supports around 100+ vulnerable applications All currently supported apps are Metasploit-able Why Yasuo Because there are tons of vulnerable applications and its not easy to find them World Without Automation Run nmap scan & manually poke each & every web port This CANNOT be fun What’s currently out there Nikto by Chris Sullo https://www.cirt.net/Nikto2 Nmap script – http-enum.nse by Ron Bowes, Andrew Orr, Rob Nicholls http://nmap.org/nsedoc/scripts/http-enum.html Nmap script – http-default-accounts.nse by Paulino Calderon https://www.nmap.org/nmapexp/calderon/scripts/http-default-accounts.nse Exploring Yasuo Exploring Yasuo What’s in the Box yasuo.rb resp200.rb default-path.csv users.txt pass.txt GPL What’s in the Box Behind the Scenes Detects false-positives Automatically extracts login form Automatically extracts login parameters What’s New RaNdOmIzAtIoN!!! More robust check to detect false positives Properly formatted output table More application signatures Signatures for IP Cameras / Encoder / Decoders Modular & Cleaned-up Code – if there is any such thing Demo Time Challenges Exploit-db – great resource but inconsistent format Challenges Dynamic detection of login page and parameters is regex based. Future Development Smarter version detection Support masscan output format (because y’all love to scan the Interwebs) Add support for more vulnerable applications, Ofcourse Add secondary signature Make current crappy code modular Add multi-threading Add support for vFeed??? Change format of default path file – CSV to YAML? or JSON? CFH (cry for help) Signatures Signatures Signatures & Signatures Please submit application signatures: Post a comment on Github Update default path file on Github Drop us an Email Send a Pigeon. Questions??? or not Thank You! https://github.com/0xsauby/yasuo 0xsauby saurabh.harit@gmail.com ✖ _stephen_h perfectlylogical@gmail.com Credit Nmap ruby library - https://github.com/sophsec/ruby-nmap The Exploit Database (EDB) - http://www.exploit-db.com/ @funkaoshi Google Image Cache