Information Security Specialists.
After a few minor adjustments to the scanner and some additional tweaks to the web crawler, it is time to release the very first version of STS Scanner. All the information about the scanner and where to download is available online here
Requirements:
Bugs:
Send all bugs to bugs [at ] securitytechscience [dot] com
Please test responsibly…
Hello everyone!
Sorry for the delay in the release but I have spent the last few months traveling around Asia and haven’t had much time for coding, testing, debugging, etc… Also, I have been spending my weekends down by the beach enjoying myself on Sydney’s sunny shores 
I promise to have a release out very soon, possible a New Years Eve treat?
Anyway, one thing is for sure and that is coding is a winter sport.
Before the release of the sts-scanner, I plan to add on some crawling capabilities as the strategy is to take the tool to a level where there is minimal human interaction (i.e., no manual crawling of the web application). Note: I am a big fan of the manual crawl, as it is possibly the best assurance you have that every link of a web application has been clicked and all forms have been correctly submitted. So the idea of building a crawler that can do perform like or even better than a human sounds like a nice challenge…
Firstly, some the obvious problems with basic crawlers are things like malformed html, frames, forms, javascript, ajax, web services, web 2.0, etc to name a few breaking the crawling algorithm. Some crawlers simply fall apart when faced with these challenges and as a result, you end up with a minimal or in extreme cases no attack surface area to test.
This blog is about how I plan to overcome some of these challenges and implement them within the sts-scanner. I will only focus on web 1.0 for now as I will concentrate on web services, web 2.0, ajax and javascript at a later date.
The concept of writing your own tools has always appealed to me as it offers so many rewards. Apart from the obvious where automating a process provides more time to spend on other bleeding edge areas, some other benefits include:
- Putting into practice all the concepts you have learnt on the job or from whitepapers and presentations etc.
- Being able to share these ideas with a large audience via the Internet and the use of the GPL
- The journey that research and development takes you on and where you don’t really know where you may end up
I want to chat about the last point and some of the work I have been doing over the last month in the development of an application scanner. Continuing on from the educational scanners placed on our site, I have expanded on these ideas to see the difficulty in building an open source scanner that could be comparable to some of the proprietary scanners on the market. Read the rest of this entry »
Following on from the last post, extended scanner is capable of enumerating the back-end DBMS if it is MS SQL, Oracle or MySQL. If these DBMS are discovered, then the tool can enumerate the column number and data types. But what then? How do you use this information to exploit the vulnerability to extract sensitive information or takeover the server? What if the DBMS is say something other than listed above?
To solve this, there are plenty of tools out there (see below) but one pretty cool tool to brute force this information out from the vulnerable application is SQLMap. I recommend that anytime you find a blind SQL injection point, the next step should be to run this tool (or a similar tool) every time. All the information and downloads can be found here and there are plenty of examples in the README. Below is an example of how SQLMap performed on one of our vulnerable test servers.
If you are interested in checking out some other SQL injection tools then see http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners
As promised the extended scanner has been released with more intelligent exploitation algorithms to enumerate the SQL backend database. Of course credit should be given where credit is due and the algorthms are all from Ch 9 Network Security Tools by Justin Clarke et al. The only thing I have added is the MySQL code as my demo app has a MySQL backend. Before I chat about this, the code can now perform the following:
Of the above points, the last point is a little dubious when it comes to MySQL. You see, to enumerate the data type of a MS SQL column, you first try a string. If there is no error then it is a string. If not then try a date. If there is no error it is a date. If not then try an integer. Hopefully it is an integer, otherwise the code throws an error. MySQL behaves a little differently when employing the above algorithm. Say you have an integer and you try a string, unlike MS SQL the MySQL databse will have a warning in the backend (which is not visible via the app) but will allow the string. Hence, all columns are enumerated as strings even if the actual backend contains an integer. Nonetheless, the reason to identify the string columns is important so that you can later inject a query to retrieve sensitve information via these string columns. So if MySQL allows strings through integer columns, theoretically then it may not matter if it is a string or an integer and you can retreive the data via any column…this is yet to be tested.
Might chat with Justin to see if he can incorporate MySQL into his tool SQL Brute. For those unaware, when you find the above SQL injection, all you need to do is point his tool at the string columns and it will enumerate (via brute force) the rest of the database procedurally. That is, database names, database tables, database columns and finally database data. You can find a real nice howto here.
Note that I did not incorporate my other promises of more advanced Ruby libraries and better object oriented design schemas. I have kept the code as close to the original so that you at home can follow along with the book. Sorry for those who wanted something with a little more grunt but you are going to have to wait a little while longer…
Nearly forgot: To download click here
Around this time last year I decided to switch languages and regress back to Python. I guess the main reason was all the add-ons that were being discussed and I wanted to double check I wasn’t missing out on anything since I had left a year or two earlier. At the time I had no real inspiration to write anything in particular, so I focused on writing a wrapper for the Pyton urllib libraries. The idea was to make an object that acted much the same as a lite browser. Basically you could load it up with a URL and any authentication necesary (basic auth, ntlm, cookies, etc) and feed it file paths – The browser should just handle the rest.
The high level plan was to write a wrapper that handled HTTP requests and then place a front-end on it (command line and later a GUI). I drew most of my inspiration from mechanize to build the wrapper and noticed the front-end was just another (albeit smaller) version of cURL. In the end I decided to drop the project due to the rejection of PEP 268 - Due to Python’s design, it is impossible to tunnel anything over a proxy and keep the the same level of authentication and/or SSL.
FYI, I called the project WebGet and the only conceivable use for it is code re-use in other projects. It is licensed under GPL and you can find it here.
Anyway, enough about the past…
This long weekend I decided to take a couple of hours out and based on the above design I ported WebGet over to Ruby. Once it has passed unit testing I will release it in the resources section of the web site.
The first packaged release of WebGet is now available for download here. Briefly, WebGet is a Python Package interfacing urllib2 and handlers, cookielib, http and ntlm modules to provide for quick-turnaround applications.
To install just run “python setup.py install” using an administrative account.
To use just type import WebGet from your Python Interpreter or script. Here is a quick example:
import WebGet, os
# create a WebGet cookie
c = WebGet.WebGetCookie()
c.browsertype = WebGet.MOZILLA
c.path = os.path.join(os.environ["HOME"], "/.netscape/cookies.txt")
# create a WebGet instance
wg = WebGet.WebGet('http', 'www.securitytechscience.com', 80, c)
# set some variables
wg.add_header('Country','Australia')
wg.set_proxy('http', "127.0.0.1', 8080)
# request the page -> sets both a wg.request and wg.response value
wg.open('/')
print wgThe first version of sts-requester was released today. Nothing flashy about this tool, if anything it is just a trimmed down version of Curl written in Python. The reason wasn’t to release a copy of Curl but to build a command line interface to the Webget module that comes with the tool – Webget is a pure Python library written by me interfacing the Python urllib2 module from the Python library. By releasing this tool as open source, hopefully it gets more of an audience who will eventually test it on different applications and report back on bugs, if any .
You can find out more information and download the tool here.
Here is some quick code on how to use the Webget module that comes with sts-requester for those Python coders out there:
# import Webget
from Webget import *
# create a cookie
c = webget.WebGetCookie()
c.browsertype = MOZILLA
c.path = os.path.join(os.environ["HOME"], "/.netscape/cookies.txt")
# create a webget instance
wg = webget.WebGet('http', 'www.securitytechscience.com', 80, c)
# set some variables
wg.add_header('Country','Australia')
wg.set_proxy('http', "127.0.0.1', 8080)
# request the page -> sets both a wg.request and wg.response value
wg.open_url('/')
print wg
That’s it! In the coming weeks I will test and at the ntlm components. After that maybe Webdav and digital certificates with open ssl.