ruby for pentesters the workshop - Black Hat Briefings · ⌘ rbkb - Matasano’s ruby black bag ... Random random everywhere. ruby for pentesters the why memory corruption unexpected

Ruby for Pentesters:

The Workshop

Timur DuehrCory ScottMike Tracy

ruby for pentesters

agenda

1415: Introductions1420: The 20 minute tour of Ruby 1440: Blackbag1445: Webby Blackbag1500: Protocol Blackbag 1515: Break1530: Fuzzing and Redis 1550: Ragweed: Part 11610: Ragweed: Part 21630: Coffee Service1700: Making Burp better with Buby 1715: JRuby1725: FFI

ruby for pentestersruby for pentesters

Setup


Ruby in 20 Minutes

ruby for pentesters

Stuff we like

ruby for pentesters

Gems and packages

NokogirieventmachinerbkbragweedNerveBubylots of others

Stuff we use

Metasploitroninwatir

whatwebArachni


Lab: The basics

Ruby basics


Ruby Blackbag (rbkb)


Do less typing

plugboardsencoders / decodersutilities

Command line tools

Object mixin

s

The same stuff butfor scripts and IRB


Lab: rbkb

IRB + rbkb


Scripted Webby Stuff

ruby for pentesters

What do we need to script a webapp?

ruby for pentesters

Transport

Parsing

Encoding / Decoding


Lab: Simple SQLi scanner

Curb,Nokogiri,rbkb


Protocol Reversing w/ Blackbag

ruby for pentesters

General protocol approach

Establish the flow

Observe it

Understand it

Manipulate it

ruby for pentesters

demo: when all you have is pcap...

FeedImport

ruby for pentesters

demo: the blackbag flow

binary / protocol analysis

⌘ rbkb - Matasano’s ruby black bag ⌘ Protocol Analysis: MITM: Blit, Telson, PlugSrv

⌘ Structure Creation with Bindata⌘ Extracting payloads with FeedImport

Real Client Plugsrv Real Server

TelsonBlit

Download all of the content at: http://bit.ly/baythreat

ruby for pentesters

exercise: tcp protocol lab

Get in the middle

Observe and replay

Manipulate

Exploit

ruby for pentesters

exercise: build protocol structures

BinData

ruby for pentesters

demo: eventmachine and UDP

event loops

manipulate dns

ruby for pentesters

demo: TLS tricks

TLS MITM & self

signed certs

SSL version scanning


Fuzzing

ruby for pentesters

the what

smart

dumbProtocol AwareUser AwareSession AwareError State Aware

Bit FlippingBoundary Trampling

Switch-a-rooRandom random everywhere

ruby for pentesters

the why

memory corruption

unexpected behavior

access control test

crypto analysisparsers

ruby for pentesters

demo: generator patterns

DFuzz + BinData

ruby for pentesters

demo: the harder stuff

instrumentat

ionprocess control

binning

ruby for pentesters

intro to redis

redis-server

redis object

redis data types

strings, lists, sets

key:value

push & popadd & delete

set & get

ruby for pentesters

lab: fuzzing with redis

grab your structs

mutate & sendstore in redis

query


Ragweed:Instrumentation & Getting Started

ruby for pentesters

Fuzzing

runtime changes

ruby for pentesters

Why a scriptable debugger?

Hittracing

less clicking


What do we script?

Events

sigtrapsigtermevent_fork

Actionsget registers

set breakpointsmanipulate memory


How?

IDAobjdumpruntime calls

memory locat

ions

inspection/manipulationget_registersshared_librariesread set_registers

write


The target

in_circleout_circle


Demo: arguments and registers

reading me

mory

getting registers


Exercise: function arguments

SSL_writ

e

SSL_readread SSL requests that our client is making


Walkthrough: function arguments

int SSL_read(SSL *ssl, void *buf, int num);

int SSL_write(SSL *ssl, const void *buf, int num);


Ragweed:Hit Tracing and in Memory Fuzzing


What do we mean by that?

Tracking function calls and logic flow

Modifying memory locations as the program runs


Automate this!

accountingbreakpointsHash

CSVIPCRedis CSV

Nervemetaprogramming


Exercise: Break stuff!

in memory fuzzing

read argumentswrite new arguments

hit tracing

output function hittrack order and count


Ragweed: the intermission


Recap

in memory fuzzing

hittracingscreenshot TBA

screenshot TBA


Burp + Jruby = Buby


buby is your friend

Extend with modulesInline extraction

Inline manipulation

Access Burp

data

Extend itProxy HistoryRepeaterIntruderScan Results


Lab: CookieMonster

Grab and dec

ode all cook

ies

evt_http_message

IHttpRequestResponse

#response_headers

Fires when an HTTP message is received

Extender object

Buby convenience method


Lab: CookieMunger

Modify cookie values inlineevt_http_message

IHttpRequestResponse

#get_request

#request=

Automatically:

Grab the request

Modify the cookie

Forward the request

ruby for pentesters

Jruby tricks

ruby for pentesters

demo: extending our buby example

load jar

import objects

make pretty

graphs


FFI: interfacing with C


No gem, no problem

rubypython libusb ffi-libc ragweed ffi-pcap OpenCV-FFI

the ac

tual l

ist

is uni

mporta

nt


This is your C struct


This is your C struct on Ruby


Calling C functions

setup

call

definition


Exercise: execv

definition

a pointer

OK 1-2-3 GO!


Walkthrough: execv spoiler

Follow

along

with

me

Documents

ruby for pentesters the workshop - Black Hat Briefings · ⌘ rbkb - Matasano’s ruby black bag ... Random random everywhere. ruby for pentesters the why memory corruption unexpected