Nikto::Parser 0.01

October 16, 2009

Recently, I released several new security modules on CPAN. One of the modules is Nikto::Parser. It provides a module for extracting information from nikto so that users can build powerful web application testing tools. Nikto::Parser can be found here.

Here is an example of performing a nikto scan and then parsing the results with Nikto::Parser:


use strict;
use warnings;
use Nikto::Parser;

my $npx = Nikto::Parser->new;
my @ips;
push( @ips, "127.0.0.1" );
# Run nikto from the given directory against each IP and parse the output
my $parser = $npx->parse_scan( "/pentest/svn/nikto/", "", @ips );
foreach my $h ( $parser->get_all_hosts() ) {
    print "ip: " . $h->ip . "\n";
    foreach my $p ( $h->get_all_ports() ) {
        print "port: " . $p->port . "\n";
        print "banner: " . $p->banner . "\n";
        foreach my $i ( $p->get_all_items ) {
            print "Description:\n" . $i->description . "\n";
        }
    }
    print "---\n";
}


Burpsuite::Parser 0.01

October 15, 2009

Just to get everyone excited for my talk, “Synergy! A world where the tools communicate” at OWASP NYC today, I decided to release Burpsuite::Parser 0.01 a little early.

Here is an example of using the module:


use strict;
use warnings;
use Burpsuite::Parser;

my $bpx = Burpsuite::Parser->new;
# parse_file returns a Burpsuite::Parser object
my $parser = $bpx->parse_file('burpsuite.xml');
# get_all_issues returns an array of Burpsuite::Parser::Issue objects
my @results = $parser->get_all_issues();
foreach my $h ( @results ) {
    print "Severity: " . $h->severity . "\n";
    print "Host: " . $h->host . "\n";
    print "Name: " . $h->name . "\n";
    print "Path: " . $h->path . "\n";
    print "Proof of Concept:\n " . $h->issue_detail . "\n";
}

Version 0.01 of the module can be found at http://search.cpan.org/~jabra/Burpsuite-Parser-0.01/lib/Burpsuite/Parser.pod

One good thing to note: all of the requests/responses are automatically included in the XML. To reduce the size of the XML, it may be helpful to generate an XML file without them. This will make parsing faster.

Enjoy!
Jabra
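The note above about request/response data can also be applied to a report that has already been exported. This is an added example, not part of Burpsuite::Parser or the original post; it uses XML::LibXML and assumes each request/response pair sits inside a `requestresponse` element, as in the constructed sample report embedded in the script.

```perl
#!/usr/bin/perl
# Added example (not part of Burpsuite::Parser): strip request/response
# bodies from a Burp Suite XML report before parsing it.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample report. Assumption: each <request>/<response> pair
# is wrapped in a <requestresponse> element inside its <issue>.
my $sample = <<'XML';
<?xml version="1.0"?>
<issues>
  <issue>
    <serialNumber>1001</serialNumber>
    <name>Example issue (constructed)</name>
    <host>http://127.0.0.1</host>
    <path>/login</path>
    <severity>Medium</severity>
    <requestresponse>
      <request base64="true">R0VUIC9sb2dpbiBIVFRQLzEuMQ0KDQo=</request>
      <response base64="true">SFRUUC8xLjEgMjAwIE9LDQoNCg==</response>
    </requestresponse>
  </issue>
</issues>
XML

# Remove every <requestresponse> subtree; return (document, count removed).
sub strip_traffic {
    my ($xml) = @_;
    # Treat the report as untrusted input: no network access while
    # parsing and no entity expansion.
    my $doc = XML::LibXML->load_xml(
        string          => $xml,
        no_network      => 1,
        expand_entities => 0,
    );
    my @nodes = $doc->findnodes('//requestresponse');
    $_->unbindNode for @nodes;
    return ( $doc, scalar @nodes );
}

my ( $doc, $removed ) = strip_traffic($sample);
printf "removed %d request/response block(s); %d -> %d bytes\n",
    $removed, length($sample), length( $doc->toString );
```

Captured requests can contain session cookies or credentials, so the stripped file is also the safer one to pass between tools or attach to a report.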


Burpsuite::Parser Example Script

October 12, 2009

For those who don’t already know… Portswigger released XML support for Burpsuite last week! Once I heard about this, I started working on a Perl XML parsing module. After the long weekend I have a version that is ready to be considered alpha quality. I plan to release the beta version on October 15th during my presentation at OWASP NYC. Here is an example script demonstrating how easy it is to use Burpsuite::Parser:

#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;
my $bparser = new Burpsuite::Parser;
my $file;
if ( $ARGV[0] ) {
    $file = $ARGV[0];
}
else {
    print "usage: $0 [file.xml]\n";
    exit;
}
my $parser = $bparser->parse_file("$file");
foreach my $h ( $parser->get_all_issues() ) {
    print "Type: " . $h->type . "\n";
    print "Serial: " . $h->serial_number . "\n";
    print "Severity: " . $h->severity . "\n";
    print "Host: " . $h->host . "\n";
    print "Name: " . $h->name . "\n";
    print "Location: " . $h->location . "\n";
    print "Path: " . $h->path . "\n";
    print "Issue Background: " . $h->issue_background . "\n";
    print "Remediation Background: " . $h->remediation_background . "\n";
    print "Issue Detail: " . $h->issue_detail . "\n";
}

DM me on Twitter (jabra) if you would like to help test the module.

Regards,
Jabra


OWASP NYC – Raising the bar on Pentesting!

October 11, 2009

I will be giving a talk at OWASP NYC/NJ this coming Thursday (October 15, 2009). The talk is heavily focused on improving the penetration testing process. It is important for the tools that are used during a penetration assessment to communicate because it will allow the assessment to streamline many of the tasks that have been manual in the past. The goal of this presentation is to discuss the need for communication between security tools and to demonstrate several examples in which integration can provide the ability to reduce the amount of time spent manually correlating information. This will improve the penetration testing process! If you were to perform an assessment manually (i.e., without any tools communicating) and compare the results to an assessment in which all the tools were communicating, the results would clearly demonstrate that communication between tools leads to a better assessment. Therefore, all security assessments need to move in this direction.

For this presentation, I will be demonstrating several modules that I have been working on to provide communication abilities to many of the most popular security testing tools for pentesting and web application security assessments. This presentation will be filled with tons of new tools and modules that I will be releasing for the first time. Many of these tools will make pentesting easier and help to automate many of the tedious tasks of security testing.

I look forward to hanging out with people after the talk and getting their feedback on ways to improve the functionality that I have built.

-Jabra


CSI – Web Application Panel

September 18, 2009

I have been asked by Rafal Los (a good friend of mine) to join him on a panel at CSI in October to discuss the current state and future of Web Application Security. I’m really excited for the Panel and it will be fun to catch up with many people that didn’t make it to BlackHat and DefCon.

Here is the information on the presentation:

Title: Web Summit
Date/Time: Monday (October 26, 2009) 2:00pm — 5:30pm
Topic: Web 2.0

Abstract:
An informed host and select group of expert speakers tackle web issues. After brief presentations, debates and open forums, you’ll more fully understand the issues and solutions, and have the insight that will guide you to better, more confident decisions regarding those complex and challenging issues.

Morphing more business functions into Web 2.0 applications offers both irresistible business opportunities and undeniable security threats. Criminals are using the Web as an attack vector and crafting more sophisticated, exceptionally targeted attacks. Yet who needs to exploit vulnerabilities when there are plenty of malicious ways to use legitimate applications, like social networking sites and microblogs. And what about the browser? A browser is in a position to both protect the local device from Web-borne threats and thwart attacks that take place solely within the Web—but are current browsers proactively shouldering their security responsibilities? Learn how to both secure your organization’s own Web site and protect your sensitive data from attacks launched from other vulnerable Web sites. Get to know the Web-based threats of today and tomorrow, and explore what next-generation security tools could live up to the promise of revolutionizing Internet security.

I. Web application vulnerabilities and attacks
II. Browser attacks
III. Mitigating Web security threats and next-gen solutions


"Unmasking You!" at BlackHat 09 and DefCon 17

August 7, 2009

Last week, I gave a presentation with Robert “RSnake” Hansen called “Unmasking You!” at BlackHat 09 and DefCon 17.

The slides and demos can be found at: http://spl0it.org/files/talks/defcon09/

Originally, we were only scheduled to speak at DefCon, but due to a last-minute change we spoke at both venues. The backstory of how that occurred is kind of funny, so I figured I would share it with everyone who hasn’t heard it yet.

On July 26th, I decided to go out on a twilight fishing boat after a week-long engagement in LA. We weren’t really having much luck catching fish, a few missed opportunities but no fish. As the sun began to set over the harbor, my expectations shifted to enjoying the evening and the week ahead in Las Vegas at BlackHat and DefCon. Around 10:30 or so, I got a call from “RSnake”, and he said “There has been a scheduling change, would you like to give the talk at BlackHat?” That was the only moment in my life that I was happy I didn’t have a fish on my fishing line. I gladly accepted the invitation and knew that the next 48 hours would be interesting, since I still needed to record many of my demos. Once I arrived in Vegas, I spent the majority of the time preparing all of the demos and getting things ready. The end result was around 9 recorded demos and 2 presentations.

Our presentations went really well and everyone had great comments and feedback. I had an amazing time hanging out with tons of friends who I only see once a year. I had a chance to meet Wade Alcorn (the author of BeEF). BeEF, for those who have not used it, is a browser exploitation framework and it is very useful in performing penetration assessments. For the talks, I wrote all of my code and ported several pieces of RSnake’s code to BeEF as modules, which will be included in the next release (should be out in a few weeks). All of the demos demonstrated methods that attackers can use to determine information about the victim’s machine.

I hope everyone enjoyed the talk and I look forward to seeing everyone again next year in Vegas!

Regards,

Jabra


Detecting Browser Plugins

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect all of the plugins available within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Virtualization Detection

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect the virtualization technology being used by the client. This technique uses the MAC address with a regular expression to identify if the client is running on VMware, QEMU, VirtualBox or Amazon EC2. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


SMBenum (Software Detection)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect software on the client’s machine. This technique uses local rendering of GIF images with SMB within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Visited URLs (Alexa Top 500)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to identify all of the URLs that the client has visited. This technique uses the CSS history to identify valid results. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.