August 5, 2010
Fierce is a network enumeration tool that uses many techniques (mostly using DNS) to gather a list of IPs controlled by an organization. The most common method is to provide Fierce with a domain. Last week at Security BSides in Las Vegas, I gave a talk about the newest version of Fierce. Version 2.0 includes tons of new functionality that the original version lacked. I also discussed the new functionality of Fierce v2 on Security Justice Episode 26.
Here is a small breakdown of the new techniques: Interactive mode for scanning IPs ranges, TLD bruteforce (also with an interactive mode), Virtual host detection and enumeration, ARIN lookups including lookups for every Nethandle, Whois enumeration, Reporting engine that includes TXT, XML and HTML report formats, rewrote all of the techniques to be Object Oriented with threading, ability to exclude or include techniques to ensure fine grained control of the scan and a ton more!
I have also been working on an XML parser module to extract data from Fierce using Perl. Parsing XML allows pentesters to extract the data from tools so they can automate the mundane tasks and work on more difficult things. The module is already on CPAN.
The official release of Fierce v2.0 can be found at:
To check out the latest version of Fierce v2 from subversion, simply run the following command:
svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
The XML module (known as Fierce::Parser) can be found at:
If you have any comments, questions or suggestions please let me know.
August 4, 2010
The course I have been working on for a while now, known as “Pentesting with Perl” was released for the first time this year at BlackHat 2010 in Las Vegas. There was a ton of quality content that I put into the course including many of the techniques I have developed to automate the tedious tasks that need to be performed when conducting a penetration assessment.
What made the course unique was that all of the examples were based on useful techniques that I use on a daily basis. Many people learn best by using example, so I built the course to leverage practical examples when explaining the theories of using Perl.
For example, I built a script which processed a PDML file and coverted the ASCII codes using a hash. This a better example than just using something like: (apple => red, orange => orange), because it demonstrates value which can be applied immediately.
Based on the feedback we received, it looks like people really enjoyed the course. The only thing that the students wanted to change is to have more time for the labs. Therefore, I’m sure I will be teaching this training again but using a two day format instead of one. Pentesting with Perl was a great success and it’s only gonna get better! Ph33r!
August 4, 2010
Back in early July, I was ask to make an appearance on the Security Justice podcast to discuss some of my projects (Fierce v2, Goal Oriented Pentesting and SQL Injection). Security Justice Episode #26.
It was pretty epic and we defiantly went off-topic, but it was a ton of fun.
“I can replace this podcast with one line of Perl!”
Worth a listen. Let me know what you think.
August 4, 2010
Back in June, I was in Baltimore for the SANS Pentest Summit 2010. I really enjoyed this conference, since it provided the opportunity to chat with many people that are working on ways to improve the penetration testing process. At the conference, I presented the Goal Oriented Pentesting theory that I have been talking about for a while(first post, second post) The talk expanded upon the original theories by incorporating specific methods which provided criteria for anyone that is looking to implement Goal Oriented Pentesting in their security assessments. I also included examples from several security assessments that I have performed (external pentesting, internal pentest and web app audit) so that attendees would be able to use these goals a guide in the future.
The slides from the talk can be found here.
What else should be done to improve upon this? Let me know what you think!
January 7, 2010
BurpSuite is by far, my favorite web application proxy. There is a limitation that I have found a unique way around, so I figured I would share it with everyone. BurpSuite does not have an easy way to import a list of targets when starting a web application assessment. Obviously, you can browse to the web applications using a browser, but this is time consuming. So we need a better way.
All that is needed is a method to make requests that pass through the proxy. So we can use LWP::UserAgent. Nmap is always helpful for finding open ports, so we can use that to speed things up as well. Nmap will find all of the web applications and then we can leverage Perl to populate BurpSuite’s target list.
First, we perform an nmap scan:
sudo nmap -p 80,443 -sS -oX nmap-web.xml -PN
Now, we parse the output of the nmap scan and generate files that contain the web servers running on port 80/tcp and 443/tcp. I have written a Perl script to parse nmap XML files. This script can be found here. Using this script we simply execute:
perl nmap-parse.pl -f nmap-web.xml -p 80 > 80-tcp.txt
perl nmap-parse.pl -f nmap-web.xml -p 443 > 443-tcp.txt
Now, we just need to import each file and perform a request for each web application. The key is that we have BurpSuite listening locally, so that all of the requests will pass through the proxy. The script is called proxycrawl and it will populate the target list because it makes requests through the proxy. It can be found here.
perl proxycrawl.pl -i 80-tcp.txt
perl proxycrawl.pl -i 443-tcp.txt --ssl
After running this script, you should see all of the targets populated in BurpSuite and you are ready be begin your web application assessment.