An EyeWitness View into your Network @ChrisTruncer

Posted 22-Jan-2017

Page 1: An EyeWitness View into your Network

An EyeWitness View into your Network

@ChrisTruncer

Page 2: An EyeWitness View into your Network

Whoami

●  Christopher Truncer (@ChrisTruncer)
  ○  Florida State Seminole
  ○  Open Source Developer
    ■  Veil Framework
    ■  Egress-Assess
    ■  Just-Metadata, etc
  ○  Mandiant’s Red Team

●  Rohan Vazarkar (@CptJesus)

Page 3: An EyeWitness View into your Network

What’s this talk about?

●  Our Host Identification Process
●  Intro to EyeWitness and the Problem it Solves
●  EyeWitness 2.0
●  Demo

Page 4: An EyeWitness View into your Network

Typical Assessment Lifecycle

http://image.slidesharecdn.com/gates-open-source-information-gathering-brucon-111108214432-phpapp02/95/open-source-information-gathering-brucon-edition-9-728.jpg?cb=1320788708

Page 5: An EyeWitness View into your Network

First Step

●  Discovery/Recon - why care?
  ○  Do you know all your assets?
  ○  Does your customer?
  ○  Do you know all the services running on your systems?

Page 6: An EyeWitness View into your Network

Blue Teamers

●  People just randomly plug stuff into your network!
  ○  Wifi APs
  ○  Computers
  ○  Wifi devices (phones)

●  Are you periodically looking for them?

Page 7: An EyeWitness View into your Network

Red Teamers

●  Want to find anything we can attack or use to gain a foothold
  ○  Rogue access point
  ○  Long-ago forgotten system
  ○  Misconfigured services

●  Our initial discovery scans can help identify quick wins
  ○  Why be sophisticated when I can login w/ tomcat:tomcat

Page 8: An EyeWitness View into your Network

Scans

●  Penetration Test
  ○  NMap
  ○  Nessus

●  Red Team
  ○  Potentially neither
  ○  Likely highly targeted scans

Page 9: An EyeWitness View into your Network

NMap Timing

●  Timing
  ○  ping a few live hosts
  ○  identify the time it took to receive a response

Page 10: An EyeWitness View into your Network

NMap Timing

●  Timing Options
  ○  --initial-rtt-timeout 200ms
  ○  --max-rtt-timeout 100ms
  ○  --max-retries 1
  ○  --max-scan-delay 0
    ■  Usually

Page 11: An EyeWitness View into your Network

NMap Scan

●  nmap -vvv -Pn -n --open --initial-rtt-timeout 175ms --max-rtt-timeout 100ms --max-retries 1 --max-scan-delay 0 -iL <inputfile> -oA results -p21,22,23,25,135,139,443,445,3306,3389

Page 12: An EyeWitness View into your Network

NMap Scan

●  Once complete, make a list of live systems

●  Full port scan against live systems with -A
  ○  Potentially provides banner information
  ○  Useful for parsing and identifying services for screenshots :)

Page 13: An EyeWitness View into your Network

Nessus

●  Obvious use case is for vulnerability information...

●  ...but can be useful for identifying live systems if not needing stealth

●  .nessus files contain a lot of information we can use
  ○  Easy to parse xml
  ○  Essentially provides the same content as nmap xml
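As an added example (not code from the slides or from EyeWitness itself), the following Python parses the two scan formats described on the last few slides, nmap XML from the `-oA results` run and a `.nessus` export, into one list of live hosts and services and turns it into `scheme://host:port` targets for screenshotting. Both XML documents are constructed samples, and the service-name mapping in `classify` is an assumption of this example rather than EyeWitness's own logic.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts (sample data, not a real scan).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oA results 10.0.0.5 10.0.0.6">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed .nessus export for one host (sample data, not a real scan).
NESSUS_XML = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="internal">
    <ReportHost name="10.0.0.7">
      <HostProperties><tag name="host-ip">10.0.0.7</tag></HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"/>
      <ReportItem port="5900" svc_name="vnc" protocol="tcp" severity="0"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def classify(port, svc_name, tunnel=""):
    """Map a service name/port to a protocol a screenshot tool handles (assumed mapping)."""
    name = (svc_name or "").lower()
    if tunnel == "ssl" or "https" in name:
        return "https"
    if "http" in name or name == "www":
        return "http"
    if name in ("ms-wbt-server", "msrdp") or port == 3389:
        return "rdp"
    if name.startswith("vnc") or 5900 <= port <= 5910:
        return "vnc"
    return None


def parse_nmap(xml_text):
    """Return (address, port, protocol) for every open, screenshot-able port on a live host."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # skip hosts nmap reported down
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # filtered/closed ports are not screenshot targets
            svc = port.find("service")
            portid = int(port.get("portid"))
            proto = classify(portid,
                             svc.get("name", "") if svc is not None else "",
                             svc.get("tunnel", "") if svc is not None else "")
            if proto:
                targets.append((addr.get("addr"), portid, proto))
    return targets


def parse_nessus(xml_text):
    """Same output shape from a .nessus file; many ReportItems share a port, so dedupe per host."""
    targets = []
    for rhost in ET.fromstring(xml_text).iter("ReportHost"):
        ip_tag = rhost.find("HostProperties/tag[@name='host-ip']")
        addr = ip_tag.text if ip_tag is not None and ip_tag.text else rhost.get("name")
        seen = set()
        for item in rhost.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port == 0 or item.get("protocol") != "tcp":
                continue                  # port 0 is host-level information, not a service
            proto = classify(port, item.get("svc_name", ""))
            if proto and (port, proto) not in seen:
                seen.add((port, proto))
                targets.append((addr, port, proto))
    return targets


def to_urls(targets):
    """Render targets as scheme://host[:port], dropping the default port for http/https."""
    urls = set()
    for addr, port, proto in targets:
        default = {"http": 80, "https": 443}.get(proto)
        urls.add(f"{proto}://{addr}" if port == default else f"{proto}://{addr}:{port}")
    return sorted(urls)


if __name__ == "__main__":
    for url in to_urls(parse_nmap(NMAP_XML) + parse_nessus(NESSUS_XML)):
        print(url)
```

Scan files are themselves input from a scanned environment (banners and hostnames end up inside them), so a tool that parses them should treat the XML as untrusted: parse it with a hardened parser and never feed its strings into a shell or an HTML report without escaping.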

Page 14: An EyeWitness View into your Network

Point of Recon & Enumeration

●  Identify live hosts on the network

●  Identify any active services

●  Obtain system/OS version information

●  Generate a list of hosts to investigate further

●  Identify quick wins

https://nmap.org/images/nmap-401-demoscan-798x774.gif

Page 15: An EyeWitness View into your Network

Why Automate?

●  Previous steps lead up to this list
●  Find hundreds, or thousands, of HTTP(s) servers
  ○  Manual review…. no thanks
●  Thousands of RDP servers
●  How do we begin to process/analyze these systems if not in an automated manner?

Page 16: An EyeWitness View into your Network

Development Began

Page 17: An EyeWitness View into your Network

Problems to Solve

●  Automate web screenshots
●  Generate a usable report
●  Take input in multiple formats
●  Identify default credentials
●  Wanted to learn

Page 18: An EyeWitness View into your Network

Existing Tools

●  NMap - NSE Plugin
●  PeepingTom - by Tim Tomes
  ○  Closest to what I wanted
●  Nessus - Commercial Product

Page 19: An EyeWitness View into your Network

Started With This

Page 20: An EyeWitness View into your Network

StackOverflow

http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-or-with-python

Page 21: An EyeWitness View into your Network

Developed a POC

Page 22: An EyeWitness View into your Network

Needed Improvements

●  File Input:
  ○  Text File
  ○  NMap
  ○  Nessus
●  Report Generation
●  User Agent Switching
●  Default credentials signatures

Page 23: An EyeWitness View into your Network

Report Generation

●  Simple - HTML table tags
●  Store server header and screenshots
●  Multi-Page Reports (don’t crash your browser)
●  Link structure for reports
  ○  Off by one bugs aren’t fun
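As an added example, not the slides' or EyeWitness's own report code, here is a small Python report writer that does what this slide lists: an HTML table per page, a fixed number of results per page so a browser is never asked to render thousands of screenshots at once, and Previous/Next links whose page arithmetic is exercised at the boundaries where off-by-one bugs live. The result records, file names and page size are constructed for the example; one record carries a hostile `Server` header to show why anything copied from a scanned host into the report must be HTML-escaped.

```python
import html

# Constructed scan results: 51 hosts so the page boundaries at 25 and 50 are exercised.
SAMPLE_RESULTS = [
    {"url": f"http://10.0.0.{i}", "server_header": "Server: nginx",
     "screenshot": f"screens/10.0.0.{i}.png"}
    for i in range(1, 52)
]
# One host answers with a hostile banner: unescaped, it would run in the reviewer's browser.
SAMPLE_RESULTS[0]["server_header"] = 'Server: <script>alert("header injected into report")</script>'


def paginate(results, per_page=25):
    """Slice results into pages of at most per_page; an empty result set still yields one (empty) page."""
    if per_page < 1:
        raise ValueError("per_page must be >= 1")
    pages = [results[i:i + per_page] for i in range(0, len(results), per_page)]
    return pages or [[]]


def page_filename(index):
    """Page 0 is the report entry point; later pages are numbered from 2, the way a reader counts."""
    return "report.html" if index == 0 else f"report_page{index + 1}.html"


def nav_links(index, total):
    """Previous/Next links: the first page has no Previous and the last page has no Next."""
    links = []
    if index > 0:
        links.append(f'<a href="{page_filename(index - 1)}">Previous</a>')
    if index < total - 1:
        links.append(f'<a href="{page_filename(index + 1)}">Next</a>')
    return " | ".join(links)


def render_page(page_results, index, total):
    """One HTML page: a table with URL, server header and screenshot per row."""
    rows = []
    for r in page_results:
        # URL, header and screenshot path all originate from the scanned host or the scan
        # input: escape them so a malicious banner cannot inject markup into the report.
        url = html.escape(r["url"])
        header = html.escape(r["server_header"])
        shot = html.escape(r["screenshot"])
        rows.append(
            f'<tr><td><a href="{url}">{url}</a><br><pre>{header}</pre></td>'
            f'<td><img src="{shot}" alt="screenshot"></td></tr>'
        )
    nav = nav_links(index, total)
    return (
        f"<html><body><p>Page {index + 1} of {total}</p>{nav}"
        f"<table>{''.join(rows)}</table>{nav}</body></html>"
    )


def build_report(results, per_page=25):
    """Return {filename: html} for every page of the report."""
    pages = paginate(results, per_page)
    return {page_filename(i): render_page(p, i, len(pages)) for i, p in enumerate(pages)}


if __name__ == "__main__":
    for name, body in build_report(SAMPLE_RESULTS).items():
        print(f"{name}: {len(body)} bytes")
```

The boundary cases worth checking are exactly 50 results (two full pages, no third), 51 results (a third page holding one row) and zero results (one page whose links still resolve), since those are where a hand-rolled `range` or `//` usually goes wrong.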

Page 24: An EyeWitness View into your Network

EyeWitness 1.0

Page 25: An EyeWitness View into your Network

Improvements (still)

Page 26: An EyeWitness View into your Network

Updates Needed

●  Library Issues
  ○  Ghost - good, but a hack
●  Spaghetti code
●  Group “similar” pages
●  No way to resume a scan
●  Other protocols?

https://c2.staticflickr.com/8/7248/7021453583_c8e2b7597f.jpg

Page 27: An EyeWitness View into your Network

Fix the Problems

●  Drop Ghost
  ○  Didn’t want to do this - pure python is nice
  ○  Stability issues forced our hand
  ○  Lack of development

Page 28: An EyeWitness View into your Network

Library Solution

●  PhantomJS

●  Selenium

http://38.media.tumblr.com/c5d6de716be379af2e7bf68dce080cd2/tumblr_inline_n0b4hyJnfG1sr0bzb.png http://www.seleniumhq.org/selenium-rc.png

Page 29: An EyeWitness View into your Network
Page 30: An EyeWitness View into your Network

Spaghetti Code Fixes

●  What we called the “nuke_it_all” principle
  ○  rm -rf it all and start over

●  Went from approx 100 variables to more of an OO design

Page 31: An EyeWitness View into your Network
Page 32: An EyeWitness View into your Network
Page 33: An EyeWitness View into your Network

http://cdn.meme.am/instances/54834100.jpg

Page 34: An EyeWitness View into your Network

Result Groupings

●  We investigated multiple solutions
  ○  Levenshtein Distance (thanks @Digininja)
    ■  Measure the distance between strings
  ○  Fuzzy Sorting
    ■  This was the winner
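An added example (not EyeWitness's own grouping code) implementing the Levenshtein distance the slide mentions and using it to cluster pages whose titles are close: the distance is normalised to a 0..1 similarity, and each page joins the first group whose representative is above a threshold. The page titles, URLs and the 0.8 threshold are constructed for the example; the slides say fuzzy sorting won out in the end, and this block only shows the distance-based alternative that was evaluated.

```python
def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions and substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a                          # keep the shorter string as the inner row
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute (free if equal)
        previous = current
    return previous[-1]


def similarity(a, b):
    """Distance normalised to 0.0..1.0, where 1.0 means identical."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def group_pages(pages, threshold=0.8):
    """Greedy single pass: a page joins the first group whose representative is at least
    `threshold` similar, otherwise it starts a new group. Returns [(representative, [urls])]."""
    groups = []
    for url, title in pages:
        for group in groups:
            if similarity(group["rep"], title) >= threshold:
                group["urls"].append(url)
                break
        else:
            groups.append({"rep": title, "urls": [url]})
    return [(g["rep"], g["urls"]) for g in groups]


# Constructed page titles standing in for the text a screenshot run saved with each page.
SAMPLE_PAGES = [
    ("http://10.0.0.1", "Acme Printer 1 Status Page"),
    ("http://10.0.0.2", "Corp VPN Portal Login"),
    ("http://10.0.0.3", "Acme Printer 2 Status Page"),
    ("http://10.0.0.4", "Acme Printer 1 Status Page"),
]

if __name__ == "__main__":
    for rep, urls in group_pages(SAMPLE_PAGES):
        print(f"{rep!r}: {len(urls)} page(s)")
```

The greedy pass is O(pages × groups) Levenshtein calls, each O(len(a) × len(b)); on a few thousand pages with full page source as input that is slow, which is one practical reason to compare titles or a truncated prefix rather than whole documents.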

Page 35: An EyeWitness View into your Network

Introduce Categories

●  Sorting similar pages works
●  Expand into categories
  ○  High Value Targets
  ○  iDrac
  ○  VoIP
  ○  Crap
  ○  Printers
    ■  So annoying, they are worse than Crap

Page 36: An EyeWitness View into your Network

Resuming Scans

●  If a scan died on the last website, the whole scan died
  ○  You’d have the artifacts
    ■  Source Code
    ■  Screenshots
  ○  No Report
  ○  Very frustrating for large lists

Page 37: An EyeWitness View into your Network

Resuming Scans

●  Rohan began investigating a fix
  ○  SQLite to the rescue!
    ■  We wanted to stay lightweight without a db requirement
    ■  Track URLs scanned and completed
    ■  Allows us to tie into this for other purposes
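As an added example of the resume design described on these two slides (my own code, not the scripts shipped with EyeWitness), this Python keeps every target URL and its status in a SQLite table that lives in the scan directory; each result is committed as soon as it is captured, so a run that dies can be restarted and only pending URLs are processed again. The URL list, the `fake_capture` callback and the `limit` argument used to simulate an interrupted run are constructed for the example; `sqlite3` is in the standard library, which is what keeps the tool free of a database server requirement.

```python
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS targets (
    url    TEXT PRIMARY KEY,
    status TEXT NOT NULL DEFAULT 'pending',   -- pending | done | error
    error  TEXT
);
"""


def open_db(path=":memory:"):
    """Open (or create) the tracking database; a real run passes a file path next to the report."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_targets(conn, urls):
    """INSERT OR IGNORE so re-feeding the same input file never resets progress already made."""
    with conn:
        conn.executemany("INSERT OR IGNORE INTO targets(url) VALUES (?)", [(u,) for u in urls])


def pending(conn):
    return [row[0] for row in conn.execute(
        "SELECT url FROM targets WHERE status = 'pending' ORDER BY url")]


def mark_done(conn, url, error=None):
    """Record the outcome of one target; `with conn:` commits immediately."""
    with conn:
        conn.execute("UPDATE targets SET status = ?, error = ? WHERE url = ?",
                     ("error" if error else "done", error, url))


def run_scan(conn, capture, limit=None):
    """Process pending URLs in order. `limit` exists only to simulate a run killed part-way."""
    processed = 0
    for url in pending(conn):
        if limit is not None and processed >= limit:
            break
        try:
            capture(url)
            mark_done(conn, url)
        except Exception as exc:             # one broken target must not take the scan down
            mark_done(conn, url, error=str(exc))
        processed += 1
    return processed


def summary(conn):
    return dict(conn.execute("SELECT status, COUNT(*) FROM targets GROUP BY status").fetchall())


# Constructed target list and a stand-in for the screenshot step (10.0.0.3 is built to fail).
TARGETS = [f"http://10.0.0.{i}" for i in range(1, 6)]


def fake_capture(url):
    if url.endswith(".3"):
        raise RuntimeError("connection timed out")


def demo():
    conn = open_db()
    add_targets(conn, TARGETS)
    first = run_scan(conn, fake_capture, limit=2)    # "killed" after two targets
    left = pending(conn)                              # what a restarted run would see
    second = run_scan(conn, fake_capture)             # resumed run touches only the remainder
    add_targets(conn, TARGETS)                        # same input again: nothing is reset
    return first, left, second, summary(conn), pending(conn)


if __name__ == "__main__":
    print(demo())
```

Because the state table is keyed by URL and every transition is its own transaction, the same database also serves the auxiliary uses the slide hints at (search, re-categorisation) without a separate bookkeeping format.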

Page 38: An EyeWitness View into your Network
Page 39: An EyeWitness View into your Network

Protocols?

●  We wanted to add in RDP and VNC

●  Found a python library which does exactly what we needed!

https://github.com/citronneur/rdpy

Page 40: An EyeWitness View into your Network

EyeWitness 2.0

Page 41: An EyeWitness View into your Network
Page 42: An EyeWitness View into your Network
Page 43: An EyeWitness View into your Network
Page 44: An EyeWitness View into your Network
Page 45: An EyeWitness View into your Network
Page 46: An EyeWitness View into your Network

EyeWitness 2.0

●  Modularized the tool
  ○  Future updates/support is significantly easier
●  Added in auxiliary scripts for interacting with the database

Page 47: An EyeWitness View into your Network

Auxiliary Scripts

●  Search - Searches database for website with string specified

●  Recategorize - Creates new report based off of updated sigs

●  Mikto - Generates URL list for Mikto (multi-threaded Nikto)

●  Tomcat (upcoming) - Searches for and brute-forces Tomcat servers

Page 48: An EyeWitness View into your Network

Writing Signatures

●  Signatures are easy to add
●  View the source code, then write it!
  ○  <sig>|<Name> <Creds>
  ○  <sig>;<sig>;<sig>...|<Name> <Creds>

Page 49: An EyeWitness View into your Network

Adding to Categories

●  Categories are also easy to add
●  View the source code, then write it!
  ○  <sig>|<category>
  ○  <sig>;<sig>;<sig>...|<category>

●  Same signature for default creds can be used for categories
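An added example, not the project's real signature files or matching code, of a parser for the two line formats shown on this and the previous slide (`<sig>;<sig>...|<Name> <Creds>` and `<sig>;<sig>...|<category>`): every `;`-separated fragment must appear in the saved page source for the line to match, and one parser serves both files because only the label after `|` differs, which is what the last bullet observes. The signature lines, product names, credential placeholders and HTML pages below are all constructed.

```python
# Constructed signature lines in the slide's format (not EyeWitness's real signature file).
CREDS_SIGNATURES = """\
# <sig>;<sig>...|<Name> <Creds>
Acme Router Login;name="login"|Acme Router admin:PLACEHOLDER
ExampleCam Web Viewer|ExampleCam admin:PLACEHOLDER
"""

CATEGORY_SIGNATURES = """\
# <sig>;<sig>...|<category>
Acme Router Login|highval
Acme Printer Status Page|printers
ExampleCam Web Viewer|crap
"""


def parse_signatures(text):
    """Return [(needles, label)] where needles is the list of strings that must all be present."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments
        if "|" not in line:
            raise ValueError(f"signature line {lineno}: missing '|' before the label")
        needles, label = line.rsplit("|", 1)         # rsplit so a '|' inside a needle survives
        needles = [n for n in needles.split(";") if n]
        if not needles or not label.strip():
            raise ValueError(f"signature line {lineno}: empty signature or label")
        sigs.append((needles, label.strip()))
    return sigs


def match(source, sigs):
    """Labels of every signature whose needles all occur in the page source (case-insensitive)."""
    lowered = source.lower()
    return [label for needles, label in sigs if all(n.lower() in lowered for n in needles)]


def categorize(source, category_sigs, default="uncategorized"):
    """First matching category wins, so order the category file from most to least specific."""
    hits = match(source, category_sigs)
    return hits[0] if hits else default


# Constructed page sources standing in for what the screenshot step saved to disk.
ROUTER_HTML = ('<html><head><title>Acme Router Login</title></head>'
               '<body><form name="login" method="post">...</form></body></html>')
PRINTER_HTML = '<html><head><title>Acme Printer Status Page</title></head><body>Ready</body></html>'

if __name__ == "__main__":
    creds = parse_signatures(CREDS_SIGNATURES)
    cats = parse_signatures(CATEGORY_SIGNATURES)
    for name, page in (("router", ROUTER_HTML), ("printer", PRINTER_HTML)):
        print(name, categorize(page, cats), match(page, creds))
```

Requiring every fragment of a multi-part signature to match is what keeps a short needle such as a vendor name from flagging every page that merely mentions that vendor; the parser rejecting malformed lines up front is cheaper than discovering a silent non-match after a long run.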

Page 50: An EyeWitness View into your Network
Page 51: An EyeWitness View into your Network

EyeWitness Stats

●  Originally: 409 lines
●  Currently: 3500+ Lines
●  Reasons?
  ○  signatures
  ○  report generation
  ○  .. real guess?

Page 52: An EyeWitness View into your Network

Future Work

●  Additional Aux Modules
●  Additional Protocol Support
  ○  x11?
  ○  ideas?
●  Optical Character Recognition
  ○  Hunt for users via RDP

Page 53: An EyeWitness View into your Network

?

●  Github
  ○  https://github.com/ChrisTruncer/EyeWitness

●  Chris Truncer
  ○  @ChrisTruncer
  ○  [email protected]

●  Rohan Vazarkar
  ○  @CptJesus
  ○  [email protected]