An EyeWitness View into your Network
@ChrisTruncer
Whoami
● Christopher Truncer (@ChrisTruncer)
  ○ Florida State Seminole
  ○ Open Source Developer
    ■ Veil Framework
    ■ Egress-Assess
    ■ Just-Metadata, etc.
  ○ Mandiant’s Red Team
● Rohan Vazarkar (@CptJesus)
What’s this talk about?
● Our Host Identification Process
● Intro to EyeWitness and the Problem it Solves
● EyeWitness 2.0
● Demo
Typical Assessment Lifecycle
http://image.slidesharecdn.com/gates-open-source-information-gathering-brucon-111108214432-phpapp02/95/open-source-information-gathering-brucon-edition-9-728.jpg?cb=1320788708
First Step
● Discovery/Recon - why care?
  ○ Do you know all your assets?
  ○ Does your customer?
  ○ Do you know all the services running on your systems?
Blue Teamers
● People just randomly plug stuff into your network!
  ○ Wifi APs
  ○ Computers
  ○ Wifi devices (phones)
● Are you periodically looking for them?
Red Teamers
● Want to find anything we can attack or use to gain a foothold
  ○ Rogue access point
  ○ Long-ago forgotten system
  ○ Misconfigured services
● Our initial discovery scans can help identify quick wins
  ○ Why be sophisticated when I can login w/ tomcat:tomcat
Scans
● Penetration Test
  ○ NMap
  ○ Nessus
● Red Team
  ○ Potentially neither
  ○ Likely highly targeted scans
NMap Timing
● Timing
  ○ ping a few live hosts
  ○ identify the time it took to receive a response
NMap Timing
● Timing Options
  ○ --initial-rtt-timeout 200ms
  ○ --max-rtt-timeout 100ms
  ○ --max-retries 1
  ○ --max-scan-delay 0
    ■ Usually
NMap Scan
● nmap -vvv -Pn -n --open --initial-rtt-timeout 175ms --max-rtt-timeout 100ms --max-retries 1 --max-scan-delay 0 -iL <inputfile> -oA results -p21,22,23,25,135,139,443,445,3306,3389
NMap Scan
● Once complete, make a list of live systems
● Full port scan against live systems with -A
  ○ Potentially provides banner information
  ○ Useful for parsing and identifying services for screenshots :)
Nessus
● Obvious use case is for vulnerability information...
● ...but can be useful for identifying live systems if not needing stealth
● .nessus files contain a lot of information we can use
  ○ Easy to parse xml
  ○ Essentially provides the same content as nmap xml
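Both the nmap slides above (the -A port scan whose XML is parsed for services) and this Nessus slide describe the same step: turning scanner XML into a list of hosts to screenshot. The following is an added example of that parsing, written for this page and not EyeWitness's own input code. The two XML documents are constructed samples with only the elements the parser reads; the service-name sets, the "port 443 means TLS" rule for Nessus, and the `msrdp` service name are assumptions.

```python
"""Build an EyeWitness-style target list from nmap XML and .nessus (v2) XML.
Added example, not EyeWitness's own parser. Sample documents are constructed."""
import xml.etree.ElementTree as ET

# nmap service names treated as web servers (assumption: a reasonable subset)
WEB_SERVICE_NAMES = {"http", "https", "http-proxy", "http-alt", "www", "ssl/http"}
RDP_SERVICE_NAMES = {"ms-wbt-server", "rdp"}


def _web_url(ip, port, ssl):
    return f"{'https' if ssl else 'http'}://{ip}:{port}"


def parse_nmap_xml(xml_text):
    """Return web and RDP targets for every host nmap reported as up."""
    targets = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not screenshot candidates
            portid = int(port.get("portid"))
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ssl = service is not None and service.get("tunnel") == "ssl"
            if name in WEB_SERVICE_NAMES or name.startswith("http"):
                targets.append(_web_url(ip, portid, ssl or name == "https"))
            elif name in RDP_SERVICE_NAMES or portid == 3389:
                targets.append(f"rdp://{ip}:{portid}")
    return targets


def parse_nessus_xml(xml_text):
    """Return targets from a .nessus v2 report, one per host/port even though
    Nessus emits one ReportItem per plugin finding."""
    targets = []
    for rhost in ET.fromstring(xml_text).iter("ReportHost"):
        ip = rhost.get("name")
        tag = rhost.find("HostProperties/tag[@name='host-ip']")
        if tag is not None and tag.text:
            ip = tag.text.strip()  # prefer the IP over a DNS name
        seen = set()
        for item in rhost.findall("ReportItem"):
            port = int(item.get("port", "0"))
            svc = item.get("svc_name", "")
            if port == 0 or port in seen:  # port 0 carries host-level findings
                continue
            seen.add(port)
            if svc in ("www", "http", "https"):
                targets.append(_web_url(ip, port, svc == "https" or port == 443))
            elif svc in ("msrdp", "rdp") or port == 3389:
                targets.append(f"rdp://{ip}:{port}")
    return targets


def build_target_list(nmap_xml=None, nessus_xml=None):
    """Merge both sources, dropping duplicates while keeping order."""
    merged, seen = [], set()
    for url in ((parse_nmap_xml(nmap_xml) if nmap_xml else []) +
                (parse_nessus_xml(nessus_xml) if nessus_xml else [])):
        if url not in seen:
            seen.add(url)
            merged.append(url)
    return merged


NMAP_SAMPLE = """<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""  # constructed

NESSUS_SAMPLE = """<NessusClientData_v2><Report name="constructed">
  <ReportHost name="web01"><HostProperties><tag name="host-ip">10.0.0.7</tag></HostProperties>
    <ReportItem port="0" svc_name="general" protocol="tcp" pluginName="host"/>
    <ReportItem port="8080" svc_name="www" protocol="tcp" pluginName="a"/>
    <ReportItem port="8080" svc_name="www" protocol="tcp" pluginName="b"/>
    <ReportItem port="443" svc_name="https" protocol="tcp" pluginName="c"/>
  </ReportHost>
  <ReportHost name="10.0.0.5">
    <ReportItem port="80" svc_name="www" protocol="tcp" pluginName="a"/>
  </ReportHost>
</Report></NessusClientData_v2>"""  # constructed

if __name__ == "__main__":
    for url in build_target_list(NMAP_SAMPLE, NESSUS_SAMPLE):
        print(url)
```

Writing the merged list to a text file gives the third input format the tool accepts; keeping the three parsers separate means a broken Nessus export cannot take the nmap results down with it.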
Point of Recon & Enumeration
● Identify live hosts on the network
● Identify any active services
● Obtain system/OS version information
● Generate a list of hosts to investigate further
● Identify quick wins
https://nmap.org/images/nmap-401-demoscan-798x774.gif
Why Automate?
● Previous steps lead up to this list
● Find hundreds, or thousands, of HTTP(s) servers
  ○ Manual review…. no thanks
● Thousands of RDP servers
● How do we begin to process/analyze these systems if not in an automated manner?
Development Began
Problems to Solve
● Automate web screenshots
● Generate a usable report
● Take input in multiple formats
● Identify default credentials
● Wanted to learn
Existing Tools
● NMap - NSE Plugin
● PeepingTom - by Tim Tomes
  ○ Closest to what I wanted
● Nessus - Commercial Product
Started With This
StackOverflow
http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-or-with-python
Developed a POC
Needed Improvements
● File Input:
  ○ Text File
  ○ NMap
  ○ Nessus
● Report Generation
● User Agent Switching
● Default credentials signatures
Report Generation
● Simple - HTML table tags
● Store server header and screenshots
● Multi-Page Reports (don’t crash your browser)
● Link structure for reports
  ○ Off by one bugs aren’t fun
EyeWitness 1.0
Improvements (still)
Updates Needed
● Library Issues
  ○ Ghost - good, but a hack
● Spaghetti code
● Group “similar” pages
● No way to resume a scan
● Other protocols?
https://c2.staticflickr.com/8/7248/7021453583_c8e2b7597f.jpg
Fix the Problems
● Drop Ghost
  ○ Didn’t want to do this - pure python is nice
  ○ Stability issues forced our hand
  ○ Lack of development
Library Solution
● PhantomJS
● Selenium
http://38.media.tumblr.com/c5d6de716be379af2e7bf68dce080cd2/tumblr_inline_n0b4hyJnfG1sr0bzb.png http://www.seleniumhq.org/selenium-rc.png
Spaghetti Code Fixes
● What we called the “nuke_it_all” principle
  ○ rm -rf it all and start over
● Went from approx 100 variables to more of an OO design
http://cdn.meme.am/instances/54834100.jpg
Result Groupings
● We investigated multiple solutions
  ○ Levenshtein Distance (thanks @Digininja)
    ■ Measure the distance between strings
  ○ Fuzzy Sorting
    ■ This was the winner
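As an added example for both options on this slide (not EyeWitness's own grouping code), the block below implements Levenshtein distance, turns it into a 0..100 similarity, and then builds the "fuzzy sorting" variant on top of it: sort the words of each page title before comparing, so two login pages whose text is merely reordered score as identical. The `token_sort_ratio` here is my approximation of that idea, the 80 threshold and the greedy grouping are assumptions, and the page titles are constructed.

```python
"""Group screenshot results by page-text similarity.
Added example, not EyeWitness's own code. Titles below are constructed."""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) with two-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def ratio(a, b):
    """Similarity 0..100 from the raw edit distance; word order matters."""
    if not a and not b:
        return 100
    return int(round(100 * (1 - levenshtein(a, b) / max(len(a), len(b)))))


def token_sort_ratio(a, b):
    """Sort the words first, so 'Login - Printer' and 'Printer - Login' compare equal
    (assumption: this stands in for the fuzzy-sorting approach the slide mentions)."""
    sa = " ".join(sorted(a.lower().split()))
    sb = " ".join(sorted(b.lower().split()))
    return ratio(sa, sb)


def group_pages(pages, threshold=80, score=token_sort_ratio):
    """Greedy single pass: a page joins the first group whose representative
    scores >= threshold, otherwise it starts a new group."""
    groups = []
    for url, text in pages:
        for g in groups:
            if score(g["rep"], text) >= threshold:
                g["urls"].append(url)
                break
        else:
            groups.append({"rep": text, "urls": [url]})
    return [g["urls"] for g in groups]


SAMPLE_PAGES = [  # constructed (url, page title) pairs
    ("http://10.0.0.5:80", "Login - Printer status"),
    ("http://10.0.0.8:80", "Printer status - Login"),
    ("http://10.0.0.7:8080", "Apache Tomcat/8.0.36"),
    ("http://10.0.0.9:8080", "Apache Tomcat/8.0.33"),
    ("https://10.0.0.10:443", "iDRAC - Login"),
]

if __name__ == "__main__":
    for group in group_pages(SAMPLE_PAGES):
        print(group)
```

Comparing against one representative per group keeps the work at O(pages x groups) rather than all pairs, which matters once the input list is in the thousands; the trade-off is that the first page seen defines its group.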
Introduce Categories
● Sorting similar pages works
● Expand into categories
  ○ High Value Targets
  ○ iDrac
  ○ VoIP
  ○ Crap
  ○ Printers
    ■ So annoying, they are worse than Crap
Resuming Scans
● If a scan died on the last website, the whole scan died
  ○ You’d have the artifacts
    ■ Source Code
    ■ Screenshots
  ○ No Report
  ○ Very frustrating for large lists
Resuming Scans
● Rohan began investigating a fix
  ○ SQLite to the rescue!
    ■ We wanted to stay lightweight without a db requirement
    ■ Track URLs scanned and completed
    ■ Allows us to tie into this for other purposes
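The two Resuming Scans slides describe the failure (one dead target killed the whole run) and the fix (track each URL's completion in SQLite). The following is an added example of that pattern, not EyeWitness's own database code: every target is committed the moment it finishes, a "crash" is simulated by stopping after two targets, and reopening the same database file picks up only the pending ones. The table layout, `fake_capture` stand-in and target list are constructed.

```python
"""Persist scan progress in SQLite so an interrupted run can be resumed.
Added example, not EyeWitness's own code. Targets and capture stub are constructed."""
import os
import sqlite3
import tempfile


class ScanState:
    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS targets ("
                        " url TEXT PRIMARY KEY,"
                        " complete INTEGER NOT NULL DEFAULT 0,"
                        " error TEXT)")
        self.db.commit()

    def add_targets(self, urls):
        # INSERT OR IGNORE lets a restarted run feed the same input list without duplicates
        self.db.executemany("INSERT OR IGNORE INTO targets(url) VALUES (?)",
                            [(u,) for u in urls])
        self.db.commit()

    def pending(self):
        return [r[0] for r in self.db.execute(
            "SELECT url FROM targets WHERE complete = 0 ORDER BY rowid")]

    def mark_complete(self, url, error=None):
        self.db.execute("UPDATE targets SET complete = 1, error = ? WHERE url = ?",
                        (error, url))
        self.db.commit()  # commit per target: a crash loses at most the in-flight URL

    def progress(self):
        return self.db.execute(
            "SELECT COALESCE(SUM(complete), 0), COUNT(*) FROM targets").fetchone()

    def errors(self):
        return dict(self.db.execute(
            "SELECT url, error FROM targets WHERE error IS NOT NULL"))

    def close(self):
        self.db.close()


def run_scan(state, capture, stop_after=None):
    """Work through pending targets; stop_after simulates the process dying part-way.
    A failing target is recorded as complete-with-error so it is not retried forever."""
    processed = 0
    for url in state.pending():
        if stop_after is not None and processed >= stop_after:
            break
        try:
            capture(url)
            state.mark_complete(url)
        except Exception as exc:
            state.mark_complete(url, error=str(exc))
        processed += 1
    return processed


def fake_capture(url):
    """Stand-in for the screenshot step (constructed); one target always fails."""
    if url.endswith(":9999"):
        raise ConnectionError("connection refused")


SAMPLE_TARGETS = [  # constructed
    "http://10.0.0.5:80", "https://10.0.0.5:443",
    "http://10.0.0.7:9999", "rdp://10.0.0.5:3389",
]


def demo_resume(path=None):
    """Run, 'crash' after two targets, reopen the file, finish. Returns
    (first run count, pending after crash, second run count, progress, errors)."""
    cleanup = path is None
    if cleanup:
        fd, path = tempfile.mkstemp(suffix=".db")
        os.close(fd)
    try:
        state = ScanState(path)
        state.add_targets(SAMPLE_TARGETS)
        first = run_scan(state, fake_capture, stop_after=2)
        left = state.pending()
        state.close()
        state = ScanState(path)            # reopen, as a restarted process would
        state.add_targets(SAMPLE_TARGETS)  # same input list, nothing duplicated
        second = run_scan(state, fake_capture)
        result = (first, left, second, state.progress(), state.errors())
        state.close()
        return result
    finally:
        if cleanup:
            os.remove(path)


if __name__ == "__main__":
    print(demo_resume())
```

Because the state lives in one file with no server, the report generator and the auxiliary scripts can read the same table later, which is the "tie into this for other purposes" point on the slide.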
Protocols?
● We wanted to add in RDP and VNC
● Found a python library which does exactly what we needed!
https://github.com/citronneur/rdpy
EyeWitness 2.0
EyeWitness 2.0
● Modularized the tool
  ○ Future updates/support is significantly easier
● Added in auxiliary scripts for interacting with the database
Auxiliary Scripts
● Search - Searches database for website with string specified
● Recategorize - Creates new report based off of updated sigs
● Mikto - Generates URL list for Mikto (multi-threaded Nikto)
● Tomcat (upcoming) - Searches for and brute forces tomcat servers
Writing Signatures
● Signatures are easy to add
● View the source code, then write it!
  ○ <sig>|<Name> <Creds>
  ○ <sig>;<sig>;<sig>...|<Name> <Creds>
Adding to Categories
● Categories are also easy to add
● View the source code, then write it!
  ○ <sig>|<category>
  ○ <sig>;<sig>;<sig>...|<category>
● Same signature for default creds can be used for categories
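The Writing Signatures and Adding to Categories slides share one line format, so one parser serves both. The block below is an added example of that parser and matcher, not EyeWitness's own signature code: it reads `<sig>;<sig>|<label>` lines, requires every `;`-separated fragment to appear in the captured page source (an assumption about how the tool combines them), and reports default-credential labels and a category for each page. The rule lines, page sources and URLs are constructed; the tomcat:tomcat entry only restates the pair mentioned earlier in the talk.

```python
"""Parse EyeWitness-style signature and category files and match them against
captured page source. Added example, not EyeWitness's own code; rules and
pages below are constructed."""


def parse_rules(text):
    """Turn 'sig;sig|label' lines into (fragments, label) pairs; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "|" not in line:
            raise ValueError(f"line {lineno}: missing '|' separator")
        sigs, label = line.rsplit("|", 1)  # the label never contains '|'
        fragments = [s.strip() for s in sigs.split(";") if s.strip()]
        if not fragments or not label.strip():
            raise ValueError(f"line {lineno}: empty signature or label")
        rules.append((fragments, label.strip()))
    return rules


def match_rules(source, rules):
    """Labels of every rule whose fragments all occur in the source (case-insensitive)."""
    src = source.lower()
    return [label for fragments, label in rules
            if all(f.lower() in src for f in fragments)]


def categorize(source, category_rules, default="uncategorized"):
    """First matching category wins, so list the most specific rules first."""
    hits = match_rules(source, category_rules)
    return hits[0] if hits else default


# constructed rule files in the <sig>|<Name> <Creds> and <sig>|<category> layouts
SIGNATURES = """
# fragment;fragment|Name Creds
<title>Apache Tomcat;Manager App|Apache Tomcat tomcat:tomcat
"""

CATEGORIES = """
Integrated Dell Remote Access Controller|iDrac
<title>Apache Tomcat|High Value Targets
HP LaserJet|Printers
"""

# constructed page sources
TOMCAT_PAGE = ('<html><head><title>Apache Tomcat/8.0.36</title></head>'
               '<body><a href="/manager/html">Manager App</a></body></html>')
IDRAC_PAGE = ('<html><head><title>Integrated Dell Remote Access Controller 7 - Login'
              '</title></head><body></body></html>')
PRINTER_PAGE = '<html><head><title>HP LaserJet 400 - Status</title></head></html>'


def report(pages):
    """Map each URL to its category and any default-credential signature hits."""
    sig_rules = parse_rules(SIGNATURES)
    cat_rules = parse_rules(CATEGORIES)
    return {url: {"category": categorize(src, cat_rules),
                  "default_creds": match_rules(src, sig_rules)}
            for url, src in pages}


if __name__ == "__main__":
    for url, info in report([("http://10.0.0.7:8080", TOMCAT_PAGE),
                             ("https://10.0.0.10:443", IDRAC_PAGE),
                             ("http://10.0.0.5:80", PRINTER_PAGE)]).items():
        print(url, info)
```

One practical caveat the format implies: a fragment cannot itself contain `;` or `|`, so pick signature strings from the HTML that avoid both characters, and keep the fragment set small enough that a minor firmware update does not break the match.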
EyeWitness Stats
● Originally: 409 lines
● Currently: 3500+ Lines
● Reasons?
  ○ signatures
  ○ report generation
  ○ .. real guess?
Future Work
● Additional Aux Modules
● Additional Protocol Support
  ○ x11?
  ○ ideas?
● Optical Character Recognition
  ○ Hunt for users via RDP
?
● Github
  ○ https://github.com/ChrisTruncer/EyeWitness
● Chris Truncer
  ○ @ChrisTruncer
  ○ [email protected]
● Rohan Vazarkar
  ○ @CptJesus
  ○ [email protected]