RUBY for PENETRATION TESTERS RUBY for PENETRATION Ruby for Penetration Testers

Total Page:16

File Type:pdf, Size:1020Kb

RUBY for PENETRATION TESTERS RUBY for PENETRATION Ruby for Penetration Testers 1 RUBY FOR PENETRATION TESTERS RUBY FOR PENETRATION ruby for penetration testers When you're down deep reversing a protocol • Getting up close and personal with or picking apart a binary, getting up to speed proprietary file formats quickly can be challenging in the best of circumstances. Over the past few years, we've • Becoming the puppet-master of both native figured out a tool that we can rely on every and Java applications atruntime time: the Ruby programming language. We'd like to highlight our use of Ruby to solve the • Exposing the most intimate parts of exotic security testing problems we're faced with network services like JRMI and Web services every day. • Trimming the time you spend decoding proprietary protocols and cutting directly to We use Ruby because it’s easy, flexible, and powerful. It works for everything from reverse fuzzing them engineering firmware bus protocols to fuzzing file formats to static and dynamic binary As if all that wasn’t enough, we'll show you analysis. We've used it to beat up web apps, how to make Ruby mash-ups of the stuff you and we've stuck with it all the way to attacking already love. Make the tools you already rely exotic proprietary hardware applications. on new again by getting them to work Having a great set of tools available to meet together, harder and smarter. When you're your needs might be the difference between a asked to get twice as much done in half the successful result for your customer and time, smile confidently knowing you have a updating your resume with the details of your secret weapon and the job will get done. former employer. WHY WE LIKE RUBY Not familiar with Ruby? None of us were either on that fateful day when Dino Dai Zovi declared Python “the language of over the hill You wouldn’t be reading this white paper or hackers”. But we were surprised at how easy attending our talk unless you already knew Ruby was to pick up. So we'll lead off by some kind of scripting language. So the illustrating why Ruby is so powerful, making a easiest way to help you “get” Ruby is to case for rapidly prototyping everything from compare it to other languages. reversing tools to hacked up network clients using our not-so-patented “bag-o-tricks” The language everyone compares Ruby to is approach. Python. You can Bing “Ruby vs. Python” and find 1,000 good shootouts. Most of them are Then we dive into our real-world experiences going to point out the most important fact: using Ruby to quickly get up and running on a Ruby and Python are remarkably similar wide range of tasks, including: languages, to the point where you can readily port code between them. If you're a • Ripping apart static binaries and bending pentester, here are some of the big them to your will differences you'll care about: • Ruby has “blocks”, which are a notation for defining functions on the fly without naming 2 them; you can stuff them into variables and Ruby has an answer to almost every situation DOCUMENT TITLE pass them around. This is huge: it allows where we would want to develop custom you to define domain-specific languages code to solve a problem: and new control structures, and it’s absolutely killer for writing asynchronous • We can redefine portions of the library with network code. “monkey patches”, for instance to allow all Numeric types to render as bignums. • Python is faster than Ruby. Not a little bit faster. A lot faster. • We can call low-level C libraries with Ruby/ DL, FFI, or Win32ole. Or we can wrap the • But Ruby has first-class regular expressions, library directly by extending the Ruby using the /regex/ syntax borrowed from interpreter. Perl. This means regexes are insanely easy to use in Ruby. You don’t have to “import” • We can even add Ruby into existing tools them from a library or instantiate classes. written in languages like C. • Python has a huge, sprawling standard • Ruby allows us to easily create DSL (Domain library. Ruby has a smaller, tighter standard Specific Language) frameworks like Ruckus, library. where defining complex structures is done in code, not complex configuration files. Yes, Ruby has some syntax borrowed from Perl. Yes, this is a scary idea. But you don’t WHO ELSE IS USING RUBY? care: the regex syntax is good, and the rest of it you can pretend doesn’t exist. Nobody Ever hear of Metasploit? Metasploit may be writes Ruby code that looks like Perl. one of the largest Ruby projects in existence and arguably in the most popular list of Ruby Mike Tracy, god help him, came to Matasano frameworks. Metasploit makes advanced from Tcl. Tcl and Ruby are surprisingly similar: exploitation of vulnerabilities possible through you can call Ruby “Japanese Tcl” and defend easy to use interfaces, payloads and tools. All that name long enough to upset a Rails of this great stuff is also supported on programmer. Go ahead, try it! Ruby multiple platforms thanks to Ruby. programmers use blocks for a lot of the same things that Tcl programmers use “uplevel” for, Metasm is another powerful Ruby framework and the Ruby object model is very similar to for compiling, disassembling and debugging [incr Tcl]. native code from Ruby. Metasm is included with the Metasploit framework as well. All these dynamic languages are flexible. Ruby allows us to rapidly prototype tools for Ronin is another Ruby framework written with vulnerability exploitation, protocol fuzzing, security and data exploration in mind. Ronin reverse engineering and everything in- provides convienence methods for an array of between. Many of the tools we develop in different protocols that penetration testers Ruby are easily hooked into one another might find useful. which can further speed up tool development and promotes code reuse. 3 SCRIPTED PENETRATION TESTING application basis using mixins and monkey DOCUMENT TITLE patches that are specific to your engagement. Your first question about whether a language is good for pentesting is, “how does it handle It also includes a ViewState (de)serializer web work”. Our answer: WWMD. that outputs to and reads in from XML. If you've never fuzzed ViewState before WWMD is a console for breaking web (working on one of the 4% of web applications. It’s like “pentesting Expect”: it’s applications out there that don’t have something in between a programming EnableViewStateMac = true?) then this is your environment and a console. huckleberry. Another interesting use for the ViewState deserializer is to programatically WWMD isn’t intended to be just another of base64 decode BinarySerialized() (custom the myriad tools used to conduct web serializations of objects like Telerik controls) application security assessments. Its goal is to that you'll find in many web applications. provide an easily accessible scripting Before WWMD, I had to do all that work by framework that includes the basic elements of hand. a web testing tool (transport and parsing) and combine them with convenience methods that A simple login example: make manual and automated testing tasks easier. Working either in IRB or from scripts, wwmd(main):003:0> page = it’s a snap to create powerful tools that take Page.new();nil care of the time consuming and repetitive => nil stuff and help you with the more subtle and wwmd(main):004:0> page.baseurl = advanced things you need to get done. “http://www.example.com” => “http://www.example.com” WWMD relies on Ruby and some great wwmd(main):005:0> page.get “http:// libraries for its base. Even if you're not going www.example.com/example/” to use WWMD, you should know about: => [200, 663] wwmd(main):006:0> page.text • Curb, which provides libcurl bindings for => “Login:\nPassword:\n” Ruby, which we use for our raw HTTP wwmd(main):007:0> form = page.getform transport. => [[“username”, nil], [“password”, nil]] • Nokogiri, for parsing HTML documents. wwmd(main):008:0> form[‘username’] = “jqpublic” Curb and Nokogiri are extremely excellent => “jqpublic” libraries, each of them reason enough to wwmd(main):011:0> form[‘password’] = spend some time learning Ruby. “password” => “password” To this, WWMD adds methods for everything wwmd(main):012:0> page.submit form from manipulating headers and application => [200, 2117] inputs to encodings. It also includes a patch wwmd(main):013:0> to Curb to allow sending requests using page.bodydata.match(/you are logged arbitrary methods (OPTIONS, TRACE, in.*/)[0].striphtml RANDOM). All of the behaviors of the base => “you are logged in as jqpublic Page object can be easily modified on a per- [logout]” wwmd(main):014:0> 4 Ever see a web form that takes an argument REVERSING DOCUMENT TITLE like: Reverse engineering has taken a front seat in args=key|value;key|value;key|value vulnerability research and penetration testing over the last few years. Often a penetration Instead of just fuzzing the form variable, you tester may be tasked with reversing can simply create a copy of the FormArray proprietary network protocols or closed class that uses | and ; as delimiters and fuzz source binaries in a relatively short amount of everything: time. wwmd(main):006:0> form = FormArray.new Ruby enables this kind of rapid tool => [] wwmd(main):007:0> cust = development whether the goal is breaking FormArray.new => [] open a custom network protocols header wwmd(main):008:0> cust.delimiter = “;” structure and de-obfuscating its payload or => “;” finding that backdoor in a compiled wwmd(main):009:0> cust.equals = “|” executable. We have developed tools to do => “|” both these kinds of things.
Recommended publications
  • Python Guide Documentation 0.0.1
    Python Guide Documentation 0.0.1 Kenneth Reitz 2015 09 13 Contents 1 Getting Started 3 1.1 Picking an Interpreter..........................................3 1.2 Installing Python on Mac OS X.....................................5 1.3 Installing Python on Windows......................................6 1.4 Installing Python on Linux........................................7 2 Writing Great Code 9 2.1 Structuring Your Project.........................................9 2.2 Code Style................................................ 15 2.3 Reading Great Code........................................... 24 2.4 Documentation.............................................. 24 2.5 Testing Your Code............................................ 26 2.6 Common Gotchas............................................ 30 2.7 Choosing a License............................................ 33 3 Scenario Guide 35 3.1 Network Applications.......................................... 35 3.2 Web Applications............................................ 36 3.3 HTML Scraping............................................. 41 3.4 Command Line Applications....................................... 42 3.5 GUI Applications............................................. 43 3.6 Databases................................................. 45 3.7 Networking................................................ 45 3.8 Systems Administration......................................... 46 3.9 Continuous Integration.......................................... 49 3.10 Speed..................................................
    [Show full text]
  • Specialising Dynamic Techniques for Implementing the Ruby Programming Language
    SPECIALISING DYNAMIC TECHNIQUES FOR IMPLEMENTING THE RUBY PROGRAMMING LANGUAGE A thesis submitted to the University of Manchester for the degree of Doctor of Philosophy in the Faculty of Engineering and Physical Sciences 2015 By Chris Seaton School of Computer Science This published copy of the thesis contains a couple of minor typographical corrections from the version deposited in the University of Manchester Library. [email protected] chrisseaton.com/phd 2 Contents List of Listings7 List of Tables9 List of Figures 11 Abstract 15 Declaration 17 Copyright 19 Acknowledgements 21 1 Introduction 23 1.1 Dynamic Programming Languages.................. 23 1.2 Idiomatic Ruby............................ 25 1.3 Research Questions.......................... 27 1.4 Implementation Work......................... 27 1.5 Contributions............................. 28 1.6 Publications.............................. 29 1.7 Thesis Structure............................ 31 2 Characteristics of Dynamic Languages 35 2.1 Ruby.................................. 35 2.2 Ruby on Rails............................. 36 2.3 Case Study: Idiomatic Ruby..................... 37 2.4 Summary............................... 49 3 3 Implementation of Dynamic Languages 51 3.1 Foundational Techniques....................... 51 3.2 Applied Techniques.......................... 59 3.3 Implementations of Ruby....................... 65 3.4 Parallelism and Concurrency..................... 72 3.5 Summary............................... 73 4 Evaluation Methodology 75 4.1 Evaluation Philosophy
    [Show full text]
  • Brian Ray Hi, I’M Brian Ray
    Python Hype? Brian Ray Hi, I’m Brian Ray • Indy Consulting Years • Directive Years 2010-2013 1998-2003 • Leadership Years 2009-2010 • Engineering Years • Big Four Consulting 2003-2006 2013-current Taken in China May 20th, 2016 Why “Python Hype”? In the last 10 years, we are seeing Python having (select one): A. Slow and steady growth. B. Spiked and now on decline. C. Spiked + Declined now stabilized. D. Lives in independent domain. E. We (Python fans) live in a bubble. What measure? • Hype Cycle • TIOBE Index • On Github • PYPL • Some other Don’t tell me there aren’t trends Programming language “popularity” is hard to measure. Lenses to help measure: 1. Learned: was taught Python in course 2. Migrated: from language to language 3. Addressed: problem class to solve 4. Platform-ed: ecosystem of tools 5. Retained: sticking with Python 6. Promoted: Promoted 236 respondents broken up into 3 groups OUR SURVEY Who Groups 1 2 3 The missing group 4: Those who didn’t take the survey User Distribution 1 2 3 29% 49 % 22% Treatment of groups • Learned • Addressed • Migrated • Platform-ed 1 2 3 all • Retained • Curve • Promoted Questions Group 1: Learned/Migrated • 60% heard of python Word of mouth • 56% had very positive first impression, 31% had positive, less than 13% neutral or less. • Net-promoter to recommend Group 1: Learned/Migrated Group 1: Learned/Migrated “Python is Now the Most Popular Introductory Teaching Language at Top U.S. Universities” By Philip Guo July 7, 2014 Group 2: addressed / platformed • 63% very positive 1st impression (3%
    [Show full text]
  • From the Library of Andrew Heck
    ptg6929616 From the Library of Andrew Heck Praise for Eloquent Ruby “Reading Eloquent Ruby is like programming in Ruby itself: fun, surprisingly deep, and you’ll find yourself wishing it was always done this way. Wherever you are in your Ruby experience from novice to Rails developer, this book is a must read.” —Ethan Roberts Owner, Monkey Mind LLC “Eloquent Ruby lives up to its name. It’s a smooth introduction to Ruby that’s both well organized and enjoyable to read, as it covers all the essential topics in the right order. This is the book I wish I’d learned Ruby from.” —James Kebinger Senior Software Engineer, PatientsLikeMe www.monkeyatlarge.com “Ruby’s syntactic and logical aesthetics represent the pinnacle for elegance and beauty ptg6929616 in the ALGOL family of programming languages. Eloquent Ruby is the perfect book to highlight this masterful language and Russ’s blend of wit and wisdom is certain to entertain and inform.” —Michael Fogus Contributor to the Clojure programming language and author of The Joy of Clojure From the Library of Andrew Heck This page intentionally left blank ptg6929616 From the Library of Andrew Heck ELOQUENT RUBY ptg6929616 From the Library of Andrew Heck Addison-Wesley Professional Ruby Series Obie Fernandez, Series Editor Visit informit.com/ruby for a complete list of available products. ptg6929616 he Addison-Wesley Professional Ruby Series provides readers Twith practical, people-oriented, and in-depth information about applying the Ruby platform to create dynamic technology solutions. The series is based on the premise that the need for expert reference books, written by experienced practitioners, will never be satisfied solely by blogs and the Internet.
    [Show full text]
  • ABSTRACT Combining Static and Dynamic Typing in Ruby Michael
    ABSTRACT Title of dissertation: Combining Static and Dynamic Typing in Ruby Michael Furr Doctor of Philosophy, 2009 Dissertation directed by: Professor Jeffrey S. Foster Department of Computer Science Many popular scripting languages such as Ruby, Python, and Perl are dynam- ically typed. Dynamic typing provides many advantages such as terse, flexible code and the ability to use highly dynamic language constructs, such as an eval method that evaluates a string as program text. However these dynamic features have tra- ditionally obstructed static analyses leaving the programmer without the benefits of static typing, including early error detection and the documentation provided by type annotations. In this dissertation, we present Diamondback Ruby (DRuby), a tool that blends static and dynamic typing for Ruby. DRuby provides a type language that is rich enough to precisely type Ruby code, without unneeded complexity. DRuby uses static type inference to automatically discover type errors in Ruby programs and provides a type annotation language that serves as verified documentation of a method's behavior. When necessary, these annotations can be checked dynamically using runtime contracts. This allows statically and dynamically checked code to safely coexist, and any runtime errors are properly blamed on dynamic code. To handle dynamic features such as eval, DRuby includes a novel dynamic analysis and transformation that gathers per-application profiles of dynamic feature usage via a program's test suite. Based on these profiles, DRuby transforms the program before applying its type inference algorithm, enforcing type safety for dynamic constructs. By leveraging a program's test suite, our technique gives the programmer an easy to understand trade-off: the more dynamic features covered by their tests, the more static checking is achieved.
    [Show full text]
  • Rails Test Prescriptions
    What readers are saying about Rails Test Prescriptions This a must-have book for those new to testing on a team that thinks, "We don’t have time for testing," and for experienced developers look- ing to round out their testing skills. If you want to write better code, deploy with confidence, and accelerate your team’s velocity, you should read this book! John McCaffrey Rails Developer/Project Manager, Railsperformance.blogspot.com Rails Test Prescriptions presents a nuanced and unbiased overview of the tools and techniques professionals use to test their Rails apps every day. A must-read for any Rails developer, whether you’ve never written a single test or you’ve written thousands. David Chelimsky Senior Software Engineer, DRW Trading Rails Test Prescriptions is a great resource for anyone interested in getting better at testing Rails applications. New readers will find many helpful guides, and experienced readers will discover many lesser- known tips and tricks. Nick Gauthier Developer, SmartLogic Solutions If you are comfortable working with Rails, yet have no experience writ- ing tests for it, this book is an excellent resource for getting up to speed on the most successful tools used to test drive your develop- ment. Adam Williams (@aiwilliams) Noel has dispensed a fantastic collection of prescriptions for all kind of testing maladies. Whether you are a budding intern, or a highly specialized surgeon, this book will provide you with the information you need to improve your testing health. Christopher Redinger Principal, Relevance, Inc. Testing is a given in the Rails world, but the varied options can be daunting if you are just starting to learn the framework.
    [Show full text]
  • The Art of Rails (2008).Pdf
    The Art of Rails® Edward Benson Wiley Publishing, Inc. The Art of Rails® Acknowledgments .................................................................. xi Introduction ...................................................................... xix Chapter 1: Emergence(y) of the New Web ..............................................1 Chapter 2: The Rails Concept ....................................................... 21 Chapter 3: The Server as an Application .............................................. 45 Chapter 4: Getting the Most from M, V, and C ........................................ 59 Chapter 5: Beautiful Web APIs ...................................................... 89 Chapter 6: Resources and REST .................................................... 115 Chapter 7: The Five Styles of AJAX ................................................. 139 Chapter 8: Playing with Blocks..................................................... 167 Chapter 9: Mixins and Monkey Patching ............................................ 197 Chapter 10: Code That Writes Code (That Writes Code)............................... 225 Chapter 11: How I Learned to Stop Worrying and Love the Schema ..................... 253 Chapter 12: Behavior-Driven Development and RSpec ................................ 275 Index ........................................................................... 297 The Art of Rails® Edward Benson Wiley Publishing, Inc. The Art of Rails® Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com
    [Show full text]
  • Pyconsg 2013 Documentation Release 0.1.0
    PyconSG 2013 Documentation Release 0.1.0 Calvin Cheng April 20, 2015 Contents 1 General concepts: concurrency, parallelism, threads and processes3 1.1 What’s the difference between concurrency and parallelism?......................3 1.2 What’s a coroutine?...........................................3 1.3 What is a thread?.............................................3 1.4 What is a process?............................................4 1.5 What’s the difference between threads and processes?.........................4 1.6 What does that mean in the context of a python application?......................5 1.7 If CPython python has GIL, why do we still use it?...........................5 1.8 So we cannot execute in parallel with python?.............................5 1.9 Advanced distributed, parallel computing with python.........................6 2 What is gevent? 7 2.1 libevent..................................................7 2.2 libev...................................................8 2.3 greenlets.................................................9 2.4 gevent API design............................................9 2.5 gevent with other python extensions...................................9 2.6 gevent’s monkey patch..........................................9 2.7 gevent with webservers.......................................... 10 2.8 gevent with databases.......................................... 11 2.9 gevent with I/O operations........................................ 11 2.10 gevent code example........................................... 12
    [Show full text]
  • Macruby on Ios – Rubymotion Review What I Like About Rubymotion
    MacRuby on iOS – RubyMotion review Posted by Matt Aimonetti in ruby on May 4th, 2012 Yesterday, RubyMotion was released and let’s be honest, it is one the best alternatives to Objective-C out there (if not the best). RubyMotion is a commercial, proprietary fork of MacRuby that targets iOS. This is not a small achievement, MacRuby relies on Objective C’s Garbage Collector (libauto) which is not available on iOS. Static compilation and new memory management solution was required to target the iOS platform . The new runtime had to be small and efficient. Furthermore, being able to run code on iOS isn’t enough, you need tools to interact with the compiler, to debug, to packages applications etc… I don’t think anyone will contest the fact that RubyMotion is a well done product. The question however is, “is it worth for you to invest some money, time and energy in this product instead of using Apple’s language and tools“. In this article, I’ll try to balance the pros and cons of RubyMotion so you can have a better understanding of what RubyMotion could mean for you. As a disclaimer I should say that I was beta testing RubyMotion, that they are strong ties between RubyMotion and the MacRuby project I’m part of and finally that having MacRuby on iOS has been something I’ve been looking forward for a very long time. Over the last few months I’ve seen RubyMotion take shape and finally hit the big 1.0. As you can see from Twitter and HackerNews, the Ruby community is excited about being able to use their language to write statically compiled, native iOS apps.
    [Show full text]