Ruby for Penetration Testers


When you're down deep reversing a protocol or picking apart a binary, getting up to speed quickly can be challenging in the best of circumstances. Over the past few years, we've figured out a tool that we can rely on every time: the Ruby programming language. We'd like to highlight our use of Ruby to solve the security testing problems we're faced with every day.

We use Ruby because it's easy, flexible, and powerful. It works for everything from reverse engineering firmware bus protocols to fuzzing file formats to static and dynamic binary analysis. We've used it to beat up web apps, and we've stuck with it all the way to attacking exotic proprietary hardware applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.

Not familiar with Ruby? None of us were either on that fateful day when Dino Dai Zovi declared Python "the language of over the hill hackers". But we were surprised at how easy Ruby was to pick up. So we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked up network clients using our not-so-patented "bag-o-tricks" approach.

Then we dive into our real-world experiences using Ruby to quickly get up and running on a wide range of tasks, including:

• Ripping apart static binaries and bending them to your will
• Getting up close and personal with proprietary file formats
• Becoming the puppet-master of both native and Java applications at runtime
• Exposing the most intimate parts of exotic network services like JRMI and Web services
• Trimming the time you spend decoding proprietary protocols and cutting directly to fuzzing them

As if all that wasn't enough, we'll show you how to make Ruby mash-ups of the stuff you already love. Make the tools you already rely on new again by getting them to work together, harder and smarter. When you're asked to get twice as much done in half the time, smile confidently knowing you have a secret weapon and the job will get done.

WHY WE LIKE RUBY

You wouldn't be reading this white paper or attending our talk unless you already knew some kind of scripting language. So the easiest way to help you "get" Ruby is to compare it to other languages.

The language everyone compares Ruby to is Python. You can Bing "Ruby vs. Python" and find 1,000 good shootouts. Most of them are going to point out the most important fact: Ruby and Python are remarkably similar languages, to the point where you can readily port code between them. If you're a pentester, here are some of the big differences you'll care about:

• Ruby has "blocks", which are a notation for defining functions on the fly without naming them; you can stuff them into variables and pass them around. This is huge: it allows you to define domain-specific languages and new control structures, and it's absolutely killer for writing asynchronous network code.
• Python is faster than Ruby. Not a little bit faster. A lot faster.
• But Ruby has first-class regular expressions, using the /regex/ syntax borrowed from Perl. This means regexes are insanely easy to use in Ruby. You don't have to "import" them from a library or instantiate classes.
• Python has a huge, sprawling standard library. Ruby has a smaller, tighter standard library.

Yes, Ruby has some syntax borrowed from Perl. Yes, this is a scary idea. But you don't care: the regex syntax is good, and the rest of it you can pretend doesn't exist. Nobody writes Ruby code that looks like Perl.

Mike Tracy, god help him, came to Matasano from Tcl. Tcl and Ruby are surprisingly similar: you can call Ruby "Japanese Tcl" and defend that name long enough to upset a Rails programmer. Go ahead, try it! Ruby programmers use blocks for a lot of the same things that Tcl programmers use "uplevel" for, and the Ruby object model is very similar to [incr Tcl].

All these dynamic languages are flexible. Ruby allows us to rapidly prototype tools for vulnerability exploitation, protocol fuzzing, reverse engineering and everything in-between. Many of the tools we develop in Ruby are easily hooked into one another, which further speeds up tool development and promotes code reuse.

Ruby has an answer to almost every situation where we would want to develop custom code to solve a problem:

• We can redefine portions of the library with "monkey patches", for instance to allow all Numeric types to render as bignums.
• We can call low-level C libraries with Ruby/DL, FFI, or Win32ole. Or we can wrap the library directly by extending the Ruby interpreter.
• We can even add Ruby into existing tools written in languages like C.
• Ruby allows us to easily create DSL (Domain Specific Language) frameworks like Ruckus, where defining complex structures is done in code, not complex configuration files.

WHO ELSE IS USING RUBY?

Ever hear of Metasploit? Metasploit may be one of the largest Ruby projects in existence and arguably in the most popular list of Ruby frameworks. Metasploit makes advanced exploitation of vulnerabilities possible through easy to use interfaces, payloads and tools. All of this great stuff is also supported on multiple platforms thanks to Ruby.

Metasm is another powerful Ruby framework for compiling, disassembling and debugging native code from Ruby. Metasm is included with the Metasploit framework as well.

Ronin is another Ruby framework written with security and data exploration in mind. Ronin provides convenience methods for an array of different protocols that penetration testers might find useful.

SCRIPTED PENETRATION TESTING

Your first question about whether a language is good for pentesting is, "how does it handle web work". Our answer: WWMD.

WWMD is a console for breaking web applications. It's like "pentesting Expect": it's something in between a programming environment and a console.

WWMD isn't intended to be just another of the myriad tools used to conduct web application security assessments. Its goal is to provide an easily accessible scripting framework that includes the basic elements of a web testing tool (transport and parsing) and combine them with convenience methods that make manual and automated testing tasks easier. Working either in IRB or from scripts, it's a snap to create powerful tools that take care of the time consuming and repetitive stuff and help you with the more subtle and advanced things you need to get done.

WWMD relies on Ruby and some great libraries for its base. Even if you're not going to use WWMD, you should know about:

• Curb, which provides libcurl bindings for Ruby, which we use for our raw HTTP transport.
• Nokogiri, for parsing HTML documents.

Curb and Nokogiri are extremely excellent libraries, each of them reason enough to spend some time learning Ruby.

To this, WWMD adds methods for everything from manipulating headers and application inputs to encodings. It also includes a patch to Curb to allow sending requests using arbitrary methods (OPTIONS, TRACE, RANDOM). All of the behaviors of the base Page object can be easily modified on a per-application basis using mixins and monkey patches that are specific to your engagement.

It also includes a ViewState (de)serializer that outputs to and reads in from XML. If you've never fuzzed ViewState before (working on one of the 4% of web applications out there that don't have EnableViewStateMac = true?) then this is your huckleberry. Another interesting use for the ViewState deserializer is to programmatically base64 decode BinarySerialized() (custom serializations of objects like Telerik controls) that you'll find in many web applications. Before WWMD, I had to do all that work by hand.

A simple login example:

wwmd(main):003:0> page = Page.new();nil
=> nil
wwmd(main):004:0> page.baseurl = "http://www.example.com"
=> "http://www.example.com"
wwmd(main):005:0> page.get "http://www.example.com/example/"
=> [200, 663]
wwmd(main):006:0> page.text
=> "Login:\nPassword:\n"
wwmd(main):007:0> form = page.getform
=> [["username", nil], ["password", nil]]
wwmd(main):008:0> form['username'] = "jqpublic"
=> "jqpublic"
wwmd(main):011:0> form['password'] = "password"
=> "password"
wwmd(main):012:0> page.submit form
=> [200, 2117]
wwmd(main):013:0> page.bodydata.match(/you are logged in.*/)[0].striphtml
=> "you are logged in as jqpublic [logout]"
wwmd(main):014:0>

Ever see a web form that takes an argument like:

args=key|value;key|value;key|value

Instead of just fuzzing the form variable, you can simply create a copy of the FormArray class that uses | and ; as delimiters and fuzz everything:

wwmd(main):006:0> form = FormArray.new
=> []
wwmd(main):007:0> cust = FormArray.new
=> []
wwmd(main):008:0> cust.delimiter = ";"
=> ";"
wwmd(main):009:0> cust.equals = "|"
=> "|"

REVERSING

Reverse engineering has taken a front seat in vulnerability research and penetration testing over the last few years. Often a penetration tester may be tasked with reversing proprietary network protocols or closed source binaries in a relatively short amount of time.

Ruby enables this kind of rapid tool development whether the goal is breaking open a custom network protocol's header structure and de-obfuscating its payload or finding that backdoor in a compiled executable. We have developed tools to do both these kinds of things.
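The FormArray-with-custom-delimiters idea from the WWMD section, written out as an added example. This is not WWMD's FormArray class; CustomFormArray, its delimiter/equals accessors, each_mutation, nested_mutations and the sample request body are all this example's own assumptions. It shows why a delimiter-aware form class pays off: the same "replace one field, keep the rest intact" loop works on a normal query string and on a field whose value is itself a key|value;key|value blob, and every mutation stays a well-formed request the application will actually parse.

```ruby
# Added example, not WWMD code. A form-field container whose pair separator
# and key/value separator are configurable, so the same mutation loop works
# on "a=1&b=2" and on "key|value;key|value" payloads nested inside a field.
class CustomFormArray
  attr_accessor :delimiter, :equals

  def initialize(delimiter: '&', equals: '=')
    @delimiter = delimiter
    @equals = equals
    @pairs = []   # [[key, value], ...]: keeps order and duplicate keys
  end

  # Parse an encoded string with the current delimiters. A pair with no
  # key/value separator is kept as [key, nil] so it round-trips unchanged.
  def parse(str)
    @pairs = str.split(@delimiter, -1).reject(&:empty?).map do |pair|
      k, v = pair.split(@equals, 2)
      [k, v]
    end
    self
  end

  def [](key)
    pair = @pairs.find { |k, _| k == key }
    pair && pair[1]
  end

  def []=(key, value)
    pair = @pairs.find { |k, _| k == key }
    if pair
      pair[1] = value
    else
      @pairs << [key, value]
    end
  end

  def keys
    @pairs.map(&:first)
  end

  def to_s
    encode(@pairs)
  end

  # Yield one encoded copy per field, with that field's value replaced by
  # `probe` and every other field left untouched ("fuzz everything").
  def each_mutation(probe)
    return enum_for(:each_mutation, probe) unless block_given?
    @pairs.each_index do |i|
      copy = @pairs.map(&:dup)
      copy[i][1] = probe
      yield encode(copy)
    end
  end

  private

  def encode(pairs)
    pairs.map { |k, v| v.nil? ? k : "#{k}#{@equals}#{v}" }.join(@delimiter)
  end
end

# Treat `field` of an ordinary query string as a nested form with its own
# delimiters, and return one complete outer query string per inner field,
# with that inner field replaced by `probe`.
def nested_mutations(query, field, probe:, delimiter:, equals:)
  outer = CustomFormArray.new.parse(query)
  inner = CustomFormArray.new(delimiter: delimiter, equals: equals).parse(outer[field])
  inner.each_mutation(probe).map do |mutated|
    copy = CustomFormArray.new.parse(query)
    copy[field] = mutated
    copy.to_s
  end
end

# Constructed sample request body (not from any real application).
SAMPLE_QUERY = 'user=jqpublic&args=mode|read;id|42;fmt|xml'

if __FILE__ == $0
  nested_mutations(SAMPLE_QUERY, 'args', probe: 'FUZZ',
                   delimiter: ';', equals: '|').each { |q| puts q }
end
```

The probe here is the placeholder string FUZZ; in an engagement it would be whatever the test case calls for, and the point of the class is that only one field changes per request, so a server-side error can be attributed to exactly one inner key.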
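The paper's three language points (blocks as the basis of a DSL, first-class /regex/ literals, and monkey patches on core classes) and the REVERSING section's "break open a custom protocol's header and de-obfuscate its payload" both come together in one added example below. It is not code from the paper, from Ruckus or from Metasm: the Layout DSL and its verbs, the Frame wire format, the MTSN magic, the single-byte XOR and the sample command are all this example's own assumptions. The block handed to Layout.new is evaluated against the new instance, so the bare calls inside it are the field definitions; pack/unpack are then derived from that list, the same "structure defined in code, not configuration" idea the paper credits to Ruckus.

```ruby
# Added example, not code from the paper, Ruckus or Metasm. A tiny
# block-based structure DSL, an Integer monkey patch, and literal regexes,
# used to pack, parse and de-obfuscate a constructed framed protocol.

# Monkey patch: every Integer gains a hex rendering for dumps (an assumption,
# standing in for the paper's "render all Numerics as bignums" example).
class Integer
  def hex_str(width = 2)
    format('0x%0*x', width, self)
  end
end

# A Layout is defined by a block evaluated with instance_eval, so the block's
# bare calls (uint8 :version, ...) append fields. Each field records its
# Array#pack / String#unpack directive, from which the template is built.
class Layout
  Field = Struct.new(:name, :directive)

  def initialize(&definition)
    @fields = []
    instance_eval(&definition)
  end

  def bytes(name, len)  @fields << Field.new(name, "a#{len}") end
  def uint8(name)       @fields << Field.new(name, 'C')       end
  def uint16be(name)    @fields << Field.new(name, 'n')       end
  def rest(name)        @fields << Field.new(name, 'a*')      end

  def template
    @fields.map(&:directive).join
  end

  def pack(values)
    @fields.map { |f| values.fetch(f.name) }.pack(template)
  end

  def unpack(data)
    @fields.map(&:name).zip(data.unpack(template)).to_h
  end
end

# Constructed wire format (an assumption, not a real protocol): 4-byte magic,
# version, message type, big-endian payload length, one-byte XOR key, payload.
FRAME = Layout.new do
  bytes    :magic, 4
  uint8    :version
  uint8    :msg_type
  uint16be :length
  uint8    :key
  rest     :payload
end

MAGIC = 'MTSN'
# First-class regex with named captures for the de-obfuscated command line.
COMMAND_RE = /\A(?<verb>[A-Z]+) (?<path>\S+)(?: ver=(?<ver>\d+))?\z/

def xor_bytes(str, key)
  str.bytes.map { |b| b ^ key }.pack('C*')
end

# Build a frame whose payload is XOR-obfuscated with the key carried in
# the header (what a client of this made-up protocol would send).
def build_frame(msg_type, key, command)
  FRAME.pack(magic: MAGIC, version: 1, msg_type: msg_type,
             length: command.bytesize, key: key,
             payload: xor_bytes(command, key))
end

# Parse a frame: check magic and declared length against the bytes actually
# present, strip the XOR, and split the command with the regex. Returns a
# Hash of header fields plus :plain, :verb, :path, :ver; raises on bad input.
def parse_frame(data)
  raise ArgumentError, 'bad magic' unless data.start_with?(MAGIC)
  h = FRAME.unpack(data)
  unless h[:length] == h[:payload].bytesize
    raise ArgumentError, "length #{h[:length]} != #{h[:payload].bytesize}"
  end
  plain = xor_bytes(h[:payload], h[:key])
  m = COMMAND_RE.match(plain) or raise ArgumentError, "unparsed command #{plain.inspect}"
  h.merge(plain: plain, verb: m[:verb], path: m[:path], ver: m[:ver]&.to_i)
end

if __FILE__ == $0
  frame = build_frame(0x02, 0x5a, 'GET /status ver=2')
  puts frame.bytes.map(&:hex_str).join(' ')   # hex dump via the monkey patch
  p parse_frame(frame)
end
```

The length check matters when this pattern is pointed at captured traffic rather than frames you built yourself: a header that claims more payload than is present is exactly the case a hand-rolled unpack silently accepts, and the parser should refuse it rather than hand back a truncated string as if it were the whole message.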
