© 2012 Presented by: Building a Web Attacker Dashboard with ModSecurity and BeEF Ryan Barnett Lead Security Researcher Trustwave SpiderLabs [email protected] @ryancbarnett 

© 2012 Speaker Info: Ryan Barnett •  Trustwave SpiderLabs Research –  Specialize in Web Application Defense/WAF Research •  WebDefend (Commercial) •  ModSecurity (Open Source) •  OWASP –  Lead the ModSecurity Core Rule Set (CRS) Project –  Contributor for AppSensor Project •  Author –  The Web Application Defender’s Cookbook (Wiley, Dec. 2012) 

© 2012 Target Audience: Defender Community https://www.owasp.org/index.php/Defenders 

© 2012 Target Audience: Web Defenders http://www.swsec.com/resources/touchpoints/ 

© 2012 Agenda Breakdown •  OWASP Web Application Security Risks •  Situational Awareness –  Attacks –  Threats –  Tracking Threat Agents •  Building a Web Attacker Dashboard –  ModSecurity WAF –  BeEF –  Audit Console •  Example Usage •  Closing 

© 2012 OWASP Web Application Security Risks https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology Attack Focus 

© 2012 

© 2012 Threat Agent Attack Vector Security Controls Block Attack Track Threat Agent? 

© 2012 Threat Agents: Sharks You Random Opportunistic Directed Opportunistic Fully Targeted 

© 2012 Threat Agent Tracking: Satellite Tagging 

© 2012 Threat Agents: Web Attackers Your Website Random Opportunistic Directed Opportunistic Fully Targeted 

© 2012 Common Attack Methodology •  ModSecurity SQL Injection Challenge •  Automation to identify injection points –  NetSparker –  Arachni –  Sqlmap –  Havij •  Manual testing in a web browser to develop working SQLi payloads –  An iterative process of trial and error 1.  Send initial payloads and observe DB responses 2.  Use obfuscation tactics (comments, encodings, etc…) 3.  Send payload and observe DB response 4.  Repeat steps 2 - 3 

© 2012 Threat Agent Attack Vector Security Controls Block Attack Track Threat Agent? 

© 2012 © 2012 Can you identify and track malicious web application users? 

© 2012 Threat Agent Tracking: BeEF Tagging •  BeEF – The Browser Exploit Framework •  Penetration testing tool that focuses on the web browser •  Mainly used to demonstrate how internal web clients can become compromised •  Written in Ruby •  Lead Developer is Michele Orru (Trustwave SpiderLabs) –  Exploiting Internal Network Vulns via the Browser using BeEF Bind –  Thursday October 25, 2012 3:00pm - 3:45pm –  NTObjectives Room - Texas Ballroom II http://beefproject.com/ 

© 2012 Example Hooking via Stored XSS 

© 2012 

© 2012 

© 2012 © 2012 Building a Web Attacker Dashboard 

© 2012 Dashboard Components •  ModSecurity WAF –  Monitors for attacks –  Initiates BeEF Hooking •  BeEF –  Hooks malicious users –  Enumerates attacker’s location –  Monitors activities •  Audit Console –  Collects audit logs from ModSecurity –  Shares data with BeEF UI 

© 2012 Update BeEF for Attacker Dashboard Usage •  Obscure the tell-tail signs of BeEF hook in config.yaml file –  From - hook_file: "/hook.js" –  To - hook_file: "/img-min.js" •  Modify the UI Text –  From – "Online Browsers" –  To – "Online Attackers" 

© 2012 Updated BeEF UI Text 

© 2012 © 2012 BeEF Hooking Defender Style: Setting HoneyTraps with ModSecurity 

© 2012 OWASP AppSensor Project https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project 

© 2012 Setting HoneyTraps •  ModSecurity can modify HTTP response data going to clients –  SecContentInjection Directive –  SecStreamOutBodyInspection Directive –  @rsub operator –  STREAM_OUTPUT_BODY variable –  Prepend/Append actions •  Use these capabilities to transparently add HoneyTrap data to applications 

© 2012 HoneyTrap Examples •  Fake robots.txt Disallow entries –  Disallow: /scripts.old •  Fake HTML comments –  •  Fake Cookies –  Set-Cookie: user_role=1; expires=Tue, 11-Mar-2014 18:28:03 GMT; path=/; domain=.yoursite.com •  Fake Hidden Form Field –  

© 2012 Fake Hidden Form Field Example SecRule STREAM_OUTPUT_BODY \ "@rsub s/<\/form>/<\/ form>/id" \ "id:'999009',phase4,t:none,nolog,pass" 

© 2012 Client View 

© 2012 Fake Parameter Data Sent POST /wordpress/wp-login.php HTTP/1.1 Host: 192.168.168.128 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv: 16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.168.128/wordpress/wp-login.php Cookie: PHPSESSID=39sg9cjq940h3bo9b0jmce2137; acopendivids=phpbb2,redmine; acgroupswithpersist=nada Content-Type: application/x-www-form-urlencoded Content-Length: 78 log=bsmith&pwd=paswword&submit=Login+%C2%BB&redirect_to=wp- admin%2F&admin=true 

© 2012 Initiate BeEF Hooking SecRule ARGS:admin "!@streq false" "id:'999010',phase: 2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN Form Data Manipulated.',setvar:tx.malicious_client=1" SecRule TX:MALICIOUS_CLIENT "@eq 1" "chain,id:'999224',phase:4,t:none,pass,log, msg:'Hooking Client with BeEF due to HoneyTrap Violation.'" SecRule STREAM_OUTPUT_BODY "@rsub s/<\/ html>/<\/script>< \/html>/" 

© 2012 

© 2012 © 2012 Executing BeEF Command Modules 

© 2012 Caution •  BeEF is extremely powerful •  The use of many of its modules may violate hacking laws •  Consult your legal department before use 

© 2012 Focusing on Monitoring Capabilities •  Web Fraud Detection vendors do this today –  Inject code for client device fingerprinting –  Inspecting the browser/ system for malicious code •  We are focusing on enumerating information about the attacker –  Geo Location –  Network information –  Keystroke logging 

© 2012 Persistence: MiTB 

© 2012 Get Physical Location 

© 2012 Get Physical Location 

© 2012 Iframe Event Logger 

© 2012 Iframe Event Logger 

© 2012 © 2012 WAF Event Integration 

© 2012 ModSecurity Audit Console http://jwall.org/web/audit/console/index.jsp 

© 2012 

© 2012 

© 2012 BeEF + ModSecurity Audit Console RESTful API 

© 2012 ModSecurity Audit Console Integration •  Beef_dir/extensions/modsecurity/config.yaml beef: extension: modsecurity: enable: true name: 'ModSecurity' authors: ["antisnatchor"] auditconsole: ip: "console.yoursite.com" port: "443" ssl: true user: "defender" passwd: "secretpassword" 

© 2012 WAF Event Data 

© 2012 ModSecurity Alert Message Data 

© 2012 Full Request/Response Payloads 

© 2012 Closing •  Feedback/Questions? •  Email –  [email protected] –  [email protected] •  Twitter –  @ryancbarnett –  @ModSecurity •  OWASP Open Source Showcase - ModSecurity –  Friday October 26, 2012 2:00pm - 5:00pm –  Foothills I (17th Floor)