Slide 1

© 2012
Building a Web Attacker Dashboard with ModSecurity and BeEF
Presented by: Ryan Barnett, Lead Security Researcher, Trustwave SpiderLabs
[email protected]
@ryancbarnett

Slide 2

Speaker Info: Ryan Barnett
• Trustwave SpiderLabs Research
  – Specialize in Web Application Defense/WAF Research
    • WebDefend (Commercial)
    • ModSecurity (Open Source)
• OWASP
  – Lead the ModSecurity Core Rule Set (CRS) Project
  – Contributor for AppSensor Project
• Author
  – The Web Application Defender's Cookbook (Wiley, Dec. 2012)

Slide 3

Target Audience: Defender Community
https://www.owasp.org/index.php/Defenders

Slide 4

Target Audience: Web Defenders
http://www.swsec.com/resources/touchpoints/

Slide 5

Agenda Breakdown
• OWASP Web Application Security Risks
• Situational Awareness
  – Attacks
  – Threats
  – Tracking Threat Agents
• Building a Web Attacker Dashboard
  – ModSecurity WAF
  – BeEF
  – Audit Console
• Example Usage
• Closing

Slide 6

OWASP Web Application Security Risks
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Attack Focus

Slide 7

Slide 8

Threat Agent -> Attack Vector -> Security Controls
Block Attack. Track Threat Agent?

Slide 9

Threat Agents: Sharks
(diagram: You, surrounded by Random Opportunistic, Directed Opportunistic and Fully Targeted threat agents)

Slide 10

Threat Agent Tracking: Satellite Tagging

Slide 11

Threat Agents: Web Attackers
(diagram: Your Website, surrounded by Random Opportunistic, Directed Opportunistic and Fully Targeted threat agents)

Slide 12

Common Attack Methodology
• ModSecurity SQL Injection Challenge
• Automation to identify injection points
  – NetSparker
  – Arachni
  – Sqlmap
  – Havij
• Manual testing in a web browser to develop working SQLi payloads
  – An iterative process of trial and error
    1. Send initial payloads and observe DB responses
    2. Use obfuscation tactics (comments, encodings, etc.)
    3. Send payload and observe DB response
    4. Repeat steps 2 - 3

Slide 13

Threat Agent -> Attack Vector -> Security Controls
Block Attack. Track Threat Agent?

Slide 14

Can you identify and track malicious web application users?

Slide 15

Threat Agent Tracking: BeEF Tagging
• BeEF – The Browser Exploit Framework
• Penetration testing tool that focuses on the web browser
• Mainly used to demonstrate how internal web clients can become compromised
• Written in Ruby
• Lead Developer is Michele Orru (Trustwave SpiderLabs)
  – Exploiting Internal Network Vulns via the Browser using BeEF Bind
  – Thursday October 25, 2012 3:00pm - 3:45pm
  – NTObjectives Room - Texas Ballroom II
http://beefproject.com/

Slide 16

Example Hooking via Stored XSS

Slide 17

Slide 18

Slide 19

Building a Web Attacker Dashboard

Slide 20

Dashboard Components
• ModSecurity WAF
  – Monitors for attacks
  – Initiates BeEF Hooking
• BeEF
  – Hooks malicious users
  – Enumerates attacker's location
  – Monitors activities
• Audit Console
  – Collects audit logs from ModSecurity
  – Shares data with BeEF UI

Slide 21

Update BeEF for Attacker Dashboard Usage
• Obscure the tell-tale signs of the BeEF hook in the config.yaml file
  – From: hook_file: "/hook.js"
  – To: hook_file: "/img-min.js"
• Modify the UI Text
  – From: "Online Browsers"
  – To: "Online Attackers"

Slide 22

Updated BeEF UI Text

Slide 23

BeEF Hooking Defender Style: Setting HoneyTraps with ModSecurity

Slide 24

OWASP AppSensor Project
https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

Slide 25

Setting HoneyTraps
• ModSecurity can modify HTTP response data going to clients
  – SecContentInjection Directive
  – SecStreamOutBodyInspection Directive
  – @rsub operator
  – STREAM_OUTPUT_BODY variable
  – Prepend/Append actions
• Use these capabilities to transparently add HoneyTrap data to applications

Slide 26

HoneyTrap Examples
• Fake robots.txt Disallow entries
  – Disallow: /scripts.old
• Fake HTML comments
  –
• Fake Cookies
  – Set-Cookie: user_role=1; expires=Tue, 11-Mar-2014 18:28:03 GMT; path=/; domain=.yoursite.com
• Fake Hidden Form Field
  –

Slide 27

Fake Hidden Form Field Example

SecRule STREAM_OUTPUT_BODY \
  "@rsub s/<\/form>/<\/form>/id" \
  "id:'999009',phase:4,t:none,nolog,pass"

Slide 28

Client View

Slide 29

Fake Parameter Data Sent

POST /wordpress/wp-login.php HTTP/1.1
Host: 192.168.168.128
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.168.128/wordpress/wp-login.php
Cookie: PHPSESSID=39sg9cjq940h3bo9b0jmce2137; acopendivids=phpbb2,redmine; acgroupswithpersist=nada
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

log=bsmith&pwd=paswword&submit=Login+%C2%BB&redirect_to=wp-admin%2F&admin=true

Slide 30

Initiate BeEF Hooking

SecRule ARGS:admin "!@streq false" \
  "id:'999010',phase:2,t:none,log,block,msg:'HoneyTrap Alert: Fake HIDDEN Form Data Manipulated.',setvar:tx.malicious_client=1"

SecRule TX:MALICIOUS_CLIENT "@eq 1" \
  "chain,id:'999224',phase:4,t:none,pass,log,msg:'Hooking Client with BeEF due to HoneyTrap Violation.'"
  SecRule STREAM_OUTPUT_BODY "@rsub s/<\/html>/<\/script><\/html>/"

Slide 31

Slide 32

Executing BeEF Command Modules

Slide 33

Caution
• BeEF is extremely powerful
• The use of many of its modules may violate hacking laws
• Consult your legal department before use

Slide 34

Focusing on Monitoring Capabilities
• Web Fraud Detection vendors do this today
  – Inject code for client device fingerprinting
  – Inspecting the browser/system for malicious code
• We are focusing on enumerating information about the attacker
  – Geo Location
  – Network information
  – Keystroke logging

Slide 35

Persistence: MiTB

Slide 36

Get Physical Location

Slide 37

Get Physical Location

Slide 38

Iframe Event Logger

Slide 39

Iframe Event Logger

Slide 40

WAF Event Integration

Slide 41

ModSecurity Audit Console
http://jwall.org/web/audit/console/index.jsp

Slide 42

Slide 43

Slide 44

BeEF + ModSecurity Audit Console RESTful API

Slide 45

ModSecurity Audit Console Integration
• Beef_dir/extensions/modsecurity/config.yaml

beef:
    extension:
        modsecurity:
            enable: true
            name: 'ModSecurity'
            authors: ["antisnatchor"]
            auditconsole:
                ip: "console.yoursite.com"
                port: "443"
                ssl: true
                user: "defender"
                passwd: "secretpassword"

Slide 46

WAF Event Data

Slide 47

ModSecurity Alert Message Data

Slide 48

Full Request/Response Payloads
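The WAF event integration of slides 40 through 48 is shown only as screenshots. As an added example (not code from the slides, the Audit Console or BeEF), the Ruby below parses ModSecurity alert lines in the Apache error-log format, pulls out the `[id "..."]`, `[msg "..."]` and `[uri "..."]` tags, and rolls them up per client address into the kind of per-attacker record the dashboard's "Online Attackers" view would display. The log lines are constructed samples that reuse the rule ids and messages from slide 30; the rule file path, line numbers, unique_id values and the second client's address are made up, and the `[client ...]` regex assumes IPv4 addresses.

```ruby
# Added example (not from the slides, the Audit Console or BeEF): parse
# ModSecurity alerts from Apache error-log lines and summarise them per client.
# The sample lines, file path, line numbers and unique_id values are constructed.

# ModSecurity appends metadata as [key "value"] pairs; values may contain
# backslash-escaped quotes.
TAG_RE = /\[(\w+) "((?:[^"\\]|\\.)*)"\]/

Alert = Struct.new(:client, :status, :id, :msg, :uri)

# Returns an Alert for a ModSecurity line, nil for any other error-log line.
# Assumes an IPv4 [client a.b.c.d] or [client a.b.c.d:port] prefix.
def parse_alert(line)
  m = line.chomp.match(/\[client ([\d.]+)(?::\d+)?\] ModSecurity: (.*?)\.\s+(.*)\z/)
  return nil unless m
  tags = m[3].scan(TAG_RE).to_h
  return nil unless tags['id'] # every rule-generated alert carries its rule id
  Alert.new(m[1], m[2], tags['id'], tags['msg'], tags['uri'])
end

# Rule ids whose alerts mean a honeytrap was tripped (slide 30 sets
# tx.malicious_client=1 from rule 999010).
HONEYTRAP_IDS = %w[999010].freeze

# One record per client address: alert count, distinct rule ids, distinct
# URIs, and whether any alert came from a honeytrap rule.
def attacker_summary(lines)
  summary = Hash.new { |h, k| h[k] = { alerts: 0, rule_ids: [], uris: [], honeytrap: false } }
  lines.each do |line|
    a = parse_alert(line)
    next unless a
    rec = summary[a.client]
    rec[:alerts] += 1
    rec[:rule_ids] << a.id unless rec[:rule_ids].include?(a.id)
    rec[:uris] << a.uri if a.uri && !rec[:uris].include?(a.uri)
    rec[:honeytrap] ||= HONEYTRAP_IDS.include?(a.id)
  end
  summary
end

# Constructed sample log: the two slide-30 rules firing for one client, plus an
# ordinary Apache error line for another client that must be ignored.
SAMPLE_LOG = <<~LOG
  [Thu Oct 25 14:22:01 2012] [error] [client 192.168.168.1] ModSecurity: Warning. Match of "streq false" against "ARGS:admin" required. [file "/etc/modsecurity/honeytrap.conf"] [line "12"] [id "999010"] [msg "HoneyTrap Alert: Fake HIDDEN Form Data Manipulated."] [hostname "192.168.168.128"] [uri "/wordpress/wp-login.php"] [unique_id "UIlg8H8AAAEAAB0XsUsAAAAA"]
  [Thu Oct 25 14:22:01 2012] [error] [client 192.168.168.1] ModSecurity: Warning. Operator EQ matched 1 at TX:malicious_client. [file "/etc/modsecurity/honeytrap.conf"] [line "15"] [id "999224"] [msg "Hooking Client with BeEF due to HoneyTrap Violation."] [hostname "192.168.168.128"] [uri "/wordpress/wp-login.php"] [unique_id "UIlg8H8AAAEAAB0XsUsAAAAA"]
  [Thu Oct 25 14:22:03 2012] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
LOG

if $PROGRAM_NAME == __FILE__
  attacker_summary(SAMPLE_LOG.lines).each do |client, rec|
    puts "#{client}: #{rec[:alerts]} alerts, rules #{rec[:rule_ids].join(',')}, honeytrap=#{rec[:honeytrap]}"
  end
end
```

Keying the summary on the client address is what lets the dashboard join a WAF event to the browser BeEF has hooked; the honeytrap flag singles out clients that tampered with data rather than merely sent a suspicious-looking request.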

Slide 49

Closing
• Feedback/Questions?
• Email
  – [email protected]
  – [email protected]
• Twitter
  – @ryancbarnett
  – @ModSecurity
• OWASP Open Source Showcase - ModSecurity
  – Friday October 26, 2012 2:00pm - 5:00pm
  – Foothills I (17th Floor)