Dan,

On Thu, Aug 30, 2012 at 9:46 PM, Daniel Zulla <daniel.zu...@gmail.com> wrote:
> Hi,
> I attached a diff that shows my current work.
>
> An additional idea:
> Checking if the user is root is good.
> Providing a fall-back if he is not, is better.
>
> Actually, there is no need to sniff for ICMP. It is a valid way to solve the
> problem, but an alternative way is TCP.
> I would like to use telnet, because with telnet, we would not have to
> provide payloads for *ix and Windows.
>
> Both systems bring the utility (afaik, don't know exactly which Windows
> versions have it and which ones do not).
>
> Either way -- A "telnet ourhost our_temp_port" would force the target host
> to connect to the tcp server that osCommanding.py could set up temporarily.
>
> And there is no need to be root, doing it the TCP way.
>
> I'd appreciate any feedback.
I like the telnet idea, and as you mention it should provide us a cross-platform test for verifying command execution. The only problem I see is that in systems where there is a strict outgoing traffic policy it won't work, since packets might not be able to get out and reach us.

Some comments about the new techniques you're adding:

* Private/Public IP address space check: I would add some type of check where we verify that the technique's prerequisites are fulfilled. Example: if w3af's host has a private IP address and the target host has a public IP address, I would at least tell the user that this technique won't work ("ping -c private_ip_of_w3af_host" from the remote host will simply be lost somewhere far away from us).

* Same payloads for time delay and reverse ICMP checks: this kind of invalidates the previous check, and also invalidates the need of checking if we're running this as root or not, and also reduces the amount of HTTP requests per parameter (which rocks). My idea would be to use the same payload ("ping -c 5 w3af_host_ip") for both checks: timeout and reverse ICMP. To clarify, with the patch (and if the user is root) we're sending 12 (approx.) "ping" commands for each application input parameter to trigger a delay; and then 12 (approx.) "ping" commands to trigger the reverse ICMP. If we just merge both techniques, we'll have 12 fewer HTTP requests per input parameter. The bad thing about merging both techniques is that in the past we had "ping -c 5 localhost", which delayed for a KNOWN amount of time; now we'll have "ping -c w3af_host", which will delay for 5sec + RTT of ICMP (if ICMP is actually returned). More thinking should be applied to what type of delay we get when there is a strict outgoing filter. Take care in not reporting the vulnerability twice; once for the delay and once for the ICMP packet being captured.

* self._is_root = any(u == getpass.getuser() for u in ["root", "Administrator"]) # works for linux and windows ; but it is not really cross-platform.
What if the Windows system is in German, Spanish or Turkish? In those systems the "Administrator" is not called "Administrator" (at least not in Spanish, where it is Administrador). Also, a user with the name "jdoe" might have admin rights.

* packets = sniff(filter="icmp", lfilter=lambda x: x.haslayer(ICMP) and x.haslayer(IP), count=1, timeout=10) ; I wouldn't use the count=1 here, since it might be the case (although rare) that we're performing a w3af scan and at the same time "nmap -sP", and the vulnerability is not detected because the sniffing was stopped ahead of time. Also, just to be sure, I would start sniffing before sending the HTTP requests (even though they are sent in threads and run_async shouldn't block).

* Similar case as with "count=1":

> packets = sniff(filter="icmp", lfilter=lambda x: x.haslayer(ICMP) and
> x.haslayer(IP), count=1, timeout=10)
...
> hostile_packet = packets[0][IP]
> if hostile_packet.src.split(".")[:3] !=
> self._remote_host.split(".")[:3]:
>     return False

What happens if we're running "nmap -sP" or simply "ping target_host" while running w3af? I think we should add a check there that verifies that the packet we got from the remote host was an ICMP echo request (and not simply any ICMP).

* Remove unused import "> from urlparse import urlparse"

All in all, very nice job, just requires minor changes to make sure we don't have false positives and we don't impact performance too much. Would love to see the telnet stuff, since I think it would add a good check and the performance impact is low since "telnet" takes the same args in all platforms. The only issue I see with it (just realized now...) is that most w3af users will have firewalls on their boxes and incoming connections won't work. We should think about that,

Regards,

> Thanks,
> Daniel
>
> 2012/8/30 Andres Riancho <andres.rian...@gmail.com>
>>
>> Martin,
>>
>> On Wed, Aug 29, 2012 at 3:01 PM, Martin Alderete <malder...@gmail.com>
>> wrote:
>> > Hi guys!
>> >
>> >> I like the idea, it's actually a very good one. Some comments though:
>> >>
>> >> * The penalty for using scapy is that the user needs to be root, and
>> >> we don't want to ask users to run w3af as root for running a simple
>> >> scan. On the other side, the idea is good and should be implemented,
>> >> so what I recommend is to have something that looks like this:
>> >>
>> >
>> > I agree!!
>> >
>> >> if user_running_as_root():
>> >>     start_sniffing()
>> >>     send_requests_that_will_ping_back_to_us()
>> >>     stop_sniffing()
>> >>     analyze_packets()
>> >> else:
>> >>     warn_user_that_technique_is_only_available_when_root()
>> >>
>> >
>> > Some comments about the code layout:
>> > You can develop that using Python's decorator instead of if-else
>> > statement.
>> > The code could look like :
>> >
>> > @require_root
>> > def my_custom_scan(params, kwds_params):
>> >     start_sniffing()
>> >     send_requests_that_will_ping_back_to_us()
>> >     stop_sniffing()
>> >     analyze_packets()
>> >
>> > That way is more flexible, and you are able to focus just on the logic
>> > of
>> > the *process* (scan, exploit, etc)
>>
>> Agreed, implementation looks nicer with something like that, and when
>> we implement the second, third, N-th technique that requires root,
>> code will look even nicer than the if-else option.
>>
>> > I hope you find it useful,
>>
>> Sure!
>>
>> PS: Welcome to the list, it's good to see more Argentines around here :)
>>
>> > Cheers,
>> >
>> >
>> > --
>> > Alderete, Martin Nicolas
>> > NINJA-IDE Core Developer
>> > Senior Python Developer
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > Live Security Virtual Conference
>> > Exclusive live event will cover all the ways today's security and
>> > threat landscape has changed and how IT managers can respond.
>> > Discussions
>> > will include endpoint security, mobile security and the latest in
>> > malware
>> > threats.
>> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
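The review points raised in this thread (a privilege check that does not compare usernames against "root"/"Administrator", a prerequisite check for the private-local/public-target layout, the @require_root decorator layout, and accepting only an ICMP echo request from the exact target instead of stopping at count=1) as one added Python 3 example. This is not code from w3af or from any message in the thread; `is_admin`, `require_root`, `reverse_icmp_feasible`, `is_expected_echo_request` and `sniff_until_match` are hypothetical names, and the captured packets are constructed (src, icmp_type) tuples rather than scapy objects. `os.geteuid` and `ctypes.windll.shell32.IsUserAnAdmin` are real platform APIs; `ipaddress` is in the standard library.

```python
import functools
import ipaddress
import os

# ICMP type 8 is "echo request", the packet that the target's `ping` emits.
# Type 0 (echo reply) or 11 (TTL exceeded) from the same host is not evidence.
ICMP_ECHO_REQUEST = 8


def is_admin():
    """Ask the OS whether we have raw-socket privileges.

    Comparing getpass.getuser() against "root"/"Administrator" breaks on
    localised Windows installs (Administrador, ...) and on admin users with
    other names, so the effective privilege is queried instead.
    """
    if hasattr(os, "geteuid"):           # POSIX: effective uid 0 is root
        return os.geteuid() == 0
    try:                                  # Windows: shell32.IsUserAnAdmin
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


class PrerequisiteError(RuntimeError):
    """A technique's prerequisites (privileges, network layout) are not met."""


def require_root(check=is_admin):
    """Decorator: run the wrapped technique only when check() says we are privileged.

    The probe is injectable (hypothetical design) so callers and tests can
    substitute their own; the default is the OS query above.
    """
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            if not check():
                raise PrerequisiteError(
                    "%s needs root/Administrator privileges to sniff" % func.__name__)
            return func(*args, **kwargs)
        return wrapper
    return decorator


def reverse_icmp_feasible(local_ip, remote_ip):
    """Return (ok, reason) for the private/public prerequisite check.

    A ping from a public target to an RFC 1918 (or loopback/link-local)
    address on our side can never route back to us, so the technique is
    reported as not applicable before a single request is sent.
    """
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    if local.is_loopback or local.is_link_local:
        return False, "local address %s is not reachable from the target" % local
    if local.is_private and not remote.is_private:
        return False, ("local address %s is private but target %s is public; "
                       "ICMP from the target will never reach us" % (local, remote))
    return True, "ok"


def is_expected_echo_request(src_ip, icmp_type, remote_host):
    """Accept only an echo request whose source is exactly the target.

    Matching the first three octets, or accepting any ICMP type, lets a
    concurrent `ping`, a host sweep or a TTL-exceeded message from a
    neighbour be reported as a command-injection finding.
    """
    return (icmp_type == ICMP_ECHO_REQUEST
            and ipaddress.ip_address(src_ip) == ipaddress.ip_address(remote_host))


def sniff_until_match(packets, remote_host):
    """Walk every captured packet (constructed (src, icmp_type) tuples here)
    and return the first qualifying echo request, or None.

    Unlike count=1, unrelated ICMP arriving first does not end the capture.
    """
    for src, icmp_type in packets:
        if is_expected_echo_request(src, icmp_type, remote_host):
            return (src, icmp_type)
    return None


if __name__ == "__main__":
    # Constructed capture: a stray ping from a neighbour, a TTL-exceeded
    # from the target, and finally the target's echo request.
    captured = [("192.168.1.99", 8), ("192.168.1.20", 11), ("192.168.1.20", 8)]
    print(reverse_icmp_feasible("10.0.0.5", "8.8.8.8"))
    print(sniff_until_match(captured, "192.168.1.20"))

    @require_root()
    def reverse_icmp_technique():
        return sniff_until_match(captured, "192.168.1.20")

    try:
        print(reverse_icmp_technique())
    except PrerequisiteError as e:
        print("skipped:", e)
```

Feeding `sniff_until_match` the full list from a timed `sniff(timeout=...)` call (no `count`) keeps the capture window fixed while still tolerating unrelated ICMP; `reverse_icmp_feasible` is meant to run once per scan, before the technique is scheduled, so the warning reaches the user instead of silently producing no result.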