Andres,

2012/9/4 Andres Riancho <andres.rian...@gmail.com>

> Dan,
>
> On Thu, Aug 30, 2012 at 9:46 PM, Daniel Zulla <daniel.zu...@gmail.com>
> wrote:
> > Hi,
> > I attached a diff that shows my current work.
> >
> > An additional idea:
> > Checking if the user is root is good.
> > Providing a fall-back if he is not, is better.
> >
> > Actually, there is no need to sniff for ICMP. It is a valid way to solve the
> > problem, but an alternative way is TCP.
> > I would like to use telnet, because with telnet, we would not have to
> > provide payloads for *ix and Windows.
> >
> > Both systems bring the utility (afaik, don't know exactly which Windows
> > versions have it and which ones do not).
> >
> > Either way -- A "telnet ourhost our_temp_port" would force the target host
> > to connect to the tcp server that osCommanding.py could set up temporarily.
> >
> > And there is no need to be root, doing it the TCP way.
> >
> > I'd appreciate any feedback.
>
> I like the telnet idea, and as you mention it should provide us a
> cross-platform test for verifying command execution. The only problem
> I see is that in systems where there is a strict outgoing traffic
> policy it won't work since packets might not be able to get out and
> reach us.
>
> Some comments about the new techniques you're adding:
>     * Private/Public IP address space check: I would add some type of
> check where we verify that the technique's prerequisites are
> fulfilled. Example: If w3af's host has a private IP address and the
> target host has a public IP address; I would at least tell the user
> that this technique won't work (ping -c private_ip_of_w3af_host from
> remote host will simply be lost somewhere far away from us).
>
>     * Same payloads for time delay and reverse ICMP checks: This kind
> of invalidates the previous check, and also invalidates the need of
> checking if we're running this as root or not, and also reduces the
> amount of HTTP requests per parameter (which rocks). My idea would be
> to use the same payload (ping -c 5 w3af_host_ip) for both checks:
> timeout and reverse ICMP. To clarify, with the patch (and if user is
> root) we're sending 12 (approx.) "ping" commands for each application
> input parameter to trigger a delay; and then 12 (approx.) "ping"
> commands to trigger the reverse ICMP. If we just merge both
> techniques, we'll have 12 fewer HTTP requests per input parameter.
>
>     The bad thing about merging both techniques is that in the past we
> had ping -c 5 localhost, which delayed for a KNOWN amount of time, now
> we'll have ping -c w3af_host; which will delay for 5sec + RTT of ICMP
> (if ICMP is actually returned).
>
>     More thinking should be applied to what type of delay we get when
> there is a strict outgoing filter.
>
>     Take care in not reporting the vulnerability twice; once for the
> delay and once for the ICMP packet being captured.
>
>     * self._is_root = any(u == getpass.getuser() for u in ["root",
> "Administrator"]) # works for linux and windows ; but it is not really
> cross-platform. What if the Windows system is in German, Spanish or
> Turkish? In those systems the "Administrator" is not called
> "Administrator" (at least not in Spanish where it is Administrador).
> Also, a user with the name "jdoe" might have admin rights.
>
>
I don't know exactly how to do this on Windows platforms. I guess "net
user" is the way to go.


>     * packets = sniff(filter="icmp", lfilter=lambda x:
> x.haslayer(ICMP) and x.haslayer(IP), count=1, timeout=10) ; I wouldn't
> use the count=1 here, since it might be the case (although rare) that
> we're performing a w3af scan and at the same time "nmap -sP" and the
> vulnerability is not detected because the sniffing was stopped ahead
> of time. Also, just to be sure, I would start sniffing before sending
> the HTTP requests (even though they are sent in threads and run_async
> shouldn't block)
>

sniff() blocks, so afaik it has to be started *after* the HTTP requests
were triggered. There is a patch/hack for scapy that extends the
functionality of sniff() with an asynchronous mode and an appropriate
'stopper' argument (a function), but I doubt that you would like to deliver a
custom version of scapy with w3af.


>     * Similar case as with "count=1":
>
> >         packets = sniff(filter="icmp", lfilter=lambda x:
> x.haslayer(ICMP) and x.haslayer(IP), count=1, timeout=10)
> ...
> >         hostile_packet = packets[0][IP]
> >         if hostile_packet.src.split(".")[:3] !=
> self._remote_host.split(".")[:3]:
> >             return False
>
>     What happens if we're running "nmap -sP" or simply "ping
> target_host" while running w3af? I think we should add a check there
> that verifies that the packet we got from the remote host was a ICMP
> echo request (and not simply any icmp)
>

Hmm. Idea. Do the payloads of ICMP Echo packets differ between different
Windows versions? Afaik they do between Windows and Linux. It might be a good
idea to do some passive OS fingerprinting. The Nmap database should be
quite extensive. Also p0f [1] seems to be a great tool for that.


>
>     * Remove unused import "> from urlparse import urlparse"
>
>     All in all, very nice job, just requires minor changes to make
> sure we don't have false positives and we don't impact performance too
> much.
>
>     Would love to see the telnet stuff, since I think it would add a
> good check and the performance impact is low since "telnet" takes the
> same args in all platforms. The only issue I see with it (just
> realized now...) is that most w3af users will have firewalls on their
> boxes and incoming connections won't work. We should think about that,
>
>
[1] p0f: http://lcamtuf.coredump.cx/p0f3/

Thanks for your feedback,
Daniel


> Regards,
>
> > Thanks,
> > Daniel
> >
> > 2012/8/30 Andres Riancho <andres.rian...@gmail.com>
> >>
> >> Martin,
> >>
> >> On Wed, Aug 29, 2012 at 3:01 PM, Martin Alderete <malder...@gmail.com>
> >> wrote:
> >> > Hi guys!
> >> >
> >> >> I like the idea, it's actually a very good one. Some comments though:
> >> >>
> >> >> * The penalty for using scapy is that the user needs to be root, and
> >> >> we don't want to ask users to run w3af as root for running a simple
> >> >> scan. On the other side, the idea is good and should be implemented,
> >> >> so what I recommend is to have something that looks like this:
> >> >>
> >> >
> >> > I agree!!
> >> >
> >> >> if user_running_as_root():
> >> >>     start_sniffing()
> >> >>     send_requests_that_will_ping_back_to_us()
> >> >>     stop_sniffing()
> >> >>     analyze_packets()
> >> >> else:
> >> >>     warn_user_that_technique_is_only_available_when_root()
> >> >>
> >> >
> >> > Some comments about the code layout:
> >> > You can develop that using Python's decorator instead of if-else
> >> > statment.
> >> > The code could look like :
> >> >
> >> > @require_root
> >> > def my_custom_scan(params, kwds_params):
> >> >     start_sniffing()
> >> >     send_requests_that_will_ping_back_to_us()
> >> >     stop_sniffing()
> >> >     analyze_packets()
> >> >
> >> > That way is more flexible, and you are able to focus just in the logic of
> >> > the *process* (scan, exploit, etc)
> >>
> >> Agreed, implementation looks nicer with something like that, and when
> >> we implement the second, third, N-th technique that requires root,
> >> code will look even nicer than the if-else option.
> >>
> >> > I hope you find it useful,
> >>
> >> Sure!
> >>
> >> PS: Welcome to the list, it's good to see more Argentinians around here :)
> >>
> >> > Cheers,
> >> >
> >> >
> >> > --
> >> > Alderete, Martin Nicolas
> >> > NINJA-IDE Core Developer
> >> > Senior Python Developer
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > Live Security Virtual Conference
> >> > Exclusive live event will cover all the ways today's security and
> >> > threat landscape has changed and how IT managers can respond.
> >> > Discussions
> >> > will include endpoint security, mobile security and the latest in
> >> > malware
> >> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >> > _______________________________________________
> >> > W3af-develop mailing list
> >> > W3af-develop@lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >
> >>
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >>
> >>
> >>
> >
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
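
The TCP reverse-connect check discussed above, as an added example: this is not
w3af's code nor the patch under review, and the names (ReverseTcpListener,
reachability_warning, verify_os_command_injection, simulated_vulnerable_target)
are assumptions of this example. It opens a temporary listener, injects
"telnet <our_ip> <our_port>", and only counts a connection whose source is the
target host, while warning up front when our address is one the target cannot
route to. The simulated target is a constructed stand-in so the whole thing
runs offline.

```python
"""Reverse-connect (TCP) confirmation of a blind OS command injection.
Added example, not w3af code; all names are this example's own."""
import ipaddress
import socket
import threading
import time


def reachability_warning(local_ip, remote_ip):
    """Prerequisite check: a callback to an address the target cannot route
    to is simply lost. Returns a warning string, or None when it looks OK."""
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    if local.is_loopback:
        return f"{local_ip} is a loopback address; a remote target cannot reach it"
    if local.is_private and remote.is_global:
        return (f"{local_ip} is private but the target {remote_ip} is public; "
                "the callback will not reach us unless a public IP forwards to us")
    return None


def build_payload(local_ip, port):
    """The injected command; telnet takes the same arguments on *nix and
    Windows, which is why the thread prefers it over OS-specific payloads."""
    return f"telnet {local_ip} {port}"


class ReverseTcpListener:
    """Temporary TCP server recording the source address of every accepted
    connection, so the scan can check that the *target* called back."""

    def __init__(self, bind_ip="0.0.0.0", port=0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_ip, port))       # port 0: let the OS choose
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # poll accept() so stop() works
        self.port = self._sock.getsockname()[1]
        self.callbacks = []                    # (peer_ip, monotonic time)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        # Listen before the payloads go out, so an early callback is not
        # missed (the same ordering point the thread raises about sniff()).
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (peer_ip, _) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.callbacks.append((peer_ip, time.monotonic()))
            conn.close()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def wait_for(self, expected_ip, timeout):
        """Wait up to `timeout` seconds for a connection from expected_ip.
        Connections from other hosts are kept for the log but never end the
        wait early (the analogue of the count=1 problem with sniff())."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if any(ip == expected_ip for ip, _ in self.callbacks):
                return True
            time.sleep(0.05)
        return False


def verify_os_command_injection(inject, local_ip, remote_ip, timeout=10.0):
    """inject(cmd) is whatever delivers the command to the target (in w3af an
    HTTP request per parameter). Returns (confirmed, warning); the warning is
    reported to the user but does not stop the attempt."""
    warning = reachability_warning(local_ip, remote_ip)
    listener = ReverseTcpListener(bind_ip=local_ip).start()
    try:
        inject(build_payload(local_ip, listener.port))
        confirmed = listener.wait_for(remote_ip, timeout)
    finally:
        listener.stop()
    return confirmed, warning


def simulated_vulnerable_target(cmd):
    """Constructed stand-in for a vulnerable application: it "executes" the
    injected telnet command by opening the TCP connection from this host."""
    _, ip, port = cmd.split()

    def connect():
        with socket.create_connection((ip, int(port)), timeout=3):
            pass

    threading.Thread(target=connect, daemon=True).start()


if __name__ == "__main__":
    ok, warn = verify_os_command_injection(
        simulated_vulnerable_target, "127.0.0.1", "127.0.0.1", timeout=5)
    print("confirmed:", ok, "| warning:", warn)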

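The two review points about the sniffer (do not stop at the first ICMP packet,
and accept only an echo request that really comes from the target host), plus
the payload-based OS guess floated above, as an added example. This is not
w3af or scapy code: it parses raw IPv4/ICMP bytes so it runs offline (with
scapy the same fields are pkt[IP].src, pkt[ICMP].type and
bytes(pkt[ICMP].payload)); the capture is constructed; the OS guess is a
heuristic on the default payloads of iputils ping and Windows ping, not a
substitute for p0f; and every name here is this example's own.

```python
"""Validating sniffed ICMP for the reverse-ICMP check.
Added example, not w3af or scapy code; all names are this example's own."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Default echo payloads: Windows ping sends these 32 bytes; iputils ping
# (Linux) sends 56 bytes, a timestamp followed by the byte pattern 0x10..0x37.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_TAIL = bytes(range(0x10, 0x38))


def parse_ipv4_icmp(raw):
    """Return (src_ip, icmp_type, icmp_code, payload), or None when the bytes
    are not IPv4 carrying ICMP. Checksums are not verified."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 1 or len(raw) < ihl + 8:    # protocol 1 = ICMP
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    icmp = raw[ihl:]
    return src, icmp[0], icmp[1], bytes(icmp[8:])


def find_echo_request_from(packets, expected_src):
    """Scan the whole capture; return the payload of the first echo request
    sent by expected_src, or None. Echo replies (e.g. to our own `ping
    target`) and requests from other hosts in the same /24 are ignored,
    which is where the patch's prefix comparison and packets[0] went wrong."""
    for raw in packets:
        parsed = parse_ipv4_icmp(raw)
        if parsed is None:
            continue
        src, icmp_type, _code, payload = parsed
        if icmp_type == ICMP_ECHO_REQUEST and src == expected_src:
            return payload
    return None


def classify_ping_payload(payload):
    """Heuristic OS guess from the echo payload (default ping options only)."""
    if payload == WINDOWS_PATTERN:
        return "windows-ping"
    if len(payload) == 56 and payload.endswith(LINUX_TAIL):
        return "iputils-ping"
    return "unknown"


def reverse_icmp_result(packets, expected_src):
    """(confirmed, os_guess) for a capture taken while the payloads were sent."""
    payload = find_echo_request_from(packets, expected_src)
    if payload is None:
        return False, None
    return True, classify_ping_payload(payload)


def build_icmp_packet(src, dst, icmp_type, payload, ident=0x1234, seq=1):
    """Constructed IPv4+ICMP packet for offline testing (checksums left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, 1, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp


TARGET = "192.168.1.50"        # constructed: the host we injected into
W3AF_HOST = "192.168.1.10"     # constructed: the scanner

# Constructed capture: a reply to our own ping of the target, an echo request
# from an unrelated neighbour in the same /24, then the target calling back.
CAPTURE = [
    build_icmp_packet(TARGET, W3AF_HOST, ICMP_ECHO_REPLY, WINDOWS_PATTERN),
    build_icmp_packet("192.168.1.77", W3AF_HOST, ICMP_ECHO_REQUEST,
                      b"\x00" * 16 + LINUX_TAIL),
    build_icmp_packet(TARGET, W3AF_HOST, ICMP_ECHO_REQUEST, WINDOWS_PATTERN),
]

if __name__ == "__main__":
    print(reverse_icmp_result(CAPTURE, TARGET))    # (True, 'windows-ping')
```

With the patch's logic (count=1, then compare the first three octets of the
source) the first packet of this capture, a reply from our own ping, would have
ended the sniff and the neighbour's request would have passed the prefix test;
scanning the full capture for type 8 from the exact source avoids both.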