SlideShare une entreprise Scribd logo

Deep Exploit@Black Hat Europe 2018 Arsenal

Isao Takaesu
Isao Takaesu

Fully automatic penetration test tool using Machine Learning.

Technologie
1  sur  25
Télécharger pour lire hors ligne
Deep Exploit - Fully automated penetration test tool - December 6th,2018 Black Hat EUROPE 2018 Arsenal Presented by Isao Takaesu
Deep Exploit Perimeter Network External Firewall Web Servers DNS Servers Internal Firewall Database Server Web Server Internal Network Internal Computers Exploiting the servers on perimeter && internal networks. What is Deep Exploit?
Command Line Arguments Parser User’s Instructions ML Model A3C of Reinforcement Learning Penetration Test Framework Deep Exploit Target Server Trained Data RPC API Save/Restore Receive Result Send Commands Training Servers Testing Training Train : Train how to exploitation by itself. Test : Execute the exploit using trained data. Overview
Train : Train how to exploitation by itself. Test : Execute the exploit using trained data. Overview Command Line Arguments Parser User’s Instructions ML Model A3C of Reinforcement Learning Penetration Test Framework Deep Exploit Target Server Trained Data RPC API Save/Restore Receive Result Send Commands Training Servers Testing Training
・ ・ ・ Numerous Trials (about >10,000) Learn how to exploitation while trying numerous exploits. ・ ・ ・ Worker thread Parameter Server ・ ・ ・ … ⊿w=gradw ⊿w=gradw ⊿w=gradw ・ ・ ・ Worker thread Worker thread send recv recvsend recv send Target Host info OS type Product Name Version Exploit module Target Payloads cmd/unix/bind_ruby linux/x86/shell/bind_tcp bsd/x64/exec generic/debug_trap linux/mipsle/shell_bind_tcp mainframe/shell_reverse_tcp ・・・ … ・ ・ ・ Training Servers ・ ・ ・ ・ ・ ・ Train the Deep Exploit
https://youtu.be/8ht4y9tboNY Training Movie
Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Processing Flow
Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents exploration : identify Web products using found product contents on the Web port. 3. Scrapy : gathering HTTP responses on the Web port. By analyze HTTP responses using Signature and Machine Learning, identify Web products. Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Intelligence Gathering
Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents exploration : identify Web products using found product contents on the Web port. 3. Scrapy : gathering HTTP responses on the Web port. By analyze HTTP responses using Signature and Machine Learning, identify Web products. Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Intelligence Gathering
HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> What are included the Web products in this HTTP response? Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Question
HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Deep Exploit can identify OpenSSL and PHP using Signature. But, this HTTP response includes more products. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Answer (1)
HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Deep Exploit can identify joomla! and Apache using Machine Learning. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Answer (2)
Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Open session between “Deep Exploit” and front server. Step 1. Intelligence Gathering Step 2. Exploitation ・ Execute exploit to target server using trained data. ・ Open session between “Deep Exploit” and target server (=compromised server). Step 3. Post-Exploitation Step 4. Generate Report Exploitation
Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Pivoting and execute the exploit to internal server. Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation ・ Pivoting and execute the exploit to internal server via compromised server. Step 4. Generate Report Post-Exploitation
Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report If detect new server, repeat Step1-3 in new server. Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation ・ Pivoting and execute the exploit to internal server via compromised server. Step 4. Generate Report Post-Exploitation
Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report ・ Generate the report of penetration test. Generate Report
Server-A IP: 192.168.184.132 Deep Exploit IP: 192.168.184.145 Connectable Directly connect Scenario 1. Single target server https://youtu.be/mgEOBIM4omM ・Demo movie Demonstration
Server-A IP: 192.168.184.132 Deep Exploit IP: 192.168.184.145 Server-B IP: 192.168.184.148 (Only permits Server-A to connect) Connectable Connectable Connect via Server-A Scenario 2. Exploitation via compromised server (=Server-A) https://youtu.be/DsBNOGBjJNg ・Demo movie Directly connect Demonstration
Server-A IP: 192.168.220.145 Deep Exploit IP: 192.168.220.150 Server-B IP: 192.168.220.146 (Only permits Server-A to connect) Connectable Connectable Connect via Server-A Scenario 3. Deep penetration https://youtu.be/s-Km-BE8NxM ・Demo movie Server-C IP: 192.168.220.152 (Only permits Server-A to connect) Connectable Connect via Server-A Directly connect Demonstration
https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit ・Source codes & Usage Deep Exploit resource
Another tool : GyoiThon [*] The GyoiThon is specialized in intelligence gathering of Web Server. It can gather target server information using several functions.
List of functions
List of gathered information Info category Example Product name/version WordPress/4.2.20, Apache/2.4.29, Jboss/4.2.3, OpenSSL/1.0.2n CVE number from NVD CVE-2017-15710, CVE-2016-0705, CVE-2017-14723 Open ports/certification [80/http, 443/https, 8080/http], [Cert Signature: MD5] [Cert validity 2017-08-15 00:00:00 to 2018-09-16 12:00:00] Unnecessary comments/ debug message <!-- debug - http://example.com/admn/secret.php -->, “Warning: mysql_connect() … in auth.php on line 38” Web product’s default contents/admin pages /wp-login.php, /phpMyAdmin/setup.php, /mailman/admin/ Real vulnerabilities [!] Collaboration Metasploit. exploit/unix/ftp/vsftpd_234_backdoor, exploit/freebsd/http/watchguard_cmd_exec, exploit/unix/webapp/carberp_backdoor_exec
https://github.com/gyoisamurai/GyoiThon ・Source codes & Usage GyoiThon resource
Reference all source codes and document: https://github.com/13o-bbr-bbq/machine_learning_security/

Recommandé

[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
CODE BLUE
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
Frank Victory
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
Andrea Hauser
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and Beyond
Jim Fenton
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
FIDO Alliance
 

Recommandé

[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
CODE BLUE
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
Frank Victory
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
Andrea Hauser
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and Beyond
Jim Fenton
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
FIDO Alliance
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
Keshab Nath
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
AniketPandit18
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng Hưng
Võ Thái Lâm
 
Hackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platformHackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platform
Ihor Uzhvenko
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
Amy McMullin
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
Pankaj Yadav
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
Aman Srivastava
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
API Testing for everyone.pptx
API Testing for everyone.pptxAPI Testing for everyone.pptx
API Testing for everyone.pptx
Pricilla Bilavendran
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 
Ssrf
SsrfSsrf
Ssrf
Ilan Mindel
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3
ManageEngine, Zoho Corporation
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JSFestUA
 

Contenu connexe

Tendances

Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
Keshab Nath
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 

Tendances (20)

Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
XXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng Hưng
 
Hackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platformHackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platform
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
API Testing for everyone.pptx
API Testing for everyone.pptxAPI Testing for everyone.pptx
API Testing for everyone.pptx
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Ssrf
SsrfSsrf
Ssrf
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 

Similaire à Deep Exploit@Black Hat Europe 2018 Arsenal

Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Positive Hack Days
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
tutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
tutorialsruby
 

Similaire à Deep Exploit@Black Hat Europe 2018 Arsenal (20)

Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3Free OpManager training Part1- Discovery and classification season#3
Free OpManager training Part1- Discovery and classification season#3
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Free OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classificationFree OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classification
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi
 
Exploring billion states of a program like a pro. How to cook your own fast a...
Exploring billion states of a program like a pro. How to cook your own fast a...Exploring billion states of a program like a pro. How to cook your own fast a...
Exploring billion states of a program like a pro. How to cook your own fast a...
 
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Hack information of any website using webkiller
Hack information of any website using webkillerHack information of any website using webkiller
Hack information of any website using webkiller
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 

Plus de Isao Takaesu

Plus de Isao Takaesu (20)

OSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツールOSSで作る機械学習を用いたペネトレーションテストツール
OSSで作る機械学習を用いたペネトレーションテストツール
 
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
サイバーセキュリティ錬金術 - ノイズから価値あるデータを生成する技術 -
 
ハニーポッター技術交流会
ハニーポッター技術交流会ハニーポッター技術交流会
ハニーポッター技術交流会
 
サイバーセキュリティ錬金術
サイバーセキュリティ錬金術サイバーセキュリティ錬金術
サイバーセキュリティ錬金術
 
GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成GAとGANによる検査値の自動生成
GAとGANによる検査値の自動生成
 
Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化Pythonと機械学習によるWebセキュリティの自動化
Pythonと機械学習によるWebセキュリティの自動化
 
脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -脆弱性診断データの活用例 - Webアプリケーション診断編 -
脆弱性診断データの活用例 - Webアプリケーション診断編 -
 
RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -RECOMMENDER for Web security engineers - 中級編 -
RECOMMENDER for Web security engineers - 中級編 -
 
RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -RECOMMENDER for Web security engineers - 初級編 -
RECOMMENDER for Web security engineers - 初級編 -
 
Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法Convolutional Neural Networkに対する攻撃手法
Convolutional Neural Networkに対する攻撃手法
 
Discussion AIの脆弱性について
Discussion AIの脆弱性についてDiscussion AIの脆弱性について
Discussion AIの脆弱性について
 
機械学習関連情報の収集方法
機械学習関連情報の収集方法機械学習関連情報の収集方法
機械学習関連情報の収集方法
 
introduce "Stealing Machine Learning Models via Prediction APIs"
introduce "Stealing Machine Learning Models via Prediction APIs"introduce "Stealing Machine Learning Models via Prediction APIs"
introduce "Stealing Machine Learning Models via Prediction APIs"
 
機械学習を使ったハッキング手法
機械学習を使ったハッキング手法機械学習を使ったハッキング手法
機械学習を使ったハッキング手法
 
ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章ITエンジニアのための機械学習理論入門 第5章
ITエンジニアのための機械学習理論入門 第5章
 
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
CODE BLUE 2016 - Method of Detecting Vulnerability in Web AppsCODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
 
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
CODE BLUE 2016 - 機械学習でWebアプリケーションの脆弱性を見つける方法
 
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
機械学習でWebアプリの脆弱性を見つける - Reflected XSS 編 -
 
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
AISECjp SAIVS(Spider Artificial Intelligence Vulnerability Scanner)
 
Aiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみるAiにwebアプリ診断をやらせてみる
Aiにwebアプリ診断をやらせてみる
 

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Dernier (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Deep Exploit@Black Hat Europe 2018 Arsenal

  • 1. Deep Exploit - Fully automated penetration test tool - December 6th,2018 Black Hat EUROPE 2018 Arsenal Presented by Isao Takaesu
  • 2. Deep Exploit Perimeter Network External Firewall Web Servers DNS Servers Internal Firewall Database Server Web Server Internal Network Internal Computers Exploiting the servers on perimeter && internal networks. What is Deep Exploit?
  • 3. Command Line Arguments Parser User’s Instructions ML Model A3C of Reinforcement Learning Penetration Test Framework Deep Exploit Target Server Trained Data RPC API Save/Restore Receive Result Send Commands Training Servers Testing Training Train : Train how to exploitation by itself. Test : Execute the exploit using trained data. Overview
  • 4. Train : Train how to exploitation by itself. Test : Execute the exploit using trained data. Overview Command Line Arguments Parser User’s Instructions ML Model A3C of Reinforcement Learning Penetration Test Framework Deep Exploit Target Server Trained Data RPC API Save/Restore Receive Result Send Commands Training Servers Testing Training
  • 5. ・ ・ ・ Numerous Trials (about >10,000) Learn how to exploitation while trying numerous exploits. ・ ・ ・ Worker thread Parameter Server ・ ・ ・ … ⊿w=gradw ⊿w=gradw ⊿w=gradw ・ ・ ・ Worker thread Worker thread send recv recvsend recv send Target Host info OS type Product Name Version Exploit module Target Payloads cmd/unix/bind_ruby linux/x86/shell/bind_tcp bsd/x64/exec generic/debug_trap linux/mipsle/shell_bind_tcp mainframe/shell_reverse_tcp ・・・ … ・ ・ ・ Training Servers ・ ・ ・ ・ ・ ・ Train the Deep Exploit
  • 7. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Processing Flow
  • 8. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents exploration : identify Web products using found product contents on the Web port. 3. Scrapy : gathering HTTP responses on the Web port. By analyze HTTP responses using Signature and Machine Learning, identify Web products. Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Intelligence Gathering
  • 9. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering 1. Nmap : identify open ports, products. 2. Contents exploration : identify Web products using found product contents on the Web port. 3. Scrapy : gathering HTTP responses on the Web port. By analyze HTTP responses using Signature and Machine Learning, identify Web products. Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Intelligence Gathering
  • 10. HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> What are included the Web products in this HTTP response? Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Question
  • 11. HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Deep Exploit can identify OpenSSL and PHP using Signature. But, this HTTP response includes more products. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Answer (1)
  • 12. HTTP/1.1 200 OK Date: Tue, 06 Mar 2018 06:56:17 GMT Server: OpenSSL/1.0.1g Content-Type: text/html; charset=UTF-8 Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587; path=/; Etag: "409ed-183-53c5f732641c0" …snip… <form action="/example/confirm.php"> Deep Exploit can identify joomla! and Apache using Machine Learning. Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Answer (2)
  • 13. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Open session between “Deep Exploit” and front server. Step 1. Intelligence Gathering Step 2. Exploitation ・ Execute exploit to target server using trained data. ・ Open session between “Deep Exploit” and target server (=compromised server). Step 3. Post-Exploitation Step 4. Generate Report Exploitation
  • 14. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Pivoting and execute the exploit to internal server. Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation ・ Pivoting and execute the exploit to internal server via compromised server. Step 4. Generate Report Post-Exploitation
  • 15. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report If detect new server, repeat Step1-3 in new server. Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation ・ Pivoting and execute the exploit to internal server via compromised server. Step 4. Generate Report Post-Exploitation
  • 16. Step 1. Intelligence Gathering Fully automatic (No human) Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report Step 1. Intelligence Gathering Step 2. Exploitation Step 3. Post-Exploitation Step 4. Generate Report ・ Generate the report of penetration test. Generate Report
  • 17. Server-A IP: 192.168.184.132 Deep Exploit IP: 192.168.184.145 Connectable Directly connect Scenario 1. Single target server https://youtu.be/mgEOBIM4omM ・Demo movie Demonstration
  • 18. Server-A IP: 192.168.184.132 Deep Exploit IP: 192.168.184.145 Server-B IP: 192.168.184.148 (Only permits Server-A to connect) Connectable Connectable Connect via Server-A Scenario 2. Exploitation via compromised server (=Server-A) https://youtu.be/DsBNOGBjJNg ・Demo movie Directly connect Demonstration
  • 19. Server-A IP: 192.168.220.145 Deep Exploit IP: 192.168.220.150 Server-B IP: 192.168.220.146 (Only permits Server-A to connect) Connectable Connectable Connect via Server-A Scenario 3. Deep penetration https://youtu.be/s-Km-BE8NxM ・Demo movie Server-C IP: 192.168.220.152 (Only permits Server-A to connect) Connectable Connect via Server-A Directly connect Demonstration
  • 21. Another tool : GyoiThon [*] The GyoiThon is specialized in intelligence gathering of Web Server. It can gather target server information using several functions.
  • 23. List of gathered information Info category Example Product name/version WordPress/4.2.20, Apache/2.4.29, Jboss/4.2.3, OpenSSL/1.0.2n CVE number from NVD CVE-2017-15710, CVE-2016-0705, CVE-2017-14723 Open ports/certification [80/http, 443/https, 8080/http], [Cert Signature: MD5] [Cert validity 2017-08-15 00:00:00 to 2018-09-16 12:00:00] Unnecessary comments/ debug message <!-- debug - http://example.com/admn/secret.php -->, “Warning: mysql_connect() … in auth.php on line 38” Web product’s default contents/admin pages /wp-login.php, /phpMyAdmin/setup.php, /mailman/admin/ Real vulnerabilities [!] Collaboration Metasploit. exploit/unix/ftp/vsftpd_234_backdoor, exploit/freebsd/http/watchguard_cmd_exec, exploit/unix/webapp/carberp_backdoor_exec
  • 25. Reference all source codes and document: https://github.com/13o-bbr-bbq/machine_learning_security/