Alejandro Hernández, profile picture
Uploaded byAlejandro Hernández
PDF, PPTX1,390 views

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

The document describes DotDotPwn, an intelligent fuzzer for discovering directory traversal vulnerabilities. It begins with an overview and description of directory traversal vulnerabilities and fuzz testing. It then provides details on DotDotPwn's design, modules, usage, discovered vulnerabilities, and traversal engine. The presentation concludes by thanking contributors to the project.

Embed presentation

Download as PDF, PPTX
../../ DotDotPwn ! The Directory Traversal Fuzzer Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x) http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org
../../ AGENDA DotDotPwn Description Introduction Directory Traversal Vulnerability (Intelligent) Fuzz Testing General Information Origin / Evolution Design / Architecture Usage options Website / Contact Download Contributions Vulnerabilities Discovered vulnerabilities Traversal Engine Description Resources Fuzz patterns generation Intelligent fuzzing Modules Description of each one Greetings
../../ DotDotPwn Description README.txt It’s a very flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).
../../ Introduction Directory Traversal Vulnerability A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. The goal of this attack is to order an application to access a computer file that is not intended to be accessible. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks. A typical example of vulnerable application in php code is: Source: http://en.wikipedia.org/wiki/Directory_traversal
../../ Introduction Directory Traversal Vulnerability An attack against this system could be to send the following HTTP request: Generating a server response such as: Source: http://en.wikipedia.org/wiki/Directory_traversal
../../ Introduction Directory Traversal Vulnerability Some web applications scan query string for dangerous characters (to prevent Directory Traversal vulnerabilities) such as: .. .. ../ However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as: %2e%2e%2f which translates to ../ %2e%2e/ which translates to ../ ..%2f which translates to ../ %2e%2e%5c which translates to .. etc. Source: http://en.wikipedia.org/wiki/Directory_traversal
../../ Introduction Directory Traversal Vulnerability According to a study done by Imperva about Web Applications Attacks, the Directory Traversal vulnerability is one of the most common attacks nowadays (July 2011) Source: Imperva’s Web Application Attack Report. Edition #1 - July 2011
../../ Introduction Fuzz Testing Fuzz testing or fuzzing is a software testing technique that provides (in)valid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for. Source: http://en.wikipedia.org/wiki/Fuzz_testing
../../ Introduction Intelligent Fuzz Testing Source: DeMott, J. (2006). The evolving art of fuzzing.
../../ Introduction Intelligent Fuzz Testing Source: DeMott, J. (2006). The evolving art of fuzzing.
../../ Introduction Intelligent Fuzz Testing Source: DeMott, J. (2006). The evolving art of fuzzing.
../../ General Information Origin / Evolution CHANGELOG.txt DotDotPwn v1.0 Release date: 21/Aug/2010 Checker Script Core component: Traversal database (external .txt files) with 881 payloads Based on Shlomi Narkolayev’s Directory Traversal Cheat Sheet http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html DotDotPwn v2.1 Release date: 29/Oct/2010 (BugCon Security Conferences 2010) From Checker to Fuzzer Rewritten from the scratch Modular architechture (DotDotPwn packages) Core component: Traversal Engine OS detection (nmap) A cool banner was included ;) False positives detection Many parameters included for fuzzing flexibility More modules included DotDotPwn v3.0beta Release date: 03/Aug/2011 (Black Hat USA 2011 (Arsenal) - Conference CD) Random User-Agent in HTTP requests Operating System type specifier (if known) Reporting capabilities
../../ General Information Design / Architecture INPUTS FUZZ PATTERNS OUTPUTS CREATION Modules manual OS type HTTP Traversal Engine OS detection HTTP URL ../../ .... ..%2f..%2f Deepness FTP ..%255c..%255c ..%c0%2f..%c0%2f ..%u2215..%u2215 TFTP ..%uF025..%uF025 ..%25c1%259c..%25c1%259c Filenames %252e%252e%c0%5c%252e%252e%c0%5c PAYLOAD STDOUT Dots & Slashes Encodings
../../ General Information Usage options USAGE.txt
../../ General Information Usage options EXAMPLES.txt (one example per module)
../../ General Information Website / Contact README.txt Official Website: http://dotdotpwn.blogspot.com Official Email: dotdotpwn@sectester.net Bugs / Contributions / Improvements: dotdotpwn@sectester.net
../../ General Information Download DotDotPwn v3.0beta: INCLUDED IN BLACK HAT USA 2011 CONFERENCE CD DotDotPwn v2.1: PacketStormSecurity: http://packetstormsecurity.org/files/view/95399/dotdotpwn-v2.1.tar.gz BackTrack Linux 4 R2: # apt-get update # apt-get install dotdotpwn # cd /pentest/fuzzers/dotdotpwn/ # ./dotdotpwn.pl Mirror: http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz
../../ General Information Contributions AUTHORS.txt Contribution: Idea Implementation of the Bisection Algorithm (http://en.wikipedia.org/wiki/Bisection_method) once a vulnerability has been found in order to determine the exact deepness of the directory traversal. Origin of -X switch. By: Roberto Salgado aka LightOS http://twitter.com/LightOS http://www.websec.ca ------------------------------------- Contribution: Idea and Code Not always include the @Extra_files (e.g. web.config, httpd.conf, etc.). Origin of the -e switch. Specify the Operating System type if known ("windows" or "unix"). Origin of the -o switch. By: Eduardo Ruiz Duarte aka Beck http://twitter.com/toorandom http://math.co.ro http://b3ck.blogspot.com ------------------------------------- Contribution: Code Save a results' report into the Reports folder. Origin of the -r switch. Treatment of SIGINT in order to print the number of traversals found when Ctrl + C is pressed. Random User-Agent in HTTP requests for IDS/IPS detection avoidance. By: Diego Boy http://twitter.com/Diego_Boy ------------------------------------- Contribution: Code Random User-Agent in HTTP requests for IDS/IPS detection avoidance. By: Cristian Urrutia aka Gashnark http://twitter.com/blion_tec
../../ General Information To Do Implementation of the Bisection Algorithm to determine the exact deepness of the directory traversal. The bisection method in mathematics, is a root-finding method which repeatedly bisects an interval then selects a subinterval in which a root must lie for further processing. Source: http://en.wikipedia.org/wiki/Bisection_method ../../../../../../../../../../../../../../../../etc/passwd (16) ../../../../../../../../etc/passwd (16/2 = 8) ../../../../../../../../../../../../etc/passwd ((8+16) / 2 = 12) ../../../../../../../../../../etc/passwd ((8+12) / 2 = 10) ../../../../../../../../../../../etc/passwd ((10+12) / 2 = 11) 5 requests instead of 11 !
../../ Vulnerabilities Discovered vulnerabilities Tested software HTTP: 72 Web platforms: 2 (CMS’s) FTP: 25 TFTP: 11
../../ Vulnerabilities Discovered vulnerabilities Examples of findings …
../../ Vulnerabilities Discovered vulnerabilities Exploits MultiThreaded HTTP Server [chr1x] – http://www.exploit-db.com/exploits/12304 Wing FTP Server v3.4.3 [chr1x] - http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt VicFTPS v5.0 [chr1x] – http://www.exploit-db.com/exploits/12498 TFTP Desktop 2.5 [chr1x] - http://www.exploit-db.com/exploits/14857 TFTPDWIN v0.4.2 [chr1x] - http://www.exploit-db.com/exploits/14856 Femitter FTP Server 1.04 [chr1x] - http://www.exploit-db.com/exploits/15445 Home FTP Server <= r1.11.1 (build 149) [chr1x] - http://www.exploit-db.com/exploits/15349 Yaws 1.89 HTTP Server [nitrØus] - http://www.exploit-db.com/exploits/15371 Mongoose 2.11 HTTP Server (Win32) [nitrØus] - http://www.exploit-db.com/exploits/15373
../../ Vulnerabilities Discovered vulnerabilities 3.4.0 - 1st Traversal found ! 3.4.1 3.4.2 3.4.3 3.4.5 – 2nd Traversal found ! ================= 56 days of exposure!! DotDotPwn’s Breaking Patches! ☺
../../ Traversal Engine Description Traversal Engine ../../ .... ..%2f..%2f ..%255c..%255c ..%c0%2f..%c0%2f ..%u2215..%u2215 ..%uF025..%uF025 ..%25c1%259c..%25c1%259c %252e%252e%c0%5c%252e%252e%c0%5c
../../ Traversal Engine Resources
../../ Traversal Engine Resources
../../ Traversal Engine Fuzz patterns generation
../../ Traversal Engine Intelligent Fuzzing At the beggining of this presentation … Then …
../../ Traversal Engine Intelligent Fuzzing Fuzz patterns according to the Operating System detected (nmap) ../../../boot.ini on *NIX-like ../../../boot.ini on Windows ../../../etc/passwd on Windows ../../../etc/passwd on *NIX-like
../../ Traversal Engine Intelligent Fuzzing
../../ Traversal Engine Intelligent Fuzzing Encoding of slashes (/) for the correct semantics in the fuzzing patterns ..%2f..%2fetc/passwd ..%2f..%2fetc%2fpasswd %2e%2e%c0%af%2e%2e%c0%afwindowssystem32driversetchosts %2e%2e%c0%af%2e%2e%c0%afwindows%c0%afsystem32%c0%afdrivers %c0%afetc%c0%afhosts
../../ Traversal Engine Intelligent Fuzzing
../../ Modules HTTP #DotDowPwn #snort-2.8.4 - snort-2.9.x, and suricata alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DotDotPwn User-Agent"; flow: established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold: type limit, track by_src,count 1, seconds 60; classtype: attempted-recon; reference:url,dotdotpwn.sectester.net; sid:yyyyyy; rev:1;)
../../ Modules HTTP Additional verification to avoid false positives
../../ Modules HTTP URL
../../ Modules FTP
../../ Modules FTP Compliance with RFC 959 - File Transfer Protocol Double testing approach: CD <directory> & GET <file> GET <directory><file>
../../ Modules TFTP
../../ Modules TFTP A little hack in the TFTP.pm module’s constructor to improve the testing speed (-t switch in DotDotPwn)
../../ Modules PAYLOAD
../../ Modules STDOUT
../../ Greetings Cubil Felino Crew (chr1x, r1l0, b0rr3x, l1l1th) Contributors BugCon Crew www.underground.org.mx #mendozaaaa CRAc, hkm, alt3kx, tr3w, beck, cldrn, LightOS, xScPx, Daemon, SirDarckCat, Rolman, Crypkey, KBrown, nediam, beavis, kaz, Carlos A. Ayala, corelanc0d3r, Héctor López, Raaka (el_gaupo), dex, Cj, preth00nker, Humberto Ochoa, ch0ks, ran, Federico L. Bossi Bonin, Bucio, javi3r, sunLevy, Zeus, etc… And all our followers on Twitter…
../../ Thanks ! chr1x & nitrØus @ Solar Vision 3 Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x) http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org

More Related Content

PDF
Guadalajara con 2012
byJaime Restrepo
 
PDF
HoneyNet SOTM 32 - Windows Malware Analysis
byChetan Ganatra
 
PDF
OceanLotus Ships New Backdoor Using Old Tricks
byESET Middle East
 
PDF
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
PPTX
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
PDF
Nikto
bySorina Chirilă
 
PPTX
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
PDF
44CON 2014 - Breaking AV Software
by44CON
 
Guadalajara con 2012
byJaime Restrepo
 
HoneyNet SOTM 32 - Windows Malware Analysis
byChetan Ganatra
 
OceanLotus Ships New Backdoor Using Old Tricks
byESET Middle East
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
Indicators of compromise: From malware analysis to eradication
byMichael Boman
 
Nikto
bySorina Chirilă
 
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
44CON 2014 - Breaking AV Software
by44CON
 

What's hot

PDF
Crash dump analysis - experience sharing
byJames Hsieh
 
PPTX
How to drive a malware analyst crazy
byMichael Boman
 
PDF
Php logging
byBrent Laminack
 
PDF
T3CON14EU: Migrating from TYPO3 CMS to TYPO3 Flow
bymhelmich
 
PPTX
Code Injection in Windows
byn|u - The Open Security Community
 
KEY
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
byrenebruns
 
PDF
SANS @Night There's Gold in Them Thar Package Management Databases
byPhil Hagen
 
PDF
Metasploit - The Exploit Learning Tree
byE Hacking
 
PDF
InspiringCon15: Bringing TYPO3 Legacy Applications into the Flow
bymhelmich
 
DOC
penetration testing - black box type.
byluigi capuzzello
 
PPTX
Windows Crash Dump Analysis
byMicrosoft TechNet - Belgium and Luxembourg
 
PDF
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
by44CON
 
PDF
TYPO3 6.2. What's new
byRafal Brzeski
 
DOC
Cutting out Malware
byluigi capuzzello
 
PPT
Hacking and Computer Forensics
byKristian Arjianto
 
PDF
PhyloPipe.v1.1_manual_20150610
byYixuan Guo
 
PDF
Docker Plugin For DevSecOps
byPichaya Morimoto
 
PPTX
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
byIgor Korkin
 
PPTX
ShinoBOT Suite
byShota Shinogi
 
PDF
The why and how of moving to php 8
byWim Godden
 
Crash dump analysis - experience sharing
byJames Hsieh
 
How to drive a malware analyst crazy
byMichael Boman
 
Php logging
byBrent Laminack
 
T3CON14EU: Migrating from TYPO3 CMS to TYPO3 Flow
bymhelmich
 
Code Injection in Windows
byn|u - The Open Security Community
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
byrenebruns
 
SANS @Night There's Gold in Them Thar Package Management Databases
byPhil Hagen
 
Metasploit - The Exploit Learning Tree
byE Hacking
 
InspiringCon15: Bringing TYPO3 Legacy Applications into the Flow
bymhelmich
 
penetration testing - black box type.
byluigi capuzzello
 
Windows Crash Dump Analysis
byMicrosoft TechNet - Belgium and Luxembourg
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
by44CON
 
TYPO3 6.2. What's new
byRafal Brzeski
 
Cutting out Malware
byluigi capuzzello
 
Hacking and Computer Forensics
byKristian Arjianto
 
PhyloPipe.v1.1_manual_20150610
byYixuan Guo
 
Docker Plugin For DevSecOps
byPichaya Morimoto
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
byIgor Korkin
 
ShinoBOT Suite
byShota Shinogi
 
The why and how of moving to php 8
byWim Godden
 

Similar to DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

PDF
DotDotPwn v3.0 [GuadalajaraCON 2012]
byWebsec México
 
PDF
SOHOpelessly Broken
byThe Security of Things Forum
 
PDF
Wfuzz para Penetration Testers
bySource Conference
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
PPTX
Introduction to path traversal attack
byPrashant Hegde
 
PPTX
Hunting Botnets with Zmap
byHeadlessZeke
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
PPTX
How to dominate a country
byTiago Henriques
 
PPTX
Directory traversal
bypenetration Tester
 
PDF
Sergey Stoyan 2016
bySergey Stoyan
 
PDF
Sergey Stoyan 2016
bySergey Stoyan
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PDF
Oss forensics fosscomm_2011
byfangjiafu
 
PDF
Lares from LOW to PWNED
byChris Gates
 
PDF
Penetration Testing Services Technical Description Cyber51
bymartinvoelk
 
PPTX
Building an Automated Behavioral Malware Analysis Environment using Free and ...
byJim Clausing
 
PDF
ScaleCamp 2009 - Last.fm vs Xbox
bydavidsingleton
 
PPTX
Network Penetration Testing
byMohammed Adam
 
PDF
Google Hacking
byPim Piepers
 
DotDotPwn v3.0 [GuadalajaraCON 2012]
byWebsec México
 
SOHOpelessly Broken
byThe Security of Things Forum
 
Wfuzz para Penetration Testers
bySource Conference
 
The Web Application Hackers Toolchain
byjasonhaddix
 
Introduction to path traversal attack
byPrashant Hegde
 
Hunting Botnets with Zmap
byHeadlessZeke
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
How to dominate a country
byTiago Henriques
 
Directory traversal
bypenetration Tester
 
Sergey Stoyan 2016
bySergey Stoyan
 
Sergey Stoyan 2016
bySergey Stoyan
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
Oss forensics fosscomm_2011
byfangjiafu
 
Lares from LOW to PWNED
byChris Gates
 
Penetration Testing Services Technical Description Cyber51
bymartinvoelk
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
byJim Clausing
 
ScaleCamp 2009 - Last.fm vs Xbox
bydavidsingleton
 
Network Penetration Testing
byMohammed Adam
 
Google Hacking
byPim Piepers
 

More from Alejandro Hernández

PPTX
Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
byAlejandro Hernández
 
PPTX
Brain Waves Surfing - (In)security in EEG (Electroencephalography) Technologies
byAlejandro Hernández
 
PPTX
In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer
byAlejandro Hernández
 
PPTX
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
byAlejandro Hernández
 
PPTX
Malware en Linux - Barcamp SE - Cali, Colombia 2013
byAlejandro Hernández
 
PPTX
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
byAlejandro Hernández
 
PPT
De Hacker a C-Level
byAlejandro Hernández
 
PPT
ELF en la mira: Hacking y Defensa
byAlejandro Hernández
 
PPT
Live Hacking : del Bug al Exploit
byAlejandro Hernández
 
PPT
Fuzzeando Snort con opciones TCP/IP
byAlejandro Hernández
 
Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies
byAlejandro Hernández
 
Brain Waves Surfing - (In)security in EEG (Electroencephalography) Technologies
byAlejandro Hernández
 
In the lands of corrupted elves - Breaking ELF software with Melkor fuzzer
byAlejandro Hernández
 
Tips y Experiencias de un Consultor en Seguridad Informática - Campus Party C...
byAlejandro Hernández
 
Malware en Linux - Barcamp SE - Cali, Colombia 2013
byAlejandro Hernández
 
Seguridad Física - Mira Mamá, como Jason Bourne - BugCON 2013
byAlejandro Hernández
 
De Hacker a C-Level
byAlejandro Hernández
 
ELF en la mira: Hacking y Defensa
byAlejandro Hernández
 
Live Hacking : del Bug al Exploit
byAlejandro Hernández
 
Fuzzeando Snort con opciones TCP/IP
byAlejandro Hernández
 

Recently uploaded

PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
The year in review - MarvelClient in 2025
bypanagenda
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

  • 1.
    ../../ DotDotPwn ! The Directory Traversal Fuzzer Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x) http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org
  • 2.
    ../../ AGENDA DotDotPwn Description Introduction Directory Traversal Vulnerability (Intelligent) Fuzz Testing General Information Origin / Evolution Design / Architecture Usage options Website / Contact Download Contributions Vulnerabilities Discovered vulnerabilities Traversal Engine Description Resources Fuzz patterns generation Intelligent fuzzing Modules Description of each one Greetings
  • 3.
    ../../ DotDotPwn Description README.txt It’s avery flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).
  • 4.
    ../../ Introduction Directory TraversalVulnerability A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. The goal of this attack is to order an application to access a computer file that is not intended to be accessible. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks. A typical example of vulnerable application in php code is: Source: http://en.wikipedia.org/wiki/Directory_traversal
  • 5.
    ../../ Introduction Directory TraversalVulnerability An attack against this system could be to send the following HTTP request: Generating a server response such as: Source: http://en.wikipedia.org/wiki/Directory_traversal
  • 6.
    ../../ Introduction Directory TraversalVulnerability Some web applications scan query string for dangerous characters (to prevent Directory Traversal vulnerabilities) such as: .. .. ../ However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as: %2e%2e%2f which translates to ../ %2e%2e/ which translates to ../ ..%2f which translates to ../ %2e%2e%5c which translates to .. etc. Source: http://en.wikipedia.org/wiki/Directory_traversal
  • 7.
    ../../ Introduction Directory TraversalVulnerability According to a study done by Imperva about Web Applications Attacks, the Directory Traversal vulnerability is one of the most common attacks nowadays (July 2011) Source: Imperva’s Web Application Attack Report. Edition #1 - July 2011
  • 8.
    ../../ Introduction Fuzz Testing Fuzz testing or fuzzing is a software testing technique that provides (in)valid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for. Source: http://en.wikipedia.org/wiki/Fuzz_testing
  • 9.
    ../../ Introduction Intelligent FuzzTesting Source: DeMott, J. (2006). The evolving art of fuzzing.
  • 10.
    ../../ Introduction Intelligent FuzzTesting Source: DeMott, J. (2006). The evolving art of fuzzing.
  • 11.
    ../../ Introduction Intelligent FuzzTesting Source: DeMott, J. (2006). The evolving art of fuzzing.
  • 12.
    ../../ General Information Origin/ Evolution CHANGELOG.txt DotDotPwn v1.0 Release date: 21/Aug/2010 Checker Script Core component: Traversal database (external .txt files) with 881 payloads Based on Shlomi Narkolayev’s Directory Traversal Cheat Sheet http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html DotDotPwn v2.1 Release date: 29/Oct/2010 (BugCon Security Conferences 2010) From Checker to Fuzzer Rewritten from the scratch Modular architechture (DotDotPwn packages) Core component: Traversal Engine OS detection (nmap) A cool banner was included ;) False positives detection Many parameters included for fuzzing flexibility More modules included DotDotPwn v3.0beta Release date: 03/Aug/2011 (Black Hat USA 2011 (Arsenal) - Conference CD) Random User-Agent in HTTP requests Operating System type specifier (if known) Reporting capabilities
  • 13.
    ../../ General Information Design / Architecture INPUTS FUZZ PATTERNS OUTPUTS CREATION Modules manual OS type HTTP Traversal Engine OS detection HTTP URL ../../ .... ..%2f..%2f Deepness FTP ..%255c..%255c ..%c0%2f..%c0%2f ..%u2215..%u2215 TFTP ..%uF025..%uF025 ..%25c1%259c..%25c1%259c Filenames %252e%252e%c0%5c%252e%252e%c0%5c PAYLOAD STDOUT Dots & Slashes Encodings
  • 14.
  • 15.
    ../../ General Information Usageoptions EXAMPLES.txt (one example per module)
  • 16.
    ../../ General Information Website/ Contact README.txt Official Website: http://dotdotpwn.blogspot.com Official Email: dotdotpwn@sectester.net Bugs / Contributions / Improvements: dotdotpwn@sectester.net
  • 17.
    ../../ General Information Download DotDotPwnv3.0beta: INCLUDED IN BLACK HAT USA 2011 CONFERENCE CD DotDotPwn v2.1: PacketStormSecurity: http://packetstormsecurity.org/files/view/95399/dotdotpwn-v2.1.tar.gz BackTrack Linux 4 R2: # apt-get update # apt-get install dotdotpwn # cd /pentest/fuzzers/dotdotpwn/ # ./dotdotpwn.pl Mirror: http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz
  • 18.
    ../../ General Information Contributions AUTHORS.txt Contribution:Idea Implementation of the Bisection Algorithm (http://en.wikipedia.org/wiki/Bisection_method) once a vulnerability has been found in order to determine the exact deepness of the directory traversal. Origin of -X switch. By: Roberto Salgado aka LightOS http://twitter.com/LightOS http://www.websec.ca ------------------------------------- Contribution: Idea and Code Not always include the @Extra_files (e.g. web.config, httpd.conf, etc.). Origin of the -e switch. Specify the Operating System type if known ("windows" or "unix"). Origin of the -o switch. By: Eduardo Ruiz Duarte aka Beck http://twitter.com/toorandom http://math.co.ro http://b3ck.blogspot.com ------------------------------------- Contribution: Code Save a results' report into the Reports folder. Origin of the -r switch. Treatment of SIGINT in order to print the number of traversals found when Ctrl + C is pressed. Random User-Agent in HTTP requests for IDS/IPS detection avoidance. By: Diego Boy http://twitter.com/Diego_Boy ------------------------------------- Contribution: Code Random User-Agent in HTTP requests for IDS/IPS detection avoidance. By: Cristian Urrutia aka Gashnark http://twitter.com/blion_tec
  • 19.
    ../../ General Information ToDo Implementation of the Bisection Algorithm to determine the exact deepness of the directory traversal. The bisection method in mathematics, is a root-finding method which repeatedly bisects an interval then selects a subinterval in which a root must lie for further processing. Source: http://en.wikipedia.org/wiki/Bisection_method ../../../../../../../../../../../../../../../../etc/passwd (16) ../../../../../../../../etc/passwd (16/2 = 8) ../../../../../../../../../../../../etc/passwd ((8+16) / 2 = 12) ../../../../../../../../../../etc/passwd ((8+12) / 2 = 10) ../../../../../../../../../../../etc/passwd ((10+12) / 2 = 11) 5 requests instead of 11 !
  • 20.
    ../../ Vulnerabilities Discovered vulnerabilities Tested software HTTP: 72 Web platforms: 2 (CMS’s) FTP: 25 TFTP: 11
  • 21.
  • 22.
    ../../ Vulnerabilities Discovered vulnerabilities Exploits MultiThreaded HTTP Server [chr1x] – http://www.exploit-db.com/exploits/12304 Wing FTP Server v3.4.3 [chr1x] - http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt VicFTPS v5.0 [chr1x] – http://www.exploit-db.com/exploits/12498 TFTP Desktop 2.5 [chr1x] - http://www.exploit-db.com/exploits/14857 TFTPDWIN v0.4.2 [chr1x] - http://www.exploit-db.com/exploits/14856 Femitter FTP Server 1.04 [chr1x] - http://www.exploit-db.com/exploits/15445 Home FTP Server <= r1.11.1 (build 149) [chr1x] - http://www.exploit-db.com/exploits/15349 Yaws 1.89 HTTP Server [nitrØus] - http://www.exploit-db.com/exploits/15371 Mongoose 2.11 HTTP Server (Win32) [nitrØus] - http://www.exploit-db.com/exploits/15373
  • 23.
    ../../ Vulnerabilities Discovered vulnerabilities 3.4.0 - 1st Traversal found ! 3.4.1 3.4.2 3.4.3 3.4.5 – 2nd Traversal found ! ================= 56 days of exposure!! DotDotPwn’s Breaking Patches! ☺
  • 24.
    ../../ Traversal Engine Description Traversal Engine ../../ .... ..%2f..%2f ..%255c..%255c ..%c0%2f..%c0%2f ..%u2215..%u2215 ..%uF025..%uF025 ..%25c1%259c..%25c1%259c %252e%252e%c0%5c%252e%252e%c0%5c
  • 25.
  • 26.
  • 27.
    ../../ Traversal Engine Fuzzpatterns generation
  • 28.
    ../../ Traversal Engine IntelligentFuzzing At the beggining of this presentation … Then …
  • 29.
    ../../ Traversal Engine IntelligentFuzzing Fuzz patterns according to the Operating System detected (nmap) ../../../boot.ini on *NIX-like ../../../boot.ini on Windows ../../../etc/passwd on Windows ../../../etc/passwd on *NIX-like
  • 30.
  • 31.
    ../../ Traversal Engine IntelligentFuzzing Encoding of slashes (/) for the correct semantics in the fuzzing patterns ..%2f..%2fetc/passwd ..%2f..%2fetc%2fpasswd %2e%2e%c0%af%2e%2e%c0%afwindowssystem32driversetchosts %2e%2e%c0%af%2e%2e%c0%afwindows%c0%afsystem32%c0%afdrivers %c0%afetc%c0%afhosts
  • 32.
  • 33.
    ../../ Modules HTTP #DotDowPwn #snort-2.8.4 - snort-2.9.x, and suricata alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DotDotPwn User-Agent"; flow: established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold: type limit, track by_src,count 1, seconds 60; classtype: attempted-recon; reference:url,dotdotpwn.sectester.net; sid:yyyyyy; rev:1;)
  • 34.
    ../../ Modules HTTP Additionalverification to avoid false positives
  • 35.
  • 36.
  • 37.
    ../../ Modules FTP Compliance with RFC 959 - File Transfer Protocol Double testing approach: CD <directory> & GET <file> GET <directory><file>
  • 38.
  • 39.
    ../../ Modules TFTP A little hack in the TFTP.pm module’s constructor to improve the testing speed (-t switch in DotDotPwn)
  • 40.
  • 41.
  • 42.
    ../../ Greetings CubilFelino Crew (chr1x, r1l0, b0rr3x, l1l1th) Contributors BugCon Crew www.underground.org.mx #mendozaaaa CRAc, hkm, alt3kx, tr3w, beck, cldrn, LightOS, xScPx, Daemon, SirDarckCat, Rolman, Crypkey, KBrown, nediam, beavis, kaz, Carlos A. Ayala, corelanc0d3r, Héctor López, Raaka (el_gaupo), dex, Cj, preth00nker, Humberto Ochoa, ch0ks, ran, Federico L. Bossi Bonin, Bucio, javi3r, sunLevy, Zeus, etc… And all our followers on Twitter…
  • 43.
    ../../ Thanks ! chr1x & nitrØus @ Solar Vision 3 Alejandro Hernández H. (nitrØus), CISSP, GPEN Christian Navarrete (chr1x) http://twitter.com/nitr0usmx http://twitter.com/chr1x <nitrousenador@gmail.com> <chr1x@sectester.net> http://chatsubo-labs.blogspot.com http://chr1x.sectester.net http://www.brainoverflow.org