Httpillage lascon-2015

Post on 23-Feb-2017



Httpillage

Calling all nodes

• John Poulin
– Sr. App. Sec. Consultant @ nVisium
– I’m from Maine

• Hobbies
– Writing Code
– Stacking Wood
– Picking Apples

In the business of: Helping developers fix things, by breaking them.

I built a thing.

Intro

Penetration Testing vs Vulnerability Assessment

Depth over Breadth vs Breadth over Depth

“An attacker could…”

If you’re being paid, you are the attacker.

Impact statements must be practical

“An attacker could intercept the NSA’s unicorns, and ride them to mars.”

“An attacker could enumerate a list of user accounts.”

Traditional Attack

Unrealistic; Slow

We can improve.

Tool Overview

httpillage

httpillage
• Designed for easy distribution of attacks.
• Still super beta
• Originally a hackathon project

httpillage: features
• Web Interface (Rails 4)
– Job Creation
– User Management
– Response Tracking
• Burp Suite Integration
– Easily send requests to httpillage

httpillage: features
• Attack Types
– Repeating (aka. DoS mode)
– Dictionary
– Bruteforce
• Response Flagging
– String
– Regex

httpillage: Architecture
• Server:
– Command and Control Server
– Delegates work to nodes
• Nodes:
– Sends requests to target
– Processes responses for matches

httpillage: Architecture

httpillage
• Easy distribution

[NODE workflow diagram] Poll for Job → Received Job? → Parse Payloads → Payload? → Send request to target → Detect Match → Has match? → Send to C&C → Work Complete? (each question has Yes/No branches)

Live Demos

Username Enumeration

Username Enumeration
• Application discloses existence of username
– Login
– Forgot Password
– Registration

Username Enumeration
• Discoverable via:
– Verbose Error Message
– Response Diffing
• Response Code
• Spacing
– Timing (can be practical)
• https://nvisium.com/blog/2015/06/25/time-based-username-enumeration/

Username Enumeration

Username Enumeration

Username Enumeration
• Useful for many things
– Phishing Attacks
– Password Discovery
– Insecure Dir. Obj. Reference
– De-anonymization

Username Enumeration
• Process for exploitation
– Build list of email addresses / usernames
• Adobe database dump
– Establish a baseline request
– Automate that request for each username
– Search for pattern matches, indicators of enumeration

Username Enumeration
• Generally low impact
• Generally low difficulty
• Results in: Moderate Risk.
– Most orgs consider it low risk.

Live Demo

Username Enumeration
• Easy to exploit
• Very fast when distributed
• Classic example of vulnerability chaining.
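The "verbose error message" and "response diffing" indicators from the slides above, shown as an added example (not code from the talk or from the httpillage/django.nV projects): a login handler in its leaking form beside its hardened form, plus the baseline-versus-probe comparison a tester would run against each. The user store, usernames and passwords are constructed for the demo; the hardened handler hashes a dummy record on the unknown-user path so that status, body and work are identical either way.

```python
import hashlib
import hmac
import os

# Constructed user store for this example (hypothetical, not django.nV data):
# username -> (salt, PBKDF2 hash). Iteration count kept low so the demo runs fast.
ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Hash verified when the username is unknown, so that path costs the same
# as a real verification and the timing difference disappears.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-never-accepted", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> tuple[int, str]:
    """Vulnerable form: status code and message reveal whether the account exists,
    and the unknown-user branch returns early (a timing difference as well)."""
    record = USERS.get(username)
    if record is None:
        return 404, "No account with that username."
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return 200, "Welcome back."
    return 401, "Incorrect password."


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened form: identical status, identical body and identical work
    whether or not the username exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    if matched and username in USERS:
        return 200, "Welcome back."
    return 401, "Invalid username or password."


def response_signature(status: int, body: str) -> tuple[int, int, str]:
    """What a response-diffing check compares: status code, length, text."""
    return status, len(body), body


def leaks_existence(handler, known_user: str, unknown_user: str) -> bool:
    """Baseline request (known user, wrong password) diffed against a probe
    (unknown user, same wrong password). True means enumeration is possible."""
    baseline = response_signature(*handler(known_user, "not-the-password"))
    probe = response_signature(*handler(unknown_user, "not-the-password"))
    return baseline != probe


if __name__ == "__main__":
    print("verbose handler leaks:", leaks_existence(login_verbose, "alice", "mallory"))
    print("uniform handler leaks:", leaks_existence(login_uniform, "alice", "mallory"))
```

The same baseline-versus-probe diff applies to forgot-password and registration endpoints; the fix in each case is the same uniform message, uniform status and uniform amount of work.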

Expiring Tokens

Expiring Tokens
• (hopefully) random tokens
• Out-of-band identification
• Expire after creation

Expiring Tokens
• Super common
– Multi-factor authn, 6 digit token
– Forgot password mechanisms

Expiring Tokens

Live Demo

https://github.com/nVisium/django.nV

Defeating Expiring Tokens
• Possible to exploit with adequate resources
• Should never be vulnerable!

Mitigating Expiring Tokens
• Increase token length + entropy
– Why 4 digits? Why 6 digits?
– Users can be lazy
• Reduce length of expiration
– 15-30 minutes should be adequate for 8 alphanumeric characters.
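The two mitigations above (longer, higher-entropy tokens and a shorter expiry window) put into numbers and code, as an added example rather than code from the talk: the keyspace arithmetic shows why a 6-digit token with a 30-minute lifetime can be exhausted by a distributed guesser while 8 alphanumeric characters cannot, and the token store issues CSPRNG tokens that are single-use and rejected after their TTL. The 1,000 requests per second rate used in the check is an assumed figure, and the injectable clock exists only so the expiry path can be exercised offline.

```python
import hmac
import secrets
import string
import time

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols
DIGITS = string.digits                           # 10 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, requests_per_second: float) -> float:
    """Worst case for the attacker: every value in the keyspace tried once."""
    return space / requests_per_second


def exhaustible_within(space: int, requests_per_second: float, ttl_seconds: float) -> bool:
    """True if the whole keyspace fits inside the token's lifetime at that rate."""
    return seconds_to_exhaust(space, requests_per_second) <= ttl_seconds


class TokenStore:
    """Issues one random out-of-band token per user and rejects it after expiry.
    The clock is injectable (an assumption made for testability); default is time.time."""

    def __init__(self, length=8, alphabet=ALPHANUM, ttl_seconds=15 * 60, clock=time.time):
        self.length = length
        self.alphabet = alphabet
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._by_user: dict[str, tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        # secrets.choice draws from the OS CSPRNG; random.choice would not do here.
        token = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self._by_user[user] = (token, self.clock() + self.ttl_seconds)
        return token

    def redeem(self, user: str, supplied: str) -> bool:
        entry = self._by_user.get(user)
        if entry is None:
            return False
        token, expires_at = entry
        # Constant-time comparison; both conditions evaluated before deciding.
        matched = hmac.compare_digest(token, supplied)
        expired = self.clock() > expires_at
        if matched and not expired:
            del self._by_user[user]  # single use: a redeemed token cannot be replayed
            return True
        return False


def token_lifecycle_demo() -> dict:
    """Exercises issue/redeem with a fake clock so the expiry check is observable."""
    now = [0.0]
    store = TokenStore(clock=lambda: now[0])
    first = store.issue("alice")
    wrong_guess = store.redeem("alice", "AAAAAAAA")
    now[0] = 16 * 60                    # 16 minutes later, past the 15-minute TTL
    expired_use = store.redeem("alice", first)
    second = store.issue("alice")
    good_use = store.redeem("alice", second)
    replay = store.redeem("alice", second)
    return {"length": len(first), "wrong_guess": wrong_guess,
            "expired_use": expired_use, "good_use": good_use, "replay": replay}


if __name__ == "__main__":
    rate = 1000.0  # assumed aggregate guess rate across nodes, requests per second
    for label, space in (("6 digits", keyspace(10, 6)), ("8 alphanumeric", keyspace(62, 8))):
        print(f"{label}: {space} values, {seconds_to_exhaust(space, rate):.0f} s to exhaust,"
              f" exhaustible in 30 min: {exhaustible_within(space, rate, 30 * 60)}")
    print(token_lifecycle_demo())
```

At 1,000 guesses per second a 6-digit space (10^6 values) is gone in under 17 minutes, inside the 15-30 minute window the slide recommends; 62^8 values at the same rate take on the order of thousands of years, so the window becomes a bound on the attacker's budget rather than a race they can win.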

Denial of Service

Denial of Service
• Common in politically motivated attacks
• Generally not in scope for assessment (Vuln. or Pentest)

Denial of Service
• Exploitable via:
– Large amounts of requests (DDoS)
– Large amounts of parameters (Hash Table Collisions)
– Unsafe application functionality (xml-rpc)

Denial of Service
• Super easy to perform when distributed
• A startup's nightmare

Live Demo

Denial of Service
• DoS testing needs to be performed
• Load-balance all the things
• Monitor costly operations (crypto, sleep)
– Secure Client Renegotiation in SSL
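The "monitor costly operations" and "large amounts of parameters" points above, as an added example that is not part of the talk or of httpillage: a small detector that groups access-log entries per path and time window, alerts when one path draws many requests from many distinct sources (the distributed pattern the nodes produce), and marks the endpoint costly when its mean latency is high, plus a parameter-count cap of the kind used against hash-collision DoS. The log lines and their field order are constructed for the demo; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Constructed access-log lines for this example (not real traffic). Field order
# is an assumption: "<iso-timestamp> <client-ip> <method> <path> <status> <latency-ms>".
SAMPLE_LOG = """\
2015-10-22T10:00:00Z 10.0.0.1 GET /index.html 200 12
2015-10-22T10:00:01Z 10.0.0.2 POST /xmlrpc.php 200 1900
2015-10-22T10:00:01Z 10.0.0.3 POST /xmlrpc.php 200 2100
2015-10-22T10:00:02Z 10.0.0.4 POST /xmlrpc.php 200 1850
2015-10-22T10:00:02Z 10.0.0.5 POST /xmlrpc.php 200 2300
2015-10-22T10:00:03Z 10.0.0.2 POST /xmlrpc.php 200 1950
2015-10-22T10:00:03Z 10.0.0.6 POST /xmlrpc.php 200 2050
2015-10-22T10:00:04Z 10.0.0.1 GET /about.html 200 9
2015-10-22T10:00:05Z 10.0.0.7 POST /xmlrpc.php 200 2200
2015-10-22T10:00:06Z 10.0.0.8 POST /xmlrpc.php 200 2000
2015-10-22T10:00:30Z 10.0.0.1 GET /index.html 200 11
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line: str):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "method": m.group(3), "path": m.group(4),
            "status": int(m.group(5)), "latency_ms": int(m.group(6))}


def find_distributed_bursts(log_text: str, window_seconds: int = 10, min_requests: int = 5,
                            min_sources: int = 3, slow_ms: int = 1000) -> list:
    """Groups requests per (path, time window); alerts when one path draws many
    requests from many distinct sources, flagging it costly if mean latency is high."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        window = int(entry["ts"].timestamp()) // window_seconds
        buckets[(entry["path"], window)].append(entry)
    alerts = []
    for (path, window), entries in sorted(buckets.items()):
        sources = {e["src"] for e in entries}
        mean_latency = sum(e["latency_ms"] for e in entries) / len(entries)
        if len(entries) >= min_requests and len(sources) >= min_sources:
            alerts.append({"path": path, "window_start": window * window_seconds,
                           "requests": len(entries), "sources": len(sources),
                           "mean_latency_ms": round(mean_latency),
                           "costly": mean_latency >= slow_ms})
    return alerts


def exceeds_param_limit(query_string: str, max_params: int = 100) -> bool:
    """Cap on parameter count: the usual guard against hash-table-collision DoS,
    applied before the parameters are loaded into the application's hash table."""
    return len(parse_qsl(query_string, keep_blank_values=True)) > max_params


if __name__ == "__main__":
    for alert in find_distributed_bursts(SAMPLE_LOG):
        print(alert)
    print("101 params rejected:", exceeds_param_limit("&".join(f"k{i}=v" for i in range(101))))
```

Run against the constructed log, the detector reports a single window in which /xmlrpc.php received eight requests from seven sources at roughly two seconds each; the per-window grouping is what separates a distributed burst from one chatty client, and the latency field is what ties the alert back to the costly operation behind the endpoint.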

Future Work
• Job Prioritization
• Job Scheduling
• Node Allocation
• Direct API Integration

We’re in the business of breaking things

Questions?
– Httpillage:
• https://github.com/nVisium/httpillage
– Django.nV:
• https://github.com/nVisium/django.nV

@forced_request