Bacon A Penetration and Auditing Framework Hernan Gips [email protected].


Bacon

A Penetration and Auditing Framework

Hernan Gips [email protected]

Common problems…

– A lot of independent tools use the same input
– Most tools are developed in C/C++
– Tools run on certain platforms
– Tools need to be modified
– Others…

Solution: Bacon

A flexible and extensible framework oriented to the security community.

Overview

– Based on .NET Framework
– Modular architecture
– Multi-language support
– Open source
– Multiplatform
– Fully OO design

What Bacon is not…

– An automatic penetration tool
– A hack-in-a-minute tool
– A static tool

Framework

– Ability to load modules
– Keeps session information
– Provides entities to store specific information like targets, ports, services, etc.
– Provides libraries for proxying, sniffing, etc.

Framework

Bacon is multiplatform.

Runs with:
– .NET Framework
– Mono
– Any ECMA VM implementation

Architecture

[Diagram labels: Bacon Framework; Console; GUI; MODULES; Data]

Internal Context

The framework provides information entities oriented to security and networking.

[Diagram labels: Network; ServiceCollection; TargetCollection; Service; GenericList; Target]

Internal Context

– Each module has RW access to the context.
– The internal implementation uses XML.
– Developers can use the entities or access the context directly via generic XPath queries.
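
How modules might share an XML context through XPath, as an added example that is not Bacon's own code: the element and attribute names, the ContextDemo class and the sample data are assumptions constructed for illustration. The service name is validated before it goes into the query, because text concatenated into an XPath string can change what the query selects.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

static class ContextDemo
{
    // Constructed sample context; the schema is hypothetical, not Bacon's.
    const string SampleContext = @"<context>
  <target address='192.168.0.10'>
    <service port='80' name='http'/>
  </target>
  <target address='192.168.0.11'>
    <service port='25' name='smtp'/>
  </target>
</context>";

    // Read path: XPath query; name is limited to letters and digits so it cannot alter the query.
    public static List<string> TargetsWithService(XmlDocument ctx, string name)
    {
        foreach (char c in name)
            if (!char.IsLetterOrDigit(c)) throw new ArgumentException("unexpected character in service name");
        var found = new List<string>();
        string query = "/context/target[service/@name='" + name + "']/@address";
        foreach (XmlNode attr in ctx.SelectNodes(query))
            found.Add(attr.Value);
        return found;
    }

    // Write path: a scanning module records a newly found service on a known target.
    public static void AddService(XmlDocument ctx, string address, int port, string name)
    {
        foreach (XmlElement t in ctx.SelectNodes("/context/target"))
        {
            if (t.GetAttribute("address") != address) continue;
            XmlElement s = ctx.CreateElement("service");
            s.SetAttribute("port", port.ToString());
            s.SetAttribute("name", name);
            t.AppendChild(s);
            return; // stop here: the node list is not reliable once the document has changed
        }
    }

    static void Main()
    {
        var ctx = new XmlDocument(); ctx.LoadXml(SampleContext);
        AddService(ctx, "192.168.0.11", 80, "http");   // one module writes to the context
        foreach (string a in TargetsWithService(ctx, "http")) Console.WriteLine(a); // another reads it
    }
}
```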

Internal Context

[Diagram labels: Context; Mail Addresses; Users; Session data…; Google Mails Finder; POP3 Brute force Attack; SMTP VRFY Dictionary Attack; Target]

Modules

– Each module is a DLL compiled in .NET
– The framework loads modules using reflection.
– Modules are multithreaded
– Each module runs in a different Application Domain

Modules: Reflection

A developer may create their own plugin in any language that generates a .NET assembly.

Modules

Well-known languages:
– C#
– VB.NET
– C++.NET

Not so well known:
– IronPython
– Boo

Modules

Every module inherits from the Bacon.Plugin abstract class.

This class provides two methods:
– Start()
– Stop()

A module has facilities to:
– Access the context
– Log debug information

Modules

Example module source code in C#

    [Plugin("Test", "plugin for testing purposes")]
    public class TestPlugin : Bacon.Plugin
    {
        [Command("listdump", "command to test something")]
        // ...

        [Command("listusers", "command to test something")]
        // ...
    }

Modules

– Modules have commands defined on them
– Each command has different parameters

    [Command("hack", "hacks something")]
    class HackCommand : Bacon.Command
    {
        public override void Execute()
        {
            // ...
        }
    }

Modules

How the loader works

[Diagram labels: TestPlugin : Bacon.Plugin; MSIL Assembly; Plugins Loader; Plugins Manager]
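
Reflection-based module discovery of the kind the slides describe, as an added example that is not Bacon's own loader: PluginAttribute, Plugin and PluginLoader are hypothetical stand-ins for the Bacon types named above, and the sketch scans its own assembly in the current domain rather than loading each module DLL into a separate Application Domain.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Hypothetical stand-ins for the Bacon types named on the slides.
[AttributeUsage(AttributeTargets.Class)]
sealed class PluginAttribute : Attribute
{
    public string Name { get; }
    public string Description { get; }
    public PluginAttribute(string name, string description) { Name = name; Description = description; }
}

abstract class Plugin
{
    public abstract void Start();
    public abstract void Stop();
}

[Plugin("Test", "plugin for testing purposes")]
class TestPlugin : Plugin
{
    public override void Start() { Console.WriteLine("Test started"); }
    public override void Stop() { Console.WriteLine("Test stopped"); }
}

static class PluginLoader
{
    // Returns an instance of every concrete Plugin subclass in asm that carries [Plugin].
    public static List<Plugin> Load(Assembly asm)
    {
        var plugins = new List<Plugin>();
        foreach (Type t in asm.GetTypes())
        {
            if (t.IsAbstract || !t.IsSubclassOf(typeof(Plugin))) continue;
            var meta = t.GetCustomAttribute<PluginAttribute>();
            if (meta == null) continue;   // types without the attribute are ignored
            Console.WriteLine("loading " + meta.Name + ": " + meta.Description);
            plugins.Add((Plugin)Activator.CreateInstance(t));
        }
        return plugins;
    }

    static void Main()
    {
        // A loader for module DLLs would pass Assembly.LoadFrom(path) here instead.
        foreach (Plugin p in Load(Assembly.GetExecutingAssembly())) { p.Start(); p.Stop(); }
    }
}
```

Instantiating a discovered type runs code from the module assembly, so a loader like this should only be pointed at module files the operator trusts.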

Modules

[Diagram labels: C#; VB; IronPython; MSIL Compilers (msc, monoc, etc); Common Language Runtime; Bacon]

Modules: Module chaining

[Diagram labels: input: 192.168.0.0/24; Network Scan ICMP; Targets; TCP port scanner [connect()]; Services; Web directory finder; Web file finder; Dictionary; Dirs; Files; Report Generator; XML]

Remoting

– The framework exposes its own interface as a remote service.
– This is useful to create distributed attacks.

Framework Interface

Integrated Command Line Console

Framework Interface

– Uses WinForms
– Each module may provide its own GUI

Framework Interface

– You may create your own interface (e.g. a web interface).
– You may also create a common GUI generator for each module

Framework Services

– ProxyLib Service
– SniffLib Service
– FuzzLib Service
– Other

Framework: ProxyLib

– Creates simple proxies
– HTTP, Sockets, etc.
– Hook to events

State of Dev

– Bacon got sponsored!
– The framework architecture is mostly closed
– We are working on creating new modules and a nice GUI.

Future

– Module creation process: Now
– Open-source official release: 3 Months
– Community site release: 1 Month

Conclusion

– We want to create a standard framework for pentesting and auditing networks and applications.
– We want the security community to use it and develop modules for the framework.

Any Questions?

The End.

Hernan Gips

[email protected]@rubic.cc