Tuesday, January 17, 2012
Thursday, January 05, 2012
toolsmith: ZeroAccess analysis with OSForensics
Prerequisites
Windows
Happy New Year:
“A New Year's resolution is something that goes in one year and out the other.”
- Author Unknown
Introduction
December is the time of year when I post the Toolsmith
Tool of the Year survey for reader’s to vote on their favorite tool of the
given year. Please do take a moment to vote. What’s
nice is that I often receive inquiries from tool developers who would like
consideration for coverage in toolsmith. David Wren, Managing Director, of
PassMark Software caught me at just the right moment as I was topic hunting for
this month’s column. PassMark, out of Sydney, Australia, has been known for benchmark
and diagnostic tools but has recently dipped its tow in the digital forensics
pool with OSForensics. I give
PassMark props for snappy marketing. OSForensics, “Digital Investigation for a
new era” coupled with the triumvirate of Discover, Identify, and Manage makes
for a good pitch, but as always we need tools that do as they do, not as they
say. So what can we expect from OSForensics? According to David, who provided
me with prerequisite vendor/developer content, the pending 1.1 release of
OSForensics expected in mid-January 2012 will include:
·
Inclusion of a tree view style file system
browser (Windows Explorer replacement).
·
Indexing & searching of the contents of
E-mail attachments. At the moment just the E-mail content and the file names of
attachments are indexed.
·
Improvements to add search results to a case
directly from search history (efficiency improvement)
·
Ability to add quick notes to a case. At the
moment adding arbitrary notes is a 2 step process.
·
Improvements in the built-in image viewer.
Better quality image scaling & more file properties.
·
Minor improvements in the way E-mails are
exported
·
Significant speed improvements in the window's
registry browser
·
A bug fix for handling of dates in Spanish
language E-mails.
·
Some minor documentation changes
Existing features include disk imaging, disk image
mounting, raw hex view of disk, manual
carving, a registry viewer, forensic copy of network files, testing &
zeroing of external drives prior to imaging, file hashing, live memory dumping,
detection of files with wrong extensions via signatures, case management,
reporting, 64bit support, and more.
The OSForensics website has an extensive FAQ as well
excellent videos and tutorials.
Please note that there is a Free Edition and a Pro
Edition. For this article I tested the 1.0 Pro version of OSForensics.
Integrating
additional tools into OSForensics
One of the things I like most about OSForensics is the
ability to plug in other tools. There’s a great tutorial for enhancing
OSForensics with Harlan Carvey’s RegRipper that
will give you a solid starting point for this activity. Friend and reader Jeff
C. expressed interest in rootkit analysis this month so I’m going to use this
opportunity to integrate GMER and
RootkitRevealer into OSForensics.
As I ran OSForensics on a Windows XP system from a USB
key, I copied GMER and RootkitRevealer to E:\OSForensics\AppData\SysInfoTools.
I then navigated to System
Information in the OSForensics UI, selected Add List and created a Rootkit Analysis list, followed Add under Commands and added the command to execute GMER and
RootkitRevealer as seen in Figure 1.
![]() |
| Figure 1: Rootkit Analysis tools added |
Keep in mind, you can add any of your preferred tools to
OSForensics and their execution as well as their output will be captured as
part of OSForensics case management capabilities.
Running
OSForensics
For ease of viewing, right-click the menu on the left
side of the OSForensics UI and choose thin buttons as this will present all
options without scrolling.
One note of interest before diving in: OSForensics allows
installation on a base analysis system from which you can then Install to USB so as to run it from a
USB key as part of your field kit as seen in Figure 2.
![]() |
| Figure 2: Install OSForensics to a USB key |
Jeff, as part of his expressed interest in rootkit
analysis, also provided me with a perfect sample with which to compromise my
test system. Nomenclature for this little nugget includes Jorik and Sirefef but
you may now it best as Zaccess or ZeroAccess. To read a truly in-depth study of
ZeroAccess, check out Giuseppe Bonfa’s fine work in four parts over at InfosecResources, as
well as a recent update from Pedro Bueno on the ISC Diary.
ZeroAccess has been rolled into the BlackHole Exploit Kit and is often used in
crimeware bundles for ad clicking.
This particular sample (MD5: 3E6963E23A65A38C5D565073816E6BDC)
is VMWare-aware so I targeted my Windows XP SP 3 system running Windows Steady
State and executed QuickTimeUpdate.exe
(it only plays a real QuickTime update on TV).
As with any tool of OSForensic’s ilk, I started the
process by creating a case which is as easy clicking Start then Create
Case. The OSForensics UI is insanely intuitive and simple; if you’re one
of those who refuses to read manuals, FAQs, and/or tutorials you’ll still get
underway in short order. With most forensics oriented multi-functional tools
that include indexing I always make indexing my second process. Yep, it’s as
easy as Create Index. I infected
this system on 12/26/11 at 1630 hours so a great next step for me was to review
Recent Activity to see what was
noteworthy. Based on a date range-limited search under Recent Activity I noted a significant spike in events in
the 1600 hour. I right-clicked on the resulting histogram for the hour of
interest and selected Show these files.
The result, as seen in Figure 3, shows all the cookies spawned when ZeroAccess
tapped into all its preferred ad channels. All cookies in Figure 3, including
those for switchadhub.com, demdex.com, and displayadfeed.com were created right
on the heels of the infection at 1630 hours. These are services malware writers
use to track clicks and campaign success.
| Figure 3: ZeroAccess’ malicious click campaign evidence via OSForensics |
I had not browsed to any websites and on this host would
have done so via a browser other than Internet Explorer; as such this activity as
written to C:\Documents and
Settings\LocalService\LocalSettings\Temporary Internet Files\Content.IE5
clearly occurred in the background.
I always take a network capture during malware runtime
and the resulting PCAP acquired while analyzing this version of ZeroAccess
included connections to a well-known malware redirection service at 67.201.62.*.
Search "67.201.62" malware
and you’ll see what I mean.
I then opted to call GMER from OSForensics as discussed
earlier during Integration. If
you’re not familiar GMER is the defacto standard for rootkit detection. Once a
GMER scan is complete, you can choose to dump detected modules as seen in
Figure 4 via Dump module.
![]() |
| Figure 4: GMER bags ZeroAccess via OSForensics |
I fed the resulting binary file to VirusTotal and was
rewarded for my efforts with hits for Gen:Variant.Sirefef.38,
a ZeroAccess variant.
OSForensics features a Memory
Viewer from which you can conduct similar activity natively by selecting
a given process (one you assume or have determined is malicious), select one of
four dump options including Dump Process
Memory Contents, then click Dump.
The resulting .bin can be fed to VirusTotal or a similar service.
But alas, you will not have made the utmost use of OSForensics
if you don’t capitalize on Hash Sets.
I won’t get into great detail as to how to do so as again the tutorial videos
are excellent. You will want to enable a given hash set by selecting it in the
UI then clicking Make Active.
One of the hash sets PassMark offers via download is a 124kb common Keyloggershash set. You
can select a directory via File Name
Search, then Search, then
right-click a file of interest (or CTRL-A to select all) and choose Look Up in Hash Set. As none of the
acquired binaries for ZeroAccess matched the current hash set, I chose to scan
my Lurid (the
APT) analysis folder to see what matches the hash set had for me. I used the Sorting menu in the lower right-hand
corner of the UI and set it to In Hash
Sets; the results are seen Figure 5.
![]() |
| Figure 5: Keylogger hashset checks |
While OSForensics claimed to have matches, they were only
for 0 byte files that all show up with the MD5 hash of D41D8CD98F00B204E9800998ECF8427E.
I’ll test this further with a known keylogger and determine what a real match
looks like. I don’t fault OSForensics for this as I likely don’t have a sample
keylogger whose hash matched the hash set. Trying hash matching against known
good system files worked admirably.
I didn’t even touch OSForensics password analysis
capabilities but will also likely do so in a future blog post. Do check out
that feature set via Passwords
for yourself and share your feedback. Recognize that OSForensics integrates
Rainbow Tables so as you can imagine, the possibilities are endless.
Don’t forget the expected disk image analysis
capabilities coupled with file carving. I tested this briefly (and
successfully) only to confirm what I consider a required and standard feature
for tools of this nature.
In Conclusion
I’ll admit I had no expectations for OSForensics as I had
no prior experience with it and to be quite candid, no awareness prior to David
contacting me. I always assume some risk when choosing such a tool given that I
could spend hours conducting research and analysis only to find the tool does
not meet the standard for toolsmith discussion (can you say emergency topic
change?”). Such was not the case with
OSForensics. I was pleased with the results, disappointed I didn’t have more
time to spend on it before writing about it here, but looking forward making
much more use of it in the future. As always, let me know what you think, I’m
hopeful you find it as intriguing as I have.
Ping me via email if you have questions (russ at
holisticinfosec dot org).
Cheers…until next month.
Acknowledgements
Tuesday, December 20, 2011
Choose the 2011 Toolsmith Tool of the Year
Merry Christmas and Happy New Year!
It's that time again.
Please vote below to choose the best of 2011, the 2011 Toolsmith Tool of the Year.
We covered some outstanding information security-related tools in ISSA Journal's toolsmith during 2011; which one do you believe is the best?
I appreciate you taking the time to make your choice.
You can review all 2011 articles here for a refresher on any if the tools listed in the survey.
You can vote through January 31, 2012.
Results will be announced February 1, 2012.
It's that time again.
Please vote below to choose the best of 2011, the 2011 Toolsmith Tool of the Year.
We covered some outstanding information security-related tools in ISSA Journal's toolsmith during 2011; which one do you believe is the best?
I appreciate you taking the time to make your choice.
You can review all 2011 articles here for a refresher on any if the tools listed in the survey.
You can vote through January 31, 2012.
Results will be announced February 1, 2012.
Friday, December 02, 2011
toolsmith: Registry Decoder
Prerequisites
Binaries require no external dependencies; working from a
source checkout requires Python 2.6.x or 2.7.x and additional third-party apps
and libraries.
Merry Christmas:
"Christmas is not a time nor a
season, but a state of mind. To cherish peace and goodwill, to be plenteous in
mercy, is to have the real spirit of Christmas.” -Calvin Coolidge
Introduction
Readers of the SANS Computer Forensics Blog or
Harlan Carvey’s Windows Incident Response blog
have likely caught wind of Registry Decoder. Harlan
even went so far as to say “sounds like development is really ripping along (no
pun intended). If you do any analysis of Windows systems and you haven't looked
at this tool as a resource, what's wrong with you?” When Registry Decoder was first
released in September 2011, I spotted it via Team Cymru’s Dragon News Bytes
mailing list and filed it away for future use. Then, in most fortuitous
fashion, Andrew Case, one of the Volatility developers I’d reached out to for
September’s Volatility column, contacted me regarding Registry Decoder in early
November. Andrew co-develops Registry Decoder with Lodovico Marziale as part of
Digital Forensic Solutions and kindly provided me with content for the
remaining entirety of this introduction.
Registry Decoder is open source (GPL) and written
completely in Python and is downloadable via Google Code projects. It was
initially funded by the National Institute of Justice and now is funded by
Digital Forensics Solutions.
Registry Decoder can analyze registry files from a number
of sources and then provide a number of GUI-driven analysis capabilities. The
current version of the tool (1.1 as this is written) can import individual
registry files, raw (dd) disk images, raw (dd) split images, Encase (E01)
images, and databases from the live tool. Once evidence is imported and
pre-processed, the investigator then has a number of analysis tools available
and new evidence can be added to a case at any time.
Registry Decoder’s analysis capabilities include:
·
Browsing Hives (similar to Access Data’s
Registry Viewer)
·
Hive Searching (more on this below)
·
Plugin System (similar to regripper)
·
Hive Differencing
·
Timelining based on last write time
·
Path Based Analysis
·
Automated reporting of all of the above
Registry Decoder automates all of this functionality for
any number of registry hives and the reporting can handle exporting results
from multiple hives and analysis types into one report.
Andrew’s favorite Registry Decoder use case is USBSTOR
analysis. Almost every case involving investigating a specific employee requires
determining which (if any) USB drives were in use. To do this with Registry Decoder, all an
investigator has to do is create a case with the disk images or hives acquired,
run the USBSTOR plugin, and then
export the results. After pre-processing is done, it takes mere minutes to have
a report created with the device name, serial number, etc. of any devices
connected. Also, since Registry Decoder pulls historical files from live
machines and disk images (System Restore & Volume Shadow Service), this
analysis can be run across hives going back months or years.
Similarly, while investigating data exfiltration between
multiple employees of a company, Andrew needed to know if they shared USB
drives. To make the determination he took the SYSTEM files from each machine,
loaded them into Registry Decoder and then used the plugin differencing ability
on the USBSTOR plugin. It
immediately revealed what drives were shared between computers, including their
serial number. Another common use of the
differencing feature is with the Services
plugin as this quickly identifies malware if you difference your known good
disk image vs. a disk image of a machine suspected to be infected.
Registry Decoder’s search feature is one of its strongest
features. It allows you to search across any number of hives and filter by
keys/values/names, last write time range, wildcard searching, and bulk
searching with keyword files.
For a recent case, Andrew had to determine if a person
was accessing files they shouldn’t have been looking at. They had a desktop and
a laptop, both running XP and both with many System Restore Points. In less
than 30 minutes with Registry Decoder, Andrew needed only load the disk images
from the two machines into Registry Decoder, make a text file with all the
search terms, and then search all the terms across all the hives in the case
(including historical ones). This returned results that he then exported into
one report and was finished. Another useful
search is noted when viewing the search results tab, right click on any result,
and immediately jump into the Browse
view positioned at that key.
Another good use case includes path-based analysis which
allows you to determine if a registry path exists in any number of files. For whichever
files it is present in, one can then export the path and optionally its
key/value pairs. This is extremely useful in two situations:
1. Determining
if certain software is installed (P2P, cracked software, etc.), as you can simply
search any of the paths that the program creates and then export its key/values
inclusive of when and where the software was installed.
2. During
malware analysis as most malware writes to the registry. Searching across numerous
suspect systems for the malware’s path allows investigators to immediately determine
the extent of infection.
Registry Decoder’s roadmap includes more analysis plugins
and added support for memory analysis (integrate with Volatility’s existing
in-memory registry functionality).
The developers also want to add support for analyzing
previously deleted keys and name/value pairs within hives. The library utilized
for enumerating hives, reglookup,
already supports this functionality so it is just a matter of integration.
Running the Registry Decoder online acquisition component
I ran regdecoderlive32 on a 32bit Windows XP SP3 virtual
machine infected with Lurid and regdecoderlive64 on a Windows 7 SP1 64bit
machine.
One note for regdecoderlive32 on Windows XP systems with drives
formatted with NTFS. Even when running regdecoderlive32 with administrator
privileges the hidden System Volume Information directory is protected with
unique ACLs. To circumvent this issue, issue cacls
"C:\System Volume Information" /E /G :F from a
command prompt at the root of C: (this assumes the OS is installed on C:).
As seen in Figure 1, running regdecoderlive is as simple
as executing and defining a few parameters including description, output
directory (must be empty) and check boxes for acquisition of current and backup
files.
![]() |
| Figure1: Registry Decoder Live |
Once acquisition is complete, the results directory will
be populated with registryfiles/acquire_files.db
and related files. This results directory can (should) be written to portable
storage mounted on the target system or a network share, which can then be
consumed by Registry Decoder for offline analysis.
Running the
Registry Decoder offline analysis component
Registry Decoder can consume individual registry files,
raw (dd) disk images, and Encase (E01) images, including split images. Building
a case is as easy as adding a case name and number, investigator, comments, and
case directory. Adding evidence to a case after initial processing is created
is quite simple; you’ll be prompted to add new evidence after choosing Start Case and opening an existing
case.
I only tested Registry
Decoder with the acquisition database acquired from a Lurid-infected Windows XP
VM via Registry Decoder Live.
Initial processing can take
some time depending on the number of restore points or volume shadows.
Once initial processing is
complete however, Registry Decoder is nimble and effective.
I mimicked some of Andrew’s
use cases in this analysis of a Lurid victim. From runtime analysis of the Lurid sample I had (md5: 84d24967cb5cbacf4052a3001692dd54)
I knew a few key attributes to test Registry Decoder with. Services and
registry keys created include WmdmPmSp.
As the search functionality is a strong suit, I selected CORE from the current
snapshot acquired and searched WmdmPmSp. Right-click search results and
select Switch to File View then
navigate to the Browser tab for
key values, etc. as seen in Figure 2.
![]() |
| Figure 2: Registry Decoder search results |
I made use of the timeline
functionality and was amply rewarded. Imagine a scenario where have a ballpark
time window for a malware compromise or unauthorized access. You can filter the
timeline window accordingly and produce output that is compliant to the
SleuthKit’s mactime format. It’s not human readable currently (next release) so
read it in with Autopsy or TSK. Timeline gathering and results are combined in
Figure 3. It clearly identified exactly when Lurid wrote to HKLM\SYSTEM\CONTROLSET001\SERVICES\WmdmPmSp.
![]() |
| Figure 3: Registry Decoder timeline results |
I also tested USBSTOR (unrelated to Lurid) on both acquisitions
(Windows 7 and Windows XP) and the results were accurate and immediate in both
cases as seen Figure 4.
![]() |
| Figure 4: Registry Decoder USBSTOR results |
Explore the Plugins options
included with Registry Decoder, the possibilities are endless. SYSTEM will
provide you a nice summary overview as you begin, IE Typed URLs is great for
inappropriate browser use, Services with Perform Diff enabled is excellent for
malware hunting, System Runs will give you instant gratification regarding
what’s configured to run on startup, ACMRU queries the registry keys that have
been typed into the Windows Search dialog box, and on and on and on. J
Brilliant!
In Conclusion
I’m extremely excited about this tool and imagining its
use at scale to be of incredible use for enterprise incident responders and
forensic examiners. I’ve been chatting with Andrew at length while writing this
and he continuously mentions pending features including some visualization
options and the aforementioned Volatility interaction. I can’t wait; check out
Registry Decoder out for yourself ASAP.
Merry Christmas!
Ping me via email if you have questions (russ at
holisticinfosec dot org).
Cheers…until next month.
Acknowledgements
Andrew Case, Registry Decoder
developer and project lead
Saturday, November 26, 2011
Tool review: NetworkMiner Professional 1.2
I've been slow in undertaking this review as NetworkMiner's Erik Hjelmvik sent me NetworkMiner Professional 1.1 when it was released and 1.2 is now available.
Seeing Richard Bejtlich's discussion of Pro 1.2 has served to get me off the schnide and is helpful as I will point you to his post as an ideal primer while I go into to a bit deeper detail as to some of NetworkMiner's power as well as what distinguishes Professional from the free edition.
I covered NetworkMiner in toolsmith in August 2008 back when it was version 0.84. Erik has accomplished all of his goals for improvement as identified in the article including reporting, faster parsing of large PCAP files (.735 MB/s at the command-line), more protocols implemented, and PIPI (Port Independent Protocol Identification). NetworkMiner Professional 1.2 incorporates all of the above.
To exemplify NetworkMiner Professional's PIPI capabilities, I changed my lab web server port to 6667, then set NetworkMiner to grab a live capture while browsing to the reconfigured server.
Note: you need to Run as Administrator to grab the interface on Windows 7.
Sure, it's more likely that someone would be more likely to hide evil traffic over port 80 but you get the point. As Richard said, "PIPI has many security implications for discovery and (preferably) denial of covert channels, back doors, and other policy-violating channels."
Note as seen in Figure 1 that NetworkMiner Professional clearly differentiates HTTP traffic regardless of the fact that it traversed port 6667.
![]() |
| Figure 1 |
I was a bit surprised to note that the Hosts view as seen in Figure 1 did not identify that any data was pushed as cleartext although it unequivocally identified the admin/password combination I sent in both the Cleartext view and the Credentials view.
I used an 18.8MB PCAP from the Xplico sample set as it includes a plethora of protocols and carve-able content with which to test NetworkMiner Professional.
Exporting results to CSV for reporting is as easy as File --> Export to CSV and selecting output of your choosing. As seen in Figure 2 I opted for Messages as NetworkMiner Professional cleanly carved out an MSN to Yahoo email session (HTTPS, anyone?).
![]() |
| Figure 2 |
Geo IP localization is a real standout too. You'll see it in play as you explore host details in Hosts view as seen in Figure 3.
![]() |
| Figure 3 |
You may find host coloring useful too should you wish to tag hosts for easy identification later as seen in Figure 4.
![]() |
| Figure 4 |
Finally, I am most excited about NetworkMinerCLI for command-line scripting support.
I ran a PCAP taken from a VM infected with Trojan-Downloader.Win32.Banload.MC through NetworkMinerCLI and was amply rewarded for my efforts...right after I excluded the output directory from AV detection.
Figure 5 shows the command executed at the prompt coupled with the resulting assembled files and CSVs populated to the output directory as seen via Windows Explorer.
![]() |
| Figure 5 |
The assembled files included all the malicious binaries disguised as JPGs as downloaded from the evil server. File carving network forensic analysis juju with easy CLI scripting. Bonus!
In closing, NetworkMiner Professional 1.2 is a mature, highly useful tool and well worthy of consideration for purchase by investigators and analysts tasked with NFAT activity.
I'm glad to provide further feedback via email and recommend you reach out to Erik as well via info [at] netresec.com if you have questions.
Labels:
forensics,
NetworkMiner,
NFAT,
pcap
Wednesday, November 02, 2011
toolsmith: OWASP ZAP - Zed Attack Proxy
Prerequisites
Java Runtime Environment
ZAP runs on Linux, Mac OS X, and Windows
Happy
Thanksgiving: "As we express our
gratitude, we must never forget that the highest appreciation is not to utter
words, but to live by them." -JFK
Introduction
November 2011’s toolsmith is the 61st in the
series for the ISSA Journal, thus marking five years of extensive tools
analysis for information security practitioners. Thank you for coming along for
the ride.
Fresh on the heels of a successful presentation on OWASP
Top 10 Tools and Tactics at an even more successful ISSA International in
Baltimore I was motivated to give full coverage this month to the OWASP Zed
Attack Proxy, better known as ZAP. I had presented ZAP as a tool of choice when
assessing OWASP Top Ten A1 – Injection but, as so many of the tools discussed,
ZAP delivers plenty of additional functionality worthy of in-depth discussion.
OWASP ZAP is a fork of the once favored Paros Proxy,
which has not been updated since August 2006. As such, it should be noted with
no small irony that we covered Paros in December 2006; this is an excellent
opportunity to show you how far ZAP has come from the original project.
ZAP is the result of Simon Bennetts’ (Psiinon) hard work,
though he’s got help from co-lead Axel Neumann (@a_c_neumann) and many
contributors.
As an official OWASP project, ZAP enjoys extensive use
and development support as an “easy to use integrated penetration testing tool
for finding vulnerabilities in web applications.”
Simon offered a veritable plethora of feedback for this
article, as provided throughout the rest of the introduction. He indicated that
he originally released ZAP specifically for developers and functional testers;
a group which he believes is poorly represented in the security tools market.
Ease of use was a prime concern, as was documentation and
to his surprise it turned out that it was the security folk who took up ZAP the
quickest, providing great feedback, reporting issues and asking for lots of
enhancements. Simon still wants ZAP to be ideal for people new to web application
security but it’s also going to be enhanced with more and more advanced
features aimed at profession penetration testers.
Simon also wanted ZAP to be a community project; there
are many open source security tools that are tightly controlled by one
individual or company. While he doesn’t have a problem with that fact he does believe
that the real strength of open source comes when anyone can contribute to a
project and take it in directions its initial developers never envisaged.
Anyone and everyone is welcome to contribute to ZAP, and
not necessarily coding only; they welcome help with testing, documentation,
localization, issues identification and enhancement requests. Help spread the
word as well via articles, reviews, videos, blogs, Twitter, etc.
ZAP is also one of the few open source security tools to
be fully internationalized. It has been translated into 10 languages and download
statistics indicate that approximately half of the ZAP users worldwide are
likely to be non-native English speakers.
ZAP is intended to provide everything that you need to
perform a penetration test on a web application.
If you are new to web application security then it might
be the only security tool you need. However, if you're an experienced
penetration tester be sure to include it as one of the many tools in your
toolbox.
As a result, the development team is trying to make it as
easy as possible to integrate ZAP with other tools. They provide a way to
invoke other applications from within ZAP passing across the current context.
In version 1.3 they introduced an API which allows the core ZAP functionality
to be invoked by a REST API, and will be extended to cover even more of ZAP's
features in future releases.
This is an ideal way for other applications to directly
drive ZAP, and can be used when ZAP is running in 'headless' mode (i.e. without
the UI).
They've also put together a POC showing how ZAP can be
used by developers to include basic security tests in their continuous
integration framework and be alerted to potential security vulnerabilities
within hours of checking code.
Simon and team don’t believe in reinventing the wheel,
which is why they always seek high quality open source components to reuse
before implementing a new feature from scratch.
As such, the brute force/forced browsing support is
provided via DirBuster and
fuzzing makes use of the JBroFuzz libraries (both OWASP projects).
Amongst the more advanced features that users might not
be aware of is that ZAP keeps track of all of the anti-CSRF tokens it finds. If
fuzzing a form with an anti CSRF-token in it, ZAP can regenerate the token for
each of the payloads you fuzz with. There’s also an experimental option that
allows this to be turned on when using the active scanner as well. I can say
that quality CSRF testing is not commonplace among ZAP’s web application
testing contemporaries.
For ZAP version 1.4 the development team has decided to
focus on:
·
Improving the active and passive scanners
·
Improving stability (especially for large sites)
·
Session token analysis
In July 2011 ZAP was evaluated and designated as a
'stable' OWASP project, the highest level currently available. Further, OWASP
projects are now being restructured; ZAP has been designated as one of the
small number of 'flagship' projects.
Rightfully so; thank you Simon.
Let’s run ZAP through its paces.
ZAP Installation
and Configuration
ZAP is installation is very simple. Once unpacked on your
preferred platform, invoke ZAP from the application icon or at the command
prompt via the appropriate executable. A current Java Runtime Environment is a
requirement as all the executables (EXE, BAT, SH) invoke java –jar zap.jar org.zaproxy.xap.ZAP.
Most importantly ZAP, runs as a proxy. Configure your
preferred browser to proxy via localhost and the default port of 8080. I change
the port to 8088 to avoid conflict with other proxies and services. You can
change the port under Tools Ã
Options Ã
Local proxy if you run multiple proxies that you bounce between during
assessments. I do and as such I use the Firefox add-on FoxyProxy to quickly
dial in my proxy of choice.
You must also generate an SSL certificate in order to use
and test SSL enabled sites. You will be prompted to do when running ZAP for the
first time.
ZAP Use
In addition to the aforementioned Security Regression
Tests for developers, the OWASP ZAP project offers ZAP Web Application
Vulnerability Examples, or ZAP WAVE. Download it and drop zap-wave.war in the webapps directory
of your favorite servlet engine. On Debian/Ubuntu systems sudo apt-get install tomcat6 will get
you in business with said servlet engine quickly. In addition to a LAMP stack
on an Ubuntu 11.10 VM I run Tomcat for just such occasions. OWASP WebGoat also
runs as a standalone test bed or via a servlet engine.
Enable ZAP, with your browser configured to proxy through
it, then navigate to the system (VM or real steel) hosting ZAP WAVE, usually on
port 8080. As an example: http://192.168.140.137:8080/zapwave/.
ZAP WAVE includes “active” vulnerabilities such as
cross-site scripting and SQL injection as well as “passive” vulnerabilities
including three types of information leakage and two session vulnerabilities.
There are also pending false positives that are not yet
ready for primetime.
The developers recommend that you explore the target app
with ZAP enabled as a proxy, and touch as much of it as possible before
spidering. Doing so helps ZAP find more vulns as you may cross paths with error
messages, etc.
I typically visit the root of the application hierarchy
for a web application I wish to assess, right-click on it, select Attack, then Spider site. This crawls the entire site hierarchy and
populates the tree view under the Sites tab in ZAP’s left pane as seen in
Figure 1.
![]() |
| Figure 1: ZAP spidering |
Crawling/spidering can have unintended side-effects on an
application, even adding or deleting records in a database, so be advised.
A good crawl ensures a better active scan, but before
beginning a scan, set your Scan Policy via Analyze
à Scan Policy as seen in Figure 2. You may wish to more
narrowly scope your scan activity to just the likes of information gathering or
SQL injection as seen in Figure 2.
![]() |
| Figure 2: ZAP scan policy |
Spidering and scan policy
configuration complete, right click the root, or a specific node you wish to
assess as you can choose Attack à Active scan
site or Attack à Active scan
node.
You can also exclude a site
from the scope in a similar fashion.
A full scan of the ZAP WAVE
instance completed in very short order; results were immediate as seen in
Figure 3.
![]() |
| Figure 3: ZAP scan results |
ZAP includes the expected
Encode/Decode/Hash functionality via Edit
à Encode/Decode/Hash or Tools
à Encode/Decode/Hash along with a manual editor for generating manual requests. I’ll often
run ZAP for nothing more than encoding, decoding, and hashing; it’s a great
utility.
The Port Scan feature is also useful. It will select the in-scope host
by default; just click the Port Scan tab then the start button.
The Brute Force tab is a function of the above-mentioned DirBuster
component and includes seven dictionary lists to choose from. I ran this
against my full host VM rather just the servlet element and included the
dictionary-list-1.0 dictionary for a simple, quick test.
![]() |
| Figure 4: ZAP DirBuster at work |
One of my favorite ZAP features
(there are many) is the Fuzzer. Per the Fuzzer component guidance:
·
Select
a request in the Sites or History tab
·
Highlight
the string you wish to fuzz in the Request tab
·
Right
click in the Request tab and select 'Fuzz...'
·
Select
the Fuzz Category and one or more Fuzzers
·
Press
the Fuzz button
·
The
results listed in the Fuzzer tab - select them to see the full requests and
responses.
The fuzzer, like the scanner,
includes functionality which causes ZAP to automatically regenerate the tokens
when required
I ran Fuzzer against http://192.168.140.137:8080/zapwave/active/xss/xss-form-anti-csrf.jsp
and fuzzed the anticsrf and name variables as it is a recent
addition per the ZAP WAVE download site.
As seen in Figure 5, the
fuzzer offers a wider array fuzzers within a given category.
![]() |
| FIGURE 5: ZAP fuzzer config |
In the understanding that
fuzzing is the art of submitting a great deal of invalid or unexpected data to
a target, you can look for variations in results such as response code (200 OK)
and response times. Where normal response times per request average between 2ms
and 4ms for ZAP WAVE hosted on a local VM, one request in particular stood out at
a 402ms response time. I checked for the string passed and cracked up.
%3CIMG+SRC%3D%60javascript%3Aalert%28%22RSnake+says%23%23%23+%27XSS%27%22%29%60%3E
In Conclusion
ZAP deserves its status as an OWASP flagship project.
Whether you’re a seasoned veteran or new to the web application security game
make the Zed Attack Proxy part of your arsenal. I’d go so far as to say, as
2011 is winding down, that ZAP feels like a likely front runner for 2011
Toolsmith Tool of the Year. But that is for you to decide, dear reader. Let me
know if you agree.
Ping me via email if you have questions (russ at
holisticinfosec dot org).
Cheers…until next month.
Acknowledgements
Simon Bennetts (Psiinon) for
project feedback and details
Axel Neumann (@a_c_neumann)
for draft review
Labels:
OWASP,
OWASP Top 10,
toolsmith
Saturday, October 15, 2011
Presenting OWASP Top 10 Tools & Tactics at ISSA International
The ISSA International Conference is coming up this week in Baltimore; I'll be presenting OWASP Top 10 Tools and Tactics based on work for the InfoSecInstitute article of the same name.
If you're in Baltimore and planning to attend, stop by Friday, October 21 at 2:20pm in Room 304.
I'll be discussing and demonstrating tools such as Burp Suite, Tamper Data, ZAP, Samurai WTF, Watobo, Watcher, Nikto, and others as well as tactics for their use as part of SDL/SDLC best practices.
If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation.
Hope to see you there.
Cheers.
If you're in Baltimore and planning to attend, stop by Friday, October 21 at 2:20pm in Room 304.
I'll be discussing and demonstrating tools such as Burp Suite, Tamper Data, ZAP, Samurai WTF, Watobo, Watcher, Nikto, and others as well as tactics for their use as part of SDL/SDLC best practices.
If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation.
Hope to see you there.
Cheers.
Subscribe to:
Posts (Atom)





















