Good morning. We're going to start a little earlier since I have some cool demos for you guys. I've presented this at Black Hat, but I think I will change the style a little bit to DEF CON style. Before I start I want to have a quick survey. How many people here, for job reasons or for careless reasons, have at least once hacked one website and gained the data from the back end? Can you raise your hand? Pretty good, cool. So my name is Fan, and today I'm going to present our next generation web application vulnerability scanner, with deep injection, high performance and low false alarm. So everybody knows, right, web application security is a big problem, so we are just going to skip most of that. Databases in the back end: interestingly enough, Oracle, SQL Server, DB2 and MySQL I think took 90% of the share, more than that. So this is about a pentest tool, for the first time revealed, and it's not just a blind SQL injection tool. I will show you a bit later: fully automated, powerful, and with a bunch of pentest policies for different databases. Here's a quick glance of how this tool looks, but I will show you a Flash demo very soon. So on the left side you can see the web URL, then it has Oracle detected in the back end automatically, the SQL injection type, the tables belonging to this web user, the columns and even the contents. The right side is the fundamental report. In short, this is a cross-database-support pentest tool with a hundred thousand lines of C++ code, high performance, a very flexible, extendable pentest framework which I'll describe later, and very low false alarm, because if you already gained all the data, do you think it's still a false alarm? And it's fully automated. So we all know that the firewall alone is just not enough in this case, and there are so many things from a database that you can gain. So before I continue, I would like to present the first part of the Flash demo for you. So here we have a movie rental program, a pretty cool web application. It's not Netflix, by the way. Okay.
It just looks like it. So there is a movie, you can go to the movie called The Science Movie, but unfortunately it is also a sign of the SQL injection. So you can just paste it into the Matrix tool and then right-click Scan. Now you can see that it detected the back end is Oracle, the SQL injection type, the instance name and the user name that connects to the back end database. So you will see that most of the time it is right-click, left-click style. So now you right-click and then get a table content, sorry, get a table count: how many tables belong to this user? So that's, I will come to the slides later, Matrix has a very complex sequence to do all the pen test from the beginning to the very deep. So now we get the table count, it is 11. Now if you right-click again, the menu is different; now you can get the table names. So all the table names, you can just select a few or select everything. So here we try to gain the table names in the back end. So there are different ways to gain table names: dictionary, you can also brute force, you can also do error-based. So several ways that you can count in. So here are the vulnerabilities that are already reported in the back end, so that later on we can export to CSV or whatever. So the get-table-name phase will gain the information within only about 10 seconds. So with all that iteration we get an address table name. So this is only one way. We will show you another way, which is brute force. Think about it, how many times do you design your tables like user, username, profile, member, order, right? So this is just common sense. So now we already got the table name. Another table name is member. So now we come to the auditing panel, which you can choose.
There are many policies we have been building to audit the back end database. So since we already know the database type, for example right now we have default password checking and also password complexity checking, all the parameter configurations like dictionary accessibility and the user privileges. This is an important piece, right? And also the SQL area: what's the raw SQL in the back end? All this is done through the web interface. Now I reverse-select and then I try to gain all the hashes and the names from the back end database. Since Oracle hashes the password, right, but that's okay, Matrix has a built-in password cracker for Oracle which is extremely fast. You can see that my password is pretty good, qazwsx, but Matrix is even better, so it's cracked on the fly. The password is cracked on the fly. Also you can see that there is a default password in there as well, so we will come back to this later. So here we have the cross-site scripting functionality and also your own defined vulnerabilities. Also you can get a proxy list so that all your traffic can be distributed, so it will look like it's from all over the world. So it's pretty neat to have. And then here's the hijacking feature, and here's another cool thing. Okay, so we'll come back to the slides, come back to normal.
Okay, so what's the essential fact? It's basically, first, parameter defense is just not enough, right, with the web. Based on that, the database securities: databases are all different, different vulnerabilities, different design, but there are many things in common which I will describe later. And a database has to maintain a lot of information in the back end, and the cooler the database is, the more information it needs to gain. For example, Oracle 10g flashback is a good example: if it wants to get back to the previous data, it has to think about it from design, right, it has to maintain the SQL that was used before. So think, if you can get that SQL through the web, that's useful for you, right? Web applications use a context, another example. Finally, hardening a database is not so easy, at least it's much more difficult than just talking, right? So here's the pentest sequence that it will take. First, just like a normal scanner will do, it will detect if it is SQL injectable, but that is far less than enough, right? Then second, just as nmap will send tens of packets to detect the OS type, right, based on TTL and window size, Matrix will send tens of different requests to determine what's the database type in the back end and what's the version. And then it will get the current database properties, such as what web user has connected to the database and what's the instance name or stuff, versions. And then you can get the basic, pretty much the whole database dictionary. That's one thing, but also, like I said, there are other ways to gain. And then you can start dancing, because you can do advanced injection and advanced auditing, because you already know the context.
I will have to skip some of the slides because I have very limited time, 36 slides, but pretty much it's very detailed here. Databases in common: things, rows and the privileges for different databases, and the special spots. There's always an interesting part, extended procedures, and you can even use the tool to guess, for example just UTL_TCP, even that I can use to guess the SA password. There are a lot of things that you cannot even, maybe it's a bit beyond your imagination: weak passwords, ports, stuff. So here's the main function on the graph. So you can either configure your browser to point to the port which Matrix will listen on, so Matrix will monitor the session and the traffic automatically and then detect if the URL you are browsing is, sorry, it reminds me of more demos, so it will automatically detect the web URL if it's vulnerable, but of course you can always just directly target the web URL and then gain all the forbidden information. Then you can gain the database dictionary, blind injection, search the interesting tables, and then even do the brute force. You can also audit many things: authentication, authorization. You can also do the penetration test for specific spots like privilege escalation and all kinds of stuff. Here's a snapshot, you probably already saw it. So you have the URL, the type, database name, user name, task, get everything, field name, field count or fields. You can search for specific spots like password, user. So for auditing stuff you can check the password, check the configuration weakness and the versions. This Oracle is pretty old; the one I was using was a beta 10g. So get the user, user password and hashes and OS commands.
So here's an example: here you already got the hash, you get it cracked on the fly because based on the username and the hash you already can do a rainbow-style crack. Pentest style: if you do just browsing with the browser and using Matrix as a proxy, then you can hijack the sessions in between, so it can even hijack the SSL. I will mention that a little bit later, but it can be much easier. For example, here the other pentest is again right-click style. So here you can get all the extended procedures. You can run OS commands and do whatever you want, pretty much. So authentication: current user privileges, password check, system user views. And as I mentioned, the SYS, SYSTEM and DBSNMP passwords can be pre-generated, right, because you already know the username, so based on the dictionary you can generate the hash already. And for all 10g there's a pretty huge leak, which is that the DBSNMP password can be got through a simple query. The reason is that it's not hashed, it's encrypted, and more importantly, for 10g the default installation will put SYS, SYSTEM and DBSNMP sharing the same password. So once you know the DBSNMP password, you will know SYS and SYSTEM. Think about it. Database configuration, any parameters, many parameters auditing, and for different databases, for different contexts, the policies configurations. So an important feature about Matrix is that it's extremely extendable, so that if there's a vulnerability released, for example, there's no need to change the code, or 99% of the time no need to change the code, just add a conversion file and then it will automatically add to your pentest policies. So raw SQL auditing, an important thing: from the web interface you may be very, very interested in what SQL is running in the back end.
Right, so gaining the SQL gives you much more ability to gain things. Okay, I always like to use Taiji to describe the two modes of Matrix. One is the yin mode, basically passive, right, very silent and quiet, but it detects everything for you because it's acting as a proxy mode, because you are just browsing, right, and then suddenly there's a report in the back end. And the yang mode, basically you already saw it from the Flash demo, it's directly targeting the web and hard multithreading. Proxy mode: as long as you browse, point to it, it will do everything. But here's a very cool SSL man in the middle. At least off the top of my head I don't know if there's any tool that does that; does anybody know? To do the hijacking for HTTPS, the reason is that it's supposed to secure the channel, right? But here Matrix did a special thing, which is that it's a special Matrix in the middle. So then it will assemble the HTTP traffic: it will listen on a local port, 127, and assemble the HTTP traffic into the HTTPS representation and send it remotely, and then get it and disassemble it. That way it can audit all the sessions, all the parameters in between, so you can hijack it. Yin mode, here's a yin mode example: automatically detect, okay, numeric SQL injection type. Yang mode:
I already described GET, POST, and also you can use a proxy to target the stuff. Advanced features like privilege escalation, for example 9i DBMS_METADATA, pretty much you can make use of some SQL injection in the procedures to gain more privileges; 10g DBMS_ADVISOR, and even more SQL stuff. If it's installed then it will give you much more power to do the special pen test, and there are many things such as HTML DB, XML DB and the report servers. These are specific things, but it's also very interesting. So keep adding the policies, like I said, to gain more and more. It's very important because you always want to keep the pace; you don't want to have something from last year or two years ago, that's not so useful, right? That's needed but not so useful. There's also, you can audit some network-related or some evil procedures using the out-of-band SQL injection pen test. The capability plug-in I already mentioned, but again this is one of the keys: you can add the policies on the fly. So similar tools, I don't know if they are so similar, but I'll put them here. Evasion techniques, so these are the interesting part, right? Most IDSes will detect, okay, one equals one, or some of the patterns, but it's an iteration. Last year at Black Hat I presented the defense techniques about SQL injection. So it's quite hard, it's quite hard. I mean, think about it, there are so many variations. I want to get there.
There's also some interesting evasion, for example you can use some hex function equals to something, right, it looks totally different, so that way to catch that pattern is really difficult. You can also lower your threads, so it will look, and also distribute by proxies, so that it will look more normal. Defense techniques: before the installation and configuration it's usually lame; dictionary protection, least privileges, always bear in mind for applications, especially for different applications, and do regular pen testing and continuous monitoring. So before I come to the next demo I would like to thank everyone for listening, and I have to mention my partner Xiaorong. He did a really fantastic job, he's really cool, but sorry, he couldn't come join me. And special thanks to Alexander for great comments. And one of the big reasons I'm here is that I want to get your feedback, I want to get your comments, so as to make it better and better. If you have any suggestions or comments, then send them to info@dbappsecurity.com. So we will come to the next demo. We have two minutes, I think. Oh, I have ten? Oh, cool. Sure, thanks. Fine, I should not make it so hard if I know I have ten. So here's another web application, JSP, selling books, right, security books it looks like. So, you know, right-click. This time it is MS SQL, numeric SQL injection, and the database name is, the web user name is SA, okay. The vulnerability level is of course higher. So again here you already have 23 tables in the back end, not bad. So you can get the table names, and get a few. Here, the advanced one, you can basically search the table names. Sometimes if it has like 200 tables, you just want to search some of the specific points, so it's getting easier. Now you have quite a few tables, and the customer info looks interesting, right, customer info.
That's always the, I mean from my point of view, but I'm sure you're the same. So now you get a field count, then you can get all the fields, again it's right-click style. Cumulatively, at the end there is always command execution. That's probably one of the few places that you need to use the keyboard to type, because you need to run OS commands as you wish. So now you have a few interesting fields: name, password, customer ID, login name. So we can just gain a few, just for demo purposes. So again I have to emphasize, all this is through the web application interface; there's no need for any more information about it. So here comes another fun part: it will get all the content from the tables. Welcome to the Matrix. The speed is quite fast, this is in real speed because the engine is optimized. Right, so now we can come to another fun part, which is the pen testing. So now you have all the context, right: what database it is in the back end, what's the web user connected, what's the vulnerabilities of the web application. Now you can look at, like, what's the DS name? Okay, I don't know why they have my name in there. So you can also, another thing is that you can also look at how many evil procedures are available. So that's another thing, because you first want to see how many things you can do in hand, right, then you can do more things. So you can see that from the beginning to the end it's always step-by-step, but helping each other to get deeper and deeper for all the injection. So okay, we have read error log, get protocol stuff, okay, you can always get more things because it will give you a number of things that you can choose from. Okay, so in new error logs, that's not bad, right? Now you have OS command: type, see boot.ini file. So it will run the OS command for you and then tell you everything. So I will let the demo go on, and thank you very much for listening, and I'm taking questions. Thank you. Thank you, Mike. Yes, sir.
Yes? Say again? Sorry. Yeah. Yeah, good question. There's a project save, so no matter where you are, if you save a project, next time if you restart it will already be in the state there. Good question. Yeah, so for middleware, basically right now the current version will try to inject as much as possible, so it will depend on how the middleware processes the parameters, etc. And also we are planning to add in more, like specific middleware, basically in the policies for it. Yeah, any other questions? Yes, sir. Specifically I did not, but my friend did once. Yeah, thank you. No, I'm not kidding, because we already have, okay, yeah, trust me. Okay, because we already have the beta tester, which is a very big company, so they can test their own applications through the pen test. So I'm so busy with this, so I won't have time to hack stuff. Yeah. So, yes sir. Yeah, we'll have a beta test plan, like slowly going. Yeah, so you can send emails to the question. Yeah. Yes, oh, you mean for the SSL hijacking? Okay, so basically what it does is, actually I have an SSL Flash later on I can show you, but basically what it does is, because these two are in your machine, right, so in 127, so it's your trusted man, so it's like a trusted man in the middle. So then you go through HTTP, for example browsing the local, just like your local port that Matrix is listening on. So for example, if you want the HTTPS www.abc.com, then something, then the machine needs to know that this traffic in this port is talking to that HTTPS, then it will assemble all your, you are, from your point of view, from the browser, still looking at the remote website, right, browsing, but actually in the middle it will assemble all the HTTPS traffic for you and then monitor the sessions, if it has the vulnerabilities or the parameter vulnerabilities inside. So that's basically how it works, but I can show you the Flash later on. Yeah. Yeah, it's traceable.
So if you turn on the Hijack option, then it will stop there and then you can change something in the parameter and then click send; it will send it. So any questions, more questions? All right. Thank you very much for listening, and yeah, send me email if you have any comments.