SlideShare uma empresa Scribd logo

Mp26 : Tachyon, sloppiness is bliss

Montreal Python
Montreal Python
TecnologiaDesign
1 de 32
Baixar para ler offline
Tachyon Sloppiness is bliss
● This talk implements udrink ● When I do a mistake and you call it, iDrink. ● At the end of the talk if you ask a good question, uDrink. ● The drink of the day is....
Seriously, who is this guy? ● Security Hobbyist for more than 10 years ● CTF Monkey with the CISSP Groupies ● Hackus 2012 Python Track sadist-in-chief ● Homebrewer ● Amateur Photographer ● Retard
What is Tachyon ● Offensive tool for penetration testers ● Weapon against sysadmin sloppiness ● Intelligent Web discovery tool ○ _hidden_ files and folders ○ Backups ○ Temporary copies ○ Test and Dev artifacts ○ Dumps and more!
What it is not (use a british accent) ● Vulnerability scanner ● All-purpose framework ● Reporting tool ● Web Crawler ● Dumb bruteforcer
Nothing else does it correctly
Why not <insert tool name> ? ● Dirbuster ○ Grotesque bruteforcer (/Queer, /richard_macmanus) ○ Unmaintained (2009) ○ No plugin architecture ○ Dumb ● Skipfish ○ False positive factory ○ In C! c'mon man we're in 2011! ○ No plugin architecture
Why not <insert tool name> ? ● Nessus, Vega, etc... ○ Vulnerabilities scanners ○ Fancy and heavy UI ○ Reporting tools ○ Not made for this task ● Nikto ○ Slower than water at 0K ○ Vulnerability scanner ○ Database clusterfuck
Features ● Tor support ● Plugin engine ● Fast multi-threading ● HTTPS ● DNS caching ● Automatic variable rate limiter ● Recursive scanning (credits: EiNSTeiN@CISSP Groupies) ● Cutting edge 2.0 command line interface
Path database ● Cheap (The root of evil) ● Each scan start with a path lookup ● Python dict (Plugins++)
File database ● Costs a lot more ● Provides more control ○ "No suffix" : Ignore all extension matching ○ "match-string" : String must match to be a valid hit
Extensions database ● Cost more than a PONY! ● _Hardcoded_ (Python, yeah right...)
Plugins ● Access to almost everything in Tachyon ○ Data structures ○ Classes ○ Python does _not_ support protection :) ● Dedicated execution levels: ○ Before path test ○ Before file-path combination ○ Link validation level (still in dev) ● No documentation for now, but some examples
Semi automatic scanning ● Most efficient ● You need to know what you are doing ● Usefull for manually discovered paths ● Two modes ○ Search only for subpath in specified path ○ Search only for files in specified path
Automatic scanning ● Lazy _lulzsec_ mode ● Longer (a lot in some cases) ● More false positives ● Better to find irregularities (/img/pass.txt)
Recursive scanning ● Powerful but hard to control ● Lot of assumptions on recursive directory existence ● Easier to use in semi-automatic mode ● Depth limitable
Tor support ● Trough Privoxy in http proxy mode ● A lot slower ● More prone to timeouts ● Useful for WAF evasion ○ Tor has pseudo-random latency
A false positive story ● Incoherent Error codes ● Redirections ● Batshit insane webserver ● Variable 404 output
False positive detection ● Benchmark target ○ CRC32 evaluation ○ Generate 404's with uuid ○ Probe common file handling ■ .html, .php, .asp, .txt, no-ext ○ Store each 404 CRC in lookup table
False positive detection ● Redirect evaluation ○ Using Ratcliff-Obershelp (not levenshtein!!!) ○ pony.com -> www.pony.com == Valid ○ pony.com/pony.txt -> www.pony.com/pony.txt == Valid ○ pony.com/test -> pony.com/error/404 -> 200 -> invalid!
False positive detection pitfall ● CRC32 Testing of first 200 bytes ○ False positive if there's a timestamp in those bytes ○ False positive if there's anything variable in those bytes ● Ratcliff-Obershelp ○ Too much granularity in some cases ■ what is the best differential ratio? 0.6 VS 0.65?
Plugins - Robots.txt parser ● Leverage your little "Secrets" ● Dissalow path : new target path ● Dissalow file: new target file
Plugins - Path Generator ● Used to generate trivial paths and files ● Reduce database pollution ○ /0-9 ○ /a-z
Plugins - Host Processor ● Try to generate pobable filenames with hostname ● adomain.com -> domain, adomain, adomain. sql etc...
Plugins - /.svn/entries parser ● Parse xml svn entries ● Old non-xml format will be supported ● Generate paths
Limitations ● Recursive scanning ○ Predictability ○ <Forbidden 1>/<Forbidden 2>/ == 403. Does not guarantee "2" exists (nginx) ● Various edge cases ● Tor support trough privoxy only
Todo ● Faster (urllib3: keep-alive pooling) ● Cute and/or parseable output ● Plugin system ○ Callbacks ○ Documentation ● Pattern eclusion ● HTML Crawler (buy me _some_ good beer then maybe)
Demo!
You want to contribute? ● Google "github tachyon" ● Contact me first!!! (initnull@gmail.com) ● You need a github account ○ no i won't handle your un-mergeable .patch ○ I work on Linux AND Windows ○ I don't care ● Priorities: ○ Documentation ○ Clever plugins ● Also looking for website directory listing
The end!

Recomendados

ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementWei-Ning Huang
 
Druid beginner performance tips
Druid beginner performance tipsDruid beginner performance tips
Druid beginner performance tipsvishnu rao
 
Pandoc: the deep dive (PDXFunc presentation)
Pandoc: the deep dive (PDXFunc presentation)Pandoc: the deep dive (PDXFunc presentation)
Pandoc: the deep dive (PDXFunc presentation)Luc Perkins
 
In a Nutshell: Rancher
In a Nutshell: RancherIn a Nutshell: Rancher
In a Nutshell: RancherJeffrey Sica
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Encryption oracle
Encryption oracleEncryption oracle
Encryption oraclemanong007
 
Golang getting started
Golang getting startedGolang getting started
Golang getting startedHarshad Patil
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
 

Recomendados

ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementWei-Ning Huang
 
Druid beginner performance tips
Druid beginner performance tipsDruid beginner performance tips
Druid beginner performance tipsvishnu rao
 
Pandoc: the deep dive (PDXFunc presentation)
Pandoc: the deep dive (PDXFunc presentation)Pandoc: the deep dive (PDXFunc presentation)
Pandoc: the deep dive (PDXFunc presentation)Luc Perkins
 
In a Nutshell: Rancher
In a Nutshell: RancherIn a Nutshell: Rancher
In a Nutshell: RancherJeffrey Sica
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Encryption oracle
Encryption oracleEncryption oracle
Encryption oraclemanong007
 
Golang getting started
Golang getting startedGolang getting started
Golang getting startedHarshad Patil
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
 
A tale of two(many) proxies
A tale of two(many) proxiesA tale of two(many) proxies
A tale of two(many) proxiesMohan Dutt
 
Using Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileUsing Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileRainer Gerhards
 
Harry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of BerkeleyHarry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of BerkeleyAlex Chistyakov
 
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...Yiran Wang
 
Ruxmon.2015-08.-.proxenet
Ruxmon.2015-08.-.proxenetRuxmon.2015-08.-.proxenet
Ruxmon.2015-08.-.proxenetChristophe Alladoum
 
My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016Alex Chistyakov
 
Stashaway 1
Stashaway 1Stashaway 1
Stashaway 1priestc
 
Workshop@naha val3
Workshop@naha val3Workshop@naha val3
Workshop@naha val3Shusaku Fukumine
 
Tips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development EfficiencyTips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development EfficiencyOlivier Bourgeois
 
Handout: 'Open Source Tools & Resources'
Handout: 'Open Source Tools & Resources'Handout: 'Open Source Tools & Resources'
Handout: 'Open Source Tools & Resources'BDPA Education and Technology Foundation
 
Barcamp presentation
Barcamp presentationBarcamp presentation
Barcamp presentationVachagan Balayan
 
Active Data Stores at 30,000ft
Active Data Stores at 30,000ftActive Data Stores at 30,000ft
Active Data Stores at 30,000ftJeffrey Sica
 
Node.js
Node.jsNode.js
Node.jsNolifelover Earn
 
Restinio (actual aug 2018)
Restinio (actual aug 2018)Restinio (actual aug 2018)
Restinio (actual aug 2018)Nicolai Grodzitski
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdScott Tsai
 
Introduction to Sublime text 2
Introduction to Sublime text 2Introduction to Sublime text 2
Introduction to Sublime text 2Mahmoud Alqam
 
Pycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from JavaPycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from Javajbellis
 
Writing External Rsyslog Plugins
Writing External Rsyslog PluginsWriting External Rsyslog Plugins
Writing External Rsyslog PluginsRainer Gerhards
 
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]Accumulo Summit
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Mp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook gameMp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook gameMontreal Python
 
Mp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with PythonMp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with PythonMontreal Python
 

Mais conteúdo relacionado

Mais procurados

A tale of two(many) proxies
A tale of two(many) proxiesA tale of two(many) proxies
A tale of two(many) proxiesMohan Dutt
 
Using Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileUsing Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileRainer Gerhards
 
Harry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of BerkeleyHarry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of BerkeleyAlex Chistyakov
 
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...Yiran Wang
 
My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016Alex Chistyakov
 
Stashaway 1
Stashaway 1Stashaway 1
Stashaway 1priestc
 
Tips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development EfficiencyTips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development EfficiencyOlivier Bourgeois
 
Active Data Stores at 30,000ft
Active Data Stores at 30,000ftActive Data Stores at 30,000ft
Active Data Stores at 30,000ftJeffrey Sica
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdScott Tsai
 
Introduction to Sublime text 2
Introduction to Sublime text 2Introduction to Sublime text 2
Introduction to Sublime text 2Mahmoud Alqam
 
Pycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from JavaPycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from Javajbellis
 
Writing External Rsyslog Plugins
Writing External Rsyslog PluginsWriting External Rsyslog Plugins
Writing External Rsyslog PluginsRainer Gerhards
 
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]Accumulo Summit
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 

Mais procurados (20)

A tale of two(many) proxies
A tale of two(many) proxiesA tale of two(many) proxies
A tale of two(many) proxies
 
Using Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfileUsing Wildcards with rsyslog's File Monitor imfile
Using Wildcards with rsyslog's File Monitor imfile
 
Harry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of BerkeleyHarry Potter and the Daemons of Berkeley
Harry Potter and the Daemons of Berkeley
 
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
KubeCon EU 2019 - P2P Docker Image Distribution in Hybrid Cloud Environment w...
 
Ruxmon.2015-08.-.proxenet
Ruxmon.2015-08.-.proxenetRuxmon.2015-08.-.proxenet
Ruxmon.2015-08.-.proxenet
 
My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016
 
Stashaway 1
Stashaway 1Stashaway 1
Stashaway 1
 
Workshop@naha val3
Workshop@naha val3Workshop@naha val3
Workshop@naha val3
 
Tips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development EfficiencyTips and Tricks for Increased Development Efficiency
Tips and Tricks for Increased Development Efficiency
 
Handout: 'Open Source Tools & Resources'
Handout: 'Open Source Tools & Resources'Handout: 'Open Source Tools & Resources'
Handout: 'Open Source Tools & Resources'
 
Barcamp presentation
Barcamp presentationBarcamp presentation
Barcamp presentation
 
Active Data Stores at 30,000ft
Active Data Stores at 30,000ftActive Data Stores at 30,000ft
Active Data Stores at 30,000ft
 
Node.js
Node.jsNode.js
Node.js
 
Restinio (actual aug 2018)
Restinio (actual aug 2018)Restinio (actual aug 2018)
Restinio (actual aug 2018)
 
Bsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsdBsdtw17: george neville neil: realities of dtrace on free-bsd
Bsdtw17: george neville neil: realities of dtrace on free-bsd
 
Introduction to Sublime text 2
Introduction to Sublime text 2Introduction to Sublime text 2
Introduction to Sublime text 2
 
Pycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from JavaPycon 2012 What Python can learn from Java
Pycon 2012 What Python can learn from Java
 
Writing External Rsyslog Plugins
Writing External Rsyslog PluginsWriting External Rsyslog Plugins
Writing External Rsyslog Plugins
 
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
Accumulo Summit 2015: Accumulo In-Depth: Building Bulk Ingest [Sponsored]
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 

Destaque

Mp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook gameMp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook gameMontreal Python
 
Mp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with PythonMp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with PythonMontreal Python
 
Mp24: Fabulous Mobile Development with and without Python
Mp24: Fabulous Mobile Development with and without PythonMp24: Fabulous Mobile Development with and without Python
Mp24: Fabulous Mobile Development with and without PythonMontreal Python
 
Mp25 Message Switching for Actor Based Designs
Mp25 Message Switching for Actor Based DesignsMp25 Message Switching for Actor Based Designs
Mp25 Message Switching for Actor Based DesignsMontreal Python
 
Mp26 : Connecting Startups with Talents
Mp26 : Connecting Startups with TalentsMp26 : Connecting Startups with Talents
Mp26 : Connecting Startups with TalentsMontreal Python
 
Mp25: Audio Fingerprinting and metadata correction with Python
Mp25: Audio Fingerprinting and metadata correction with PythonMp25: Audio Fingerprinting and metadata correction with Python
Mp25: Audio Fingerprinting and metadata correction with PythonMontreal Python
 
Mp26 : How do you Solve a Problem like Santa Claus?
Mp26 : How do you Solve a Problem like Santa Claus?Mp26 : How do you Solve a Problem like Santa Claus?
Mp26 : How do you Solve a Problem like Santa Claus?Montreal Python
 

Destaque (7)

Mp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook gameMp24: The Bachelor, a facebook game
Mp24: The Bachelor, a facebook game
 
Mp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with PythonMp25: Optical Music Recognition with Python
Mp25: Optical Music Recognition with Python
 
Mp24: Fabulous Mobile Development with and without Python
Mp24: Fabulous Mobile Development with and without PythonMp24: Fabulous Mobile Development with and without Python
Mp24: Fabulous Mobile Development with and without Python
 
Mp25 Message Switching for Actor Based Designs
Mp25 Message Switching for Actor Based DesignsMp25 Message Switching for Actor Based Designs
Mp25 Message Switching for Actor Based Designs
 
Mp26 : Connecting Startups with Talents
Mp26 : Connecting Startups with TalentsMp26 : Connecting Startups with Talents
Mp26 : Connecting Startups with Talents
 
Mp25: Audio Fingerprinting and metadata correction with Python
Mp25: Audio Fingerprinting and metadata correction with PythonMp25: Audio Fingerprinting and metadata correction with Python
Mp25: Audio Fingerprinting and metadata correction with Python
 
Mp26 : How do you Solve a Problem like Santa Claus?
Mp26 : How do you Solve a Problem like Santa Claus?Mp26 : How do you Solve a Problem like Santa Claus?
Mp26 : How do you Solve a Problem like Santa Claus?
 

Semelhante a Mp26 : Tachyon, sloppiness is bliss

Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSVlatko Kosturjak
 
Log Management: AtlSecCon2015
Log Management: AtlSecCon2015Log Management: AtlSecCon2015
Log Management: AtlSecCon2015cameronevans
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.Leszek Mi?
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Journey through high performance django application
Journey through high performance django applicationJourney through high performance django application
Journey through high performance django applicationbangaloredjangousergroup
 
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | EnglishAWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | EnglishOmid Vahdaty
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)David Timothy Strauss
 
PGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC 2018 - High performance json postgre-sql vs. mongodbPGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC 2018 - High performance json postgre-sql vs. mongodbPGConf APAC
 
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp
 
Screaming Fast Wpmu
Screaming Fast WpmuScreaming Fast Wpmu
Screaming Fast Wpmudjcp
 
AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned Omid Vahdaty
 
Scaling Up with PHP and AWS
Scaling Up with PHP and AWSScaling Up with PHP and AWS
Scaling Up with PHP and AWSHeath Dutton ☕
 
Scalable, good, cheap
Scalable, good, cheapScalable, good, cheap
Scalable, good, cheapMarc Cluet
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Stripe CTF3 wrap-up
Stripe CTF3 wrap-upStripe CTF3 wrap-up
Stripe CTF3 wrap-upStripe
 
Programming for Performance
Programming for PerformanceProgramming for Performance
Programming for PerformanceCris Holdorph
 
The Professional Programmer
The Professional ProgrammerThe Professional Programmer
The Professional ProgrammerDave Cross
 

Semelhante a Mp26 : Tachyon, sloppiness is bliss (20)

Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Wonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCSWonderful world of (distributed) SCM or VCS
Wonderful world of (distributed) SCM or VCS
 
Log Management: AtlSecCon2015
Log Management: AtlSecCon2015Log Management: AtlSecCon2015
Log Management: AtlSecCon2015
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Journey through high performance django application
Journey through high performance django applicationJourney through high performance django application
Journey through high performance django application
 
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | EnglishAWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
 
Pentester++
Pentester++Pentester++
Pentester++
 
PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)
 
PGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC 2018 - High performance json postgre-sql vs. mongodbPGConf APAC 2018 - High performance json postgre-sql vs. mongodb
PGConf APAC 2018 - High performance json postgre-sql vs. mongodb
 
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
WebCamp 2016: Python. Вячеслав Каковский: Real-time мессенджер на Python. Осо...
 
Screaming Fast Wpmu
Screaming Fast WpmuScreaming Fast Wpmu
Screaming Fast Wpmu
 
AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned
 
Scaling Up with PHP and AWS
Scaling Up with PHP and AWSScaling Up with PHP and AWS
Scaling Up with PHP and AWS
 
Scalable, good, cheap
Scalable, good, cheapScalable, good, cheap
Scalable, good, cheap
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Stripe CTF3 wrap-up
Stripe CTF3 wrap-upStripe CTF3 wrap-up
Stripe CTF3 wrap-up
 
Programming for Performance
Programming for PerformanceProgramming for Performance
Programming for Performance
 
The Professional Programmer
The Professional ProgrammerThe Professional Programmer
The Professional Programmer
 
Kraken mesoscon 2018
Kraken mesoscon 2018Kraken mesoscon 2018
Kraken mesoscon 2018
 

Último

Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Último (20)

Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Mp26 : Tachyon, sloppiness is bliss

  • 2. ● This talk implements udrink ● When I do a mistake and you call it, iDrink. ● At the end of the talk if you ask a good question, uDrink. ● The drink of the day is....
  • 3. Seriously, who is this guy? ● Security Hobbyist for more than 10 years ● CTF Monkey with the CISSP Groupies ● Hackus 2012 Python Track sadist-in-chief ● Homebrewer ● Amateur Photographer ● Retard
  • 4. What is Tachyon ● Offensive tool for penetration testers ● Weapon against sysadmin sloppiness ● Intelligent Web discovery tool ○ _hidden_ files and folders ○ Backups ○ Temporary copies ○ Test and Dev artifacts ○ Dumps and more!
  • 5. What it is not (use a british accent) ● Vulnerability scanner ● All-purpose framework ● Reporting tool ● Web Crawler ● Dumb bruteforcer
  • 6. Nothing else does it correctly
  • 7. Why not <insert tool name> ? ● Dirbuster ○ Grotesque bruteforcer (/Queer, /richard_macmanus) ○ Unmaintained (2009) ○ No plugin architecture ○ Dumb ● Skipfish ○ False positive factory ○ In C! c'mon man we're in 2011! ○ No plugin architecture
  • 8. Why not <insert tool name> ? ● Nessus, Vega, etc... ○ Vulnerabilities scanners ○ Fancy and heavy UI ○ Reporting tools ○ Not made for this task ● Nikto ○ Slower than water at 0K ○ Vulnerability scanner ○ Database clusterfuck
  • 9. Features ● Tor support ● Plugin engine ● Fast multi-threading ● HTTPS ● DNS caching ● Automatic variable rate limiter ● Recursive scanning (credits: EiNSTeiN@CISSP Groupies) ● Cutting edge 2.0 command line interface
  • 10.
  • 11. Path database ● Cheap (The root of evil) ● Each scan start with a path lookup ● Python dict (Plugins++)
  • 12. File database ● Costs a lot more ● Provides more control ○ "No suffix" : Ignore all extension matching ○ "match-string" : String must match to be a valid hit
  • 13. Extensions database ● Cost more than a PONY! ● _Hardcoded_ (Python, yeah right...)
  • 14. Plugins ● Access to almost everything in Tachyon ○ Data structures ○ Classes ○ Python does _not_ support protection :) ● Dedicated execution levels: ○ Before path test ○ Before file-path combination ○ Link validation level (still in dev) ● No documentation for now, but some examples
  • 15.
  • 16. Semi automatic scanning ● Most efficient ● You need to know what you are doing ● Usefull for manually discovered paths ● Two modes ○ Search only for subpath in specified path ○ Search only for files in specified path
  • 17. Automatic scanning ● Lazy _lulzsec_ mode ● Longer (a lot in some cases) ● More false positives ● Better to find irregularities (/img/pass.txt)
  • 18. Recursive scanning ● Powerful but hard to control ● Lot of assumptions on recursive directory existence ● Easier to use in semi-automatic mode ● Depth limitable
  • 19. Tor support ● Trough Privoxy in http proxy mode ● A lot slower ● More prone to timeouts ● Useful for WAF evasion ○ Tor has pseudo-random latency
  • 20. A false positive story ● Incoherent Error codes ● Redirections ● Batshit insane webserver ● Variable 404 output
  • 21. False positive detection ● Benchmark target ○ CRC32 evaluation ○ Generate 404's with uuid ○ Probe common file handling ■ .html, .php, .asp, .txt, no-ext ○ Store each 404 CRC in lookup table
  • 22. False positive detection ● Redirect evaluation ○ Using Ratcliff-Obershelp (not levenshtein!!!) ○ pony.com -> www.pony.com == Valid ○ pony.com/pony.txt -> www.pony.com/pony.txt == Valid ○ pony.com/test -> pony.com/error/404 -> 200 -> invalid!
  • 23. False positive detection pitfall ● CRC32 Testing of first 200 bytes ○ False positive if there's a timestamp in those bytes ○ False positive if there's anything variable in those bytes ● Ratcliff-Obershelp ○ Too much granularity in some cases ■ what is the best differential ratio? 0.6 VS 0.65?
  • 24. Plugins - Robots.txt parser ● Leverage your little "Secrets" ● Dissalow path : new target path ● Dissalow file: new target file
  • 25. Plugins - Path Generator ● Used to generate trivial paths and files ● Reduce database pollution ○ /0-9 ○ /a-z
  • 26. Plugins - Host Processor ● Try to generate pobable filenames with hostname ● adomain.com -> domain, adomain, adomain. sql etc...
  • 27. Plugins - /.svn/entries parser ● Parse xml svn entries ● Old non-xml format will be supported ● Generate paths
  • 28. Limitations ● Recursive scanning ○ Predictability ○ <Forbidden 1>/<Forbidden 2>/ == 403. Does not guarantee "2" exists (nginx) ● Various edge cases ● Tor support trough privoxy only
  • 29. Todo ● Faster (urllib3: keep-alive pooling) ● Cute and/or parseable output ● Plugin system ○ Callbacks ○ Documentation ● Pattern eclusion ● HTML Crawler (buy me _some_ good beer then maybe)
  • 30. Demo!
  • 31. You want to contribute? ● Google "github tachyon" ● Contact me first!!! (initnull@gmail.com) ● You need a github account ○ no i won't handle your un-mergeable .patch ○ I work on Linux AND Windows ○ I don't care ● Priorities: ○ Documentation ○ Clever plugins ● Also looking for website directory listing