HitB2011AMS: WebShells: A Framework for Penetration TestingFrank Breedijk
Slides on the HitB Materials page.
Lots of Webshells used by pentesters to get access to the systems are detected by conventional security products like anti-virus, IPS and WAF. In stead of building a new websheel for each assignment the presenters tried to work towards a framework for webshells, that was modular and added obfuscation as a protection against AV/IPS/WAF.
But if you want to build a webshell framework you need to know what is out there. Most webservers on the internet are dominantly Apache, IIS and Weblogic. Pentesters are most in need of Webshells based on ASP, PHP and Java shells as it is heavily used for intranet applications.
The presenters gave an overview of the webshels out there for webshells for Linux, MySQL, PHP, JSP, ASP. Many of the common shells have high detection rates on the most common anti-virus platforms.
Even tough there are some webshells that are nearly complete in features and others that are not detected by Anti-Virus there isn’t one that is both.
There are a few ways to get around anti-virus encoding, obfuscation and encryption. There are common tools available to obfuscation for different languages like PHP, VBScript and Java. Obfuscation tools make reading the code harder, but are analysis is often still possible.
Using this knowledge the presenters designed a webshell platform. The platform should be language independent, resistant against third party unauthorized access and not be detected by AV/IPS/WAF.
Protection against unauthorized third party access is archived by mean of encryption based on “user provided key”, server IP address and client IP address.
So what are the must have functionalities of the framework:
- System information
- Graphical file maanger
- file upload/download
- command line cmd
- SQL manager
Elena and Joffrey show the design and some code fragments of the platform and demonstrated the proof of concept platform.
The proof of concept is already very feature rich.
About Elena Kropochkina
Elena Kropochkina begins her professional career in Devoteam Audit Security team. She was graduated by Ecole Polytechnique and Telecom ParisTech with a M.S. in Computer Science. She is specialized in IT Security and Artificial Intelligence.
About Joffrey Czarny
Joffrey Czarny, working for Devoteam Security Business Unit (FR). Since 2001, Joffrey is a pentester, he has released advisories on VoIP Cisco products and spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007/2008 and ITunderground 2008/2009). On his site, www.insomnihack.net, he maintains the Elsenot project and posts video tutorials and tools on several security aspects.