Tachyon
Sloppiness is bliss
● This talk implements udrink
● When I make a mistake and you call it, iDrink.
● At the end of the talk if you ask a good
  question, uDrink.
● The drink of the day is....
Seriously, who is this guy?
●   Security Hobbyist for more than 10 years
●   CTF Monkey with the CISSP Groupies
●   Hackus 2012 Python Track sadist-in-chief
●   Homebrewer
●   Amateur Photographer
●   Retard
What is Tachyon
● Offensive tool for penetration testers
● Weapon against sysadmin sloppiness
● Intelligent Web discovery tool
  ○   _hidden_ files and folders
  ○   Backups
  ○   Temporary copies
  ○   Test and Dev artifacts
  ○   Dumps and more!
What it is not (use a british accent)
●   Vulnerability scanner
●   All-purpose framework
●   Reporting tool
●   Web Crawler
●   Dumb bruteforcer
Nothing else does it correctly
Why not <insert tool name> ?
● Dirbuster
  ○   Grotesque bruteforcer (/Queer, /richard_macmanus)
  ○   Unmaintained (2009)
  ○   No plugin architecture
  ○   Dumb

● Skipfish
  ○ False positive factory
  ○ In C! c'mon man we're in 2011!
  ○ No plugin architecture
Why not <insert tool name> ?
● Nessus, Vega, etc...
  ○   Vulnerabilities scanners
  ○   Fancy and heavy UI
  ○   Reporting tools
  ○   Not made for this task


● Nikto
  ○ Slower than water at 0K
  ○ Vulnerability scanner
  ○ Database clusterfuck
Features
●   Tor support
●   Plugin engine
●   Fast multi-threading
●   HTTPS
●   DNS caching
●   Automatic variable rate limiter
●   Recursive scanning (credits: EiNSTeiN@CISSP Groupies)


●   Cutting edge 2.0 command line interface
Path database
● Cheap (The root of evil)
● Each scan starts with a path lookup
● Python dict (Plugins++)
File database
● Costs a lot more
● Provides more control
  ○ "No suffix" : request the name as-is, skip all extension matching
  ○ "match-string" : the response body must contain this string to count as a valid hit
Extensions database
● Cost more than a PONY!
● _Hardcoded_ (Python, yeah right...)
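The three databases above, combined the way the slides describe, as an added worked example (not Tachyon's own code): the dict layout, the sample entries and the reading of "No suffix" (request the name as-is, never append an extension) and "match-string" (the body must contain the string for a 200 to count) are assumptions made here.

```python
"""Path x file x extension candidate generation.
Added example: the dict layout, the sample entries and the meaning given to
"no suffix" and "match-string" are assumptions, not Tachyon's own code."""
from itertools import product

# Path database: cheap, and where every scan starts.
PATHS = ["/", "/admin/", "/backup/", "/img/"]

# File database: costlier, since every file is tried under every path.
# no_suffix    -> request the name as-is, never append an extension
# match_string -> body must contain this text for a 200 to count as a hit
FILES = [
    {"name": "robots.txt", "no_suffix": True, "match_string": None},
    {"name": "pass", "no_suffix": False, "match_string": None},
    {"name": "dump", "no_suffix": False, "match_string": "CREATE TABLE"},
    {"name": ".htpasswd", "no_suffix": True, "match_string": ":"},
]

# Extension database: the last multiplier, and the most expensive one.
EXTENSIONS = ["", ".txt", ".bak", ".sql", ".old"]


def file_candidates(entry, extensions=EXTENSIONS):
    """Filenames to try for one file entry."""
    if entry["no_suffix"]:
        return [entry["name"]]
    return [entry["name"] + ext for ext in extensions]


def generate(base, paths=PATHS, files=FILES, extensions=EXTENSIONS):
    """Yield (url, match_string) for every path x file x extension combination.
    Passing a single path is the semi-automatic 'files in this path only' mode."""
    base = base.rstrip("/")
    for path, entry in product(paths, files):
        for name in file_candidates(entry, extensions):
            yield base + path + name, entry["match_string"]


def request_count(paths=PATHS, files=FILES, extensions=EXTENSIONS):
    """How many requests one full automatic pass costs."""
    per_path = sum(len(file_candidates(f, extensions)) for f in files)
    return per_path * len(paths)


def is_hit(status, body, match_string):
    """A 200 is only a hit when the entry's match_string (if any) is in the body."""
    return status == 200 and (match_string is None or match_string in body)
```

request_count() shows the multiplier at work: four paths x (1 + 5 + 5 + 1) filenames = 48 requests for a tiny database, which is why the extensions database "costs more than a pony". Passing paths=["/img/"] is the semi-automatic "files in this path only" mode, and /img/pass.txt is among the candidates of a full automatic pass.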
Plugins
● Access to almost everything in Tachyon
  ○ Data structures
  ○ Classes
  ○ Python does _not_ enforce access protection :)
● Dedicated execution levels:
  ○ Before path test
  ○ Before file-path combination
  ○ Link validation level (still in dev)
● No documentation for now, but some
  examples
Semi automatic scanning
●   Most efficient
●   You need to know what you are doing
●   Useful for manually discovered paths
●   Two modes
    ○ Search only for subpaths in the specified path
    ○ Search only for files in the specified path
Automatic scanning
●   Lazy _lulzsec_ mode
●   Longer (a lot in some cases)
●   More false positives
●   Better to find irregularities (/img/pass.txt)
Recursive scanning
● Powerful but hard to control
● Lots of assumptions about nested directories
  actually existing
● Easier to use in semi-automatic mode
● Depth limitable
Tor support
●   Through Privoxy in HTTP proxy mode
●   A lot slower
●   More prone to timeouts
●   Useful for WAF evasion
    ○ Tor has pseudo-random latency
A false positive story
●   Incoherent Error codes
●   Redirections
●   Batshit insane webserver
●   Variable 404 output
False positive detection
● Benchmark target
  ○ CRC32 evaluation
  ○ Generate 404s by requesting random UUID paths
  ○ Probe common file handling
    ■ .html, .php, .asp, .txt, no-ext
  ○ Store each 404 CRC in lookup table
False positive detection
● Redirect evaluation
  ○ Using Ratcliff-Obershelp (not Levenshtein!!!)
  ○ pony.com -> www.pony.com == Valid
  ○ pony.com/pony.txt -> www.pony.com/pony.txt ==
    Valid
  ○ pony.com/test -> pony.com/error/404 -> 200 ->
    invalid!
False positive detection pitfall
● CRC32 Testing of first 200 bytes
  ○ False positive if there's a timestamp in those bytes
  ○ False positive if there's anything variable in those
    bytes
● Ratcliff-Obershelp
  ○ Too much granularity in some cases
    ■ what is the best differential ratio? 0.6 VS 0.65?
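Both halves of the detection, the 404 benchmark and the redirect evaluation, with the pitfalls from the last slide handled, as an added example that is not Tachyon's code. The fake server, the probe-twice stability check for variable 404 bodies, the 0.65 threshold and the path-only ratio variant are constructed here; the slides only give CRC32 over the first 200 bytes, UUID probes per extension and a Ratcliff-Obershelp ratio over the URLs.

```python
"""404 fingerprinting (CRC32 of the first 200 bytes) and redirect evaluation
(Ratcliff-Obershelp ratio). Added example: the fake server, the two-round
stability check and the path-only ratio are constructed for this page;
they are not Tachyon's code."""
import difflib
import uuid
import zlib
from urllib.parse import urlsplit

FINGERPRINT_BYTES = 200
PROBE_SUFFIXES = (".html", ".php", ".asp", ".txt", "")  # "" = no extension


def fingerprint(body):
    """CRC32 over the first 200 bytes of the body."""
    return zlib.crc32(body[:FINGERPRINT_BYTES]) & 0xFFFFFFFF


def suffix_of(path):
    for suffix in PROBE_SUFFIXES:
        if suffix and path.endswith(suffix):
            return suffix
    return ""


def benchmark(fetch, base, rounds=2):
    """Request random UUID paths per suffix and store each 404's (status, crc).
    Probing each suffix twice is an addition: if the two CRCs differ, the first
    200 bytes contain something variable (timestamp, counter) and the
    fingerprint is useless for that suffix."""
    table, unstable = {}, set()
    for suffix in PROBE_SUFFIXES:
        seen = set()
        for _ in range(rounds):
            status, body = fetch(f"{base}/{uuid.uuid4().hex}{suffix}")
            seen.add((status, fingerprint(body)))
        table[suffix] = seen
        if len({crc for _, crc in seen}) > 1:
            unstable.add(suffix)
    return table, unstable


def classify(fetch, url, table, unstable):
    """'miss' when the answer matches a benchmarked 404, 'hit' otherwise, and
    'unverified' when the fingerprint for that suffix cannot be trusted."""
    status, body = fetch(url)
    if status == 404:
        return "miss"
    suffix = suffix_of(urlsplit(url).path)
    if suffix in unstable:
        return "unverified"
    return "miss" if (status, fingerprint(body)) in table[suffix] else "hit"


def redirect_ratio(requested, location):
    """difflib.SequenceMatcher is Ratcliff-Obershelp, not Levenshtein."""
    return difflib.SequenceMatcher(None, requested, location).ratio()


def redirect_is_valid(requested, location, threshold=0.65):
    return redirect_ratio(requested, location) >= threshold


def path_ratio(requested, location):
    """Added variant: score only the part after the host, so 'www.' on the host
    cannot inflate the score and an error page diverges more sharply."""
    return redirect_ratio("/" + requested.partition("/")[2],
                          "/" + location.partition("/")[2])


def make_fake_server(variable_404=False):
    """Constructed 'batshit insane' server: unknown paths get a 200 soft-404,
    optionally stamped with a per-request counter standing in for a timestamp."""
    known = {
        "/backup.sql": (200, b"-- MySQL dump\nCREATE TABLE users (id INT);\n"),
        "/admin/": (403, b"<html><body>Forbidden</body></html>"),
    }
    count = [0]

    def fetch(url):
        path = urlsplit(url).path
        if path in known:
            return known[path]
        count[0] += 1
        stamp = f"<!-- req {count[0]} -->" if variable_404 else ""
        return 200, f"<html>{stamp}<body>Sorry, nothing here.</body></html>".encode()

    return fetch
```

Run against the slide's three redirect cases, difflib gives 0.80 for pony.com -> www.pony.com, about 0.89 for the pony.txt case and about 0.645 for pony.com/test -> pony.com/error/404: the last one is valid at 0.6 and invalid at 0.65, which is exactly the granularity question the slide asks. Scoring only the part after the host drops that case to about 0.27 while the first two stay at 1.0, which makes the threshold far less delicate. With variable_404=True the benchmark marks every suffix unstable and classify() answers "unverified" instead of reporting every soft-404 as a hit.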
Plugins - Robots.txt parser
● Leverage your little "Secrets"
● Disallow path : new target path
● Disallow file : new target file
Plugins - Path Generator
● Used to generate trivial paths and files
● Reduce database pollution
   ○ /0-9
   ○ /a-z
Plugins - Host Processor
● Try to generate probable filenames from the
  hostname
● adomain.com -> domain, adomain, adomain.sql,
  etc.
Plugins - /.svn/entries parser
● Parses the XML .svn/entries format
● The non-XML (line-based) format will be supported
● Generate paths
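The three parsing plugins, as added example code rather than Tachyon's plugin API: robots.txt Disallow entries split into paths and files, hostname-derived filenames, and the XML .svn/entries format. The robots.txt and entries files are constructed samples; the extra hostname stems and the suffix list are this example's own choices.

```python
"""Plugin-style candidate generators: robots.txt Disallow entries, hostname-derived
filenames and .svn/entries in its XML format. Added example with constructed
inputs; not Tachyon's plugin API."""
import xml.etree.ElementTree as ET

# Constructed robots.txt, the kind of little "secrets" the slides refer to.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /tmp/
Allow: /public/
Disallow: /*.php$
Disallow:
"""

# Constructed .svn/entries in the XML format (xmlns="svn:", one <entry> per
# item with "name" and "kind" attributes; the "" entry is the directory itself).
SVN_ENTRIES = """<?xml version="1.0" encoding="utf-8"?>
<wc-entries xmlns="svn:">
<entry name="" kind="dir" url="http://svn.pony.com/trunk"/>
<entry name="config.php" kind="file"/>
<entry name="includes" kind="dir"/>
<entry name="db.sql.bak" kind="file"/>
</wc-entries>
"""


def robots_targets(text):
    """Disallow values ending in '/' become target paths, the rest target files.
    Empty values ('allow everything') and wildcard patterns are skipped."""
    paths, files = [], []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "disallow":
            continue
        value = value.strip()
        if not value or "*" in value or "$" in value:
            continue
        (paths if value.endswith("/") else files).append(value)
    return paths, files


def host_targets(hostname, suffixes=(".sql", ".zip", ".tar.gz", ".bak")):
    """adomain.com -> adomain, adomain.com, adomain_com and each with a suffix.
    Stems and suffixes beyond the slide's 'adomain, adomain.sql' are assumed."""
    labels = [l for l in hostname.lower().split(".") if l and l != "www"]
    if not labels:
        return []
    stems = {labels[0], ".".join(labels), "_".join(labels)}
    names = set(stems)
    for stem in stems:
        for suffix in suffixes:
            names.add(stem + suffix)
    return sorted(names)


def svn_targets(xml_text):
    """Every named <entry>: kind="dir" becomes a path, anything else a file."""
    paths, files = [], []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith("entry"):
            continue
        name = elem.get("name")
        if not name:
            continue
        (paths if elem.get("kind") == "dir" else files).append(name)
    return paths, files
```

The results feed straight back into the path and file databases of the next pass; robots.txt paths are scanned as new parents, svn directory entries likewise, and the hostname-derived names are tried as files under each known path.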
Limitations
● Recursive scanning
  ○ Predictability
  ○ <Forbidden 1>/<Forbidden 2>/ == 403. Does not
      guarantee "2" exists (nginx answers 403 for
      anything below a denied location, existing or not)
● Various edge cases
● Tor support through Privoxy only
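Depth-limited recursive scanning with the nginx 403 caveat from the Limitations slide handled, as an added example with a constructed site, not Tachyon's scanner: a denied location answers 403 for any path beneath it, so recursing into 403 answers manufactures directories that do not exist.

```python
"""Depth-limited recursive directory scan that does not recurse into 403s.
Added example with a constructed fake server; not Tachyon's scanner."""
from collections import deque
from urllib.parse import urlsplit

PATH_DB = ["admin/", "backup/", "img/", "old/"]

# Constructed site: /backup/ exists and contains /backup/old/. /admin/ sits
# behind an nginx "location /admin/ { deny all; }", which answers 403 for
# *any* path below it whether or not it exists.
REAL_DIRS = {"/", "/backup/", "/backup/old/", "/img/"}
DENIED_PREFIX = "/admin/"


def fake_fetch(url):
    """Status code only; that is all the recursion decision needs."""
    path = urlsplit(url).path
    if path.startswith(DENIED_PREFIX):
        return 403
    return 200 if path in REAL_DIRS else 404


def recursive_scan(fetch, base, path_db=PATH_DB, max_depth=2, recurse_into_403=False):
    """Breadth-first: every discovered directory is rescanned with the path
    database until max_depth. 403 answers are reported as findings but, by
    default, not used as parents for the next level."""
    found = {}
    queue = deque([("/", 0)])
    seen = {"/"}
    while queue:
        parent, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for name in path_db:
            path = parent + name
            if path in seen:
                continue
            seen.add(path)
            status = fetch(base + path)
            if status == 404:
                continue
            found[path] = status
            if status == 200 or (status == 403 and recurse_into_403):
                queue.append((path, depth + 1))
    return found
```

With max_depth=3 and recurse_into_403=True the constructed site yields 24 "directories", 20 of them below /admin/ and none of those real; with the defaults, /admin/ is reported once as 403 and the scan stops there, which is the predictable behaviour the slide asks for.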
Todo
● Faster (urllib3: keep-alive pooling)
● Cute and/or parseable output
● Plugin system
    ○ Callbacks
    ○ Documentation
● Pattern exclusion
● HTML Crawler (buy me _some_ good beer
  then maybe)
Demo!
You want to contribute?
● Google "github tachyon"
● Contact me first!!! (initnull@gmail.com)
● You need a github account
    ○ No, I won't handle your un-mergeable .patch
    ○ I work on Linux AND Windows
    ○ I don't care
● Priorities:
    ○ Documentation
    ○ Clever plugins
●   Also looking for website directory listings
The end!

Mp26 : Tachyon, sloppiness is bliss
