RubyAndPenetrationTesting

From Rory.wiki


Ruby Apps for Penetration Testing

Metasploit

Ronin

Wordlist Generation Library

Ruby Black Bag

WWMD

Origami Ruby app for analyzing and modifying PDFs

PenTBox Another penetration testing framework in Ruby.

Ruby and Crypto

post on using crypt and blowfish in ruby

Using openssl and public key crypto with rails

Crypt homepage

some general cryptanalysis strategies

From here: converting a Ruby hex string to a binary string.

If you've got a hex string like "d573499ed86a7c3642e6b7654d3c3a8a58d3b6dd6cd041c18c97196a53f60cd3", wrap it in an array and pack it (String#to_a only existed on Ruby 1.8):

["d573499ed86a7c3642e6b7654d3c3a8a58d3b6dd6cd041c18c97196a53f60cd3"].pack("H*")

If you've got it split up by spaces like "d5 73 49 9e d8 6a 7c 36 42 e6 b7 65 4d 3c 3a 8a 58 d3 b6 dd 6c d0 41 c1 8c 97 19 6a 53 f6 0c d3", strip the whitespace first:

["d5 73 49 9e d8 6a 7c 36 42 e6 b7 65 4d 3c 3a 8a 58 d3 b6 dd 6c d0 41 c1 8c 97 19 6a 53 f6 0c d3".gsub(/\s/, '')].pack("H*")

From here, the reverse: if you've got a binary string (say, for example, the output of one of Crypt's functions) that you want to convert to hex.

Assuming you've got the encrypted output in a variable called enc and an empty string variable called hexed:

hexed = ''
# append each byte as two zero-padded lowercase hex digits
enc.each_byte { |c| hexed << '%02x' % c }

Converting string representations to different bases turns out to be pretty easy:

# Convert a hex byte (as text) to an Integer
int = "d5".to_i(16)
# Convert the Integer to its binary string representation
bin_string = int.to_s(2)
# Convert an ASCII string to hex (unpack returns an array, which is why we need the [0] at the end)
"string".unpack("H*")[0]
# Alternative way of achieving the above: hex-encode each byte in turn.
# ("string"[0].to_s(16) only worked on Ruby 1.8, where String#[] returned an Integer,
# and even there it only covered the first character.)
"string".each_byte.map { |b| '%02x' % b }.join
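The conversions above combined into helpers that also reject malformed input (an added example, not code from the original notes; hex_to_bin, bin_to_hex, byte_to_bits and HEX_RE are names chosen here). It goes slightly beyond the page in accepting colon-separated MAC-style hex as well, and in refusing odd-length or non-hex input, which pack("H*") would otherwise silently mangle.

```ruby
# Added example: validating hex <-> binary helpers (names are mine, not the page's).
HEX_RE = /\A(?:[0-9a-fA-F]{2})+\z/

# Accepts "d573...", "d5 73 ..." or "00:11:32:..." and returns the raw bytes.
# Separators are stripped first; the result must then be an even number of hex
# digits, because Array#pack("H*") pads an odd trailing nibble with zero and maps
# non-hex characters to arbitrary nibble values instead of raising.
def hex_to_bin(hex)
  clean = hex.gsub(/[\s:]/, '')
  unless clean.match?(HEX_RE)
    raise ArgumentError, "not an even-length hex string: #{hex.inspect}"
  end
  [clean].pack('H*')
end

# The reverse of hex_to_bin; equivalent to the each_byte / '%02x' loop above.
# sep: lets you reproduce the spaced or colon-separated forms.
def bin_to_hex(bin, sep: '')
  bin.unpack1('H*').scan(/../).join(sep)
end

# One byte given as two hex digits -> zero-padded 8-bit binary string
# (to_s(2) on its own drops leading zeros, e.g. "0c" would give "1100").
def byte_to_bits(hex_byte)
  Integer(hex_byte, 16).to_s(2).rjust(8, '0')
end

if __FILE__ == $PROGRAM_NAME
  sample = 'd573499ed86a7c3642e6b7654d3c3a8a58d3b6dd6cd041c18c97196a53f60cd3'
  raw = hex_to_bin(sample)
  puts raw.bytesize              # 32
  puts bin_to_hex(raw, sep: ' ') # the space-separated form from the page
  puts byte_to_bits('d5')        # 11010101
end
```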

Mechanize

Mechanize is very useful for automating web applications as part of a test.

Error Notes

I did get an error from IConv when using mechanize to submit a form as the encoding wasn't set (TypeError from nil to string). Setting the form encoding seemed to solve the error.

# Set a proxy and the user agent
require 'rubygems'
require 'mechanize'
agent = Mechanize.new   # Mechanize versions before 1.0 used WWW::Mechanize.new
agent.set_proxy('localhost', 8080)   # e.g. an intercepting proxy on the tester's own machine
agent.user_agent = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11'

# Find a specific link based on the text in the link
page = agent.get('http://www.victim.com/page')

page.links.each do |link|
  if link.text =~ /<link_text_here>/
    @right_link = link
  end
end

# Get another page by "clicking" the link
page2 = agent.click(@right_link)

# Get a form based on the name attribute (older releases spelt this page2.form('<form_name>'))
main_form = page2.form_with(name: '<form_name>')

# Setting form values based on the field name attributes
main_form['field1'] = '1'
main_form['field2'] = 'false'

# Deleting a form field you don't want to submit
main_form.delete_field!('unneeded_field')

# Getting another page by submitting the form
page3 = main_form.submit

Nokogiri

Very handy HTML and XML parsing library. Home page: Nokogiri

Searching all links on a page

require 'rubygems'
require 'nokogiri'
require 'open-uri'

# URI.open is needed on Ruby 3.0 and later, where a bare open() no longer fetches URLs
doc = Nokogiri::HTML(URI.open('http://www.mccune.org.uk'))

# print the href of every anchor in the document
doc.search('a').each { |url| puts url['href'] }

Nokogiri Tips

From here: if you want to search a set of tags which have the same element name but different attributes, you can do it by specifying the desired attribute in square brackets. So, for example, with a document like this

<HostProperties>
  <tag name="HOST_END">Fri Feb  5 21:01:04 2010</tag>
  <tag name="operating-system">Linux Kernel 2.4 Linux Kernel 2.6</tag>
  <tag name="mac-address">00:11:32:02:8d:d0</tag>
  <tag name="host-ip">192.168.151.2</tag>
  <tag name="host-fqdn">TriTeraTops.local</tag>
  <tag name="netbios-name">TRITERATOPS</tag>
  <tag name="HOST_START">Fri Feb  5 20:57:29 2010</tag>
</HostProperties>

if you wanted to pull out the MAC address

doc.search('//HostProperties/tag[@name="mac-address"]')   # a NodeSet; call .text on it for the value itself

should work, provided the document was parsed with Nokogiri::XML rather than Nokogiri::HTML (the HTML parser lowercases element names, so the case-sensitive HostProperties path would not match).

Ruby and ldap

There's a pure ruby ldap implementation called net-ldap here. Setting up a basic query of an LDAP server to get information out seems pretty straightforward.

This snippet queries a PGP Universal server for a list of users and prints their e-mail addresses

require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = 'your_server_ip_address'   # placeholder: replace with the server's address
ldap.port = 389

# anonymous simple bind; returns false if the server refuses it
abort("bind failed: #{ldap.get_operation_result.message}") unless ldap.bind

results = ldap.search(:base => "o=Users")

results.each do |res|
  puts res["name"]
end

General Links & Resources

http://www.matasano.com/log/1739/ruby-for-pentesters-a-viewstate-deserializer/ Ruby and viewstate deserialization

Using rack for penetration testing

Ruby for Pen testers slides Slides from the Matasano talk at BH '09

RubyCodeSnippets

Ruby and win32ole

RubySSLChecker

Net::HTTP cheat sheet git repo

Interesting post on buby

OmniAuth gem handles authentication via OpenID, OAuth and Facebook.
