00:00:01.199
Okay, good night everyone. My name is Mauro Eldritch, and I'm here to show you my talk on "Crafting Exploit Tools and Havoc with Ruby." It's a pleasure to be here today. I will introduce myself and talk a little bit about this session, which will be short.
00:00:09.280
I will be showing a couple of tools, spending a brief amount of time on each. In order to introduce myself, I am Mauro Eldritch, an enthusiastic hacker and the founder of the VCA and DC5411 from Uruguay and Argentina. I have spoken at many events, always focusing on security.
00:00:19.520
This talk is pretty simple and aims to share ideas on how to craft security tools in a friendly and approachable way for both newcomers and experienced developers alike. Throughout the session, you will see an increase in difficulty and complexity, starting with basic tools and moving toward more complex ones.
00:00:40.640
This presentation is divided into three short chapters: defensive tools, intelligence tools, and offensive tools. All the tools showcased here have either been originally created by me or contributed by members of my group. Everything is open source, so feel free to grab a copy and use it for educational purposes. I'm always happy to help if you get stuck, or if you'd like to show me anything new you've built.
00:01:06.160
Let's start with defensive tools. First, we'll discuss leak analyzers and scanners. For instance, if your company or government experiences a data breach, it’s called "terror" here. We developed a small search engine for compromised user credentials to help users independently check if their credentials were leaked instead of having to wait for an admin to sift through thousands or millions of records.
00:01:44.000
This tool is like a self-hosted version of haveibeenpwned.com. It uses common Ruby gems such as Sinatra and Logger. The only requirement is a CSV database file that includes the email and password for analysis. It contains less than 100 lines of code and is available on my GitHub, which I will share later.
00:02:43.760
Another simple tool, which will increase in complexity over time, is called "Charmander-B." If you’ve had a web server or application exposed to the internet, you probably know that it won’t take long before malicious bots start scanning or attacking you.
00:03:07.440
This lightweight tool, which is under 60 lines of code, will parse your logs in common log formats, especially those supported by Sinatra, such as Webrick and Thin, as well as Apache and Nginx. It checks for HTTP responses other than '200' and generates locking rules for either UFW or iptables, depending on your preference.
00:03:14.400
The tool needs a log file to parse and comes with a real case example from one of my log files, identifying some bad bots. This is an easy introduction to defensive security using Ruby, providing a small taste of how to deal with bad traffic online.
00:04:30.640
Now, moving on to intelligence tools, which will be brief because I want to showcase many ideas in a short span. The first tool is called "Ghost," which fetches threat intelligence pulses using the AlienVault OTX API. It sends updates about cybersecurity threats and advances hourly or daily via Telegram.
00:05:05.840
Ghost can serve as a standalone Telegram bot or be used as an API. It's built using the same gems I mentioned, including Sinatra and Logger, and it’s around 130 lines of code. I hope to release it soon, and in the meantime, if anyone is interested, I have the necessary tools and models for building something similar.
00:06:35.680
Next is a project called "Binautory," aimed at identifying trolls before they attack you. It utilizes the Twitter API to fetch various user statistics and parse them to identify troll-like behaviors on social media. Additionally, it leverages popular gems like MySQL2 for the backend and MiniMagick for image processing.
00:07:34.720
This tool will eventually be released as a software-as-a-service (SaaS), providing profiles on potentially malicious accounts based on diverse traits and activity. We're still working on it, fixing some bugs before the release.
00:08:55.000
Now, on to one of the most anticipated sections: offensive tools. I will start by introducing two simple tools and gradually move on to more complex concepts. The tools GengarBi and HunterV are fundamental for those wanting to explore offensive security with Ruby.
00:09:22.080
These tools are brute-forcers for SSH and FTP. They connect using standard user credentials and a password dictionary file. Although they are basic, they are functional and very useful for anyone wanting to extend their capabilities.
00:10:26.560
The next tool I’ll discuss is Capybara, which acts as a command-and-control (C2) server and client. A C2 server sends commands to malware, and although we are building a hypothetical C2 server as a demonstration, our implementation does not maliciously operate or steal from users. It merely connects and acts ethically, for educational purposes.
00:11:55.200
This tool utilizes Sinatra and other necessary gems depending on the client you wish to create. Each client will need specific additional gems based on the platform, such as YT API for YouTube or Steam's API. The code is relatively simple, running with around 70 lines.
00:14:08.480
I’ll present an example; you can create commands leveraging Spotify as a C2 server, where commands correspond to songs in a malicious playlist. For example, the song titles can act as commands to execute particular functions.
00:15:48.800
Next, we will address more serious exploits. The first I will cover targets specific high-severity CVEs for Gluster. It’s essential for anyone navigating secure environments to realize that exploiting a replication system can lead to compromising other systems due to how replication works.
00:17:40.000
The exploit works by injecting a malicious crontab entry into targeted hosts. While it requires some knowledge and common Ruby gems, the exploit itself is relatively straightforward, consisting of about 90 lines of code. Additionally, you can also use Metasploit modules with this exploit.
00:19:22.000
I’ll also discuss two exploits targeting specific Docker container configurations. The first exploit is called PASU, which seeks to infect unauthenticated popular instances, while LEMPO aims to exploit a critical severity flaw that targets LDAP passwords. Effectively controlling the LDAP database allows extensive access to the entire user directory, which can lead to serious consequences.
00:20:28.000
Leveraging the combination of these two exploits provides a robust attack vector into target networks. While the implementation consists of many more gems, the primary operations are executed efficiently, paving the way for expansive control against Docker infrastructure.
00:21:53.280
Another intriguing exploit is called "Mime," which hacks smart digital assistants like Amazon Echo or Google Home through a unique vulnerability involving microphone systems. By creating a fake microphone device, it plays pre-recorded commands to the target assistant, installing malicious extensions that compromise the system.
00:23:14.720
The culmination of the demonstrations showcases how Ruby can support a wide range of security-related projects and tools. Ruby is an excellent platform due to its flexibility and ease of use.
00:25:28.560
In conclusion, Ruby is beloved in the security community for the myriad of useful projects being developed. I look forward to seeing what you build from here. Please reach out through my social handles if you have questions!
00:27:20.400
Thank you for attending!