Security

Crafting exploits, tools and havoc with Ruby

by Mauro Eldritch

In the video titled "Crafting Exploit Tools and Havoc with Ruby" presented by Mauro Eldritch at RubyKaigi Takeout 2021, the speaker explores a variety of security tools and exploits built with Ruby. The talk is aimed at both newcomers and experienced developers, guiding them through the creation of various security tools ranging from defensive mechanisms to offensive exploits.

Key Points:

  • Introduction to Mauro Eldritch: The speaker is a passionate hacker and founder of the VCA and DC5411, known for focusing on security at various events.
  • Structure of the Presentation: The session is divided into three categories: defensive tools, intelligence tools, and offensive tools, increasing in complexity throughout.

Defensive Tools:

  • Leak Analyzer: A self-hosted search engine for compromised user credentials, with less than 100 lines of code, implemented using Sinatra and Logger. It's akin to haveibeenpwned.com.
  • Charmander-B: A lightweight tool under 60 lines for parsing web server logs, flagging non-200 responses and generating blocking rules (UFW or iptables) to keep out bad traffic.
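To make the Charmander-B idea concrete, here is an added example in the same spirit (this is not the project's own code): it parses Apache/Nginx combined-format lines, counts non-200 responses per client IP, and emits deny rules for either UFW or iptables. The log lines, the threshold of 3 and the function names are all assumptions made for this example.

```ruby
# Added example: a minimal log-to-block-rule generator in the spirit of
# Charmander-B (this is not the project's own code). It parses Apache/Nginx
# combined-format lines, counts non-200 responses per client IP and emits
# firewall deny rules for any IP at or above a threshold.

# Combined log format: IP - - [time] "METHOD PATH PROTO" STATUS SIZE "REF" "UA"
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<size>\S+)/

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2021:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  203.0.113.7 - - [10/Oct/2021:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  203.0.113.7 - - [10/Oct/2021:13:55:38 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"
  198.51.100.22 - - [10/Oct/2021:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.22 - - [10/Oct/2021:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  garbage line that does not match the format
LOG

# Returns { ip => count_of_non_200_responses }, skipping unparseable lines.
def count_bad_responses(log_text)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    counts[m[:ip]] += 1 unless m[:status] == '200'
  end
  counts
end

# IPs whose non-200 count reaches the threshold, sorted for stable output.
def offenders(counts, threshold: 3)
  counts.select { |_, n| n >= threshold }.keys.sort
end

# Build deny rules for the chosen firewall (:ufw or :iptables).
def block_rules(ips, firewall: :ufw)
  ips.map do |ip|
    case firewall
    when :ufw      then "ufw deny from #{ip} to any"
    when :iptables then "iptables -A INPUT -s #{ip} -j DROP"
    else raise ArgumentError, "unknown firewall: #{firewall}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts block_rules(offenders(count_bad_responses(SAMPLE_LOG)))
end
```

A single 404 from a legitimate visitor (the favicon request above) stays below the threshold, which is the point of counting per IP rather than blocking on any error.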

Intelligence Tools:

  • Ghost: A tool that fetches threat intelligence updates via the Alien Vault OTX API and runs as a Telegram bot or API, built with around 130 lines of code.
  • Binautory: A service that identifies potential trolls on social media by analyzing user statistics using the Twitter API, aiming for a future release as SaaS.

Offensive Tools:

  • GengarBi and HunterV: Basic brute-forcers for SSH and FTP, demonstrating initial offensive security concepts.
  • Capybara: A command-and-control (C2) server that acts ethically for educational purposes, using various APIs to showcase command execution.
  • Complex Exploits: The speaker discusses how to exploit Docker container vulnerabilities with two projects: PASU and LEMPO. Another exploit, "Mime", targets smart digital assistants, manipulating their microphone systems to install malicious extensions.

Conclusions:

  • Ruby's versatility and simplicity make it a popular choice for developing security tools, as exemplified throughout the session. Eldritch encourages attendees to explore and build their own projects based on the concepts presented, fostering an active interest in security intelligence and tooling.

In summary, the workshop effectively showcases Ruby's potential in creating a wide range of security-related applications, inspiring participants to innovate and collaborate in the field.

00:00:01.199 Okay, good night everyone. My name is Mauro Eldritch, and I'm here to show you my talk on "Crafting Exploit Tools and Havoc with Ruby." It's a pleasure to be here today. I will introduce myself and talk a little bit about this session, which will be short.
00:00:09.280 I will be showing a couple of tools, spending a brief amount of time on each. In order to introduce myself, I am Mauro Eldritch, an enthusiastic hacker and the founder of the VCA and DC5411 from Uruguay and Argentina. I have spoken at many events, always focusing on security.
00:00:19.520 This talk is pretty simple and aims to share ideas on how to craft security tools in a friendly and approachable way for both newcomers and experienced developers alike. Throughout the session, you will see an increase in difficulty and complexity, starting with basic tools and moving toward more complex ones.
00:00:40.640 This presentation is divided into three short chapters: defensive tools, intelligence tools, and offensive tools. All the tools showcased here have either been originally created by me or contributed by members of my group. Everything is open source, so feel free to grab a copy and use it for educational purposes. I'm always happy to help if you get stuck, or if you'd like to show me anything new you've built.
00:01:06.160 Let's start with defensive tools. First, we'll discuss leak analyzers and scanners. For instance, if your company or government experiences a data breach, it’s called "terror" here. We developed a small search engine for compromised user credentials to help users independently check if their credentials were leaked instead of having to wait for an admin to sift through thousands or millions of records.
00:01:44.000 This tool is like a self-hosted version of haveibeenpwned.com. It uses common Ruby gems such as Sinatra and Logger. The only requirement is a CSV database file that includes the email and password for analysis. It contains less than 100 lines of code and is available on my GitHub, which I will share later.
00:02:43.760 Another simple tool, which will increase in complexity over time, is called "Charmander-B." If you’ve had a web server or application exposed to the internet, you probably know that it won’t take long before malicious bots start scanning or attacking you.
00:03:07.440 This lightweight tool, which is under 60 lines of code, will parse your logs in common log formats, especially those supported by Sinatra, such as Webrick and Thin, as well as Apache and Nginx. It checks for HTTP responses other than '200' and generates blocking rules for either UFW or iptables, depending on your preference.
00:03:14.400 The tool needs a log file to parse and comes with a real case example from one of my log files, identifying some bad bots. This is an easy introduction to defensive security using Ruby, providing a small taste of how to deal with bad traffic online.
00:04:30.640 Now, moving on to intelligence tools, which will be brief because I want to showcase many ideas in a short span. The first tool is called "Ghost," which fetches threat intelligence pulses using the Alien Vault OTX API. It sends updates about cyber security threats and advances hourly or daily via Telegram.
00:05:05.840 Ghost can serve as a standalone Telegram bot or be used as an API. It's built using the same gems I mentioned, including Sinatra and Logger, and it’s around 130 lines of code. I hope to release it soon, and in the meantime, if anyone is interested, I have the necessary tools and models for building something similar.
00:06:35.680 Next is a project called "Binautory," aimed at identifying trolls before they attack you. It utilizes the Twitter API to fetch various user statistics and parse them to identify troll-like behaviors on social media. Additionally, it leverages popular gems like MySQL2 for the backend and MiniMagick for image processing.
00:07:34.720 This tool will eventually be released as a software-as-a-service (SaaS), providing profiles on potentially malicious accounts based on diverse traits and activity. We're still working on it, fixing some bugs before the release.
00:08:55.000 Now, on to one of the most anticipated sections: offensive tools. I will start by introducing two simple tools and gradually move on to more complex concepts. The tools GengarBi and HunterV are fundamental for those wanting to explore offensive security with Ruby.
00:09:22.080 These tools are brute-forcers for SSH and FTP. They connect using standard user credentials and a password dictionary file. Although they are basic, they are functional and very useful for anyone wanting to extend their capabilities.
00:10:26.560 The next tool I’ll discuss is Capybara, which acts as a command-and-control (C2) server and client. A C2 server sends commands to malware, and although we are building a hypothetical C2 server as a demonstration, our implementation does not maliciously operate or steal from users. It merely connects and acts ethically, for educational purposes.
00:11:55.200 This tool utilizes Sinatra and other necessary gems depending on the client you wish to create. Each client will need specific additional gems based on the platform, such as YT API for YouTube or Steam's API. The code is relatively simple, running with around 70 lines.
00:14:08.480 I’ll present an example; you can create commands leveraging Spotify as a C2 server, where commands correspond to songs in a malicious playlist. For example, the song titles can act as commands to execute particular functions.
00:15:48.800 Next, we will address more serious exploits. The first I will cover targets specific high-severity CVEs for Gluster. It’s essential for anyone navigating secure environments to realize that exploiting a replication system can lead to compromising other systems due to how replication works.
00:17:40.000 The exploit works by injecting a malicious crontab entry into targeted hosts. While it requires some knowledge and common Ruby gems, the exploit itself is relatively straightforward, consisting of about 90 lines of code. Additionally, you can also use Metasploit modules with this exploit.
00:19:22.000 I’ll also discuss two exploits targeting specific Docker container configurations. The first exploit is called PASU, which seeks to infect unauthenticated popular instances, while LEMPO aims to exploit a critical-severity flaw that targets LDAP passwords. Effectively controlling the LDAP database allows extensive access to the entire user directory, which can lead to serious consequences.
00:20:28.000 Leveraging the combination of these two exploits provides a robust attack vector into target networks. While the implementation consists of many more gems, the primary operations are executed efficiently, paving the way for expansive control against Docker infrastructure.
00:21:53.280 Another intriguing exploit is called "Mime," which hacks smart digital assistants like Amazon Echo or Google Home through a unique vulnerability involving microphone systems. By creating a fake microphone device, it plays pre-recorded commands to the target assistant, installing malicious extensions that compromise the system.
00:23:14.720 The culmination of the demonstrations showcases how Ruby can support a wide range of security-related projects and tools. Ruby is an excellent platform due to its flexibility and ease of use.
00:25:28.560 In conclusion, Ruby is beloved in the security community for the myriad of useful projects being developed. I look forward to seeing what you build from here. Please reach out through my social handles if you have questions!
00:27:20.400 Thank you for attending!