SOEN: All right. I guess we'll get started. Hi everyone. My name is soen, and I'm talking about Evolving Exploits Through Genetic Algorithms.

So before I jump into genetic algorithms, though, I want to just give you a little background of who I am. I'm a CTF player for DEF CON for many years. I do programming. I love viruses, worms. And I've been trained as a computer scientist, and I do penetration testing in the daylight hours. But, you know, I'm still a n00b.

But this talk was focused mainly off of kind of my computer science interests and my job and my inner laziness wanting to come out. And I was looking at my job. And I go, what I do on a day to day basis, I exploit web applications. And there's a number of problems associated with, you know, performing this task. And the major ones are it is driven by the customer, so you have to provide them what they want. There's a small scope. You're only allowed to hit a tiny portion of the site, so you have to have like a scalpel-like efficiency. You can't hit the whole web server with a hammer.
You only have a limited amount of time, usually very short, as in a day, two days, three days. And it's all report driven because it's based off of giving a report to the customer. And so these problems are what has been driving me to look into this area.

And there's a number of ways that I approach trying to solve these problems, and my methodology was usually run as many scanning tools as possible against a web application and then mainly poke at the areas that come up as suspicious. And from there, if it does turn out to be exploitable, I write an exploit for it. But there's a couple problems inherent with that approach, because the code coverage is inherently small because I'm trying to limit the code that I view on a day to day basis. So I want to have myself view less code and make sure that the code that I'm viewing is actually potentially vulnerable instead of just what have you. And also the inspection of suspicious areas that are discovered by, say, web scanners or manual testing is also time consuming as well.
And then additionally, the development of a working exploit for a site takes time as well because there might be additional blocking mechanisms in place like a WAF, a web application firewall, where you can see you have SQL injection, but all of a sudden, you don't really have SQL injection because there's an additional layer you have to break through.

And there's a number of really good tools out there for exploit discovery and development. And I use Acunetix or ZAP and SQLMap very frequently, and they're all fantastic tools. But I realized running, you know, some of the other tools like Nessus, Nmap, other scanning tools that there's this problem. There's this very big similarity with an existing industry, and it's a fundamental problem with web application scanners as we know it today.

(Applause)

SOEN: So...

SPEAKER: Stand over there. What up, bitches? It's funny. He thought you were clapping for him. (Laughing) He's like, well, I said, SQL map, what? Okay. All right. You know why we're here. Wow, this first time. There you go. That's what I'm talking about.
At the very back, in the gray. No, in the hoodie, man. Bring your skittles up here. Oh, what is this called?

AUDIENCE: Shot the n00b.

SPEAKER: Thank you. Oh, my God. That was awesome. The Price is Right. You are here. All right. Thank you, sir. Wait, what's your name?

AUDIENCE: Conner.

SPEAKER: Conner. Conner represents all of you who are first timers. And DEF CON.

AUDIENCE: Cheers!

(Applause)

SPEAKER: So foundational problems with current techniques, sorry. That's all I knew. I think he was talking about scanning. Oh, scanning.

SOEN: Scanning and software and stuff.

SPEAKER: Oh, my God, look. He's got a countdown timer.

SOEN: Yeah.

SPEAKER: Oh, shit, you only got five minutes to go, dude. Four minutes. Wow, that sucks.

SOEN: Well, thank you for the alcohol. I appreciate it.

SPEAKER: You're welcome.

SOEN: So back on track.
The foundational problems that we have with web application scanners are that the current main technologies are built around a signature based system. They have an understanding of what a potential exploit could look like. They throw it at the web server, and then if they retrieve a favorable or unfavorable result, they mark it as a finding.

(Cough) (Laughing) (Applause)

SOEN: And so, okay. So I thought, you know, hey, why not take genetic algorithms and apply them to web applications. Why not take your average basic SQL injection and go from something that a web application firewall can easily protect against and a programmer can easily defend against to something that is more, more hard to stop. And so this whole process of evolution is something that was really fascinating to me.

And so for this talk, we're going to use genetic algorithms to make exploits for SQL injection, command injection, and our attack surfaces, HTTP and HTTPS. So it's web based parameters. And we're not going to cover anything else. This could be applied to a number of different things, another JSON, Ajax, what have you.
But just for the scope of this talk, we're talking about SQLi and command injection. So the tool I wrote for this talk is called Forced Evolution, and it takes this concept of I'm going to use genetics to write exploits for me so I don't have to do it myself. It's the inner lazy programmer.

So what is a genetic algorithm? Well, a genetic algorithm is essentially you create a large number of things, and in this case, they will be exploit strings, and you look for a certain solution that these things will provide. And in this case, it will be an exploit. And then you score all the strings' performance using some sort of vague, ambiguous fitness function. And this fitness function in our case, we'll get into that later, but there is a way of determining, okay, using numbers, this is a better injection string than the previous one. And so our algorithm here is we have this loop: while we haven't found the solution, we score, we kill off all the low performing strings. We breed the strong performing strings, the ones that are more efficient or they bypass or they exploit better. And then we also mutate the strings randomly.
And then once we have found a correct exploit, we display it and show it. And so the tool, Forced Evolution, does exactly this. We create a large number of pseudo random strings. We are playing upon the history of all previous, well, all that I could find, SQL injections and command injections and using them to influence the population of creatures that we breed so we're not losing evolutionary progress. We're progressing forward. So we create a large amount of strings, and we breed in what we know has worked in the past, but we use that just to influence the population. We don't actually say, okay, we have a set of signatures, because then we're back to the original problem.

And we go through the exact same process as a generic genetic algorithm. We send the string as a parameter value, either a POST or GET, what have you, and then use the response from the server to determine the score. And this could be many things. So we have a good deal of granularity on how we can score a string. And then just like the rest, we cull, we breed, we mutate. And then when we find a string that successfully exploits an app, we display it.
There's a number of things we also had talked about, like what is this fitness function? Like how do we define, is this string better than another string? And there's a couple of things that we can look at and say, does it cause weird behavior? Is the string reflected? There might be a potential for XSS in this. Does the string cause an error? And if so, is our SQL injection or command injection displayed inside that error? That gives us additional information as well. And also, does the exploit string cause goal data or sensitive data to be displayed so that we can see, oh, potentially this is, you know, a good exploit.

So once we found out what a creature's score is, then we breed the top scores and then we kill the underperforming scores. And the majority of, well, I can't really say majority, but a good chunk of genetic algorithms use this geno crossover, and this works really well in our domain because we have these variable length SQL injection strings that we need to breed against each other. And so this breeding process consists of cutting a string in half and then mixing halves and then mutating them.
And the current implementation that I have in the tool is two parents create four children and also survive themselves, so they pass on their genes and they also live to see another day until one is better than them.

Now for the next step, what do we mean by mutating strings? Mutating our exploits? So (coughing) yeah, that whiskey. The mutation rate, I found it's usually best to have it variable. And there's a number of operations that we can use, but it all boils down to three essential operations. We have mutation, changing a single byte in a string. We have adding information and we also have removing information as well. So it's somewhat like natural evolution. And so say, for example, if the premutated string is ABCDE or ABCD, the mutations that have been applied to it are: the X has been prepended to the string, the B has been deleted, and the D has been mutated, so hopefully that will give you some idea of what we're saying. We're not doing anything crazy. We're just picking a random part of the string and we're changing it a little bit. So that's how we mutate the string.
There's a couple things to keep in mind as we go throughout. Because we have this algorithmic process of breeding, killing, breeding, our population is going to vary. And the mutation rate versus search speed is very important because if we mutate too quickly, if we say every single part of every single attack string that we have is going to change, it's essentially throwing random data at the web server, and it's really not efficient. It's not worth doing. It's taking a bunch of dice, throwing them in the air and hoping to get all sixes. So it has to be tuned down to a point where it is an efficient search. And there's also the string cull rate versus the population speed. If you cull more than you breed, the amount of strings in your population will decrease, and vice versa. If you repopulate too quickly, it will be like rabbits, and they will denial of service your machine. So.

With these things in mind, I went ahead and I compiled a couple statistics on the leading edge tools.
And I did Acunetix for ZAP, the Olys, the ZAP and SQLMap as well as Forced Evolution, and this is just the raw data, but I'll go through the charts to show how it compares to them. The number of requests sent to the server is a very significant amount. Forced Evolution sends on average maybe ten to 30,000 requests to a server, so this is not exactly a stealth attack tool. But we'll get into some of the pros later. And the time to exploit is usually dependent on network latency, and so these will fluctuate a little bit. But Forced Evolution does perform well compared to some tools but not very well at all to others.

And the same for SQL injection. I also did the same statistics for SQL injection, and the total number of requests to the server decreases dramatically because SQL injection has a finer way of expressing the score associated with the fitness function. There's a better way, and it's easier to score one string higher than another because you have more information to do so. And so it's naturally more efficient because it depends on that fitness function, that scoring mechanism, to determine who lives, or what string lives and what string dies. So it reaches a solution faster.
And the time to exploit as well decreases proportionately. So, hmm, with that, let's go ahead and try a demo. May the demo gods be gracious because this does depend on Python import random, so let's hope everything works. There we go. Okay. This is terrible. I'm sorry. Okay.

So we have a generic web application here with a login form and it is vulnerable to SQL injection. As you can see, I'll just type in some random characters, and it doesn't bring back correct input, and there's also other problems with it as well. So we know that a vulnerability exists there, and we can discover this vulnerability or this suspicious area like we talked about previously through other scanning tools, and now all we have to do is point Forced Evolution at it, and it will go ahead and exploit it for us.

Let me see. All of a sudden it changed size. Sorry. There we go. Okay.

So Forced Evolution will be up on GitHub in about 15 minutes after the talk. So the command line options. Wish I had my glasses.
We have a target for this. We'll just do localhost. And we have an address of the vulnerable web page, so in that case, that will be SQLindex.PHP. And then we also have the vulnerable variable, which I believe is password. I believe both should work. And then the method. The method previously was displayed as POST, or I'm sorry, GET. But the tool has both options. And the other variables we'll just include for completeness. We'll just include the user name.

AUDIENCE: Typo.

SOEN: Typo? I would be dangerous without my glasses.

AUDIENCE: No.

SOEN: User name equals, let's just say, DEF CON. And then we also have what will constitute a valid exploit. So in this case, we want to get to the administrative area of the site, and so we'll put in our goal text. It will be administrative; we'll just put admin because the tool will search any request or any response that it receives back, parse it and then determine if it has that string in it. So on the right hand side, I have a tail of the current requests coming into the web server, so as we start running the tool, that will jump up.
Wish me luck. Here we go. All right. Right now it has created a large number of strings. Well, actually not that large. It's only about a thousand. But it's running them against the web server currently, and it's scoring them based upon the response it receives back. And it's taking the top performers and it's breeding them, so right now we're at generation two, three.

(Laughing)

SOEN: Nothing crashed. Okay. Five. And because this is based upon random strings, sometimes the solution is found extremely quickly and sometimes it takes a while. But because of the influence of the previous database, this will become much, much faster. Come on.

(Applause)

SOEN: There we go. All right. Drag this back over to my side.

So the pros and cons of using genetic algorithms. The cons, there's a couple major ones. This is not a very stealthy attack tool. As you can see, this generates a large amount of requests to the server, and this is inherent in genetic algorithms as a whole.
358 00:20:40,000 --> 00:20:43,876 And there's a small potential to inadvertently destroy the database 359 00:20:43,876 --> 00:20:46,709 in an operating system, so I wouldn't run this 360 00:20:46,709 --> 00:20:49,667 against production environment. 361 00:20:51,999 --> 00:20:53,584 Job security? 362 00:20:55,375 --> 00:20:56,834 I don't know. 363 00:20:56,834 --> 00:20:59,834 Yeah, and it is a slower process to develop and test exploits, 364 00:20:59,834 --> 00:21:03,083 at least from the front end, because I'm sure anyone 365 00:21:03,083 --> 00:21:06,292 in the audience, when they see that SQL injection, 366 00:21:06,292 --> 00:21:08,584 they write it down. 367 00:21:08,876 --> 00:21:13,834 And but see the program, you know, 20, 30 seconds to do it. 368 00:21:13,834 --> 00:21:15,999 And genetic algorithms will always be suboptimal 369 00:21:15,999 --> 00:21:18,999 to source code analysis because there's just more code 370 00:21:18,999 --> 00:21:21,083 coverage you can do. 371 00:21:21,876 --> 00:21:25,709 But the pros the pros for genetic algorithms and using these 372 00:21:25,709 --> 00:21:28,876 to create exploits are fantastic. 373 00:21:28,959 --> 00:21:33,083 They're really cheap in CP ram and hard drive and human time. 374 00:21:33,167 --> 00:21:35,542 You can run that on Raspberry Pie. 375 00:21:35,626 --> 00:21:38,999 Your only limiting feature or factor is the network speed 376 00:21:38,999 --> 00:21:42,999 like how far away are you from the web server. 377 00:21:42,999 --> 00:21:47,959 And as far as my time goes, I can just turn it on, and it runs. 378 00:21:47,959 --> 00:21:49,083 I don't look at it again. 379 00:21:49,083 --> 00:21:50,083 It's good. 
And I feel it has more complete code coverage than other black box approaches because not only does it have the signatures that the other black box approaches have, it also isn't bound by a box of thinking. This is someone saying, this is what we know a good SQL injection to be. It doesn't have that definition. It's limitless in its approach to the solution, and so that takes us to the, yeah, right now, the tool will break web applications in the future. It might not do it efficiently, but as the database of SQL exploits grows, it will do it more efficiently.

And another huge pro to this is automatic exploit development. I don't have to invest my time into sitting down and figuring, oh, okay, I got SQLi. Oh, okay, there's a WAF. Oh, okay, there's something else. Oh, okay, there's filtering rules. This doesn't need to know about those. It just cares about that question response, and so it's really fantastic in that regard.
And the last biggest pro for this is emergent exploit discovery, because since this isn't bound by what we know as, okay, this is a valid exploit, this will create new things, new ways of approaching problems that we haven't seen yet. And for that reason, I think it's absolutely fantastic, and I think we should pursue this.

So in conclusion, if you can download the tool, give me about 15 minutes. And there's my contact info.