GyoiThon v0.0.3-beta releases: growing penetration test tool using Machine Learning

GyoiThon

GyoiThon is a growing penetration test tool using Machine Learning.

It identifies the software installed on the web server (OS, Middleware, Framework, CMS, etc…) based on the learning data. After that, it executes valid exploits for the identified software using Metasploit. Finally, it generates reports of scan results. It executes the above processing automatically.

  • Processing steps
    Processing flow

GyoiThon executes the above “Step1” – “Step4” fully automatically.
User’s operation only inputs the top URL of the target web server in GyoiThon.

It is very easy!
You can identify vulnerabilities of the web servers without taking time and effort.

Processing flow

Step 1. Gather HTTP responses.

GyoiThon gathers several HTTP responses of target website while crawling.
The following are an example of HTTP responses gathered by GyoiThon.

  • Example.1
    HTTP/1.1 200 OK
    Date: Tue, 06 Mar 2018 03:01:57 GMT
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Etag: "409ed-183-53c5f732641c0"
    Content-Length: 15271
    
    ...snip...

     

     

Step 2. Identify product name.

GyoiThon identifies product name installed on a web server using two methods.

1. based on Machine Learning.

By using Machine Learning (Naive Bayes), it identifies software based on a combination of slightly different features(Etag value, Cookie value, specific HTML tag etc.) for each software. Naive Bayes learns using the training data which example below (Training data). Unlike the signature base, Naive Bayes is stochastically identified based on various features included in HTTP response when it cannot be identified software in one feature.

  • Example.1
    Etag: "409ed-183-53c5f732641c0"

     

    GyoiThon can identify the web server software Apache.
    This is because it learns features of Apache such as “Etag header value (409ed-183-53c5f732641c0). In our survey, Apache use combination of a numeral and lower case letters as the Etag value. And, Etag value is separated 4-5 digits and 3-4 digits and 12 digits, final digit is 0 in many cases.

Step 3. Exploit using Metasploit.

GyoiThon executes exploit corresponding to the identified software using Metasploit.
And it checks whether the software is affected by the vulnerability.

Link with Metasploit

  • Running example
    [*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_nonx_tcp, result: failure
    [*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_tcp, result: failure
    [*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_tcp_uuid, result: failure
    [*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell_bind_ipv6_tcp, result: failure
    [*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell_bind_tcp, result: failure
    
    ...snip...
    
    [*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/custom, result: failure
    [*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/debug_trap, result: failure
    [*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/shell_bind_tcp, result: failure
    [*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/shell_reverse_tcp, result: failure
    [*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/tight_loop, result: bingo!!

     

Step 4. Generate scan report.

GyoiThon generates a report that summarizes vulnerabilities.
Report’s style is html.

  • sample gyoithon_report

Changelog v0.0.3-beta

  • Add “Creating signature” function

Download

git clone https://github.com/gyoisamurai/GyoiThon.git

Usage

Demo

Copyright 2018 Mitsui Bussan Secure Directions, Inc.

Source: https://github.com/gyoisamurai/

Share