
Perimeter

9/13/2010
01:01 PM
John H. Sawyer
Commentary

Relying On Tools Makes You Dumber

It takes a lot of time and effort to stay up on the latest vulnerabilities, attacks, and tools. Often, we in the security field rely on tools to automate parts of a vulnerability assessment or penetration test, but our testing should never rely only on the tools. If all we ran were some tools and blindly trusted their output, then we would be no better than your average script kiddie.

A couple of recent presentations have followed a similar line of thinking. They focused on people's reliance on the expertise baked into tools, the need to go beyond the crutch that tools provide and understand what they actually do, and practical examples of using languages like Python to accomplish that goal. At Black Hat, Nathan Hamiel and Marcin Wielgoszewski presented "Constricting the Web: Offensive Python for Web Hackers" (video), and at Security B-Sides Las Vegas, frank^2 presented "F**k Tools, Do It Yourself Jerk."

The premise of both presentations was that tools are written to do one or two things well, but they may not apply to every situation or keep working against future versions of the targeted application. To deal with the tools' inherent limitations, the people using them need to learn what the tools are doing and be able to do it on their own.

For example, if you're using a tool to find cross-site scripting or SQL injection vulnerabilities in a website, then you need to know how to do that without the tool by using just your Web browser.

In the examples given during Nathan and Marcin's talk, they focused on the Python scripting language as the best solution for quickly interacting with Web applications and developing proof-of-concept tools. They chose Python because many popular security tools are written in it, giving it a large support base; because, they say, it's easier than Perl (YES!); and because it does a great job of parsing Web content like HTML and XML.

Personally, I've found myself doing more custom one-off type jobs with Ruby. The most recent were several SHODAN search scripts using the new API. I eventually turned them into a Metasploit module that is available here.

In closing, I think that having the ability to quickly provide a proof-of-concept script is important for two reasons: One, it gives you the ability to verify that a tool's output is correct and that the vulnerability it found does exist and is repeatable. Two, you can then provide the script to a client with full documentation so they can see it for themselves.
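As an added example of that verification step (this is editorial illustration, not code from the column, from the Black Hat talk, or from Metasploit), here is the kind of short Python script the piece argues for: it repeats a scanner's reflected-XSS and SQL-injection claims for one parameter and reports only what actually reproduced, which is also what you would hand a client with the finding. The target http://example.test/search and the parameter q are hypothetical, and the two fetch functions at the bottom are constructed stand-ins for a vulnerable and a fixed page so the script runs offline; pass http_fetch to verify() to run it against a real, authorized target.

```python
import html
import re
import urllib.parse
import urllib.request

# Marker unlikely to occur naturally. If it comes back byte-for-byte, the
# application reflected the input without encoding it (a real XSS finding);
# if it comes back as &quot;&gt;&lt;zqx9&gt;, the scanner was fooled.
XSS_PROBE = '"><zqx9>'

# Classic quote differential: one quote should break a string literal in a
# vulnerable query, a doubled (escaped) quote should not. Requiring the
# second request to be clean filters out pages that error on anything.
SQLI_PROBES = ("'", "''")
SQL_ERRORS = (
    r"You have an error in your SQL syntax",   # MySQL
    r"unterminated quoted string",             # PostgreSQL
    r"Unclosed quotation mark",                # MSSQL
    r"ORA-\d{5}",                              # Oracle
    r"near \"[^\"]*\": syntax error",          # SQLite
)


def build_url(base, param, value):
    """Return base with param set to value in the query string, URL-encoded."""
    parts = urllib.parse.urlsplit(base)
    query = [(k, v) for k, v in
             urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, value))
    return urllib.parse.urlunsplit(
        parts._replace(query=urllib.parse.urlencode(query)))


def reflects_unescaped(body, probe=XSS_PROBE):
    """True only if the probe is reflected verbatim; an encoded copy is not a finding."""
    return probe in body


def sql_error_signature(body):
    """Return the first database error string found in body, or None."""
    for pattern in SQL_ERRORS:
        match = re.search(pattern, body)
        if match:
            return match.group(0)
    return None


def http_fetch(url, timeout=10):
    """Live fetch for authorized testing; not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def verify(base, param, fetch=http_fetch):
    """Repeat a scanner's XSS and SQLi claims for one parameter.

    Returns {"xss": bool, "sqli": bool, "evidence": {...}} so the result can
    go straight into the report (or to the client as the reproduction).
    """
    result = {"xss": False, "sqli": False, "evidence": {}}

    body = fetch(build_url(base, param, XSS_PROBE))
    if reflects_unescaped(body):
        result["xss"] = True
        result["evidence"]["xss"] = XSS_PROBE

    one_quote, two_quotes = (fetch(build_url(base, param, p)) for p in SQLI_PROBES)
    err_one = sql_error_signature(one_quote)
    err_two = sql_error_signature(two_quotes)
    if err_one and not err_two:
        result["sqli"] = True
        result["evidence"]["sqli"] = err_one
    return result


# --- Constructed stand-ins so the script runs offline (not real targets) ---

def _param(url, name="q"):
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query)).get(name, "")


def fake_fetch_vulnerable(url):
    """Simulates a page that concatenates q into SQL and echoes it unencoded."""
    value = _param(url)
    if value.count("'") % 2 == 1:   # odd number of quotes: broken string literal
        return "<h1>Error</h1>You have an error in your SQL syntax; check the manual"
    return '<input name="q" value="%s">' % value


def fake_fetch_fixed(url):
    """Simulates the same page after parameterized queries and output encoding."""
    return '<input name="q" value="%s">' % html.escape(_param(url), quote=True)


if __name__ == "__main__":
    TARGET = "http://example.test/search?page=1"   # hypothetical URL
    print("vulnerable:", verify(TARGET, "q", fetch=fake_fetch_vulnerable))
    print("fixed:     ", verify(TARGET, "q", fetch=fake_fetch_fixed))
```

The point of the quote differential and the verbatim-reflection check is exactly the one the column makes: a scanner that flags any page containing the word "error", or any page that echoes input at all, produces findings you cannot defend; a script this small shows the client the request, the response, and the reason it counts.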

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
