Home
Next generation penetration test tool
GyoiThonはWebサーバのIntelligence Gatheringに特化したツールである。
GyoiThonはリモートから対象のWebサーバにアクセスし、サーバ上で稼働している製品(CMS, Webサーバソフトウエア, Framework, Language等)を特定する。そして、製品に関連するCVE番号を列挙する。また、Metasploit連携で特定した製品に関するExploitを実行することも可能である。これらの行為を全自動で実行する。GyoiThonの主な特徴は以下のとおり。
- リモートアクセス/全自動
GyoiThonはリモートアクセスのみで対象Webサーバの情報を全自動で収集可能である。
あなたがすべきことは、対象FQDN(またはIPアドレス)の用意と、GyoiThonを1回実行するだけである。 - 非破壊
GyoiThonは正常アクセスの範囲内で情報を収集可能である。
よって、対象サーバに対する影響を最小限に抑える事ができる。
※一部のオプション(Metasploit連携, コンテンツ探索等)は対象サーバに影響を与えるため注意が必要。 - 様々な情報を収集
GyoiThonには、個性豊かな情報収集エンジンが備わっている。
例えば、Web Crawler, Google Custom Search API, Censys, デフォルトコンテンツ探索, クラウドサービス調査等である。
収集した情報をシグネチャと機械学習で分析することで、Webサーバで稼働している製品/バージョン/CVE番号, 不要なコメント/デバッグメッセージ, ログイン画面の有無, 利用しているクラウドサービス等を高速に調査することが可能である。 - リアルな脆弱性の調査
GyoiThonはMetasploitと連携することで、特定した製品に対するExploitを実行することが可能である。
これにより、CVE番号の列挙だけではなく、実際に対象Webサーバが脆弱性の影響を受けるか否かを調査することができる。
GyoiThon is a growing penetration test tool using Machine Learning.
GyoiThon identifies the software installed on web server (OS, Middleware, Framework, CMS, etc...) based on the learning data. After that, it executes valid exploits for the identified software using Metasploit. Finally, it generates reports of scan results. GyoiThon executes the above processing automatically.
- Processing steps
GyoiThon executes the above "Step1" - "Step4" fully automatically.
User's only operation is to input the top URL of the target web server in GyoiThon.
It is very easy!
You can identify vulnerabilities of the web servers without taking time and effort.
GyoiThon gathers several HTTP responses of target website while crawling.
The following are example of HTTP responses gathered by GyoiThon.
- Example.1
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 03:01:57 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Etag: "409ed-183-53c5f732641c0"
Content-Length: 15271
...snip...
- Example.2
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 06:56:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;
path=/;
Content-Length: 37496
...snip...
- Example.3
HTTP/1.1 200 OK
Date: Tue, 06 Mar 2018 04:19:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11819
...snip...
<script src="/core/misc/drupal.js?v=8.3.1"></script>
GyoiThon identifies product name installed on web server using following two methods.
By using Machine Learning (Naive Bayes), GyoiThon identifies software based on a combination of slightly different features (Etag value, Cookie value, specific HTML tag etc.) for each software. Naive Bayes is learned using the training data which example below (Training data). Unlike the signature base, Naive Bayes is stochastically identified based on various features included in HTTP response when it cannot be identified software in one feature.
- Example.1
Etag: "409ed-183-53c5f732641c0"
GyoiThon can identify the web server software Apache.
This is because GyoiThon learns features of Apache such as "Etag header value (409ed-183-53c5f732641c0). In our survey, Apache use combination of numeral and lower case letters as the Etag value. And, Etag value is separated 4-5 digits and 3-4 digits and 12 digits, final digit is 0 in many cases.
- Example.2
Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;
GyoiThon can identify the CMS Joomla!.
This is because GyoiThon learns features of Joomla! such as "Cookie name (f00e6 ... 9831e) " and "Cookie value (0eba9 ... 7f587). In our survey, Joomla! uses 32 lower case letters as the Cookie name and Cookie value in many cases.
- Joomla! (CMS)
Set-Cookie: ([a-z0-9]{32})=[a-z0-9]{26,32};
Set-Cookie: [a-z0-9]{32}=([a-z0-9]{26,32});
...snip...
- HeartCore (Japanese famous CMS)
Set-Cookie:.*=([A-Z0-9]{32});.*
<meta name=["'](author)["'] content=["']{2}.*
...snip...
- Apache (Web server software)
Etag:.*".*-[0-9a-z]{3,4}-[0-9a-z]{13}")[\r\n]
...snip...
Of course, GyoiThon can identify software by string matching also used in traditional penetration test tools. Examples are shown below.
- Example.3
<script src="/core/misc/drupal.js?v=8.3.1"></script>
GyoiThon can identify the CMS Drupal.
It is very easy.
GyoiThon executes exploit corresponding to the identified software using Metasploit and it checks whether the software is affected by the vulnerability.
- Running example
[*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_nonx_tcp, result: failure
[*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_tcp, result: failure
[*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell/reverse_tcp_uuid, result: failure
[*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell_bind_ipv6_tcp, result: failure
[*] exploit/multi/http/struts_code_exec_exception_delegator, target: 1, payload: linux/x86/shell_bind_tcp, result: failure
...snip...
[*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/custom, result: failure
[*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/debug_trap, result: failure
[*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/shell_bind_tcp, result: failure
[*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/shell_reverse_tcp, result: failure
[*] exploit/linux/http/apache_continuum_cmd_exec, target: 0, payload: generic/tight_loop, result: bingo!!
GyoiThon generates a report that summarizes vulnerabilities.
Report's style is html.
- sample
- Kali Linux 2018.2 (for Metasploit)
- Memory: 8.0GB
- Metasploit Framework 4.16.48-dev
- ubuntu 16.04 LTS (Host OS)
- CPU: Intel(R) Core(TM) i5-5200U 2.20GHz
- Memory: 8.0GB
- Python 3.6.1(Anaconda3)
- docopt==0.6.2
- jinja2==2.10
- msgpack-python==0.4.8
- pandas==0.23.4
- urllib3==1.23
- Scrapy==1.5.1