We take a look back at some of the latest offensive security tools that were launched over the past three months
If necessity is the mother of invention, then the potentially calamitous consequences of unchecked security flaws is propelling the security research community’s innovation across the web ecosystem and beyond.
The first three months of the year alone have seen the development and release of multiple open source tools that are aimed at making researchers’ lives easier – for instance by exploiting Java deserialization bugs or avoiding deep packet inspection.
Here’s our roundup of the latest hacking tools for the first quarter of 2020:
GadgetProbe: Java deserialization exploits made easy
A new tool developed by researchers at Bishop Fox aims to reduce the frustration of exploiting Java deserialization bugs – a dangerous and often underrated class of security vulnerabilities found in Java web applications.
Named GadgetProbe, the tool makes it easier to exploit deserialization bugs by automating the trial-and-error effort required to find potentially vulnerable Java libraries used in remote applications.
GadgetProbe ties in with other deserialization vulnerability discovery tools, such as Gadget Inspector.
“Given a list of libraries, GadgetInspector will automatically discover new gadget chains,” Jake Miller, security associate at Bishop Fox, told The Daily Swig.
“By feeding the information from GadgetProbe into GadgetInspector, you will be able to develop custom gadget chains unique to the specific set of libraries present in the application you are testing.”
Batea: Machine learning tool simplifies target discovery
Researchers at Delve Labs have put together an open source tool that makes use of machine learning to highlight potential security threats in network device data.
The utility is called Batea, a reference to the tool gold prospectors use to find nuggets of gold amongst the sand and shale scooped up from riverbeds.
“It’s easy to make the parallel between gold mining and penetration testing, or even malicious network intrusion,” Serge Olivier Paquette, research lead at Delve Labs, told us.
“When trying to infiltrate a network, one has to separate muddy, uninteresting devices to focus attention on the heavier and shiny targets early on in the process.”
SymTCP: Circumventing deep packet inspections
Academics have released a tool designed to bypass deep packet inspection (DPI) to the open source community.
Dubbed SymTCP, the software is described as a means to “automatically discover subtle discrepancies between two TCP implementations”.
Specifically, SymTCP can be used to find discrepancies between a server and DPI, and exploit these differences to avoid deep packet inspection.
DPI can be invaluable for preventing buffer overflow and man-in-the-middle attacks in corporate setups, but it can also be used to conduct surveillance and establish censorship blocks at the ISP level.
SymTCP first runs ‘symbolic execution’ on a server’s TCP implementation, and the resulting scan collects execution paths labeled as either ‘accept’ or ‘drop’ for packet inspection.
The DPI system is then checked with generated packet sequences to ascertain which, if any, are processed in the same way by the DPI and the server.
If discrepancies in handling are detected, the open source tool is able to create packets that can reach core elements in the code responsible for accepting or dropping requests, thereby potentially avoiding DPI middlebox checks.
Google tackles USB keystroke injection attacks
From offense to defense, Google has developed a tool for Linux machines that combats USB keystroke injection attacks by flagging suspicious keystroke speeds and blocking devices classified as malicious.
In a post on the Google Open Source blog, Google security engineer Sebastian Neuner explained how the tool uses two heuristic variables – keystroke speed and time between keystrokes – to distinguish between benign and malicious inputs.
Neuner advises users to recalibrate the default parameters by gauging their own typing speed using online utilities whilst running the Google tool in ‘monitoring’ mode.
“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” Neuner said.