Bacon A Penetration and Auditing Framework Hernan Gips

Common problems… A lot of independent tools uses same input A lot of independent tools uses same input Most tools are developed in c/c++ Most tools are developed in c/c++ Tools run in certain platforms Tools run in certain platforms Tools need to be modified Tools need to be modified Others… Others…

Solution: Bacon A flexible and extendible Framework oriented to the security community.

Overview Based on.NET Framework Based on.NET Framework Modular Architecture Modular Architecture Multi language support Multi language support Opensource Opensource Multiplatform Multiplatform Fully OO Design Fully OO Design

What Bacon is not… An automatic penetration tool An automatic penetration tool hack-in-a-minute tool hack-in-a-minute tool A static tool A static tool

Framework Ability to load modules Ability to load modules Keeps session information Keeps session information Provides entities to store specific information like: targets, ports, services, etc Provides entities to store specific information like: targets, ports, services, etc Provides libraries for proxing, sniffing, etc. Provides libraries for proxing, sniffing, etc.

Framework Bacon is multiplatform. Runs with: –.NET Framework –Mono –Any ECMA VM implementation

Architecture Architecture Bacon Framework Console GUI MODULESMODULES Data

Internal Context The framework provides information entities oriented to security and networking. Network ServiceCollection TargetCollection Service GenericList Target

Internal Context Each module has RW access to the context. Each module has RW access to the context. Internal implementation uses XML Internal implementation uses XML Developer can use the entities or directly access via generic XPath queries. Developer can use the entities or directly access via generic XPath queries.

Internal Context Context Mail Addresses Users Session data… Google Mails Finder POP3 Brute force Attack SMTP VRFY Dictionary Attack Target

Modules Each module is a DLL compiled in.NET Each module is a DLL compiled in.NET Framework loads modules using reflection. Framework loads modules using reflection. Modules are multithreading Modules are multithreading Each module runs on an different Application Domain Each module runs on an different Application Domain

Modules: Reflection A developer may creates its own plugin in any language that generates.NET assembly.

Modules Well known languages Well known languages  C#  VB.NET  C++.NET Not so well known Not so well known  IronPython  Boo

Modules Every modules inherits from Bacon.Plugin abstract class Every modules inherits from Bacon.Plugin abstract class This class provides two methods: This class provides two methods: –Start() –Stop() Module has facilities to Module has facilities to –Access the context –Log debug information

Modules Example module source code in C# [Plugin("Test", "plugin for testing purposes")] public class TestPlugin : Bacon.Plugin { [Command("listdump", "command to test something")] …. [Command(“listusers", "command to test something")] … }

Modules Modules has commands defined on it Modules has commands defined on it Each command has different parameters Each command has different parameters [Command("hack", "hacks something")] class HackCommand : Bacon.Command { public override void Execute() { ……. }

Modules How loader works How loader works TestPlugin : Bacon.Plugin MSIL Assembly Plugins Loader Plugins Manager

Modules C# VB IronPython MSIL Compilers (msc, monoc, etc) Common Language Runtime Bacon

Modules: Module chaining Network Scan ICMP Targets TCP port scanner [connect()] Services Web directory finder Web file finder Dirs Files Dictionary input: /24 Report Generator XML

Remoting The Framework exposes its own interface like a remote service. This is useful to create distributed attacks.

Framework Interface Integrated Command Line Console Integrated Command Line Console

Framework Interface Uses Winforms Uses Winforms Each module may provide its own GUI Each module may provide its own GUI

Framework Interface You may create your own interface. (i.e. a web interface) You may create your own interface. (i.e. a web interface) You may also create a common GUI generator for each module You may also create a common GUI generator for each module

Framework Services ProxyLib Service ProxyLib Service SniffLib Service SniffLib Service FuzzLib Service FuzzLib Service Other Other

Framework: ProxyLib Creates simple proxies Creates simple proxies HTTP, Sockets, etc HTTP, Sockets, etc Hook to events Hook to events

State of Dev Bacon got sponsored! Bacon got sponsored! The framework architecture is mostly closed The framework architecture is mostly closed We are working on creating new modules and a nice GUI. We are working on creating new modules and a nice GUI.

Future Module creation process  Now Module creation process  Now Opensource official release  3 Months Opensource official release  3 Months Community site release  1 Month Community site release  1 Month

Conclusion We want to create a standard framework for pentesting and auditing networks and applications. We want to create a standard framework for pentesting and auditing networks and applications. We want the security community uses it and develops module for the framework We want the security community uses it and develops module for the framework

Any Questions?

The End. Hernan Gips