Gray Hat C# - Creating and Automating Security Tools

https://www.nostarch.com/grayhatcsharp

This repository contains fully fleshed-out code examples from the book Gray Hat C#. In this book, a wide variety of security-oriented tools and libraries are written in the C# programming language, allowing cross-platform automation of the most crucial aspects of a security engineer's role in a modern organization. Many of the topics will also be highly useful for hobbyists and security enthusiasts who want to gain more experience with common security concepts and tools through real-world examples for both offensive and defensive purposes.

We cover a broad slice of the concepts a modern security engineer must be familiar with, starting with a brief introduction to the C# language. After the introduction, we focus on fuzzing web application vulnerabilities and writing exploits for them. This is followed by C# payloads for pentesters to use for remote command execution and persistence. Then we move on to security tool automation using the tools' true APIs, not just calling programs from the system shell. The final chapters focus on reverse engineering and forensics.

The solution was developed on Linux with MonoDevelop and OS X with Xamarin Studio. However, every line of code should work across all platforms and this should Just Work(tm) in Visual Studio on Windows.

The Chapters

Chapter 1 - Crash Course

In chapter one, we learn the basics of C# object-oriented programming with very simple examples. We briefly cover object-oriented principles such as inheritance, but also cover more advanced features of the C# language such as delegates and Platform Invoke (P/Invoke).

https://msdn.microsoft.com/en-us/library/kx37x362.aspx

Chapter 2 - Fuzzing and Exploiting XSS and SQL Injection

In chapter two, we are introduced to the HTTP library used to communicate with web servers in order to write small HTTP request fuzzers that look for XSS and SQL injection across a variety of data types. We also write exploits for two types of SQL injection: UNION-based and boolean-based.

https://www.owasp.org/index.php/SQL_Injection

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Chapter 3 - Fuzzing SOAP Endpoints

In chapter three, we take the fuzzers from the previous chapter to the next level and introduce the excellent XML libraries available in the standard library. We write a small fuzzer that retrieves and parses a SOAP WSDL in order to automatically generate HTTP requests and find potential SQL injections.

https://en.wikipedia.org/wiki/SOAP

Chapter 4 - Writing Connect-backs, Binds, and Metasploit Payloads

In chapter four, we break from the focus on HTTP and move on to payloads that we can create ourselves. We first create a couple of simple payloads, one over TCP and one over UDP. Then we learn how to generate x86/x86_64 shellcode in Metasploit to create cross-platform and cross-architecture payloads.

Chapter 5 - Automating Nessus

In chapter five, we return to HTTP in order to begin automating the Nessus vulnerability scanner. We go over how to create, watch, and report on scans of CIDR ranges programmatically.

https://www.tenable.com

Chapter 6 - Automating Nexpose

In chapter six, we maintain the focus on tool automation by moving on to the Nexpose vulnerability scanner. Nexpose, whose API is also HTTP-based, likewise supports automated vulnerability scans and reports, and a free one-year license is offered for its Community product, which is very useful for home enthusiasts.

https://www.rapid7.com/products/nexpose/

Chapter 7 - Automating OpenVAS

In chapter seven, we conclude the focus on vulnerability scanner automation with OpenVAS, a free and open source vulnerability scanner. OpenVAS has a fundamentally different kind of API from both Nessus and Nexpose, and it is also very useful for hobbyists and home enthusiasts.

http://www.openvas.org

Chapter 8 - Automating the Cuckoo Sandbox

In chapter eight, we move into the incident response area and focus on automating the Cuckoo Sandbox. Using its easy-to-consume RESTful JSON API, we automate submitting potential malware samples and then reporting on the results.

http://www.cuckoosandbox.org

Chapter 9 - Automating sqlmap

In chapter nine, we move beyond merely finding potential SQL injections with fuzzers and begin exploiting SQL injections to their fullest extent by automating sqlmap. Using the easy-to-use JSON API shipped with sqlmap, we first create small tools to submit single URLs. Once done with the introduction, we integrate sqlmap into the SOAP WSDL fuzzer from chapter three, so that any potential SQL injection vulnerabilities can be automatically exploited and validated.

http://sqlmap.org/

Chapter 10 - Automating ClamAV

In chapter ten, we focus on interacting with native, unmanaged libraries. ClamAV, a popular open source antivirus project, is not written in a .NET language, but we can still interface with it, both directly through its core libraries and remotely via its TCP daemon. We cover how to automate ClamAV in both scenarios.

http://www.clamav.net

Chapter 11 - Automating Metasploit

In chapter eleven, we put the focus back on Metasploit. We learn how to programmatically drive Metasploit via the MSGPACK RPC that is shipped with the core framework in order to exploit and report on shelled hosts.

https://www.rapid7.com/products/metasploit/

Chapter 12 - Automating Arachni

In chapter twelve, we focus on automating the black-box web application scanner Arachni, a free and open source (though dual-licensed) project. Using both the simpler REST HTTP API and the more powerful MSGPACK RPC that ships with the project, we create small tools to automatically scan a URL and report the findings as the scan progresses.

http://www.arachni-scanner.com

Chapter 13 - Decompiling and Reversing Managed Assemblies

In chapter thirteen, we move into reverse engineering. There are easy-to-use .NET decompilers for Windows, but not for Mac or Linux, so we write a small one ourselves. We also discuss the useful monodis tool, which gives granular insight into the inner workings of a .NET assembly.

http://www.mono-project.com/docs/tools+libraries/libraries/Mono.Cecil/

http://www.mono-project.com/docs/tools+libraries/tools/monodis/

Chapter 14 - Reading Offline Windows NT Registry Hives

In chapter fourteen, we move into the digital forensics area and focus on registry hives. Going over the binary structure of the Windows registry, we learn how to parse and read offline registry hives, which allows us to easily retrieve the system's boot key, used to encrypt password hash information in the SAM registry hive.

https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md

Conclusion

In the end, I want the reader to leave with a broad understanding of the potential the C# programming language can have at their home or in their organization, which may be struggling to enact and follow through with mature vulnerability management or security-oriented SDLCs due to resource constraints.
