Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: defcon

[Defcon] SHODAN for Penetration Testers

SHODAN for Penetration Testers – Michael “theprez98″ Schearer

What is SHODAN

SHODAN is a search engine designed to crawl server and gathering banner information from specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of system

Basic Operations

Accessible through the website –> http://www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To filter this, you can use specific filtering values.

  • after/before
    • Limit results by date
  • country
    • 2 letter country code
  • hostname
    • Filters by text in the hostname or domain
  • net
    • Specific IP range or subnet
  • os
  • port
  • SSL

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in CH with the match on apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

  • apache hostname:.nist.gov
  • iss-5.0 hostname:.edu

Port filtering

  • FTP 21
  • SSH 22
  • Telnet 23
  • HTTP 80
  • SNMP 161
  • HTTPS 443 –> Requires an SSL add-on

The SSL/HTTPS searches requires an add-on. More information on the SHODAN homepage.

Search history is optional and disabled by default

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format

Requires an account, and add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However things have changed.

Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.

When searching for web-servers or domains, a 200 OK message is the best result as no further authentication is required to access the page.

CASE Studies

  • CISCO Devices
    • By searching for CISCO with a 200 OK, you will find devices without authentication
    • Some of these are probably test labs….. but not ALL of them!
    • 5-6,000 of such systems on the internet
  • Default Passwords
    • Search for the words “default password”
    • Find… a printer accessible from the web using the default password as displayed in the headers
  • HAUWEI
    • Exclusion of all 4XX codes –> We just want 200 OK
    • Most responses where all in the same Subnet
    • Lots and lots of VoIP phones public facing
    • However…. they needed a password. Most hauwei have easy to guess default passwords
    • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
  • Infrastructure Exploitation… or “How to pwn an ISP”
    • A number of CISCO devices discovered in the earlier section
    • Allow LEVEL 15 access (full admin)
    • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
    • ISP located in the US (small regional)
    • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
    • SNMP server IP address and community strings

Other interesting info

  • Some IIS searches
    • iis/5 –> 362695
    • iis/4 –> 9977
    • iis/3 –> 381
    • iis/2 –> 42
    • iis/1 –> 152
  • Wireless network cameras… with movement features
    • In Firefox you can do snapshots..
    • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information not already available

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers

Links:

[Defcon] You Spent All That Money And You Still Got Owned…

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (Firewalls, IDs/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

  • Firewalls are commonplace (perimeter and host based)
  • Anti-virus is smarter
  • Intrusion Detection / Prevention systems are hard to detect, let alone bypass
  • NAC Solutions are making their way into networks
  • IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS or IP load balanced –> it makes a difference

Check the returned headers to see if things are different

  • Server Header
  • Time/Date

Use DNS queries and Netcraft.com

Tools to do this

  • Load Balancer Detection – lbd.sh
  • Halberd

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking…. break out CURL and try ../../../../winnt/system32/cmd.exe?d

Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through TOR

Push attacks through TOR to help with IP-Banning

Clients should be blocking TOR proxies

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character it will respond

Often easy to identify

Check in return headers for hints and information.

Tools like wafwoof can also be used –> waffun is a project being worked on currently

Examine / Request all possible std return codes (200, 404, 301, ..) and then see what gets returned if you try an XSS attack… are they identical?

Encoding is sometimes dealt with by a WAF… double encoding not so often.

Example:

DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands

Blocking the word SELECT –> Easy to bypass using UNICODE

FIXED by the vendor –> Only blocks unicode –> FAIL

SQL Injection to Metasploit

SQLNinja

  • Written in Perl, but still good.
  • Great from going from SQLi to shell

SQLMAP

  • Written in Python
  • Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 as well!

Blacklist rule-sets are a loosing proposition as encoding can bypass the rules

Practice your kung-fu

PHPIDS

  • Smoketest
    • check your encoding and bypass techniques
    • find something that will bypass a lot of the rules

MOD_Security

  • Also now offers a smoketest
  • Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload to remote system and run

Common LAN Security Solutions

No DHCP

  • Use Static

DHCP MAC Address REservations

  • Find a system, steal MAC

Port Security

  • Find a printer….

NAC Solutions

  • Find a non-NAC supported system

See a pattern here

Tools like VOIPhopper are perfect for going from one VLAN to another.

Looking around the network for a user

  • net commands on Windows are great for finding network information
  • Script output and find the Administrators
  • Escalate to SYSTEM/Administrator
  • Run commands using psexec, pskill, …
  • Kill protections, stop services

Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!

Links:

[Defcon] Hacking Oracle From Web Apps

Hacking Oracle From Web Apps – Sumit Siddharth

Exploitation techniques for exploit SQL Injection attacks on Web Applications with Oracle databases

Because it’s Defcon… and we love SQL Injection!

No free tools for hacking Oracle Databases from the web

  • Even commercial tools like Pangolin have outdated techniques

Oracle Privileges

Oracle comes with a number of default packages. This has reduced a lot with the latest 11g release

By default these packages run with the privileges of the definer

This can be changed to the caller of the function, but must be set in the function/procedure (AUTHID CURRENT_USER)

Owning from the network is easy

  • Enumerate SID
  • Enumerate common users
  • Connect to the Oracle DB
  • Exploit SQL Injection in a procedure owned by SYS
  • Become DBS
  • Execute OS Code

Demonstrated by Chris Gates last year using a number of Metasploit plugins

In Oracle there are 2 classes of Injection

  • PL/SQL
  • SQL
    • Limited
    • Doesn’t allow chained statements

OS Code execution is also not as simple as it is in Microsoft SQL Server

PL/SQL Injection

  • Injection in Anonymous PL/SQL Block
  • No Restriction
  • Execute DDL/DML

SQL

  • Common SQL Injection
  • Limited capabilities
  • No chained statements

eExploitating PL/SQL Injection

Using David Litchfield’s exploit from Blackhat DC 2010 –> Enable JAVA IO Permissions

OS Command Injection can then be obtained by calling a JAVA function (DBMS_JAVA_TEST) and calling a command on the local system

Exploiting SQL Injection

This could mean many thing… do you want data from the DB or a shell –> depends on the goals of a test/attacker

Extraction of Data

  • Error Messages Enabled
  • Error Messages Disabled
    • Union Query
    • Blind injection
    • Time delay / Heavy queries
    • Out-of-band channels
  • Privilege escalation
  • OS Command Execution

Is your SQL Injection Privileged or unprivileged?

Are you executing with DBA privileges or something else

  • Privileged SQL Injection
    • Happens more often when the application connects to a database with DBA privs
    • SQL Injection is in a procedure owned by the DBA (regardless of the connection string)
  • Unprivileged SQL Injection

To exploit the Os we need Functions executable by public and vulnerable to :

  • PL/SQL Injection
  • Allows PL/SQL execution as a feature
  • Buffer overflow

There are a few functions known but the exploit is not publicly available

e.g. DBMS_JAVA_TEST (10g) buffer overflow

Of those known the following are popular:

  • DBMS_EXPORT_EXTENSION
  • GET_DOMAIN_INDEX_TABLES()
    • Function vulnerable to PL/SQL Injection
    • Runs with definer (SYS) privileges
    • Allows privilege escalation
    • OS Command Execution

Privileges needed to execute code on the OS

  • DBA Privileges
  • JAVA IO Privileges

Versions prior to CPU April 2006 there are a number of exploits in Pangolin and CoreImpact

Functions to execute code on the OS

  • DBMS_JAVA.RUNJAVA()
  • DBMS_JAVA_TEST.FUNCALL()

These take an Oracle class as input and cannot be executed without JAVA IO Privileges.

DBA can grant himself the required privileges, however even without he can use the SYS.KUPP$PROC.CREATE.MASTER_PROCESS() function on 10g/11g to execute code on the remote OS.

Bsqlbf 2.6

Supports these new attack types and can be downloaded from Google Code.

Includes the ability to upload and execute a Metasploit payload through these vulnerabilities

Supports JAVA IO and DBA execution as required

Has a cleanup mode for nice penetration testers ;)

Non-interactive second order injections

Even if a field is not injectable it could be that the code is executed if for example, an administrator views the injected code through a second vulnerable application (for example a logging tool, or administration screen).

The malicious user will never see the response however, as the secondary user is running the injection. This means any output will be returned to the secondary user and not the malicious user.

Another possible scenario is a trigger or automated nightly process that acts on the injected code when run.

So how can we make these non-interactive attack vectors interactive ?

Encode and upload a binary (Metasploit payload) to the remote server and wait for the secondary user/process to trigger the exploit –> Shell –> WIN

webraider tool implements this style of attack to upload a Metasploit module

You’ve been hacked… so what?

PCI compliance mandates the card data must be stored encrypted –> So the output is encrypted

PCI doesn’t specific if the encryption happens at the DB or App level

If it’s at the DB level, then the App decrypts the data when requesting –> Passing the encryption key means an attacker could extract them

  • v$sql table logs statistics on shared SQL area
  • Typically stores last 500 queries –> including the encryption details


Links:

[Defcon] Exploiting WebSphere Application Server’s JSP Engine

Exploiting WebSphere Application Server’s JSP Engine – Ed Schaller

Note: Apologies for the notes…. Ed talks REALLY fast!

WebSphere Application Server

IBM’s JEE Application Server

One of the top 3

Not cheap –> free trial available

Common Network Architecture

Client Browser –> Web Servers –> WebSphere AS

Web server plugin –> Extension module for common HTTP servers (IIS, Apache, etc…)

  • Communicates with WAS via HTTP
  • Load Balancing
  • Fail over
  • Not Security!

Plugin URL Handling

Not all requests get forwarded back to the WAS.

  • Based on URL mappings in web.xml and ibm-web-ext.xmi (simple file globs)

If a match occurs the request is forwarded, if not its handled by the local HTTP Server

JSP & NUL

Strings

  • OS under Java is written in C
    • NUL terminates strings
    • Cannot contain NUL
  • Java
    • Counted
    • NUL Allowed

What about the JSP engine inside WAS. How does it handle NULs

  1. Locate and read file
  2. Translate .jsp to .java
  3. Compile
  4. Run as servlet

This means you can reading (some) specific files through the JSP engine. As long as it’s a valid JSP

What’s a valid JSP?

  • Anything starting with <%
  • HTML
  • XML
  • Most Text files
  • ….

What about directories… well you can read them to?

  • /root/dir/%00.jsp
  • /root/dir/.%00.jsp
    • Sometimes you need “..”

Web Server Plugin & NUL

Although not intended for security, it can get in the way of insecurity!

%00 works great on WAS, but getting it through the C compiled plugin isn’t

The next challenge is how to get %00 past the plugin

Character Encodings

UTF-8 is how Java reads strings natively

  • Multi-byte character encoding
  • Single byte values can be encoded as multiple bytes
  • Explicitly forbidden in the spec
    • Nobody follows the spec!

A fix for this issue was implemented… but the fix didn’t work!

It is however fixed in the latest JVM release (no direct patch from IBM as yet)

Encoding to bypass the plugin and get a NUL to the WAS –> %C0%80.jsp instead of %00.jsp

Web-INF & META-INF

Servlet specification says Return 404

Checked many places in WAS… but the missed one!

Fixed by IBM… but badly.

To bypass…

  • /ctxroot/%C0%AE/WEB-INF/web.xml

This also works for META-INF

The Whole Truth

JSP Strikes back

  1. Locate and read file
  2. Translate .JSP to .JAVA
  3. Compile
  4. Run

Doesn’t this mean we can get remote code-exec?

SOAP With attachments lets us read a file that we what to compile and execute

Anything over 32KB gets cached to a location readable….

Not many SOAP services however, handle attachments!

This makes it a lot less useable

SOAP Encoding

This allows you to reference attachments through the href in a SOAP message

When used with AXIS 1, it parses the attachment and caches the larger ones to the disk

AXIS 1 provides an interesting feature, A client can send a fault to the server as the first request… which is parsed

Faults use SOAP encoding and can therefore can be used to send an attachment

Putting it all together

Attachment filenames are random.

To bypass this .:

  1. Get the directory listing first
  2. Uploads the JSP
  3. Get another directory listing to find the filename

This process however is pretty noisy and can cause a large amount of logs.

An example exploit code that performs this will be made available

Affected platforms

  • WAS runs on a lot of platforms
  • AIX and Linux tested and vulnerable
  • Case insensitive file systems are not vulnerable to %00.jsp –> e.g Windows

Fixes

Fixes are out for 6.x, and 7.x

Took IBM 2 weeks to fix this flaw (16 different variants)

Providing security reports as a PMR works!

Fix from IBM is very elegant

  • Double checks the file being opened to make sure it’s really the end file being opened
  • WEB-INF doesn’t appear in the patch –> Not so elegant

Workarounds

  • Disable runtime compilation and reloading of JSPs
    • disableJspRuntimeCompilation
  • Block access to .jsp before WAS
    • Not always possible
    • JSP Extensions such as jsv, jsw, etc….

A Note on Browsers

  • Browsers may normalize the characters
  • Could cause issues with exploitation

Links:

  • Talk Information –> LINK
  • Slides –> LINK
Follow

Get every new post delivered to your Inbox.

Join 118 other followers