
Okay, so my name is Joey Baland. Today's topic is going to be covering some trivial vulnerabilities that we're still seeing today in a lot of environments. I will kind of be stepping back from your standard "new tool, latest threat" type of talk and looking back at some old, old vulnerabilities, as well as things that pretty much just go against your basic Security 101 practices and still exist today.

My name is Joey, I'm with FishNet Security. I've been a consultant with them for about a year now; prior to that I was mostly on the corporate side. The main reason I made the switch was to try to get more exposed to what's out there, rather than just dealing with a single network and being limited in what I could do with that network. The other half of me: DJing has been a passion of mine for a while. If it wasn't IT, it probably, hopefully, or potentially would have been being a DJ somewhere. I still try to do as much today as I can, hoping to maybe be at DEF CON; if you guys make it out there, maybe you'll have a chance to see me out in Vegas.

So ultimately the problem that I'm trying to solve with this talk is twofold. One, if you're a security professional maintaining an environment, I'm trying to bring to light some common vulnerabilities that still exist today that really make my job very easy to do. The other side of it would be from a pentester standpoint: making sure that things that look low or medium, or not necessarily a risk in and of themselves, get brought to light so they don't get overlooked when you're doing an assessment.

So really the overarching problem, I believe, is that hackers have a lot of spare time. They've got an enormous amount of resources in front of them, in the sense of the amount of data that's available on the internet, things that they can get from services, what have you. Once they review that information, really all they need to do is find one weak link into an environment, where the security guy pretty much has to maintain not only the technical side of the environment but also deal with your standard compliance issues and your assessments, and deal with a developer who's telling you you're a roadblock for him getting his application done. Really, you're already overworked, you don't have time to really deal with all this, and at the end of the day you're kind of fighting a losing battle. You just don't have the amount of time that the attacker is going to have.

So what I'm hoping to at least help with today is the basic stuff: again, try to take what you already do on a day-to-day basis and bring to light some things that we're still seeing as consultants that really just shouldn't be there anymore. If nothing else, you as a professional can make your site less of a target. At least if somebody like myself is assessing your network, or an attacker is going to make an attempt on your network, you're going to make their job a little harder. And when all is said and done, you're going to be secure, right? Well, obviously not, but again, hopefully you'll be less of a target.

So the vulnerabilities I'll be introducing are just some basic vulnerabilities that we continue to see in environments. I'll describe the associated risks with them, some discovery examples, some real-world screenshots of things that we've seen in engagements that we've conducted. Time permitting, I will go through a case study that kind of pulls this all together, and then I'll open it up for some discussion.

So, Security 101. These are basic principles that every security practitioner obviously needs to follow. They are written in every standard, every best practice, every compliance document, but yet everything that I'm going to be mentioning today pretty much goes against these basic principles. I have to say I was pretty naive when I took this job. I was expecting to find that my job was going to be a lot harder than it was, in the sense that it would be more complex, that breaking many of these basic principles wouldn't be as rampant as it is. So for myself, being new to the consulting side, it was actually very eye-opening.

So we'll start with information disclosure. Obviously, in and of itself it may not necessarily lead to an immediate compromise, but if you divulge enough information to an attacker, give them enough vectors, they might be able to piece a lot of that information together to perform future attacks. Some of the areas that I'm going to be talking about:

Application design flaws. These would be anywhere in your standard web application: if it's got a database backend and you divulge the database that exists behind it in a standard error message, you might reveal to an attacker, if he's able to break that application, basically what techniques he can now use to attack that database.

Clear-text protocols. Self-explanatory. They still exist today; people are still using telnet, still using FTP, for various reasons. The obvious risk: anything that traverses those protocols is going to be potentially available to an attacker.

Default configurations. An easy example is Tomcat. We still to this day find Tomcat all over the place with a default configuration, which typically is going to be either no password in place or a situation where you can bypass the authentication.

Null sessions. Very apparent in misconfigured Active Directory environments. In cases where we find this, you will potentially be able to pull all the users within that Active Directory environment, and obviously once you've got that listing, it's more of a numbers game: I attempt to find any of the weak accounts that exist within that environment, which might now give you a foothold into the environment.

And the internet. In some cases you might be able to find enough information about an environment before you even send a single packet to that environment. There's enough between Google indexing and some of the tools that use the open source information that's available out there that you may, in some ways, be able to find a way to get into an environment before you ever send them a single packet.

So, some ways to identify some of this stuff. Your standard vulnerability scanners and nmap obviously will do a good job of finding a lot of these scenarios. Configuration management software will help with anomalies: if you've got your golden build in your environment and want to try to identify some of the places where you've taken the time to change your default configurations, this can help identify anomalies in your environment. Manual testing: we find passwords in source code all the time, scripts that might be used to tie things together, what have you, embedded passwords that might get us access into a database or other resources within the environment. Simple browsing: just kind of think outside the box. If you go beyond the standard port 80, port 443, and look at some of the other services you might have running in your environment, you may find that they're exposing services or other information that you just didn't know was there based on your standard port 80, port 443 vulnerability scans. And again, Google, Bing, pick your poison. The information's out there. You may want to just take some time, as a security professional, to see what Google has indexed, what's out there regarding my environment.

So the screenshots I'll be going through, I tried to arrange in such a way that an attacker might think as they were to assess an environment. Just doing some simple Google searches, this first example is looking for some password files. I've actually come across scenarios myself where I was able to, looking on Pastebin, find that somebody's Yahoo or LinkedIn, what have you, account password had been leaked online, and it just so happened that same password worked on the corporate environment. So you might be able to find some information there.

Backup files. This example shows some backup password files that existed out on the web. If I can gain those hashes and it just so happens to be a client that I'm assessing, it might give me access to additional resources if I can crack those hashes.

iOS backups. Again, downloading some of these images might give me enough information about an environment, or better yet, if I can get the hashes out of that backup file, it might give me access to perimeter resources that exist in an environment.

WHOIS information. Great for social engineering type attacks. A lot of times you can find full contact information regarding an employee within the company, and that employee very well might have elevated resources within the company. Using your standard social engineering type techniques, you might be able to convince a help desk person to change that password and now give me a foothold into the network.

DNS zone transfers. Specifically, this particular one is a perimeter device. So not only could I now have a mapping of the perimeter network, potentially of hosts that I didn't know existed based on other means, but even more so, if it just so happened that this DNS device had internal information, I might be able to map the internal network. Again, things that just should not be out there, and we're still seeing them today.

Standard Apache messages. Pretty basic; it gives the version information, but now at least it tells me what type of system I'm running. Probably low-key, but again, just more information to an attacker than we should be putting out there.

ASP message. The key piece here is the root path. Now that I know what the root path of the web server is, if I'm able to break this web server and ultimately upload some type of exploit, I now know where that exploit is. I don't have to brute force my way; you're basically minimizing the amount of time it's going to take for that user to go from the discovery of this vulnerability to the exploitation of it.

Printers. In many cases people look at vulnerability scans and they say it's just a printer. Well, not only could it potentially be a foothold into the network, but any data that's been printed, copied, faxed, what have you, might be cached on that printer, and now you've potentially exposed it to an attacker.

Null sessions. Again, I mentioned earlier a misconfigured Active Directory environment, showing me full information regarding a user that was pulled from the Active Directory environment without credentials. I'm guessing the assessor probably had a full listing of accounts that were in Active Directory, and again, at that point it's a numbers game: just try to find the weak account.

This one was a little unique. This was a Java application that, when you accessed the site, downloaded a configuration file to the applet which told it where to connect. It was base64 encoded, obviously very easy to manipulate; you could pretty much tell the client to connect anywhere you wanted to. So if an attacker was able to somehow change that config file, they could ultimately perform a man-in-the-middle attack, or maybe, if they learned the protocol of the environment or the application, they could ultimately hijack the browser, what have you.

Insecure coding. So, three areas I'm going to talk about; at least two of the three have been in the limelight for quite some time. Cross-site scripting and SQL injection have been in the OWASP Top 10 forever, but yet still exist in a lot of environments today. From a risk standpoint, obviously cross-site scripting is not necessarily a risk to the server itself but more so to your employees, your customers, your clients, what have you. SQL injection can range anywhere from data leakage to a full system compromise, depending on the nature of the backend database or how big the exploit really is. And user enumeration: at least from personal experience, I don't know if this one's actually talked about much, but I've found it seems to be quite evident in a lot of environments. A lot of companies are now moving towards pushing account management out to the end user or their customers so they can maintain it themselves. As such, a lot of that functionality ends up giving attackers, or someone like myself, the ability to identify accounts that exist within that environment, and again, it's now a numbers game.

From a discovery standpoint, you've got your standard vulnerability scanner doing, I would say, a better job of finding some of this stuff. You've got your application vulnerability scanners that are a little more in tune to these types of vulnerabilities. Your standard web analysis proxy, like for example Burp, has got a lot of the functionality built in where it can do some automated testing for you. From a manual standpoint, obviously Burp again is a good tool to use if you want to just do some manual analysis of your applications. Source code review is probably the best way to find a lot of these flaws. And then there are numerous specialty and custom scripts that people have written that can help identify and/or exploit a lot of these types of vulns.

So, a quick example: invalid redirect. This was an application that was identified that had a URL parameter that you could pretty much pass anything you wanted to, and when you made a request, the server would ultimately redirect you to that URL. The example here shows that it was redirected to Google. Great for a social engineering attack: if an attacker would potentially send an email to a bunch of employees using this vulnerability, an end user might look at it and say this is a valid URL, therefore it's safe to click, not realizing that the server itself is going to ultimately redirect them somewhere else.

SQL injection. These three error messages were used to pretty much identify the backend query that was being conducted by the application. By using the error messages that were provided, the assessor was able to identify the number of columns that were in the query and the type of each column within the query, and by doing a simple UNION SELECT could now have access to any of the data that existed in that database that was accessible by the user the application was running as.

User enumeration. It might be kind of hard to read, but ultimately what you see here is two error messages that were provided by a login screen. If you submitted a valid account, it would tell you "invalid password"; if you submitted an invalid account, it would tell you an invalid user account was provided. Again, you can now loop through just a list of potential accounts, find some valid accounts within the application, and ultimately try to find any weak passwords associated with them.

Outdated software. Most companies do a pretty good job of keeping up with the standard Microsoft patches; it's that ancillary stuff that commonly gets missed. Or your environment has scenarios where that machine just can't be patched because we don't know if it's going to come back up, or it's running an old piece of software and if we patch it, it may not work anymore. These are going to potentially provide assessors and/or attackers a foothold into the network.

Some standard ways to identify a lot of this stuff: standard nmap and vulnerability scans. Patch management software will definitely help you do a better job of identifying some of the ancillary stuff that exists outside of Microsoft. Configuration management software can help you from a golden build standpoint, to try to find anomalies that might exist in the environment. From a manual standpoint, netcat: just connect directly to any service, look at the versioning information that you might get back from it, and from there you can identify whether there are any known vulnerabilities, whether it's out of date. And then these remaining tools are pretty much going to identify any open source information that's been indexed, or may provide you information about the services that are running in your environment.

MS08-067. It's been around forever, it's very easy to exploit, but yet it still seems to exist in environments today. Best part about it: you can exploit it any number of times you want, it really will have no effect on the system that's affected, and if the system is vulnerable, it's going to give you system-level access to the box. A five-year-old vuln that still exists today.

This is an example of a TFTP application that had a directory traversal flaw. Ultimately I was able to pull the system SAM and SECURITY files. At this point you can grab the hashes associated with that box. More than likely, in many cases, the administrator password is reused across the environment, so therefore it could potentially give access to other resources in the environment.

Java. Pretty much the standard banner when you access a Java applet is really the only thing keeping an attacker from potentially exploiting something on the end user's workstation. I actually did a scenario where I sent out an email regarding a security awareness survey, and when you accessed the survey it had a Java applet embedded. Half the recipients answered the survey and gave me access to the workstations of half the recipients that received the email.

Excessive access. These would be areas that, if I identified them, can quickly and easily give an assessor or attacker a lot of access to an environment with pretty much minimal or no effort.

Publicly exposed authentication interfaces. These would be consoles that typically should be limited to just local LAN traffic, like telnet, SSH, any Tomcat consoles, things that just really don't need to be on the perimeter, but yet we're still finding them today. Very easy to exploit.

Default configurations. SNMP "public" still seems to be rampant on the internet today.

Local admin rights. Many organizations still give their end users local administrative rights, and just by all the vulns I've already shown, pretty much if somebody's able to get a hold of an end user to just click in the wrong place, ultimately now you've given that attacker local admin rights on that box, and it's probably only a matter of time before those rights get elevated.

And weak credentials. Anywhere from just a password of Password1 or CompanyName1, to default accounts, to no password at all. Again, these are basic principles that still seem to not get fully enforced today.

Ways of discovery: standard nmap or vulnerability scans can do a decent job of finding this stuff. A lot of the vulnerability scanners have some minimal lists of default accounts that exist out there for various applications; obviously that should just be a starting point. Think about some of the applications that might be in your environment and go do your own research; make sure you're testing for those default accounts. Simple browsing again: looking past 80 and 443, see if you can find JMX consoles somewhere, or what have you. Google: a simple Google search looking for known web application consoles. If Google's indexed it, more than likely it means it's probably there and more than likely not even password protected, just sitting out there. And again, various specialty tools and scripts are available that can identify or exploit some of these vulnerabilities.

Simple web search. I was looking for a desktop web application. More than likely any of these would be protected only by a password. If one of these happens to be in your environment and somebody's able to compromise an account, ultimately you've now got access to whatever internal resource this is associated with.

SNMP public. Mentioned that earlier. Again, the key aspect here is that it's out on the perimeter; so now an attacker or assessor would have access to information regarding that device, which would potentially give them information regarding other means of attack, or better yet, if the write community strings were also the default, now they might be able to potentially modify that device.

rsh. Old-school shell out on the perimeter network; by default it does not require a password. Sure did not take long before somebody owned this box.

Tomcat. Mentioned a number of times; very easy to exploit. If you can find one that has either a default password, no password, or a version that has the known authentication bypass flaw, by default you can very easily upload a WAR file, which would now give an attacker or assessor access to that device. Depending on the rights of the account that Tomcat was running as, it would ultimately give full access to the machine.

Default Cisco account. This, I believe, was a VPN device, but kind of case in point here: a Cisco device out on the perimeter network with a default account. If it happened to be a router, whatever, what have you, it could not only potentially compromise the network but ultimately might be able to give access to additional resources inside the network.

LM authentication. Still exists today. For the most part, I can't imagine why LM authentication would still be required; obviously 2003, 2008, now 2012 no longer need it, but yet it still exists in the environments that we've seen.

So, case study. The next few slides were actually regarding an engagement I was working on while I was trying to pull this all together, and it just so happened that the vulnerabilities and/or exploits that I used during this engagement kind of fell in line with what I was talking about today. Pretty much using most of the vulnerabilities I've already talked about, I was able, from the perimeter, to gain domain administrative rights within the environment.

So it started with a user enumeration flaw. They had password reset functionality, and ultimately, using one of the web forms, I was able to identify a number of accounts that were valid within the application. From there, they had a password reset function, and I ultimately tried to find a weak password with one of the accounts that I had, and one had a password of CompanyName1. It just so happened they also had a Citrix environment that was only protected by a password; there was no second factor. Once I got into the application there were three web apps available inside. They did their due diligence in the sense that when you clicked on any of those applications it would open the browser in kiosk mode, but if you right-clicked on any of the links, it did open a new window, and you ultimately got a web browser that had a full URL bar. Type in C:, and I now had access to Windows Explorer; browsed over to System32, and I now had command-line access to the box. So I figured, all right, it can't be this easy, but it was. I was able to browse over to my lab machine, download a Meterpreter shell, and was ultimately sitting on the box in a Meterpreter shell. And it just so happened that this user also had local admin rights on the Citrix server. Once I got that far, I realized that there was a domain admin also available on this box. I ultimately assumed his token and now had domain administrator privileges in the environment. I was also able to access internal resources from this box. Obviously at this point I would probably have access to most all of the Windows environment, but to take it one step further: if you're not familiar with a tool called Mimikatz, Mimikatz exploits a flaw in the LSASS process which will ultimately dump the passwords of those that have been logged in, in plain text. So not only did I get the original password I had, but also the domain admin password, and there were about 19 other people that were logged into this server that I now have the passwords for, in plain text.

So, obvious conclusion. Do some homework; look outside the box. Just because it says low or medium on a vulnerability scan doesn't necessarily mean it's not going to potentially lead to a compromise. Training, and this would go just outside of the standard security awareness training: I can't count how many times I've heard "I can't believe I never thought that an application could do that," or whatever have you. Basically we need to get people in IT to start looking outside the box as to what can and can't be done with an application, and try to start hitting some of this, get rid of some of this crap; it shouldn't be here at this point.

Questions, comments, concerns?

"Who's Tom at Teo? I saw that in the screenshot."

You don't need to ask, do you? That would be himself. Well, thank you, appreciate it.
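The two insecure-coding findings from the talk, the login screen whose two error messages confirm which accounts exist and the invalid redirect that forwards to any URL in a parameter, as an added example that is not part of the talk or the speaker's material. The vulnerable handler sits beside its hardened form, and a small self-check shows how to verify in a test suite that the login response no longer distinguishes unknown users from wrong passwords. All names (`USERS`, `ALLOWED_HOSTS`, `intranet.example.test`, the sample account and its password) are constructed for the demo; the PBKDF2 iteration count is kept low so the checks run fast.

```python
"""Login enumeration and open redirect: vulnerable vs hardened handlers.
Added illustration; every identifier and sample value here is constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Iteration count is deliberately low for a fast demo; use a far higher one in production.
_ITERATIONS = 10_000
_SALT = b"constructed-salt"


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash).
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse battery staple"))}

# A dummy hash so that unknown usernames still pay for one hash computation.
_DUMMY = _hash(_SALT, "constructed-dummy-password")


def login_enumerable(user: str, password: str) -> str:
    """Vulnerable: the two messages reveal whether the username exists."""
    if user not in USERS:
        return "invalid user account"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(salt, password), stored):
        return "invalid password"
    return "ok"


def login_hardened(user: str, password: str) -> str:
    """Fixed: a single generic message, and the hash is always computed so
    response time does not separate unknown users from wrong passwords."""
    salt, stored = USERS.get(user, (_SALT, _DUMMY))
    matched = hmac.compare_digest(_hash(salt, password), stored)
    # Guard against a guess that happens to equal the dummy password.
    return "ok" if (matched and user in USERS) else "invalid username or password"


def leaks_user_existence(login, known_user: str, unknown_user: str) -> bool:
    """Self-check for a test suite: True if a wrong password for a real account
    yields a different message than any password for a non-existent account."""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")


ALLOWED_HOSTS = {"intranet.example.test"}  # constructed allow-list


def redirect_open(target: str) -> str:
    """Vulnerable: whatever arrived in the URL parameter becomes the Location."""
    return target


def redirect_hardened(target: str, default: str = "/home") -> str:
    """Fixed: honour only same-site relative paths or allow-listed hosts;
    anything else (including scheme-relative //host and backslash tricks)
    falls back to a safe default."""
    if "\\" in target:
        return default
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "" and target.startswith("/") \
            and not target.startswith("//"):
        return target
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default


if __name__ == "__main__":
    print("enumerable leaks:", leaks_user_existence(login_enumerable, "alice", "bob"))
    print("hardened leaks:  ", leaks_user_existence(login_hardened, "alice", "bob"))
    print("redirect:", redirect_hardened("https://www.google.com"))
```

`leaks_user_existence` is the kind of assertion worth keeping in a regression suite: it fails the build if someone later reintroduces a helpful "no such user" message. The redirect check deliberately compares `parsed.hostname` (which strips userinfo and port) against the allow-list, so a URL of the form `https://intranet.example.test@attacker-host/` is rejected as well.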
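The SQL injection finding above, where raw database error messages let the assessor work out the query's column count and types, as an added example that is not part of the talk. It uses an in-memory SQLite table (constructed data) to contrast a string-built query, which both breaks on a quote character and returns the raw engine error to the caller, with a parameterised query that treats the same input as plain data and returns only a generic error to the user while logging the detail server-side.

```python
"""Error-revealing string-built SQL vs parameterised SQL, on a constructed SQLite table.
Added illustration; table, rows and function names are all made up for the demo."""
import logging
import sqlite3

log = logging.getLogger("search")


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.5), (2, "gadget", 19.0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str):
    """Vulnerable: input is spliced into the SQL text, so a quote alters the
    statement, and the raw engine error is handed straight back to the caller."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"  # this is the disclosure the talk describes


def search_hardened(conn: sqlite3.Connection, name: str):
    """Fixed: the value travels as a bound parameter, never as SQL text, and
    any engine error is logged server-side but reported generically."""
    try:
        return conn.execute(
            "SELECT name, price FROM products WHERE name = ?", (name,)
        ).fetchall()
    except sqlite3.Error as exc:
        log.error("search failed: %s", exc)
        return "error: search failed"


if __name__ == "__main__":
    db = make_db()
    for probe in ("widget", "widget'", "widget' OR '1'='1"):
        print(repr(probe), "->", search_vulnerable(db, probe), "|", search_hardened(db, probe))
```

The middle probe shows the error-message disclosure: the string-built version returns SQLite's own syntax error, while the hardened version simply finds no product with that literal name. The last probe shows why parameterisation is the fix rather than quote-filtering: the bound value is compared as a whole string, so the boolean clause never reaches the parser.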