everyone matters in infosec 2014
DESCRIPTION
Presentation about how everyone, no matter what their role in securing an organization is, can make a difference. Sometimes it is about taking a little vulnerability like the IIS Tilde Directory Enumeration vulnerability and making a better exploitation tool. Or perhaps contributing in other ways.
TRANSCRIPT

Everyone matters in infosec: IIS tilde enumeration (re)exploited
Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC

Who am I?
◦ Infosec Engineer / Pentester
◦ NoVA Hacker (Novahackers.com)
◦ PwnWiki.io Curator
◦ Recon-ng module Writer
◦ SANS Instructor (SEC542)
◦ Hiker / Backpacker

Sometimes it is the little things…

We can all contribute
◦ System Admins
◦ Management
◦ Developers
◦ Testers
◦ Database Admins
◦ Students

Ask yourself…

Low Risk Web Vulnerabilities
Things not directly exploitable
Information Leakage
◦ Directory Listings
◦ Detailed Errors
◦ Configuration Pages
◦ IIS Tilde Enumeration

IIS TILDE ENUMERATION

What is this vuln? IIS Tilde Enumeration Vulnerability
◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
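The slide describes the oracle from the tester's side. On the server side the same behaviour leaves a distinctive trail in the IIS W3C logs: one client requesting many URIs that contain 8.3 aliases (name~1), with the server answering 400 or 404 to nearly all of them, which ordinary visitors almost never trigger. The Python below is an added example for detecting that pattern; it is not from the slides or from the tilde_enum project. The log lines are constructed to look like IIS 6 W3C output, and the thresholds (five short-name requests, 80% of them answered 400/404) are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample of an IIS 6 W3C log (not taken from the slides):
# one ordinary visitor (192.0.2.10) and one client walking 8.3 short
# names letter by letter (203.0.113.7).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-05-01 10:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2014-05-01 10:00:02 10.0.0.5 GET /documentation/advertising.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2014-05-01 10:00:03 10.0.0.5 GET /lJP7ROxEoS.htm - 80 - 203.0.113.7 Python-urllib/2.7 404 0 2
2014-05-01 10:00:03 10.0.0.5 GET /a~1/ - 80 - 203.0.113.7 Python-urllib/2.7 404 0 2
2014-05-01 10:00:03 10.0.0.5 GET /d~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:04 10.0.0.5 GET /do~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:04 10.0.0.5 GET /doc~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:05 10.0.0.5 GET /docu~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:05 10.0.0.5 GET /docum~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:06 10.0.0.5 GET /docume~1/ - 80 - 203.0.113.7 Python-urllib/2.7 400 0 0
2014-05-01 10:00:06 10.0.0.5 GET /parame~1.xml - 80 - 203.0.113.7 Python-urllib/2.7 404 0 2
2014-05-01 10:00:07 10.0.0.5 GET /old~1.htm - 80 - 192.0.2.10 Mozilla/5.0 404 0 2
"""

# An 8.3 alias always carries a tilde followed by a digit (docume~1).
SHORT_NAME = re.compile(r"~\d")
# Status codes the slide names as the enumeration oracle.
PROBE_STATUSES = {"400", "404"}


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the #Fields: column names."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def find_tilde_probers(log_text, min_probes=5, min_error_ratio=0.8):
    """Return {client_ip: stats} for clients whose traffic looks like 8.3
    short-name enumeration: at least min_probes requests naming a '~n'
    alias, of which at least min_error_ratio were answered 400 or 404."""
    per_ip = defaultdict(lambda: {"probes": 0, "errors": 0, "stems": []})
    for req in parse_w3c(log_text):
        stem = req.get("cs-uri-stem", "")
        if not SHORT_NAME.search(stem):
            continue
        stats = per_ip[req["c-ip"]]
        stats["probes"] += 1
        stats["stems"].append(stem)
        if req.get("sc-status") in PROBE_STATUSES:
            stats["errors"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["errors"] / stats["probes"]
        if stats["probes"] >= min_probes and ratio >= min_error_ratio:
            flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in find_tilde_probers(SAMPLE_LOG).items():
        print(f"{ip}: {stats['probes']} short-name requests, "
              f"{stats['errors']} answered 400/404")
```

The single /old~1.htm request from 192.0.2.10 is not flagged at the default thresholds; a lone short-name request is common enough (stale links, copied paths) that counting one of them would produce noise, whereas a run of them with a near-100% error rate from one address is the signature worth alerting on. On a real server, also watch the rate of these requests: the later slides note the scanner can overwhelm fragile systems.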

An example
When completed, 8.3 file names are revealed (ex., docume~1.htm)
From the original PDF report…

Tilde Java POC Scanner
Pros
◦ POC that there is a vuln
◦ Free on Google Code
◦ Fast
Cons
◦ Java
◦ Not recursive
◦ Only gives 8.3 names
◦ Can’t surf to 8.3 files = Low Risk Vuln

How can we do it better?
Make it in Python
Guess the file and dir names using wordlists
◦ Get us real, full file and dir names
Recursivenessitivity
◦ Go deep
Verbosity
◦ Show me whatcha finding
◦ Gimme response sizes (reduce False Positives)
Rate limiting for those ‘fragile’ systems

tilde_enum.py

$ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1635
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 1433
[+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found a new directory: docume
[+] Found a new directory: javasc
[+] Found file: parame . xml
[+] Found file: 765432 . htm
[+] Found file: _vti_i . htm
[+] Found a new directory: _vti_s
[-] Finished doing the 8.3 enumeration for /.

tilde_enum.py (con’t)

---------- FINAL OUTPUT ------------------------------
[*] We found files for you to look at:
[*] http://iis/_vti_inf.html - Size 1754
[*] http://iis/documentation/advertising.html - Size 227
[*] http://iis/documentation/default.aspx - Size 1433
[*] http://iis/javascript/321.xlsx - Size 227
[*] http://iis/parameter.xml - Size 1307

[*] Here are all the 8.3 names we found.
[*] If any of these are 6 chars and look like they [snip]
[*] http://iis/documentation/advert~1.htm
[*] http://iis/documentation/defaul~1.asp
[*] http://iis/765432~1.htm
[*] http://iis/_vti_i~1.htm
[*] http://iis/parame~1.xml
[*] http://iis/javascript/321~1.xls
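The "guess the file and dir names using wordlists" improvement from the earlier slide is what turns the 8.3 names in this output (docume~1, defaul~1.asp) into the full names listed under FINAL OUTPUT. It rests on how Windows builds a short name: drop spaces and all dots but the last, keep the first six characters of the base plus ~1, keep the first three characters of the extension, and create no alias at all when the name already fits 8.3. The Python below is an added example of that derivation and of matching discovered short names against a wordlist; it is not code from the slides or from the tilde_enum project. The simplified 8.3 rules, the mini wordlist (standing in for raft-small-words-lowercase.txt) and the extension list are assumptions; collision suffixes beyond ~1 and the hash-based names Windows uses after several collisions are not modelled.

```python
import re
from typing import Iterable, List, Optional

# Characters permitted in an 8.3 name; anything else is replaced by '_'.
DISALLOWED = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def short_name(long_name: str) -> Optional[str]:
    """Derive the 8.3 alias Windows generates for long_name (the first,
    '~1', form). Return None when the name already fits 8.3: such names
    get no alias, so no tilde probe can reveal them (one reason the slides
    list very short file names as missed).

    Simplified rules (an assumption of this example, not from the slides):
    spaces dropped, every dot but the last dropped, disallowed characters
    become '_', base cut to 6 characters plus '~1', extension cut to 3.
    """
    name = long_name.upper()
    if "." in name:
        raw_base, raw_ext = name.rsplit(".", 1)
    else:
        raw_base, raw_ext = name, ""
    base = DISALLOWED.sub("_", raw_base.replace(" ", "").replace(".", ""))
    ext = DISALLOWED.sub("_", raw_ext.replace(" ", ""))
    if base == raw_base and ext == raw_ext and len(base) <= 8 and len(ext) <= 3:
        return None  # e.g. 'ab.htm' is its own 8.3 name
    alias = base[:6] + "~1"
    if ext:
        alias += "." + ext[:3]
    return alias


def expand_short_name(found: str, wordlist: Iterable[str],
                      extensions: Iterable[str] = ("htm", "html", "asp", "aspx",
                                                   "xml", "xls", "xlsx")) -> List[str]:
    """Return every full name built from the wordlist (combined with one of
    the extensions when the found name has one) whose 8.3 alias equals
    `found`, e.g. 'docume~1' -> ['documentation', 'documents']."""
    target = found.upper()
    has_ext = "." in target
    extensions = tuple(extensions)
    matches = []
    for word in wordlist:
        names = [f"{word}.{e}" for e in extensions] if has_ext else [word]
        for name in names:
            if short_name(name) == target:
                matches.append(name)
    return matches


# Constructed mini wordlist (an assumption, not the fuzzdb list the slide uses).
WORDLIST = ["admin", "advertising", "default", "docs", "documentation",
            "documents", "javascript", "parameter", "parameters", "test"]

if __name__ == "__main__":
    for found in ("docume~1", "javasc~1", "defaul~1.asp", "parame~1.xml"):
        print(found, "->", expand_short_name(found, WORDLIST))
```

Two things the output makes visible. First, a short name rarely maps to exactly one full name (docume~1 fits both documentation and documents, parame~1.xml fits parameter.xml and parameters.xml), which is why the tool then requests each candidate and compares the response size against the baseline 404 length printed at the start of its run, rather than trusting the status code alone. Second, the extension matters: defaul~1.asp cannot be default.asp, because that name fits 8.3 and would never have been given an alias, so the only candidate is default.aspx. The fix for the underlying behaviour, not covered on the slides, is to turn off 8.3 name generation on the volume (fsutil behavior set disable8dot3 1); note that this only affects names created afterwards, so existing aliases remain until they are stripped.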

Demo

Shortcomings…for now
Doesn’t find all the files
◦ < 3 char file names
◦ ab.htm -> abJHG7.htm
◦ Some other files are just missed
◦ Odd file names (test.htm.bak, Copy of micah.html)
◦ Words not in the word list
Can DoS fragile servers
Needs more ‘real-world’ testing
No IIS7.x yet

Future Features
Better file/dir detection
Peek into authentication-required dirs
Pull back file content and store locally
IIS7 support
Your suggestions

Continue to…
Investigate the mysteries
Ask questions
◦ What if?
◦ Reach out to others
Share / Give back
Challenge yourself
◦ Enhance your tools / processes / skills
◦ Don’t settle
Create!

Questions?
https://github.com/WebBreacher/tilde_enum