hacking our way to better...
TRANSCRIPT
Hacking Our Way to Better Security:Lessons from a Web Application Penetration Test
Tyler RasmussenMercer Engineer Research Center
About Me
➢ Cybersecurity Engineering Intern @ MERC
➢ Senior IT/Cybersecurity Major @ MGA
➢ Competitive Cybersecurity - Cyberknights
➢ Certified Ethical Hacker
➢ Former US Army SIGINT / Arabic Linguist
Penetration Testing 101
➢ Motivations
➢ Methodologies
➢ Internal vs. External
➢ Rules of Engagement
➢ Final Product
Purpose
➢ Security Focused Testing
➢ Access, Escalate, Pivot
➢ Model Threats and Categorize Risk
➢ Script kiddies to state actors
➢ Discoverability, Difficulty, Exploitability, Detectability
➢ Layers, Chains and Narratives
Scope
➢ Application is the focus
➢ Network & Servers are for post-exploit
➢ Human element is modeled
➢ Test server / development network
➢ Replicated data
➢ Extra ‘targets’
➢ “Cheating”
Methodology: Planning
➢ Guidelines and Checklists
➢ NIST 800-15 / NIST 800-64r2
➢ Open Web Application Security Project
➢ Outside to Inside
➢ Black Box Grey Box White Box
➢ Recon!
Methodology: Goals
➢ Download / Upload
➢ CMD prompt / Shell
➢ Hashes Passwords
➢ Privilege escalation
➢ Non-User User Local Admin Domain Admin
➢ Persistence
Tools
➢ Kali Linux
➢ BeEF-xss, sqlmap, dirbuster, metasploit
➢ BURP, Wireshark, Fiddler
➢ Browser Dev Tools
➢ Decompilers & Code Editors
➢ Database Client
Basic External Recon
➢ Nmap scan host
➢ Fingerprint OS if possible
➢ View HTTP headers
➢ ASP.net version info
➢ View site as user
➢ Follow all hyperlinks
➢ Note all forms, inputs
Automated Scanning
➢ OWASP Zap
➢ Burp Spider
➢ Open-VAS
➢ W3af
➢ Nikto
Automated Scanning
Username Enumeration
➢ Feedback on incorrect username/passwords
➢ Forgot Password functionality gives ‘useful’ messages
➢ Account does not exist
➢ Your password has been emailed to [email protected]
➢ Patterns + Open Source Intel = usernames
Data Validation and Parameters
➢ Every input is an opportunity
➢ Even “hidden” ones
➢ URL parameters are easy targets
➢ POST’d / Hidden Fields just need a proxy
Cross-site Scripting: Error Pages
➢ Custom error pages are great!
➢ Controlling what info is exposed is best practice
➢ URL parameters - error source&message - were not filtered
➢ <script> tags equals reflected XSS
➢ Send links to unsuspecting users
➢ BeEF xss tool
➢ Cookie stealing
➢ Keylogging
➢ Modification of website on client
Cross-site Scripting: Error Pages
SQL Injection: Exception Viewer
➢ Application – Database Interaction
➢ Input added directly to SQL queries
➢ Expose data piece by piece
SQL Injection: Exception Viewer
SQL Injection: Exception Viewer
File Uploads
➢ Application Form allows uploads
➢ Pictures, text, video, zip files allowed
➢ Controlled by ~/Admin/FileTypes.aspx
➢ Add whatever extensions you want!
➢ Match the web application’s file type to get auto-execution
Account Roles and Access
➢ Undefined permissions
➢ Affected <10% of pages
➢ Usually pages outside user role, no gain of access
➢ Lack of permission check
➢ Affected <2% of pages
➢ But pages aren’t directly visible to a user?
➢ Dirbuster + Wordlists = No Hiding
Consequences
➢ ExceptionViewer was accessible by 4 of 4 user roles
➢ SQL Injection, for all!
➢ ~/Admin/FileTypes.aspx lacked a permission check
➢ Only one user role could change the file extensions
➢ Allowed extensions applied to EVERYONE
➢ Malware uploads, for all!
ANTAK Webshell
Pros
➢ Minimal Setup
➢ Download/Upload features
➢ SQL Command Execution
Cons
➢ Forced to use full file paths
➢ Powershell…
Meterpreter
➢ Metasploit framework’s dll-injected payload
➢ Create custom payload with msfvenom
➢ Can embed in .aspx file
➢ Can encode for anti-virus evasion
➢ Start a listener in msfconsole
➢ Load web page -> execute malware
➢ Server initiates TCP/http/https connection
➢ Linux-like shell + lots of support scripts
Config / Source Code Download
➢ Web.config
➢ DB users + encrypted passwords
➢ Assembly References
➢ License Keys
➢ Data Exfiltration
➢ .dlls / .pdb files Source code
Reverse Engineering: Code Reuse
➢ De-compile .dll + .pdb files
➢ Look for useful classes / functions
➢ Login / User Admin / Database➢ Business Logic
➢ Remember early flaws
➢ Encrypted Passwords?➢ Password emailed?➢ Encryption.Decrypt() used in email lost password…
➢ Simple user account password decryption script
Mass Password Decryption
➢ Can we get users without having to guess?
➢ Custom database queries had some problems
➢ More code reuse
➢ Create drop down menu to select any country
➢ Container class for all users in a country
➢ Iterate through collection, decrypting the password
➢ Display results to screen!
Direct Database Access
➢ Web.config + decryption + tnsnames.ora file
➢ Find the database server
➢ IP/Port from nmap scan or netstat
➢ Make connection with SQL client (SQLdeveloper)
➢ Browse and edit tables at will
SYSTEM Privileges
➢ IIS APPPOOL\ASP.NET v4.0 service account
➢ Restricted read access
➢ Very restricted write access
➢ C:\Windows\Temp
➢ C:\Users\Public
➢ Easy escalation failed
➢ Window “runas”
➢ Meterpreter’s getsystem
SYSTEM Privileges
➢ Foxglove Security’s
RottenPotato Exploit
➢ Man in the middle attack on NTLM authentication
➢ Upload file and run
➢ Load meterpreter “incognito”
➢ Impersonate token
SYSTEM Privileges
➢ Full Read/Write Access
➢ No longer restricted to uploads / public folders
➢ Defacement
➢ Add redirects or XSS
➢ Edit System Registry
➢ Keyloggers / packet sniffing
Domain Admin
➢ Mimikatz can grab credentials from memory
➢ Lie in wait for a domain administrator to log on
➢ Task Manager / Process list reveal process owners
➢ Attempt various mimikatz modules
➢ sekurlsa: logonpasswords
➢ Remote Desktop to the Domain Controller and win!
AD Credential Collection
➢ Get a Meterpreter session on Domain Controller
➢ Meterpreter “Credential Collector” script
➢ 120+ AD accounts & password hashes
➢ Time to crack!
Hashcat
Conclusions
➢ Most of the site was well protected
➢ File upload enables critical vulnerability chain
➢ Page Access Control
➢ Validate and Sanitize… EVERYTHING
➢ Passwords need to be hashed, salted
➢ Open source tools are very powerful