Jeroen van Beek
1
Why bother?
Causes of data breaches
OWASP
◦ Top ten attacks
Now what?
Do it yourself
Questions?
2
In many cases the web application stores:
◦ Credit card details
◦ Personal information
◦ Passwords that also might be used elsewhere
Media likes hacks
◦ Your company doesn't…
Governments want to enforce data protection
◦ NL: Meldplicht Datalekken
◦ EU: General Data Protection Regulation a.k.a. GDPR
3
Your company doesn't like that
4
GDPR
◦ Enforceable starting 25 May 2018
◦ Goal is to give control back to citizens and residents over their personal data
◦ Fines:
  Lower level: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
  Upper level: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher
5
In many cases caused by technical issues:
◦ Poor/no input filtering
◦ Outdated software with known weaknesses
◦ Weak passwords
Non-techies are creating technical solutions:
◦ Click and play enterprise website
◦ Not aware of security issues
Techies are also not always aware
◦ What about you?
In many cases the issues are quite easy to solve
◦ If you know what to do…
6
The same issues keep on coming back
◦ People make the same mistakes over and over again…
Open Web Application Security Project (OWASP):
◦ Free and open
◦ Top ten project: documents the 10 most critical webapp security flaws
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  Latest version: 2017
◦ Documents solutions for all popular webapp environments
7
8
Key items are not logged
◦ Successful and failed logons
◦ Application errors
Not all interfaces monitored
◦ E.g. API forgotten
Insecure storage of logs
◦ Use write-only and / or non-local storage
No follow-up
◦ Logs never checked…
9
Keep your software up-to-date
◦ Patching doesn't stop at operating system level! Database, web server, third party libraries, …
Lots of automated tools available
◦ Mapping: nmap, …
◦ Scanning: OpenVAS, Nessus, Nexpose, …
◦ Exploiting: Metasploit, …
◦ Script kiddies can and will do this!
10
Serialization
◦ The process of turning an object in memory into a stream of bytes that can be stored or transmitted.
◦ $array = array("a" => 1, "b" => 2, "c" => array("a" => 1, "b" => 2));
  a:3:{s:1:"a";i:1;s:1:"b";i:2;s:1:"c";a:2:{s:1:"a";i:1;s:1:"b";i:2;}}
Deserialization
◦ The reverse process, turning a stream of bytes into an object in memory.
Issues
◦ Parsers are complex and prone to errors
◦ User data in a web app is untrusted
◦ Doing something wrong might mean (remote) code execution
12
Vulnerable PyYAML example:
  import yaml
  with open('evil.yml') as yaml_file:
      contents = yaml.load(yaml_file)
  print(contents['foo'])
Exploit:
  foo: !!python/object/apply:subprocess.check_output ['whoami']
Known danger:
◦ "Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though."
◦ https://searchcode.com/?q=yaml.load…
13
Exploits developed for deserialization libraries of popular frameworks:
◦ Apache Commons Collections (3.x and 4.x)
◦ Spring Beans/Core (4.x)
◦ Groovy (2.3.x)
◦ JRE <= 1.7u21
Other parsers might also be vulnerable
Resources:
◦ https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
◦ http://frohoff.github.io/owaspsd-deserialize-my-shorts/
◦ https://github.com/frohoff/ysoserial
◦ https://github.com/NetSPI/JavaSerialKiller
14
Cross Site Scripting
◦ Execute scripts in the victim's browser
  Hijack user sessions
  Deface web sites
  Insert hostile content
  Conduct phishing attacks
  Take over the user's browser using scripting malware
◦ In most cases Javascript based
  Also applicable to other scripting languages
15
Two types:
◦ Reflective: Code injected by e.g. sending phishing email
  victim.com/get.php?id=<script>alert(123)</script>
  E.g. one phishing email per attack
◦ Stored: Evil code is e.g. stored in the database, logs
  Store <script>alert(123)</script> in DB record for welcome message of CMS
  Store once, run for all users
◦ Interesting goals for an attacker:
  Session hijacking (stealing cookies)
  Privilege escalation (account upgrade by targeting admins)
16
Advanced tools are out there to abuse flaws
◦ Tunnel traffic using XSS
  https://github.com/portcullislabs/xssshell-xsstunnell
17
Out of the box installs
◦ Next, next, next, finish
Find it using Google:
◦ Web front-end for Oracle
  intitle:iSQL intitle:Release inurl:isqlplus
◦ Indexing of sensitive information
  intitle:"Index of" .mysql_history
  filetype:pdf paspoortnummer koopcontract
  filetype:sql "phpMyAdmin SQL Dump"
◦ Many many useful Google Dorks online
  https://www.exploit-db.com/google-hacking-database/
18
Default passwords
◦ http://www.defaultpassword.com/
19
iPhone botnet◦ Default SSH password after jailbreak
Routers
20
User can access and modify object values
Example:
◦ Login using your credentials
◦ Link refers to http://app/details?userid=1
◦ Script download of all files userid=[1-9999]
Hashing doesn't help
21
Server side authorization checks are not performed for all functionality
Attacks:
◦ Escalate from anonymous user to authenticated user
◦ Escalate from authenticated user to admin
Examples:
◦ If /users/user1/admin/ exists, it might be worth checking if /users/userN/admin/ also exists
Difficult to identify with automated tools
22
Hidden and unchecked parameter:
◦ Add to POST data when updating a user: &ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
23
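The fix for slides 21 to 23 is the same server-side rule: authorize on the session, not on the userid the client sends, and apply only allowlisted fields on update. Added example, not from the slides; the user table, field names and the cbxUserAdmin form key are hypothetical, modelled on the slide.

```python
# Added example (not from the slides): object-level authorization keyed on the
# authenticated session plus an allowlist for updatable fields.
# USERS is a constructed in-memory table (userid -> record).
USERS = {
    1: {"name": "jeroen", "email": "j@example.test", "is_admin": False},
    2: {"name": "alice", "email": "a@example.test", "is_admin": True},
}

# Fields a user may change on their own account. Anything else posted
# (for example a hidden cbxUserAdmin checkbox) is dropped, not applied.
UPDATABLE_FIELDS = {"name", "email"}


class Forbidden(Exception):
    """Raised when the caller may not touch the requested object."""


def can_access(current_userid, requested_userid):
    """Owner or admin only; the decision never depends on the URL's userid alone."""
    caller = USERS.get(current_userid)
    if caller is None:
        return False
    return current_userid == requested_userid or caller["is_admin"]


def get_details(current_userid, requested_userid):
    """Return a copy of the record, or raise; a scripted userid=[1-9999] sweep
    from an ordinary session only ever sees its own row."""
    if not can_access(current_userid, requested_userid):
        raise Forbidden("not your object")
    record = USERS.get(requested_userid)
    if record is None:
        raise KeyError(requested_userid)
    return dict(record)


def update_user(current_userid, requested_userid, form):
    """Apply a profile update, keeping only allowlisted fields.

    The privilege flag is not in UPDATABLE_FIELDS, so a posted
    cbxUserAdmin=on is reported as ignored and never reaches the record.
    """
    get_details(current_userid, requested_userid)  # same ownership rule
    applied = sorted(UPDATABLE_FIELDS & set(form))
    ignored = sorted(set(form) - UPDATABLE_FIELDS)
    for key in applied:
        USERS[requested_userid][key] = form[key]
    return {"applied": applied, "ignored": ignored}
```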
Problem can also occur with ‘secret’ files:
24
Untrusted XML input is parsed
Attacker includes evil entities in XML
XML parser processes evil entities
Examples:
◦ Local files: <!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
◦ URLs: <!ENTITY xxe SYSTEM "https://intranet.lan/secret" >]>
◦ DoS: <!ENTITY xxe SYSTEM "file:///dev/random" >]>
25
Blind out of band attacks are possible as well:
26
Secure transport: Sending sensitive information over an unencrypted link
◦ No encryption / obfuscation
◦ Weak encryption
◦ Downgrade attacks
Check for no encryption / obfuscation
◦ Sniff data
  GET http://target/INSTALL.pgsql.txt HTTP/1.0
  Accept: */*
  User-Agent: Mozilla/4.0
  Host: target
  Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
27
Secure transport: Weak transport encryption
◦ Protocol issues
  Known flaws in SSLv2,3 / TLSv1.0
  SSLv3 and TLSv1.0 still enabled in many cases (e.g. non-www)
◦ Ciphers
  E.g. DES, RC4, 3DES based
  Weak ciphers can be cracked
◦ Weak algorithms
  E.g. MD5, SHA-1
28
Used in 'Flame' malware
◦ Signed Windows Updates!
◦ Linked to Equation Group / NSA
◦ Most targets in the Middle East
29
Secure transport: Downgrade attacks
◦ Strip SSL layer: sslstrip
  http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  https://moxie.org/software/sslstrip/
◦ Hijack e.g. Facebook and Twitter sessions: Firesheep
  https://github.com/codebutler/firesheep
  Worked since not all pages were using https
31
Secure storage:
Not encrypting sensitive data
Using home grown algorithms
Insecure use of strong algorithms
Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, …)
Hard coded keys, and storing keys in unprotected environments
32
Real-life example
33
[Screenshot of a password table, annotated: same passwords; <password>1<password>2…; different length passwords]
How to decode the passwords?
◦ Create your own account
◦ Password = 'aaaaaaaa'
  Store password hash, e.g. \01\02\03\04\05\06\07\08
◦ Password = 'bbbbbbbb'
  Store password hash, e.g. \02\03\04\05\06\07\08\09
◦ Etc.
◦ Find the link password ↔ hash
◦ Write a decoder
  for (i = 0; i < in.length(); i++)
      print (alfabet(in.position(i) + i))
◦ Decode all passwords
◦ Dump sensitive information
34
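What slides 33 and 34 exploit is a reversible, unsalted encoding: equal passwords give equal stored values and the stored length tracks the password length. Added example, not from the slides: salted, iterated hashing with the standard library, plus a check for the two properties the screenshot showed. The record layout and iteration count are my own choices.

```python
# Added example (not from the slides): PBKDF2-based password storage as the
# replacement for a per-position alphabet shift, and a table check for the
# two leaks visible on the slide. Record format is hypothetical.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # tune so one hash takes roughly 100 ms on the server
HASH_LEN = 32          # bytes stored, independent of the password's length


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte salt per user means two users with 'aaaaaaaa' no
    longer share a stored value, so one cracked row reveals nothing else.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, HASH_LEN)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters), HASH_LEN)
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaks_like_the_slide(records):
    """Given username -> stored value, report the two properties the slide's
    screenshot showed: duplicate stored values (same passwords visible) and
    stored length varying with password length. Both False is the goal."""
    values = list(records.values())
    duplicate_values = len(set(values)) != len(values)
    lengths = {len(v.rsplit("$", 1)[-1]) for v in values}
    return {"duplicate_values": duplicate_values,
            "variable_length": len(lengths) > 1}
```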
35
36
No rate limiting and lock-out
◦ Brute force usernames and passwords
Inadequate password policy
◦ Pass = username, password, welcome01
Predictable / low entropy session IDs
◦ Weak implementations typically use:
  Sequential numbers
  Hashes of sequential numbers
  Time elapsed since starting of server / service
◦ Attacker can:
  Disconnect all users
  Hijack existing sessions
37
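Slide 9 (successful and failed logons not logged) and slide 37 (no rate limiting and lock-out) are fixed at the same place in the code: the login handler. Added example, not from the slides; thresholds, log line format and the in-memory state are my own choices, and the source IP would come from the request in a real app.

```python
# Added example (not from the slides): a login guard that logs every successful
# and failed logon and locks an account after too many failures in a window.
# Thresholds and log format are hypothetical; timestamps are plain seconds.
import logging
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed ...
WINDOW_SECONDS = 600    # ... within this window before lock-out
LOCKOUT_SECONDS = 900   # how long the account stays locked

log = logging.getLogger("auth")


class LoginGuard:
    def __init__(self):
        self._failures = defaultdict(deque)   # user -> recent failure timestamps
        self._locked_until = {}               # user -> unlock time

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, source_ip, credentials_ok, now):
        """Record one logon attempt; returns 'ok', 'failed' or 'locked'.

        Every branch writes a log line with user and source, so the
        'key items are not logged' gap from slide 9 is closed as well.
        """
        if self.is_locked(user, now):
            log.warning("logon rejected user=%s ip=%s reason=locked", user, source_ip)
            return "locked"
        if credentials_ok:
            self._failures.pop(user, None)
            log.info("logon success user=%s ip=%s", user, source_ip)
            return "ok"
        recent = self._failures[user]
        while recent and recent[0] < now - WINDOW_SECONDS:
            recent.popleft()              # forget failures outside the window
        recent.append(now)
        log.warning("logon failure user=%s ip=%s recent=%d", user, source_ip, len(recent))
        if len(recent) >= MAX_FAILURES:
            until = now + LOCKOUT_SECONDS
            self._locked_until[user] = until
            recent.clear()
            log.error("account locked user=%s ip=%s until=%d", user, source_ip, until)
            return "locked"
        return "failed"
```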
Not invalidating session IDs
◦ Or: never expires
Weak enrollment and recovery processes
◦ Not so secret questions
◦ Protect master secrets with PIN / PUK + no lock-out
  https://www.os3.nl/_media/2016-2017/ot-report-digidentity.pdf
◦ Enroll 2FA with password only
38
Logical flaws
◦ Intel Management Engine (ME / AMT)
  Low level access to system (KVM)
  On, even if your PC is switched off
  Uses webserver(…)
  Password check: strncmp(computed_value, user_value, len(user_value))
What's wrong?
  user_value = ''
  strncmp('anything', '', 0)
  Nothing matches nothing (length 0): login successful…
39
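The flaw on slide 39 is that the comparison length is taken from the client's input. Added example, not from the slides: the same check rewritten in Python, beside a version that takes the length from the server-side value and compares in constant time. Function names are hypothetical.

```python
# Added example (not from the slides): the prefix-length comparison from the
# slide and its fix. 'computed_value' stands for the server's expected digest,
# 'user_value' for what the client sent.
import hmac


def flawed_check(computed_value, user_value):
    """Equivalent of strncmp(computed, user, len(user)) == 0.

    Only the first len(user_value) characters are compared, so an empty
    string (length 0) and any correct prefix both pass.
    """
    n = len(user_value)
    return computed_value[:n] == user_value[:n]


def fixed_check(computed_value, user_value):
    """Reject empty input, require the full expected length, then compare
    every byte in constant time. The length comes from the server side."""
    if not user_value or len(user_value) != len(computed_value):
        return False
    return hmac.compare_digest(computed_value.encode(), user_value.encode())


def compare_table(computed_value, candidates):
    """Run both checks over a list of client inputs; handy for showing the
    difference in a review or a unit test."""
    return {c: (flawed_check(computed_value, c), fixed_check(computed_value, c))
            for c in candidates}
```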
SQL-injection
Also applicable for other languages
User input is directly used in a query
◦ Manipulation of database query
◦ User input 'search' = jeroen
◦ Backend uses: select details from users where name='jeroen'
◦ Attacker input 'search' = jeroen' or 1=1--
◦ Backend uses: select details from users where name='jeroen' or 1=1
  This is always true: display all records
40
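The slide's search query, run both ways against an in-memory SQLite table so the difference is visible on real rows. Added example, not from the slides; the table and its three rows are constructed here.

```python
# Added example (not from the slides): the slide's 'search' lookup built by
# string concatenation versus bound parameters. Table contents are constructed.
import sqlite3


def make_db():
    """Constructed users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, details text)")
    conn.executemany("insert into users values (?, ?)",
                     [("jeroen", "row for jeroen"),
                      ("alice", "row for alice"),
                      ("bob", "row for bob")])
    return conn


def search_vulnerable(conn, search):
    """User input is pasted into the statement text, so the input
    jeroen' or 1=1-- turns the WHERE clause into something always true
    (the -- comments out the closing quote)."""
    sql = "select details from users where name='" + search + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, search):
    """The value travels as a bound parameter: the statement text never
    changes, and the same input is just a name nobody has."""
    sql = "select details from users where name=?"
    return [row[0] for row in conn.execute(sql, (search,))]
```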
41
42
Advanced tools are out there to abuse flaws
◦ Database (bulk) download
◦ OS File upload
◦ OS File download
◦ OS command execution
◦ …
sqlmap
◦ https://github.com/sqlmapproject/sqlmap
◦ Tunnel an SQL-injection based OS-shell over http!
43
Detection:
◦ Detection of well-known attacks using IDS
◦ Check web server logs
◦ Check network flows
◦ Difficult to detect all attacks!
Prevention:
◦ Use good practices
  https://www.owasp.org/index.php/OWASP_Guide_Project
◦ Review and/or test the application before going live
  Source code review: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  Penetration test: https://www.owasp.org/index.php/OWASP_Testing_Project
  https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
44
Hacking is not allowed
◦ "Wet Computer Criminaliteit"
◦ Testing without breaking in is also not allowed
If you want to test your (organization's) apps:
◦ Use a letter of authorization
  Document the type of activities you will be performing
  Document the IPs that will be tested
  Signed by the system's owner
45
Hands on hacking environment
◦ Ten web based levels
◦ Six platform based levels
◦ In each level you can find a password
  Password gives access to the next level
◦ You need to exploit a weakness to get the password
◦ Most OWASP top ten issues are included
◦ We'll show hints on the screen to help you
  If needed ;)
Work in teams
We explicitly allow you to hack the system :)
46
More hands on hacking:
◦ Books
  http://www.webhackingexposed.com/
◦ Certifications
  https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
  https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
  https://www.giac.org/
47
J.C.vanBeek uva.nl
48