Transcript of “Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test” (slides: isc2chapter-middlega.org/forum/1803/1100_CyberExpo_MERCPenTe…)
Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test
Tyler Rasmussen, Mercer Engineering Research Center
About Me
➢ Cybersecurity Engineering Intern @ MERC
➢ Senior IT/Cybersecurity Major @ MGA
➢ Competitive Cybersecurity - Cyberknights
➢ Certified Ethical Hacker
➢ Former US Army SIGINT / Arabic Linguist
Penetration Testing 101
➢ Motivations
➢ Methodologies
➢ Internal vs. External
➢ Rules of Engagement
➢ Final Product
Purpose
➢ Security Focused Testing
➢ Access, Escalate, Pivot
➢ Model Threats and Categorize Risk
➢ Script kiddies to state actors
➢ Discoverability, Difficulty, Exploitability, Detectability
➢ Layers, Chains and Narratives
Scope
➢ Application is the focus
➢ Network & Servers are for post-exploit
➢ Human element is modeled
➢ Test server / development network
➢ Replicated data
➢ Extra ‘targets’
➢ “Cheating”
Methodology: Planning
➢ Guidelines and Checklists
  ➢ NIST 800-15 / NIST 800-64r2
  ➢ Open Web Application Security Project
➢ Outside to Inside
  ➢ Black Box / Grey Box / White Box
➢ Recon!
Methodology: Goals
➢ Download / Upload
➢ CMD prompt / Shell
➢ Hashes / Passwords
➢ Privilege escalation
  ➢ Non-User → User → Local Admin → Domain Admin
➢ Persistence
Tools
➢ Kali Linux
➢ BeEF-xss, sqlmap, dirbuster, metasploit
➢ BURP, Wireshark, Fiddler
➢ Browser Dev Tools
➢ Decompilers & Code Editors
➢ Database Client
Basic External Recon
➢ Nmap scan host
➢ Fingerprint OS if possible
➢ View HTTP headers
  ➢ ASP.net version info
➢ View site as user
  ➢ Follow all hyperlinks
  ➢ Note all forms, inputs
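The “View HTTP headers / ASP.net version info” step works because IIS and ASP.NET add identifying headers by default. The checker below is an added example (not code from the talk): it parses a raw HTTP response and reports which version-disclosing headers are present, so a defender can confirm they are gone after hardening. Both responses are constructed samples, not captures from any real host.

```python
"""Flag HTTP response headers that disclose the server or framework version.

Added example, not code from the talk. Both responses below are constructed.
"""

# Header names (lowercase) that commonly reveal the platform or its version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw_response: str) -> dict:
    """Return {lowercase-name: value} for the headers of a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    _status, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw_response: str) -> dict:
    """Return {header: value} for every disclosure header the response carries."""
    headers = parse_headers(raw_response)
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}


# Constructed: what a default IIS/ASP.NET install might send.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 01 Mar 2018 12:00:00 GMT\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Constructed: the same response after the version headers are removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Date: Thu, 01 Mar 2018 12:00:00 GMT\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    for name, value in find_disclosures(DEFAULT_RESPONSE).items():
        print(f"disclosure header: {name}: {value}")
    print("hardened response leaks:", find_disclosures(HARDENED_RESPONSE))
```

In ASP.NET the `X-AspNet-Version` header is switched off with `<httpRuntime enableVersionHeader="false" />` in Web.config; run the checker against a live response after the change to confirm nothing else still advertises the stack.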
Automated Scanning
➢ OWASP Zap
➢ Burp Spider
➢ Open-VAS
➢ W3af
➢ Nikto
![Page 11: Hacking Our Way to Better Securityisc2chapter-middlega.org/forum/1803/1100_CyberExpo_MERCPenTe… · Hacking Our Way to Better Security: Lessons from a Web Application Penetration](https://reader034.fdocuments.us/reader034/viewer/2022050323/5f7c39bcf60dfa7c5337d9f7/html5/thumbnails/11.jpg)
Username Enumeration
➢ Feedback on incorrect username/passwords
➢ Forgot Password functionality gives ‘useful’ messages
  ➢ Account does not exist
  ➢ Your password has been emailed to [email address]
➢ Patterns + Open Source Intel = usernames
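The two messages above turn the login and forgot-password pages into an oracle for valid usernames. The handlers below are an added example (not the application's code): the leaky reply is reproduced for contrast, and the fixed versions return one generic message and do the same hashing work whether or not the account exists, so neither the text nor the response time distinguishes real users. `USERS` is a constructed in-memory table.

```python
"""Login and forgot-password handlers that answer identically whether or
not the username exists.

Added example, not code from the talk. USERS is a constructed table.
"""
import hashlib
import hmac
import os


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


_SALT = os.urandom(16)
# Constructed sample table: username -> (salt, password hash).
USERS = {"alice": (_SALT, _pw_hash("correct horse battery", _SALT))}
# Dummy record so that an unknown username still costs one hash computation,
# which keeps response time from revealing whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pw_hash(os.urandom(8).hex(), _DUMMY_SALT))

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If that account exists, a password reset link has been sent to its address."


def login(username: str, password: str) -> tuple:
    """Return (success, message); the message never says which part was wrong."""
    salt, stored = USERS.get(username, _DUMMY)          # same code path for unknown users
    candidate = _pw_hash(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_LOGIN_ERROR)


def forgot_password_leaky(username: str) -> str:
    """The behaviour the talk found: the reply itself confirms valid usernames."""
    if username not in USERS:
        return "Account does not exist"
    return f"Your password has been emailed to {username}@example.invalid"


def forgot_password(username: str, outbox: list) -> str:
    """Queue a reset link only for real accounts, but always reply the same way.

    A reset link is sent rather than the password itself: a password that
    can be emailed is a password stored in recoverable form.
    """
    if username in USERS:
        outbox.append((username, "reset-link:<constructed-token>"))
    return GENERIC_RESET_MESSAGE
```

The generic message is only half the fix: rate limiting and logging of repeated failures on these endpoints are what make the remaining guessing noisy enough to detect.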
Data Validation and Parameters
➢ Every input is an opportunity
➢ Even “hidden” ones
➢ URL parameters are easy targets
➢ POST’d / Hidden Fields just need a proxy
Cross-site Scripting: Error Pages
➢ Custom error pages are great!
➢ Controlling what info is exposed is best practice
➢ URL parameters (error source & message) were not filtered
➢ <script> tags in those parameters = reflected XSS
➢ Send links to unsuspecting users
  ➢ BeEF xss tool
  ➢ Cookie stealing
  ➢ Keylogging
  ➢ Modification of website on client
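The error page reflected its `source` and `message` query parameters straight into the HTML. The rendering below is an added example (not the application's code) that shows that behaviour beside the escaped version; the page template, parameter names and request URL are constructed for the example.

```python
"""Error page rendering: reflecting URL parameters raw vs. HTML-escaped.

Added example, not the application's code. Template and URL are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<h1>Error in {source}</h1><p>{message}</p>"


def _params(url: str) -> tuple:
    """Pull the two reflected parameters out of the request URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("source", [""])[0], qs.get("message", [""])[0]


def render_error_unsafe(url: str) -> str:
    """Mirrors the flaw: parameter values are inserted into the page as-is."""
    source, message = _params(url)
    return TEMPLATE.format(source=source, message=message)


def render_error_safe(url: str) -> str:
    """Fix: escape every reflected value for the HTML text context it lands in."""
    source, message = _params(url)
    return TEMPLATE.format(source=html.escape(source, quote=True),
                           message=html.escape(message, quote=True))


# Constructed request carrying a harmless marker payload in the message parameter.
TEST_URL = "https://app.example/Error.aspx?source=Login&message=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print("unsafe:", render_error_unsafe(TEST_URL))
    print("safe:  ", render_error_safe(TEST_URL))
```

Escaping must match the context: `html.escape` covers element text and quoted attributes, but a value placed inside a script block or a URL needs the encoder for that context. In ASP.NET Web Forms the same effect comes from `HttpUtility.HtmlEncode` or the `<%: %>` output syntax.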
SQL Injection: Exception Viewer
➢ Application – Database Interaction
➢ Input added directly to SQL queries
➢ Expose data piece by piece
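“Input added directly to SQL queries” is the whole bug; the fix is to never let input become query text. The example below is added (not the application's code) and uses an in-memory SQLite table standing in for the exception viewer's data: the unsafe lookup concatenates the `id` parameter into the statement, the safe one binds it as a typed parameter and keeps database errors out of the response.

```python
"""String-built SQL beside a parameterised query, on a constructed table.

Added example, not the application's code. The table and rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the exception log the viewer page reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exceptions (id INTEGER PRIMARY KEY, message TEXT)")
    conn.executemany("INSERT INTO exceptions VALUES (?, ?)", [
        (1, "NullReferenceException in Login"),
        (2, "Timeout in Report"),
        (3, "Access denied in Admin"),
    ])
    return conn


def exception_by_id_unsafe(conn: sqlite3.Connection, exc_id: str) -> list:
    """The flaw: the parameter becomes part of the SQL text, so it can change the WHERE clause."""
    query = "SELECT id, message FROM exceptions WHERE id = " + exc_id
    return conn.execute(query).fetchall()


def exception_by_id_safe(conn: sqlite3.Connection, exc_id: str) -> list:
    """Fix: validate the type, bind the value, and never surface driver errors to the client."""
    try:
        wanted = int(exc_id)            # the page only ever needs an integer here
    except ValueError:
        return []
    try:
        return conn.execute(
            "SELECT id, message FROM exceptions WHERE id = ?", (wanted,)
        ).fetchall()
    except sqlite3.Error:
        # Log server-side; an error message in the response is what makes
        # "expose data piece by piece" possible.
        return []


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal id:", exception_by_id_unsafe(db, "2"))
    print("unsafe, altered id:", exception_by_id_unsafe(db, "1 OR 1=1"))
    print("safe, altered id:", exception_by_id_safe(db, "1 OR 1=1"))
```

The same rule applies in the application's own stack: ADO.NET `SqlParameter`s or an ORM that binds values, with the web layer returning a generic error page while the detail goes to a server-side log.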
File Uploads
➢ Application Form allows uploads
➢ Pictures, text, video, zip files allowed
➢ Controlled by ~/Admin/FileTypes.aspx
➢ Add whatever extensions you want!
➢ Match the web application’s file type to get auto-execution
Account Roles and Access
➢ Undefined permissions
  ➢ Affected <10% of pages
  ➢ Usually pages outside user role, no gain of access
➢ Lack of permission check
  ➢ Affected <2% of pages
  ➢ But pages aren’t directly visible to a user?
  ➢ Dirbuster + Wordlists = No Hiding
Consequences
➢ ExceptionViewer was accessible by 4 of 4 user roles
  ➢ SQL Injection, for all!
➢ ~/Admin/FileTypes.aspx lacked a permission check
  ➢ Only one user role could change the file extensions
  ➢ Allowed extensions applied to EVERYONE
  ➢ Malware uploads, for all!
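The File Uploads and Account Roles slides describe two controls that failed together: pages with undefined or missing permission checks, and an admin-editable extension list that governed what every role could upload. The example below is added (not the application's code) and shows the shape of the fix for both: a default-deny page map, so an unlisted or guessed URL is refused rather than served, and an upload policy whose block on server-executable types is fixed in code, so editing the allowlist page cannot re-enable it. Role names, page paths and the lists are constructed.

```python
"""Default-deny page authorization and an upload policy the admin allowlist
cannot override.

Added example, not the application's code. Roles, paths and lists are constructed.
"""
import posixpath

# Page -> roles allowed. Anything not listed is denied (default deny), so a
# page that was never given permissions is unreachable even when its URL is guessed.
# Keys are lowercased because IIS paths are case-insensitive.
_PAGE_ROLES = {
    "/Default.aspx": {"User", "Reviewer", "Manager", "Admin"},
    "/Reports.aspx": {"Reviewer", "Manager", "Admin"},
    "/Admin/FileTypes.aspx": {"Admin"},
    "/Admin/ExceptionViewer.aspx": {"Admin"},
}
PAGE_ROLES = {path.lower(): roles for path, roles in _PAGE_ROLES.items()}


def is_page_allowed(role: str, path: str) -> bool:
    """True only if the normalised path is listed and the role is on its list."""
    norm = posixpath.normpath("/" + path.lstrip("/")).lower()   # collapses ./ and ../ segments
    return role in PAGE_ROLES.get(norm, set())


# Extensions the web server executes or reads as configuration. Enforced in
# code: changing the FileTypes page cannot add them back.
SERVER_EXECUTABLE = {"aspx", "asp", "ashx", "asmx", "cshtml", "config",
                     "exe", "dll", "ps1", "bat"}


def is_upload_allowed(filename: str, admin_allowlist: set) -> bool:
    """Allow only if every suffix is on the allowlist and none is server-executable."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                        # no extension, or a dotfile
    exts = parts[1:]                        # check every suffix: "report.jpg.aspx" must fail too
    if any(ext in SERVER_EXECUTABLE for ext in exts):
        return False
    return all(ext in admin_allowlist for ext in exts)


if __name__ == "__main__":
    allow = {"jpg", "png", "txt", "zip"}
    print(is_page_allowed("User", "/Admin/FileTypes.aspx"))     # False
    print(is_upload_allowed("shell.aspx", allow | {"aspx"}))     # False even with aspx allowed
```

Checking every suffix is deliberately strict (a name such as `notes.backup.txt` is refused unless `backup` is also allowed); the safer alternative to loosening it is to store uploads under a generated name outside the web root and serve them through a handler that sets the content type itself.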
ANTAK Webshell
Pros
➢ Minimal Setup
➢ Download/Upload features
➢ SQL Command Execution
Cons
➢ Forced to use full file paths
➢ Powershell…
Meterpreter
➢ Metasploit framework’s DLL-injected payload
➢ Create custom payload with msfvenom
  ➢ Can embed in .aspx file
  ➢ Can encode for anti-virus evasion
➢ Start a listener in msfconsole
➢ Load web page → execute malware
➢ Server initiates TCP/http/https connection
➢ Linux-like shell + lots of support scripts
Config / Source Code Download
➢ Web.config
  ➢ DB users + encrypted passwords
  ➢ Assembly References
  ➢ License Keys
➢ Data Exfiltration
  ➢ .dll / .pdb files → source code
Reverse Engineering: Code Reuse
➢ De-compile .dll + .pdb files
➢ Look for useful classes / functions
  ➢ Login / User Admin / Database
  ➢ Business Logic
➢ Remember early flaws
  ➢ Encrypted Passwords?
  ➢ Password emailed?
  ➢ Encryption.Decrypt() used in email lost password…
➢ Simple user account password decryption script
Mass Password Decryption
➢ Can we get users without having to guess?
➢ Custom database queries had some problems
➢ More code reuse
➢ Create drop down menu to select any country
➢ Container class for all users in a country
➢ Iterate through collection, decrypting the password
➢ Display results to screen!
Direct Database Access
➢ Web.config + decryption + tnsnames.ora file
➢ Find the database server
➢ IP/Port from nmap scan or netstat
➢ Make connection with SQL client (SQLdeveloper)
➢ Browse and edit tables at will
SYSTEM Privileges
➢ IIS APPPOOL\ASP.NET v4.0 service account
➢ Restricted read access
➢ Very restricted write access
  ➢ C:\Windows\Temp
  ➢ C:\Users\Public
➢ Easy escalation failed
  ➢ Windows “runas”
  ➢ Meterpreter’s getsystem
SYSTEM Privileges
➢ Foxglove Security’s RottenPotato Exploit
➢ Man in the middle attack on NTLM authentication
➢ Upload file and run
➢ Load meterpreter “incognito”
➢ Impersonate token
SYSTEM Privileges
➢ Full Read/Write Access
➢ No longer restricted to uploads / public folders
➢ Defacement
➢ Add redirects or XSS
➢ Edit System Registry
➢ Keyloggers / packet sniffing
Domain Admin
➢ Mimikatz can grab credentials from memory
➢ Lie in wait for a domain administrator to log on
➢ Task Manager / Process list reveal process owners
➢ Attempt various mimikatz modules
  ➢ sekurlsa::logonpasswords
➢ Remote Desktop to the Domain Controller and win!
AD Credential Collection
➢ Get a Meterpreter session on Domain Controller
➢ Meterpreter “Credential Collector” script
➢ 120+ AD accounts & password hashes
➢ Time to crack!
Hashcat
Conclusions
➢ Most of the site was well protected
➢ File upload enables critical vulnerability chain
➢ Page Access Control
➢ Validate and Sanitize… EVERYTHING
➢ Passwords need to be hashed, salted
➢ Open source tools are very powerful