Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Size: px

Start display at page:

Download "Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center"

Arnold Harrison
5 years ago
Views:

1 Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test Tyler Rasmussen Mercer Engineer Research Center

2 About Me Cybersecurity Engineering MERC Senior IT/Cybersecurity MGA Competitive Cybersecurity - Cyberknights Certified Ethical Hacker Former US Army SIGINT / Arabic Linguist

3 Penetration Testing 101 Motivations Methodologies Internal vs. External Rules of Engagement Final Product

4 Purpose Security Focused Testing Access, Escalate, Pivot Model Threats and Categorize Risk Script kiddies to state actors Discoverability, Difficulty, Exploitability, Detectability Layers, Chains and Narratives

5 Scope Application is the focus Network & Servers are for post-exploit Human element is modeled Test server / development network Replicated data Extra targets Cheating

6 Methodology: Planning Guidelines and Checklists NIST / NIST r2 Open Web Application Security Project Outside to Inside Black Box Grey Box White Box Recon!

7 Methodology: Goals Download / Upload CMD prompt / Shell Hashes Passwords Privilege escalation Non-User User Local Admin Domain Admin Persistence

8 Tools Kali Linux BeEF-xss, sqlmap, dirbuster, metasploit BURP, Wireshark, Fiddler Browser Dev Tools Decompilers & Code Editors Database Client

9 Basic External Recon Nmap scan host Fingerprint OS if possible View HTTP headers ASP.net version info View site as user Follow all hyperlinks Note all forms, inputs

10 Automated Scanning OWASP Zap Burp Spider Open-VAS W3af Nikto

11 Automated Scanning

12 Username Enumeration Feedback on incorrect username/passwords Forgot Password functionality gives useful messages Account does not exist Your password has been ed to Patterns + Open Source Intel = usernames

13 Data Validation and Parameters Every input is an opportunity Even hidden ones URL parameters are easy targets POST d / Hidden Fields just need a proxy

14 Cross-site Scripting: Error Pages Custom error pages are great! Controlling what info is exposed is best practice URL parameters - error source&message - were not filtered <script> tags equals reflected XSS Send links to unsuspecting users BeEF xss tool Cookie stealing Keylogging Modification of website on client

15 Cross-site Scripting: Error Pages

16 SQL Injection: Exception Viewer Application Database Interaction Input added directly to SQL queries Expose data piece by piece

17 SQL Injection: Exception Viewer

18 SQL Injection: Exception Viewer

19 File Uploads Application Form allows uploads Pictures, text, video, zip files allowed Controlled by ~/Admin/FileTypes.aspx Add whatever extensions you want! Match the web application s file type to get auto-execution

20 Account Roles and Access Undefined permissions Affected <10% of pages Usually pages outside user role, no gain of access Lack of permission check Affected <2% of pages But pages aren t directly visible to a user? Dirbuster + Wordlists = No Hiding

21 Consequences ExceptionViewer was accessible by 4 of 4 user roles SQL Injection, for all! ~/Admin/FileTypes.aspx lacked a permission check Only one user role could change the file extensions Allowed extensions applied to EVERYONE Malware uploads, for all!

22 ANTAK Webshell Pros Minimal Setup Download/Upload features SQL Command Execution Cons Forced to use full file paths Powershell

23 Meterpreter Metasploit framework s dll-injected payload Create custom payload with msfvenom Can embed in.aspx file Can encode for anti-virus evasion Start a listener in msfconsole Load web page -> execute malware Server initiates TCP/http/https connection Linux-like shell + lots of support scripts

24 Config / Source Code Download Web.config DB users + encrypted passwords Assembly References License Keys Data Exfiltration.dlls /.pdb files Source code

25 Reverse Engineering: Code Reuse De-compile.dll +.pdb files Look for useful classes / functions Login / User Admin / Database Business Logic Remember early flaws Encrypted Passwords? Password ed? Encryption.Decrypt() used in lost password Simple user account password decryption script

26 Mass Password Decryption Can we get users without having to guess? Custom database queries had some problems More code reuse Create drop down menu to select any country Container class for all users in a country Iterate through collection, decrypting the password Display results to screen!

27 Direct Database Access Web.config + decryption + tnsnames.ora file Find the database server IP/Port from nmap scan or netstat Make connection with SQL client (SQLdeveloper) Browse and edit tables at will

28 SYSTEM Privileges IIS APPPOOL\ASP.NET v4.0 service account Restricted read access Very restricted write access C:\Windows\Temp C:\Users\Public Easy escalation failed Window runas Meterpreter s getsystem

29 SYSTEM Privileges Foxglove Security s RottenPotato Exploit Man in the middle attack on NTLM authentication Upload file and run Load meterpreter incognito Impersonate token

30 SYSTEM Privileges Full Read/Write Access No longer restricted to uploads / public folders Defacement Add redirects or XSS Edit System Registry Keyloggers / packet sniffing

31 Domain Admin Mimikatz can grab credentials from memory Lie in wait for a domain administrator to log on Task Manager / Process list reveal process owners Attempt various mimikatz modules sekurlsa: logonpasswords Remote Desktop to the Domain Controller and win!

32 AD Credential Collection Get a Meterpreter session on Domain Controller Meterpreter Credential Collector script 120+ AD accounts & password hashes Time to crack!

33 Hashcat

34 Conclusions Most of the site was well protected File upload enables critical vulnerability chain Page Access Control Validate and Sanitize EVERYTHING Passwords need to be hashed, salted Open source tools are very powerful

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may