pointpcanywhere
pcanywhere 时间:2021-04-03 阅读:()
LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked1LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER2LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERTableofContents3ExecutiveSummary31.
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
- pointpcanywhere相关文档
- 投标人pcanywhere
- 色谱pcanywhere
- sourcepcanywhere
- addresspcanywhere
- checkpcanywhere
- RemoteWareBCpcanywhere
lcloud零云:沪港IPLC,70元/月/200Mbps端口/共享IPv4/KVM;成都/德阳/雅安独立服务器低至400元/月起
lcloud怎么样?lcloud零云,UOVZ新开的子站,现在沪港iplc KVM VPS有端午节优惠,年付双倍流量,200Mbps带宽,性价比高。100Mbps带宽,500GB月流量,10个,512MB内存,优惠后月付70元,年付700元。另有国内独立服务器租用,泉州、佛山、成都、德阳、雅安独立服务器低至400元/月起!点击进入:lcloud官方网站地址lcloud零云优惠码:优惠码:bMVbR...
欧路云:美国CUVIP线路10G防御,8折优惠,19元/月起
欧路云新上了美国洛杉矶cera机房的云服务器,具备弹性云特征(可自定义需要的资源配置:E5-2660 V3、内存、硬盘、流量、带宽),直连网络(联通CUVIP线路),KVM虚拟,自带一个IP,支持购买多个IP,10G的DDoS防御。付款方式:PayPal、支付宝、微信、数字货币(BTC USDT LTC ETH)测试IP:23.224.49.126云服务器 全场8折 优惠码:zhujiceping...
CloudCone:$14/年KVM-512MB/10GB/3TB/洛杉矶机房
CloudCone发布了2021年的闪售活动,提供了几款年付VPS套餐,基于KVM架构,采用Intel® Xeon® Silver 4214 or Xeon® E5s CPU及SSD硬盘组RAID10,最低每年14.02美元起,支持PayPal或者支付宝付款。这是一家成立于2017年的国外VPS主机商,提供VPS和独立服务器租用,数据中心为美国洛杉矶MC机房。下面列出几款年付套餐配置信息。CPU:...
pcanywhere为你推荐
-
地图应用什么地图导航最好用最准确留学生认证留学生为什么要做学历认证?百度关键词工具常见百度关键词挖掘方法分别是什么请列举?百度指数词百度指数为0的词 为啥排名没有广告法中华人民共和国广告法中,有哪些广告不得发布?www.ca800.comPLC好学吗javlibrary.com大家有没有在线图书馆WWW。QUESTIA。COM的免费帐号铂金血痕仇家血痕是个成语吗?长房娇女人蛮好脾气好很乖巧很听话?娇身惯养,父亲长得好看大眼睛高鼻梁樱桃小嘴瓜子脸女儿也是眼睛大大的皮肤欢颜网欢颜网邀请人数已经达到,可是在哪里换啊?