pointpcanywhere
pcanywhere 时间:2021-04-03 阅读:()
LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked1LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER2LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERTableofContents3ExecutiveSummary31.
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
- pointpcanywhere相关文档
- 投标人pcanywhere
- 色谱pcanywhere
- sourcepcanywhere
- addresspcanywhere
- checkpcanywhere
- RemoteWareBCpcanywhere
咖啡主机22元/月起,美国洛杉矶弹性轻量云主机仅13元/月起,高防云20G防御仅18元/月
咖啡主机怎么样?咖啡主机是一家国人主机销售商,成立于2016年8月,之前云服务器网已经多次分享过他家的云服务器产品了,商家主要销售香港、洛杉矶等地的VPS产品,Cera机房 三网直连去程 回程CUVIP优化 本产品并非原生地区本土IP,线路方面都有CN2直连国内,机器比较稳定。咖啡主机目前推出美国洛杉矶弹性轻量云主机仅13元/月起,高防云20G防御仅18元/月;香港弹性云服务器,香港HKBN CN...
CloudCone($82/月)15-100M不限流量,洛杉矶CN2 GIA线路服务器
之前分享过很多次CloudCone的信息,主要是VPS主机,其实商家也提供独立服务器租用,同样在洛杉矶MC机房,分为两种线路:普通优化线路及CN2 GIA,今天来分享下商家的CN2 GIA线路独立服务器产品,提供15-100Mbps带宽,不限制流量,可购买额外的DDoS高防IP,最低每月82美元起,支持使用PayPal或者支付宝等付款方式。下面分享几款洛杉矶CN2 GIA线路独立服务器配置信息。配...
HostYun 新上美国CN2 GIA VPS 月15元
HostYun 商家以前是玩具主机商,这两年好像发展还挺迅速的,有点在要做点事情的味道。在前面也有多次介绍到HostYun商家新增的多款机房方案,价格相对还是比较便宜的。到目前为止,我们可以看到商家提供的VPS主机包括KVM和XEN架构,数据中心可选日本、韩国、香港和美国的多个地区机房,电信双程CN2 GIA线路,香港和日本机房,均为国内直连线路。近期,HostYun上线低价版美国CN2 GIA ...
pcanywhere为你推荐
-
sonicchat深圳哪里有卖汽车模型?mathplayer比较word,TeX,MathML中的数学公式处理方式的异同点,尽量详细哦,分数不是问题,谢谢哈,会加分的。bbs.99nets.com做一款即时通讯软件难吗 像hi qq这类的百度关键词价格查询百度推广关键词怎么扣费?月神谭适合12岁男孩的网名,要非主流的,帮吗找找,谢啦www.7788k.comwww.6601txq.com.有没有这个网站抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?lcoc.topoffsettop和scrolltop的区别bbs2.99nets.com西安论坛、西安茶馆网、西安社区、西安bbs 的网址是多少?66smsm.com【回家的欲望(回家的诱惑)大结局】 回家的诱惑全集66 67 68 69 70集QOVD快播观看地址??