pointpcanywhere
pcanywhere 时间:2021-04-03 阅读:()
LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked1LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER2LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERTableofContents3ExecutiveSummary31.
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
- pointpcanywhere相关文档
- 投标人pcanywhere
- 色谱pcanywhere
- sourcepcanywhere
- addresspcanywhere
- checkpcanywhere
- RemoteWareBCpcanywhere
云步云72.5元/月起云服务器,香港安畅/葵湾/将军澳/沙田/大浦CN2机房,2核2G5M
云步云怎么样?云步云是创建于2021年的品牌,主要从事出售香港vps、美国VPS、日本VPS、香港独立服务器、香港站群服务器等,机房有香港、美国、日本东京等机房,目前在售VPS线路有CN2+BGP、CN2 GIA,香港的线路也是CN2直连大陆,该公司旗下产品均采用KVM虚拟化架构。目前,云步云提供香港安畅、沙田、大浦、葵湾、将军澳、新世界等CN2机房云服务器,2核2G5M仅72.5元/月起。点击进...
妮妮云(119元/季)日本CN2 2核2G 30M 119元/季
妮妮云的知名度应该也不用多介绍了,妮妮云旗下的云产品提供商,相比起他家其他的产品,云产品还是非常良心的,经常出了一些优惠活动,前段时间的八折活动推出了很多优质产品,近期商家秒杀活动又上线了,秒杀产品比较全面,除了ECS和轻量云,还有一些免费空间、增值代购、云数据库等,如果你是刚入行安稳做站的朋友,可以先入手一个119/元季付的ECS来起步,非常稳定。官网地址:www.niniyun.com活动专区...
美国cera机房 2核4G 19.9元/月 宿主机 E5 2696v2x2 512G
美国特价云服务器 2核4G 19.9元杭州王小玉网络科技有限公司成立于2020是拥有IDC ISP资质的正规公司,这次推荐的美国云服务器也是商家主打产品,有点在于稳定 速度 数据安全。企业级数据安全保障,支持异地灾备,数据安全系数达到了100%安全级别,是国内唯一一家美国云服务器拥有这个安全级别的商家。E5 2696v2x2 2核 4G内存 20G系统盘 10G数据盘 20M带宽 100G流量 1...
pcanywhere为你推荐
-
公司网络被攻击网站总是被攻击,该怎么处理啊?地图应用手机地图软件那么多,都不知道用哪个好了?蓝色骨头手机宠物的一个蓝色骨头代表多少级,灰色又代表多少级,另外假如有骨头又代表多少级老虎数码86年属虎的吉祥数字和求财方向18comic.fun18岁以后男孩最喜欢的网站百度关键词价格查询百度关键字如何设定竟价价格?地陷裂口天上顿时露出一个大窟窿地上也裂开了,一到黑幽幽的深沟可以用什么四字词语来?丑福晋历史上真正的八福晋是什么样子的?丑福晋男主角中毒眼瞎毁容,女主角被逼当丫鬟,应用自己的血做药引帮男主角解毒的言情小说www.99cycy.com谁在这个http://www.sifangmall.com网站上买过东西?