Oracle EBS Security auditing

So this is my attempt to improve on the post I wrote last year, adding other tests that I find helpful. Whatever is outlined here is really the tip of the iceberg; further tests should definitely be done depending on scope, objectives and so on.

Application testing:

Controls to test:

  • Default application account credentials
  • Weak application password controls
  • Poor patching policies
  • Directory listing / sensitive information exposure
  • Segregation of duties / roles and responsibilities
  • Etc

Default application account credentials:

I have created a list of common default accounts on the application and uploaded it to GitHub; feel free to add to the list or ping me on Twitter. TBH, this issue is quite common among most instances I have had the pleasure of auditing, and it mostly gives you System Administrator privileges on the portal.

Other tests to perform on the application to perhaps gain access are here.

Solution: disable the default application accounts (change their passwords and end-date them in the application rather than leaving them active).

Weak application password controls

Over and above the normal password complexity settings on the application, I found that if the passwords are not hashed and you have the APPS password, one can decrypt ALL the application user passwords!!

Solution: migrate to hashed (non-reversible) password storage, which Oracle supports through FNDCPASS USERMIGRATE or, on later 12.x releases, AFPASSWD, and guard the APPS password as tightly as the database SYS password.

Lack of patching:

A simple select statement to view the applied patches and maintenance pack level:

SELECT patch_name, patch_type, maint_pack_level, creation_date
FROM applsys.ad_applied_patches
ORDER BY creation_date DESC;

Lack of patching on the app leads to many OWASP Top 10 vulnerabilities, including but not limited to XSS and SQL injection, most of them discovered by the people credited below. A common example is the reflected XSS in jtfLOVInProcess.jsp; many other JSPs on EBS suffer from the same issues.

[Screenshot: reflected XSS in jtfLOVInProcess.jsp]

Solution: Patch. Patch. Patch.

Directory listing / sensitive information exposure

See post here

Solution: reduce the attack surface by removing the JSPs not in use (EBS's allowed-JSPs list and, for DMZ deployments, the URL Firewall exist for exactly this purpose).

Big shoutout to the guys below for being ready to help the community in this ERP space:

  • David Litchfield
  • Integrigy
  • Onapsis

< Post in progress/>

Training Extras (RT)

Web:

List of hacking and CTF challenges: https://www.blackroomsec.com/wp-content/uploads/List-of-Hacking.pdf

Owasp Top 10 – 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Deliberate vulnerable websites: http://vulnweb.com/

Google Hacking DB, Exploits: https://www.exploit-db.com/

OS:

CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/

Nessus download: https://www.tenable.com/downloads

Nix auditor: https://github.com/XalfiE/Nix-Auditor

Lynis download: https://cisofy.com/downloads/

From Shodan to Remote Code Execution #3: Hacking the Belkin N600DB Wireless Router

Our newest post in this interesting Shodan-to-RCE series takes us to Belkin routers.

Shodan search:

"Server: httpd" "Cache-Control: no-cache,no-store,must-revalidate, post-check=0,pre-check=0" "100-index.htm"

[Screenshot: Shodan results for the Belkin search]

At the time of writing this post there were not that many results for the Belkin routers )-:

By navigating to one of the Shodan search results we may get a dashboard like the one below, which in itself could be reported as a finding: unauthenticated access to the device's management page and the information it discloses.

[Screenshot: Belkin router dashboard reached without authentication]

Getting key, method #1

Navigate to http://target/langchg.cgi and view the page source:

[Screenshot: langchg.cgi source with the key visible]

The key can be clearly seen, without authentication!

Getting key, method #2

Navigate to http://target/adv_wifidef.cgi and view the page source:

[Screenshot: adv_wifidef.cgi source with the key visible]

Again, the key can be clearly seen, without authentication!

Credits to the exploit author: Wadeek.

Blackhat Europe 2017 – conference notes

I had the pleasure of attending Black Hat Europe 2017 in London, and it was enlightening! In this post I provide links to the slide decks, videos and tools shared during the demonstrations, briefings and various talks. The abstracts for the briefings can be found on the official Black Hat Europe website.

1. Black Hat Europe 2017 YouTube playlist (continuously being updated):

2. Presentation slide decks:

LOST IN TRANSACTION: PROCESS DOPPELGÄNGING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL MANAGEMENT ENGINE: https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

EXPOSING HIDDEN EXPLOITABLE BEHAVIORS IN PROGRAMMING LANGUAGES USING DIFFERENTIAL FUZZING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

ATTACKING NEXTGEN ROAMING NETWORKS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Schmidt-Attacking-Next-Gen-Roaming-Networks.pdf

BLUEBORNE – A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE: https://www.blackhat.com/docs/eu-17/materials/eu-17-Seri-BlueBorne-A-New-Class-Of-Airborne-Attacks-Compromising-Any-Bluetooth-Enabled-Linux-IoT-Device.pdf

NATION-STATE MONEYMULE’S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTIONS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

SECURITY THROUGH DISTRUSTING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Rutkowska-Security-Through-Distrusting.pdf

EXFILTRATING RECONNAISSANCE DATA FROM AIR-GAPPED ICS/SCADA NETWORKS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atch-Exfiltrating-Reconnaissance-Data-From-Air-Gapped-Ics-Scada-Networks.pdf

THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE G2H ESCAPE VULNERABILITIES: https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf

A PROCESS IS NO ONE: HUNTING FOR TOKEN MANIPULATION: https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

A UNIVERSAL CONTROLLER TO TAKE OVER A Z-WAVE NETWORK: https://www.blackhat.com/docs/eu-17/materials/eu-17-Rouch-A-Universal-Controller-To-Take-Over-A-Z-Wave-Network.pdf

ATTACKS AGAINST GSMA’S M2M REMOTE PROVISIONING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Meyer-Attacks-Against-GSMAS-M2M-Remote-Provisioning.pdf

AUTOMATIC DISCOVERY OF EVASION VULNERABILITIES USING TARGETED PROTOCOL FUZZING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Levomaki-Automatic-Discovery-Of-Evasion-Vulnerabilities-Using-Targeted-Protocol-Fuzzing.pdf

BECOMING YOU: A GLIMPSE INTO CREDENTIAL ABUSE: https://www.blackhat.com/docs/eu-17/materials/eu-17-Burney-Becoming-You-A-Glimpse-Into-Credential-Abuse.pdf

BREAKING BAD: STEALING PATIENT DATA THROUGH MEDICAL DEVICES: https://www.blackhat.com/docs/eu-17/materials/eu-17-Harit-Breaking-Bad-Stealing-Patient-Data-Through-Medical-Devices.pdf

BREAKING OUT HSTS (AND HPKP) ON FIREFOX IE/EDGE AND (POSSIBLY) CHROME: https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf

BY-DESIGN BACKDOORING OF ENCRYPTION SYSTEM – CAN WE TRUST FOREIGN ENCRYPTION ALGORITHMS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-By-Design-Backdooring-Of-Encryption-System-Can-We-Trust-Foreign-Encryption-Algorithms.pdf

CALDERA: AUTOMATING ADVERSARY EMULATION: https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf

CLKSCREW: EXPOSING THE PERILS OF SECURITY-OBLIVIOUS ENERGY MANAGEMENT: https://www.blackhat.com/docs/eu-17/materials/eu-17-Tang-Clkscrew-Exposing-The-Perils-Of-Security-Oblivious-Energy-Management.pdf

DEALING THE PERFECT HAND – SHUFFLING MEMORY BLOCKS ON Z/OS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Elaassal-Dealing-The-Perfect-Hand-Shuffling-Memory-Blocks-On-ZOS.pdf

DIFUZZING ANDROID KERNEL DRIVERS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf

ENRAPTURED MINDS: STRATEGIC GAMING OF COGNITIVE MINDHACKS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Kropotov-Enraptured-Minds-Strategic-Gaming-Of-Cognitive-Mindhacks.pdf

FED UP GETTING SHATTERED AND LOG JAMMED? A NEW GENERATION OF CRYPTO IS COMING: https://www.blackhat.com/docs/eu-17/materials/eu-17-Wong-Fed-Up-Getting-Shattered-And-Log-Jammed-A-New-Generation-Of-Crypto-Is-Coming.pdf

GDPR AND THIRD PARTY JS – CAN IT BE DONE?: https://www.blackhat.com/docs/eu-17/materials/eu-17-Grushcovski-GDPR-And-Third-Party-JS-Can-It-Be-Done.pdf

HEAP LAYOUT OPTIMISATION FOR EXPLOITATION: https://www.blackhat.com/docs/eu-17/materials/eu-17-Heelan-Heap-Layout-Optimisation-For-Exploitation.pdf

HIDING PIN’S ARTIFACTS TO DEFEAT EVASIVE MALWARE: https://www.blackhat.com/docs/eu-17/materials/eu-17-Polino-Hiding-Pins-Artifacts-To-Defeat-Evasive-Malware.pdf

HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT: https://www.blackhat.com/docs/eu-17/materials/eu-17-Ma-How-Samsung-Secures-Your-Wallet-And-How-To-Break-It.pdf

HOW TO ROB A BANK OVER THE PHONE – LESSONS LEARNED AND REAL AUDIO FROM AN ACTUAL SOCIAL ENGINEERING ENGAGEMENT: https://www.blackhat.com/docs/eu-17/materials/eu17-Crumbaugh-How-To-Rob-A-Bank-Over-The-Phone.pdf

I TRUST MY ZOMBIES: A TRUST-ENABLED BOTNET: https://www.blackhat.com/docs/eu-17/materials/eu-17-Vasilomanolakis-I-Trust-My-Zombies-A-Trust-Enabled-Botnet.pdf

INSIDE ANDROID’S SAFETYNET ATTESTATION: https://www.blackhat.com/docs/eu-17/materials/eu-17-Mulliner-Inside-Androids-SafetyNet-Attestation.pdf

INTEL ME: FLASH FILE SYSTEM EXPLAINED: https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf

JAILBREAKING APPLE WATCH: https://www.blackhat.com/docs/eu-17/materials/eu-17-Bazaliy-Jailbreaking-Apple-Watch.pdf

KEY REINSTALLATION ATTACKS: BREAKING THE WPA2 PROTOCOL: https://www.blackhat.com/docs/eu-17/materials/eu-17-Vanhoef-Key-Reinstallation-Attacks-Breaking-The-WPA2-Protocol.pdf

PASSIVE FINGERPRINTING OF HTTP/2 CLIENTS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients.pdf

RED TEAM TECHNIQUES FOR EVADING BYPASSING AND DISABLING MS ADVANCED THREAT PROTECTION AND ADVANCED THREAT ANALYTICS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX: https://www.blackhat.com/docs/eu-17/materials/eu-17-Donenfeld-Rooten-Apples-Vulnerability-Heaven-In-The-IOS-Sandbox.pdf

SELF-VERIFYING AUTHENTICATION – A FRAMEWORK FOR SAFER INTEGRATIONS OF SINGLE-SIGN-ON SERVICES: https://www.blackhat.com/docs/eu-17/materials/eu-17-Chen-Self-Verifying-Authentication-A-Framework-For-Safer-Integrations-Of-Single-Sign-On-Services.pdf

THE APPLE OF YOUR EFI: AN UPDATED ANALYSIS OF THE STATE OF APPLE’S EFI SECURITY SUPPORT: https://www.blackhat.com/docs/eu-17/materials/eu-17-Smith-The-Apple-Of-Your-EFI-An-Updated-Analysis-Of-The-State-Of-Apples-EFI-Security-Support.pdf

THE SPEAR TO BREAK THE SECURITY WALL OF S7COMMPLUS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus.pdf

WI-FI DIRECT TO HELL: ATTACKING WI-FI DIRECT PROTOCOL IMPLEMENTATIONS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Blanco-WI-FI-Direct-To-Hell-Attacking-WI-FI-Direct-Protocol-Implementations.pdf

ZERO DAYS THOUSANDS OF NIGHTS: THE LIFE AND TIMES OF ZERO-DAY VULNERABILITIES AND THEIR EXPLOITS: https://www.blackhat.com/docs/eu-17/materials/eu-17-Ablon-Zero-Days-Thousands-Of-Nights-The-Life-And-Times-Of-Zero-Day-Vulnerabilities-And-Their-Exploits.pdf

From Shodan to Remote Code Execution #1 – hacking Jenkins

In this era of extreme automation, whether for development, deployment or even security management, are we getting closer to security maturity, or would we be better off without the automation?

In the next few posts I hope to look at some of the tools and applications enterprises deploy for automation and better security that end up exposing them and increasing their attack surface. We start with Jenkins.

Jenkins is an open source automation server written in Java. It automates the non-human parts of the software development process, with continuous integration and support for the technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.

It is used by many organisations globally, and a quick Shodan search returns over 300,000 instances publicly accessible over the internet.

[Screenshot: Shodan results for Jenkins]

We quickly shift focus to the instances serving the portal on port 8081, and the figure goes down.

[Screenshot: Shodan results filtered to port 8081]

Of these, some require credentials... and some don't 🙂. Some even show the Manage Jenkins option, which means, among other things, that we are a somewhat privileged user (e.g. the jenkins user) and can install plugins of our choice.

[Screenshot: Jenkins dashboard with Manage Jenkins available]

Most people I know would opt to install the terminal plugin... for obvious reasons.

[Screenshot: Manage Plugins page]

Running some commands... :-O

[Screenshot: shell commands executed from the plugin]

Enough!

Remediation: enable Jenkins' own security (authentication, plus an authorisation strategy that does not grant anonymous users Overall/Administer), keep the instance off the public internet or behind a VPN/reverse proxy, and treat the right to install plugins as equivalent to code execution on the build host.

SAMBAry save us!!

Remember Linux users laughing at Windows users because of the now all too famous WannaCry? Karma.

According to Samba, "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it." (This is CVE-2017-7494.) It might not appear serious, but a quick look at our beloved Shodan shows roughly half a million hosts with Samba shares publicly exposed. Not all of them are exploitable, but narrowing down simply by the advertised version, more than half are!!!

[Screenshot: Shodan results for exposed Samba]

Exploitation:

Various exploits have been released; I explored the exploit by HD Moore and it works pretty well. At the time of writing it had not yet landed in the Metasploit distribution, so add it manually as below and fire up msf.

[Screenshot: copying the exploit into the Metasploit modules tree]

[Screenshot: running the exploit in msfconsole]

We would all appreciate a check method in the msf exploit; since there isn't one, I decided to do a manual grep. Tedious if you have a large estate to check, but better safe than sorry.

How to check:

Download either of these files, which list the public IPs worldwide with ports 139 and 445 open as at May 24th, and search for your IP of interest :-) ... I am sure programmers have an easier way?

[Screenshot: grep for the IP of interest in the downloaded list]
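An added example (my own code, not the post's grep and not HD Moore's exploit) that triages a Shodan-style export of Samba banners against the affected range and the fixed releases from the Samba advisory. The export format and the addresses are constructed, and banner-only triage overstates exposure on distributions that backport fixes without bumping the version (Ubuntu's 4.3.11 builds, for example), so confirm against the package changelog or a real check before raising a ticket.

```python
"""Triage Samba banners for the writable-share RCE (CVE-2017-7494).

Added example, not the post's own check. Input is a constructed,
Shodan-style export of "ip<TAB>port<TAB>banner" lines.
"""
import re

# From the Samba advisory: every release from 3.5.0 up to the fixed release
# on its branch is affected; branches after 4.6 shipped after the fix.
FIRST_AFFECTED = (3, 5, 0)
FIXED_RELEASE = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
NEWEST_FIXED_BRANCH = (4, 6)

VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Pull x.y.z out of a banner such as 'Samba 4.3.11-Ubuntu'; None if absent."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Verdict for a (major, minor, patch) tuple.

    not-affected          : below 3.5.0, or a branch released after the fix
    fixed                 : at or above the fixed release on its branch
    vulnerable            : 4.4/4.5/4.6 below the fixed release
    vulnerable-no-release : 3.5 to 4.3, where only a source patch or the
                            'nt pipe support = no' workaround applies
    """
    if version < FIRST_AFFECTED or version[:2] > NEWEST_FIXED_BRANCH:
        return "not-affected"
    fixed = FIXED_RELEASE.get(version[:2])
    if fixed is None:
        return "vulnerable-no-release"
    return "fixed" if version >= fixed else "vulnerable"


def triage(export_lines):
    """Map each export line to (ip, port, version, verdict); skip non-Samba banners."""
    results = []
    for line in export_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        ip, port, banner = parts
        version = parse_version(banner)
        if version is None:
            continue
        results.append((ip, int(port), version, classify(version)))
    return results


# Constructed sample export using TEST-NET addresses; not real scan data.
SAMPLE_EXPORT = [
    "203.0.113.10\t445\tSamba 4.3.11-Ubuntu",
    "203.0.113.11\t445\tSamba 4.5.8",
    "203.0.113.12\t139\tSamba 4.6.4",
    "203.0.113.13\t445\tSamba 3.0.37",
    "203.0.113.14\t445\tSamba 4.7.0",
    "203.0.113.15\t445\tWindows Server 2012 R2",
]

if __name__ == "__main__":
    for ip, port, version, verdict in triage(SAMPLE_EXPORT):
        print(f"{ip}:{port}  Samba {'.'.join(map(str, version))}  {verdict}")
```

Feed it the banner column of a real Shodan export (or `smbclient -L` / nmap `smb-os-discovery` output reshaped into the same three columns) and act first on the "vulnerable" and "vulnerable-no-release" rows; the latter are the hosts where the smb.conf workaround below is the only quick option.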

 

Remediation:

As usual, PATCH! Samba has released fixed versions for the 4.4 branch onwards (4.4.14, 4.5.10 and 4.6.4) and source patches for older versions. There is also a workaround, though it can break functionality that Windows clients expect from named pipes (printer management, for instance): add "nt pipe support = no" to the [global] section of smb.conf and restart smbd.

 

On a light note 😀

[Image: light-hearted WhatsApp picture]

Post title inspired by Remy Zero's "Save Me".

From Shodan to Remote Code Execution #2 – hacking OpenDreambox 2.0.0

A sequel to the last post in what is now becoming a series, "From Shodan to Remote Code Execution", we now take a look at how to hack misconfigured Dreambox installations. Dreambox is a company offering digital TV set-top boxes and related services.

Shodan search:

Perform a Shodan search as below:

[Screenshot: Shodan search for Dreambox]

Go through the portals in the search results. The indicator of a vulnerable Dreambox installation is the presence of the webadmin plugin, as below:

[Screenshot: webadmin plugin listed on the Dreambox portal]

From the address bar, run Linux commands using the syntax http://IP:PORT/webadmin/script?command=|"linux_command", as shown below:

[Screenshots: output of id, cat /etc/passwd, cat /etc/shadow, whoami and cat /etc/issue returned by the webadmin script endpoint]

Credits:  Jonatas Fil, the discoverer of the vulnerability.

Exploiting Windows with Eternalblue and Doublepulsar with Metasploit!

Most of us got hold of the NSA exploits recently released to the public, and there was a lot of hype and many public statements around them. A lot has been said, and most vendors came out to defend their products and release patches to downplay/mitigate the impact of these exploits.

From the exploits we came to learn about Fuzzbunch, the NSA's exploit framework ("the NSA's Metasploit"). I know a few people who have tried to use it and failed for lack of familiarity with the dependencies Fuzzbunch demands... fret no more: we can exploit the same vulnerabilities using our beloved Metasploit :-). Currently Metasploit has the MS17-010 SMB RCE Detection module (auxiliary/scanner/smb/smb_ms17_010), which "uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$." It is a scanner module and just tells you that you need to patch your Windows boxes; extremely useful for blue teamers.

If you are interested to exploit, read on…

Our friends at ElevenPaths created a Metasploit module that we can add to our MSF to get a nice Meterpreter session.

Steps:

  1. Download the file from https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
  2. Copy the eternalblue_doublepulsar.rb file to the metasploit windows smb exploits path (/usr/share/metasploit-framework/modules/exploits/windows/smb)
  3. Load msf and select the eternalblue_doublepulsar module

[Screenshot: use exploit/windows/smb/eternalblue_doublepulsar in msfconsole]

At this point it is important to remind ourselves what the two exploits really do:

[Screenshot: module description]

and the parameters we need to input:

[Screenshot: module basic options]

And with that we are set. Fire up the exploit... and voila! A Meterpreter session as SYSTEM; we do not even need to elevate privileges :-O

[Screenshot: Meterpreter session]

Though Microsoft has released patches for this issue (MS17-010), a very large number of servers and workstations remain vulnerable for various reasons. Worse, it is now easier to exploit, as we have seen.

UPDATE!

I should have updated this ages ago! Metasploit now ships its own module for this exploit (exploit/windows/smb/ms17_010_eternalblue), which makes exploiting the vulnerability a breeze. Surprisingly, this vulnerability is still not being patched everywhere; see the video below:

Penetration testing Sharepoint

Like any normal web application, SharePoint may fall prey to OWASP Top 10 vulnerabilities, with a special focus on XSS, mostly due to inadequate patching and misconfiguration. In this post we focus on recon: what SharePoint is exposing.

Google Dorks FTW!:

Some Google dorks to help you find SharePoint installations exposed to the web are below. It would be wise to prefix them with "site:yoursite.com" to narrow the search and discover what your own SharePoint installation is exposing to the public.

[Screenshots: Google dorks and their results]

Fuzz:

From the above we can view a lot of documents that you may not necessarily need to expose. In addition to the classified documents seen above, we can also:

  • discover Sharepoint version installed
  • discover the Sharepoint web services configured on the application
  • enumerate users
  • view default SharePoint _layouts, _catalogs, configuration settings and forms

How?

I prefer to use this fuzzer, but you can use DirBuster, the FuzzDB wordlists, etc. Over time I have built up a list of paths to feed the fuzzer.

Run the scanner as below and discover all the information your SharePoint installation is exposing to the public 🙂

[Screenshot: fuzzer run against the SharePoint site]

Going to the pages with HTTP status code 200, we find:

  1. FrontPage Server Extensions and SharePoint versions:

[Screenshot: _vti_inf.html]

  2. SharePoint web services:

[Screenshot: _vti_bin/spdisco.aspx]

  3. Default layouts:

[Screenshot: viewlsts.aspx]

etc... you get the drift.
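An added example, not the fuzzer or the path list the post uses: a small probe that requests a handful of well-known default SharePoint paths, records which of them answer 200 without authentication, and reads the version the server advertises in its MicrosoftSharePointTeamServices response header. The path list is a short illustrative subset, and the offline stand-in responses (including the version string) are constructed so the script runs without a target.

```python
"""Probe a SharePoint site for default pages served anonymously.

Added example, not the post's fuzzer. DEFAULT_PATHS is an illustrative
subset; the offline FAKE_RESPONSES are constructed for demonstration.
"""
import urllib.error
import urllib.request

# Default SharePoint/FrontPage paths; an anonymous 200 on any of these is a finding.
DEFAULT_PATHS = [
    "/_vti_inf.html",                 # FrontPage Server Extensions / product version
    "/_vti_bin/spdisco.aspx",         # web service discovery
    "/_layouts/viewlsts.aspx",        # list of lists (SharePoint 2010 and earlier)
    "/_layouts/15/viewlsts.aspx",     # same page on SharePoint 2013 and later
    "/_catalogs/masterpage/Forms/AllItems.aspx",
]

# SharePoint puts its build number in this response header on every page.
VERSION_HEADER = "microsoftsharepointteamservices"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect (typically to the login page) as the response itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError carrying the 3xx status


def http_probe(base_url, path, timeout=5):
    """GET base_url+path; return (status, lower-cased headers) or (None, {}) on error."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "sp-recon"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx still carry headers, including the version header
        return err.code, {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, OSError):
        return None, {}


def probe_site(base_url, paths=DEFAULT_PATHS, probe=http_probe):
    """Return the advertised version (if any) and the paths that answered 200."""
    version = None
    exposed = []
    for path in paths:
        status, headers = probe(base_url, path)
        if status is None:
            continue
        version = version or headers.get(VERSION_HEADER)
        if status == 200:
            exposed.append(path)
    return {"version": version, "exposed": exposed}


# Constructed stand-in for a target so probe_site() runs offline.
FAKE_RESPONSES = {
    "/_vti_inf.html": (200, {VERSION_HEADER: "15.0.0.4420"}),
    "/_vti_bin/spdisco.aspx": (200, {VERSION_HEADER: "15.0.0.4420"}),
    "/_layouts/viewlsts.aspx": (404, {VERSION_HEADER: "15.0.0.4420"}),
    "/_layouts/15/viewlsts.aspx": (302, {"location": "/_layouts/15/Authenticate.aspx"}),
}


def fake_probe(base_url, path):
    """Offline replacement for http_probe keyed on path; unknown paths look unreachable."""
    return FAKE_RESPONSES.get(path, (None, {}))


if __name__ == "__main__":
    # Against a live site: probe_site("https://sharepoint.example")
    print(probe_site("https://sharepoint.example", probe=fake_probe))
```

Redirects are deliberately not followed: on a locked-down site most of these paths bounce to Authenticate.aspx, and counting that as "reachable" would hide the difference between a page that is exposed and one that merely exists. The build number in the header tells you which cumulative update the farm is on before you spend any time fuzzing.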

What to do?

  • Patch.
  • Restrict / remove default pages, forms, layouts

Word Heist!

So, I stumbled upon an interesting script.

Over the years I have used various tools and scripts for spear phishing, with the many vulnerabilities in the Microsoft Office suite and Adobe PDF Reader as enablers, and the ability to embed macros as an even bigger one. But things have changed: users are now wary of the "enable macros" warning and don't enable macros anymore 😦

[Screenshot: Office macro warning bar]

...hence most spear phishing attempts fail or are filtered by mail filters, firewalls and IPSs as they are deemed suspicious.

So this was a breath of fresh air, and it seems to get through most IPSs and security devices.

On your listening server:

Download the script and put an image of your choice in the folder; I chose elephant.jpg.

Start the script as below. We want this server to act as the listener, hence the 1 after the image name; setting it to 0 will not start the listener.

[Screenshot: starting the script]

The script is mostly automated; the only hard work is sending the file. Notice below that an *.rtf file (1491333207.rtf) has been generated from the *.jpg image (elephant.jpg).

[Screenshot: generated .rtf file]

This is what we need to send to our victim, and where we need to get really creative...

After sending the *.rtf document to the victim:

Wait for the victim to open the document, and immediately you will see NTLM hashes appearing in the listener's terminal. At the same time a file, passwords_netntlmv2, containing the NetNTLMv2 hashes is created. (NetNTLMv2 is a challenge-response value rather than the stored password hash, so it cannot be replayed pass-the-hash style; it has to be cracked.) Which brings us to the last step: cracking the hashes.

[Screenshot: captured NetNTLMv2 hashes]

Password cracking

There are many tools for this, but John the Ripper is recommended for various reasons. I used JtR for this illustration, as below:

[Screenshot: John the Ripper output with username and password]

And voila, the victim's password!

Note: it would take longer depending on the complexity of the password and the wordlist used.

From a blue teamers point of view:

  • We see the need for strong passwords that meet complexity requirements; a captured NetNTLMv2 value is only useful to the attacker once it is cracked.
  • An outbound connection from a workstation to an external host on port 445 (also seen with meterpreter sessions) is a strong indicator of compromise, though not conclusive on its own; blocking outbound SMB (TCP 139/445) at the perimeter stops this capture outright.
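As an added example for the blue-team side (not part of the original post), the check below scans constructed firewall-style log lines for the pattern just described: an internal workstation opening TCP 139/445 to an external address. The line format, the internal address ranges and the sample entries are all assumptions for illustration; adapt parse_line() to your own firewall's export.

```python
"""Flag outbound SMB (TCP 139/445) from internal hosts to the internet.

Added example, not part of the original post. The log format is a
constructed firewall-style line; adapt parse_line() to real logs.
"""
import ipaddress
import re

SMB_PORTS = {139, 445}

# What counts as "internal" is an assumption; most sites use RFC 1918 plus loopback/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip_text):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_smb(lines):
    """Return records for TCP 139/445 flows from an internal source to an external destination.

    Both allowed and denied flows are reported: a denied attempt still means a
    host tried to authenticate outwards, which is the event worth investigating.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


# Constructed sample: a workstation opening the rigged .rtf (lines 1 and 5), a normal
# file-server flow, an HTTPS flow, and an inbound SMB attempt blocked by the firewall.
SAMPLE_LOG = [
    "2017-04-04T20:33:27Z allow tcp 10.0.0.12:51522 -> 203.0.113.7:445",
    "2017-04-04T20:33:28Z allow tcp 10.0.0.12:51523 -> 10.0.0.5:445",
    "2017-04-04T20:33:29Z allow tcp 10.0.0.12:51524 -> 198.51.100.20:443",
    "2017-04-04T20:33:30Z deny tcp 198.51.100.9:40000 -> 10.0.0.5:445",
    "2017-04-04T20:33:31Z allow tcp 10.0.0.19:51000 -> 203.0.113.7:139",
]

if __name__ == "__main__":
    for rec in outbound_smb(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} outbound SMB ({rec['action']})")
```

Two hosts reaching the same external address on 445/139 within seconds of each other, as in the sample, is exactly what a phishing wave of rigged documents looks like from the firewall; correlating the source hosts with mail logs for the preceding minutes usually identifies the attachment.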