Common Findings Database

The difference between "fast" and "slow" hashing algorithms is exactly that. One algorithm takes very little time to compute. The other takes much longer to compute, (is slow).

When dealing with fast hashing algorithms, and attacker is able to make many more guesses in the same amount of time, increasing his chance of finding the resulting plaintext password.

With the plaintext passwords in hand, the attacker is highly likely to use the information to further his malicious intentions. Or to leak the plaintext passwords on the internet in an attempt to embarrass and humiliate your service in the eyes of the public.

Examples of fast hashing algorithms are as follows:

• SHA-1
• MD5
• SHA-2
• LM

If access to the application is limited for the purposes of ascertaining the the name of the algorithm used, it is often possible to determine the algorithm that generated a hash by looking at the hash itself.

One such tool capable of performing this analysis to a limited extent is John the Ripper, which can be found here.

Examples of which are as follows:

• BCrypt
• Crypt)
• PBKDF2

Another interesting hashing algorithm is SCrypt which uses extensive amounts of memory rather than time in order to limit an attacker's ability to parallel compute when attacking a hash.

If for some reason it is impossible for a system or service to be upgraded from a fast hashing algorithm, it is then paramount that a proper password policy be set and enforced in order to increase the complexity of stored passwords and increase the work the attacker must perform.

An example of a password policy that might mitigate the use of fast hashing algorithm to some extent is as follows:

>>Min-Length:21
>>Must Contain: Upper/Lower Alpha, Numeric, Special Char
>>Recommend: Passphrase, not password

https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage

https://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996

https://crackstation.net/hashing-security.htm

Gain access to printer files and configuration Execute programs from the printer by loading custom firmware images Read files on the printer and potentially intercept printed files

Deral Heiland: From Printer to Pwned
Extensive Default Password List

• List of possible uses for this vulnerability to give real-world uses
• Read files as www-data (or use web server is running as)
• DDoS service
• Code execution (for this one to fly there needs to be a reference proving it)

username/password

• tomcat/tomcat
• both/tomcat
• role1/tomcat
• manager/manager
• admin/admin

[Link to CVE] [Link to Metasploit module] [Link to Nessus/NeXpose/Qualys write up]

One can search for abnormal commands in a number of ways, including but not limited to monitoring web user command line history, monitoring of logs (such as apache's access.log, monitoring of network traffic to detect requests on the wire (IDS for example), and hardcoding monitoring routines into the application itself.

Here are a number of resources to assist you in properly sanitizing data in a number of languages.

PHP

ASP.NET

Ruby Rails

Java+method)

Python/Ruby

Input sanitization is accomplished by removing/escaping special characters from user supplied input. Or by properly quoting the user supplied input.

The command seperator is used to end the command that the application expects to execute, and everything that follows is added as commands appended to the application's usual request.

For example, if an application takes user input in the form of an IP address to "ping" from the command line; and the application does not correctly sanitize input: A normal request might look like "ping user_supplied_ip". The injection might look like "ping && cat /etc/passwd".

Example is illustrated below. <syntaxhighlight lang="php"> <?php

if(isset($_GET['ip'])) {

       $ip = $_GET['ip'];
       $output = shell_exec("ping -c 3 $ip");

$output

} ?> </syntaxhighlight> The PHP code above is vulnerable to command injection since it does not sanitize any input.

Here is what the ping form might look like with a user supplied IP to ping.

As you can see, exploitation is quite simple in a basic scenario like this.

• List of possible uses for this vulnerability to give real-world uses
• Read files as www-data (or use web server is running as)
• DDoS service
• Code execution (for this one to fly there needs to be a reference proving it)

• Link to CVE
• Link to Metasploit module
• Link to Nessus/NeXpose/Qualys write up

• Overwrite files (overwrite files as web server user)
• Denial of Service

If the server is vulnerable to directory traversal, it will be possible to "escape" from the intended directory and/or document root by referencing a series of directories above the intended directory using dot-dot-slash ("../") notation. Depending on the starting directory, several dot-dot-slashes to reach the target directory.

Example #1: Linux password file http://www.example.com/profile.php?user=../../../../../etc/passwd

Example #2: Window.ini http://www.example.com/display.asp?page=../../../../../Windows/system.ini Windows Web Servers If the target web server is running on Windows, it may be necssary to use back slashes ("\") instead of forward slashes.

Absolute Path Traversal In some instances, it may be possible to specify the absolute path of the file.

Example #3: Linux password file via absolute path traversal

http://www.example.com/profile.php?user=/etc/passwd

Encoding During testing, it may appear that the web server ACLs and input sanitization are functioning properly. Testing should also include requests using character encoding to bypass input sanitization routines in the application.

Encoding Example #1: http://www.example.com/profile.php?user=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Encoding Example #2: http://www.example.com/profile.php?user=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

Overwriting files If the web application uses client-supplied input to specify the target location or file name for file uploads, it may be possible to overwrite existing files, provided the web server user has write permissions to the target file and directory. In some instances, this may result in a denial of service condition. Testing for directory traversal file overwrite vulnerabilities uses the same methods outlined above.

• https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/23.html
• https://cwe.mitre.org/data/definitions/36.html

• Direct access to database records, messages, files, etc.

Typically, Insecure Direct Object Reference exists within the authentication boundary of the application. However, in poorly designed authentication and authorization schemes, it may be possible to access objects for which authentication is normally required. For example, if a company's support page offers only certain knowledgebase articles to unauthenticated users and requires authentication for all others, it may be possible to access articles which normally require authentication. In this example, if kbarticle.php?article=12345 is viewable by unauthenticated users, but article=55555 is intended for only authenticated users, if article=55555 is accessible by an unauthenticated user then Insecure Direct Object Reference exists.

• https://cwe.mitre.org/data/definitions/639.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8487
• http://blog.attify.com/2015/05/26/offensive-security-oscp-student-control-panel-owned/

• Enumerate objects using BurpSuite Intruder or similar methods
• Determine if objects are owned by another user or should be referenceable by requester

More work is spent securing the highly sensitive section of the site. But a vulnerability is a less sensitive section of the site is potentially just as dangerous under this model.

Additional detection methods include writing hidden javascript routines into the code of the site which send an alert home if they are hosted somewhere other than the original site.

When a user visits the page containing the injection they are redirected to the attacker's malicious copy of the vulnerable application. This happens transparently, and unless the user is exceptionally privy they are unlikely to notice the redirection. They will then continue to use the application as before. Potentially accessing the highly secure sections (such as the payment system) on the attacker's malicious site.

This can be accomplished by coding a method into whatever application is used to access the db, that performs these checks/alerts. MySQL query history can also be monitored directly.

Detection of SQLi can also be performed by network or host based IDS.

SQLi can also be detected by monitoring for unexpected changes to the database and its contents manually. Or by monitoring the web application's logs (such as apache's access.log). Or by monitoring network activity for signs of sensitive data being accessed by a remote party.

This resource provides instructions for proper sanitization in a number of languages: http://bobby-tables.com/ Another resource can be found here.

The main method by which one avoids SQLi is through the use of parametereized queries. A parameterized query is a query for which specific inputs are mapped to specific parameters. The exact way to implement is different in every language and for every library (SQL backend/server type). However, here is a wonderful resource, a multi-language cheat sheet from OWASP.

The end goal is to remove/escape special characters from the user supplied input. Or to properly encapsulate the user supplied input in quotes that it cannot escape. These methods can accomplish that for you.

For example. If a query performs a lookup of username by first name in a users table it might look something like this: SELECT username FROM users WHERE firstname='user_supplied_firstname'. In this scenario, the attacker would be able to "break out" of the quoted parameter by setting his input like so user_supplied_firstname = ' or 1=1;--

The final query would look like this: SELECT username FROM users WHERE firstname= or 1=1;--

This would tell the SQL database to return all the usernames where the firstname is equal to , or where 1=1. 1 is always equal to 1, therefore it always returns true. This will cause the query therefore to return all of the usernames in the database.

It's a very basic example. But it demonstrates exactly what SQLi is. When special characters are allowed into a query unescaped, they can modify the query itself.

An example is demonstrated below. <syntaxhighlight lang="php"> <?php if(isset($_GET['firstname'])) {

       $search = $_GET['firstname'];
       $db = new SQLite3('users.db');
       $results = $db->query("SELECT username FROM users WHERE firstname='$search'");
       while($row = $results->fetchArray()){
               echo $row[0];
               echo "
";
       }

} ?> </syntaxhighlight> The above PHP code is vulnerable to SQLi. It doesn't attempt to escape or remove special characters from the user supplied input before passing it into the query.

It also does not use parameterized queries to wrap the user supplied input inside of quotes, forcing them to stay inside a specific parameter.

As you can see, it doesn't take much for an attacker to exploit SQLi when presented with a vulnerable application.

• An attacker can interact with otherwise restricted IP addresses and services, either on the server itself (localhost), or on other IPs. This can give an external attacker visibility to an internal environment. This includes using the vulnerable server to port scan other hosts (Cross Site Port Attacks (XSPA)).
• If the vulnerable server can communicate with backend API's or services that do not require authentication, the external attacker can fully interact with those services.
• If the vulnerable application is hosted in a cloud environment, such as Amazon EC2 and OpenStack, this may allow the attacker to gain access to metadata services, which can be used to gain access to sensitive information, sometimes including credentials or private keys.

The target application is accepting a URL from you. Ex: www.thirdpartysite.com The target application is displaying part or all of the result back to you. 2) If both conditions apply, look at your proxy logs. If you do not see the request to the resource (www.thirdpartysite.com) in your proxy logs, but you see the content on the page, this indicates that the content returned to you has been requested by the server itself on your behalf. This behavior indicates the application is vulnerable to SSRF.

An intentionally vulnerable demo application requesting a page on behalf of the user:

CWE-918: Server-Side Request Forgery (SSRF) CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') EC2 Instance Metadata Service Documentation OpenStack Metadata Service Documentation Compromising an unreachable Solr server with CVE-2013-6397 Bringing a Machete to the Amazon Prezi Got pwned - A tale of responsible disclosure

Manually testing SSRF using a browser (GET Requests), or something like Burp Repeater (POST Requests) The level of risk you can demonstrate depends on how much you know about the environment. Is the vulnerable application hosted on a service that uses a metadata service (ex: http://169.254.169.254)? If so, pull up the reference documents above and make some requests to valid metadata service endpoints for your respective service. EC2: http://www.example.com/?url=169.254.169.254/latest/dynamic/instance-identity/document To discover services, exploit SSRF to perform a XSPA. One simple way to do this is to use Burp Intruder. Send the initial Request to Burp Intruder For the URL, use http://host:port format, and make the port the position For the payload, enter the port numbers you want to test (only TCP works) Start the attack. Pay attention to the response times for each requested port. You should be able to infer which ports are open and which ports are closed based on the response times. Quicker times are open ports, longer times are closed ports (they timed out before the client gave up). Can you target other services via SSRF that are not directly accessible to you? You could even run a tool like dirbuster or the http-enum NSE via SSRF.

• Usernames/Passwords
• Personally Identifiable Information
• Personal Health Information
• Financial Data

• Mozilla Wiki on Server Hardening
• OWASP TLS Cheat Sheet
• CVE-2014-3566 "POODLE"

• Use iptables to re-direct to your proxy listening port: iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>
• Use proxy tool (e.g. mitmproxy) to intercept the connection and alter SSL Handshake so client only requests weaker versions of SSL and/or weaker ciphers (configuration will vary depending on the tool(s) used.

• Link to CVE
• Link to Metasploit module
• Link to Nessus/NeXpose/Qualys write up

• List of possible uses for this vulnerability to give real-world uses
• Read files as www-data (or use web server is running as)
• DDoS service
• Code execution (for this one to fly there needs to be a refence proving it)

• Link to CVE
• Link to Metasploit module
• Link to Nessus/NeXpose/Qualys write up

The attacker might use for example, an error field in a form which allows injecion of arbitraty (non-code) content to make the error field appear to read that the user must contact the "site admin" @ "[email protected]".

Please see the attached blog post for more information.

Additionally, the vast scripting capabilities mean that many tools and exploits can potentially be run from a system on which a standard user account may not have privilege to install tools. These tools could be used to perform functions to elevate privileges on the local system, perform network reconaissance, perform attacks against other remote systems, etc.

Get-ExecutionPolicy

• Microsoft Technet on Scripting in PowerShell
• Powersploit post exploitation with PowerShell

• Enable LocalAccountTokenFilterPolicy registry key as detailed in the references
• Use Microsoft's LAPS or alternative local account randomization tool to randomize the local account passwords.

• Microsoft LAPS

• Network level by mass usage of credentials. Attackers need to find where the credentials dumped can be used and the usual way to do this is to test them out and see where access is granted

• SMB or HTTP relay of credentials to NTLM based services
• Code execution when used in conjuntion with PSEXEC

Using the reference on craig-tolley.co.uk you can set a VB script to run as a Logon Script that will disable this setting.

• http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle
• http://www.craig-tolley.co.uk/2011/08/30/disable-automatically-detect-settings-in-internet-explorer/

Code and screen shots of this happening

Scenario 2: SMB Relay to PSEXEC for code execution

Code and screen shots of this happening

Example SPN Kerberos Tickets: Id  : uuid-7856e72a-2c40-4d94-a939-8c671b80e2bd-2 SecurityKeys  : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKe

                      y}

                      y}

ValidFrom  : 5/19/2016 3:06:41 PM ValidTo  : 5/20/2016 12:53:24 AM ServicePrincipalName : MSSQLSvc/WIN2K8R2.sittingduck.info SecurityKey  : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey

• Acquire list of services running on a particular host
• Acquire Kerberos tickets with the context of the user running the service
• Compromise a domain based on the level of the user running the SPN service (Domain Admin accounts have been used to run Services in the past)

• Ensure that any service accounts have long, strong passwords (20 character+)

• Managed Service Accounts
• Cracking Kerberos TGS Tickets Using Kerberoast - Exploiting Kerberos to Compromise the Active Directory Domain

[email protected]:~/impacket/examples# ./GetUserSPNs.py -dc-ip 192.168.168.10 sittingduck.info/notanadmin Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies

Password: ServicePrincipalName Name MemberOf PasswordLastSet

http/win10.sittingduck.info uberuser CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21 MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01 Crack the service ticket password using oclHashcat:

[email protected]:~/oclHashcat# ./oclHashcat -m 13100 hash -w 3 -a 3 ?l?l?l?l?l?l?l oclHashcat v2.01 (g0891e39) starting...

Device #1: Hawaii, 2858/4025 MB allocatable, 1010Mhz, 44MCU Device #2: AMD FX(tm)-8120 Eight-Core Processor, skipped

Hashes: 1 hashes; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Applicable Optimizers:

Started: Wed Feb 17 08:33:57 2016 Stopped: Wed Feb 17 08:34:04 2016

• Re-issuance of certificates with export flag enabled

• Stealing User certificates with Mimikatz
• Stealing User certificates with Mimikatz
• KeyRaider malware steals certificates from iPhone

Test

WPS can pose a variety of risks for wireless network security. The PIN-based method can be vunerable to brute force attacks over the air. Other types (e.g. push-button methods) would require physical access to the router.

• Reaver on Google Code
• Cert Write-up on WPS PIN Vulnerability