Attacking Drupal: Hacking and Securing Drupal Web Applications
Greg Foss | @heinzarelli

May 08, 2015



Greg Foss

Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.

Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Transcript
1. Company Confidential. Attacking Drupal: Hacking and Securing Drupal Web Applications. Greg Foss | @heinzarelli

2. who: Greg.Foss[at]LogRhythm.com. Senior Security Research Engineer @ LogRhythm Labs -- Threat Intelligence Team. Web Developer => Penetration Tester => Researcher.
3. what
4. why: Open Source! Popular: Government, Business, Personal, etc. Easy to install, configure, and use. Minimal back-end knowledge or PHP/MySQL experience necessary (for basic site configurations). Excellent community!
5. how: think like the bad guys
6. question
7. NO
8. why scanning isn't enough: Drupal core is fairly well hardened against injection attacks. Contributed and/or third-party modules are not. Good exploits are few and far between.
9. why scanning isn't enough
10. why scanning isn't enough
11. other ways to find site information: [domain.com] inurl:changelog.txt
12. intelligent fingerprinting:
    https://code.google.com/p/cms-explorer/
    # perl cms-explorer.pl --url http://attacking.drupal.org/d7/ --type drupal --osvdb
    http://blindelephant.sourceforge.net/
    # python BlindElephant.py http://attacking.drupal.org/d7 drupal
13. (screenshot)
14. GitHub queries
15. GitHub scraping: http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
16. GitHub scraping: Scrape an internal GitHub deployment
17. Drupal 6: MySQL Connection String: [docroot]/sites/default/settings.php
18. Drupal 7: MySQL Credentials, Drupal Hash Salt: [docroot]/sites/default/settings.php
19. remediation
20. resources: Static analysis is outside of the scope of this talk. For more information on the inner workings of Drupal security, please visit the following resources: https://drupal.org/security, http://crackingdrupal.com/, http://drupalscout.com/, http://www.madirish.net/
21. Dynamic Analysis: Breaking Live Drupal Applications
22. necessary access: Appropriate access for testing: Administrative account; Basic user account; Content manager/creator account; Other applicable accounts.
23. necessary access: Already have server access? Drush available? Create a one-time link to log in as an admin:
    $ cd [drupal directory]
    $ drush uli
24. necessary access
25. Authentication
26. forgot password abuse
27. forgot password abuse
28. user enumeration: Iterate through accounts. View comments, posts, etc. Social features, forums, etc. User Profiles. Not seen as a vuln by many.
29. user enumeration
30. user enumeration
31. user enumeration: https://drupal.org/node/1004778
32. dictionary attacks, Drupal 6
33. dictionary attacks, Drupal 7
34. dictionary attacks, Drupal 7
35. dictionary attacks, Drupal 7
36. dictionary attacks with Hydra:
    # site="attacking.drupal.org"
    # id=$(curl -s http://$site/user/ | grep "form_build_id" | cut -d '"' -f6)
    # /usr/bin/hydra -L usernames.txt -P pwds.txt $site http-form-post "/?q=user/:name=^USER^&pass=^PASS^&form_id=user_login&form_build_id="$id":Sorry"
37. dictionary attacks with Hydra, Drupal 6
38. dictionary attacks with Hydra, Drupal 7
39. [demo] User Enumeration and Dictionary Attack Scripts: https://github.com/gfoss/attacking-drupal/
40. user enumeration (partial) mitigations: Replace the default forgot-password and failed-logon-attempt messages. Do not display authors of articles; if possible use a pseudonym. Limit permissions of anonymous/basic users to view user profiles: https://drupal.org/node/849602. Log and alert on attempts to scrape user account information. Not just server logs! Watchdog or Drupal syslog should be captured and stored remotely.
41. user enumeration: watchdog logs
42. dictionary attack: watchdog logs
43. dictionary attack: web server logs
44. dictionary attack mitigations: CAPTCHA
45. CAPTCHA security precautions: configure CAPTCHA securely
46. Drupal 7 built-in brute-force protection: modules/user/user.module line 2183
47. enforce strong passwords: https://drupal.org/project/password_policy, https://drupal.org/project/zxcvbn
48. other brute force protections: Limit number of invalid login attempts and block attacker IP addresses: https://drupal.org/project/login_security. LDAP Integration. Single Sign On (SSO). Multifactor Authentication: https://drupal.org/project/tfa
49. session handling: Drupal 6, Drupal 7
50. secure transport: Enable SSL!
51. authorization: User permissions properly implemented? administration => people => permissions. Trust but verify. Create new roles as necessary. Drupal 6 defaults to 2 roles (anonymous & authenticated). Drupal 7 defaults to 3 roles (anonymous, authenticated, & admin). Test the app using all user roles, verify their permissions and search for security weaknesses.
52. content creation & comments
53. comments: persistent XSS
54. comments: XSS cookie theft
55. comments: MSF JavaScript keylogger
56. comments: BeEF XSS: http://beefproject.com/
57. [demo] Cross-Site Scripting (XSS) -- Client Side Attacks
58. persistent XSS everywhere!
59. reflected XSS even more common!
60. user content: file uploads
61. lock down permitted file types
62. file upload PHP code execution: Uploading and executing PHP code has been fixed in recent versions of Drupal as of November 2013: https://drupal.org/SA-CORE-2013-003. Code execution prevention (Files directory .htaccess for Apache, Drupal 6 and 7).
63. development modules: Modules that assist with the active development of a Drupal application. Excellent for Development. Remove prior to Test/Staging. Never leave installed on Production applications. Picking on: Masquerade (https://drupal.org/project/masquerade), Devel (https://drupal.org/project/devel).
64. masquerade: Allows the user to change accounts to any other user. Could be used to implicate others in suspicious activities, elevate privileges, etc.
65. devel: Module used for development. Should never be installed on production, ever. Allows users to view debugging information, including full database details of application content. Also allows for PHP code execution!
66. devel: account info disclosure
67. devel: scraping account info
68. devel: account disclosure log traces
69. [demo] Devel Account Harvester: https://github.com/gfoss/attacking-drupal
70. ./includes/password.inc: Defines the hashing algorithms for Drupal 7. Hashes the password using SHA512 and a randomly generated Salt. Password passed through hash function numerous times to increase the time it will take to crack.
71. cracking Drupal hashes:
    Drupal 7: # john list.txt wordlist= salt= format=drupal7
    Drupal 6: # john list.txt wordlist=
72. cracking Drupal 7 hashes
73. cracking Drupal 7 hashes
74. devel: PHP code execution
75. devel: PHP code execution
76. [demo] Devel PHP Code Execution
77. catch code execution: Easier said than done. Alert on unauthorized file access/writes/etc. Strange server behavior. Utilizing WAF/Web Proxy/NetFlow Data/etc., alert on reverse-shell attempts and similar activities the server should not be doing.
78. what to do?!: We've discussed many very common Drupal development pitfalls today. How do we fix these issues now and avoid them in the future? Simple.
79. what to do?!: Checklist: https://github.com/gfoss/attacking-drupal
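What ./includes/password.inc (slide 70) does in practice, as an added example in Python (not code from the talk, its repository, or Drupal itself): a port of Drupal 7's $S$ password scheme, with its custom base64 alphabet, the 8-character salt and the 2^N iterated SHA-512 rounds that make the john runs on slides 71 to 73 slow. The constants are Drupal 7's; the salt and password used in the test are constructed.

```python
import hashlib
import hmac

# Constants from Drupal 7's includes/password.inc (the file slide 70 describes).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH = 55    # stored hashes are truncated to this length
DRUPAL_HASH_COUNT = 15     # default log2 of the round count: 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

def password_base64_encode(data: bytes) -> str:
    """Drupal's non-standard base64: 6-bit groups taken little-endian, unpadded."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)

def password_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt() for $S$: SHA-512 over salt+password, then 2**N more rounds."""
    pw = password.encode()
    setting = setting[:12]              # '$S$' + round-count char + 8-char salt
    if len(pw) > 512 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('bad setting or oversized password (Drupal refuses both)')
    count_log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError('round count out of range')
    salt = setting[4:12].encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):    # the repeated hashing slide 70 refers to
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]

def user_check_password(password: str, stored: str) -> bool:
    """Verify against a stored $S$ hash (legacy md5 and 'U$S$' upgrade hashes omitted)."""
    return stored.startswith('$S$') and hmac.compare_digest(password_crypt(password, stored), stored)
```

A stored hash carries its own setting in the first 12 characters, so verification re-runs the same salt and round count; 'D' at position 3 is the default 2^15 rounds.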
80. Drupal security checklist (1): Integrate your security team early on in the development process to assure that your needs can be met in an acceptable time frame. Applications should periodically be reviewed by a third party, to assure security. Develop an ongoing security testing plan, to regularly review the security of the applications. Re-review the application whenever major changes have been made.
81. Drupal security checklist (2): Harden the application and server architecture. Protect risky Drupal files from the internet: install.php, cron.php, & xmlrpc.php. Example Hardening Guides, Bare Minimum: Harden PHP: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet. Harden the Server (Linux): http://www.sans.org/score/checklists/linuxchecklist.pdf. Harden the Server (Windows): http://technet.microsoft.com/en-us/security/jj720323.aspx
82. Drupal security checklist (3): Disallow weak passwords for privileged users and enforce a strong password policy. Utilize the Password Policy Drupal module to enforce a password policy that meets your company security guidelines. https://drupal.org/project/password_policy, https://drupal.org/project/zxcvbn
83. Drupal security checklist (4): Implement Server, Application, and Drupal logging. Assure that logs are being stored on a separate and trusted server and actively review/parse these logs for security events. Do not rely on the integrity of local logs within the database or on the server itself.
84. Drupal security checklist: Two options. Watchdog: Drupal's built-in logging, captures data within the Watchdog database table. Syslog: Export Drupal's logs to the Linux syslog. Creates a flat file that is easy to monitor.
85. remote log management, Watchdog: Watchdog logs should be captured and stored outside of the database to ensure log integrity. Centralized log management. SIEM: Security Information Event Management. Drupal has a built-in feature to clear these logs, effectively erasing a large portion of the evidence within the application itself.
86. remote log management, Watchdog: Extract the logs from the database (MySQL/PostgreSQL) with Universal Database Layer Access (UDLA).
87. remote log management, Syslog: Send watchdog logs to Syslog. Core Module, Drupal 6 & 7.
88. remote log management, parsing rules: Parse the logs using Regular Expressions:
    ^.*?type=.*?(?.*?)smessage=(? .*?)variables=(.*?"|.*?)(?).*?referer=(.*?).*? hostname=.*?()s
89. remote log management, alerts: Configure Monitoring and Alerts
90. Drupal security checklist (5): Make sure that Development modules are not installed on production applications. Remember Devel and Masquerade?
91. Drupal security checklist (6): Review and apply all available Drupal security updates as soon as possible.
92. security updates: Set up alerts within Drupal
93. security update notifications: http://lists.drupal.org/mailman/listinfo/security-news, https://drupal.org/security/rss.xml, https://drupal.org/security/contrib/rss.xml, https://drupal.org/security/psa/rss.xml
94. Drupal security checklist (7): Disallow untrusted user roles from creating content using HTML (filtered/unfiltered) to avoid JavaScript inclusion. Also explicitly disallow PHP code execution. While limited HTML is recommended by the Drupal community, a skilled attacker may still bypass these restrictions and attack a site or its users via user-generated content. Be careful with what HTML entities are explicitly allowed.
95. Drupal security checklist (8): Check file permissions; verify there are no unintentional world-writeable files.
96. Drupal security checklist (9): Implement CAPTCHA or a similar mechanism in front of user-registration and login forms. Assure that this is not configured to allow authentication/registration attempts following an initial successful CAPTCHA completion. This will also help mitigate the creation of accounts by a botnet and deter subsequent comment spam.
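The Drupal syslog lines that slides 87 to 89 ship off-box, parse and alert on, and the failed-login traces of slides 41 to 43, as an added example (not code from the talk or its repository): a parser for Drupal 7's default syslog_format (base_url|timestamp|type|ip|request_uri|referer|uid|link|message under the identity "drupal") and a detector that alerts on a burst of "Login attempt failed for %user." from one IP, on many distinct usernames tried from one IP, and on a session opened shortly after failures from the same IP. The sample lines, hostnames, IPs and thresholds are constructed; the two message texts are the strings Drupal 7's user.module writes to watchdog.

```python
import re
from collections import defaultdict

# Drupal 7's syslog module emits one line per watchdog entry; its default syslog_format is
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message, identity "drupal".
SYSLOG_RE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) drupal(?:\[\d+\])?: '
    r'(?P<base_url>[^|]*)\|(?P<timestamp>\d+)\|(?P<type>[^|]*)\|(?P<ip>[^|]*)\|'
    r'(?P<request_uri>[^|]*)\|(?P<referer>[^|]*)\|(?P<uid>[^|]*)\|(?P<link>[^|]*)\|(?P<message>.*)$')
# Message texts written by Drupal 7 user.module on a failed and on a successful login.
FAILED_RE = re.compile(r'^Login attempt failed for (?P<user>.+)\.$')
OPENED_RE = re.compile(r'^Session opened for (?P<user>.+)\.$')

def parse_line(line):
    """Split one syslog line into watchdog fields; None for lines that are not Drupal's."""
    m = SYSLOG_RE.match(line)
    return dict(m.groupdict(), timestamp=int(m['timestamp'])) if m else None

def detect_login_abuse(lines, window=300, fail_threshold=5, spray_threshold=3):
    """Alerts on failed-login bursts, many usernames from one IP, and a login right after
    failures. Thresholds are illustrative, not Drupal's own flood-control limits."""
    failures, fired, alerts = defaultdict(list), set(), []   # failures: ip -> [(ts, user)]
    for rec in filter(None, map(parse_line, lines)):
        if rec['type'] != 'user':
            continue
        ip, ts = rec['ip'], rec['timestamp']
        failed = FAILED_RE.match(rec['message'])
        opened = OPENED_RE.match(rec['message'])
        if failed:
            failures[ip].append((ts, failed['user']))
            recent = [u for t, u in failures[ip] if ts - t <= window]   # sliding window
            if len(recent) == fail_threshold:
                alerts.append(('brute_force', ip, len(recent)))
            if len(set(recent)) >= spray_threshold and ('spray', ip) not in fired:
                fired.add(('spray', ip))
                alerts.append(('user_spray', ip, sorted(set(recent))))
        elif opened and any(ts - t <= window for t, _ in failures[ip]):
            alerts.append(('success_after_failures', ip, opened['user']))
    return alerts

def _line(ts, ip, message):   # builds constructed sample lines in the format above
    return f'May  8 10:00:00 web01 drupal: http://example.test|{ts}|user|{ip}|http://example.test/user/login|-|0||{message}'

SAMPLE_LINES = [_line(1431075600 + i, '203.0.113.7', f'Login attempt failed for {u}.')
                for i, u in enumerate(['admin', 'admin', 'webmaster', 'editor', 'admin'])]
SAMPLE_LINES += [_line(1431075610, '203.0.113.7', 'Session opened for editor.'),
                 _line(1431075611, '198.51.100.2', 'Login attempt failed for bob.'),
                 'May  8 10:00:12 web01 sshd[4242]: Accepted publickey for ops']  # not Drupal's
```

Running detect_login_abuse(SAMPLE_LINES) yields a user_spray, a brute_force and a success_after_failures alert for 203.0.113.7 and nothing for the single failure from 198.51.100.2; the sshd line is ignored by the parser.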
97. Drupal security checklist (10): Install and run the Security Review module: https://drupal.org/project/security_review. Verify and resolve any uncovered issues. Install Paranoia if you are especially security conscious: https://drupal.org/project/paranoia
98. Drupal security checklist (11): Regularly check the site's status report page and resolve any open issues.
99. Drupal security checklist (12): Assure that the HTTPOnly flag is set to protect user sessions from attacks such as XSS. Whenever possible, implement the Secure flag as well, so session tokens are not inadvertently passed in plain text over HTTP.
100. Drupal security checklist (13): Implement additional layers of application protection. PHPIDS: https://phpids.org/, Drupal Module: https://drupal.org/project/phpids. ModSecurity: http://www.modsecurity.org/. Commercial Web Application Firewalls (WAF) and Intrusion Detection/Prevention (IDS/IPS) appliances.
101. Drupal security checklist (14): Assure there are no resident phpinfo files, phpmyadmin installations, etc. accessible to users.
102. closing thoughts: Do your research to better understand your organizational architecture, servers, applications, log data, etc. Pen test your applications, don't just scan. Update early and often! Leverage assistance from external entities as necessary. Listen to Greg. ;-)
103. download all the things: https://github.com/gfoss/attacking-drupal/
104. Thank You! questions?