Behind Enemy Lines Administrative Web Application Attacks Rafael Dominguez Vega 12 th of March 2009
Behind Enemy Lines Administrative Web Application Attacks Rafael Dominguez Vega 12 th of March 2009.
Jan 04, 2016
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Behind Enemy Lines
Administrative Web Application Attacks
Rafael Dominguez Vega
12th of March 2009
2
Main Objectives
• Insecurities
• Impact
• Attack Techniques
3
A little about me ...
4
What this talk will cover
• Intro
• DHCP Script Injection Attack
• SSID Script Injection Attack
• Scanning for Webmin Servers Attack
• Recommendations, Summary & QA
5
Introduction
6
Administrative Web Interfaces
• Administer Systems and Networks
• Help Administrators
• Most Network Systems have One
7
Why should they be secured?
• Vulnerable as any other Web Application
• Highly Privileged Access
• Different Services, Systems and Protocols
• Used in “Trusted Environment”
8
Today’s Web Application Attacks
• User Input Validation
• Security Best Practice
• Out of Band Channels
9
DHCP Script Injection Attack
10
DHCP “HandShake”
11
DHCP Request Packet
12
DHCP Script Injection Attack
• Active DHCP Leases List
• Attacker located in same LAN
• To Be Vulnerable
13
DHCP Script Injection Attack
14
DHCP Script Injection Attack
15
DHCP Script Injection Attack
16
DHCP Script Injection Attack
17
DHCP Script Injection Attack - DEMO
• pfSense
• Tool
• Remote Command Execution
18
SSID Script Injection Attack
19
SSID Script Injection Attack
• 802.11 Protocol
• Management Beacon Frames
• Malicious Code in SSID
20
SSID Script Injection Attack
• “Scan for Neighbours AP” Functionality
• Attacker located in Wireless Range
• Max. SSID length = 32 Characters
• SSID1/** **/SSID2 = 64 Characters
• Access to Internet Attacker Server
21
SSID Script Injection
22
SSID Script Injection
23
SSID Script Injection
24
SSID Script Injection
25
SSID Attack - DEMO
• Linksys – DD-WRT firmware
• Tool
• Disable Wireless Encryption
26
Scanning for Webmin Servers Attack
27
Webmin
28
Scanning for Webmin Servers
29
Scanning for Webmin Servers Attack
• Attacker located in same Network
• Redirect user to fake Webmin Server
• Obtain Administrator Credentials
• CSRF
30
Scanning for Webmin Servers Attack
31
Scanning for Webmin Servers Attack
32
Scanning for Webmin Servers Attack
33
Demo
34
Webmin Web Based Attack Propagation
35
Webmin Web Based Attack Propagation
36
Webmin Web Based Attack Propagation
37
Webmin Web Based Attack Propagation
38
Webmin Web Based Attack Propagation
39
Webmin Web Based Attack Propagation
40
Webmin Web Based Attack Propagation
41
Webmin Web Based Attack Propagation
42
Webmin Web Based Attack Propagation
43
Webmin Web Based Attack Propagation
44
Webmin Web Based Attack Propagation
45
Webmin Web Based Attack Propagation
46
Webmin Web Based Attack Propagation
47
Webmin Web Based Attack Propagation
48
Webmin Web Based Attack Propagation
49
Webmin Web Based Attack Propagation
50
Webmin Web Based Attack Propagation
51
Recommendations
52
Recommendations
53
Recommendations
• Assess Deployment
• Do not Trust your Internal Network
• Penetration Testing
• Strict Security Policy
• Risk Management
54
Summary
• Vulnerable as any other Web Application
• Additional Attack Vectors
• “Scanning”, “Detecting “ ,“Finding” Functionality
• Risks Increased
• Used in “Trusted Environment”
55
References & Further Reading
Project Web Site:
http://labs.mwrinfosecurity.com/
Contact Me
rafael.dominguez-vega( )mwrinfosecurity!com
56
Related Documents
