8/13/2019 Hacking Intranet Websites
1/36
Copyright 2006 WhiteHat Security, inc. All Rights Reserved.
Jeremiah Grossman (Founder and CTO)
- Technology R&D and industry evangelist
- Co-founder of the Web Application Security Consortium (WASC)
- Former Yahoo Information Security Officer

T.C. Niedzialkowski (Sr. Security Engineer)
- Manages the WhiteHat Sentinel service for enterprise customers
- Extensive experience in web application security assessments
- Key contributor to the design of WhiteHat's scanning technology

WhiteHat Sentinel - Continuous Vulnerability Assessment and Management Service for Websites.
WhiteHat Security
Assumptions of Intranet Security

Doing any of the following on the internet would be crazy, but on an intranet...
- Leaving hosts unpatched
- Using default passwords
- Not putting a firewall in front of a host
...is OK, because the perimeter firewalls block external access to internal devices.
Assumptions of Intranet Security

WRONG!
Everything is web-enabled

Routers, firewalls, printers, payroll systems, employee directories, bug tracking systems, development machines, web mail, wikis, IP phones, web cams, host management, etc. etc.
Intranet users have access

To access intranet websites, control a user (or the browser) which is on the inside.

[Diagram: a user inside the firewall whose browser carries JavaScript malware, reaching intranet hosts (IP phone, bug tracking, wiki, printer, new web server) over HTTP, FTP, SSH and NetBIOS]
Hacking the Intranet

Special thanks to: Robert "RSnake" Hansen, http://ha.ckers.org/

JavaScript malware gets behind the firewall to attack the intranet. It is operating system and browser independent.
The following examples DO NOT use any well-known or un-patched web browser vulnerabilities. The code uses clever and sophisticated JavaScript, Cascading Style Sheet (CSS), and Java Applet programming: technology that is common to all popular web browsers. Example code is developed for Firefox 1.5, but the techniques should also apply to Internet Explorer.
Contracting JavaScript Malware

1. The website owner embedded JavaScript malware.
2. The web page was defaced with embedded JavaScript malware.
3. JavaScript malware was injected into a public area of a website (persistent XSS).
4. The user clicked on a specially-crafted link causing the website to echo JavaScript malware (non-persistent XSS).
Stealing Browser History

JavaScript can make links and has access to CSS APIs. A visited link is styled differently from an unvisited one.

See the difference?
Cycle through the most popular websites.
NAT'ed IP Address

If we can get the internal subnet, great; if not, we can still guess for port scanning...

IP Address Java Applet: "This applet demonstrates that any server you visit can find out your real IP address if you enable Java, even if you're behind a firewall or use a proxy." Lars Kindermann, http://reglos.de/myaddress/

Send the internal IP address to where JavaScript can access it.
Blind URL Fingerprinting

There is a web server listening, but we can't see the response. What is it?

Many web platforms have URLs to images that are unique:
- Apache Web Server: /icons/apache_pb.gif
- HP Printer: /hp/device/hp_invent_logo.gif
- PHP image Easter eggs: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

Use onError! Cycle through the unique URLs using Image DOM objects. If the onerror event does NOT execute, then it's the associated platform.

Technically, CSS and JavaScript pages can be used for fingerprinting as well.
DSL Wireless/Router Hacking

Login, if not already authenticated:
http://admin:[email protected]/

Factory defaults are handy!
Change the password (POST to GET):
/password.cgi?sysOldPasswd=password&sysNewPasswd=newpass&sysConfirmPasswd=newpass&cfAlert_Apply=Apply
DMZ Hacking (POST to GET):
/security.cgi?dod=dod&dmz_enable=dmz_enable&dmzip1=192&dmzip2=168&dmzip3=1&dmzip4=9&wan_mtu=1500&apply=Apply&wan_way=1500
Network Printer Hacking (POST to GET):
/hp/device/set_config_deviceInfo.html?DeviceDescription=0WNED!&AssetNumber=&CompanyName=&ContactPerson=&Apply=Apply
Network Printer Hacking

Auto-fire printer test pages (POST to GET):
/hp/device/info_specialPages.html?Demo=Print
More Dirty Tricks

- Black hat search engine optimization (SEO)
- Click-fraud
- Distributed Denial of Service
- Force access of illegal content
- Hack other websites (IDS sirens)
- Distributed email spam (Outlook Web Access)
- Distributed blog spam
- Vote tampering
- De-anonymize people
- etc.

Once the browser closes there is little trace of the exploit code.
Anybody can be a victim on any website

Trusted websites are hosting malware. Cross-Site Scripting (XSS) and Cross-Site Request Forgery vulnerabilities amplify the problem.
XSS Everywhere

Attacks the user of a website, not the website itself. The most common vulnerability.

SecurityFocus cataloged over 1,400 issues. WhiteHat Security has identified over 1,500 in custom web applications. 8 in 10 websites have XSS. Tops the Web Hacking Incident Database (WHID): http://www.webappsec.org/projects/whid/
Exploited on popular websites

Exploitation leads to website defacement, session hijacking, user impersonation, worms, phishing scams, browser trojans, and more...
CSRF, even more widespread

"A cross-site request forgery (CSRF or XSRF), although similar-sounding in name to cross-site scripting (XSS), is a very different and almost opposite form of attack. Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a website has in a user by forging the enactor and making a request appear to come from a trusted user." Wikipedia, http://en.wikipedia.org/wiki/Cross-site_request_forgery

No statistics, but the general consensus is that just about every piece of sensitive website functionality is vulnerable.
CSRF hack examples

A story that diggs itself: users logged in to digg.com visiting http://4diggers.blogspot.com/ will automatically digg the story.
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00087.html
http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/

Compromising your GMail contact list: the contact list is available in JavaScript space.
Worms

MySpace (Samy Worm) - first XSS worm
- A logged-in user views samy's profile page, which has embedded JavaScript malware.
- The malware adds samy as their friend, updates their profile with "samy is my hero", and copies the malware to their profile.
- People visiting infected profiles are in turn infected, causing exponential growth.
24 hours, 1 million users affected.
http://namb.la/popular/tech.html

Yahoo Mail (JS-Yamanner)
- The user receives an email with an attachment embedded with JavaScript malware.
- The user opens the attachment and the malware harvests @yahoo.com and @yahoogroups.com addresses from the contact list.
- The user is redirected to another web page.
http://ha.ckers.org/blog/20060612/yahoo-xss-worm/

Cross-Site Scripting Worms and Viruses: The Impending Threat and the Best Defense
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
Solutions

How to protect yourself. Or at least try.
Not going to work

- Two-factor authentication
- Corporate web surfing filters
- Secure Sockets Layer (SSL)
- Staying away from questionable websites
- Patching and anti-virus: useful for other threats, but not against JavaScript malware.
Better End-User Solutions

- Be suspicious of long links, especially those that look like they contain HTML code. When in doubt, type the domain name manually into your browser location bar.
- No web browser has a clear security advantage, but we prefer Firefox. For additional security, install browser add-ons such as NoScript (Firefox extension) or the Netcraft Toolbar.
- When in doubt, disable JavaScript, Java, and ActiveX prior to your visit.
We Need More Browser Security

- Mozilla (Firefox), Microsoft and Opera development teams must begin formalizing and implementing Content-Restrictions.
  "Sites would define and serve content restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the content restrictions may still prevent malicious script from executing or doing damage." Gervase Markham, http://www.gerv.net/security/content-restrictions/
- Mozilla (Firefox) developers, please implement httpOnly. It's been around for years!
Fixing XSS and CSRF
Preventing websites from hosting JavaScript Malware

- Rock solid input validation. This includes URLs, query strings, headers, POST data, etc.
- Protect sensitive functionality from CSRF attack. Implement session tokens, CAPTCHAs, or HTTP referer header checking.
- Filter HTML from output, for example in Perl:

  # encode the characters that matter to HTML and script as numeric entities
  $data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;
  # or, more broadly, encode every non-word character
  $data =~ s/([^\w])/'&#'.ord($1).';'/sge;
Finding and Fixing

- Find your vulnerabilities before the bad guys do. Comprehensive assessments combine automated vulnerability scanning and expert-driven analysis.
- When absolutely nothing can go wrong with your website, consider a web application firewall (WAF) for defense in depth (mod_security, URLScan, SecureIIS).
- Harden the intranet websites. They are no longer out of reach. Patch and change default passwords.
Recommended Reading
For more information about WhiteHat Security, please call 408.492.1817 or visit our website, www.whitehatsec.com

Jeremiah Grossman, Founder and Chief Technology Officer
T.C. Niedzialkowski, Sr. Security Engineer, [email protected]