Hacking Intranet Websites

Jun 04, 2018

Ranjith M Kumar
Transcript
  • 8/13/2019 Hacking Intranet Websites


    Copyright 2006 WhiteHat Security, inc. All Rights Reserved.

    WhiteHat Security

    Jeremiah Grossman (Founder and CTO)
    • Technology R&D and industry evangelist
    • Co-founder of the Web Application Security Consortium (WASC)
    • Former Yahoo Information Security Officer

    T.C. Niedzialkowski (Sr. Security Engineer)
    • Manages WhiteHat Sentinel service for enterprise customers
    • Extensive experience in web application security assessments
    • Key contributor to the design of WhiteHat's scanning technology

    WhiteHat Sentinel - Continuous Vulnerability Assessment and Management Service for Websites.

    Assumptions of Intranet Security

    Doing any of the following on the internet would be crazy, but on an intranet...
    • Leaving hosts unpatched
    • Using default passwords
    • Not putting a firewall in front of a host
    ...is OK because the perimeter firewalls block external access to internal devices.

    Assumptions of Intranet Security

    WRONG!

    Everything is web-enabled

    Routers, firewalls, printers, payroll systems, employee directories, bug tracking systems, development machines, web mail, wikis, IP phones, web cams, host management, etc. etc.

    Intranet users have access

    To access intranet websites, control a user (or the browser) which is on the inside.

    [Diagram: a firewall separates the internet from the intranet; inside are a user, an IP phone, bug tracking, a wiki, a printer and a new web server, reached over HTTP, FTP, SSH and NetBIOS; JavaScript malware rides in through the user's browser.]

    Hacking the Intranet

    JavaScript Malware
    • Gets behind the firewall to attack the intranet.
    • Operating system and browser independent.

    Special thanks to: Robert "RSnake" Hansen, http://ha.ckers.org/

    The following examples DO NOT use any well-known or un-patched web browser vulnerabilities. The code uses clever and sophisticated JavaScript, Cascading Style Sheet (CSS), and Java Applet programming: technology that is common to all popular web browsers. Example code is developed for Firefox 1.5, but the techniques should also apply to Internet Explorer.

    Contracting JavaScript Malware

    1. The website owner embedded JavaScript malware.
    2. The web page was defaced with embedded JavaScript malware.
    3. JavaScript malware was injected into a public area of a website (persistent XSS).
    4. The user clicked on a specially-crafted link causing the website to echo JavaScript malware (non-persistent XSS).

    Stealing Browser History

    JavaScript can make links and has access to CSS APIs. See the difference?

    Cycle through the most popular websites.

    NAT'ed IP Address

    If we can get the internal subnet, great; if not, we can still guess for port scanning...

    IP Address Java Applet: "This applet demonstrates that any server you visit can find out your real IP address if you enable Java, even if you're behind a firewall or use a proxy." (Lars Kindermann, http://reglos.de/myaddress/)

    Send the internal IP address where JavaScript can access it.

    Blind URL Fingerprinting

    There is a web server listening, but we can't see the response; what is it?

    Many web platforms have URLs to images that are unique:
    • Apache Web Server: /icons/apache_pb.gif
    • HP Printer: /hp/device/hp_invent_logo.gif
    • PHP image Easter eggs: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

    Cycle through unique URLs using Image DOM objects. Use onerror! If the onerror event does NOT execute, then it's the associated platform.

    Technically, CSS and JavaScript pages can be used for fingerprinting as well.
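    As an added defensive example (not code from the slides), the following Node.js script scans an intranet web server's access log for the server-side trace of the technique above: requests for the platform-specific image URLs listed on this slide whose Referer is an external site. The log lines, the internal domain corp.example and the hostname evil.example are constructed for the example.

```javascript
// Added example (not from the slides): scan an intranet web server's access log for
// requests to the platform-unique image URLs listed above whose Referer is an
// external site. A browser on the inside fetching /icons/apache_pb.gif on behalf of
// an internet page is what the fingerprinting technique looks like from the server.
const FINGERPRINT_PATHS = new Set([
  "/icons/apache_pb.gif",            // Apache
  "/hp/device/hp_invent_logo.gif",   // HP printer
]);
const PHP_EGG = /PHPE9568F36-D428-11d2-A769-00AA001ACF42/;   // PHP image Easter egg

// RFC 1918 addresses and names under the assumed internal domain corp.example.
const INTERNAL_HOST = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|localhost$|[^/]+\.corp\.example$)/;

// Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function refererIsExternal(referer) {
  if (!referer || referer === "-") return false;   // typed-in or bookmarked: not suspicious
  let host;
  try { host = new URL(referer).hostname; } catch (e) { return true; }  // unparsable: treat as external
  return !INTERNAL_HOST.test(host);
}

// One finding per log line that requests a fingerprint URL from an external page.
// Status is kept: a 404 for the HP path on an Apache host is still a probe.
function findFingerprintProbes(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    const [, client, time, method, path, status, referer] = m;
    const isProbe = FINGERPRINT_PATHS.has(path.split("?")[0]) || PHP_EGG.test(path);
    if (isProbe && refererIsExternal(referer)) {
      findings.push({ client, time, method, path, status: Number(status), referer });
    }
  }
  return findings;
}

// Constructed sample log: two probes driven from an external page, one legitimate
// request for the same icon from an internal wiki page, and one unrelated hit.
const SAMPLE_LOG = `
10.1.2.33 - - [12/Jun/2006:09:14:01 -0700] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://evil.example/game.html" "Mozilla/5.0 Firefox/1.5"
10.1.2.33 - - [12/Jun/2006:09:14:02 -0700] "GET /hp/device/hp_invent_logo.gif HTTP/1.1" 404 312 "http://evil.example/game.html" "Mozilla/5.0 Firefox/1.5"
10.1.2.40 - - [12/Jun/2006:09:20:11 -0700] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://wiki.corp.example/index.html" "Mozilla/5.0 Firefox/1.5"
10.1.2.40 - - [12/Jun/2006:09:21:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/1.5"
`;
console.log(findFingerprintProbes(SAMPLE_LOG));   // the two evil.example-driven requests
```

    Several such findings from one internal client within seconds, spread across several intranet hosts, is the stronger signal; a single hit can be a cached icon on a legitimate external page.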

    DSL Wireless/Router Hacking

    Login, if not already authenticated:
    http://admin:[email protected]/

    Factory defaults are handy!

    Change the password (POST to GET: the handler accepts the form's POST parameters in a GET query string, so a plain link or image request triggers it):
    /password.cgi?sysOldPasswd=password&sysNewPasswd=newpass&sysConfirmPasswd=newpass&cfAlert_Apply=Apply

    DMZ Hacking (POST to GET):
    /security.cgi?dod=dod&dmz_enable=dmz_enable&dmzip1=192&dmzip2=168&dmzip3=1&dmzip4=9&wan_mtu=1500&apply=Apply&wan_way=1500

    Network Printer Hacking (POST to GET):
    /hp/device/set_config_deviceInfo.html?DeviceDescription=0WNED!&AssetNumber=&CompanyName=&ContactPerson=&Apply=Apply

    Network Printer Hacking: Auto-Fire Printer Test Pages (POST to GET)
    /hp/device/info_specialPages.html?Demo=Print

    More Dirty Tricks

    • Black hat search engine optimization (SEO)
    • Click-fraud
    • Distributed Denial of Service
    • Force access of illegal content
    • Hack other websites (IDS sirens)
    • Distributed email spam (Outlook Web Access)
    • Distributed blog spam
    • Vote tampering
    • De-anonymize people
    • etc.

    Once the browser closes there is little trace of the exploit code.

    Anybody can be a victim on any website

    Trusted websites are hosting malware. Cross-Site Scripting (XSS) and Cross-Site Request Forgery vulnerabilities amplify the problem.

    XSS Everywhere

    SecurityFocus cataloged over 1,400 issues. WhiteHat Security has identified over 1,500 in custom web applications. 8 in 10 websites have XSS. Tops the Web Hacking Incident Database (WHID), http://www.webappsec.org/projects/whid/

    Attacks the user of a website, not the website itself. The most common vulnerability.

    Exploited on popular websites

    Exploitation leads to website defacement, session hi-jacking, user impersonation, worms, phishing scams, browser trojans, and more...

    CSRF, even more widespread

    "A cross-site request forgery (CSRF or XSRF), although similar-sounding in name to cross-site scripting (XSS), is a very different and almost opposite form of attack. Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a website has in a user by forging the enactor and making a request appear to come from a trusted user." (Wikipedia, http://en.wikipedia.org/wiki/Cross-site_request_forgery)

    No statistics, but the general consensus is that just about every piece of sensitive website functionality is vulnerable.

    CSRF hack examples

    A story that diggs itself: users logged in to digg.com visiting http://4diggers.blogspot.com/ will automatically digg the story.
    http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00087.html
    http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/

    Compromising your GMail contact list: the contact list is available in JavaScript space.

    Worms

    MySpace (Samy Worm) - first XSS worm
    • A logged-in user views samy's profile page, embedded with JavaScript malware.
    • The malware adds samy as their friend, updates their profile with "samy is my hero", and copies the malware to their profile.
    • People visiting infected profiles are in turn infected, causing exponential growth.
    24 hours, 1 million users affected
    http://namb.la/popular/tech.html

    Yahoo Mail (JS-Yamanner)
    • User receives an email with an attachment embedded with JavaScript malware.
    • User opens the attachment and the malware harvests @yahoo.com and @yahoogroups.com addresses from the contact list.
    • User is re-directed to another web page.
    http://ha.ckers.org/blog/20060612/yahoo-xss-worm/

    CROSS-SITE SCRIPTING WORMS AND VIRUSES: The Impending Threat and the Best Defense
    http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

    Solutions

    How to protect yourself (or at least try)

    Not going to work
    • Two Factor Authentication
    • Corporate Web Surfing Filters
    • Secure Sockets Layer (SSL)
    • Stay away from questionable websites

    Patching and anti-virus: useful for other threats, but not against JavaScript malware.

    Better End-User Solutions

    • Be suspicious of long links, especially those that look like they contain HTML code. When in doubt, type the domain name manually into your browser location bar.
    • No web browser has a clear security advantage, but we prefer Firefox. For additional security, install browser add-ons such as NoScript (Firefox extension) or the Netcraft Toolbar.
    • When in doubt, disable JavaScript, Java, and ActiveX prior to your visit.

    We Need More Browser Security

    • Mozilla (Firefox), Microsoft and Opera development teams must begin formalizing and implementing Content-Restrictions.
      "Sites would define and serve content restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the content restrictions may still prevent malicious script from executing or doing damage." (Gervase Markham, http://www.gerv.net/security/content-restrictions/)
    • Mozilla (Firefox) developers, please implement httpOnly. It's been around for years!

    Fixing XSS and CSRF

    • Rock solid input validation. This includes URLs, query strings, headers, post data, etc.
    • Protect sensitive functionality from CSRF attack. Implement session tokens, CAPTCHAs, or HTTP referer header checking.

    • Filter HTML from output, e.g. in Perl, encoding each dangerous character as a numeric HTML entity:
      $data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;
      or, more strictly, encoding every non-word character:
      $data =~ s/([^\w])/'&#'.ord($1).';'/sge;

    Preventing websites from hosting JavaScript Malware

    Finding and Fixing

    • Find your vulnerabilities before the bad guys do. Comprehensive assessments combine automated vulnerability scanning and expert-driven analysis.
    • When absolutely nothing can go wrong with your website, consider a web application firewall (WAF). Defense-in-depth (mod_security, URL Scan, SecureIIS).
    • Harden the intranet websites. They are no longer out of reach. Patch and change default passwords.

    Recommended Reading

    For more information about WhiteHat Security, please call 408.492.1817 or visit our website, www.whitehatsec.com

    Jeremiah Grossman, Founder and Chief Technology Officer
    [email protected]

    T.C. Niedzialkowski, Sr. Security Engineer
    [email protected]