1 of 17

DEEP(ER) PENETRATION�.�Reaching the Internal Network using Exposed Web Applications

2 of 17

Disclaimer

This presentation is meant for educational purposes only.

I shall not be held accountable in the event of any of the information presented in the following demos is used to hack/break-in into a non-authorized server.

3 of 17

Please don’t try this at home

4 of 17

About Me

  • Web Application Security Consultant, Penetration Tester and yours truly karniv0re

  • Published several vulnerabilities in open source applications

  • Author of ‘A Beginners Approach to Windows’

  • CVE-2010-1649, CVE-2011-1077, CVE-2011-1026, CVE-2011-1399, BID-45682, BID-48011, BID-48015 etc.

  • Major Stargate and Superman fan ☺

5 of 17

What is this talk about

  • Case Study of an actual Penetration Test (simplified for brevity)
  • Vulnerable Custom Web Application
  • Poorly configured Jboss Installation
  • Trusted access to MSSQL Server
  • Lots of Demos!! (Hackers love d3m05!!)

6 of 17

What is this talk NOT about

  • Securing Web Applications
  • Securing Jboss Installations
  • Securing MSSQL Servers
  • Cats with Guns
  • UFOs and Little Green Men

7 of 17

The Story – Web Server 1

  • Publicly accessible php web application
  • Only port 80 open

8 of 17

The Story – Web Server 1

  • Source Code, robots.txt and friendly error messages ☺
  • Brute Force!!
  • Admin Module – Modify Database ☺
  • Phpmyadmin root access - file write to upload dir using select into outfile <php code>

9 of 17

The Story – Web Server 1

  • for i in $(seq 1 254); do ping –c 1 192.168.100.$i | grep "bytes from" ; done
  • snmpcheck.pl –t 192.168.100.10
  • curl to 8080
  • jboss no auth ☺ ☺ Whos the Boss poda? ☺
  • shell via jboss.system:service=MainDeployer

10 of 17

The Story – Test Web Server 2

  • Internal Jboss Application server
  • App on port 8080

11 of 17

The Story – Test Web Server 2

  • Net user root letmein /add
  • Net user localgroup administrators root /add
  • netsh firewall show config && Allow TCP 3389
  • Tunnel RDP via port xyz from 10.10.10.25
  • mstsc to 10.10.10.25:xyz to connect to Internal System 192.168.100.10

12 of 17

The Story – Test Web Server 2

  • Browse filesystem
  • C:\NetQ\ - .NET Web Application
  • Browse code to identify test DB server
  • Another Internal box
  • MSSQL Management Studio
  • Enable xp_cmdshell, enable RDP and connect!

13 of 17

The Story – Developer Machine 3

  • Internal Dev Machine
  • Running test SQL Express 2005

14 of 17

Google Dorks ☺

15 of 17

Google Dorks ☺

16 of 17

Q & 42

17 of 17

Thank you!

riyazwalikar@gmail.com

http://www.riyazwalikar.com