Speaker Deck

0wn1ng The Web at www.wdcnz.com

by Kim Carter

Published September 8, 2015 in Technology

Abstract:

JavaScript is an incredibly powerful tool for good. With great power comes great responsibility. Are we taking our responsibility seriously? JavaScript is also an incredibly powerful tool for evil. As a developer it's time to empower your tech sense and see how easy it is for those hiding in the shadows to own not only you, but your friends, family, clients, customers... Anyone that uses a browser. New advances in technology look shiny... until we stop believing the hype, open our minds and start poking at them. Let me show you what happens when we start poking.

The Play:

The presentation is basically the process I take to carry out a small client penetration testing assignment, but with a focus on why and how web developers should be doing the same within their teams. It goes through:

1. Why we even care about breaking our or a clients code and/or system(s)
2. Reconnaissance (information gathering), tools and tips. What can the public actually get their hands on?
3. Vulnerability scanning, tools and tips
4. Vulnerability searching, tools and tips
5. Exploitation, where to start, how to start, tools (and why) and tips
6. Demo 1: Exploiting an XSS vulnerable web app and what you can get from it using the Browser Exploitation Framework (BeEF). The whole reason being here is to be able to show your employer, boss, client and why they need to do something about it. After seeing how easy it is and what you can do, few will deny that it just needs to be fixed and provide the resources for you to do it.
7. Discuss countermeasures
8. Demo 2: Exploiting people with spear phishing, obtaining their credentials by cloning, spoofing a website they frequently login at with the Social Engineer Toolkit's (SET) Credential Harvester.
9. Discuss countermeasures
10. doppelganger domains (domains that look like the real thing but are fakes)
11. Demo 3: Add ARP and DNS spoofing to the mix. Now when a victim browsers to a website that they like to spend time at, they will be visiting our spoofed website. In this demo, we add the BeEF hook.js to the cloned website. This hook converts the victims browser into a zombie that continually polls the BeEF comms server requesting commands to execute on the victims machine. This is the window of time we use to install a root-kit and pwn the victims machine.
12. Discuss countermeasures
13. Discuss what BeEF can do
14. Demo 4: Again we clone and host a website we know the victim likes to visit with SET. We use a couple of Metasploit attack methods and exploit memory injection. Then select a collection of payloads to deliver via shellcode injection. Encrypt the payloads and configure the reverse shells. launch Metasploit and watch the reverse shells connect. Attempt to escalate privileges to system account. anti-virus (AV) stops us.
15. Demo 5: We use Veil-Evasion to get around AV by creating our payload. We encrypt the payload with Hyperion using a weak 128-bit AES key, which decrypts itself by brute force at the time of execution on the victims machine. We use Metasploit to deliver our psexec exploit that we created with Veil-Evasion and Hyperion. We watch the attackers reverse shell connect straight to the system account.
16. Discuss countermeasures

Speaker Notes:

##############################################################
Why do we Care
##############################################################

As web developers we are hired to create business value and reduce business costs.
Anything you can do to assist in that endeavour will go down well for you.

##############################################################
Reconnaissance
##############################################################

The following set of tools I use often in research and security engagements.

Reconnaissance: The act of information gathering.
The quieter you can do this, the less likely you will be to raise suspicions or raise your clients defenses.

Here we want to gather as much information that will be potentially useful for taking into the following stages.
Where we start to obtain more information about services & other software being used & their versions.
Moving from passive to more active techniques.

We need to learn as much as possible about the people involved within & related to the target org.
This way we’ll be able to create successful pretexts (become them).

##############################################################
Discover
##############################################################

Lee Baird’s discover-scripts
- Shell scripts to aggregate Kali Linux tools & automate various pentesting tasks.
Both passive & active options.
- Allow you to dig up a lot of dirt on your target long before you start trying to penetrate them.
- Domain and Person is very useful.

##############################################################
Discover
##############################################################

For example
Recon -> Domain -> Passive combines:
goofile, goog-mail, goohost, theHarvester, Metasploit, dnsrecon, URLCrazy, Whois, and multiple websites.

Recon -> Domain -> Active combines:
Nmap, dnsrecon, Fierce, lbd, wafw00f, traceroute, Whatweb.

So rather than getting familiar with all the recon tools,
you can just get familiar with Discover Scripts.

Id also recommend Maltego.

##############################################################
Vulnerability Scanning
##############################################################

It’s really important to have done a good job at gathering information in the reconnaissance step.

You’ll know if you didn’t do well, as this step & even more so the exploitation stage will have you wondering what to attack first.
You’ll be hitting machines and people that are less vulnerable than others.
An attacker will focus on the lowest hanging fruit first, so should you.

##############################################################
Vulnerability Scanning: NMAP
##############################################################

We start off using options that are as passive as possible to avoid triggering alarms with IDS’s and savvy sys-admins.

NMap & scripts can tell us a lot, even when it’s configured to scan very quietly.

##############################################################
Vulnerability Scanning: Metasploit
##############################################################

Metasploit provides the ability to scan many services.
Last time I checked there was 449 scanners.

These are just the SSH ones.

##############################################################
Vulnerability Scanning
##############################################################

Use the scanner
Set any options
Check your options
Run

With the results you can feed into multiple vulnerability search tools
and often even get canned exploits.

##############################################################
Vulnerability Scanning: OpenVAS
##############################################################

Open Vulnerability Assessment System (OpenVAS) was forked from Nessus in 2005 before it went proprietary.
it’s accompanied with a daily updated feed of Network Vulnerability Tests, over 35,000 in total (as of April 2014).
Scans pretty much everything against known vulns.
Does make a lot of noise though.

Drive with CLI & web UI.

Covers OWASP Top 10:
- No.5 Security Misconfiguration
- No.7 Missing Function Level Access Control (formerly known as “failure to restrict URL access”)
- No.9 Using Components with Known Vulnerabilities.

##############################################################
Vulnerability Scanning: ZAP
##############################################################

OWASP ZAP is not only a great web intercepting proxy, but also very good for finding web vulnerabilities.

There are many other very good vulnerability scanning tools, with not enough time to cover them all now.

##############################################################
Vulnerability Searching
##############################################################

Now that you have a good idea of which vulns you should be trying to exploit,
You’ll need to look for which exploits are going to work.

Offensive Security (Kali creators) have exploit-database

##############################################################
Vulnerability Searching
##############################################################

Which has a web front end.

##############################################################
Vulnerability Searching
##############################################################

and a CLI.

##############################################################
Vulnerability Searching
##############################################################

We have Security Focus’s BugTraq

##############################################################
Vulnerability Searching
##############################################################

Rapid7: Metasploit owner, also has a database

##############################################################
Vulnerability Searching
##############################################################

NodeSecurity Advisories

National Vulnerabiltiy Database

##############################################################
Exploitation
##############################################################

Then a pen tester will generally move on to the exploitation stage.

The following tools are the main tools I use in this presentation.

##############################################################
Exploitation: BeEF
##############################################################

The Browser Exploitation Framework (BeEF) Exhibits XSS flaws -> How serious they can be

In order to use BeEF you have to get the hook.js (24 js files concatenated into one hook.js) into a web page & wait for the victim to bite.

1. You can do it via an (XSS) vulnerable web app
2. You can do it by cloning web app

##############################################################
Exploitation: SET
##############################################################

We use Set for:

- Cloning sites
- Credential harvesting

##############################################################
Exploitation: Ettercap
##############################################################

We use Ettercap for:

- ARP & DNS spoofing
- MitM’ing

##############################################################
Exploitation: Veil
##############################################################

We use Veil-Evasion for:

- Evading AV

##############################################################
Exploitation: Metasploit
##############################################################

We use Metasploit for:

- It’s huge database of exploits
- Sending stages and setting up listeners

##############################################################
Why These Tools?
##############################################################

So… why these tools?

1. Because they exhibit some of the most frequently compromised vulns on the web
2. Allows us to demonstrate many flaws in the target code and infrastructure

They give us the power to redeem our-selves before we are made another security failure statistic

Compel stakeholders that mitigation is necessary… by doing it, we’ll save face and potentially a lot of money.

##############################################################
Demo 1
https://www.youtube.com/watch?v=92AWyUfJDUw
##############################################################

Addresses the XSS vulnerable web app
A. Could be a web site regularly visited by your victim
B. Could be a web site you social engineer your victim to visit

The Play: ####################################################

Start BeEF
Log into the UI
Exploit XSS vulnerable web app
- Enable foxy proxy
- Fire up burp
- Drop our BeEF hook.js into our request

Victim visits XSS vulnerable web site
Victim browser hooked
See the zombie browser requesting commands
Execute Pretty Theft (one of the simplest BeEF attacks)
Victim enters their credentials for Facebook.
- kim@exploited.com
- notverysecurepassword

Of course to pull this off, you would have had to know that the victim lives on FB (recon stage).
Very quick look at module tree.

##############################################################
Countermeasures
##############################################################

##############################################################
Countermeasures
##############################################################

Fix your XSS vulns. Mention link to wiki.

##############################################################
Wiki
##############################################################

Leads to a section on my "Holistic InfoSec For Web Developers" wiki.
Which was the basis for the book of the same name that I’m currently writing.

"Wrongfully Trusting the Loading of Untrusted Web Resources"

- Escaping all untrusted data based on it's context (where and what it is)
- White-listing
- Constraining to types where possible
- Constrain max / min lengths.
- Basically thinking in terms of least privilege

##############################################################
Demo 2
https://www.youtube.com/watch?v=tb4o5UCHzSA
##############################################################

Shows a very simple way of obtaining your victim's credentials using the Social Engineer Toolkit.

The Play: ####################################################

Nothing currently in the public web dir
Run setoolkit
Select: 1) Social-Engineering Attacks
Select: 2) Website Attack Vectors
Select: 3) Credential Harvester Attack
Select: 2) Site Cloner
Enter IP address that set listens on to capture the key log
We clone accounts.google.com
Host cloned and php file in apache web dir and start apache if it’s not already running
Now we see the cloned artifacts and the key log file
- Currently empty

Victim clicks link that was passed to them via social engineering.
This could be any site that you know the victim has creds for.
- Vic enters
- - kim@pentester.org
- - myinsecurepassword

As soon as the victim posts,
1. SET uses the HTML referer header, in which it intercepts the request that comes from the victims IP address and harvests the posted credential fields.
2. The page redirects to the real accounts.google.com

setoolkit provides the ability to craft emails with spoofed from address. Just need to install and configure sendmail.

##############################################################
Countermeasures
##############################################################

##############################################################
Countermeasures
##############################################################

Don’t click unsolicited links.

It’s our job to train users to what and how things can go wrong.
Users need to become familiar with social engineering tactics to coerce them, in order to protect themselves & people they know.

I discuss some of the tactics on my “Holistic InfoSec” wiki. Linked to here.

##############################################################
Doppelgangers
##############################################################

So... it’d be nice if the URL looked legit.
Using doppelganger domains is quite effective

##############################################################
Doppelgangers
##############################################################

There’s usually a few options
& for the low price of $71.40

##############################################################
Demo 3
https://www.youtube.com/watch?v=ymnqTrnF85M
##############################################################

In this demo we add ARP & DNS spoofing to the mix.

The idea is that we take advantage of the fact we know which sites our victim likes to spend time at.

The Play: ####################################################

We wget the files that set misses
This is the index file that set cloned for us.
Add our BeEF hook.

Start BeEF
Add our ‘A’ record to the etter.dns
Run ettercap
- with the MITM option,
- ARP poisoning the victim and the gateway,
- using dns_spoof plugin

Log in to BeEF UI

Victim now visits cloned site they like to spend time at.
- Site spoofed.
- Browser hooked.

Now we can see the zombie browser continues to ask the BeEF comms server for commands.

End Play: ####################################################

BeEF can also be used to clone websites. It’s not quite as user friendly.

So long as the target machine has a browser window open running the BeEF hook code,
the attacker has this window of opportunity to create a persistent connection for when the browser window is closed.

##############################################################
Countermeasures
##############################################################

##############################################################
Countermeasures
##############################################################

Check out the Spoofing countermeasures on the BinaryMist wiki.
It covers:
- IP, ARP, DNS, Website & other types of spoofing
& the tools that can be used to help protect against these types of attacks.

##############################################################
Book Cover
##############################################################

Also keep your eye on the book I’m writing.
It’s got a lot of this sort of detail within & I’m republishing continually.

On LeanPub

##############################################################
Exploitation: Hooked Browsers... What now?
##############################################################

BeEF has a REST API

- BeEF has the concept of Extensions which change how BeEF behaves.
- BeEF has the concept of Modules which change how zombies behave.

BeEF has many of both out of the box & you can add your own.

##############################################################
Modules
##############################################################

These are some of the modules

##############################################################
Modules
##############################################################

BeEF can be installed on public VPS’s,
so you can attack a NATed victims machine from the BeEF web UI from anywhere.

Amazon even has a policy for using their VPS’s for penetration testing.

There are a bunch of other public & free VPS’s you can use.

There’s also a number of ways to automate the running of modules on successful hooking.
BeEF provides the autorun script allowing a single module to be run
& there’s the beef_injection_framework which integrates with BeEF allowing the running of many modules against many browsers concurrently.

Discuss WebRTC extension.
- Encourage all to not just take tech at face value, but to think about how it can be exploited.
- This makes us all much better programmers.

##############################################################
Demo 4
https://www.youtube.com/watch?v=WSwqNb_94No
##############################################################

BeEF has ways of getting shells directly and indirectly,
but lets look at some other options.

The Play: ####################################################

Run setoolkit
Select: 1) Social-Engineering Attacks
Select: 2) Website Attack Vectors
Select: 6) Multi-Attack Web Method
Select: 2) Site Cloner
Don’t need port forwarding
IP address that metasploit listens on
We clone accounts.google.com

Turn on “Java Applet Attack Method” & “Metasploit Browser Exploit Method”.
Select the vulns to exploit: “2) Meterpreter Multi-Memory Injection”.
Select the payloads to deliver. We hit em with everything.
Port 443 to help disguise the reverse connection as legit.
Encrypt the payloads & configure the reverse shells.

Take the easy option of (2) Java Applet.
Select Metasploit’s Autopwn for the Java Applet browser exploit.
Host the cloned site.
Start msfconsole.

Vic fetches our spoofed gmail.
Oh… we have a Java update.
Now we know we’re always supposed to keep our systems patched right.
Better update.
AV says we’re all safe. Must be all good.
PS exploit fails.

Here come the shells.
Lets interact with the first one.

Elevate privs?
List available meterpreter extensions. We need priv in order to bypass UAC.
That’s successful, but AV detects bad signatures on a couple of the root-kits.

We can’t actually get system on this shell, but possibly one of the other 2 shells we could.
We only get the privs of the user running the browser exploit.

##############################################################
Demo 5
https://www.youtube.com/watch?v=1EvwwYiMrV4
##############################################################

The Play: ####################################################

Start Veil-Evasion.
List available payloads to encrypt.
Here we choose a service because we are going to use psexec to install it on the victims box.
We want it to open a reverse shell for us.

Set some options -> generate -> give it a name.


We’re going to encrypt the payload with hyperion,
hyperion encrypts with a weak 128-bit AES key, which decrypts itself by brute force at the time of execution.

Now we’re going to run metasploit with a psexec exploit.
These are the options we use.
Now we’ve got the credentials from a previous exploit…
There are many techniques and tools to help capture these, whether you have physical access or not.
We just need the username & password or hash which is transmitted across the network for all to see.
Also easily obtainable if you have physical access to the machine.

& we’ve now got our shell.

Interact with it.
Lets go straight to where our hosts file lives.
Create a file beside hosts to demonstrate privs.

##############################################################
Countermeasures
##############################################################

There are lots of ways of obtaining the targets password hashes and a few defense techniques.

Obtaining hashes:
- Windows SAM file. Located at C:\Windows\System32\config Only accessible while system not running
- These values are also stored in the registry at HKEY_LOCAL_MACHINE\SAM, Only accessible while system not running
- Over the wire during authentication.

Retreival Tools that allow you to pull hashes from memory (LSASS.exe (Local Security Authority Subsystem Service)):
- Mimikatz
- WCE
- hashdump
- fgdump

##############################################################
Countermeasures
##############################################################

Defense techniques

- Long complex passwords which are changed regularly.
- Disabling LM Hashing (only accepting NTLMv2 auth requests).
- Using the SysKey Windows feature to help strengthen the encryption of the SAM file.
- Evaluate who has physical access.
Also consider social engineering. People are our strongest & weakest links

##############################################################
Documenting / Reporting
##############################################################

For completeness sake.
Few developers like documenting -> reporting
but without it, the rest of the process is a waste of time.

There are loads of tools like:
Dradis Framework
MagicTree (data consolidation, querying, external command execution & report generation) Also good for the Information Gathering stage.

Find what works for your team

##############################################################
Book cover and contents
##############################################################

About bringing security focus which is usually an after-thought
-> in-line with the dev process, as part of your DoD for each Sprint

http://binarymist.io/