clusterd: app server security
Bryan Alexander
who
pentester @ Coalfire Labs
Independent researcher
Breaking via building
why?
why?
ColdFusion 10 deployments?
JRun hash retrieval?
WebLogic anythings?
Running versions?
Jboss 7.x/8.x deploys?
Brute forcing?
Railo?
Axis2?
WebSphere?!
More!?
what
clusterd: application server attack toolkit
Python-based, command line driven
Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …
what
JBoss Tomcat WebLogic ColdFusion Railo Axis2
JBoss
So much has already been said (Matasano, Red Team Pentesting, HSC)
Let's talk about things that haven't been
Jboss Recap
Versions 3.x – 7.x "Jboss"
Versions 8.x+ rebranded to "WildFly"
Make it rain shells with WARs
No security by default
clusterd currently features 7 unique deployers
Typically run as an administrative/SYSTEM user
Jboss Recap
Jboss 7.x
One interface to rule them all (JSON API)
They still haven't figured out how authentication works
Unauthenticated deploys via exposed management interface
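The slide's point is that the 7.x JSON management API is only as safe as its binding and its realm. As an added illustration (not from the talk and not clusterd's code), here are the two fragments of a JBoss AS 7.1 standalone.xml that decide whether the API on the management port is reachable and whether it asks for credentials. Element and attribute names are JBoss's own; treat it as the pattern to check for in a given install, not a drop-in file.

```xml
<!-- Added example, not from the talk or from clusterd: the two places in a
     JBoss AS 7.1 standalone.xml that control exposure of the management API.
     Element and attribute names are JBoss's own; layout of a real file may differ. -->

<!-- 1. Bind the management interface to loopback. The property default already
        falls back to 127.0.0.1; the exposure the slide describes comes from
        overriding it (for example with jboss.bind.address.management=0.0.0.0),
        which makes the JSON API on the management-http port (9990) reachable
        from the network. -->
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:127.0.0.1}"/>
    </interface>
</interfaces>

<!-- 2. Tie both management interfaces to a security realm. An http-interface
        element without a security-realm attribute accepts every operation,
        deploy included, from anyone who can reach the port. Users for the
        realm are created with bin/add-user.sh, which writes mgmt-users.properties. -->
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <properties path="mgmt-users.properties"
                            relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
```

A quick audit of a 7.x host is therefore two greps: confirm the management interface is not bound to 0.0.0.0 (or, if it must be, that a firewall fronts port 9990), and confirm every interface under management-interfaces carries a security-realm attribute.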
Jboss UNC
Not a new attack, but a new application
Force JBoss to load a remote resource via a UNC path, capture hashes, crack 'em
Jboss CVE-2005-2006
Nobody is using this bug to fetch credentials
Jboss Auxiliary
Auxiliary modules used for scraping remote information
Tomcat Recap
Tomcat 3.x – 8.x; very consistent platform
Default creds!
Roles! manager vs. manager-gui
clusterd currently deploys to everything
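The "default creds" and "roles" bullets are the whole Tomcat story from the defender's side: a guessable account that holds a manager role is a deploy primitive. As an added example (not from the talk and not clusterd's code), here is a weak conf/tomcat-users.xml beside a hardened one, plus the loopback restriction on the manager app. Usernames and passwords are placeholders; the role names manager-gui, manager-script, manager-jmx, manager-status and admin-gui, and the RemoteAddrValve class, are Tomcat's own.

```xml
<!-- Added example, not from the talk or from clusterd. Usernames and passwords
     are placeholders; role names and the valve class are Tomcat's own. -->

<!-- ===== conf/tomcat-users.xml, WEAK: one account holds every manager role
     and a guessable password. Whoever brute-forces it can deploy a WAR through
     the HTML UI (manager-gui) or the text/script interface (manager-script). ===== -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="changeme"
        roles="manager-gui,manager-script,admin-gui"/>
</tomcat-users>

<!-- ===== conf/tomcat-users.xml, HARDENED: one account per function, long
     random passwords (placeholders here), and no account that combines
     manager-gui with manager-script, since Tomcat's documentation advises
     against granting both to one user (it undermines the GUI's CSRF protection).
     Monitoring gets manager-status only, which cannot deploy anything. ===== -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="ops-admin"   password="REPLACE-WITH-LONG-RANDOM-SECRET-1"
        roles="manager-gui"/>
  <user username="ci-deployer" password="REPLACE-WITH-LONG-RANDOM-SECRET-2"
        roles="manager-script"/>
  <user username="monitor"     password="REPLACE-WITH-LONG-RANDOM-SECRET-3"
        roles="manager-status"/>
</tomcat-users>

<!-- ===== webapps/manager/META-INF/context.xml: keep the manager application
     reachable from loopback only, so a leaked credential still needs a foothold
     on the host. Extend the allow regex with a jump host if one is required. ===== -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
```

Two checks follow directly: no user line in tomcat-users.xml should carry more than one manager-* role, and the manager (and host-manager) context.xml should carry a RemoteAddrValve unless the app has been removed from webapps/ altogether, which is the simplest fix on hosts that never deploy through it.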
Tomcat
Not much going on; all the standard modules
WebLogic
Oracle's very own Jboss/Tomcat (still Java)
Very enterprise-y; clustering, systematic backups, etc.
Difficult to obtain older versions (which have default creds)
WebLogic
WebLogic supports deploying WAR files, and so does clusterd
You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)
WebLogic
Two versions of the admin interface; http and https (ports 7001 and 9002)
Typically run as a system service
Clustered environment, deploys can trickle down a domain
Very often seen in high-availability environments, i.e. systems running active/active
Coldfusion Recap
Coldfusion 6.x – 11.x
clusterd currently has three deployers for CF
LFI leading to hash disclosure v6.x – 10.x
No cracking when you can PTH
No default credentials, but plenty of ways to get around that
Coldfusion
Coldfusion
Everybody knows the task scheduler can be used to deploy
10.x+ restricts the extension (no cfml)
Coldfusion
How about LFI to RCE?
Railo
Railo 3.x – 4.x
Essentially just a FOSS Coldfusion
Task scheduler, plugin architecture, clustered servers, lots of development
By default very promiscuous
Railo
No public vulnerabilities, yet...
Two interfaces; server.cfm and web.cfm
Runs jsp and cfml, much like CF
Axis2
Axis2 1.2 – 1.6
Web services (soap/wsdl) engine; deploy services not applications
Couple ways to deploy; clusterd currently supports one (recently added)
Default creds!
Last release was 2012, but still heavily used
Axis2
Generating payloads is pretty simple, but we can't use vanilla msfpayload
Generate a java/meterpreter/reverse_tcp and pack it into a jar; build XML descriptor
Axis2
LFI in 1.4.x, obviously we're going to fetch creds
other features
All platforms support brute forcing via supplied wordlist
other features
Clean up after yourselves; every platform has an undeployer
other features
Discovery module
other features
Maybe demo?
FOSSy
Well formed pull requests welcome: https://github.com/hatRiot/clusterd
Public to-do hosted on Trello: https://trello.com/b/Bwcmrsyd/clusterd
Research and 0days and fun stuff on my blog: http://hatriot.github.io/
Tweet or email me your questions/bugs/requests: @dronesec ([email protected])
Questions?
Comments?