Think You Can Hack SharePoint - SharePoint Fest DC


Transcript of Think You Can Hack SharePoint - SharePoint Fest DC

Page 1: Think You Can Hack SharePoint - SharePoint Fest DC

Th1nk Y0u C4n h4cK $h4r3P0inT

Liam Cleary

Page 2

4b0uT M3

• Solution Architect @ Protiviti

• 7 time SharePoint MVP

• Past Life

  • Trainer

  • Developer

  • Network & Server Administrator

  • Network Security Consultant

  • Maybe a little “Ethical Hacking”

• All aspects of SharePoint, even dreaming about it

Page 3

Ag3nD4

• Hacker

• Employee

• Developer

• Administrator

• Security

Page 4

H4ck3r M4n1f3sT0

"This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. I am a hacker, and this is my manifesto."

"You may stop me, but you can't stop us all."

Page 5

Persona: Th3 H4ck3r

• Two different Types, Hackers and then Virus Writers

• Script Kiddy

  • Using freely available tools

• Veteran Hacker

  • Custom Tools, written themselves

• “Paid to Hack”

• External to the Organization / Company

• Anonymous, no trace – Secure VPN or Tor

• Loves:

  • AutoBot & Denial of Service

  • Backdoor Exploits

• Worst Nightmare


Page 6

Hacker: T0oL$

• Manual: SharePoint “Brute-Force”

  • Test access for common URLs

• Google

  • Search for available / exposed SharePoint pages

  • inurl:"/_catalogs/wt/" – various syntax

• Bing

  • Search for available / exposed SharePoint pages

  • instreamset:url:"viewlsts.aspx"

• Nmap

  • Access Central Administration

  • Shared Services

  • Web Service Endpoints

• RegEx Tools

• SHODAN searching – “WWW-authenticate”, “MicrosoftSharePointTeamServices: 12/14/15”


Page 7

Hacker: Wh4T i$ tH3r3 t0 $e3 4nD F1nd?


• Web Services Exposed

  • inurl:"_vti_bin/spdisco.aspx"

  • http://fuzzdb.googlecode.com/svn/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt

• “_layouts/viewlsts.aspx” can equal potential data leakage

• “_vti_bin” – some functionality available without Authentication

  • WACProxy.ashx

• User Enumeration: "/_layouts/userdisp.aspx?Force=True&ID=1"

• “_vti_inf.html” exposes internal FrontPage Extensions

• Common functionalities available to all users – not always

  • SearchPrincipals

  • GetAllUserCollectionFromWeb
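As an added defensive example (not part of the talk), the script below reads IIS W3C logs and flags successful unauthenticated requests to the endpoints this slide names, plus client IPs that walk userdisp.aspx IDs; the log lines, field order and IP addresses are constructed sample data.

```python
# Added example (not from the talk): flag anonymous hits on the SharePoint discovery
# endpoints this slide names, in IIS W3C logs. The log lines are constructed sample data.
import re
from collections import Counter

# Paths from the slide, compared case-insensitively as prefixes of cs-uri-stem.
WATCHED = ("/_layouts/viewlsts.aspx", "/_layouts/userdisp.aspx", "/_vti_inf.html",
           "/_vti_bin/spdisco.aspx", "/_vti_bin/wacproxy.ashx", "/_catalogs/wt/")

# Constructed sample in IIS W3C format; "-" in cs-username means an unauthenticated request.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-05-01 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 200
2014-05-01 10:00:02 10.0.0.5 GET /_layouts/viewlsts.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2014-05-01 10:00:03 10.0.0.5 GET /_layouts/userdisp.aspx Force=True&ID=1 443 - 203.0.113.9 python-requests/2.2 200
2014-05-01 10:00:03 10.0.0.5 GET /_layouts/userdisp.aspx Force=True&ID=2 443 - 203.0.113.9 python-requests/2.2 200
2014-05-01 10:00:04 10.0.0.5 GET /_layouts/userdisp.aspx Force=True&ID=3 443 - 203.0.113.9 python-requests/2.2 200
2014-05-01 10:00:05 10.0.0.5 GET /_vti_inf.html - 443 - 203.0.113.9 curl/7.30 200
2014-05-01 10:00:06 10.0.0.5 GET /_layouts/userdisp.aspx ID=7 443 CONTOSO\\bob 10.0.0.22 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_exposure(text, enum_threshold=3):
    """Return (anon_hits, enumerators): successful unauthenticated requests to WATCHED
    paths, and client IPs that requested userdisp.aspx?ID=<n> at least enum_threshold times."""
    anon_hits, id_walks = [], Counter()
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if rec["cs-username"] == "-" and rec["sc-status"] == "200" and path.startswith(WATCHED):
            anon_hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"]))
        if path == "/_layouts/userdisp.aspx" and re.search(r"(?:^|&)id=\d+", rec["cs-uri-query"], re.I):
            id_walks[rec["c-ip"]] += 1
    enumerators = sorted(ip for ip, n in id_walks.items() if n >= enum_threshold)
    return anon_hits, enumerators

if __name__ == "__main__":
    hits, enums = find_exposure(SAMPLE_LOG)
    for ip, stem, query in hits:
        print(f"anonymous 200 on {stem}?{query} from {ip}")
    print("possible user enumeration from:", enums)
```

Authenticated requests to the same pages (the CONTOSO\bob line) are deliberately not flagged, so the output isolates the exposure the talk describes rather than normal use.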

Page 8

D3m0

h4Ck3r: H4cK1ng Sh4r3P0inT

Page 9

Persona: Th3 3mPl0ye3

• Internal Staff / Contractor

• Inherently Trusted

• Security Access Controlled by Active Directory

• Always wanting to “test” access to everything


Page 10

Employee: T0oL$

• “Trial & Error” hacking

  • Keep going until no more “Access Denied”

• Manual: SharePoint “Brute-Force”

  • Test access for common URLs


Page 11

Employee: Wh4T i$ tH3r3 t0 $e3 4nD F1nd?


• User can request full Active Directory Tree contents

• Common functionalities available to all users – not always

  • SearchPrincipals

  • GetAllUserCollectionFromWeb

• Misconfigured Security can expose everything to end users

  • Incorrect Inheriting of Permissions

Page 12

Persona: Th3 d3v3L0peR

• The “Uber” Geek or even Nerd

• Inherent Access - maybe

  • Circumventors of Security

  • Non-rule-abiding

• Do not like “Least Privilege” anything

• “Works on my Machine”

• Dislikes IT Administrators


Page 13

Developer: T0oL$

• Visual Studio – All Versions

• Scripts

  • jQuery | JavaScript | VBS | PowerShell (Maybe)

  • Managed Code

• Fiddler

• Manual: SharePoint “Brute-Force”

  • Test access for common URLs

• All Developers, think they are Hackers


Page 14

Developer: Wh4T i$ tH3r3 t0 $e3 4nD F1nd? R34s0ns?

• Everything

  • Developers, due to their core “root” access, get everything

• Misconfiguration of Security

• Lack of CAS policies

• Requiring code to “RunWithElevatedPrivileges”

• Scripting to get round issues

• Requiring certain account permissions to run code


Page 15

AdM1n1$Tr4t0r

$eCuR1ng 0pT1on$

Page 16

Persona: Th3 AdM1n1$Tr4t0r

• The Geek

• Inherent Access

  • Management of Security

• Firewall Owners

• Slightly “Condescending” to the users, just kidding

• Dislikes Developers


Page 17

Administrator: Pr0t3cT1on T0oL$ 4nd 4pPr04ch


• Firewalls

  • Server Firewall

  • Hardware Firewall

• Content Inspection Software

• Content Inspection Appliances

• Network Monitoring

  • Wireshark

  • Many Hacker / Security Linux Distros

• Configure it correctly

• Only allow permissions where needed

• Use audit checking tools: 3rd-party tools or open source such as Sushi.

Page 18

$eCuR1ty

G3n3r4l

Page 19

Security: Pr0t3cT1on L4y3r$

• Database

  • Restrict Port Access – Non Standard Ports

  • Encrypt the Database / Disk

• Application

  • Restrict Port Access through Firewall Policy

  • Location Path – web.config

• Web

  • Restrict Port Access through Firewall Policy

  • Location Path – web.config

• Perimeter

  • SSL Encryption & Inspection

  • Edge Firewall – Port 80 / 443

  • Offload Authentication – Delegation (remove standard Windows Auth Prompt)
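The “Location Path – web.config” items above can be implemented with ASP.NET <location> authorization rules. As an added example (not from the talk), this script audits a constructed sample web.config for lockdown of the pages the talk names and catches the rule-order mistake that silently defeats a deny; the sample config is not a real farm's file.

```python
# Added example (not from the talk): audit a web.config for <location> lockdown of the
# pages the talk names. The web.config below is a constructed sample, not a farm's file.
import xml.etree.ElementTree as ET

LOCKDOWN_PATHS = ("_layouts/viewlsts.aspx", "_layouts/userdisp.aspx", "_vti_bin/spdisco.aspx")

SAMPLE_WEB_CONFIG = """<configuration>
  <!-- correct: anonymous users ("?") are denied before anyone is allowed -->
  <location path="_layouts/viewlsts.aspx">
    <system.web><authorization>
      <deny users="?" /><allow users="*" />
    </authorization></system.web>
  </location>
  <!-- weak: ASP.NET applies rules top-down, so allow "*" matches first and the deny never runs -->
  <location path="_layouts/userdisp.aspx">
    <system.web><authorization>
      <allow users="*" /><deny users="?" />
    </authorization></system.web>
  </location>
  <!-- spdisco.aspx has no location element at all -->
</configuration>
"""

def anonymous_denied(authorization):
    """True if an anonymous request hits a <deny> before any rule that would admit it."""
    for rule in authorization:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag == "deny" and users & {"?", "*"}:
            return True
        if rule.tag == "allow" and users & {"?", "*"}:
            return False
    return False  # no matching rule: ASP.NET's default <allow users="*"/> applies

def audit_lockdown(config_xml, paths=LOCKDOWN_PATHS):
    """Map each path to 'locked', 'weak' (rule order defeats the deny) or 'missing'."""
    root = ET.fromstring(config_xml)
    locations = {loc.get("path", "").strip("/").lower(): loc for loc in root.iter("location")}
    report = {}
    for path in paths:
        loc = locations.get(path.lower())
        if loc is None:
            report[path] = "missing"
            continue
        # <authorization> lives under <system.web>; comments are dropped by the parser
        auth = next((sw.find("authorization") for sw in loc if sw.tag == "system.web"), None)
        report[path] = "locked" if auth is not None and anonymous_denied(auth) else "weak"
    return report

if __name__ == "__main__":
    for path, status in audit_lockdown(SAMPLE_WEB_CONFIG).items():
        print(f"{status:8} {path}")
```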


Page 20

Security: D4taB4s3 F1r3w4ll R^l3s


• netsh advfirewall firewall add rule name="SQLServer" dir=in action=allow protocol=TCP localport=1433 profile=DOMAIN

• netsh advfirewall firewall add rule name="SQL DAC" dir=in action=allow protocol=TCP localport=1434 profile=DOMAIN

• netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434 profile=DOMAIN

• netsh advfirewall firewall add rule name="Mirroring EndPoint" dir=in action=allow protocol=TCP localport=5022 profile=DOMAIN

• netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022 profile=DOMAIN

• netsh advfirewall firewall add rule name="T-SQL Debugger" dir=in action=allow protocol=TCP localport=135 profile=DOMAIN

Page 21

Security: $h4r3P01nT F1r3w4ll R^l3s

• netsh advfirewall firewall add rule name="SharePoint HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 profile=DOMAIN

• netsh advfirewall firewall add rule name="SharePoint Cache" dir=in action=allow protocol=TCP localport=22233-22236 profile=DOMAIN

• netsh advfirewall firewall add rule name="SharePoint Farm Communication (TCP)" dir=in action=allow protocol=UDP localport=389,464 profile=DOMAIN

  • Note: this rule is named TCP but opens UDP; LDAP (389) and Kerberos password change (464) are used over both, so a second rule with protocol=TCP is needed for the TCP side.

• netsh advfirewall firewall add rule name="SharePoint Search" dir=in action=allow protocol=TCP localport=16500-16519,445,137-139,5725 profile=DOMAIN

• netsh advfirewall firewall add rule name="SharePoint Workflow" dir=in action=allow protocol=TCP localport=9354-9356,9000 profile=DOMAIN


Page 22

Security: Wh3r3 t0 $t4rT?

• Page Lockdown

• Fix Security Slip-Ups

• No Automated Approach

• Claims “OR” not “AND” processing

• Comply with Compliance and Governance Policies

• Administrator can modify or delete logs

• No built in forensic capabilities

• Secure Web Site

• SQL injection, Brute Force Password Attack and Cross Site Scripting

• Understand SharePoint is SQL

• Privileged Users could hack Permission for SharePoint

• Fix Search Engine Visibility

• Mississippi National Guard apologized for exposing personal data through public SharePoint Site


Page 23

F1n4l Th0uGht$

• Pentest your SharePoint Site – plenty of tools out there for this

  • Internal – Choice

  • External – No Choice

• Ensure latest patches – my rule: be two CUs behind, unless you need a CU for a bug fix

• Users will find a way of getting into content, just as they did with file shares

  • Mostly legal ways of doing it too!!

• Hackers will always try to circumvent security

• Learn how to hack!! Just Kidding

  • At least learn how to protect against the hack

• Make Security Top Priority

• Learn how to publish SharePoint correctly and securely


Page 24

R3s0uRc3$

SharePoint URL Endpoints (Use in Google): http://blog.helloitsliam.com/Presentations/Urls.txt

Is Your SharePoint Secure – Part 1: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=100

Is Your SharePoint Secure – Part 2: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=101

Is Your SharePoint Secure – Part 3: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=103

Is Your SharePoint Secure – Part 4: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=105

Hacking versus Misconfiguration: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=115

Is Your SharePoint Vulnerable?: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=116

Page 25

C0nt4cT & tH4nk$

Thank You

Blog: http://blog.helloitsliam.com

Twitter: @helloitsliam

Email: [email protected]

Coming Soon: http://www.hacksharepoint.com