RANDom Acts of Security

Advanced Web Shells - Ideas

Rand — Mon, 15 Jun 2020 16:11:00 GMT

Recently the NSA released a repository on guidance for mitigating web shells. The repo contains a number of signatures and tools to help mitigate web shells and provides some valuable insight on how APT's are using advanced webshells in their attacks.

Below I've gone through the guidance above and thought of several questions that will need to be answered ahead of time while building out an advanced web shell. In future posts, I'll do some research on these questions and identify answers. Then, we will build out a web shell based on these strategies and see how it performs against blue teams to help blue teams level up ... and more importantly, see if these monitoring characteristics are actually being implemented by IPS/EDR.

Detecting/Blocking Web Shells

"Administrators can programmatically compare the production site with the known-good version to identify added or changed files
With the rise of CI/CD in the Software Development Life Cycle (SDLC), production applications may have weekly or daily releases. If your webshell is dropped onto disk in a non temporary location (such as web root), it may disappear or worse kick off a signal if monitoring is in place for changed files."

As a red teamer:

Which day of the week would be best to upload my web shell? Can we identify any patterns within the organization that would suggest those who are monitoring network activity may not be paying attention?
Did our OSINT reveal anything about the development practices of the organization? Are they agile? Do they have continuous releases?

"Using a file integrity monitoring system can block file changes to a specific directory or alert when changes occur"

Where do you guess the web shell is being dropped on the server? If you've found an RFI/Unrestricted File Upload to gain a shell, what directory are you targeting? Is it a temporary directory on a different disk than webroot (apps following best practices will do this), or are you in webroot itself?
Is there a way to bypass HIPS rules for directories?

Detecting abnormalities in Logs

"This analytic is likely to produce significant false positives in many environments, so it should be employed cautiously... Therefore, this analytic should only be one part of a broader defense in depth approach to mitigating web shells."

Do any solutions in 2020 actually flag on these behaviours? Do companies actually turn it on or is it too much noise?
What are typical User-Agents used by internal applications?
What are typical User-Agents used by cloud applications?
What are typical Referrer-Headers used by applications? Can you cycle through referrer headers based on cralwed application URLs?

Detecting Artifacts

"Web shells are easy to modify without losing functionality and can thus be tailored to avoid host base signatures such as file artifacts."

Can our shell be dynamically generated and tested against a list of Yara signature rules? NSA provides Yara rules on github, how can we learn from these rules?
Can our shell avoid network based detection (IDS/WAF)? Look into snort signatures
Can we achieve fileless execution? What are some strategies for this? More research needed...
How can we avoid TLS MITM inspections?
Can we avoid launching common system calls that EDR is detecting on with a blacklist? Such as whoami.exe or ifconfig (Auditd linux)

Standard BurpSuite Config

Rand — Mon, 20 Apr 2020 01:37:00 GMT

Proxy Tab

This is the single most important tab in BurpSuite. The proxy tab allows you to monitor the flow of application traffic while making notes. I use several extensions such as 'Scope Monitor' which greatly help organize the content.

A common pitfall I see among junior application pentesters is failing to have the proxy filters setup to observe more traffic at the beginning of their engagement, often overlooking requests for binary content. I filter out and analyze JS in the 'target' tab, don't need it cluttering up my proxy tab. And I tend to only include requests in scope once that has been established after crawling the app.

Intruder

You can send an item from Intruder directly to a Burp Scanner config to analyze one parameter
Make sure you know how to use the different attack types. I use the 'pitchfork' attack type almost as much as the standard 'sniper' payload.
Experiment with the Payload Processing, it's extremely useful for transforming data that you may feel needs to be scripted. This is quicker.
Payload encoding is often an issue when dealing with wordlists of already encoded characters. May want to disable this upon monitoring Intruder data.
Save your intruder scan results, you may forget to take a screenshot.

Repeater

Check the 'auto-scroll to match when text changes' option to save yourself some time when hunting for reflected content.

You may need to disable Repeater options such as "Update Content-Length" when validating for issues such as HTTP Request Smuggling.

Templates

With the release of Burp 2.0 a wide range of templating options have become available. So far, I've created several scan profiles which I use when running my scans. For example, an XSS only profile is easily created.

Project Options

TLS: Select the 'use custom protocols and ciphers' and select everything in both lists. The reason we're doing this is to avoid TLS issues in the future with misconfigured middleware. Additionally, check the Unsafe renegotiation option.

Sessions: These are typically left default, until I understand the application more in detail and need additional macro's or cookie jar handling functionality (such as cookies -> scanner)

Misc: If your organization has a private burp collaborator server, fill it in here. Also, if you have internal proxy issues polling for Burp Collaborator over unencrypted HTTP will be your solution.

User Options

Typically I have a SOCKS Proxy setup to relay my burp traffic, but it's not always necessary depending on where you're executing your pentest from.

On the TLS tab, I enable both Java TLS options by default. When things go wrong with Burp, these are the first to be disabled.

Make sure to disable proxy interception at startup so you don't go crazy.

Note: User options sometimes need to be reloaded for whatever reason. If burp is acting weird or your extensions didn't load, load them from the file menu.

Extensions

Make sure you use both Jython and JRuby to get access to all the burp extensions.

My favorite shortlist of extensions (though I'm probably missing some as I experiment with new ones and swap configs all the time).

As you learn more about your target add additional extensions into your assessment.

Logger++

Make sure logger++ is the very last extension loaded otherwise it will miss some of the extensions traffic.

Additionally, change the maximum log entries to a larger result or you will be very sad when you forget and have to redo 20,000 requests :(

Decoder Improved

I love decoder improved, but don't use it for XXE payloads as it handles nested XML poorly. Might take a look at the source code for it one day.

Collaborator Everywhere

Great extension but if the app starts breaking you may need to switch it back to "Collaborator Nowhere".

Launcher

I tend to give burpsuite an extra couple gigs of ram because Java.

java -Xmx4098m -jar burpsuite_pro.jar

Troubleshooting

Why is Burp not working? It's probably the TLS options. Or you have intercept on by default. Or collaborator everywhere is breaking the app.
Why did my extensions disappear? Your default options loaded most likely don't point to the correct Jython/Jruby instances.

Appsec Kickoff Calls

Rand — Sun, 01 Mar 2020 15:35:00 GMT

Kickoff Call

Every application penetration test you perform should be accompanied with a kickoff call to understand the scope, timeframe, and objective of the test. Here are the typical questions I ask during these calls. The goal of your kickoff call should be to understand the application in as much detail as possible. Ideally, we would want a developer to be on the call for the technical questions.

General

At a high level, what does this application do? Who are the typical business users/consumers of the application?
What is the sensitivity of the data the application handles? (PCI, PHI/PII, GLBA, SSN's etc.)
Is there any attack scenarios you as a customer are worried about? Any sensitive functionality that should be analyzed in depth?

Environment

Is there a WAF protecting the application? Will our attack boxes need whitelisting?
What environment are we testing in? Is the infrastructure owned by the company or will we need approval?
Are administrators notified of errors/logs via email? (To avoid spamming your PoC's)
Are we allowed to test 24/7? Timezone restrictions?

Technical Questions

What language(s) is the application written in?
What front end technologies are in use? (React/Vue/Angular etc)
What is the backend database? Are you using Cloud Service Provided Databases?
What is the authentication mechanism? Is there any 2FA? Account lockout rules?
Are there any data-flow-diagrams, network or application architecture diagrams available?
Roughly how many dynamic pages are there/How many lines of code?
Are there multiple user roles in the application? Do you have a user role/permissions chart available?
Is there an API associated with the application? Do we have access to documentation/swagger/wsdl specs?
If not a black-box pentest, do we have access to the source code? If not.... can we have it?

Tweaking Aquatone: ReClustering

Rand — Fri, 09 Aug 2019 01:49:33 GMT

Aquatone is one of my favorite tools for performing recon against a wide range of web servers and it's goal is to capture screenshots of the applications running on the web servers, categorize them based on similarity, and output a visual report. Compared to tools such as eyewitness, aquatones clustering feature makes it the tool of choice when attempting to identify applications across a wide range of assets.

I'm going to detail some features I've added to aquatone throughout this post and provide an example of my improvements to the initial session feature.

Similarity Option

I've added a quick option to actually change the similarity ratio inside of aquatone. By default, aquatone attempts to categorize applications based on 80% similarity, which has been hardcoded. This option will allow any perfect float value to be used as an argument for additional correlation, this is especially helpful as you can now rerun reports easily if the applications are not mapped to your liking.

InputFile Option

Additionally, I've added another option to parse input into aquatone from a file: either an nmap scan or a raw file containing a list of hosts/urls. In a prior version of aquatone, this feature was there, however with the rewrite in golang the choice was made to parse standard input. I have some other tools that really depend on reading from a file when chaining together tools, so a quick fix here allows input from a file. I've created a pull request with the aquatone project for these two features.

ReClusterSessions Option

Lastly, the most interesting feature I've added into the aquatone project is the ability to recluster already 'aquatoned' assets. Previously, if you wanted to scan multiple lists of hosts (perhaps days apart, or splitting up scanning based on subnets) you would be forced to have individual aquatone folders containing all the screenshots/headers/responses inside of them with a single report for each of your split out groups. This is not ideal, as you cannot go back and regroup similar web applications across these groups of files.

For example, we have the following hosts file containing three websites along with the corresponding aquatone report splitting these assets into their unique buckets.

Hosts.txt

first aquatone report html

Next, we have a second hosts file containing three additional websites along with the corresponding report.

Hosts2.txt

second aquatone report html

In the current state of aquatone, that's the structure you will have to unfortunately cope with. However, I have added a feature to fix this which works fairly well. I've changed aquatone to output the 'sessions.json' into individual unique sub directories, and then parse all of those sessions and recluster them to create a new report.

Working off our example above, we now have each scan inside their own sessions folder containing the json files.

folder structure of new /sessions/ directory

Now all we have to do is recluster those sessions and we get a freshly merged aquatone html report.

-reclustersessions argument provided

Final Report, All sessions merged into one report

You can grab the code for this option here, I will not be attempting to merge this into the aquatone source as it's not in the best state at the moment, and messes with the overall structure of the aquatone output that I'm not sure follows the authors direction.

Just writing this blog post so I can remember the purpose of this code in the future when I need to do more recon again.

In the future, I want to dive into the actual clustering ratio and see if we can improve upon the current categorization of web applications in aquatone. For now, I'll continue to learn golang and add some more quality of life improvements to aquatone :)

XSS Tools #1 - SleepyPuppy

Rand — Tue, 25 Jun 2019 23:42:20 GMT

SleepyPuppy is a Cross-Site Scripting (XSS) management tool which is not only full of features and customization options, but also has a really enjoyable name. SleepyPuppy was originally developed by the Netflix Skunkworks security team released back in ~2015, and unfortunately deprecated from future updates around ~2018. While the original creators state that other tools have come along which streamline the process, which may be true, other tools are lacking in the features that I personally want: dynamic customization of payloads, payload templating, and a way to logically sort and filter out all the responses you may get back. These XSS management tools are especially useful when attempting Blind XSS.

Let's quickly cover the risk of Blind XSS. In traditional XSS variants, an attacker is attacking the 'front door' of an application... meaning whatever is user facing. Most commonly you're targeting other users of the same application, or perhaps an administrator account to steal. While you may be able to go several applications deep if this is a portal application, all your attacks typically end up executing at the 'front of the stack.' However, in Blind XSS, an attacker attempts to send malicious payloads through any service they can get their hands on such as APIs, Logging, Headers, Database calls, File Uploads, and more in order to pop a payload somewhere down the stack.

For example, in order to keep up with modern standards and demands of clients, a development team is forced to implement logging across the board for all their APIs... and to meet the demands they decide to log everything and anything from an HTTP request. They're sending these logs to 'XYZ Log Viewer' which someone occasionally checks when errors arise. We decide to start uploading xss payloads inside of the User-Agent calling back to our xss tool of choice. Several days/weeks/months later all of a sudden we've received a callback to our tool! What happened? Well in this hypothetical scenario, let's say the XYZ Log Viewer is vulnerable to some form of XSS, and finally some internal user decided to check the logs and because they've been logging all HTTP data, our User-Agent XSS pops and we get our execution.

These various XSS tools present an attacker the insight on script execution and a feedback mechanism to tailor, and potentially chain, attacks against a given target, especially against services several layers deep typically hidden from an external point of view.

So back to SleepyPuppy, what are its features?

Create templated script variants to share across pentesters
Dynamically update these 'PuppyScript' payloads (in case of error, new features, or de-weaponizing)
Provides a way to have a single generic payload that only requests the data you need
Allows "assessments" to be created which can sort assessment A from assessment B; critical for deploying the tool on a single asset for pentesters
Takes a screenshot upon xss execution
Has Access Logs independent of script execution (handy for troubleshooting or identifying controls)
Actually has Users and Authentication

In future posts I'll touch on why those bullet points above are especially important, and touch on other tools that are missing some (such as ezXSS).

Modern application development has started relying on the LocalStorage and SessionStorage for storing sensitive information and by default SleepyPuppy does not support this unless you stub stealing that data in a generic collector payload. Borrowing this UI idea from ezXSS, I've decided to stub in this information by default into SleepyPuppy payloads, as well as clean up the theme, update the UI to the newest Flask Admin templates, and fix a couple hardcoded url issues. In the near future I'm hoping to take a crack at fixing the Burp Plugin to work with Burp 2.0 in order to allow an easy stub for SleepyPuppy payloads.

https://github.com/randomactsofsecurity/sleepy-puppy

General Approach for XML External Entity (XXE) Testing

Rand — Fri, 19 Apr 2019 22:18:00 GMT

There's a bunch of articles floating around the internet on XML External Entity (XXE) Injection which typically describe various payloads, attack vectors, and general use cases when it comes to this fun vulnerability. However, back when I was first learning about XXE I could never come across a proper thought process for testing XXE. After running into XXE during various penetration tests, I've decided to share how I personally test this vulnerability, and moreover, what my mindset is when I'm on the hunt for XXE.

Check the bottom of this post for some great references and additional guides to XXE which have helped me over the years.

Quick Review: Internal Entities vs External Entities

Before we dive in, knowing the difference between internal and external entities will save you some headache in the long run. Even though internal entities are not as juicy of an attack vector (other than denial of service), they can be very useful as a litmus test for xxe protections.

This is an Internal XML Entity which is used to expand text:


]>

Testing for &my_entity;bar expansion

This will render as: Testing for foobar expansion

And this is an External Entity which is supposed to be used to pull in other XML content


]>

copy.xml could contain the html entity ©

Pull in my external entity &my_external_entity; 2019

Now with that background we can continue on to my personal attack thought process for XXE

DOCTYPE Callbacks

First, can I attempt to load an External DTD and get a DNS (and hopefully HTTP) callback via DOCTYPE declaration? Often times when pentesting an internet facing application firewall rules or network segmentation will block HTTP callbacks; however as an internal pentester, you should be able to receive a HTTP callback most of the times if DNS was at least successful.

The golden response signaling a great chance at XXE will be valid DNS and HTTP callbacks. It's important to remember at this stage, just because we got a connection doesn't mean we'll be able to retrieve any files or perform other malicious actions.

If we do not get back at least a DNS lookup, odds are network controls are preventing any sort of connection from being made which will make life more difficult for stealing files if we end up with an oob exploit. 99% of the time in my XXE experience I've been at least able to obtain a DNS callback, however your results may vary.

Reflection

The next area I'm keying in on is the application request and response. In order for our traditional XXE to be successful, I'm going to need some application request parameter/data reflected back in the response.... with several caveats we'll get to in a second. The questions I ask myself are:

How does a normal request work on the vulnerable endpoint?
Are we getting any reflected content back from our input?

Without understanding or estimating how the application functionally works, or attempting to guess at how its processing request data, you're going to be blindly throwing payloads at the application hoping for an exploit. You're a better tester than that.

Instead, look at the content of the request, try to understand if XML parsing is occurring, or if your request is being transformed in some way. For non XML requests, try to understand why that request type is being transformed back into an XML response (and vice-versa). I've seen first hand XML data inside of JSON requests with an XML response, so pay attention to response types!

To the second question, if our input is getting reflected, great! If not, what about an invalid request, are there verbose errors that would allow our user input to get reflected back there?

For the sake of brevity, the scenario below will be about traditional XML Requests and XML responses.

For example, if we have the following request:

POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


    1337



With the following response:

HTTP 200 OK
Content-type: text/xml


    1337
    Hello_World.txt
    foobar

And an invalid request reflects as:


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


    1337xyzabc



With the following response:

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337xyzabc

We can see that the file_uuid element is reflecting it's data back in the response of the XML processor, we can now use this to our advantage. Once we've established we have reflection, we can begin testing for XXE.

Confirm internal entity expansion to determine if entities are disabled across the board by the XML processor.


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


]>

    1337&internal



Will **hopefully** return the following response:

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337foobar

2. If we have internal entity expansion, let's move on to a pure XXE payload and retrieve a local file. Based on the architecture of the system the application is running on, choose your given payload (Windows vs Linux). Note: I've started using /etc/group in addition to /etc/passwd as payload types due to file system permission restrictions.


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


]>

    1337&xxe;



Will hopefully return a successful file include

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337  root:!:0:0::/:/usr/bin/sh
daemon:!:1:1::/etc:.......

3. Try a parameter variant. While parameters are typically used in out of band variants, they could be fruitful based on your XML processor and it's worth the 10 seconds it takes to check.


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


    
]>

    1337&xxe;



Will **hopefully** return the following response:

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337 contents of file:  root:!:0:0::/:/usr/bin/sh
daemon:!:1:1::/etc:.......

4. If the above has failed, it's time to move on to the Out of Band variants

Out of Band (OOB)

What we're referring to with 'Out of Band (OOB)' XXE (sometimes referred to as blind) variants is utilizing XML parameter entities to send the contents of our file to an attacker controlled webserver. What we're attempting to do is retrieve the contents of a given file and then steal one line of that data via a GET request to a local webservers access logs that we're monitoring.

As an attacker, I will typically spin up a python HTTP or HTTPS SimpleHTTPServer module in order to serve up my various XML payloads. Here is a link on how to setup a HTTPS variant of this module.

From my personal experience with oob xxe variants, there is a single requirement which needs to be met in order for you to continue on to more interesting exfiltration vectors such as FTP (for multiline file retrieval):

The parameter nested inside of an entity must expand when called


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


    
]>

    1337 &xxe;



Can return any response, but on your webserver you will check for expansion

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337

XXE Python Simple HTTP Server

If you were successful, congrats you've got OOB XXE and can exfiltrate data one line at a time via a GET request in your access logs.

If you do not recieve a GET to /foobar, and instead recieve a GET /%param we're going to have to dive quite a bit deeper into various request types. The next major variant will be attempting to force the entity itself to be written to the doctype and trigger the expansion, rather than triggering the expansion inline. There are several different types of payloads here which all may work (we're starting to have to guess a bit and see what sticks):


POST /get_file HTTP/1.1
Host: blah.com
Content-type: text/xml
Content-length: 0


    %param;
    %p;
]>

    1337 &xxe;


Our External DTD file contains the following:
--------------------

">

Can return any response, but on your webserver you will check for expansion

HTTP 404 NOT FOUND
Content-type: text/xml


    Could not find file with uuid 1337

XXE Showing /etc/group line 1 returned

%param gets called which triggers a connection to our remote server for the "dtd.xml" file.
%p has been loaded into the namespace of our current XML, so we can now trigger %p to load which will write the xxe entity to the namespace.
During this write the %exfil parameter is expanded which triggers a file retrieval of /etc/group and stores it in the %exfil parameter.
Lastly, &xxe; is called which triggers the data to be exfiltrated back to our server and the first line of root is retrieved and logged.

If that example does not work, feel free to seek out more additional payloads at this time as they all follow that same structure for the most part. It all revolves around how the XML processor will actually expand out the parameters when doing HTTP connections.

Wrap Up

At a high level, that was my basic approach to testing for XXE. There are a lot more payloads and examples that I have not covered as there not really necessary and other articles are more detailed on them (see staaldrads FTP link at the bottom). I'll continue to update this page as I flesh out and discover new techniques for XXE testing.

References

Note	Link
XXE Payloads	PayloadAllTheThings XXE
XXE Payloads 2	staaldraad XXE
Whitepaper (A must Read)	VSecurity XML DTD Entity Attacks
XXE Overview Slides	OWASP XXE Presentation
Whitepaper (A must Read)	VSecurity XML DTD Entity Attacks
Forcing Errors	NetSpi Forcing XXE Reflection
FTP XXE	staaldrad XXE via FTP