Demo: Security Misconfiguration

Time: 3 hours 30 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
00:00
In the written lesson, I talked about using this tool called Shodan. Now Shodan is like a Google for hackers. It's basically something that goes out there and looks for open ports. We talked about exposed ports being a danger: people leaving ports exposed to the Internet, also searching for things like banners. I talked about a security researcher that looks for things like exposed versions of Jenkins. In this demonstration, I'm not going to do Jenkins, I'm going to do JBoss.

Just like it's important for developers to understand the applications or middleware that they're deploying, it's important for us as attackers to also understand the default configuration settings, the potential misconfiguration of things like JBoss, what it is, what it does. I know that it deploys Java applications. I know there's a lot of exploits that we can use in things like Metasploit. There's also things like Exploit DB that we could use to exploit JBoss.

All that being said, I found JBoss 4.2.3, which is very outdated, on this server here. Now, I'm not going to actually go to this server. I don't want to do anything that could be construed as hacking because I don't have permission. That's what separates the good guys from the bad guys, or good hackers from the bad hackers, cyber criminals I should say: the fact that I don't have permission to access this server or exploit the server. I'm going to stop right here. All that being said, I found this using Shodan (the researcher used Jenkins), but I'm not going to go any further from here. This is just to show you that I can look at X-Powered-By. We have Servlet 2.4, the JBoss version, things like that.

What I did is I deployed a version of JBoss locally. You'll see, if we're in Shodan searching for open ports, we can see the X-Powered-By: Servlet 2.5, JBoss 5.0, JBoss Web 2.1, and I come across this server here. Now I'm already at the admin console. Let's go back here. We can see there's juicy information. Of course the admin console, for me as a hacker or pen tester, that's the first thing I want to look at. The JMX console, the JBoss web console, Tomcat, we can look at the status and things like that. It's important to know what all these are. That's why I said it's good to have a background in system administration, network administration, application administration, with things like setting up a Tomcat server, what those are and what they do. Now, I have to do research as a hacker; it's equally as important for me to understand what the JMX console is, what the web console is, what the administration console is.

Now, I can look up the default credentials for JBoss. I know it's admin, admin. Now, the developer hasn't changed the credentials. I can log in as admin; you can see I just did that here.

What I'm going to do is use a tool. I'm going to use a tool called JexBoss. This is good for Purple Team, for Blue Team, to check and see if JBoss is vulnerable. I'm going to run that now. It's checking. I can see some interesting information. I can see that the JMX console is vulnerable, the web console is vulnerable, the Invoker Servlet is vulnerable, and the admin console is exposed. I verified that the admin console is exposed. This is going to try to run automated exploitation; it's going to do it in a few different ways.

Now, because I know the admin console is exposed, let's just take a look at the WAR files that are deployed. I know this is Java that uses WAR files. I see these three here. Now it's important to know what the tools you're using do as an attacker. I'm going to say no to the JMX console. I say no to the web console. I am going to say no to the JMX Invoker Servlet. I'm going to say yes to the admin console. This is going to deploy a shell. It's trying to perform authentication with default credentials. Again, the danger in having default credentials is this Python script already has that installed to look for default credentials. Successfully deployed code, so it's successfully deployed a WAR file.

Let's take a look at our WAR files again, see if anything's changed. You can see here that we do have a new WAR file. This is the exploit here, and now we can see that we have a shell; we're the root user. This is bad segmentation because now I've got access to the full box. As a pen tester I already cat /etc/passwd to see what users are on here, and I want to cat /etc/shadow to see if any hashes are in there. This is Docker, so most likely not, and we don't see any hashes in there. But now using this tool, JexBoss, I now have full access to this server. I know what it does. As a good hacker I know what my tools are doing. I know if I wanted to talk to the developers, they could then delete this WAR file because I know that that's what was deployed in the console, to clean it up. Because as a good pen tester, it's important for me to talk to the developers and let them know exactly what I did to exploit the server. I can exit out of here. You can see you can make a bitcoin donation, and our results are: potentially compromised server.

That's all to show you the dangers of misconfiguring this middleware, this JBoss server here, where I've left port 8080 exposed. If this is something like an EC2, if I've left port 8080 exposed to the internet, someone can, of course, access that. Someone can then try to go to the admin console. Again, searching in things like Shodan and finding the fact that the JBoss server is running, go to the admin console, log in and deploy a malicious WAR file and achieve remote code execution, or upload a shell from there and perform malicious actions from there, especially as the root user. That is the danger of security misconfigurations.