Categories
Web Application Security

Introduction to Burp Suite Pro

Burp Suite is, as far as I’m concerned, the de facto tool for Web Application Assessments. It’s simple to use and takes little time to get the hang of, but to make sure you’re making the most out of your toolset, I thought I’d post a quick introduction to run through the main tabs and features.

Burp Suite is a man-in-the-middle proxy which can intercept HTTP/HTTPS data from web browsers and mobile applications and allow you to read, modify, and repeat requests to servers. It can detect and monitor WebSockets. It’s ideal for testing for a range of security issues within applications. It can automate many of the tasks required for an effective penetration test and it’s even extensible!

Categories
Build Security

PrivEsc: DLL Hijacking

I posted earlier about Privilege Escalation through Unquoted Service Paths and how it’s now rare to be able to exploit this in the real world due to the protected nature of the C:\Program Files and C:\Windows directories. It’s still possible to exploit this vulnerability, but only when the service executable is installed outside of these protected directories, which in my experience is rare. Writing that post though got me thinking about another method of privilege escalation which I think is a little more common to see – DLL Hijacking.

Categories
Infrastructure

PrivEsc: Insecure Service Permissions

I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s a pretty simple issue really; generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to instead of the default configuration, allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!

Categories
Build Security

PrivEsc: Unquoted Service Path

A couple of days ago I posted an article about the first steps an attacker would likely take to perform a desktop breakout attack. Where that post left off was at the point of looking for privilege escalation from domain user to local administrator.

Categories
Build Security

Windows Desktop Breakout

Many organisations “lock-down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on the overall domain security. Many desktop restrictions can slow down an attacker but it’s often possible to “break-out” of the restricted environment. Both assessing and securing these desktop environments can be tricky, so I’ll run you through how I assess them here, highlight some of the tricks and the methodology that I use with the intention that both breakers and defenders can get a better look at their options.

Categories
Infrastructure

The Myth of Account Lockout: Observation Windows

During Penetration Tests I often gain access to a selection of domain user accounts on my path to compromising a domain admin account. This is often a requirement these days for enumerating domain policy and also it’s quite common to find standard user accounts that have access to interesting information, such as HR or Finance accounts with access to staff and payroll information or a user with VPN access. During the post-engagement meeting with clients they’re often shocked at how I could launch online brute-force attacks against accounts without locking them out.

Categories
Web Application Security

JSONP Vulnerabilities

Same Origin Policy (SOP) is a key security mechanism within the browser that I’ve written about previously. In short, it prevents applications at different origins from interacting with each other. An origin is defined as the domain name, application protocol, and port number.

There are now features in HTML5 that allow cross origin communication, called Cross Origin Resource Sharing and Cross Domain Messaging (postMessage), which address the possible business need for cross origin sharing; however, before this a workaround was developed called JavaScript Object Notation with Padding (JSONP).

Categories
Web Application Security

HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

Categories
Breach

Data Breaches and Stock Prices

When talking to companies about the effects of hacking and data breaches I often discuss the effect on stock prices and the potential for brand damage – but does a security breach really cause a noticeable effect on share prices? Incidentally, I was recently working on a script to pull historical stock data for companies at specific dates. So I figured I’d test drive the new script and pull some historic data for companies immediately following a breach, to show the ultra-short-term effect on their share price. I offer my raw data here without analysis and allow you to draw your own conclusions. It’s pretty interesting to see the initial drops in stock and the patterns that affect all companies and all breaches regardless of how well the breach is handled.

Categories
Infrastructure

PrivEsc: Group Policy Preference Passwords

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or scheduled tasks (including credentials to run as), and mounting of network drives when a user logs in (including connecting with alternative credentials).

GPPs are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers, and when a user logs in their system queries the share and pulls down the policy.

This essentially means that a share exists on the domain controller which any domain user can access and which contains other user account credentials, possibly including a local administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.