Behind Enemy Lines

Administrative Web Application Attacks

Rafael Dominguez Vega

12th of March 2009

2

Main Objectives

• Insecurities

• Impact

• Attack Techniques

3

A little about me ...

4

What this talk will cover

• Intro

• DHCP Script Injection Attack

• SSID Script Injection Attack

• Scanning for Webmin Servers Attack

• Recommendations, Summary & QA

5

Introduction

6

Administrative Web Interfaces

• Administer Systems and Networks

• Help Administrators

• Most Network Systems have One

7

Why should they be secured?

• Vulnerable as any other Web Application

• Highly Privileged Access

• Different Services, Systems and Protocols

• Used in “Trusted Environment”

8

Today’s Web Application Attacks

• User Input Validation

• Security Best Practice

• Out of Band Channels

9

DHCP Script Injection Attack

10

DHCP “HandShake”

11

DHCP Request Packet

12

DHCP Script Injection Attack

• Active DHCP Leases List

• Attacker located in same LAN

• To Be Vulnerable

13

DHCP Script Injection Attack

14

DHCP Script Injection Attack

15

DHCP Script Injection Attack

16

DHCP Script Injection Attack

17

DHCP Script Injection Attack - DEMO

• pfSense

• Tool

• Remote Command Execution

18

SSID Script Injection Attack

19

SSID Script Injection Attack

• 802.11 Protocol

• Management Beacon Frames

• Malicious Code in SSID

20

SSID Script Injection Attack

• “Scan for Neighbours AP” Functionality

• Attacker located in Wireless Range

• Max. SSID length = 32 Characters

• SSID1/** **/SSID2 = 64 Characters

• Access to Internet Attacker Server

21

SSID Script Injection

22

SSID Script Injection

23

SSID Script Injection

24

SSID Script Injection

25

SSID Attack - DEMO

• Linksys – DD-WRT firmware

• Tool

• Disable Wireless Encryption

26

Scanning for Webmin Servers Attack

27

Webmin

28

Scanning for Webmin Servers

29

Scanning for Webmin Servers Attack

• Attacker located in same Network

• Redirect user to fake Webmin Server

• Obtain Administrator Credentials

• CSRF

30

Scanning for Webmin Servers Attack

31

Scanning for Webmin Servers Attack

32

Scanning for Webmin Servers Attack

33

Demo

34

Webmin Web Based Attack Propagation

35

Webmin Web Based Attack Propagation

36

Webmin Web Based Attack Propagation

37

Webmin Web Based Attack Propagation

38

Webmin Web Based Attack Propagation

39

Webmin Web Based Attack Propagation

40

Webmin Web Based Attack Propagation

41

Webmin Web Based Attack Propagation

42

Webmin Web Based Attack Propagation

43

Webmin Web Based Attack Propagation

44

Webmin Web Based Attack Propagation

45

Webmin Web Based Attack Propagation

46

Webmin Web Based Attack Propagation

47

Webmin Web Based Attack Propagation

48

Webmin Web Based Attack Propagation

49

Webmin Web Based Attack Propagation

50

Webmin Web Based Attack Propagation

51

Recommendations

52

Recommendations

53

Recommendations

• Assess Deployment

• Do not Trust your Internal Network

• Penetration Testing

• Strict Security Policy

• Risk Management

54

Summary

• Vulnerable as any other Web Application

• Additional Attack Vectors

• “Scanning”, “Detecting “ ,“Finding” Functionality

• Risks Increased

• Used in “Trusted Environment”

55

References & Further Reading

Project Web Site:

http://labs.mwrinfosecurity.com/

Contact Me

rafael.dominguez-vega( )mwrinfosecurity!com

56