Boooooom · 2015/08/11 offense

0x01 Background


Why discuss gaining access to the intranet as a goal? Because, from the attacker's point of view, the core goal of an attack is to obtain data. Relatively speaking, almost all the data an attacker wants lives on the intranet, and, also relatively speaking, the intranet's own defensive capability is almost zero. Therefore, finding a breakthrough from the outside into the internal network is the most critical link in the whole process of obtaining data.

Based on this topic, I originally wanted to talk about the means of getting into the intranet from the periphery. A preliminary review sorted them into two categories: legitimate entrances and illegitimate entrances. The legitimate entrances are the channels the enterprise itself provides from the outside to the inside, mainly VPN, mail and wifi. For the VPN and mail entrances, most of the attack methods we see rely mainly on large collections of user names (http://zone.wooyun.org/content/18372) and passwords. For wifi, I think the wifi master key is a typical entrance (WooYun: see how I use the wifi master key to physically navigate through the Intranet). Illegitimate entrances take advantage of vulnerabilities in applications, hosts and services deployed on the border; these are all kinds of common bugs that I won't go into here.

Nor do I want to go over all of the above again in this article; space is limited, and each of these points has been discussed at length by many people before, probably better than I could. So I would rather talk about what is spoken of less, or not at all. Returning to the theme: for a big Internet company, I think the key is to strike at the one decisive point. So the ultimate question is: where is the lifeblood of a big company? With that ultimate question in mind, let's go on.

0x02 Entering the border, and losing the border


So where is a big company's door? Since we want to enter the internal network from the periphery, one thing we must do is cross the border, so we should naturally look for this door at the border between the enterprise's internal and external networks.

Why does an enterprise need to deploy such a boundary between the intranet and the extranet? Take a big business: it will have hundreds or even thousands of lines of business, while the security team may have a few dozen people. A few dozen people obviously cannot guarantee the safety of thousands of lines of business by stationing someone on each one, so when the enterprise thinks about how to defend, it chooses regional defense.

Regional defense means placing the important services and data to be protected in a designated area, isolating that area, specifying a firewall policy for entering it, and then conducting regular security checks on the area.

If this works well, everything looks perfect. In reality it is not satisfactory. In an enterprise the business department is usually stronger than the security department, as I believe we all know, and this causes a problem: the security department always wants to fence the business in with all kinds of strict policies and norms, while the business unit, under rapid business iteration, finds it hard to execute your strategy rigorously. They will require you to tailor a strategy for their particular business scenario, or even set up enclaves outside the isolation area, and this is not uncommon. As a result, the security department has more and more policies and specifications to maintain, which directly leads to poor implementation of those policies and specifications. Now that we know some of the problems with enterprise defense, how do we turn them into attack testing?

Above we mentioned two very important links: one is formulating the specification and implementing it, the other is checking compliance with the implemented specification (the security inspection). So what can go wrong with these two links? One is intranet services exposed externally, bypassing the boundary control entirely; the other is the blind spot of compliance detection: vulnerability scanning.

0x03 Attack idea: internal network services exposed directly to the outside


Let’s start with a picture:

In the picture, when I send an HTTP request to port 80 of a public IP, it returns a piece of JavaScript which, when executed, redirects straight to http://passport.oa.com/passport/… But I found that an address like passport.oa.com was actually not accessible, because it resolves to an intranet IP address. That seems odd: why does accessing a public IP redirect to an intranet address? Look at the domain name, passport.oa.com; from the name it seems to be the unified login authentication address of the oa (office network). What does that mean? Let's venture a guess: the server behind the public IP actually hosts an internal service, which seems a reasonable explanation. To test my idea, I did a batch probe of all the IP addresses in the company's C-segment with an open HTTP service, and found something equally interesting:

If you visit with a Host name that points to the internal network (.oa.com), it redirects to an internal service address; if you visit with a Host name that points to the external network (.qq.com), it redirects to an external service address. So I simply bound this IP to the host name locally to test it:

According to the returned content, it is indeed an intranet service.

Let's analyze further why such problems arise. I think there are probably several reasons:

  1. A problem in the go-live process: applications that are supposed to be deployed on the intranet end up on a machine that has Internet access, so the security check before going live is flawed.
  2. A problem in the management of the machine's network permissions. Perhaps the machine applied for short-term Internet access, but the permission was not withdrawn when it expired, so others who later used this server did not know it had Internet access.

0x04 Mining for internal services exposed externally


First, obtain the target enterprise's asset information, that is, its IP and domain-name information. Then collect banner information from the extranet domain names and IPs obtained. Then decide whether an IP or domain name has the exposed-internal-service problem by examining the characteristics of the returned banner. The specific characteristics are as follows:

  1. Characteristics of the returned headers, such as a Location field that redirects directly to an intranet IP address or domain name.

  2. Characteristics of the returned body: the body contains an intranet IP or domain name, or certain keywords, such as a title containing "internal XXX system" and so on.

In addition, some common internal domain names can be forcibly bound to the public IP addresses for enumeration, and the returned packets judged by the same characteristics.
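The two banner checks described above, turned into a compliance check a security team can run over banners captured from its own address space. This is an added example, not code from the original post; the .oa.com suffix comes from the text, while the title keyword list and the sample banners are constructed assumptions.

```python
import ipaddress
import re

# The .oa.com suffix is the one from the text; the title keyword list is a hypothetical starting point.
INTERNAL_SUFFIXES = (".oa.com",)
TITLE_KEYWORDS = ("internal",)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return int(status_line.split()[1]), headers, body

def is_private_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private   # RFC 1918, loopback, link-local
    except ValueError:
        return False                                   # not an IP address at all

def internal_indicators(text: str) -> list[str]:
    """Intranet IPs and internal host names referenced in a header value or body."""
    found = [ip for ip in IP_RE.findall(text) if is_private_ip(ip)]
    found += [h for h in HOST_RE.findall(text) if h.lower().endswith(INTERNAL_SUFFIXES)]
    return found

def classify_response(raw: str) -> list[str]:
    """Apply the two banner checks from the text: Location header first, then body content."""
    status, headers, body = parse_response(raw)
    findings = []
    location = headers.get("location", "")
    if 300 <= status < 400 and internal_indicators(location):
        findings.append(f"redirect to intranet: {location}")
    findings += [f"body references intranet host: {h}" for h in internal_indicators(body)]
    title = TITLE_RE.search(body)
    if title:
        findings += [f"title keyword: {k}" for k in TITLE_KEYWORDS if k in title.group(1).lower()]
    return findings

# Constructed sample banners (not real captures) covering the cases described in the text.
SAMPLES = {
    "js-redirect": "HTTP/1.1 200 OK\r\n\r\n<script>location.href='http://passport.oa.com/passport/';</script>",
    "location-header": "HTTP/1.1 302 Found\r\nLocation: http://10.1.2.3/login\r\n\r\n",
    "internal-title": "HTTP/1.1 200 OK\r\n\r\n<html><title>Internal OA Admin System</title></html>",
    "clean": "HTTP/1.1 302 Found\r\nLocation: http://www.qq.com/\r\n\r\n<title>Welcome</title>",
}
```

A JavaScript redirect like the one in the picture is caught by the body check rather than the Location check, which is why both are needed.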

Related cases:

  WooYun: Some internal business of Tencent has multiple SQL injections (a small number of QQ account passwords leaked, base64-encoded)
  WooYun: From a PHPInfo to a Tencent intranet roaming tour by the wayside

0x05 Attack idea: vulnerability scanning


Vulnerability scanning is a typical blind spot of enterprise compliance testing, specifically the detection of backup files and test code files. This relies entirely on brute-force dictionary enumeration. Test files left behind by development and backup files left behind by operations generally cannot be found by a crawler and can only be enumerated by dictionary. Two problems then arise in black-box security detection:

  1. The brute-force dictionary is limited. It is not that an enterprise cannot write a very long dictionary, but that it needs to periodically scan thousands of domain names and IP addresses; if the dictionary file is too large, the scan cycle inevitably becomes too long and consumes too many resources.
  2. Some test files do not have obvious vulnerability characteristics and need manual judgment to assist. Large enterprises have too many targets for much manual participation, which leads to missed findings.

Based on these two shortcomings, an attacker can first enumerate the target enterprise's domain names and IPs with a dictionary, and that dictionary can be as large as possible, because the attacker does not need to worry much about scanning time and can let it run slowly. The judgment of the scan results can then use some looser rules: for example, judging only whether a file exists, such as by the size of the returned content; or noting any sensitive keywords, such as "internal system" or the array structure of test output, writing them down first, and then assisting with manual judgment. Of course, manual judgment also has its tricks: for example, you can iframe 50 potential targets on one page at a time and recognise them visually by experience.
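The defender's side of the same blind spot, as an added example that is not from the original post: a check over web access logs that spots a dictionary run against backup and test file names and, more importantly, any such file that actually answered 200. The sensitive-name pattern and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Names the text says crawlers never find and only a dictionary reaches: operations
# backups and developer test files. The pattern list here is an illustrative assumption.
SENSITIVE_RE = re.compile(r"\.(bak|old|swp|zip|tar\.gz|sql)$|/(test|phpinfo|info)\.php$", re.I)
# Common Log Format: client ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def detect_enumeration(lines: list[str], threshold: int = 5) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (clients with >= threshold 404s on sensitive paths, successful (client, path) hits).

    The first list shows a dictionary run in progress; the second shows a backup or
    test file that really exists and should be removed before a scanner finds it.
    """
    misses: dict[str, int] = defaultdict(int)
    hits: list[tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than crash
        client, _method, path, status = m.groups()
        path = path.split("?", 1)[0]       # ignore query strings when matching names
        if not SENSITIVE_RE.search(path):
            continue
        if status == "404":
            misses[client] += 1
        elif status == "200":
            hits.append((client, path))
    enumerators = sorted(c for c, n in misses.items() if n >= threshold)
    return enumerators, hits

# Constructed sample log (not a real capture): one client walking a backup-file
# dictionary and finding a forgotten test script, alongside ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2015:10:00:01 +0800] "GET /www.zip HTTP/1.1" 404 209',
    '198.51.100.7 - - [11/Aug/2015:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Aug/2015:10:00:02 +0800] "GET /backup.sql HTTP/1.1" 404 209',
    '203.0.113.5 - - [11/Aug/2015:10:00:02 +0800] "GET /db.bak HTTP/1.1" 404 209',
    '198.51.100.7 - - [11/Aug/2015:10:00:03 +0800] "GET /favicon.ico HTTP/1.1" 404 209',
    '203.0.113.5 - - [11/Aug/2015:10:00:03 +0800] "GET /index.php.bak HTTP/1.1" 404 209',
    '203.0.113.5 - - [11/Aug/2015:10:00:04 +0800] "GET /.index.php.swp HTTP/1.1" 404 209',
    '203.0.113.5 - - [11/Aug/2015:10:00:04 +0800] "GET /test.php?x=1 HTTP/1.1" 200 873',
]

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```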

Here are some examples discovered in this way:

http://wooyun.org/bugs/wooyun-2015-092833

http://wooyun.org/bugs/wooyun-2015-0122949

0x06 Written at the end


For a large Internet company, it is not that their security work is not good enough, but that they have to consider a whole surface while the attacker needs only a single point. Digging deep at one point, one can certainly find a breakthrough; and although the enterprise's own security keeps raising the attack threshold, it is not watertight.

For both the attacker and the defender, the ability to detect security problems is the core determinant of this lasting offensive and defensive battle. Therefore, we can expect TangScan, by combining all the forces of white hats, to have the strongest ability to detect security problems.