Th1nk Y0u C4n h4cK $h4r3P0inT Liam Cleary
4b0uT M3
• Solution Architect @ Protiviti
• 7 Time SharePoint MVP
• Cover Everything-SharePoint
  • Development
  • Branding
  • Design
  • Architecture
  • Security
• Dream about SharePoint, well sometimes
H4ck3r M4n1f3sT0
"This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. I am a hacker, and this is my manifesto."
"You may stop me, but you can't stop us all."
WhY 4 S3$s1oN 4b0uT H4ck1nG
• Famous WikiLeaks
  • "Wget" scripts targeting SharePoint downloads
  • 250,000 government cables sent to WikiLeaks
• Famous Snowden
  • Released massive amounts of documents
  • Multi Government Involvement
  • Tried to blame SharePoint
WhY 4 S3$s1oN 4b0uT H4ck1nG
• Large Hacks
Persona: Th3 H4ck3r
• Two different Types, Hackers and then Virus Writers
• Script Kiddy
  • Using freely available tools
• Veteran Hacker
  • Custom Tools, Written themselves
  • "Paid to Hack"
• External to the Organization / Company
• Anonymous, no trace – Secure VPN or Tor
• Loves: AutoBot & Denial of Service
• Backdoor Exploits
• Worst Nightmare
Hacker: T0oL$
• Manual: SharePoint "Brute-Force"
  • Test access for common URLs
• Google
  • inurl:"/_catalogs/wt/" – various syntax
• Bing
  • instreamset:url:"viewlsts.aspx"
• Nmap
  • Access Central Administration
  • Shared Services
  • Web Service Endpoints
• RegEx Tools
• SHODAN searching – "WWW-authenticate", "MicrosoftSharePointTeamServices: 12/14/15"
Hacker: Wh4T i$ tH3r3 t0 $e3 4nD F1nd?
• Web Services Exposed
  • inurl:"_vti_bin/spdisco.aspx"
  • http://fuzzdb.googlecode.com/svn/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt
• "_layouts/viewlsts.aspx" can equal potential data leakage
• "_vti_bin" – some functionality available without Authentication
  • WACProxy.ashx
• User Enumeration: "/_layouts/userdisp.aspx?Force=True&ID=1"
• "_vti_inf.html" exposes internal Front Page Extensions
• Common functionalities available to all users – not always
  • SearchPrincipals (People.asmx)
  • GetAllUserCollectionFromWeb (UserGroup.asmx)
Hacker: Wh4T i$ tH3r3 t0 $e3 4nD F1nd?
• Cross Site Scripting (XSS)
  • http://{siteurl}/Lists/Calendar/calendar.aspx?test=<script>javascript:alert('XSS');</script>
• 3rd Party components, such as web parts
  • http://{siteurl}/_layouts/{Vendor Name Removed}.Feature/userpresensesvc.ashx?userID=68&userProfileUrl=http://{site url}/_layouts/userdisp.aspx?ID=68
• wget -r -A pdf --no-check-certificate https://{siteurl}/Forms/AllItems.aspx
• REST API Endpoints
  • http://{siteurl}/_api/search/query
  • http://{siteurl}/_api/search/postquery
  • http://{siteurl}/_api/search/suggest
  • http://{siteurl}/_api/web/lists
  • http://{siteurl}/_api/web/siteusers
  • http://{siteurl}/_vti_bin/client.svc
D3m0 h4Ck3r: H4cK1ng Sh4r3P0inT
Persona: Th3 H4cK3r$
• Hackers
  • The real world hackers
• Employees
  • The ones you always trust, though you shouldn't
• Developers
  • No-one trusts these guys
• Administrators
  • "We have the Power"
Administrator: Pr0t3cT1on T0oL$ 4nd 4pPr04ch
• Firewalls
  • Server Firewall
  • Hardware Firewall
• Content Inspection Software
• Content Inspection Appliances
• Network Monitoring
  • Wireshark
  • Many Hacker / Security Linux Distros
• Configure it correctly
  • Only allow permissions where needed
• Use Audit Checking Tools, 3rd party tools or open source such as Sushi
$eCuR1ty G3n3r4l
Security: Pr0t3cT1on L4y3r$
• Database
  • Restrict Port Access – Non Standard Ports (more obscurity)
  • Encrypt the Database / Disk
• Application
  • Restrict Port Access through Firewall Policy
  • Location Path – web.config
• Web
  • Restrict Port Access through Firewall Policy
  • Location Path – web.config
• Perimeter
  • SSL Encryption & Inspection
  • Edge Firewall – Port 80 / 443
  • Offload Authentication – Delegation (remove standard Windows Auth prompt)
Security: D4taB4s3 F1r3w4ll R^l3s
• netsh advfirewall firewall add rule name="SQLServer" dir=in action=allow protocol=TCP localport=1433 profile=DOMAIN
• netsh advfirewall firewall add rule name="SQL DAC" dir=in action=allow protocol=TCP localport=1434 profile=DOMAIN
• netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434 profile=DOMAIN
• netsh advfirewall firewall add rule name="Mirroring EndPoint" dir=in action=allow protocol=TCP localport=5022 profile=DOMAIN
• netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022 profile=DOMAIN
• netsh advfirewall firewall add rule name="T-SQL Debugger" dir=in action=allow protocol=TCP localport=135 profile=DOMAIN
Security: $h4r3P01nT F1r3w4ll R^l3s
• netsh advfirewall firewall add rule name="SharePoint HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 profile=DOMAIN
• netsh advfirewall firewall add rule name="SharePoint Cache" dir=in action=allow protocol=TCP localport=22233-22236 profile=DOMAIN
• netsh advfirewall firewall add rule name="SharePoint Farm Communication (TCP)" dir=in action=allow protocol=UDP localport=389,464 profile=DOMAIN
• netsh advfirewall firewall add rule name="SharePoint Search" dir=in action=allow protocol=TCP localport=16500-16519,445,137-139,5725 profile=DOMAIN
• netsh advfirewall firewall add rule name="SharePoint Workflow" dir=in action=allow protocol=TCP localport=9354-9356,9000 profile=DOMAIN
Security: Wh3r3 t0 $t4rT?
• Page Lockdown
• Fix Security Slip-Ups
  • No Automated Approach
  • Claims "OR" not "AND" processing
• Comply with Compliance and Governance Policies
  • Administrator can modify or delete logs
  • No built-in forensic capabilities
• Secure Web Site
  • SQL injection, Brute Force Password Attack and Cross Site Scripting
  • Understand SharePoint is SQL
  • Privileged Users could hack Permission for SharePoint
• Fix Search Engine Visibility
  • Mississippi National Guard apologized for exposing personal data through public SharePoint Site
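Since the deck notes there are no built-in forensic capabilities, the IIS logs are where the reconnaissance it describes actually shows up. The script below is an added example (not from the deck or its author): it parses IIS W3C log lines and flags the indicators listed on the earlier slides, namely hits on the _vti_bin / _vti_inf / viewlsts / _api endpoints, sequential userdisp.aspx ID enumeration, a script tag in a query string, and wget-driven bulk downloads. The log lines are constructed, and the endpoint list and enumeration threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoints the deck lists as recon/leakage targets, matched as path suffixes so they
# are caught under any site collection (e.g. /sites/hr/_layouts/viewlsts.aspx).
RECON_PATHS = ("/_vti_bin/spdisco.aspx", "/_vti_inf.html", "/_layouts/viewlsts.aspx",
               "/_vti_bin/client.svc", "/_api/web/siteusers", "/_api/web/lists")
XSS_PROBE = re.compile(r"<script|javascript:", re.IGNORECASE)
ENUM_THRESHOLD = 3  # assumed: distinct userdisp.aspx IDs from one client before flagging
# Constructed sample IIS W3C log (not real traffic); the #Fields: header drives the parser.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2014-05-01 10:00:01 GET /sites/hr/Lists/Calendar/calendar.aspx - 192.0.2.10 Mozilla/5.0 200
2014-05-01 10:00:02 GET /_vti_bin/spdisco.aspx - 198.51.100.7 Mozilla/5.0 200
2014-05-01 10:00:03 GET /_vti_inf.html - 198.51.100.7 Mozilla/5.0 200
2014-05-01 10:00:04 GET /_layouts/userdisp.aspx Force=True&ID=1 198.51.100.7 Mozilla/5.0 200
2014-05-01 10:00:05 GET /_layouts/userdisp.aspx Force=True&ID=2 198.51.100.7 Mozilla/5.0 200
2014-05-01 10:00:06 GET /_layouts/userdisp.aspx Force=True&ID=3 198.51.100.7 Mozilla/5.0 200
2014-05-01 10:00:07 GET /sites/hr/Lists/Calendar/calendar.aspx test=%3Cscript%3Ealert(1)%3C/script%3E 203.0.113.9 Mozilla/5.0 200
2014-05-01 10:00:08 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 203.0.113.9 Wget/1.15 200
"""

def parse_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields: header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def analyze(text):
    """Return {client_ip: {finding: detail}} for requests matching the deck's indicators."""
    ids_seen, findings = defaultdict(set), defaultdict(dict)
    for r in parse_w3c(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        query = unquote(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else ""
        if stem.endswith(RECON_PATHS):
            findings[ip].setdefault("recon_paths", set()).add(stem)
        if stem.endswith("/_layouts/userdisp.aspx") and (m := re.search(r"(?:^|&)id=(\d+)", query, re.I)):
            ids_seen[ip].add(int(m.group(1)))
        if XSS_PROBE.search(query):
            findings[ip]["xss_probe"] = r["cs-uri-stem"] + "?" + query
        if r["cs(User-Agent)"].lower().startswith("wget"):
            findings[ip]["scripted_download"] = r["cs(User-Agent)"]
    for ip, ids in ids_seen.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings[ip]["user_enumeration"] = sorted(ids)
    return dict(findings)
```

Run it against a real log with `analyze(open(path).read())`; the benign calendar view from the first client produces no finding, while the two probing clients are reported with the reason.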
F1n4l Th0uGht$
• Pentest your SharePoint Site – plenty of tools out there for this
  • Internal – Choice
  • External – No Choice
• Ensure Latest Patches – my rule is to be two CUs behind, unless you need the CU for a bug
• Users will find a way of getting into content, just as they did with file shares
  • Mostly legal ways of doing it too!!
• Hackers will always try to circumvent security
• Learn how to hack!! Just kidding
  • At least learn how to protect against the hack
• Make Security Top Priority
• Learn how to publish SharePoint correctly and securely
R3s0uRc3$
• SharePoint URL Endpoints (use in Google) – http://blog.helloitsliam.com/Presentations/Urls.txt
• Is Your SharePoint Secure – Part 1 – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=100
• Is Your SharePoint Secure – Part 2 – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=101
• Is Your SharePoint Secure – Part 3 – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=103
• Is Your SharePoint Secure – Part 4 – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=105
• Hacking versus Misconfiguration – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=115
• Is Your SharePoint Vulnerable? – http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=116
Contact & Thank You
• Blog: http://blog.helloitsliam.com, http://helloitsliam.azurewebsites.net
• Twitter: @helloitsliam, @hacksharepoint
• Email – Work: liam.cleary@protiviti.com, Personal: liamcleary@hacksharepoint.com