Everyone Matters In Infosec 2014
Presentation about how everyone, no matter what their role in securing an organization is, can make a difference. Sometimes it is about taking a little vulnerability like the IIS Tilde Directory Enumeration vulnerability and making a better exploitation tool. Or perhaps contributing in other ways.

Published in: Technology
  • Ever start something out that you thought was one thing and morphed to another? Yeah, that is this talk.
  • As a senior infosec engineer, I mentor junior staff. They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?” I tell them…
  • This is so true! I’ve been backpacking and had that annoying buzzing in my tent. I didn’t sleep at all. Same is true for vulnerabilities. Sometimes the small ones matter the most. Don’t ignore them.
  • Transcript

    • 1. Everyone matters in infosec: IIS TILDE ENUMERATION (RE)EXPLOITED
         Micah Hoffman @WebBreacher
    • 2. Who am I?
         ◦ Infosec Engineer / Pentester
         ◦ NoVA Hacker
         ◦ PwnWiki.io Curator
         ◦ Recon-ng module Writer
         ◦ SANS Instructor (SEC542)
         ◦ Hiker / Backpacker
         Novahackers.com
    • 3. Sometimes it is the little things…
    • 4. We can all contribute
         ◦ System Admins
         ◦ Management
         ◦ Developers
         ◦ Testers
         ◦ Database Admins
         ◦ Students
    • 5. Ask yourself….
    • 6. Low Risk Web Vulnerabilities
         Things not directly exploitable
         Information Leakage
         ◦ Directory Listings
         ◦ Detailed Errors
         ◦ Configuration Pages
         ◦ IIS Tilde Enumeration
    • 7. What is this vuln?
         IIS Tilde Enumeration Vulnerability
         ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
         http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
    • 8. An example
         When completed, 8.3 file names are revealed (ex., docume~1.htm)
         From the original PDF report…
    • 9. Tilde Java POC Scanner
         Pros
         ◦ POC that there is a vuln
         ◦ Free on Google Code
         ◦ Fast
         Cons
         ◦ Java
         ◦ Not recursive
         ◦ Only gives 8.3 names
         ◦ Can’t surf to 8.3 files = Low Risk Vuln
    • 10. How can we do it better?
         Make it in Python
         Guess the file and dir names using wordlists
         ◦ Get us real, full file and dir names
         Recursivenessitivity
         ◦ Go deep
         Verbosity
         ◦ Show me whatcha finding
         ◦ Gimme response sizes (reduce False Positives)
         Rate limiting for those ‘fragile’ systems
    • 11. tilde_enum.py
         $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
         [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
         [-] URLNotThere -> HTTP Code: 404, Response Length: 1635
         [-] Testing with user-submitted http://iis
         [-] URLUser -> HTTP Code: 200, Response Length: 1433
         [+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
         [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
         [+] Found a new directory: docume
         [+] Found a new directory: javasc
         [+] Found file: parame . xml
         [+] Found file: 765432 . htm
         [+] Found file: _vti_i . htm
         [+] Found a new directory: _vti_s
         [-] Finished doing the 8.3 enumeration for /.
    • 12. tilde_enum.py (con’t)
         ---------- FINAL OUTPUT ------------------------------
         [*] We found files for you to look at:
         [*] http://iis/_vti_inf.html - Size 1754
         [*] http://iis/documentation/advertising.html - Size 227
         [*] http://iis/documentation/default.aspx - Size 1433
         [*] http://iis/javascript/321.xlsx - Size 227
         [*] http://iis/parameter.xml - Size 1307
         [*] Here are all the 8.3 names we found.
         [*] If any of these are 6 chars and look like they [snip]
         [*] http://iis/documentation/advert~1.htm
         [*] http://iis/documentation/defaul~1.asp
         [*] http://iis/765432~1.htm
         [*] http://iis/_vti_i~1.htm
         [*] http://iis/parame~1.xml
         [*] http://iis/javascript/321~1.xls
    • 13. Demo
    • 14. Shortcomings…for now
         Doesn’t find all the files
         ◦ < 3 char file names
         ◦ ab.htm->abJHG7.htm
         ◦ Some other files are just missed
         ◦ Odd file names (test.htm.bak, Copy of micah.html)
         ◦ Words not in the word list
         Can DoS fragile servers
         Needs more ‘real-world’ testing
         No IIS7.x yet
    • 15. Future Features
         Better file/dir detection
         Peek into authentication-required dirs
         Pull back file content and store locally
         IIS7 support
         Your suggestions
    • 16. Continue to…
         Investigate the mysteries
         Ask questions
         ◦ What if?
         ◦ Reach out to others
         Share / Give back
         Challenge yourself
         ◦ Enhance your tools / processes / skills
         ◦ Don’t settle  Create!
    • 17. Questions?
         https://github.com/WebBreacher/tilde_enum
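
For defenders, the 400/404 probing described on slide 7 leaves a recognizable trail in IIS logs. The following is an added example, not code from the talk or from tilde_enum: it flags clients that send repeated requests whose path segment combines a wildcard with a `~<digit>` short-name suffix. The log excerpt, field selection, IP addresses and threshold are constructed for illustration, and the wildcard request shape is assumed from the research paper the slides cite.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the talk). 203.0.113.7 is the prober.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-01-01 10:00:00 GET /default.aspx 198.51.100.20 200
2014-01-01 10:00:01 GET /a*~1*/.aspx 203.0.113.7 400
2014-01-01 10:00:01 GET /d*~1*/.aspx 203.0.113.7 404
2014-01-01 10:00:02 GET /do*~1*/.aspx 203.0.113.7 404
2014-01-01 10:00:02 GET /dp*~1*/.aspx 203.0.113.7 400
2014-01-01 10:00:03 GET /files/report~draft.htm 198.51.100.20 404
2014-01-01 10:00:04 GET /docume~1.htm 198.51.100.20 404
"""

SHORT_SUFFIX = re.compile(r"~\d")  # the "~1" part of an 8.3 name


def is_probe(stem):
    """True if any path segment has both a wildcard and a ~<digit> suffix."""
    return any("*" in seg and SHORT_SUFFIX.search(seg) for seg in stem.split("/"))


def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_probers(log_text, threshold=3):
    """Return {client_ip: {"count", "statuses"}} for clients at/over threshold."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set()})
    for rec in parse(log_text):
        if is_probe(rec["cs-uri-stem"]):
            entry = hits[rec["c-ip"]]
            entry["count"] += 1
            entry["statuses"].add(rec["sc-status"])
    return {ip: e for ip, e in hits.items() if e["count"] >= threshold}


if __name__ == "__main__":
    for ip, e in find_probers(SAMPLE_LOG).items():
        print(ip, e["count"], sorted(e["statuses"]))
```

A single request for a literal 8.3 name, or a file name that merely contains a tilde, is not flagged; only the repeated wildcard pattern is.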