Everyone Matters In Infosec 2014



Presentation about how everyone, no matter what their role in securing an organization is, can make a difference. Sometimes it is about taking a little vulnerability like the IIS Tilde Directory Enumeration vulnerability and making a better exploitation tool. Or perhaps contributing in other ways.

  • Ever start something out that you thought was one thing and morphed to another? Yeah, that is this talk.
  • As a senior infosec engineer, I mentor junior staff. They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?” I tell them…
  • This is so true! I’ve been backpacking and had that annoying buzzing in my tent. I didn’t sleep at all. Same is true for vulnerabilities. Sometimes the small ones matter the most. Don’t ignore them.

    1. Everyone matters in infosec: IIS TILDE ENUMERATION (RE)EXPLOITED. Micah Hoffman @WebBreacher
    2. Who am I?
       ◦ Infosec Engineer / Pentester
       ◦ NoVA Hacker
       ◦ PwnWiki.io Curator
       ◦ Recon-ng module Writer
       ◦ SANS Instructor (SEC542)
       ◦ Hiker / Backpacker
       Novahackers.com
    3. Sometimes it is the little things…
    4. We can all contribute: System Admins, Management, Developers, Testers, Database Admins, Students
    5. Ask yourself….
    6. Low Risk Web Vulnerabilities
       Things not directly exploitable
       Information Leakage
       ◦ Directory Listings
       ◦ Detailed Errors
       ◦ Configuration Pages
       ◦ IIS Tilde Enumeration
    7. What is this vuln?
       IIS Tilde Enumeration Vulnerability
       ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
       http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
    8. An example
       From the original PDF report…
       When completed, 8.3 file names are revealed (ex., docume~1.htm)
    9. Tilde Java POC Scanner
       Pros
       ◦ POC that there is a vuln
       ◦ Free on Google Code
       ◦ Fast
       Cons
       ◦ Java
       ◦ Not recursive
       ◦ Only gives 8.3 names
       ◦ Can’t surf to 8.3 files
       = Low Risk Vuln
    10. How can we do it better?
       Make it in Python
       Guess the file and dir names using wordlists
       ◦ Get us real, full file and dir names
       Recursivenessitivity
       ◦ Go deep
       Verbosity
       ◦ Show me whatcha finding
       ◦ Gimme response sizes (reduce False Positives)
       Rate limiting for those ‘fragile’ systems
    11. tilde_enum.py
       $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
       [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
       [-] URLNotThere -> HTTP Code: 404, Response Length: 1635
       [-] Testing with user-submitted http://iis
       [-] URLUser -> HTTP Code: 200, Response Length: 1433
       [+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
       [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
       [+] Found a new directory: docume
       [+] Found a new directory: javasc
       [+] Found file: parame . xml
       [+] Found file: 765432 . htm
       [+] Found file: _vti_i . htm
       [+] Found a new directory: _vti_s
       [-] Finished doing the 8.3 enumeration for /.
    12. tilde_enum.py (con’t)
       ---------- FINAL OUTPUT ------------------------------
       [*] We found files for you to look at:
       [*] http://iis/_vti_inf.html - Size 1754
       [*] http://iis/documentation/advertising.html - Size 227
       [*] http://iis/documentation/default.aspx - Size 1433
       [*] http://iis/javascript/321.xlsx - Size 227
       [*] http://iis/parameter.xml - Size 1307
       [*] Here are all the 8.3 names we found.
       [*] If any of these are 6 chars and look like they [snip]
       [*] http://iis/documentation/advert~1.htm
       [*] http://iis/documentation/defaul~1.asp
       [*] http://iis/765432~1.htm
       [*] http://iis/_vti_i~1.htm
       [*] http://iis/parame~1.xml
       [*] http://iis/javascript/321~1.xls
    13. Demo
    14. Shortcomings…for now
       Doesn’t find all the files
       ◦ < 3 char file names
       ◦ ab.htm->abJHG7.htm
       ◦ Some other files are just missed
       ◦ Odd file names (test.htm.bak, Copy of micah.html)
       ◦ Words not in the word list
       Can DoS fragile servers
       Needs more ‘real-world’ testing
       No IIS7.x yet
    15. Future Features
       Better file/dir detection
       Peek into authentication-required dirs
       Pull back file content and store locally
       IIS7 support
       Your suggestions
    16. Continue to…
       Investigate the mysteries
       Ask questions
       ◦ What if?
       ◦ Reach out to others
       Share / Give back
       Challenge yourself
       ◦ Enhance your tools / processes / skills
       ◦ Don’t settle
       Create!
    17. Questions? https://github.com/WebBreacher/tilde_enum
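
A defender-side check for the behaviour on slides 7, 8 and 11, as an added example that is not from the talk or from tilde_enum.py: it scans an IIS W3C extended log for clients that repeatedly request 8.3-style names (a tilde and a digit, as in docume~1.htm) and receive 400 or 404 responses. The sample log lines, the three-hit threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the talk).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-05-01 10:00:01 GET /default.aspx 10.0.0.5 200
2014-05-01 10:00:02 GET /d~1 10.0.0.9 404
2014-05-01 10:00:02 GET /x~1 10.0.0.9 400
2014-05-01 10:00:03 GET /do~1 10.0.0.9 404
2014-05-01 10:00:03 GET /dx~1 10.0.0.9 400
2014-05-01 10:00:04 GET /docume~1.htm 10.0.0.9 404
2014-05-01 10:00:05 GET /reports/q1~2014.pdf 10.0.0.7 404
2014-05-01 10:00:06 GET /broken
"""

# "~<digit>" closing a name part, as in docume~1.htm; "q1~2014.pdf" does not match.
# Simplification (assumption): only single-digit short-name suffixes are covered.
SHORTNAME = re.compile(r"~\d(?=$|[./])")
PROBE_STATUSES = {"400", "404"}  # the two response codes the slides say are compared

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_tilde_probing(text, min_hits=3):
    """Return {client_ip: {status: count}} for clients with >= min_hits probes."""
    per_client = defaultdict(lambda: defaultdict(int))
    for row in parse_w3c(text):
        stem, status = row.get("cs-uri-stem", ""), row.get("sc-status", "")
        if SHORTNAME.search(stem) and status in PROBE_STATUSES:
            per_client[row.get("c-ip", "?")][status] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()
            if sum(counts.values()) >= min_hits}

if __name__ == "__main__":
    for ip, counts in find_tilde_probing(SAMPLE_LOG).items():
        print(ip, counts)
```

A client that sees both 400 and 404 answers to short-name requests is the stronger signal, since the slides describe the two codes as the basis for telling whether a name exists.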