BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Auditing Tool !

15,696 views

Published on

A brief details of the tool to be released at BlackHat USA 2013 Arsenal.

Published in: Technology, Design
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
15,696
On SlideShare
0
From Embeds
0
Number of Embeds
12,740
Actions
Shares
0
Downloads
38
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Auditing Tool !

  1. 1. Sparty : A Frontpage and Sharepoint Auditing Tool Aditya K Sood (@AdityaKSood) BlackHat Arsenal USA - 2013 SecNiche Security Labs
  2. 2. About Me • Senior Security Practitioner – IOActive • PhD Candidate at Michigan State University – Worked for Armorize, COSEINC, KPMG and others. – Active Speaker at Security conferences » DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and others – LinkedIn - http ://www.linkedin.com/in/adityaks – Twitter: @AdityaKSood – Website: http://www.secniche.org
  3. 3. Sparty Overview ! • Open source tool written in python • Assist penetration testers in routine jobs • Written in python 2.6 • Libraries support • import urllib2 • import re • import os, sys • import optparse • import httplib • Use Sparty with Back Track for penetration testing purposes • Works on other flavors also
  4. 4. Frontpage Overview ! • Frontpage Flavors  Microsoft IIS (.dll)  Unix (.exe) • Frontpage Access File Settings  service.pwd  frontpage passwords  service.grp  list of groups  administrators.pwd  passwords for administrators  authors.pwd  authors password  users.pwd for  users password
  5. 5. Frontpage Overview (cont.) ! • Frontpage DLLs  _vti_bin/_vti_adm/admin.dll  administrative tasks  _vti_bin/_vti_aut/author.dll  authoring FrontPage webs  _vti_bin/shtml.dll  browsing component • Frontpage virtual directories  vti_bin  _vti_bin_vti_aut  _vti_bin_vti_adm  _vti_pvt  _vti_cnf  _vti_txt  _vti_log.
  6. 6. Frontpage Configuration Flaws ! • RPC service querying • Command execution using author.dll via RPC • File uploading through RPC interface • Information disclosure in _vti_pvt, _vti_bin, etc. • Information disclosure in HTTP Response Headers • Directory indexing • Exposed password files in the web directories Sparty helps the penetration tester to gather information and to perform manual analysis later on !
  7. 7. Sharepoint Configuration Flaws ! • Exposed services on the Internet • Excessive user Access [ admin.asmx, permissions.asmx] • Information disclosure in HTTP Response Headers • Publicly available insecure deployments [GOOGLE/SHODAN] • Directory indexing • Some of the manual tests: • Third-party plugin checks • Inappropriate deployment of sharepoint services Sparty helps the penetration tester to gather information and to perform manual analysis later on !
  8. 8. Sparty Functionalities ! • Sharepoint and Frontpage Version Detection • Dumping Password from Exposed Configuration Files • Exposed Sharepoint/Frontpage Services Scan • Exposed Directory Check • Installed File and Access Rights Check • RPC Service Querying • File Enumeration • File Uploading Check
  9. 9. Sparty Options!
  10. 10. Version Fingerprinting !
  11. 11. Dumping Passwords !
  12. 12. Directories Check!
  13. 13. Scanning Access Permissions (1) !
  14. 14. Scanning Access Permissions (2) !
  15. 15. Exposed Services Check !
  16. 16. RPC Querying !
  17. 17. RPC Service Listing !
  18. 18. Try Other Options of Your Own 
  19. 19. Sparty : Next Version ! • Integration of publicly available vulnerabilities • Detection of more advanced payloads for checking admin.dll • Additional checks and tests against author.dll • Extended payloads
  20. 20. Project Details ! • Projects page: http://sparty.secniche.org • Documentation: http://sparty.secniche.org/usage.html
  21. 21. Questions and Thanks ! • SecNiche Security Labs: http://www.secniche.org • BlackHat USA Arsenal 2013 Team • IOActive Inc.

×