KiwiCon 2016 - Kicking Orion's Assets

My talk at KiwiCon 2016 - http://2016.kiwicon.org/the-con/talks/#e226

  1. KICKING ORION’S ASSETS – MUBIX “ROB” FULLER
  2. WHO ARE YOU?
  3. AGENDA – No time for that… 15 min talk...
  4. DEFAULT ACCOUNT • ADMIN / BLANK FORCES CHANGE
  5. EVERYONE LIKES CREDENTIALS!
     • VMware ESX creds
     • SNMPv3 creds
     • Windows creds
     • Orion creds
     Asset management is what Orion does; it needs creds to do this to be more effective than Nmap, no surprises here.
  6. REFLECTIVE CREDS? NOPE.
  7. CONVENIENT DATABASE TOOL
  8. SO WHERE ARE THE CREDS?!
  9. AHH, THERE IT IS.. ENCRYPTED?...
  10. HOW DOES IT ENCRYPT THESE THINGS? MAYBE IN THE SECURITY.DLL?
  11. REVERSE ENGINEER ADDED TO MY RESUME... #SHABOWWOW. This slide is for all the exploit devs and reverse engineers who think they can pentest because they can spin up Metasploit and generate shellcode. Much love <3 <3
  12. You saw that coming, right?
  13. DECRYPT!!
  14. DECRYPT!! CERTIFICATE BASED…
  15. WHERE IS CERT?
  16. THERE SHE BLOWS… BUT IT COULDN’T POSSIBLY BE EXPORTABLE, RIGHT…?
  17. FINDING #1 – EXPORTABLE ENCRYPTION CERTIFICATE
  18. FINDING #1 – REALITY CHECK
     • You have to be SYSTEM on the Orion box to export this key.
     • Certificate doesn’t seem to ever change. Get it once, you have it forever.
     • It is created per-install.
  19. LET’S DECRYPT! You do not need to be SYSTEM or even Admin to run this…
  20. WHAT ABOUT THE ORION USERS?
  21. YUP, ENCRYPTED THE SAME WAY…
  22. WAIT, WHAT IS THIS PASSWORD FIELD... IT JUST HAS NUMBERS…
  23. WAIT... WHAT DOES THAT SAY?
  24.
  25. HUH… SO WHY IS IT IN THE DATABASE?
  26. THEY ARE USED RIGHT AFTER EACH OTHER…
  27. LET’S DECRYPT! WAIT... WHY IS THAT UPPERCASE?
  28. REVENGE OF THE LANMANAGER!! LM
  29. FINDING #2 – EASILY REVERSIBLE “ENCRYPTED” PASSWORD STORED
     • Does a lot of bit flipping and changing the password around to obfuscate it. I didn’t recognize the function as any type of encoding I’ve seen before.
     • Doesn’t use system data, the certificate, or any type of encryption; more like encoding than encryption.
     • Disabled if FIPS compliance is enabled, but that doesn’t force a password change.
     • FIPS compliance can break things, especially in older applications. Test before enabling.
  30. OK… BUT HOW DID YOU ACCESS THE DATABASE??
  31. SO MANY TOOLS AUTOMATICALLY LOG IN...
  32. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?
  33. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?
  34. FINDING #3 – CLEAR TEXT AND OLD CONFIGURATIONS KEPT IN TEXT FILE
     • No screenshot for proof that old configurations stick around, but I have seen it; I just haven’t had a chance to reproduce it on a lab box.
     • Old configurations may have the database password in clear text. This was also observed, but no screenshot is available.
     • The encrypted credential uses the same certificate to encrypt as the other account passwords. SolarWinds responded saying it’s using DPAPI instead… Haven’t had a chance to confirm either way.
  35. RESULTS – YOU ARE GOING TO TELL US HOW TO FIX THIS, RIGHT?
  36. RESULTS / FIXES
     1. Exportable RSA encryption key certificate
        1. Mark the certificate as non-exportable. This may break things.
     2. Storage of creds in an easily reversible format (basically LM reinvented)
        1. Enable FIPS compliance if you can.
        2. Change passwords once this is done to ensure the fix is effective.
     3. Cleartext credentials in configuration file (SWNetPerfMon.DB)
        1. Clear out “old” connection strings.
  37. RESULTS / FIXES – Generic Solution:
     • Ensure the Orion server is protected as much as possible.
     • No access from the standard user network; block SMB/WMI/WinRM.
     • Require RDP with smartcard for administration.
     • Restrict access to the HTTP/S ports as much as possible.
  38. OVERALL RATING: A-
     • Really impressed with SolarWinds’ use of certificate encryption for the encryption of passwords. It’s much better than most implementations I’ve seen.
     • Impressed with SolarWinds reaching out about the talk and being cordial and understanding about how slow/busy I am in responding to emails.
     • Would definitely work with the SolarWinds team again.
     • One request: I didn’t see the ability to use U2F/MFA on the web interface; it would be nice if that was available.
  39. THANKS KIWICON! MUBIX@HAK5.ORG
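An added defender-side check for Finding #1 and the fix on slide 36 (this is example code, not from the talk or from SolarWinds): a PowerShell audit, run as an administrator on the server being reviewed, that lists certificates in the LocalMachine personal store whose RSA private key is marked exportable. The slides do not name the Orion certificate's subject, so the store path and the "list everything exportable" approach are assumptions; match the Orion certificate by hand from the output.

```powershell
# Added example: enumerate LocalMachine\My certificates and report whether each
# private key is exportable. Exportable keys are the precondition for Finding #1.
# Assumption: the Orion certificate lives in Cert:\LocalMachine\My (not stated on the slides).
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    if (-not $cert.HasPrivateKey) { return }   # skip public-only certs

    $exportable = 'unknown'
    try {
        # Works for both CNG and legacy CAPI key storage on .NET 4.6+ / PowerShell 5.1
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) {
            $exportable = 'non-RSA key'
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG: any export flag (AllowExport / AllowPlaintextExport) means the key can leave the box
            $policy = $rsa.Key.ExportPolicy
            $exportable = ($policy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI: the CSP container records the exportable flag directly
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    } catch {
        # Typically an access-denied on a key owned by SYSTEM; run elevated to resolve
        $exportable = "unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Exportable = $exportable
    }
} | Where-Object { $_.Exportable -ne $false } | Format-Table -AutoSize
```

Anything reported as `True` or `unknown` deserves a second look; a non-exportable key cannot be re-flagged in place, so the remediation on slide 36 means re-issuing or re-importing the certificate without the exportable option and then testing that Orion still decrypts its stored credentials.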