SlideShare a Scribd company logo
1 of 21
Download to read offline
Sparty : A Frontpage and
Sharepoint Auditing Tool
Aditya K Sood (@AdityaKSood)
BlackHat Arsenal USA - 2013
SecNiche Security Labs
About Me
• Senior Security Practitioner – IOActive
• PhD Candidate at Michigan State University
– Worked for Armorize, COSEINC, KPMG and others.
– Active Speaker at Security conferences
» DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and
others
– LinkedIn - http ://www.linkedin.com/in/adityaks
– Twitter: @AdityaKSood
– Website: http://www.secniche.org
Sparty Overview !
• Open source tool written in python
• Assist penetration testers in routine jobs
• Written in python 2.6
• Libraries support
• import urllib2
• import re
• import os, sys
• import optparse
• import httplib
• Use Sparty with Back Track for penetration testing purposes
• Works on other flavors also
Frontpage Overview !
• Frontpage Flavors
 Microsoft IIS (.dll)
 Unix (.exe)
• Frontpage Access File Settings
 service.pwd  frontpage passwords
 service.grp  list of groups
 administrators.pwd  passwords for administrators
 authors.pwd  authors password
 users.pwd for  users password
Frontpage Overview (cont.) !
• Frontpage DLLs
 _vti_bin/_vti_adm/admin.dll  administrative tasks
 _vti_bin/_vti_aut/author.dll  authoring FrontPage webs
 _vti_bin/shtml.dll  browsing component
• Frontpage virtual directories
 vti_bin
 _vti_bin_vti_aut
 _vti_bin_vti_adm
 _vti_pvt
 _vti_cnf
 _vti_txt
 _vti_log.
Frontpage Configuration Flaws !
• RPC service querying
• Command execution using author.dll via RPC
• File uploading through RPC interface
• Information disclosure in _vti_pvt, _vti_bin, etc.
• Information disclosure in HTTP Response Headers
• Directory indexing
• Exposed password files in the web directories
Sparty helps the penetration tester to gather information and to
perform manual analysis later on !
Sharepoint Configuration Flaws !
• Exposed services on the Internet
• Excessive user Access [ admin.asmx, permissions.asmx]
• Information disclosure in HTTP Response Headers
• Publicly available insecure deployments [GOOGLE/SHODAN]
• Directory indexing
• Some of the manual tests:
• Third-party plugin checks
• Inappropriate deployment of sharepoint services
Sparty helps the penetration tester to gather information and to
perform manual analysis later on !
Sparty Functionalities !
• Sharepoint and Frontpage Version Detection
• Dumping Password from Exposed Configuration Files
• Exposed Sharepoint/Frontpage Services Scan
• Exposed Directory Check
• Installed File and Access Rights Check
• RPC Service Querying
• File Enumeration
• File Uploading Check
Sparty Options!
Version Fingerprinting !
Dumping Passwords !
Directories Check!
Scanning Access Permissions (1) !
Scanning Access Permissions (2) !
Exposed Services Check !
RPC Querying !
RPC Service Listing !
Try Other Options of Your Own 
Sparty : Next Version !
• Integration of publicly available vulnerabilities
• Detection of more advanced payloads for checking admin.dll
• Additional checks and tests against author.dll
• Extended payloads
Project Details !
• Projects page: http://sparty.secniche.org
• Documentation: http://sparty.secniche.org/usage.html
Questions and Thanks !
• SecNiche Security Labs: http://www.secniche.org
• BlackHat USA Arsenal 2013 Team
• IOActive Inc.

More Related Content

What's hot

Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
Niall Merrigan
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
Deepu S Nath
 

What's hot (20)

Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
 
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
LDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP InjectionLDAP Injection & Blind LDAP Injection
LDAP Injection & Blind LDAP Injection
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
 

Viewers also liked

Cyber as WMD- April 2015- GFSU
Cyber as WMD- April 2015- GFSUCyber as WMD- April 2015- GFSU
Cyber as WMD- April 2015- GFSU
Mohit Rampal
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linux
viaForensics
 
Cyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-pptCyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-ppt
Mohit Rampal
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
Santhosh Kumar
 

Viewers also liked (20)

Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Preventing Security Leaks in SharePoint with Joel Oleson & Christian BuckleyPreventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
Preventing Security Leaks in SharePoint with Joel Oleson & Christian Buckley
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
 
Hide Android applications in images
Hide Android applications in imagesHide Android applications in images
Hide Android applications in images
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
Cyber as WMD- April 2015- GFSU
Cyber as WMD- April 2015- GFSUCyber as WMD- April 2015- GFSU
Cyber as WMD- April 2015- GFSU
 
sebis research profile
sebis research profilesebis research profile
sebis research profile
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linux
 
One Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got StolenOne Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
 
Cyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-pptCyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-ppt
 
Blackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationBlackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream Presentation
 
M.Tech. Cyber Security & Incident Response
M.Tech. Cyber Security & Incident ResponseM.Tech. Cyber Security & Incident Response
M.Tech. Cyber Security & Incident Response
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Social Media at NASA, 2012 Edition
Social Media at NASA, 2012 EditionSocial Media at NASA, 2012 Edition
Social Media at NASA, 2012 Edition
 

Similar to BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Auditing Tool !

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)
Petter Skodvin-Hvammen
 

Similar to BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Auditing Tool ! (20)

OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Apereo OAE - Bootcamp
Apereo OAE - BootcampApereo OAE - Bootcamp
Apereo OAE - Bootcamp
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Cms integration of apache solr how we did it.
Cms integration of apache solr   how we did it.Cms integration of apache solr   how we did it.
Cms integration of apache solr how we did it.
 
Apache Solr CMS Integration @ Lucene/Solr Revolution San Diego 2013
Apache Solr CMS Integration @ Lucene/Solr Revolution San Diego 2013Apache Solr CMS Integration @ Lucene/Solr Revolution San Diego 2013
Apache Solr CMS Integration @ Lucene/Solr Revolution San Diego 2013
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
Introduction to Monsoon PHP framework
Introduction to Monsoon PHP frameworkIntroduction to Monsoon PHP framework
Introduction to Monsoon PHP framework
 
VA Smalltalk Update
VA Smalltalk UpdateVA Smalltalk Update
VA Smalltalk Update
 
Mis 450 final presentation
Mis 450 final presentation Mis 450 final presentation
Mis 450 final presentation
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Enterprise Search @EPAM
Enterprise Search @EPAMEnterprise Search @EPAM
Enterprise Search @EPAM
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 

More from Aditya K Sood

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
Aditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
Aditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)
Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 

More from Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 

Recently uploaded (20)

1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 

BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Auditing Tool !

  • 1. Sparty : A Frontpage and Sharepoint Auditing Tool Aditya K Sood (@AdityaKSood) BlackHat Arsenal USA - 2013 SecNiche Security Labs
  • 2. About Me • Senior Security Practitioner – IOActive • PhD Candidate at Michigan State University – Worked for Armorize, COSEINC, KPMG and others. – Active Speaker at Security conferences » DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and others – LinkedIn - http ://www.linkedin.com/in/adityaks – Twitter: @AdityaKSood – Website: http://www.secniche.org
  • 3. Sparty Overview ! • Open source tool written in python • Assist penetration testers in routine jobs • Written in python 2.6 • Libraries support • import urllib2 • import re • import os, sys • import optparse • import httplib • Use Sparty with Back Track for penetration testing purposes • Works on other flavors also
  • 4. Frontpage Overview ! • Frontpage Flavors  Microsoft IIS (.dll)  Unix (.exe) • Frontpage Access File Settings  service.pwd  frontpage passwords  service.grp  list of groups  administrators.pwd  passwords for administrators  authors.pwd  authors password  users.pwd for  users password
  • 5. Frontpage Overview (cont.) ! • Frontpage DLLs  _vti_bin/_vti_adm/admin.dll  administrative tasks  _vti_bin/_vti_aut/author.dll  authoring FrontPage webs  _vti_bin/shtml.dll  browsing component • Frontpage virtual directories  vti_bin  _vti_bin_vti_aut  _vti_bin_vti_adm  _vti_pvt  _vti_cnf  _vti_txt  _vti_log.
  • 6. Frontpage Configuration Flaws ! • RPC service querying • Command execution using author.dll via RPC • File uploading through RPC interface • Information disclosure in _vti_pvt, _vti_bin, etc. • Information disclosure in HTTP Response Headers • Directory indexing • Exposed password files in the web directories Sparty helps the penetration tester to gather information and to perform manual analysis later on !
  • 7. Sharepoint Configuration Flaws ! • Exposed services on the Internet • Excessive user Access [ admin.asmx, permissions.asmx] • Information disclosure in HTTP Response Headers • Publicly available insecure deployments [GOOGLE/SHODAN] • Directory indexing • Some of the manual tests: • Third-party plugin checks • Inappropriate deployment of sharepoint services Sparty helps the penetration tester to gather information and to perform manual analysis later on !
  • 8. Sparty Functionalities ! • Sharepoint and Frontpage Version Detection • Dumping Password from Exposed Configuration Files • Exposed Sharepoint/Frontpage Services Scan • Exposed Directory Check • Installed File and Access Rights Check • RPC Service Querying • File Enumeration • File Uploading Check
  • 18. Try Other Options of Your Own 
  • 19. Sparty : Next Version ! • Integration of publicly available vulnerabilities • Detection of more advanced payloads for checking admin.dll • Additional checks and tests against author.dll • Extended payloads
  • 20. Project Details ! • Projects page: http://sparty.secniche.org • Documentation: http://sparty.secniche.org/usage.html
  • 21. Questions and Thanks ! • SecNiche Security Labs: http://www.secniche.org • BlackHat USA Arsenal 2013 Team • IOActive Inc.