4. Identity for everyone who doesn't pay for privacy and isn't subject to GDPR!
STILL USEFUL! (But check out RDAP!)
5. Why Graph Discovery?
We need a more flexible model to find issues. Assets aren't just PCs anymore, and we need to query many sources to find the assets we care about.
Linking disparate datasets often provides insight. Think: email addresses <> leaked credentials.
In the exploratory phase this requires a human, but we should be able to automate it.
The cloud (read: shared) security model (AWS, etc.) means we need a more complete picture of hosts to understand what an asset (IP, DNS name, etc.) really is.
Graphs turn data into information. Distinct entities become important because of their relationships.
21. Core “Engine”
Running light, “active” discovery.
Load in a set of seeds per project (read: organization), e.g. for Google:
Domain#google.com
Domain#googlemail.com
Domain#gmail.com
Nameserver#ns1.google.com
Nameserver#ns2.google.com
...
(Per-org, loaded from CSV or JSON)
Load in a per-project No-Traverse list (blacklist), so discovery doesn't walk into third parties' infrastructure or the bare TLD:
Domain#microsoft.com
Domain#yahoo.com
Domain#walmart.com
Domain#.com
...
Export
Now we can ask some interesting questions!
22. What sort of app stacks are exposed externally by the Fortune 500?
23. What sort of Microsoft-based services are exposed? https://github.com/intrigueio/intrigue-ident/blob/master/checks/microsoft.rb
27. Intrigue Ident
Application & Network
Comprehensive
Easy to Extend
Version-Aware
Vulnerability-Aware
Browser Enabled
Free (as in Freedom)
JSON
App fingerprinting isn't a solved problem.
If you can't fingerprint it, you can't attack it well (and, more to the point, you can't automate attacks).
More here: http://core.intrigue.io/2019/03/09/using-intrigue-ident-for-application-fingerprinting/
32. Lesson: Heuristic-Based Scoping - Multi-Stage
If the entity was created manually (either via API or via web form), scope it in [and thus iterate on it with whatever machine is defined for the run].
If the entity was created by code with a :scoped => true setting, scope it in.
If the entity was created by code with an :unscoped => true setting, scope it out.
If the task that was run to create the entity had an :auto_scope => true setting, automatically scope in any entities created by that task [this is helpful when you know anything created by that source/task is valid].
If you need more specific logic on an entity, you can create a "scoped?" method on the entity definition that will override all prior logic and let you set it. An example of where this is useful is the NetBlock object.
33. Heuristic-Based Scoping - Multi-Stage (NetBlock)
Check existing DNS/Domain and Organization names to see if there's a match with our whois text: first the “seeds”, then discovered entities.
If there is no match, default back to the original scoping logic.
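The following is an added example, not Intrigue Core's own scoping code: it combines the seed and No-Traverse lists from slide 21 with the stages from slides 32 and 33 into one `scoped?` decision, including the NetBlock override that matches whois text against seed and discovered names. The entity struct, task names, flags, whois text and the rule that a Domain seed also covers its subdomains are assumptions made for this demo.

```ruby
# Added example (not Intrigue Core's implementation) of multi-stage scoping.
# Entity shape, task names and whois text are constructed for the demo.
Entity = Struct.new(:type, :name, :details, :created_by, keyword_init: true)

# Seeds for the "Google" project (slide 21). In this demo a Domain seed also
# covers its subdomains; that is an assumption, not a rule taken from Core.
SEEDS = {
  'Domain'       => %w[google.com googlemail.com gmail.com],
  'Nameserver'   => %w[ns1.google.com ns2.google.com],
  'Organization' => ['Google LLC']
}.freeze

# Per-project No-Traverse list (slide 21). Exact name or subdomain scopes out.
NO_TRAVERSE = { 'Domain' => %w[microsoft.com yahoo.com walmart.com .com] }.freeze

def name_under?(name, entry)
  n = name.downcase
  e = entry.downcase
  n == e || n.end_with?(".#{e}")
end

def seed?(entity)
  SEEDS.fetch(entity.type, []).any? { |s| name_under?(entity.name, s) }
end

def no_traverse?(entity)
  NO_TRAVERSE.fetch(entity.type, []).any? { |s| name_under?(entity.name, s) }
end

# Stages from slide 32, evaluated in order. created_by carries the metadata
# of whatever produced the entity (a user action or the creating task).
def default_scoped?(entity)
  meta = entity.created_by || {}
  return false if no_traverse?(entity)   # hard stop before any other stage
  return true  if seed?(entity)
  return true  if meta[:manual]          # created via API or web form
  return true  if meta[:scoped]          # created with :scoped => true
  return false if meta[:unscoped]        # created with :unscoped => true
  return true  if meta[:auto_scope]      # creating task had :auto_scope => true
  false
end

# Slide 33: the NetBlock override. Match whois text against seed names first,
# then against names of already-discovered entities; otherwise fall back.
def netblock_scoped?(entity, discovered = [])
  whois = entity.details.fetch(:whois_text, '').downcase
  seed_names = SEEDS.values_at('Domain', 'Organization').flatten
  discovered_names = discovered
    .select { |e| %w[Domain DnsRecord Organization].include?(e.type) }
    .map(&:name)
  return true if (seed_names + discovered_names).any? { |n| whois.include?(n.downcase) }
  default_scoped?(entity)
end

# Entry point: an entity type may override all prior logic (slide 32).
def scoped?(entity, discovered = [])
  entity.type == 'NetBlock' ? netblock_scoped?(entity, discovered) : default_scoped?(entity)
end

if __FILE__ == $PROGRAM_NAME
  e = Entity.new(type: 'Domain', name: 'mail.google.com', details: {},
                 created_by: { task: 'dns_brute' })
  puts "#{e.type}##{e.name} scoped? #{scoped?(e)}"
end
```

Note that the No-Traverse check runs before the manual-creation stage here, so a hand-entered `Domain#login.microsoft.com` is still kept out of the traversal; whether that is the ordering you want depends on how much you trust manual input.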
34. New! “Issues” (current: March 2019)
DNS NSEC Walk Enabled
Zone Transfer Enabled
Hijackable Subdomain *
SSL - Deprecated Protocol Enabled
SSL - Weak Ciphers Enabled
Missing Application Security Headers
Discovered Sensitive Content (Forced Brute)
Leaked Email / Password Account (via HIBP)
Git Secret Exposure (Gitrob)
Misconfigured Google Groups Account Enabled
Misconfigured Google Calendar Enabled
Misconfigured (No Auth) S3 Bucket
35. Let’s go find some bugs!
Handy Information Disclosures & Vulns
36. Quick run of Core over the last 48 hours…
Machine Flow:
Manually create an “AwsRegion” entity, which pulls down the AWS IP range JSON, filters on EC2, and creates a NetBlock if in scope.
This creates many “NetBlock” entities, which are set to check for open :80, :443, :8080, etc.
Which then creates many “Uri” entities and runs uri_brute_focused_content, creating the “Issues” we'll analyze.
Task: uri_brute_focused_content (above) checks the fingerprint and looks for technology-specific paths that leak sensitive info. Fast, because we're not checking a bunch of irrelevant paths!
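The following is an added example and is not Intrigue Ident's check format or Core's uri_brute_focused_content task. It shows the two steps slides 27 and 36 describe: run regex checks against an HTTP response to fingerprint product and version, then brute only the content paths that matter for what was found. The four checks, the path lists, the `Response` struct and the sample response are constructed for the demo; the fetcher is a stub standing in for Net::HTTP.

```ruby
# Added example (not Intrigue Ident or Core code): fingerprint-driven
# focused content brute. Checks, paths and sample data are constructed.
Response = Struct.new(:uri, :status, :headers, :body, keyword_init: true)

# Each check names the product it identifies, which part of the response
# to match, and a regex whose first capture group (if any) is the version.
CHECKS = [
  { product: 'WordPress', field: :body,
    regex: /<meta name="generator" content="WordPress ([\d.]+)"/i },
  { product: 'Magento', field: :body,
    regex: %r{/skin/frontend/(?:base|default)/}i },        # Magento 1 skin path
  { product: 'Apache', field: :headers,
    regex: %r{^Server: Apache(?:/([\d.]+))?}i },
  { product: 'Microsoft IIS', field: :headers,
    regex: %r{^Server: Microsoft-IIS/([\d.]+)}i }
].freeze

# Paths that are only worth requesting when the product is present.
FOCUSED_PATHS = {
  'WordPress'     => %w[/wp-config.php.bak /wp-content/debug.log /?author=1],
  'Magento'       => %w[/RELEASE_NOTES.txt /app/etc/local.xml /downloader/],
  'Apache'        => %w[/server-status /.htaccess],
  'Microsoft IIS' => %w[/trace.axd /elmah.axd]
}.freeze

def header_blob(headers)
  headers.map { |k, v| "#{k}: #{v}" }.join("\n")
end

# Run every check against one response; returns [{product:, version:}, ...].
# version is nil when the check proves the product but not its version.
def fingerprint(resp)
  CHECKS.each_with_object([]) do |check, found|
    text = check[:field] == :headers ? header_blob(resp.headers) : resp.body
    m = text.match(check[:regex]) or next
    found << { product: check[:product], version: m[1] }
  end
end

# Reduce the brute list to paths relevant to what was fingerprinted.
def focused_paths(fingerprints)
  fingerprints.flat_map { |f| FOCUSED_PATHS.fetch(f[:product], []) }.uniq
end

# Request only the focused paths through a caller-supplied fetcher
# (Net::HTTP in a real run; any callable returning a status code here)
# and keep those that answered 200.
def brute_focused(resp, fetcher)
  base = resp.uri.chomp('/')
  focused_paths(fingerprint(resp)).select { |path| fetcher.call(base + path) == 200 }
end

# Constructed sample response: a Magento 1 front page served by Apache.
SAMPLE = Response.new(
  uri: 'http://shop.example.test/',
  status: 200,
  headers: { 'Server' => 'Apache/2.4.29 (Ubuntu)', 'Content-Type' => 'text/html' },
  body: '<html><head><link rel="stylesheet" ' \
        'href="/skin/frontend/default/css/styles.css"></head><body></body></html>'
)

if __FILE__ == $PROGRAM_NAME
  stub = ->(url) { url.end_with?('/RELEASE_NOTES.txt') ? 200 : 404 }
  p fingerprint(SAMPLE)
  p brute_focused(SAMPLE, stub)
end
```

Against the sample, the Magento and Apache checks fire, so only five paths are requested instead of a generic wordlist; a WordPress host gets a different, equally short list. The speed-up on slide 36 comes entirely from that reduction.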
37. $ head *applications* …. 29,175 fingerprinted in ~48 hours … ~10s
Baseline… 8% were WordPress (2407/29175)
40. Fun vuln? Magento unauthenticated SQLi
The affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
Magento 1 version fingerprinting: /RELEASE_NOTES.txt
No (known) version fingerprint (without a checksum method) for Magento 2+.
Relative versions: /skin/frontend/default/css/styles.css
Found 127/29175 (pretty common, 0.4%).
(Work in progress)
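The "Version-Aware / Vulnerability-Aware" bullets on slide 27 meet the ranges quoted above here. The following is an added example, not Ident's vulnerability data or matching code: it maps a fingerprinted Magento version onto the three affected branches with Ruby's standard `Gem::Version` comparison, and reports `:unknown` when only the product could be fingerprinted, which is exactly the Magento 2+ situation the slide describes. The triage function's input shape, host names and the `:not_listed` status (a branch outside the quoted ranges, about which the slide says nothing) are assumptions of this demo.

```ruby
# Added example (not Intrigue Ident code): version-aware matching of a
# fingerprint result against the Magento SQLi ranges quoted on the slide.
require 'rubygems' # for Gem::Version, bundled with Ruby

# Affected branch => first fixed release in that branch, as quoted above.
MAGENTO_SQLI_FIXED = {
  '2.1' => '2.1.17',
  '2.2' => '2.2.8',
  '2.3' => '2.3.1'
}.freeze

# Returns :vulnerable, :fixed, :not_listed (branch outside the quoted
# ranges, so no claim either way) or :unknown (no usable version string).
def magento_sqli_status(version)
  return :unknown if version.nil? || version.to_s.strip.empty?
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join('.')
  fixed = MAGENTO_SQLI_FIXED[branch] or return :not_listed
  v < Gem::Version.new(fixed) ? :vulnerable : :fixed
rescue ArgumentError
  :unknown # malformed version string, e.g. from a noisy banner
end

# Apply to a list of fingerprint results ({host:, product:, version:}) and
# keep only the Magento ones; the output is what an "Issue" would be built from.
def magento_sqli_triage(fingerprints)
  fingerprints
    .select { |f| f[:product] == 'Magento' }
    .map { |f| { host: f[:host], version: f[:version], status: magento_sqli_status(f[:version]) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, including the "Magento 2 with no version" case.
  sample = [
    { host: 'a.example.test', product: 'Magento', version: '2.2.7' },
    { host: 'b.example.test', product: 'Magento', version: nil },
    { host: 'c.example.test', product: 'WordPress', version: '5.1.1' }
  ]
  magento_sqli_triage(sample).each { |r| puts r.inspect }
end
```

The `:unknown` hosts are the interesting output: they are Magento installs where a version-based check cannot reach a verdict, so they either need the checksum-style fingerprinting the slide mentions or a safe direct test, and should not silently be dropped as "not vulnerable".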
41. SAP NetWeaver Web Dynpro 6.4 to 7.5
Paths:
- /webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
- /webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
Allows you to enumerate users, roles, etc.
Uncommon: 0 instances detected in AWS scanning, but have run into a few on enterprise networks.
https://www.exploit-db.com/exploits/44647
42. VMware Horizon View (CVE-2019-5513)
/portal/info.jsp - lists the hostname
/broker/xml - lists the authentication mechanism, internal hostname, etc.
Very common; almost all Horizon instances are currently vulnerable.
Not much (1) Horizon on AWS, but tons on corporate networks.
Thanks @hdmoore!