Sparty : A Frontpage and Sharepoint Auditing Tool
Aditya K Sood (@AdityaKSood)
BlackHat Arsenal USA - 2013 SecNiche Security Labs
About Me
• Senior Security Practitioner – IOActive
• PhD Candidate at Michigan State University
– Worked for Armorize, COSEINC, KPMG and others.
– Active Speaker at Security conferences
» DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and others
– LinkedIn: http://www.linkedin.com/in/adityaks
– Twitter: @AdityaKSood
– Website: http://www.secniche.org
Sparty Overview !
• Open source tool written in Python
• Assists penetration testers in routine jobs
• Written in Python 2.6
• Libraries support
– import urllib2
– import re
– import os, sys
– import optparse
– import httplib
• Use Sparty with BackTrack for penetration testing purposes
• Works on other flavors also
Frontpage Overview !
• Frontpage Flavors
– Microsoft IIS (.dll)
– Unix (.exe)
• Frontpage Access File Settings
– service.pwd: frontpage passwords
– service.grp: list of groups
– administrators.pwd: passwords for administrators
– authors.pwd: authors password
– users.pwd: for users password
Frontpage Overview (cont.) !
• Frontpage DLLs
– _vti_bin/_vti_adm/admin.dll: administrative tasks
– _vti_bin/_vti_aut/author.dll: authoring FrontPage webs
– _vti_bin/shtml.dll: browsing component
• Frontpage virtual directories
– _vti_bin
– _vti_bin\_vti_aut
– _vti_bin\_vti_adm
– _vti_pvt
– _vti_cnf
– _vti_txt
– _vti_log
Frontpage Configuration Flaws !
• RPC service querying
• Command execution using author.dll via RPC
• File uploading through RPC interface
• Information disclosure in _vti_pvt, _vti_bin, etc.
• Information disclosure in HTTP Response Headers
• Directory indexing
• Exposed password files in the web directories
Sparty helps the penetration tester to gather information and to perform manual analysis later on !
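A defender's counterpart to the flaws listed above, as an added example (not Sparty's code, and written for Python 3 rather than the tool's Python 2.6): it scans web server access logs for requests that touch the FrontPage access files, DLLs and virtual directories named on the previous slides, and separates requests the server actually answered (2xx) from failed probes. The Common Log Format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# File, DLL and directory names are the ones listed on the slides.
ACCESS_FILES = {"service.pwd", "service.grp", "administrators.pwd",
                "authors.pwd", "users.pwd"}
RPC_DLLS = ("_vti_bin/_vti_adm/admin.dll", "_vti_bin/_vti_aut/author.dll",
            "_vti_bin/shtml.dll")
VTI_DIRS = {"_vti_bin", "_vti_pvt", "_vti_cnf", "_vti_txt", "_vti_log"}

# Assumed Common Log Format: host - - [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2013:10:00:05 +0000] "GET /_vti_pvt/service.pwd HTTP/1.1" 200 86',
    '198.51.100.7 - - [01/Aug/2013:10:00:06 +0000] "GET /_vti_pvt/administrators.pwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Aug/2013:10:00:07 +0000] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Aug/2013:10:00:08 +0000] "GET /%5Fvti%5Fcnf/ HTTP/1.1" 200 912',
]

def classify(path):
    """Return the FrontPage finding category for a request path, or None."""
    # Decode %-escapes, drop the query string, normalise slashes and case.
    clean = unquote(path).split("?", 1)[0].replace("\\", "/").lower()
    parts = [p for p in clean.split("/") if p]
    if parts and parts[-1] in ACCESS_FILES:
        return "access-file"
    if any(dll in "/".join(parts) for dll in RPC_DLLS):
        return "rpc-endpoint"
    if any(p in VTI_DIRS for p in parts):
        return "vti-directory"
    return None

def scan(lines):
    """Return (host, method, path, status, category, outcome) per finding."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable log line
        host, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        category = classify(path)
        if category:
            # A 2xx answer means the resource was served, not just probed.
            outcome = "exposed" if 200 <= status < 300 else "probe"
            findings.append((host, method, path, status, category, outcome))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings marked "exposed" are the ones to triage first: the server returned content for a FrontPage file or directory that should not be reachable.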
Sharepoint Configuration Flaws !
• Exposed services on the Internet
• Excessive user access [admin.asmx, permissions.asmx]
• Information disclosure in HTTP Response Headers
• Publicly available insecure deployments [GOOGLE/SHODAN]
• Directory indexing
• Some of the manual tests:
– Third-party plugin checks
– Inappropriate deployment of Sharepoint services
Sparty helps the penetration tester to gather information and to perform manual analysis later on !
Sparty Functionalities !
• Sharepoint and Frontpage Version Detection
• Dumping Password from Exposed Configuration Files
• Exposed Sharepoint/Frontpage Services Scan
• Exposed Directory Check
• Installed File and Access Rights Check
• RPC Service Querying
• File Enumeration
• File Uploading Check
Sparty Options!
Version Fingerprinting !
Dumping Passwords !
Directories Check!
Scanning Access Permissions (1) !
Scanning Access Permissions (2) !
Exposed Services Check !
RPC Querying !
RPC Service Listing !
Try Other Options of Your Own
Sparty : Next Version !
• Integration of publicly available vulnerabilities
• Detection of more advanced payloads for checking admin.dll
• Additional checks and tests against author.dll
• Extended payloads
Project Details !
• Projects page: http://sparty.secniche.org
• Documentation: http://sparty.secniche.org/usage.html
Questions and Thanks !
• SecNiche Security Labs: http://www.secniche.org
• BlackHat USA Arsenal 2013 Team
• IOActive Inc.