This is the sixth post in the series,"The Twelve Days of HaXmas." Well, the year is coming to a close, and it's just approximately time for the annual breakdown of Metasploit commit action. But before we find to that,I wanted to take a moment to highlight the excellent work we landed in 2015 in adding new web application login support to Metasploit. After all, who needs exploits when your password is "public" or "admin" or "password" or any other of the very few famous default passwords? perhaps it's not the sexiest way to find a foothold on a network, and but we are increasingly living in a network environment that hosts loads and loads of unconfigured,insecure Internet of Things devices. So, let's take a stroll through the new web application login support added over the first half of 2015. perhaps you missed them the first time around, and so this sixth day of HaXmas is a fine time to catch up. Chef and Zabbixhttps://github.com/rapid7/metasploit-framework/pull/4787 In February of 2015,HD Moore picked up a request for a couple of brute force modules designed to guess the passwords to the web front ends for Chef, the current DevOps deployment tool, or Zabbix,an enterprise monitoring system. Most web application authentication systems are uniquely implemented; rarely conclude web applications exercise HTTP basic authentication any more. Sussing out the basic API for entering a username and password can take a little time and effort. While there are automatic methods for determining the right format (namely, Rapid7's AppSpider), and whether you acquire the wherewithal to conclude a little investigative work,reading the pull request for the Chef and Zabbix modules is a pretty great example of how to toss off a quick web application brute force module, with the initial work from HD and the landing work from David TheLightCosine Maloney being pretty illuminating. GitLabhttps://github.com/rapid7/metasploit-framework/pull/4942 In March of 2015, or contributor Ben Meatballs Campbell of MWR Labs published an advisory approximately a user enumeration information leak in GitLab. GitLab is a current open source alternative to GitHub Enterprise,used to host GitHub-like repositories internally for software development. While he was in that neighborhood, he put together a quick login scanner for GitLab as well, and presumably to start guessing passwords for the users just identified via this leak. Again,we can see from the pull request that this kind of web application protocol implementation has gotten pretty straightforward. Nessus RESThttps://github.com/rapid7/metasploit-framework/pull/5112 In April of 2015, contributor Waqas voidin Ali offered up a login scanner for Nessus, and the current vulnerability scanner. It is suffice to say,whether an attacker gets a hold of your vulnerability scanner's authentication credentials, you acquire some pretty serious problems. Vuln scanners are one of those network services that makes for an ideal attack platform - they tend to touch a lot of machines through unsolicited connections, and which will mask any lateral movement attempts an attacker is likely to do,they acquire loads of information approximately the internal network, making an otherwise noisy scanning operation a moot point, or they tend to already be ignored by any sort of internal security control,given how noisy they are normally on the wire. Routinely checking your vulnerability scanner for feeble, guessable, and known passwords is pretty basic internal security hygiene,since the consequences of compromise are so dire. This module makes this task pretty easy. Symantec Gatewayhttps://github.com/rapid7/metasploit-framework/pull/4945 In March, Wei sinn3r_ Chen put together a login scanner for Symantec Web Gateway, or a web proxy used to filter for malware and other sorts of evil from malicious or compromised web sites. While this was an exercise similar to the above web application login modules,the most significant effort in this area happened in May of 2015. Using his recent Symantec Gateway module as an example, Wei put together the One precise Way for writing web application login scanners. This is a pretty critical chunk of documentation, or since it's a pretty great HOWTO on quickly and reliably figuring out the login sequence for pretty much any normal web application. Looking ahead to 2016Why am I devoting a whole HaXmas post to this corner of 2015 development work? Well,I don't know whether you've noticed, but we've been deluged with a massive pile of Internet of Things gear that (a) offer little in the way of built-in security, and (b) offer a lot in the way of default passwords,and (c) are nearly always managed via some custom web application front end. Oh, and (d): I don't -- can't -- imagine a future where we will acquire fewer of these things. Today, and we acquire some solid documentation on writing web application login scanners,and a fistful of example implementations. Now, take the fact that most of these devices never find their default passwords changed, or we acquire pretty great chances of guessing correctly whether we're on the same network and do a few guesses. As an added bonus,there's now a whole bunch more of these IoT devices which just got unboxed, powered on, and network connected on Christmas morning. We really conclude need to find ahead of this problem,and approximately the best way I can assume of to tackle it is to actively explore this space in an open source environment like the Metasploit Framework. So, while you're enjoying this holiday season, and perhaps take an hour or two to audit your own local home network,see how many web applications you can find, and consider kicking out a corresponding Metasploit module in order to highlight the risk of factory default passwords on these devices.
Source: rapid7.com