Toppling Domino - 44CON 2012

Text of Toppling Domino - 44CON 2012

1. 44Con 2012: Toppling Domino
   Testing security in a Lotus Notes environment
   Written & Presented by Darren Fuller, SecQuest Information Security Ltd.
   2012 SecQuest Information Security Ltd.

2. 44Con: London, September 2012 - About this Presentation
   This presentation was originally given at 44Con 2012 in London and had a number of interactive demos which obviously cannot be included. If you or your company would like further information about Domino security or to arrange a re-run of this talk on your premises please contact us.
   https://www.secquest.co.uk
   Tel: 0845 19 31337

3. Who Am I?
   • Darren Fuller
   • Lotus PCLP*
   • Security Consultant
   • Ex IBM Notes developer
   • Ex IBM EMEA X-Force
   • Run a company called SecQuest
   • Been using Notes since V3 on IBM OS/2
   * Domino R5

4. What I'm Talking About Today
   Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community.
   In this presentation I'll aim to give a general overview of Domino security and demonstrate ways of breaking in.
   This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.

5. Typical!
   Nothing about Notes/Domino for a while then William Dawson talked about it at BSides Vegas this year! Interesting talk about Domino hashes which we'll cover in a bit of detail later.
   Link to talks: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2012/mainlist

6. Used By
   More than half of Fortune 100 companies & more

7. Lotus Notes/Domino: History
   • Created by Ray Ozzie/Iris Associates
   • V1 shipped in 1989
   • Included public key cryptography
   • 3 major editions available in the early days
   • V8.5.4 is currently in beta

8. Crypto Background Information
   • US Edition used 64 bit keys
   • International keys restricted to 40 bits due to US export rules before 1997
   • Deal with US .gov to allow 64 bit international keys after 1997 providing they had the first 24 bits
   • France didn't like this! A French edition was made with 40 bit encryption keys
   • These days 128 and 256 bit AES can be used

9. Security Overview
   • ID Files
   • Database ACL (Access control list)
   • Execution Control List (ECL)
   • NAB Groups

10. Security Overview: Encryption Layers
   • Database Encryption
   • Document Encryption
   • Field Encryption
   • Transport Layer Encryption

11. C'mon! We're h4X0rs.. Can we whack it?

12. Yes we Can!
   Examples given in this presentation are based on real world tests. These techniques have been used a number of times to compromise various client sites.
   Obviously root is nice but the data is the thing to go for, the right Notes user will give you the keys to the kingdom!

13. Breaking In Externally - What to look for
   • names.nsf database with anonymous access
   • domlog.nsf with anonymous access
   • webadmin.nsf (you'll be lucky!)

14. Checking out the /hacker Domain
   Anonymous access to domlog.nsf can give you a session ID, these default to 30 minute expiry

15. NAB Access!

16. Because..
   The admins have messed up and granted anonymous reader access

17. HTTPPassword in Document Source
   • Vulnerability documented in 2005
   • Still overlooked by a lot of admins

18. HTTPPassword in Document Source
   Metasploit can automate hash gathering

19. Cracking Passwords
   • Grab password hashes from the document source
   • Domino has two types of password hashes for internet passwords; normal and more secure
   • Use JTR with Jumbo Patch: normal = lotus5, more secure = dominosec

20. Cracking Passwords: results

21. Targeting Interesting Users
   • Once you have cracked some passwords you should be able to authenticate and access catalog.nsf
   • If internet authentication is set to "Fewer name variations with higher security" you need to use the full canonical username: Joe King/hacker
   • catalog.nsf contains a list of all databases on the server + access control information
   • The "By Name" view will give you a list of databases your user can access

22. Targeting Interesting Users

23. Access Control List Info

24. Check group members in names.nsf
   JTR popped this one earlier!

25. Getting More Access: Running Commands
   webadmin.nsf allows an administrator to run server commands.

26. Getting More Access
   You can run O/S commands using "load" but can't see the results when using quick console.
   For some reason writing output to a web accessible directory didn't work on Linux.
   Solution: upload a Notes database shell!

27. Introducing shell.nsf aka D99Shell
   You may get a certificate error after uploading..

28. D99Shell in action!

29. Also works on Windows servers

30. Demo: Breaking In!
   Oh Noez! U R demoin dis live!?!

31. Breaking in from the Inside - Objectives
   • Find ID files on the network
   • Crack passwords
   • Get in to the NAB on the server
   • Find ID files with higher levels of access
   • Pw0nage!

32. Are Employees the Biggest Threat?
   "Many breaches of security are done by insiders" - Katherine Spanbauer, Domino senior product manager

33. Gaining A Toehold
   • Since R5 you need an ID file to access the client
   • ID file needs to be valid and not in a deny access group in the NAB.
   • Shared directories FTW!

34. Gaining A Toehold
   It used to be hard to crack native Notes passwords! There are a number of products available to crack ID file passwords.
   Huge thanks to Nataly at Passware for the software* being used in the following demo..
   * http://www.lostpassword.com

35. Demo: Notes ID Password Cracking
   I can haz beerz after, right?

36. We're going after the payroll
   Our freshly cracked ID file gives catalog.nsf & names.nsf access

37. Check the NAB (names.nsf) for group members
   Oops!

38. The result..

39. Client-side Tricks
   • Spoofing mail..
   • Removing restrictions of local access
   • LotusScript can access the Windows API!
     Declare Function GetClipboardData Lib "User32" (Byval wFormat As Long) As Long

40. Mail spoofing; getting a payrise!
   SMTP mail can be easily spoofed using telnet but document properties are a dead giveaway

41. The Spoof Memo Form
   This is all that is required:

42. The result
   Create a new mail using the evil form and copy/paste it in to the mail.box database on the spoofed user's server.
   The only giveaway.. Looks Good..

43. Local Access Protection
   Lotus Notes has an ACL setting to "Enforce consistent ACL".
   Opening a protected database locally gives an error like this: Not this ->

44. I Can't Access It Locally Eh!
   There are companies out there selling various unlock solutions. Prices for software range from $49 to $657!!
   I've tested a few versions of these "life saving" products.. One of them changed 4 bytes, another changed 6!

45. I Can't Access It Locally Eh!
   I mentioned to colleagues @ IBM in 2004 that you could change 1 byte to remove protection. These apps are doing 75% too much work!
   Sorry guys, the secret's out: Changing 0x000002C4 from 20 to 00 could save $700!

46. 44
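A defender-side audit of the two Internet password formats named on slide 19 (normal = lotus5, more secure = dominosec in John the Ripper terms), as an added example that is not part of the talk: given an export of Person documents and their HTTPPassword values, it reports which accounts are still on the old format so an administrator can act on them. The export, the user names and the hash values are constructed, and the patterns check only the outward shape of each format, not that a value is a valid hash.

```python
import re
from collections import Counter

# Constructed sample export (user name -> HTTPPassword value). None of these
# values is a real hash; each only has the shape of the format it stands for.
SAMPLE_EXPORT = {
    "Joe King/hacker": "0123456789ABCDEF0123456789ABCDEF",   # old "normal" format
    "Ann Admin/hacker": "(GConstructedSampleValue00)",        # "more secure" format
    "Bob Builder/hacker": "",                                 # no Internet password set
    "Eve Error/hacker": "not-a-domino-hash",                  # unexpected value
}

# "Normal" Domino Internet password hash: 32 hex digits (JtR format: lotus5).
LOTUS5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
# "More secure Internet password": wrapped in parentheses and starting with G
# (JtR format: dominosec). Only the outer shape is checked here.
DOMINOSEC_RE = re.compile(r"^\(G[0-9A-Za-z+/]+\)$")


def classify_hash(value: str) -> str:
    """Return 'lotus5', 'dominosec', 'none' (empty field) or 'unknown'."""
    value = (value or "").strip()
    if not value:
        return "none"
    if LOTUS5_RE.match(value):
        return "lotus5"
    if DOMINOSEC_RE.match(value):
        return "dominosec"
    return "unknown"


def audit_internet_passwords(export: dict) -> dict:
    """Classify every exported entry.

    Returns the per-user classification, a Counter of formats, and the list
    of users whose HTTPPassword is still in the old lotus5 format, which is
    the list an administrator would follow up on.
    """
    by_user = {user: classify_hash(value) for user, value in export.items()}
    counts = Counter(by_user.values())
    weak_users = sorted(u for u, fmt in by_user.items() if fmt == "lotus5")
    return {"by_user": by_user, "counts": counts, "weak_users": weak_users}


if __name__ == "__main__":
    result = audit_internet_passwords(SAMPLE_EXPORT)
    print("format counts:", dict(result["counts"]))
    print("still on lotus5:", result["weak_users"])
```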
