KiwiCon 2016 - Kicking Orion's Assets

•Descargar como PPTX, PDF•

1 recomendación•31,323 vistas

Rob Fuller

My talk at KiwiCon 2016 - http://2016.kiwicon.org/the-con/talks/#e226

Software

KICKING ORION’S
ASSETS
M U B I X “ R O B ” F U L L E R

DEFAULT ACCOUNT
• ADMIN / BLANK
FORCES CHANGE

EVERYONE LIKES CREDENTIALS!
• VMWare ESX creds
• SNMPv3 creds
• Windows creds
• Orion creds
Asset management is what
Orion does, it needs creds to
do this to be more effective
than Nmap, no surprises
here

HOW DOES IT ENCRYPT THESE THINGS?
MAYBE IN THE SECURITY.DLL?

REVERSE ENGINEER ADDED TO MY
RESUME... #SHABOWWOW.
This slide is for all the exploit devs
and reverse engineers who think
they can pentest because they can
spin up Metasploit and generate
shellcode.
Much love <3 <3

THERE SHE BLOWS…
BUT IT COULDN’T POSSIBLY BE
EXPORTABLE RIGHT…?

FINDING #1 – EXPORTABLE
ENCRYPTION CERTIFICATE

FINDING #1 – REALITY CHECK
•You have to be SYSTEM on the Orion
box to export this key.
•Certificate doesn’t seem to ever
change. Get it once you have it forever.
•It is created per-install.

LET’S DECRYPT!
You do not need to be SYSTEM or even
Admin to run this…

WAIT, WHAT IS THIS PASSWORD
FIELD... IT JUST HAS NUMBERS…

LET’S DECRYPT!
WAIT... WHY IS THAT UPPERCASE?

FINDING #2 – EASILY REVERSIBLE
“ENCRYPTED” PASSWORD STORED
• Does a lot of bit flipping and changing the password around to
obfuscate it. I didn’t recognize the function as anything type of
encoding I’ve seen before
• Doesn’t use system data, the certificate, or any type of
encryption, more like encoding than encryption.
• Disabled if FIPS compliance enabled but doesn’t force a
password change.
• FIPS compliance can break things, especially in older
applications. Test before enabling.

OK… BUT HOW DID YOU ACCESS THE
DATABASE??

BUT WHAT KIND OF DATABASE IS
‘SWNETPERFMON.DB’?

FINDING #3 – CLEAR TEXT AND OLD
CONFIGURATIONS KEPT IN TEXT FILE
• No screenshot for proof that old configurations stick around 
but I have seen it, just haven’t had a chance to reproduce on
lab box.
• Old configurations may have database password in clear text.
This was also observed but no screenshot available.
• Encrypted credential uses the same certificate to encrypt as
the other account passwords. SolarWinds responded saying
it’s using DPAPI instead… Haven’t had a chance to confirm
either way.

RESULTS
Y O U A R E G O I N G T O T E L L U S H O W T O
F I X T H I S R I G H T ?

RESULTS / FIXES
1. Exportable RSA encryption key certificate
1. Mark certificate as non-exportable. This may break things.
2. Storage of creds in easily reversible format (Basically
LM reinvented)
1. Enable FIPS compliance if you can
2. Change passwords once this is done to ensure fix is
effective.
3. Cleartext credentials in configuration file
(SWNetPerfMon.DB)
1. Clear out ”old” connection strings

RESULTS / FIXES
Generic Solution:
• Ensure Orion server is protected as much as
possible.
• No access from standard user network, block
SMB/WMI/WinRM.
• Require RDP w/ Smartcard for administration).
• Restrict access to the HTTP/S ports as much as
possible.

OVERALL RATING: A-
• Really impressed with SolarWinds usage of certificate
encryption for the encryption of passwords. It’s much better
than most implementations I’ve seen.
• Impressed with SolarWinds reaching out about the talk and
being cordial and understanding about how slow/busy I am in
responding to emails.
• Would definitely work with the SolarWinds team again.
• One request: I didn’t see the ability to use U2F/MFA on the
web interface, it would be nice if that was available.

THANKS
KIWICON!
M U B I X @ H A K 5 . O R G

Más contenido relacionado

Similar a KiwiCon 2016 - Kicking Orion's Assets

Our Brave Modular Future

Orchestrate

Indianapolis Splunk User Group Dec 22

WesComer2

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices. To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.

Shameful secrets of proprietary network protocols

Slawomir Jasek

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

jonmccoy

Sql server security in an insecure world

Gianluca Sartori

Software developers are screwing up the digital world. Security is often an afterthought, or worse, the job of I.T., who is expected to sprinkle magic fairy dust on an app that magically makes it secure. That's an impossible ask and forces a perimeter-based security model that cannot succeed alone in a world of cloud apps, mobile devices, and distributed data. Developers must embrace security by design principles and fundamentally shift their attitude about who is responsible for security.

Stop expecting magic fairy dust: Make apps secure by design

Patrick Walsh

How to hide your browser 0-days

Zoltan Balazs

This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.

SSL Checklist for Pentesters (BSides MCR 2014)

Jerome Smith

"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right. To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

Yevgeniy Brikman

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Chris Gates

Bit_Bucket_x31_Final

Sam Knutson

Security for AWS : Journey to Least Privilege (update)

dhubbard858

Security for AWS: Journey to Least Privilege

Lacework

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

adamleff

Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence this session will show you how!

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)

Gabriella Davis

Websec

Kristaps Kūlis

Confidence web

Dan Kaminsky

Secure Channels Presentation

Richard Blech

Security - The WLF Principle

Marco Gralike

Similar a KiwiCon 2016 - Kicking Orion's Assets (20)

Our Brave Modular Future

Indianapolis Splunk User Group Dec 22

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Shameful secrets of proprietary network protocols

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

Sql server security in an insecure world

Stop expecting magic fairy dust: Make apps secure by design

How to hide your browser 0-days

SSL Checklist for Pentesters (BSides MCR 2014)

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Bit_Bucket_x31_Final

Security for AWS : Journey to Least Privilege (update)

Security for AWS: Journey to Least Privilege

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)

Websec

Confidence web

Secure Channels Presentation

Security - The WLF Principle

Más de Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

Talk given at DerbyCon 2016 and RuxCon 2016 Malware authors and reverse engineers have been playing cat and mouse for a number of years now when it comes to writing and reversing of malware. From nation state level malware to the mass malware that infects grandmas and grandpas, mothers and fathers, the different types of malware employ a myriad of techniques to stop those who look at it from guessing the true intent. This talk will be about some of the unorthodox methods employed by some malware to stay hidden from, or out right ignore the reverse engineering community.

Writing malware while the blue team is staring at you

Rob Fuller

Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)

Rob Fuller

Attacker Ghost Stories - ShmooCon 2014

Rob Fuller

GiTFO

Rob Fuller

NotaCon 2011 - Networking for Pentesters

Rob Fuller

As The Phish Turns

Rob Fuller

RIT 2009 Intellectual Pwnership

Rob Fuller

Metasploit magic the dark coners of the framework

Rob Fuller

Windows Attacks AT is the new black

Rob Fuller

Practical Exploitation - Webappy Style

Rob Fuller

Intro to White Chapel

Rob Fuller

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

A @textfiles approach to gathering the world's DNS

Rob Fuller

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Rob Fuller

Memory Forensics for Pentesters: Firefox

Rob Fuller

From Couch To Career In 80 Hours

Rob Fuller

Más de Rob Fuller (17)

Why isn't infosec working? Did you turn it off and back on again?

Writing malware while the blue team is staring at you

Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)

Attacker Ghost Stories - ShmooCon 2014

GiTFO

NotaCon 2011 - Networking for Pentesters

As The Phish Turns

RIT 2009 Intellectual Pwnership

Metasploit magic the dark coners of the framework

Windows Attacks AT is the new black

Practical Exploitation - Webappy Style

Intro to White Chapel

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

A @textfiles approach to gathering the world's DNS

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Memory Forensics for Pentesters: Firefox

From Couch To Career In 80 Hours

Último

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

masabamasaba

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal. Attraction Spells

%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...

masabamasaba

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

The title is not connected to what is inside

shinachiaurasa2

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

ADR, or Architecture Decision Record, is a valuable tool in software development for several reasons. It provides a centralized location for documenting and tracking architectural decisions, aiding both current and future team members. ADRs enhance communication among team members by documenting the rationale behind architectural decisions, especially beneficial during onboarding of new team members or when revisiting decisions. They serve as a knowledge base, enabling teams to learn from past decisions and refine their decision-making process. Additionally, ADRs contribute to transparency by helping stakeholders understand the reasons behind specific architectural choices. As with any other tool or process, introducing them into an organization can face several obstacles, and overcoming these challenges is crucial for successful implementation. In this talk I go through some common problems and our way of solving them.

Architecture decision records - How not to get lost in the past

Papp Krisztián

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic near me by a powerful astrologer and spell caster in Atlanta. Bring back your lover with Asaf's voodoo-love witchcraft. Psychic Reading | Astrologer | Spell Caster | Obsession Spells | Black Magic | Witchcraft | Protection spell | wiccan spells. Black magic expert and voodoo love spells that work overnight to retrieve that love | lost love spell caster with powerful love psychic reading. Best astrologer & psychic in Sandy Springs, GA to renew your relationship & make your relationship stronger. love spells to bring back the feelings of love for ex-lovers. Increase the intimacy, affection & love between you and your lover using voodoo relationship obsession spells in USA. Money spells, easy love spells with just words, think of me spell, powerful love spell, spells of love, spells that work, love potion to attract a man, easy love spells with just words, pink candle prayer, white magic spells, call me spell, manifestation spell, gay love spells, Commitment spells, business spells and, how to bring back lost love in a relationship, Witchcraft love spells that work immediately to increase love & intimacy in your relationship. Attraction love spells to attract someone, stop a divorce, prevent a breakup & get your ex back. When using love binding spells, there are several things you should know, particularly how to protect yourself from negative energies and how to use the powers of incantations for the good of all people involved. When the focus is love, the results are truly magical. It’s important to remember love is not manipulative, it is not forceful, and it does not bend another to its will. Love is free-flowing, accepting, kind, and generous. For your love spell to work as intended, you must have good intentions in your heart. Below, we share the top five love spells you can use today to shift the energies in your life and create a future filled with love and fulfilment. Obsession spells to Get Your Ex-Lover Back. All women want one thing the most in life to be love and love in return – not much to ask. A lady wants a good man who loves you unconditionally and loyally. You want a man who is honest, hardworking, and loyal – not a complainer or a weakling or a self-centred man. You are a strong, independent, sensual, caring, loving woman. And you don’t think it’s asking too much to want to be with a loving, intelligent man with a good sense of humour and daring, an upright and confident man – who knows who he is. No one wants a chauvinistic and macho man, but you do want someone who will be willing to protect and care for you. Who loves you for you and not some kind of imaginary. You have no doubt that when the right guy appears on your doorstep, you’ll never let him go. But sometimes a man doesn’t realize he has that good woman.

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...

chiefasafspells

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of Winnipeg back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal. Attraction Spells

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...

masabamasaba

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

%in Benoni+277-882-255-28 abortion pills for sale in Benoni

masabamasaba

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

masabamasaba

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

WSO2

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

KiwiCon 2016 - Kicking Orion's Assets

1. KICKING ORION’S ASSETS M U B I X “ R O B ” F U L L E R

2. WHO ARE YOU?

3. AGENDA No time for that… 15 min talk...

4. DEFAULT ACCOUNT • ADMIN / BLANK FORCES CHANGE

5. EVERYONE LIKES CREDENTIALS! • VMWare ESX creds • SNMPv3 creds • Windows creds • Orion creds Asset management is what Orion does, it needs creds to do this to be more effective than Nmap, no surprises here

6. REFLECTIVE CREDS? NOPE.

7. CONVENIENT DATABASE TOOL

8. SO WHERE ARE THE CREDS?!

9. AHH, THERE IT IS.. ENCRYPTED?...

10. HOW DOES IT ENCRYPT THESE THINGS? MAYBE IN THE SECURITY.DLL?

11.

12. REVERSE ENGINEER ADDED TO MY RESUME... #SHABOWWOW. This slide is for all the exploit devs and reverse engineers who think they can pentest because they can spin up Metasploit and generate shellcode. Much love <3 <3

13. You saw that coming right?

14.

15. DECRYPT!!

16. DECRYPT!!  CERTIFICATE BASED…

17. WHERE IS CERT?

18. THERE SHE BLOWS… BUT IT COULDN’T POSSIBLY BE EXPORTABLE RIGHT…?

19. FINDING #1 – EXPORTABLE ENCRYPTION CERTIFICATE

20. FINDING #1 – REALITY CHECK •You have to be SYSTEM on the Orion box to export this key. •Certificate doesn’t seem to ever change. Get it once you have it forever. •It is created per-install.

21. LET’S DECRYPT! You do not need to be SYSTEM or even Admin to run this…

22. WHAT ABOUT THE ORION USERS?

23. YUP, ENCRYPTED THE SAME WAY…

24. WAIT, WHAT IS THIS PASSWORD FIELD... IT JUST HAS NUMBERS…

25. WAIT... WHAT DOES THAT SAY?

26. …

27. HUH… SO WHY IS IT IN THE DATABASE?

28. THEY ARE USED RIGHT AFTER EACH OTHER…

29. LET’S DECRYPT! WAIT... WHY IS THAT UPPERCASE?

30. REVENGE OF THE LANMANAGER!! LM

31. FINDING #2 – EASILY REVERSIBLE “ENCRYPTED” PASSWORD STORED • Does a lot of bit flipping and changing the password around to obfuscate it. I didn’t recognize the function as anything type of encoding I’ve seen before • Doesn’t use system data, the certificate, or any type of encryption, more like encoding than encryption. • Disabled if FIPS compliance enabled but doesn’t force a password change. • FIPS compliance can break things, especially in older applications. Test before enabling.

32. OK… BUT HOW DID YOU ACCESS THE DATABASE??

33. SO MANY TOOLS AUTOMATICALLY LOG IN...

34.

35. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?

36. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?

37. FINDING #3 – CLEAR TEXT AND OLD CONFIGURATIONS KEPT IN TEXT FILE • No screenshot for proof that old configurations stick around  but I have seen it, just haven’t had a chance to reproduce on lab box. • Old configurations may have database password in clear text. This was also observed but no screenshot available. • Encrypted credential uses the same certificate to encrypt as the other account passwords. SolarWinds responded saying it’s using DPAPI instead… Haven’t had a chance to confirm either way.

38. RESULTS Y O U A R E G O I N G T O T E L L U S H O W T O F I X T H I S R I G H T ?

39. RESULTS / FIXES 1. Exportable RSA encryption key certificate 1. Mark certificate as non-exportable. This may break things. 2. Storage of creds in easily reversible format (Basically LM reinvented) 1. Enable FIPS compliance if you can 2. Change passwords once this is done to ensure fix is effective. 3. Cleartext credentials in configuration file (SWNetPerfMon.DB) 1. Clear out ”old” connection strings

40. RESULTS / FIXES Generic Solution: • Ensure Orion server is protected as much as possible. • No access from standard user network, block SMB/WMI/WinRM. • Require RDP w/ Smartcard for administration). • Restrict access to the HTTP/S ports as much as possible.

41. OVERALL RATING: A- • Really impressed with SolarWinds usage of certificate encryption for the encryption of passwords. It’s much better than most implementations I’ve seen. • Impressed with SolarWinds reaching out about the talk and being cordial and understanding about how slow/busy I am in responding to emails. • Would definitely work with the SolarWinds team again. • One request: I didn’t see the ability to use U2F/MFA on the web interface, it would be nice if that was available.

42.

43.

44.

45.

46. THANKS KIWICON! M U B I X @ H A K 5 . O R G

Notas del editor

Honestly I’m not sure if this is required by Orion or not. This may be needed for it’s agents, clustering or other infrastructure pieces. While this isn’t good, to be able to

KiwiCon 2016 - Kicking Orion's Assets

Recomendados

Recomendados

Más contenido relacionado

Similar a KiwiCon 2016 - Kicking Orion's Assets

Similar a KiwiCon 2016 - Kicking Orion's Assets (20)

Más de Rob Fuller

Más de Rob Fuller (17)

Último

Último (20)

KiwiCon 2016 - Kicking Orion's Assets

Notas del editor