
KiwiCon 2016 - Kicking Orion's Assets

My talk at KiwiCon 2016 - http://2016.kiwicon.org/the-con/talks/#e226

Published in: Software

  1. KICKING ORION’S ASSETS. MUBIX “ROB” FULLER
  2. WHO ARE YOU?
  3. AGENDA. No time for that… 15 min talk...
  4. DEFAULT ACCOUNT • ADMIN / BLANK FORCES CHANGE
  5. EVERYONE LIKES CREDENTIALS!
     • VMWare ESX creds
     • SNMPv3 creds
     • Windows creds
     • Orion creds
     Asset management is what Orion does; it needs creds to do this to be more effective than Nmap, no surprises here.
  6. REFLECTIVE CREDS? NOPE.
  7. CONVENIENT DATABASE TOOL
  8. SO WHERE ARE THE CREDS?!
  9. AHH, THERE IT IS.. ENCRYPTED?...
  10. HOW DOES IT ENCRYPT THESE THINGS? MAYBE IN THE SECURITY.DLL?
  11. REVERSE ENGINEER ADDED TO MY RESUME... #SHABOWWOW. This slide is for all the exploit devs and reverse engineers who think they can pentest because they can spin up Metasploit and generate shellcode. Much love <3 <3
  12. You saw that coming right?
  13. DECRYPT!!
  14. DECRYPT!! CERTIFICATE BASED…
  15. WHERE IS CERT?
  16. THERE SHE BLOWS… BUT IT COULDN’T POSSIBLY BE EXPORTABLE RIGHT…?
  17. FINDING #1 – EXPORTABLE ENCRYPTION CERTIFICATE
  18. FINDING #1 – REALITY CHECK
     • You have to be SYSTEM on the Orion box to export this key.
     • Certificate doesn’t seem to ever change. Get it once, you have it forever.
     • It is created per-install.
  19. LET’S DECRYPT! You do not need to be SYSTEM or even Admin to run this…
  20. WHAT ABOUT THE ORION USERS?
  21. YUP, ENCRYPTED THE SAME WAY…
  22. WAIT, WHAT IS THIS PASSWORD FIELD... IT JUST HAS NUMBERS…
  23. WAIT... WHAT DOES THAT SAY?
  24.
  25. HUH… SO WHY IS IT IN THE DATABASE?
  26. THEY ARE USED RIGHT AFTER EACH OTHER…
  27. LET’S DECRYPT! WAIT... WHY IS THAT UPPERCASE?
  28. REVENGE OF THE LANMANAGER!! LM
  29. FINDING #2 – EASILY REVERSIBLE “ENCRYPTED” PASSWORD STORED
     • Does a lot of bit flipping and changing the password around to obfuscate it. I didn’t recognize the function as any type of encoding I’ve seen before.
     • Doesn’t use system data, the certificate, or any type of encryption; more like encoding than encryption.
     • Disabled if FIPS compliance is enabled, but that doesn’t force a password change.
     • FIPS compliance can break things, especially in older applications. Test before enabling.
  30. OK… BUT HOW DID YOU ACCESS THE DATABASE??
  31. SO MANY TOOLS AUTOMATICALLY LOG IN...
  32. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?
  33. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?
  34. FINDING #3 – CLEAR TEXT AND OLD CONFIGURATIONS KEPT IN TEXT FILE
     • No screenshot for proof that old configurations stick around, but I have seen it; I just haven’t had a chance to reproduce it on a lab box.
     • Old configurations may have the database password in clear text. This was also observed, but no screenshot is available.
     • The encrypted credential uses the same certificate to encrypt as the other account passwords. SolarWinds responded saying it’s using DPAPI instead… Haven’t had a chance to confirm either way.
  35. RESULTS. YOU ARE GOING TO TELL US HOW TO FIX THIS RIGHT?
  36. RESULTS / FIXES
     1. Exportable RSA encryption key certificate
        1. Mark the certificate as non-exportable. This may break things.
     2. Storage of creds in an easily reversible format (basically LM reinvented)
        1. Enable FIPS compliance if you can.
        2. Change passwords once this is done to ensure the fix is effective.
     3. Cleartext credentials in configuration file (SWNetPerfMon.DB)
        1. Clear out “old” connection strings.
  37. RESULTS / FIXES. Generic solution:
     • Ensure the Orion server is protected as much as possible.
     • No access from the standard user network; block SMB/WMI/WinRM.
     • Require RDP with smartcard for administration.
     • Restrict access to the HTTP/S ports as much as possible.
  38. OVERALL RATING: A-
     • Really impressed with SolarWinds’ usage of certificate encryption for the encryption of passwords. It’s much better than most implementations I’ve seen.
     • Impressed with SolarWinds reaching out about the talk and being cordial and understanding about how slow/busy I am in responding to emails.
     • Would definitely work with the SolarWinds team again.
     • One request: I didn’t see the ability to use U2F/MFA on the web interface; it would be nice if that was available.
  39. THANKS KIWICON! MUBIX@HAK5.ORG
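One defensive check that matches finding #3 and fix 3 above, added here as an example that is not from the talk: scan a text configuration for connection strings that still carry a cleartext database password, so stale entries can be found and cleared (and the password rotated). The INI-like layout, the entry names and the sample values are assumptions for this example; the real SWNetPerfMon.DB format is not described on the page.

```python
from typing import Dict, List

# Constructed sample. The talk only says SWNetPerfMon.DB is a text file that
# can keep old configurations with cleartext DB passwords; the INI-like
# layout, entry names and values below are assumptions for this example.
SAMPLE_CONFIG = """\
[Database]
ConnectionString=Server=ORION-SQL;Database=SolarWindsOrion;User ID=OrionDbUser;Password=S3cretP@ss;
ConnectionString_Old=Server=OLD-SQL;Database=NetPerfMon;User ID=sa;Password=Winter2015!;
ConnectionString_Backup=Server=ORION-SQL;Database=SolarWindsOrion;Integrated Security=SSPI;
LogLevel=Info
"""

# Connection-string keys that carry a secret (ADO.NET / ODBC spellings).
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'k=v;k=v;' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for chunk in value.split(";"):
        key, sep, val = chunk.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts


def audit_config(text: str) -> List[Dict[str, str]]:
    """One finding per config entry whose connection string still carries a
    cleartext password. The secret is masked so the report can be shared
    without re-leaking it."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.lstrip().startswith(("[", "#", ";")):
            continue                      # section header or comment
        name, sep, value = line.partition("=")
        if not sep or ";" not in value:   # plain setting, not a connection string
            continue
        cs = parse_connection_string(value)
        secret_key = next((k for k in SECRET_KEYS if cs.get(k)), None)
        if secret_key is None:            # e.g. Integrated Security=SSPI
            continue
        findings.append({
            "entry": name.strip(),
            "server": cs.get("server", cs.get("data source", "?")),
            "user": cs.get("user id", cs.get("uid", "?")),
            "secret": "*" * len(cs[secret_key]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['entry']}: {f['user']}@{f['server']} cleartext password {f['secret']}")
```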
