KiwiCon 2016 - Kicking Orion's Assets

•Télécharger en tant que PPTX, PDF•

1 j'aime•31,318 vues

Rob Fuller

My talk at KiwiCon 2016 - http://2016.kiwicon.org/the-con/talks/#e226

Logiciels

KICKING ORION’S
ASSETS
M U B I X “ R O B ” F U L L E R

DEFAULT ACCOUNT
• ADMIN / BLANK
FORCES CHANGE

EVERYONE LIKES CREDENTIALS!
• VMWare ESX creds
• SNMPv3 creds
• Windows creds
• Orion creds
Asset management is what
Orion does, it needs creds to
do this to be more effective
than Nmap, no surprises
here

HOW DOES IT ENCRYPT THESE THINGS?
MAYBE IN THE SECURITY.DLL?

REVERSE ENGINEER ADDED TO MY
RESUME... #SHABOWWOW.
This slide is for all the exploit devs
and reverse engineers who think
they can pentest because they can
spin up Metasploit and generate
shellcode.
Much love <3 <3

THERE SHE BLOWS…
BUT IT COULDN’T POSSIBLY BE
EXPORTABLE RIGHT…?

FINDING #1 – EXPORTABLE
ENCRYPTION CERTIFICATE

FINDING #1 – REALITY CHECK
•You have to be SYSTEM on the Orion
box to export this key.
•Certificate doesn’t seem to ever
change. Get it once you have it forever.
•It is created per-install.

LET’S DECRYPT!
You do not need to be SYSTEM or even
Admin to run this…

WAIT, WHAT IS THIS PASSWORD
FIELD... IT JUST HAS NUMBERS…

LET’S DECRYPT!
WAIT... WHY IS THAT UPPERCASE?

FINDING #2 – EASILY REVERSIBLE
“ENCRYPTED” PASSWORD STORED
• Does a lot of bit flipping and changing the password around to
obfuscate it. I didn’t recognize the function as anything type of
encoding I’ve seen before
• Doesn’t use system data, the certificate, or any type of
encryption, more like encoding than encryption.
• Disabled if FIPS compliance enabled but doesn’t force a
password change.
• FIPS compliance can break things, especially in older
applications. Test before enabling.

OK… BUT HOW DID YOU ACCESS THE
DATABASE??

BUT WHAT KIND OF DATABASE IS
‘SWNETPERFMON.DB’?

FINDING #3 – CLEAR TEXT AND OLD
CONFIGURATIONS KEPT IN TEXT FILE
• No screenshot for proof that old configurations stick around 
but I have seen it, just haven’t had a chance to reproduce on
lab box.
• Old configurations may have database password in clear text.
This was also observed but no screenshot available.
• Encrypted credential uses the same certificate to encrypt as
the other account passwords. SolarWinds responded saying
it’s using DPAPI instead… Haven’t had a chance to confirm
either way.

RESULTS
Y O U A R E G O I N G T O T E L L U S H O W T O
F I X T H I S R I G H T ?

RESULTS / FIXES
1. Exportable RSA encryption key certificate
1. Mark certificate as non-exportable. This may break things.
2. Storage of creds in easily reversible format (Basically
LM reinvented)
1. Enable FIPS compliance if you can
2. Change passwords once this is done to ensure fix is
effective.
3. Cleartext credentials in configuration file
(SWNetPerfMon.DB)
1. Clear out ”old” connection strings

RESULTS / FIXES
Generic Solution:
• Ensure Orion server is protected as much as
possible.
• No access from standard user network, block
SMB/WMI/WinRM.
• Require RDP w/ Smartcard for administration).
• Restrict access to the HTTP/S ports as much as
possible.

OVERALL RATING: A-
• Really impressed with SolarWinds usage of certificate
encryption for the encryption of passwords. It’s much better
than most implementations I’ve seen.
• Impressed with SolarWinds reaching out about the talk and
being cordial and understanding about how slow/busy I am in
responding to emails.
• Would definitely work with the SolarWinds team again.
• One request: I didn’t see the ability to use U2F/MFA on the
web interface, it would be nice if that was available.

THANKS
KIWICON!
M U B I X @ H A K 5 . O R G

Contenu connexe

Similaire à KiwiCon 2016 - Kicking Orion's Assets

Our Brave Modular Future

Orchestrate

Indianapolis Splunk User Group Dec 22

WesComer2

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices. To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.

Shameful secrets of proprietary network protocols

Slawomir Jasek

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

jonmccoy

Sql server security in an insecure world

Gianluca Sartori

Software developers are screwing up the digital world. Security is often an afterthought, or worse, the job of I.T., who is expected to sprinkle magic fairy dust on an app that magically makes it secure. That's an impossible ask and forces a perimeter-based security model that cannot succeed alone in a world of cloud apps, mobile devices, and distributed data. Developers must embrace security by design principles and fundamentally shift their attitude about who is responsible for security.

Stop expecting magic fairy dust: Make apps secure by design

Patrick Walsh

How to hide your browser 0-days

Zoltan Balazs

This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.

SSL Checklist for Pentesters (BSides MCR 2014)

Jerome Smith

"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right. To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

Yevgeniy Brikman

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Chris Gates

Bit_Bucket_x31_Final

Sam Knutson

Security for AWS : Journey to Least Privilege (update)

dhubbard858

Security for AWS: Journey to Least Privilege

Lacework

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

adamleff

Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence this session will show you how!

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)

Gabriella Davis

Websec

Kristaps Kūlis

Confidence web

Dan Kaminsky

Secure Channels Presentation

Richard Blech

Security - The WLF Principle

Marco Gralike

Similaire à KiwiCon 2016 - Kicking Orion's Assets (20)

Our Brave Modular Future

Indianapolis Splunk User Group Dec 22

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Shameful secrets of proprietary network protocols

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

Sql server security in an insecure world

Stop expecting magic fairy dust: Make apps secure by design

How to hide your browser 0-days

SSL Checklist for Pentesters (BSides MCR 2014)

Cloud adoption fails - 5 ways deployments go wrong and 5 solutions

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Bit_Bucket_x31_Final

Security for AWS : Journey to Least Privilege (update)

Security for AWS: Journey to Least Privilege

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)

Websec

Confidence web

Secure Channels Presentation

Security - The WLF Principle

Plus de Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

Talk given at DerbyCon 2016 and RuxCon 2016 Malware authors and reverse engineers have been playing cat and mouse for a number of years now when it comes to writing and reversing of malware. From nation state level malware to the mass malware that infects grandmas and grandpas, mothers and fathers, the different types of malware employ a myriad of techniques to stop those who look at it from guessing the true intent. This talk will be about some of the unorthodox methods employed by some malware to stay hidden from, or out right ignore the reverse engineering community.

Writing malware while the blue team is staring at you

Rob Fuller

Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)

Rob Fuller

Attacker Ghost Stories - ShmooCon 2014

Rob Fuller

GiTFO

Rob Fuller

NotaCon 2011 - Networking for Pentesters

Rob Fuller

As The Phish Turns

Rob Fuller

RIT 2009 Intellectual Pwnership

Rob Fuller

Metasploit magic the dark coners of the framework

Rob Fuller

Windows Attacks AT is the new black

Rob Fuller

Practical Exploitation - Webappy Style

Rob Fuller

Intro to White Chapel

Rob Fuller

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

A @textfiles approach to gathering the world's DNS

Rob Fuller

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Rob Fuller

Memory Forensics for Pentesters: Firefox

Rob Fuller

From Couch To Career In 80 Hours

Rob Fuller

Plus de Rob Fuller (17)

Why isn't infosec working? Did you turn it off and back on again?

Writing malware while the blue team is staring at you

Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)

Attacker Ghost Stories - ShmooCon 2014

GiTFO

NotaCon 2011 - Networking for Pentesters

As The Phish Turns

RIT 2009 Intellectual Pwnership

Metasploit magic the dark coners of the framework

Windows Attacks AT is the new black

Practical Exploitation - Webappy Style

Intro to White Chapel

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

A @textfiles approach to gathering the world's DNS

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Memory Forensics for Pentesters: Firefox

From Couch To Career In 80 Hours

Dernier

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

Foundation models are machine learning models which are easily capable of performing variable tasks on large and huge datasets. FMs have managed to get a lot of attention due to this feature of handling large datasets. It can do text generation, video editing to protein folding and robotics. In case we believe that FMs can help the hospitals and patients in any way, we need to perform some important evaluations, tests to test these assumptions. In this review, we take a walk through Fms and their evaluation regimes assumed clinical value. To clarify on this topic, we reviewed no less than 80 clinical FMs built from the EMR data. We added all the models trained on structured and unstructured data. We are referring to this combination of structured and unstructured EMR data or clinical data.

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

harshavardhanraghave

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

👉 𝑾𝑰𝑳𝑳 𝑷𝑹𝑶𝑽𝑰𝑫𝑬 𝒀𝑶𝑼 𝑾𝑰𝑻𝑯 𝑺𝑬𝑿𝒀 𝑴𝑶𝑫𝑬𝑳𝑺 𝑾𝑯𝑶 𝑾𝑰𝑳𝑳 𝑫𝑨𝑵𝑪𝑬 & 𝑫𝑹𝑰𝑵𝑲 𝑾𝑰𝑻𝑯 𝒀𝑶𝑼 𝑨𝑵𝑫 𝑨𝑳𝑺𝑶 𝑷𝑹𝑶𝑽𝑰𝑫𝑬 𝒀𝑶𝑼 𝑺𝑬𝑿𝑼𝑨𝑳 𝑩𝑶𝑫𝒀 𝑻𝑶 𝑩𝑶𝑫𝒀 𝑴𝑨𝑺𝑺𝑨𝑮𝑬 𝑾𝑰𝑻𝑯 𝑺𝑬𝑿. 👉𝒀𝑶𝑼 𝑴𝑨𝒀 𝑻𝑨𝑲𝑬 𝑻𝑯𝑬𝑴 𝑶𝑼𝑻 𝑭𝑶𝑹 𝑨 𝑷𝑨𝑹𝑻𝒀 𝑶𝑹 𝑨𝑳𝑺𝑶 𝑭𝑶𝑹 𝑨𝑵𝒀 𝑷𝑹𝑰𝑽𝑨𝑻𝑬 𝑷𝑨𝑹𝑻𝑰𝑬𝑺. 👉𝑻𝑯𝑬𝑺𝑬 𝑮𝑰𝑹𝑳𝑺 𝑨𝑹𝑬 𝑰𝑵𝑻𝑬𝑹𝑬𝑺𝑻𝑬𝑫 𝑰𝑵 𝑯𝑨𝑽𝑰𝑵𝑮 𝑺𝑶𝑴𝑬 𝑭𝑼𝑵 𝑾𝑰𝑻𝑯 𝒀𝑶𝑼 𝑨𝑵𝑫 𝑾𝑰𝑳𝑳 𝑬𝑵𝑺𝑼𝑹𝑬 𝑻𝑯𝑨𝑻 𝒀𝑶𝑼 𝑯𝑨𝑽𝑬 𝑪𝑶𝑴𝑷𝑳𝑬𝑻𝑬 𝑭𝑼𝑵. 28/April/2024 {{🎗️SCH🎗️}} 8923113531 How to book call girls The Booking process is particularly time-saving and more comfortable for us. Below mentioned are the steps you need to follow to hire our call girl: Step 1 - Visit our Call Girls Service website Step 2 - check for the portfolios of our sexy and hot call girls Step 3 - check on the services provided by the specific call girls Step 4 - Once you have selected the call girls and respective services, go to the contact us page. Step 5 - on the contact page, you will get our phone number, WhatsApp number, and email address. You can choose any one of them to connect with us. Call Us – 8923113531 ✣ ✤ ✥ ✦ 𝑻𝑰𝑴𝑬 𝑾𝑨𝑺𝑻𝑬𝑹𝑺 𝑨𝑵𝑫 𝑩𝑨𝑹𝑮𝑨𝑰𝑵𝑬𝑹𝑺 𝑨𝑹𝑬 𝑷𝑳𝑬𝑨𝑺𝑬 𝑬𝑿𝑪𝑼𝑺𝑬, 𝑾𝑬 𝑹𝑬𝑺𝑷𝑬𝑪𝑻 𝒀𝑶𝑼𝑹 𝑺𝑨𝑭𝑬𝑻𝒀 𝑨𝑵𝑫 𝑷𝑹𝑰𝑽𝑨𝑪𝒀 𝑨𝑵𝑫 𝑬𝑿𝑷𝑬𝑪𝑻 𝑻𝑯𝑬 𝑺𝑨𝑴𝑬 𝑭𝑹𝑶𝑴 𝒀𝑶𝑼.✣ ✤ ✥ ✦ Duration Normal Girls Housewives High-Profile Models (Celebrities) 1 Shot ₹ 8,000 ₹ 10,000 ₹ 15,000 2 Shots ₹ 15,000 ₹ 15,000 ₹ 25,000 Full Day ₹ 35,000 ₹ 35,000 ₹ 40,000 Full Night ₹ 40,000 ₹ 40,000 ₹ 50,000 Weekend ₹ 45,000 ₹ 45,000 ₹ 50,000 Party Nights ₹ 50,000 ₹ 50,000 ₹ 60,000

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️

anilsa9823

Software Quality Assurance Interview Questions

Arshad QA

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live Booking Contact Details :- WhatsApp Chat :- [+91-9999965857 ] The Best Call Girls Delhi At Your Service Russian Call Girls Delhi Doing anything intimate with can be a wonderful way to unwind from life's stresses, while having some fun. These girls specialize in providing sexual pleasure that will satisfy your fetishes; from tease and seduce their clients to keeping it all confidential - these services are also available both install and outcall, making them great additions for parties or business events alike. Their expert sex skills include deep penetration, oral sex, cum eating and cum eating - always respecting your wishes as part of the experience (29-April-2024(PSS)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

kellynguyen01

Diamond Application Development Crafting Solutions with Precision

SolGuruz

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service

anilsa9823

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

HR Software Buyers Guide in 2024 - HRSoftware.com

Fatema Valibhai

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

OnePlan Solutions

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

Dernier (20)

Unlocking the Future of AI Agents with Large Language Models

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Optimizing AI for immediate response in Smart CCTV

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️

Software Quality Assurance Interview Questions

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

Diamond Application Development Crafting Solutions with Precision

Right Money Management App For Your Financial Goals

Microsoft AI Transformation Partner Playbook.pdf

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service

A Secure and Reliable Document Management System is Essential.docx

HR Software Buyers Guide in 2024 - HRSoftware.com

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

KiwiCon 2016 - Kicking Orion's Assets

1. KICKING ORION’S ASSETS M U B I X “ R O B ” F U L L E R

2. WHO ARE YOU?

3. AGENDA No time for that… 15 min talk...

4. DEFAULT ACCOUNT • ADMIN / BLANK FORCES CHANGE

5. EVERYONE LIKES CREDENTIALS! • VMWare ESX creds • SNMPv3 creds • Windows creds • Orion creds Asset management is what Orion does, it needs creds to do this to be more effective than Nmap, no surprises here

6. REFLECTIVE CREDS? NOPE.

7. CONVENIENT DATABASE TOOL

8. SO WHERE ARE THE CREDS?!

9. AHH, THERE IT IS.. ENCRYPTED?...

10. HOW DOES IT ENCRYPT THESE THINGS? MAYBE IN THE SECURITY.DLL?

11.

12. REVERSE ENGINEER ADDED TO MY RESUME... #SHABOWWOW. This slide is for all the exploit devs and reverse engineers who think they can pentest because they can spin up Metasploit and generate shellcode. Much love <3 <3

13. You saw that coming right?

14.

15. DECRYPT!!

16. DECRYPT!!  CERTIFICATE BASED…

17. WHERE IS CERT?

18. THERE SHE BLOWS… BUT IT COULDN’T POSSIBLY BE EXPORTABLE RIGHT…?

19. FINDING #1 – EXPORTABLE ENCRYPTION CERTIFICATE

20. FINDING #1 – REALITY CHECK •You have to be SYSTEM on the Orion box to export this key. •Certificate doesn’t seem to ever change. Get it once you have it forever. •It is created per-install.

21. LET’S DECRYPT! You do not need to be SYSTEM or even Admin to run this…

22. WHAT ABOUT THE ORION USERS?

23. YUP, ENCRYPTED THE SAME WAY…

24. WAIT, WHAT IS THIS PASSWORD FIELD... IT JUST HAS NUMBERS…

25. WAIT... WHAT DOES THAT SAY?

26. …

27. HUH… SO WHY IS IT IN THE DATABASE?

28. THEY ARE USED RIGHT AFTER EACH OTHER…

29. LET’S DECRYPT! WAIT... WHY IS THAT UPPERCASE?

30. REVENGE OF THE LANMANAGER!! LM

31. FINDING #2 – EASILY REVERSIBLE “ENCRYPTED” PASSWORD STORED • Does a lot of bit flipping and changing the password around to obfuscate it. I didn’t recognize the function as anything type of encoding I’ve seen before • Doesn’t use system data, the certificate, or any type of encryption, more like encoding than encryption. • Disabled if FIPS compliance enabled but doesn’t force a password change. • FIPS compliance can break things, especially in older applications. Test before enabling.

32. OK… BUT HOW DID YOU ACCESS THE DATABASE??

33. SO MANY TOOLS AUTOMATICALLY LOG IN...

34.

35. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?

36. BUT WHAT KIND OF DATABASE IS ‘SWNETPERFMON.DB’?

37. FINDING #3 – CLEAR TEXT AND OLD CONFIGURATIONS KEPT IN TEXT FILE • No screenshot for proof that old configurations stick around  but I have seen it, just haven’t had a chance to reproduce on lab box. • Old configurations may have database password in clear text. This was also observed but no screenshot available. • Encrypted credential uses the same certificate to encrypt as the other account passwords. SolarWinds responded saying it’s using DPAPI instead… Haven’t had a chance to confirm either way.

38. RESULTS Y O U A R E G O I N G T O T E L L U S H O W T O F I X T H I S R I G H T ?

39. RESULTS / FIXES 1. Exportable RSA encryption key certificate 1. Mark certificate as non-exportable. This may break things. 2. Storage of creds in easily reversible format (Basically LM reinvented) 1. Enable FIPS compliance if you can 2. Change passwords once this is done to ensure fix is effective. 3. Cleartext credentials in configuration file (SWNetPerfMon.DB) 1. Clear out ”old” connection strings

40. RESULTS / FIXES Generic Solution: • Ensure Orion server is protected as much as possible. • No access from standard user network, block SMB/WMI/WinRM. • Require RDP w/ Smartcard for administration). • Restrict access to the HTTP/S ports as much as possible.

41. OVERALL RATING: A- • Really impressed with SolarWinds usage of certificate encryption for the encryption of passwords. It’s much better than most implementations I’ve seen. • Impressed with SolarWinds reaching out about the talk and being cordial and understanding about how slow/busy I am in responding to emails. • Would definitely work with the SolarWinds team again. • One request: I didn’t see the ability to use U2F/MFA on the web interface, it would be nice if that was available.

42.

43.

44.

45.

46. THANKS KIWICON! M U B I X @ H A K 5 . O R G

Notes de l'éditeur

Honestly I’m not sure if this is required by Orion or not. This may be needed for it’s agents, clustering or other infrastructure pieces. While this isn’t good, to be able to

KiwiCon 2016 - Kicking Orion's Assets

Recommandé

Recommandé

Contenu connexe

Similaire à KiwiCon 2016 - Kicking Orion's Assets

Similaire à KiwiCon 2016 - Kicking Orion's Assets (20)

Plus de Rob Fuller

Plus de Rob Fuller (17)

Dernier

Dernier (20)

KiwiCon 2016 - Kicking Orion's Assets

Notes de l'éditeur