How to hack VMware vcenter server in 60 seconds

Similar documents
How to hack VMware vcenter server in 60 seconds

Virtually Pwned Pentesting VMware. Claudio

Pen Testing Methodology Gueststealer TomCat Zero Day Directory Traversal VASTO

Professional Penetration Testing Techniques and Vulnerability Assessment ...

Turning your managed Anti-Virus

Linux Network Security

Thick Client Application Security

Vulnerability Assessment and Penetration Testing

1. LAB SNIFFING LAB ID: 10

VMware: Advanced Security

What is Web Security? Motivation

CYBERTRON NETWORK SOLUTIONS

Learn Ethical Hacking, Become a Pentester

Penetration Testing Report Client: Business Solutions June 15 th 2015

Kerem Kocaer 2010/04/14

Application Security Testing

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Penetration Testing Scope Factors

Penetration: from Application down to OS

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

FORBIDDEN - Ethical Hacking Workshop Duration

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Metasploit The Elixir of Network Security

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Information Technology Policy

Penetration Testing with Kali Linux

Adobe Systems Incorporated

Penetration Testing //Vulnerability Assessment //Remedy

PowerChute TM Network Shutdown Security Features & Deployment

CRYPTUS DIPLOMA IN IT SECURITY

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

PENTEST. Pentest Services. VoIP & Web.

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Information Security. Training

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

(WAPT) Web Application Penetration Testing


CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

Hack Your SQL Server Database Before the Hackers Do

Topics in Network Security

Loophole+ with Ethical Hacking and Penetration Testing

Internet Banking System Web Application Penetration Test Report

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

VMware vcenter Support Assistant 5.1.1

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Implementing Cisco IOS Network Security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Using Websense Data Endpoint Client Software

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Using Nessus In Web Application Vulnerability Assessments

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Passing PCI Compliance How to Address the Application Security Mandates

Information Security Services

Locking down a Hitachi ID Suite server

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Web Application Security

CEH Version8 Course Outline

WHITEPAPER. Nessus Exploit Integration

Installing and Configuring Nessus by Nitesh Dhanjani

Vulnerability analysis

Web Application Report

OWASP Top Ten Tools and Tactics

Common Criteria Web Application Security Scoring CCWAPSS

Penetration Testing in Romania

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Build Your Own Security Lab

8 steps to protect your Cisco router

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Client logo placeholder XXX REPORT. Page 1 of 37

Invest in security to secure investments Oracle PeopleSoft applications are under attacks!

Firewalls and Intrusion Detection

Ethical Hacking Course Layout

Chapter 1 Web Application (In)security 1

Automated Vulnerability Scan Results

Top 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Enumerating and Breaking VoIP

June 2014 WMLUG Meeting Kali Linux

(maybe?)apt1: technical backstage

Adobe Systems Software Ireland Ltd

Newsletter - September T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Rational AppScan & Ounce Products

IINS Implementing Cisco Network Security 3.0 (IINS)

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

SAST, DAST and Vulnerability Assessments, = 4

Exploiting Foscam IP Cameras.

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Data Breaches and Web Servers: The Giant Sucking Sound

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

NetBrain Security Guidance

The Risks that Pen Tests don t Find. OWASP 13 April The OWASP Foundation

Transcription:

Invest in security to secure investments How to hack VMware vcenter server in 60 seconds Alexander Minozhenko

#whoami Pen-tester at Digital Security Researcher DCG#7812 / Zeronights CTF Thanks for ideas and support to Alexey Sintsov 2

Scanning Fingerprinting Banner grabbing Play with passwords Find vulns. Exploit vulns. Escalate privs. Dig in Find ways to make attacks And e.t.c. What do pen-testers do? 3

Find vulns. Static Source code review regexp formal methods hand testing Reverse Engineering formal methods hands Dynamic Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering Hand testing Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc) 4

Pen-tester env. Tasks: pwn target 8) show most dang. vulns. show real attacks and what an attacker can do Time: Not much ) Targets: Large number of targets, different types 5

Find vulns. Static Source code review regexp formal methods hand testing Reverse Engineering formal methods hands Dynamic Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering Hand testing Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc) BlackBox Not much time 6

Target 7

VMware vcenter Server VMware vcenter Server is solution to manage VMware vsphere vsphere virtualization operating system 8

Target Vmware vcenter version 4.1 update 1 Services: Update Manager vcenter Orchestrator Chargeback Other Each services has web server 9

CVE-2009-1523 Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../file Discovered by Claudio Criscione But Fixed in VMware Update Manager 4.1 update 1 :( 10

Directory traversal..again? Directory traversal in Jetty web server http://target:9084/vci/download/.%5c..%5c..%5c..%5c..%5c..% 5C..%5C..%5C..\FILE.EXT Discovered by Alexey Sintsov Metasploit module vmware_update_manager_traversal.rb by sinn3r 11

Directory traversal What file to read? Claudio Criscione propose to read vpxd-profiler-* - /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680- FB72656A1DCB'/Username= FakeDomain\FakeUser'/SoapSession/Id='A D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1 Contains logs of SOAP requests with session ID 12

VASTO VASTO collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions. http://vasto.nibblesec.org/ vmware_updatemanager_traversal.rb Jetty path traversal vmware_session_rider.rb Local proxy to ride stolen SOAPID sessions 13

Fixed in version 4.1 update 1, contain ip - addresses 14

Attack Make arp poisoning attack Spoof ssl certificate 15

Attack Administrators check SSL cert 16

Attack Steal ssl key via directory traversal http://target:9084/vci/downloads/.\..\..\..\..\..\..\..\documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key Make arp-spoofing Decrypt traffic with stolen ssl key What if arp-spoofing does not work? 17

Vmware vcenter Orchestrator Vmware vco software for automate configuration and management Install by default with vcenter Have interesting file C:\Program files\vmware\infrastructure\orchestrator \configuration\jetty\etc\passwd.properties 18

Vmware vcenter Orchestrator Which contains md5 password without salt Could easy bruteforce using rainbow tables 19

We get in 20

Plain text passwords 21

Vmware vcenter Orchestrator vco stored password at files: C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\plugins\VC.xml C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\vmo.properties 22

VC.xml <?xml version="1.0" encoding="utf-8" standalone="yes"?> <virtual-infrastructure-hosts> <virtual-infrastructure-host <enabled>true</enabled> <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administratorusername> <administratorpassword>010506275767b74786b383a4a60be76786474032 9d5fcf324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> </virtual-infrastructure-hosts> 23

Password Encoding 006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079 vcenter Red bytes look like length Green bytes in ASCII range Black bytes random 24

Algorithm password Encoding 25

Password Decoder 26

VMSA-2011-0005 VMware vcenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2 27

Example exploit 28

Attack Vectors Directory traversal + ARP poisoning Directory traversal + password decoding/bruteforcing Remote code execution using Struts2 bug 29

Hardering Update to latest version 4.2 update 4 or 5 Filter administration service services VMware KB 2021259. VMware vsphere Security Hardering Guide 30

Conclusions Password must be stored in hash with salt or encrypted Fixed bugs not always fixed in proper way Pen-tester will get more profit if he tries to research something One simple bug and we can own all infrastructure 31

Thank you! a.minozhenko@dsec.ru @al3xmin 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information