Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Check out SharePoint RegEx Search, a new open source pentesting tool on codeplex. Development was funded by JW Secure, Inc.

The purpose of the tool is to allow a security analyst to scan a SharePoint (WSS) or MOSS site for Office documents (Word, Excel, PowerPoint) containing text matching a specified pattern.

I know what you’re thinking: doesn’t SharePoint already provide search capability out of the box? And for public portals couldn’t you just use Google? Well, to the first question, SharePoint search is limited to the capabilities of the SQL ‘LIKE’ and ‘CONTAINS’ keywords. Regular expressions ("RegEx"), on the other hand, are much more powerful. For example, with RegEx, I can find all documents containing Social Security Numbers, phone numbers, strong passwords, credit card numbers, etc. That’s not feasible with the built-in SharePoint search.

Google doesn’t expose full RegEx capability either. And furthermore, the biggest security disclosure problem around SharePoint right now exists in intranets (as opposed to the internets ;)). In other words, sensitive corporate data exposed to anyone inside the firewall (in addition to the above, try searching for salaries).
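To make the LIKE-versus-RegEx point concrete, here is an added example (written for this page in Python, not code from SharePoint RegEx Search or from JW Secure) of the kind of patterns such a scanner runs over text already extracted from a document. It assumes the document text is available as a string; the sample text, the names and the numbers in it are constructed. Card candidates are confirmed with a Luhn check so that an arbitrary 16-digit invoice number is not reported, and the password pattern uses lookaheads to require four character classes at once, something LIKE cannot express.

```python
import re

# Patterns a scanner can run over extracted document text. Each one uses
# regex features (alternation, quantified groups, lookarounds) that the
# SQL LIKE / CONTAINS operators cannot express.
PATTERNS = {
    # US SSN in ddd-dd-dddd form. Area 000/666/9xx, group 00 and serial 0000
    # are never issued, so excluding them trims false positives.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone number: (ddd) ddd-dddd or ddd-ddd-dddd with -, . or space.
    "us_phone": re.compile(r"(?<![\d-])(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    # Payment card candidate: 13-19 digits optionally separated by spaces or
    # hyphens. Reported only if the Luhn check below passes.
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
    # A "strong password" shaped token: 8+ non-space characters containing a
    # lowercase letter, an uppercase letter, a digit and a symbol.
    "password_like": re.compile(
        r"(?<!\S)(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}(?!\S)"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for each hit; card hits must pass Luhn."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0).strip()
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue        # right length, but not a valid card number
            findings.append((kind, value))
    return findings


# Constructed sample standing in for text pulled out of an Office document.
SAMPLE_TEXT = """Employee roster (constructed sample data)
Jane Doe, SSN 123-45-6789, phone (206) 555-0142
Corporate card on file: 4111 1111 1111 1111
Invoice number 1234 5678 9012 3456 (not a card)
Ticket 987-65-4321 opened yesterday
Wifi key: Tr0ub4dor&3
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_TEXT):
        print(f"{kind:14} {value}")
```

Running it reports the SSN, the phone number, the Luhn-valid card and the password-shaped token, and skips both the invoice number (fails Luhn) and the 9xx "ticket" number (never a valid SSN area). Pulling the text out of .docx/.xlsx/.pptx files is a separate step that the scanner tool handles and this example leaves out.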

A good introduction to the .NET regular expression library, as well as some useful sample patterns, can be found here.

Regarding SharePoint RegEx Search, contributions are of course welcome. A feature wish list is here. An introduction to the tool is here. And to try it out, the built win32 binary can be found here.

Permalink | Comments (0)

Hacking SharePoint, Part 2

September 10, 2008

Wanted to do a follow-up to my previous post about Windows SharePoint Services (WSS) security, and using NMap to fingerprint WSS servers.

Actually, this post is closely related. While NMap is useful for enumerating and classifying computers on a LAN, it doesn’t scale nearly as well to larger address spaces (although it has its place there; more on that at the end of this post). The thing is, if you’re looking for WSS servers on the internet, Google is a great tool.

There’s a great introductory post on this subject here. For a taste, try the following search:

"all site content" site:.com

The results you see consist of all of the sites in the .com TLD that have exposed their WSS content publicly to the internet. And not to spoil the surprise, but there are lots of them.

Here’s the thing. Gartner suggests that, in the next couple of years, WSS will be more prevalent than LAN-based file shares. For the majority of those who make that transition, it’ll be the same content exposed via WSS that was previously on the LAN shares.

This is a slippery slope, though, because as you can see from the Google search above, large numbers of WSS servers are now publicly exposed on the internet. There are several reasons for this:

  • WSS is a more natural collaborative environment than previous technologies such as net shares.
  • As is the case with productivity technologies in general, once users are ramped up on it, they want to use it in every possible applicable situation, rather than having to learn something new. In other words, people assume that what works well on the intranet works well on the internet too.
  • Since WSS is a web server, it’s easy to put on the internet (even unintentionally), and it feels natural to most sysadmins to do so. Unlike web servers, net shares are typically protected by a firewall and are only intentionally exposed externally via VPN.

So there are going to be some juicy targets out there.

Aside from your sensitive data, there’s other scary stuff that can be exposed by a misconfigured WSS server. For example, FrontPage extensions have a user password reset option. You don’t want to find your site this way via Google:

"use this page to reset a user's password"

There are more common WSS administrative pages that you wouldn’t want anyone to be able to access, either. You can find them by scrolling over the admin links on your WSS site internally, and then confirming that they aren’t accessible from the internet. For example, http://www.mysite.com/_layouts/deleteweb.aspx.

An equally important consideration regarding WSS admin URLs such as the above is they expose a logon prompt that doesn’t implement account lockout. That is, a bad guy can do brute-force automated password guessing on your WSS admin account until he gets it right. Those attacks can be audited, but that capability isn’t exposed in a way that the typical WSS operator is likely to find it. Use a strong password.
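Since the post notes that these guessing attempts can be audited but that the capability is hard to find, here is an added example (my own Python, not part of the post or of WSS) of one place a WSS operator can look: the IIS W3C request log, where every failed logon to an admin page shows up as a 401. The log excerpt is constructed (203.0.113.0/24 is a documentation address range), and the threshold and window are assumptions to tune for your site; a normal NTLM handshake produces one or two 401s per request, so a single client piling up dozens against a `/_layouts/` page in a few minutes is the signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt for a WSS server (not from the
# post). 203.0.113.0/24 is a documentation range; every line is made up.
# One client (.7) hammers deleteweb.aspx; another (.9) does a normal NTLM
# handshake (two 401s, then 200) against the site settings page.
ATTACK_LINES = "\n".join(
    f"2008-09-10 14:02:{11 + i:02d} 10.0.0.5 GET /_layouts/deleteweb.aspx - 80 - "
    f"203.0.113.7 Mozilla/4.0 401 1 0"
    for i in range(12)
)
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-09-10 14:01:50 10.0.0.5 GET /default.aspx - 80 - 203.0.113.20 Mozilla/4.0 200 0 0
2008-09-10 14:02:05 10.0.0.5 GET /_layouts/settings.aspx - 80 - 203.0.113.9 Mozilla/4.0 401 2 5
2008-09-10 14:02:05 10.0.0.5 GET /_layouts/settings.aspx - 80 - 203.0.113.9 Mozilla/4.0 401 1 0
2008-09-10 14:02:06 10.0.0.5 GET /_layouts/settings.aspx - 80 CORP\\admin 203.0.113.9 Mozilla/4.0 200 0 0
{ATTACK_LINES}
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            # IIS writes spaces inside field values as '+', so split() is safe.
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
            )
            records.append(rec)
    return records


def flag_password_guessing(records, threshold=10, window=timedelta(minutes=5),
                           prefix="/_layouts/"):
    """Map client IP -> largest number of 401s against admin pages seen in
    any sliding window, for clients at or above the threshold."""
    failures = defaultdict(list)
    for r in records:
        if r["sc-status"] == "401" and r["cs-uri-stem"].lower().startswith(prefix):
            failures[r["c-ip"]].append(r["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in flag_password_guessing(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed admin logons within 5 minutes")
```

With the defaults only 203.0.113.7 is reported (12 failures in about ten seconds); the legitimate administrator's two-step handshake stays under the threshold. Paired with a strong password, this turns an attack the product will not stop into one you will at least see.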

Another interesting one that I haven’t fully researched yet: this link, http://www.mysite.com/_layouts/mysite.aspx, dynamically generates a personal site for you, if one doesn’t already exist. There’s a redirection URL that fires at the end of that process the first time around. Probably not a good idea if that can be done from the internet.

Finally, for small sites that use a public WSS server intentionally, it’s natural to conclude that many of these are remotely administered, either by a local IT services firm or by a friend. Be sure to check for open ports (see, again, my previous post), including not just the WSS admin port, but others such as Terminal Services. Keep in mind that, if Google can find your site, so have the bad guys, and they’ll be trying those ports too.

Permalink | Comments (0)

Just read The Richest Man in Babylon, written in the 1920s by an American entrepreneur named George Clason. It’s short and entertaining.

Several of the Amazon reviewers observe that the book could basically be boiled down to a very short message: save a certain amount of all of your income, and sock it away in principal-preserving investments. But then the same could be said about the Bible. In doing so, you’d be missing out on the parables and storytelling.

And Clason’s lessons, as simple as they seem, are easy to forget, especially for the small business owners who make up most of the cast in his stories. Many entrepreneurs, after struggling to make ends meet, are satisfied when they finally attain a predictable cashflow, to say nothing of profits or savings. But profit is the whole point of business, and Clason reminds us that, if you’re not systematically investing in the future, then you’re doing everyone a disservice.

Permalink | Comments (0)

Just been listening to my own custom radio station on Pandora. I was looking for some “old school trance” and stumbled onto this site, although I’d heard of it before. I actually just typed in “trance,” selected one of the random albums that popped up, and now I’ve got an endless virtual station of that type of music. And the reliability is high; unlike many real radio stations that stream online, the signal hasn’t dropped once in several hours.

Two drawbacks. One, I had to provide an email address and sign-up info after pausing the audio once. Obviously, they want to get people to register. It’s still free though.

The other drawback is that you can’t actually listen to a specific song or album; that’s the nature of how Pandora’s licensing works with the record labels. And I’m not sure how these guys are going to make real money, since the page doesn’t show ads, and once the music is playing you don’t have to look at the page anyway (and there are no audio commercials, either). Anyway, I’m a fan - hope it lasts.

Permalink | Comments (0)

Here’s a subject near and dear to my heart: a whitepaper from Microsoft (a JW Secure customer) discussing how Blue Ridge Networks (a JW Secure customer) used several of the Solution Accelerators kits, including the Forefront Integration Kit for Network Access Protection (a JW Secure project).

Permalink | Comments (0)

Just uploaded the latest SmartUtil. Today’s drop has two important changes:

  1. The Erase All button on the first tab ("Certificates" - see the screenshots at the link above) has been renamed to De-Personalize. The reason is that that feature didn’t actually flatten the whole card. Instead, it just deletes the user certificates crypto key containers.
  2. A new button - Format - has been added to the same tab. This button actually does flatten the whole card. In fact, we created this drop mostly for the purpose of adding that button, since it’s really helpful when debugging smart card applications to be able to tear down the card file structure and reset it to its initial state.

Enjoy!

Permalink | Comments (0)

Check out this short YouTube segment.

It shows Adam Savage, one of the co-hosts of the Discovery channel’s Mythbusters show, explaining what happened when they started research for a segment on RFID. In summary, the chief counsels of the major credit card companies hijacked a conference call and threatened the Mythbusters producers into backing down.

Pretty funny. Or perhaps not. If you’re using a security or communications technology, especially one involved in banking, and information about how it works is being suppressed, that’s a good sign that it’s actually not secure. The result is that the bad guys figure out how to hack it anyway, and consumers aren’t aware of the risk.

Permalink | Comments (0)

Penny Arcade Expo 2008 (PAX) took place this past weekend at the convention center here in Seattle. It’s becoming one of the biggest gaming conventions in the world, and it’s definitely already the coolest.

This was the first year I’d attended, though. What prompted me to attend? Well, for starters, I read a blurb (scroll to “Events,” about half-way down the page) in the Wall Street Journal late last week, claiming that 50,000 people would attend PAX. Plus, it was my birthday, so I figured I deserved to cut loose! Anyway, I’m glad I went.

First impressions: lots of young people walking around with their own Guitar Hero (GH) style guitars sticking out of backpacks. In fact, that style of game - GH and its competitor Rock Band - were the biggest theme at PAX this year. I counted at least three Rock Band stages, including one large one in the main Expo area, with long lines of people waiting to play. And there were at least three separate stations where you could play GH: World Tour - the new multi-instrument version, currently available only in demo.

Having played Rock Band, I wanted to check out GH:WT. In summary, the games are essentially equivalent. The station where I demoed it was a reasonably large “stage” in one corner of the Expo hall. It wasn’t elevated, but it had real stage lights and a few large LCD screens. We initially thought the game was set up in “no fail” mode, but personal experience while on stage proved that was not the case! And now I’m reading blog posts that GH:WT won’t even support “no fail” mode.

We played Bon Jovi “Livin on a Prayer” and Pat Benatar “Heartbreaker” and had a great time doing it. The list of songs available at the demo station was pretty short, though. The publisher better include about 10 times as many songs if the new GH is going to compete well with Rock Band.

The drums setup for GH seems pretty cool - four regular pads plus two elevated pads as cymbals, plus a bass pedal. Still just four triggers total, though; the cymbals duplicate two of the pads. The bass pedal kept slipping forward on me; when are manufacturers going to learn how to make those things stick to carpet?

One additional observation - one of the cymbal mounts broke on me during our first failed Heartbreaker attempt. I didn’t even notice, but one of the attendants did. He promptly fixed it, and was really cool about it. I felt bad at the time, but in retrospect, I’m not a very big guy, and I don’t hit very hard. If the GH drum set breaks that easily, they’re going to get a bad reputation quickly. Drumset quality issues plagued early versions of Rock Band.

What else was hot? Wizards of the Coast had a huge sponsorship presence, although I’m not much of a Magic fan. StarCraft II is pretty hot, which I find to be shocking, seeing as how the first version came out more than 10 years ago. Functionally, the new version doesn’t look that different, although I can’t imagine Blizzard would want to mess too much with the winning formula of the original.

Warhammer Online had some buzz, but I was glad to see that the tabletop version is still being played as well (ah, human interaction).

Who wasn’t hot? Well, being a Halo fan, I stopped by Bungie to see what they had to show. Answer: nothing. Just a bunch of Halo death match pods. Boring. Come on, guys. What’s next?

Permalink | Comments (0)

The line-up for ToorCon X - promising to be the premier hacker conference of the year - has been finalized. See here.

I’ll be speaking Sunday afternoon (September 28) about Hacking SharePoint. See you in San Diego!

Permalink | Comments (0)