eLearnSecurity Blog

From XSS to Domain Admin

It’s a long way to the root if you wanna Rock and Roll!

On August 26th, our Security Researcher Davide Girardi, a.k.a. GiRa, will present an exploitation scenario on a typical company network. The exploitation will start from a Cross-Site-Scripting flaw in the company blog and will get us to a full Active Directory Administrator account.

The network has up-to-date client and server operating systems, a DMZ between two firewalls and a company website.

As an image is worth a thousand words, here is a network diagram for you:

[Figure: network diagram, "From XSS to Domain Admin - webinar scenario"]

You have the opportunity to see some groovy usage of BeEF-XSS, Metasploit and some Active Directory knowledge.

Register your seat here!


32 Comments

  • Alagu Jeeva M says:

    Hi, happy to see a nice scenario like this! But my question here is: what firewall are you using? Can you tell me about it?

  • Max says:

    I’m interested in heavy firewalls like the ZyXEL USG 2000, because that is tighter security.
    What if you were in a company with such security? It also has IDP and IPS. Besides that, a spam filter, which is the NAT, controls which mails (e.g. Barracuda) are allowed or disallowed, and has its own database of signatures for filtering out viruses, worms etc.

    • Layered security is always a good approach, but a next generation firewall cannot guarantee that an attacker will not be able to exploit an insecure application or another flaw.

      Good skills, investing in training and penetration tests will help you keep your data and infrastructure secure.

    • Schuyler says:

      Max and all-

      One of the important things about many IDS systems is that they are usually signature based, so they can only block what is known. So if there is a known XSS attack in WordPress and it has a signature, it can block it. But if it is a custom web app, it will not have a signature for it and most likely will not block it. (Again, it depends on the specific IDS.)

      Some defenses to this are Web Application Firewalls, which can monitor for XSS and injection strings; IDS systems can do heuristics or allow you to create custom signatures; and we cannot forget to mention secure coding practices!

      • Mircea D. says:

        I believe the most important and effective defense against this specific type of attack is input validation and escaping. This alone can combat injection. Without it even the strongest IDS might be bypassed because, as you said, they are rule based, and if no rule covers a custom injection pattern it will fall through as legitimate traffic.

        It’s amazing how many websites are vulnerable to injection (XSS or SQL) especially taking into account how simple the solution is.

        Off topic: congrats on the great webinar, I was able to watch most of it, after which the connection dropped (I was in a pub/restaurant). Can’t wait for the recording to watch it again properly.
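As an added example of the defense Mircea D. describes (not code from the webinar or from the blog's own platform): a stored comment rendered without escaping beside the same comment rendered with HTML escaping that also covers the attribute context, plus a small check that no user-supplied tag or attribute boundary survives. The comments and the template are constructed for this illustration.

```python
"""Stored XSS in a blog comment: unsafe vs. escaped rendering (added example)."""
import html
import re

# Constructed sample comments, as they would sit in the blog's database.
COMMENTS = [
    {"author": "Devi", "body": "Nice scenario, looking forward to it!"},
    {"author": "x", "body": "<script>/* stored payload */</script>"},
    {"author": '" data-x="injected', "body": "attribute-context test"},
]

# Hypothetical comment template: author lands in an attribute, body in text.
TEMPLATE = '<div class="comment" data-author="%s"><p>%s</p></div>'


def render_unsafe(comment: dict) -> str:
    """Vulnerable rendering: stored values are concatenated into the page
    as-is, so any markup inside a comment becomes part of the DOM."""
    return TEMPLATE % (comment["author"], comment["body"])


def render_safe(comment: dict) -> str:
    """Hardened rendering: every untrusted value is HTML-escaped with
    quote=True, so it is inert both as text and inside a quoted attribute."""
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return TEMPLATE % (author, body)


def contains_injected_markup(fragment: str) -> bool:
    """Defender-side check: strip the template's own markup once and see
    whether the remaining user content still carries a raw <, > or quote,
    i.e. a tag or attribute boundary the template did not emit."""
    rest = fragment
    for piece in ('<div class="comment" data-author="', '"><p>', '</p></div>'):
        rest = rest.replace(piece, "", 1)
    return bool(re.search(r'[<>"]', rest))


if __name__ == "__main__":
    for c in COMMENTS:
        print("unsafe:", contains_injected_markup(render_unsafe(c)),
              "safe:", contains_injected_markup(render_safe(c)))
```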

  • Nadjib says:

    Hey, thank you for sharing this one with us.
    The question that comes to my mind every time I see a pentesting demonstration like this is: has the pentester prepared for this? If yes, what would be different if he hadn’t? I’m a new pentester and I want to know how pentesters start their process.
    Thanks again.

    • Hi, being prepared is the key to being effective!

      As a pentester you have to write a full and comprehensive report of all the vulnerabilities in the scope of your engagement. To do so, you have to train yourself by studying and by practising in a lab.

      Of course from time to time you encounter new scenarios and new challenges. In those cases your knowledge, your method and your intelligence will help you to reach your goal. This, of course, takes time 😉

      But, what if you had to invest a lot of time on every vulnerability you discover in your engagement? What if you have two weeks for a pentest of a system with three vulnerabilities and you have to invest ten days to exploit each vulnerability?

  • Nice, just registered, looking forward to it.

  • devi says:

    Hi,
    My name is Devi, it is nice to see this. I would like to learn about security testing; for this, what is the minimal subject I have to know first? I come from a computer background and I did a QA tester job; is that enough, or is a stronger skill set needed? Please let me know.
    Thanks,
    Devi.

    • Hi Devi,
      to fully follow this webinar you need some knowledge about XSS and the basic usage of Metasploit.

      Anyway, I’d suggest you participate, you will get something to start your research on 😉

  • JG says:

    Does the blog site support CORS?
    I’m new to this, so would you use nmap to scan the target and use a traceroute to find out information about the multiple hosts on the network? Then the Metasploit Framework to execute a remote connection to the specific host to be compromised? Will you be explaining the steps to gaining administrator privileges? Thank you

  • JG says:

    This wouldn’t work using nmap’s traceroute?

    http://hackingbuzz.com/nmap-firewalk-script/

    Or is it because this particular firewall is configured specifically to pick up events that are synonymous with using traceroute?

    • In this case the perimeter firewall just performs a NAT, mapping the port of the published webserver. There’s no access to the DMZ.

      I will explain the network layout at the beginning of the webinar.

  • Jake says:

    Are you only going to be using a canned exploit package like Metasploit, or are you going to use modified scripts/exploits? If you are using Metasploit, I am assuming you will be using it along with proxychains to tunnel to other machines? And if we cannot make it to the live demo, will it be up for replay later?

    • Hi,
      The key of our exploitation process will be manual 😉

      No need for proxychains in this example, there are also other methods to pivot… You will see that on the webinar or in the recording we will provide later.

  • nasar says:

    I am registered for your webinar, but where is the link to the webinar?

  • Drasgo says:

    Hi Davide,
    I’m amazed by the opportunity that you are offering, and I was waiting for this webinar for a long time. I have just one problem: when I reserved a seat in the webinar I didn’t know where I would be at the time of it. Now I’m in the Balkans for a holiday and tomorrow I will not be able to follow the webinar live. Is there any chance for you to record it so I will be able to watch it once back at home?
    Thank you so much anyway for the great opportunity you are giving us!

    • You will get an email with the link of the recording.

      I’m also thinking about publishing another post with the “solution” of the attack and the more interesting questions and answers.

      What do you guys think?

  • Hummer says:

    It doesn’t start?

  • Ammar Brohi says:

    Hello,

    My question is: we will be using BeEF to exploit browser vulnerabilities in order to gain a root shell and then transfer our Meterpreter shell to another service, but the thing is, what if I am doing a penetration test against an organization that doesn’t use any vulnerable browser?

    Plus, we have to social engineer the victim to go to our BeEF server’s URL. How is that possible in a real-life penetration test?

    Can you guide me on best practices for browser exploitation and XSS social engineering?

    Thanks,

    • Hi,
      if there is a stored XSS in a company site, you will have good odds of hooking a lot of internal browsers.
      You don’t need SE or user interaction to trigger a stored XSS attack.

      In our scenario the browser is not vulnerable, a plugin is.

  • Nick says:

    Snap! I missed it. Is there any way to get a vodcast of this?

  • Dinesh Kumar says:

    Hi,

    When will this webinar video be available?

    Regards,
    Dinesh

  • Random says:

    Can you post the video for download for those of us who missed this?

  • GiRa says:

    Hi folks!

    I published a post with the solutions and the link to download the webinar recording.

    Bye
