Over this past year I have been travelling around various SharePoint Saturdays and SharePoint Conferences, presenting primarily on Authentication, Authorization and Security within SharePoint. The penultimate of these presentations was really my session in Cincinnati about "Hacking SharePoint". The reason I chose this topic is that there is not really a lot written about security as a whole and what it means in SharePoint. There are plenty of blog posts that talk about permissions, how to login with Windows, Forms Based as well as SAML Based Authentication mechanisms, but there are not so many that walk through the core options, the pros and cons, the infrastructure security and then for me the best bit how to at least try to stop the hackers. These sessions have been well received (so far anyway) so I wanted to write a few blog posts about the reasoning behind these as topics.
In this post I am going to focus on what SharePoint is exposing inside and outside the organization; the primary focus for this post will be the external side. To begin with, let's look at what a hacker could do quite easily. One of the best hacking tools out there is something that each of us uses on a daily basis, a public search engine; the key is knowing what to look for and the syntax.
Using the search syntax shown above you are able to find sites that are exposing the "View All Site Content" page. With that syntax we get the following results from Google.
Caveat: These techniques are being run against current, live, publicly exposed SharePoint sites, hence the redaction of the returned details.
For obvious reasons I am going to blank out the URLs, but you get the idea.
Now how do we go from this to a full scale hacker panic attack?
Well, let's look at what else we can glean from the main search engines. We can search for any of the following pages to identify a potentially vulnerable SharePoint site.
One of my favorite searches to use is the following:
This syntax is looking for user details that are published to the internet, either on purpose or by mistake. If I were an actual hacker I could glean all kinds of details from these exposed pages. Clicking the top link of the following results gets me these details.
Notice I get not only the user's name and email address but also the user account.
In fact we can search for any of the following to get access to further lists of user accounts.
A little more digging and I am able to get the following from one site.
So with little or no effort we can find personal details and information that would help me, as a hacker, to compromise the system. Actually, if we search for something different we can potentially get access to the actual web services that SharePoint exposes.
This page lists, as XML, the web services that are available on this SharePoint server.
If we for example take two of the web services end points:
We can then load these in the browser and see the methods that are available. The "People.asmx" will return the first image if it is SharePoint 2007 and the second one if it is SharePoint 2010 or 2013.
The method we want to try and use here is "SearchPrincipals". This will allow us to retrieve user account details via the web service, if it is not locked down as it should be. SharePoint 2007 was inherently bad at locking this down, but SharePoint 2010 does a pretty good job unless it is configured incorrectly. Using something like "SoapUI" I am able to connect to these web services and create requests.
SoapUI connects to the web service and generates sample requests, so you can run them directly from the application.
Using the selected request above you can populate the parameters. The core parameters are:
- Search Text
- Number of Results to return
- Distribution List
- Security Group
- SharePoint Group
For this service we can complete it as follows:
Now when we run this we will either get the results or various permission denied messages. Someone who is trying to use this approach really is going to take the time to test again and again to get the data they need. When one does work it will return the following details:
The "UserGroup" web service can also be used the same way but instead we will use specific methods.
Using the "GetAllUserCollectionFromWeb" will return the following data.
As you can see I get account SIDs, names and email addresses, and at the end of the screenshot you can see who is a Site Administrator, very useful information for a potential hacker, even if it is just for scraping the email addresses. Of course, if the web services don't work and other pages are available, I can construct the following URL to get the people of the site.
This will return the following depending on the site version.
Sometimes you can even get pictures (blurred for obvious reasons).
As you can see this can be achieved on SharePoint 2007 and 2010. The same mechanisms are also available within SharePoint 2013.
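The two web service calls described above ("SearchPrincipals" on People.asmx and "GetAllUserCollectionFromWeb" on UserGroup.asmx), built by hand instead of in SoapUI, as an added example that is not part of the original post and not Microsoft's code. It assumes the standard /_vti_bin/People.asmx and /_vti_bin/UserGroup.asmx paths (the post only names the service files) and embeds constructed replies so it runs offline; the three group entries in the parameter list above are flags of the single principalType parameter on the wire. Point it at a site you own to see what an anonymous caller receives.

```python
"""Anonymous SharePoint people-exposure check via the SOAP .asmx services (added example)."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PEOPLE_NS = "http://schemas.microsoft.com/sharepoint/soap/"               # People.asmx
DIRECTORY_NS = "http://schemas.microsoft.com/sharepoint/soap/directory/"  # UserGroup.asmx
PEOPLE_PATH, USERGROUP_PATH = "/_vti_bin/People.asmx", "/_vti_bin/UserGroup.asmx"  # assumed paths


def soap_envelope(body_xml):
    """Wrap a method element in the SOAP 1.1 envelope the .asmx services expect."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}</soap:Body>'
            '</soap:Envelope>').encode("utf-8")


def search_principals_request(search_text, max_results=50, principal_types=("User",)):
    """SearchPrincipals(searchText, maxResults, principalType). principalType is a flag
    set: User, DistributionList, SecurityGroup, SharePointGroup, All (space separated)."""
    body = (f'<SearchPrincipals xmlns="{PEOPLE_NS}">'
            f'<searchText>{escape(search_text)}</searchText>'
            f'<maxResults>{int(max_results)}</maxResults>'
            f'<principalType>{" ".join(principal_types)}</principalType></SearchPrincipals>')
    return PEOPLE_NS + "SearchPrincipals", soap_envelope(body)


def all_users_request():
    """GetAllUserCollectionFromWeb takes no parameters."""
    body = f'<GetAllUserCollectionFromWeb xmlns="{DIRECTORY_NS}" />'
    return DIRECTORY_NS + "GetAllUserCollectionFromWeb", soap_envelope(body)


def post_soap(site_url, path, action, envelope, timeout=15):
    """POST without credentials on purpose: the question is what an anonymous caller gets.
    Returns (http_status, body); 401/403/500 replies are returned, not raised."""
    req = urllib.request.Request(site_url.rstrip("/") + path, data=envelope, method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8",
                                          "SOAPAction": f'"{action}"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def soap_fault(xml_bytes):
    """faultstring if the reply is a SOAP Fault (the 'permission denied' case), else None."""
    fault = ET.fromstring(xml_bytes).find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    fs = fault.find("faultstring")  # faultstring is unqualified in SOAP 1.1
    return fs.text if fs is not None else "fault"


def parse_principals(xml_bytes):
    """SearchPrincipals reply -> list of dicts (AccountName, DisplayName, Email, ...)."""
    return [{c.tag.split("}")[-1]: (c.text or "") for c in info}
            for info in ET.fromstring(xml_bytes).iter(f"{{{PEOPLE_NS}}}PrincipalInfo")]


def parse_users(xml_bytes):
    """GetAllUserCollectionFromWeb reply -> list of User attribute dicts
    (ID, Sid, Name, LoginName, Email, IsSiteAdmin, IsDomainGroup)."""
    return [dict(u.attrib) for u in ET.fromstring(xml_bytes).iter(f"{{{DIRECTORY_NS}}}User")]


def site_admins(users):
    return [u["LoginName"] for u in users if u.get("IsSiteAdmin") == "True"]


# Constructed replies in the shape the two services return (not captured from a real site).
SAMPLE_PRINCIPALS = b"""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SearchPrincipalsResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/"><SearchPrincipalsResult><PrincipalInfo><AccountName>CORP\\jdoe</AccountName><UserInfoID>7</UserInfoID><DisplayName>Jane Doe</DisplayName><Email>jdoe@example.com</Email><IsResolved>true</IsResolved><PrincipalType>User</PrincipalType></PrincipalInfo></SearchPrincipalsResult></SearchPrincipalsResponse></soap:Body></soap:Envelope>"""
SAMPLE_USERS = b"""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetAllUserCollectionFromWebResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/"><GetAllUserCollectionFromWebResult><Users><User ID="1" Sid="S-1-5-21-1111-2222-3333-500" Name="Site Owner" LoginName="CORP\\owner" Email="owner@example.com" Notes="" IsSiteAdmin="True" IsDomainGroup="False" /><User ID="7" Sid="S-1-5-21-1111-2222-3333-1105" Name="Jane Doe" LoginName="CORP\\jdoe" Email="jdoe@example.com" Notes="" IsSiteAdmin="False" IsDomainGroup="False" /></Users></GetAllUserCollectionFromWebResult></GetAllUserCollectionFromWebResponse></soap:Body></soap:Envelope>"""
SAMPLE_FAULT = b"""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Exception of type 'Microsoft.SharePoint.SoapServer.SoapServerException' was thrown.</faultstring></soap:Fault></soap:Body></soap:Envelope>"""


def audit(site_url):
    """Run both calls anonymously and report: locked down (401/fault) or exposed (accounts)."""
    for path, (action, env), parse in ((PEOPLE_PATH, search_principals_request("a", 50, ("User",)), parse_principals),
                                       (USERGROUP_PATH, all_users_request(), parse_users)):
        status, body = post_soap(site_url, path, action, env)
        if status == 401 or (status != 200 and soap_fault(body)):
            print(f"{path}: locked down ({status}: {soap_fault(body) if status != 401 else 'auth required'})")
            continue
        rows = parse(body)
        print(f"{path}: EXPOSED, {len(rows)} principals returned to an anonymous caller")
        for r in rows:
            print("   ", r.get("AccountName") or r.get("LoginName"), r.get("Email"), r.get("IsSiteAdmin", ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        audit(sys.argv[1])
    else:  # offline: show what the parsers extract from the constructed replies
        print(parse_principals(SAMPLE_PRINCIPALS))
        print("site admins:", site_admins(parse_users(SAMPLE_USERS)))
        print("fault:", soap_fault(SAMPLE_FAULT))
```

Run with a site URL to post both requests anonymously; with no argument it parses the constructed replies. An HTTP 401 or a SOAP Fault is the locked-down case the post mentions; a list of accounts with IsSiteAdmin="True" is exactly the exposure it warns about.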
So I suppose the question is, what is the purpose of showing this?
As you can see, the information that is exposed can be very personal, or at least very important to the company. As well as exposing user details, emails and so on, most sites that leak these details are also allowing anyone to access the lists and libraries within the SharePoint site, such as policies, customer documents or even vast numbers of PDF files, and sometimes even pictures of staff members.
The reason for showing this in this post is to make you aware that your site may also be exposing the same type of data to the outside world without you even knowing. The example below, heavily redacted, is a military SharePoint conference site that for some reason is exposing all the registration details: names, rank/title, organization, emails, phone numbers, job details, the hotel each attendee is staying in and their dates of stay. For obvious reasons I am not showing you these details.
This is not uncommon for a SharePoint platform; too often it is installed, configured and published to the world with no real thought as to what it is for and what level of content or people data is going to be stored on the site. In the hacking presentation I gave recently I ended with the following steps / questions that we should all be asking ourselves before we just publish SharePoint to the world.
Who is the audience for the site and its content?
Why do they need access? Public viewing or Collaboration?
Is access needed only during business hours, or do you need to monitor the site 24 hours a day?
Are they using VPN? SSL web access? What authentication mechanism are they going to be using?
In the next post we will look at the "hackers" that we need to watch out for, and yes, the diagram below is correct as to who the hackers are.