In the last post we looked at some of the basics of hacking SharePoint, or rather what hackers can get to. We will continue the same theme in this post; however, this time we focus on getting access to the administration mechanism of SharePoint.
As we learnt in the last post, search engines are a great way of finding SharePoint servers that are potentially exposed to the internet. We looked at using standard search syntax in both Google and Bing to find the SharePoint pages we have all come to love. To recap, we could use the following:
Now these work well and can be used with all the different "_layouts" pages or other content pages. However, what you really want to get to as a hacker is the administration pages and potentially Central Administration. To look for administration pages that could be exposed incorrectly, you will need to use the following syntax, which is very similar to the above. Interestingly enough, you would hope that these pages were not available at all; however, using the following we are able to gain access to a SharePoint 2010 site.
If we choose the bottom option and click the link, we would hopefully get stopped by a Windows login prompt. As you can see, it does not stop us, and more concerning is that I am somehow logged in as the "Search Service Account" while being an anonymous user.
So what can we do now that we are logged in? Hopefully, even though these pages are open, I would not be able to make any changes to the site. So let's see if I can get to the root site collection settings by clicking the following link:
So this time I get stopped with a login prompt:
So the issue here is that permissions are set as they should be at the root site collection, but not down in the site I am currently in. So let's see how much permission we have; could we change the title of the site, perhaps?
And after saving, what is the site title now?
No, we cannot, and that's great. So even though this site is exposing some elements to the outside, it is not completely vulnerable, but it is allowing anonymous users to see content and settings.
So what does this mean?
Well, it means that if there were custom configuration, components or other items registered in the "settings" page, a potential hacker could gain access to them, the same as when using "_layouts/viewlsts.aspx" as the search parameter.
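To turn the anonymous-access problem described above into a check you can run against your own farm, here is an added Python self-audit (not code from the original post): it requests the administration pages named in the post without credentials, classifies the answer, and reads the SharePoint build from the MicrosoftSharePointTeamServices response header that is discussed further down. The host name, sample responses and build numbers are constructed placeholders; the major-build-to-product mapping (12, 14, 15, 16) is well known but is an assumption of this example, not something the post states.

```python
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Administration pages from the post; none of them should answer an anonymous GET with 200.
ADMIN_PAGES = ("/_layouts/settings.aspx", "/_layouts/viewlsts.aspx")

# Major build number carried in the MicrosoftSharePointTeamServices header -> product
# (assumed mapping for this example; 14.x is the SharePoint 2010 family the post discusses).
SP_VERSIONS = {12: "SharePoint 2007", 14: "SharePoint 2010",
               15: "SharePoint 2013", 16: "SharePoint 2016 or later"}

def header(headers, name):
    """Case-insensitive header lookup, since a real response may vary the header's casing."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def sharepoint_product(build):
    """Map a build string such as '14.0.0.6029' to a product name, or None if absent."""
    major = (build or "").split(".")[0]
    return SP_VERSIONS.get(int(major), "unknown major build " + major) if major.isdigit() else None

def classify(status, headers):
    """Classify one anonymous response to an administration page."""
    if status == 200:
        return "exposed"            # page rendered with no credential prompt
    if status in (401, 403):
        return "protected"          # authentication challenge, as it should be
    if status in (301, 302) and "login" in (header(headers, "Location") or "").lower():
        return "redirect-to-login"  # forms-based auth sends anonymous users to a login page
    return "other"

def probe(base_url, path):
    """GET one page anonymously; an HTTPError still carries the status and headers we need."""
    req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "sp-self-audit"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        return err.code, dict(err.headers)

def audit(base_url, fetch=probe):
    """Return {path: (classification, product)}; fetch is injectable so this runs offline."""
    report = {}
    for path in ADMIN_PAGES:
        status, headers = fetch(base_url, path)
        product = sharepoint_product(header(headers, "MicrosoftSharePointTeamServices"))
        report[path] = (classify(status, headers), product)
    return report

# Constructed sample responses (not from any real server) for running the audit offline.
SAMPLE = {"/_layouts/settings.aspx": (200, {"MicrosoftSharePointTeamServices": "14.0.0.6029"}),
          "/_layouts/viewlsts.aspx": (401, {"WWW-Authenticate": "NTLM",
                                            "MicrosoftSharePointTeamServices": "14.0.0.6029"})}
```

Run `audit("https://your-site.example")` against a farm you administer; `audit("https://x", lambda base, p: SAMPLE[p])` reproduces the post's finding, where settings.aspx is reachable anonymously while the root site collection prompts for credentials.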
Now if we wanted to see whether an exposed SharePoint site was hosting other services, we would turn to a useful tool called "Nmap". This tool helps you see what ports are open on a specific address. Based on our earlier search using "/_layouts/settings.aspx", we have a host name. This host name can then be put into an "Nmap" command line as shown below to see what other ports might be open.
The results for this will show the following:
In a basic scan it shows the ports that are open; for this specific site only HTTP and HTTPS are available. In other environments you may get a whole list of open ports. An example would be the following:
The above shows that not only HTTP but also SMTP is open on this machine. With a few telnet commands this could be used to relay emails; once again, this depends on how well it is configured.
Another approach to finding open ports is to use Google itself. An undocumented feature allows you to use syntax like we have used before to find port ranges of sites. An example would be:
This syntax will find all sites that Google has indexed ending in ".com" and using any port between "7777" and "9999". This can be a very useful way of looking for those odd random ports that SharePoint uses. If you find a port in the results and you are not sure whether it is a SharePoint site, the next step is to bring back our trusty friend "Nmap" and use the following syntax.
This returns the following details about the address we passed to the above command.
As you can see, we get its best guess of the operating system as well as the title of the site, plus, very importantly, the version of IIS being used on this Windows server. All of these things are very useful to a hacker trying to gain access to your site.
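The post reads the Nmap results by eye (here, and again later when the scan of a Shodan result turns up port 3389). As an added example that is not part of the original post, this Python script parses Nmap's grepable (-oG) output and lists which open ports a public SharePoint front end should not have; the scan output, IP address and service banners are constructed, and the "expected" and "risky" port sets are this example's assumptions drawn from the ports the post mentions.

```python
import re

# On a public SharePoint front end only the web ports are expected; the two risky ones come
# straight from the post: SMTP that could be used to relay mail, and RDP open to the world.
EXPECTED = {80, 443}
RISKY = {25: "SMTP (check it cannot be used to relay mail)",
         3389: "RDP (remote desktop reachable from the internet)"}

# Constructed sample in Nmap's grepable (-oG) format; not a real scan result.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sV -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.5/, "
    "443/closed/tcp//https///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/, "
    "8000/closed/tcp//http-alt///\tIgnored State: filtered (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n")

def parse_grepable(text):
    """Return {host: [(port, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*\tPorts:\s+(.*?)(?:\t|$)", line)
        if not m:
            continue
        entries = []
        for item in m.group(2).split(", "):
            f = item.split("/")   # fields: port/state/proto/owner/service/rpc/version/
            if len(f) >= 7 and f[0].isdigit():
                entries.append((int(f[0]), f[1], f[4], f[6]))
        hosts.setdefault(m.group(1), []).extend(entries)
    return hosts

def findings(ports):
    """List open ports that are risky or simply not expected on a SharePoint front end."""
    out = []
    for port, state, service, version in ports:
        if state != "open":
            continue              # closed/filtered ports are reported by Nmap but not reachable
        if port in RISKY:
            out.append("port %d open: %s" % (port, RISKY[port]))
        elif port not in EXPECTED:
            out.append("port %d open: unexpected service %s %s" % (port, service, version))
    return out

def report(text):
    """Findings for every host in a grepable scan output."""
    return {host: findings(ports) for host, ports in parse_grepable(text).items()}
```

Feed it the output of `nmap -sV -oG - <your-server>` run against your own host; an empty findings list is what you want to see.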
So now that we know we can perform a port search, which might reveal a vulnerable SharePoint server, we can also use "Nmap" to scan the known SharePoint servers that we find via our searches. However, those searches may not be as effective, so we could instead use a site called "ShodanHQ". This web site allows you to search for SharePoint servers and other devices that are available on the internet and could be potential targets for hacking. This is a great place to check that your site is not shown. To use it, visit the following URL: http://www.shodanhq.com
To use this system effectively you will need to register for a free account, which will allow you to retrieve more results and perform more complex searches. To perform a search for a SharePoint server, simply use the following syntax:
Nice and simple; you can also do very complex searches such as the following:
The results come back and allow for drilling down by various tags, etc.
The results will display the IP address, company name (not always) and any other details that it has retrieved. Now, as the hacker, you would then reuse the "Nmap" tool and perform further investigation of the addresses. An interesting thing to note is that the "MicrosoftSharePointTeamServices" header displays the version number of the installed SharePoint. The ones listed above are all SharePoint 2010. You could change the search syntax to something like the following for the versions you are looking for:
So if we take one of the results, the one based in "Charleston", we would run the same "Nmap" command as before:
The results are actually quite intriguing:
From the above results we can see the server has port 80 and port 3389 open. Also, although their connections are currently closed, 443 and 8000 are also available. As we all know, port 3389 is the Remote Desktop port, so not only is the server running SharePoint on the internet, it is also allowing RDP to it from the whole world. To validate this I simply launched "MSTSC", typed the address and got prompted to log in; of course, I don't know the login credentials for this one. I am not going to show you how to brute force an RDP login box, but be aware it can be done with some freely available tools and a bunch of username and password lists. The real key here is making sure that your SharePoint server is not showing up on this site; if it is, then it is potentially open to all kinds of hacks. What you don't want is for your environment to show up on there and then, when running an "Nmap" scan, show something like this:
As you can see from this, what you think may be just a simple SharePoint server could in fact have far-reaching consequences when someone decides they want to compromise it. In the next post we will run through some prevention techniques that will help in the battle to protect your SharePoint environment.