Posted on October 16th, 2015
BreakPoint Labs puts a large focus on the “hunter” mindset when approaching offensive and defensive challenges in cybersecurity. The “hunter” mindset is all about understanding the technology being targeted or defended and thinking beyond the limitations of automated tools to find what others have missed.
Whether we are hunting for sophisticated threats, or emulating them to identify business risk, we identify biases and think critically to achieve the desired objective.
“BreakPoint Labs strives to go beyond automated tools to hunt for what others have missed.”
In the cybersecurity domain, one may develop a false sense of security that results from an incomplete understanding of the environment, and that false sense may be reinforced when an automated tool reports nothing. When hunting through a mountain of pcap, or trying to find vulnerabilities others have missed, the right mindset is key to success.
BreakPoint Labs adopts the “hunter” mindset and embraces the challenge of finding what others have missed. This blog post aims at sharing insights into our hunter mindset through technical examples, and introducing some Tactics, Techniques, and Procedures (TTPs) that future blog posts will expand on.
Offensive Use Cases
Unlinked Content Enumeration
Web application content can be tied into the main application (linked content), or have no connection to the application (unlinked content). When assessing the security of enterprise systems, one thing that is often missed by automated tools is unlinked application content. BreakPoint Labs engineers have found a lot of vulnerabilities in unlinked resources, including, but not limited to:
- Files containing large amounts of Personally Identifiable Information (PII)
- Resources containing critical vulnerabilities allowing for compromise of the system
- Default administrative content related to Content Management Systems (CMS): WordPress, ColdFusion, DotNetNuke, Oracle, etc.
Tips for Unlinked Content Enumeration:
- Leverage pre-built word lists (Fuzzdb, Carnal0wnage’s Metasploit modules, etc.) combined with Burp’s Intruder
- Run the appropriate tool or script for the target technology (WordPress: wpscan, SharePoint: SharePointURLBrute, etc.)
- Run Burp’s Content Discovery Feature
Open Source Intelligence (OSINT) Gathering
Finding useful information online is something that most automated tools miss. OSINT has many uses during an assessment, including, but not limited to:
- Enumerating additional systems that the customer may not know about
- Evidence of past compromise (Pastebin password dumps, YouTube videos of adversaries exploiting vulnerabilities on systems in scope, etc.)
- Finding Administrators posting configuration files on forums like stackoverflow
Tips for OSINT:
- Dig into all registrant information for the target organization
- Try to find additional domains, and CIDRs registered with the same or similar registrant information
- Leverage Shodan’s API to automate search queries
- Find what search engines know about the target organization (Google hacking, Yandex, Bing, etc.)
- Search for company mergers, and acquisitions to enumerate trust relationships and new potential targets
- Target searches for the organization across various online resources (Social Media, YouTube, Pastebin, Stack Overflow, Job Boards, etc.)
Username Enumeration
Username enumeration is a vulnerability often missed by automated tools, and it can lead to identifying additional vulnerabilities (weak credentials, lack of brute force controls, etc.). It is often possible to enumerate usernames by abusing application features:
- Account Registration: Attempt to register a username that might be in use (Ex: Username ‘admin’ already exists)
- Authentication Errors/Responses: Applications may respond with different error messages for a valid username vs. an invalid one. Inspect authentication responses carefully for variances that may allow you to glean a valid username.
- Password Reset Features: These features often require a username or email address to reset the password for the account. This form submission can be automated with Burp’s Intruder and misused to enumerate usernames.
- CMS-specific features: Many CMSs have default usernames, or ways to enumerate usernames (Ex: You can enumerate usernames in DotNetNuke by requesting the following resources: /Activity-Feed/My-Profile/UserId/[num])
- Document Metadata: Metadata in documents can help in enumerating usernames. Many tools exist to help extract useful data from documents (exiftool, metagoofil)
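The authentication-response and password-reset cases above, shown as code. This is an added example, not code from the original post: a constructed single-user store, a "leaky" login and reset that answer differently for known and unknown usernames, and the hardened forms that return one message and do the same amount of work on every path.

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: {username: (salt, pbkdf2 hash)}. One account exists.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse", _SALT))}
# Decoy record so that an unknown username costs the same work as a known one.
_DECOY = (_SALT, _hash_password(os.urandom(8).hex(), _SALT))
GENERIC = "Invalid username or password"

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the two failure messages tell the caller which usernames exist."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return "Incorrect password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message, constant-time compare, same work on every path."""
    salt, stored = USERS.get(username, _DECOY)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    return "OK" if ok and username in USERS else GENERIC

def reset_leaky(username: str) -> str:
    """Vulnerable password reset: the response confirms whether the account exists."""
    return "Reset email sent" if username in USERS else "No such account"

def reset_uniform(username: str) -> str:
    """Hardened: identical response either way; any email is sent out of band."""
    return "If that account exists, a reset email has been sent"
```

Response timing should be checked as well as the message text; the decoy hash is what keeps the unknown-username path from returning noticeably faster.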
Thinking Differently about System Features
Part of the offensive assessment process is to think creatively to attempt to abuse system features in ways defenders did not consider. For example, imagine a Contact Us feature that allows a user to submit input that generates an Email to the system administrators. BreakPoint Labs engineers commonly find these types of features introduce vulnerabilities to a web application.
We have seen situations where hidden HTML form elements define the sender email address and the recipient email address. By catching the request in a proxy, we’ve been able to control these parameters, effectively allowing us to send email through the web application via the vulnerable Contact Us form. This type of vulnerability is missed by automated tools and can allow an attacker to send malicious links to a user in the organization that appear to come from the CEO’s email address.
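The Contact Us weakness described above, with its fix, as an added example that is not from the original post. Both handlers take the parsed POST body as a dict and return the mail envelope they would hand to the mailer; the sender, inbox and regex are constructed values, not the page's.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed server-side configuration (assumed values, not from the post).
SUPPORT_INBOX = "support@example.test"
NOREPLY_SENDER = "noreply@example.test"

def contact_vulnerable(form: dict) -> dict:
    """Builds the envelope from hidden 'from'/'to' fields the browser submitted.
    Anything a proxy can edit, a user can edit."""
    return {"from": form["from"], "to": form["to"],
            "subject": form.get("subject", "Contact form"),
            "body": form.get("message", "")}

def _header_safe(value: str) -> str:
    """Reject CR/LF so user input cannot append extra mail headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("newline in header field")
    return value

def contact_hardened(form: dict) -> dict:
    """Sender and recipient come from configuration; the user only supplies data."""
    reply_to = _header_safe(form.get("email", "").strip())
    if not EMAIL_RE.match(reply_to):
        raise ValueError("invalid reply-to address")
    return {"from": NOREPLY_SENDER, "to": SUPPORT_INBOX, "reply_to": reply_to,
            "subject": _header_safe(form.get("subject", "Contact form"))[:200],
            "body": form.get("message", "")}
```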
Defensive Use Cases
- Thinking critically!
  - “188.8.131.52” does map to China. But doesn’t it make more sense that a non-technical person was following some poorly crafted tutorial?
  - Tool X alerted on an attempted connection to a known hostile IP. We must be owned! What evidence needs to be collected to confirm an actual intrusion occurred?
- MAC address -> OUI lookup: identify hardware in your network
- Know your organization; know your adversary -> force them to work on your schedule
  - Hunt at night when most users are at home
  - Easier to distinguish between human and automated processes
- Know your toolsets (Linux, CLI utilities, Python)
- If you have a pentest team, engage them.
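One way to turn the heuristics above (human vs. automated timing, activity outside business hours) and the 404 storm that unlinked content enumeration leaves behind into a first hunting pass over web logs. This is an added example, not BreakPoint Labs tooling; it uses a constructed, simplified log format and assumes 08:00-17:59 UTC as business hours.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample, one "client epoch_seconds method path status" per line.
# 10.0.0.5 browses a few pages at midday; 10.0.0.9 requests one guessed
# path per second just after midnight UTC and mostly gets 404s.
LOG = """\
10.0.0.5 1445000000 GET /index.html 200
10.0.0.5 1445000009 GET /about.html 200
10.0.0.5 1445000031 GET /contact.html 200
10.0.0.9 1445040000 GET /admin/ 404
10.0.0.9 1445040001 GET /backup.zip 404
10.0.0.9 1445040002 GET /config.php 404
10.0.0.9 1445040003 GET /wp-login.php 200
10.0.0.9 1445040004 GET /.git/HEAD 404
"""
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC is "daytime"

def parse(log: str) -> dict:
    """Group (timestamp, method, path, status) tuples by client address."""
    by_client = defaultdict(list)
    for line in log.splitlines():
        client, ts, method, path, status = line.split()
        by_client[client].append((int(ts), method, path, int(status)))
    return by_client

def profile(events: list) -> dict:
    """Summarise one client: volume, 404 share, timing regularity, off-hours share."""
    events = sorted(events)
    n = len(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    # Coefficient of variation of inter-request gaps: near 0 is metronomic,
    # which is what a wordlist-driven tool looks like and a person does not.
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 1.0
    off = sum(datetime.fromtimestamp(e[0], timezone.utc).hour not in BUSINESS_HOURS
              for e in events)
    return {"requests": n,
            "ratio_404": round(sum(e[3] == 404 for e in events) / n, 2),
            "gap_cv": round(cv, 2),
            "off_hours": round(off / n, 2)}

def suspicious(p: dict) -> bool:
    """Flag enough volume with either a 404 storm or tool-like regular timing."""
    return p["requests"] >= 5 and (p["ratio_404"] >= 0.5 or p["gap_cv"] < 0.2)

def hunt(log: str) -> dict:
    """Return {client: profile} so an analyst can sort and pivot on the columns."""
    return {client: profile(ev) for client, ev in parse(log).items()}
```

The thresholds are starting points to tune against your own baseline; the point is to have columns a person can sort and reason about rather than a single alert.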