Sparty : A Frontpage and Sharepoint Auditing Tool
Aditya K Sood (@AdityaKSood)
BlackHat Arsenal USA - 2013
SecNiche Security Labs
About Me
- Senior Security Practitioner, IOActive
- PhD Candidate at Michigan State University
- Worked for Armorize, COSEINC, KPMG and others.
- Active speaker at security conferences: DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and others
- LinkedIn: http://www.linkedin.com/in/adityaks
- Twitter: @AdityaKSood
- Website: http://www.secniche.org
Sparty Overview !
- Open source tool written in Python
- Assists penetration testers in routine jobs
- Written in Python 2.6
- Libraries support:

    import urllib2
    import re
    import os, sys
    import optparse
    import httplib

- Use Sparty with BackTrack for penetration testing purposes
- Works on other flavors also
Frontpage Overview !
Frontpage Flavors
- Microsoft IIS (.dll)
- Unix (.exe)
Frontpage Access File Settings
- service.pwd: frontpage passwords
- service.grp: list of groups
- administrators.pwd: passwords for administrators
- authors.pwd: passwords for authors
- users.pwd: passwords for users
Frontpage Overview (cont.) !
Frontpage DLLs
- _vti_bin/_vti_adm/admin.dll: administrative tasks
- _vti_bin/_vti_aut/author.dll: authoring FrontPage webs
- _vti_bin/shtml.dll: browsing component
Frontpage virtual directories
- _vti_bin
- _vti_bin\_vti_aut
- _vti_bin\_vti_adm
- _vti_pvt
- _vti_cnf
- _vti_txt
- _vti_log
Frontpage Configuration Flaws !
- RPC service querying
- Command execution using author.dll via RPC
- File uploading through RPC interface
- Information disclosure in _vti_pvt, _vti_bin, etc.
- Information disclosure in HTTP Response Headers
- Directory indexing
- Exposed password files in the web directories
Sparty helps the penetration tester to gather information and to perform manual analysis later on !
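Added example, not part of the original slides or of Sparty: a defender-side check in Python 3 that reads web access-log lines and flags requests for the FrontPage access files, DLLs and _vti_ directories named above, marking the ones the server answered with a 2xx status. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File, DLL and directory names as listed on the slides above.
ACCESS_FILES = {"service.pwd", "service.grp", "administrators.pwd",
                "authors.pwd", "users.pwd"}
RPC_DLLS = {"admin.dll", "author.dll", "shtml.dll"}
VTI_DIRS = {"_vti_bin", "_vti_aut", "_vti_adm", "_vti_pvt",
            "_vti_cnf", "_vti_txt", "_vti_log"}

# Assumed input: Common Log Format (client, request line, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(url):
    """Return the FrontPage category a request URL touches, or None."""
    # Decode %xx escapes, unify slashes and case before comparing names.
    path = unquote(urlsplit(url).path).replace("\\", "/").lower()
    parts = [p for p in path.split("/") if p]
    if not parts:
        return None
    if parts[-1] in ACCESS_FILES:
        return "access-file"
    if parts[-1] in RPC_DLLS and "_vti_bin" in parts:
        return "rpc-dll"
    if VTI_DIRS.intersection(parts):
        return "vti-directory"
    return None

def scan(lines):
    """Return (client, method, url, status, category, served) per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, method, url, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        category = classify(url)
        if category:
            # A 2xx status means the server actually served the resource.
            findings.append((client, method, url, status, category, 200 <= status < 300))
    return findings

SAMPLE_LOG = [  # constructed sample lines using documentation IP ranges
    '192.0.2.10 - - [01/Aug/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Aug/2013:10:00:02 +0000] "GET /_vti_pvt/service.pwd HTTP/1.1" 200 96',
    '192.0.2.10 - - [01/Aug/2013:10:00:03 +0000] "GET /_vti_pvt/authors.pwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Aug/2013:10:00:04 +0000] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Aug/2013:10:00:05 +0000] "GET /%5Fvti%5Fcnf/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Hits with `served` set to True are the ones to triage first, since the server returned the access file or directory content rather than refusing it.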
Sharepoint Configuration Flaws !
- Exposed services on the Internet
- Excessive user access [admin.asmx, permissions.asmx]
- Information disclosure in HTTP Response Headers
- Publicly available insecure deployments [GOOGLE/SHODAN]
- Directory indexing
- Some of the manual tests:
  - Third-party plugin checks
  - Inappropriate deployment of sharepoint services

Sparty helps the penetration tester to gather information and to perform manual analysis later on !
Sparty Functionalities !
- Sharepoint and Frontpage Version Detection
- Dumping Password from Exposed Configuration Files
- Exposed Sharepoint/Frontpage Services Scan
- Exposed Directory Check
- Installed File and Access Rights Check
- RPC Service Querying
- File Enumeration
- File Uploading Check
Sparty Options!
Version Fingerprinting !
Dumping Passwords !
Directories Check!
Scanning Access Permissions (1) !
Scanning Access Permissions (2) !
Exposed Services Check !
RPC Querying !
RPC Service Listing !
Try Other Options of Your Own
Sparty : Next Version !
- Integration of publicly available vulnerabilities
- Detection of more advanced payloads for checking admin.dll
- Additional checks and tests against author.dll
- Extended payloads
Project Details !
- Projects page: http://sparty.secniche.org
- Documentation: http://sparty.secniche.org/usage.html
Questions and Thanks !
- SecNiche Security Labs: http://www.secniche.org
- BlackHat USA Arsenal 2013 Team
- IOActive Inc.