Archive for the ‘Hacking’ Category

Enabling HTTPS for Seafile (Windows)

May 7, 2014

EDIT: A video tutorial can be found at http://www.youtube.com/watch?v=HRNCpR_mSSs&feature=youtu.be

While there is documentation on how to enable HTTPS for Seafile in a *nix environment, there is none for doing this on Windows. Looking at the nginx implementation, it is essentially a reverse proxy, which is something IIS plus URL Rewrite can easily achieve.

Before we proceed, take a look at and understand the reverse proxy requirements found at https://github.com/haiwen/seafile/wiki/Enable-Https-on-Seafile-web-with-nginx

I will not go into the steps for generating your own SSL certificate, but rather focus on how to use IIS to reverse proxy the necessary ports.

Requirements

  1. Standard implementation of Seafile ONLY
    1. i.e. Seafile listens on the following ports: 8000, 8082, 10001, 12001
  2. HTTP requests to port 80 will be redirected to HTTPS calls on port 443
  3. HTTPS requests on port 443 will be treated as follows:
    1. if the path starts with seafhttp, send it to Seafile port 8082
    2. otherwise send it to Seafile port 8000

Step by Step Guide

  1. Install Seafile on the server
  2. Install IIS with default options
  3. Run IIS Manager
  4. Install the Web Platform Installer (WebPI)
  5. Inside WebPI, install URL Rewrite
  6. Create 2 websites, pointing to separate physical folders. Ensure the HTTPS website is associated with a valid SSL certificate
  7. Edit the web.config for the HTTP site

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <!-- Send every plain-HTTP request to the same path on the HTTPS site -->
            <rule name="Redirect to HTTPS" stopProcessing="true">
              <match url="(.*)" />
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

  8. Edit the web.config for the HTTPS site

    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <!-- Paths starting with seafhttp/ go to the Seafile file server on port 8082 -->
            <rule name="seafhttp" stopProcessing="true">
              <match url="seafhttp/(.*)" />
              <action type="Rewrite" url="http://127.0.0.1:8082/{R:1}" appendQueryString="false" logRewrittenUrl="true" />
            </rule>
            <!-- Everything else is proxied to the Seafile web front end on port 8000 (plain HTTP on the loopback interface) -->
            <rule name="Reverse Proxy" patternSyntax="ECMAScript" stopProcessing="true">
              <match url="(.*)" />
              <action type="Rewrite" url="http://localhost:8000/{R:1}" logRewrittenUrl="true" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

  9. Enjoy a secure version of seafile 🙂
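The two rule sets, evaluated offline. This is an added example (not from the post or the Seafile project): it parses constructed, trimmed copies of the two web.config files above and routes sample request URLs through them the way URL Rewrite would, showing which port each request lands on and what happens to its query string. Assumptions: seafile.example.com is a placeholder host, and pattern matching is unanchored like .NET's Regex.Match.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, trimmed copies of the two web.config files described in the post.
HTTP_SITE = """<configuration><system.webServer><rewrite><rules>
<rule name="Redirect to HTTPS" stopProcessing="true"><match url="(.*)" />
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" /></rule>
</rules></rewrite></system.webServer></configuration>"""

HTTPS_SITE = """<configuration><system.webServer><rewrite><rules>
<rule name="seafhttp" stopProcessing="true"><match url="seafhttp/(.*)" />
<action type="Rewrite" url="http://127.0.0.1:8082/{R:1}" appendQueryString="false" /></rule>
<rule name="Reverse Proxy" stopProcessing="true"><match url="(.*)" />
<action type="Rewrite" url="http://localhost:8000/{R:1}" /></rule>
</rules></rewrite></system.webServer></configuration>"""

def load_rules(web_config):
    """Turn the <rule> elements of a web.config into plain dicts, in document order."""
    rules = []
    for rule in ET.fromstring(web_config).iter("rule"):
        action = rule.find("action")
        rules.append({
            "name": rule.get("name"),
            "pattern": re.compile(rule.find("match").get("url")),
            "type": action.get("type"),  # Redirect or Rewrite
            "url": action.get("url"),
            # URL Rewrite default: the incoming query string is appended unless disabled
            "append_qs": action.get("appendQueryString", "true").lower() == "true",
        })
    return rules

def route(rules, host, request_uri):
    """Return (rule name, action type, resulting URL) for the first matching rule.
    Assumptions: the pattern is tested against the path without its leading '/', and,
    as with .NET Regex.Match, an unanchored pattern may match anywhere in it.
    Every rule on the page sets stopProcessing, so the first match wins."""
    parts = urlsplit(request_uri)
    path = parts.path.lstrip("/")
    for r in rules:
        m = r["pattern"].search(path)
        if m is None:
            continue
        url = r["url"].replace("{HTTP_HOST}", host)
        url = re.sub(r"\{R:(\d+)\}", lambda g: m.group(int(g.group(1))), url)
        if r["append_qs"] and parts.query:
            url += "?" + parts.query
        return r["name"], r["type"], url
    return None  # nothing matched: IIS would serve the site's own folder instead
```

On a real server the Rewrite actions only reach another host when Application Request Routing (ARR) is installed and its proxy feature is enabled; the evaluator models the rule logic only.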

SG Prime Minister Office compromised

November 11, 2013

After Anonymous’s threat of major attacks on 5th Nov 2012 and the Prime Minister’s remarks about sparing no effort to bring the attackers to justice (http://www.channelnewsasia.com/news/singapore/govt-will-spare-no-effort/876922.html), the PMO’s website was hacked almost immediately afterwards (http://www.thejakartaglobe.com/international/singapore-prime-ministers-website-hacked-after-lee-threatens-anonymous/), with some people attributing this to Anonymous (http://sg.news.yahoo.com/singapore-pms-website-hacked-anonymous-175123528.html).

IDA’s official statement can be found at http://www.channelnewsasia.com/news/singapore/subpages-on-pmo-and/878906.html

The Infocomm Development Authority of Singapore (IDA) said a vulnerability in a Google search bar within the sites was targeted and that the integrity of both sites had not been compromised.

Separately, IDA said it observed an "unusually high" amount of traffic to many government websites on 5 November, which indicated attempted cyber-intrusions.

OK, so let’s put this into perspective before blowing things out of proportion:

  1. Hacking is not like what you see in the movies, a few keystrokes and you are in. It is definitely way more than that.
  2. ONLY NOOBS attempt DDoS attacks; these typically come from people who have nmap, Kismet, sqlmap etc. installed (these are the PUBLICLY available tools), and some might even throw in age-old worms like Nimda for kicks.
  3. In any form of hacking, the weakest link is ALWAYS HUMANS:
    1. Social engineering
    2. Never changing passwords
    3. Using obvious passwords
    4. Using the SAME password everywhere, etc.

OK, so let’s now look at the PMO case from a white hat perspective:

Firing up the website, all content looks pretty normal.

What is interesting is that everything seems to be static content, comes with an ETag (meaning the content should be cached locally) and is sent gzipped (which typically means a load balancer or some hardware device is proxying the content). Other identifying headers are also stripped out, so this should be a typical hardened server, not easy to hack into!

A simple ping test reveals that the content is hosted on Akamai, i.e. PURELY static content, which means hacking this is a waste of time; there is probably an admin interface or, better still, a backend job that syncs the content over, which you will never have direct access to.

Just to be sure, a request for a non-existent page is tried. The conclusion is still the same: no point hacking this server.

Looking further at the site, we find a search bar. Now anyone with some IT background would know that a search bar displays DYNAMIC results, so this cannot be cached by Akamai, i.e. a possible target for a non-intrusive takeover attempt.

Doing a simple search, which comes up in a pop-up window (indicating something that has not been changed for ages), throws up the following screen and gems:

A host, wasdc.shine.gov.sg, which resolves to an IP address belonging to IDA.

A ping that times out also indicates that the server has been hardened, possibly with RDP on a port other than 3389 and no open ports other than port 80.

Now the headers indicate IIS 7.5, which means that it is running Windows Server 2008 R2.

Now some of you might remember Microsoft indicating a zero-day attack around the same time. The CVE number is CVE-2013-3906 (http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx), which is a vulnerability in MS Word. I highly doubt this was used as the launchpad.

So back to the server. In a typical enterprise, patches are never installed on Patch Tuesday; they have to go through staging, testing and what not, meaning the server might not be patched. Chances are the administrator would also have installed the GUI for ease of configuration.

So now I have my possible attack vector: target Windows Server 2008 R2 exploits, especially those pertaining to IIS 7.5.

I shall stop here and leave out the HOW of attacking a web server.

Just a few things to point out before I end off:

  1. Notice how all the things I’ve done so far look like a normal process to anyone watching the logs, if they even generated any.
  2. I’ve left out social engineering and social media tracking from the picture (although this is one of the most used tools).
  3. No DDoS, port scan or any analysis that would cause high traffic was done. Why? Because every system in the world takes this to be the first sign of a cyber attack and has configuration in place to block them.
  4. I’m pretty sure the attack was NOT done by Anonymous; they are way better than that.