Pwning through antispams

Introduction

One of the activity provided by Microlab is what is called “zero-knowledge penetration test”, where the target is the whole customer infrastructure and the only information given before starting is the name of the company.

The goal is to mimic, as much as possible, a real attack scenario where the first part is dedicated to information gathering and to the discovery of the low hanging fruit, i.e. the weakest target to attack. This provides the customer with an overview of the publicly available resources and how they can be abused by a threat actor.

During this kind of activities, it has been possible to get complete control of the customer network by leveraging antispam systems. How? Just keep reading.

Attack surface

The first phase of a penetration test is normally dedicated to gathering as much information as possible about the target, regardless of its nature: it could be an application, a device, a whole network, a company. It really does not matter: you have to know what you are going to attack.

While doing a zero-knowledge pentest for one of my customer, let’s call it Acme Inc., I started by passively mapping (i.e.: without direct interaction) the attack surface, that in this case was composed by all the systems and the applications owned by Acme Inc. that were directly reachable from Internet.

After mapping quite deeply this surface and after checking with the customer that all of the discovered targets were under its whole control, I moved to Shodan to get an idea of the exposed services and applications. One of the reachable system was fingerprinted as “Barracuda Network Spam Firewall”.

The information reported by Shodan.

This has been confirmed by visiting the web interface exposed on port 443/TCP.

The web interface of the Barracuda antispam.


Default creds should burn in hell

Guess what? The first thing I did was to jump to Google and search “barracuda email security gatewat default login”, get admin/admin as result and acquire access to the system, because those default credentials were still valid.

Default credentials are always hard to discover.

There are multiple attacks that a threat actor could carry out after getting access to this kind of systems:

  • get an almost complete list of the email addresses of the company;
  • get access to the emails waiting to be delivered;
  • allow malicious emails to be delivered to the mailboxes;
  • copy / forward emails to a third party address (this is very stealthy);
  • get insights of the private network(s) behind the antispam;
  • get Domain Admin credentials;
  • get instant access to the network behind the antispam.

Wait. Everything is clear but, “Domain Admin credentials”? “Instant access to the network behind the antispam”? No way.

Retrieve the credentials

One of the feature that is present in almost any enterprise antispam solution is the ability to connect to a Microsoft Active Directory to get the list of the users and to allow them to authenticate on the system with their domain’s credential. Unluckily, more often then not, domain privileged accounts are used to allow the antispam to access the Active Directory. In this case, my customer used the domain administrator’s account for this task.

The domain administrator’s credentials. Ouch.

Thanks to some limitations in the web interface imposed by Barracuda, it is not possible to directly recover the credentials. This can be achieved with a simple trick, by changing the “LDAP Server” address to a system under your control and by selecting “OpenLDAP” as “LDAP Server Type”. Then through the “Test LDAP” button the antispam will connect to your system and will deliver the plaintext credentials to you.

Sometimes, testing is fun. And profitable.

Be careful though, because you have to setup an SSL/TLS connection between the antispam and your fake OpenLDAP server; if not, you are going to expose the credentials to anyone listening to the traffic between the two hosts.

Port forward & antispam

In case the customer is using a read-only, limited domain account to retrieve information from the Active Directory, there is another feature an attacker could leverage: port forwarding.

While I still have to find a scenario where it is ok to have the antispam managing port forwarding (this is normally in charge to the firewall), it seems that this is a feature made available by different producers. For sure, Barracuda is one of them.

I will pay a couple of beers to anyone who could explain me the goal of this feature.

An attacker could configure multiple port forwarding rules to use the antispam as an hop to the internal network. Moreover, it is the perfect way to create a backdoor for example for a malicious employee who is leaving the company, thanks to the fact this feature is quite hidden into the menus and because it is normally not expected (at least for me) to have an antispam who is capable to do this kind of stuffs.

Conclusions

I do not know why but from my experience it is quite common to find antispam systems running with default credentials.

If you are a pentester, it makes sense to spent some time to test for default login or to try to break into the system with weak passwords associated to the local administrator account.

If you are a network administrator who is running an antispam, double check the configuration and, in any case, never use domain administrator’s credentials on these kind of stuffs. Less is more. Lol.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s