Category Archives: ASP.Net / IIS

Web Application Fortification with ModSecurity over IIS : Brutus

“Et tu, Brute?” ==> “And you, Brutus?”

ASP.Net, whether WebForms of times past, MVC or even Core, are all platforms that can utilise Basic Authentication, and with this comes the daunting task of securing the username and password.

In comes Brutus. From the main site (Google flagged it as dangerous, so the link is omitted):

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future. Brutus was written originally to help me check routers etc. for default and common passwords.

We know password re-use is widespread. We know that common user names are in use. Many techniques exist to check whether the accounts that are part of your domain have been compromised: password lists, haveibeenpwned, and password dumps posted online (the legality of pulling these is in question).

The best way to defend yourself against dictionary attacks is to perform them. In comes our friend Brutus with Basic Authentication based attacks on our ASP.Net platform on IIS.

In this video we perform such an attack, and ModSecurity over IIS is able to stop the cycle and also add forensics so we can identify the attack, along with data for the security officers if need be.

Another consideration is that Brutus can not only read candidates from a text file but can also generate them itself (AutoGeneration). This is why I do not like exposing the password strength requirements: a brute-force engine can iterate the site using exactly the conditions the site imposes and, well….. exposes, and it does so with pleasure.


The consideration we have here is that ModSecurity was not only able to stop Brutus as it excessively iterated the website or Web API, but the forensics to report on this are also present. Alerting is also possible.

In a previous demo I used an HttpModule to stop excessive iterations and return a 500 Internal Server Error to thwart certain attacks. The issue with this approach is that it does not automatically log the event or provide forensics.

Here is an example event viewer entry: 

Note the identification that a security scanner has iterated the site. The scanner is brutus/aet and it was identified by OWASP CRS/2.2.9.

CRS stands for Core Rule Set: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

ASP.Net / Web APIs can report who is excessively iterating them when under the umbrella of ModSecurity.
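As an added example (not from the post, and not ModSecurity or CRS code), the following Python script applies the same two signals the post relies on to constructed IIS W3C log lines: a scanner User-Agent containing "brutus" (the brutus/aet match above) and a burst of 401 responses from one client inside a short window. The log field layout, the client addresses and the Brutus User-Agent string are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (spaces inside a field are encoded as '+').
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2019-03-01 10:00:01 GET /api/values admin 203.0.113.5 Mozilla/3.0+(compatible;+Brutus/AET) 401
2019-03-01 10:00:01 GET /api/values admin 203.0.113.5 Mozilla/3.0+(compatible;+Brutus/AET) 401
2019-03-01 10:00:02 GET /api/values admin 203.0.113.5 Mozilla/3.0+(compatible;+Brutus/AET) 401
2019-03-01 10:00:02 GET /api/values root 203.0.113.5 Mozilla/3.0+(compatible;+Brutus/AET) 401
2019-03-01 10:00:03 GET /api/values root 203.0.113.5 Mozilla/3.0+(compatible;+Brutus/AET) 401
2019-03-01 10:00:05 GET /api/values alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401
2019-03-01 10:00:09 GET /api/values alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""

SCANNER_MARKERS = ("brutus",)  # User-Agent fragment the post's CRS alert matched (brutus/aet)

def parse_w3c(text):
    """Yield one dict per request line; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines instead of aborting
                yield dict(zip(fields, values))

def detect_bruteforce(text, window=timedelta(seconds=60), max_failures=5):
    """Return {client_ip: {"scanner_ua": bool, "peak_401s": int}} for suspicious clients."""
    failures = defaultdict(list)  # client ip -> timestamps of 401 responses
    scanner_ips = set()
    for rec in parse_w3c(text):
        ua = rec["cs(User-Agent)"].replace("+", " ").lower()
        if any(marker in ua for marker in SCANNER_MARKERS):
            scanner_ips.add(rec["c-ip"])
        if rec["sc-status"] == "401":
            ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
            failures[rec["c-ip"]].append(ts)
    findings = {}
    for ip in set(failures) | scanner_ips:
        times = sorted(failures.get(ip, []))
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if ip in scanner_ips or peak >= max_failures:
            findings[ip] = {"scanner_ua": ip in scanner_ips, "peak_401s": peak}
    return findings
```

With the sample above only 203.0.113.5 is reported (five 401s in two seconds and the Brutus User-Agent); alice's single failed attempt followed by a 200 stays below the threshold.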

Happy coding!

ASP.Net Web Api Security : Remove Generated Http Response Headers

IIS and some of the constructs in ASP.Net love to let the populace know that you are utilizing IIS and what flavor of ASP.Net or MVC you are using. 

This can be great when debugging payloads and you know what infrastructure the partner has, but for an attacker it is an excellent way to fingerprint your landscape.

Let’s see what a standard payload looks like.

Start by creating a standard web app.

Select Web API and follow the same choices as illustrated.

Run the application to ensure it compiles and renders.

Start up a proxy of your choice; here we are using Telerik Fiddler.

Note the following headers in the response:

  1. Server
  2. X-AspNetMvc-Version
  3. X-AspNet-Version
  4. X-Powered-By

To remove these headers (from http://stackoverflow.com/questions/12803972/removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without):

 You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use the BeginRequest event.

    // Global.asax.cs: strip the Server header before the response is sent.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...

Happy defending!