Hackfest 2023 - Back to the Future

Weaponizing and auditing secret servers for further compromise
2023-10-13, 09:00–09:50, Track #1

Applications use secret servers to store the credentials required for their day-to-day operations. Their usage increases as businesses improve application security and follow best practices. When permissions given to an application are too broad, the secret server becomes a central point of failure that can represent a new kind of weak link for an organization. It may be used as a stepping stone to further compromise the network.

As an attacker, when you compromise an application that can access a secret server and leak its credentials, the next logical step is to remotely access the secrets contained in the secret server. However, it can be tedious to thoroughly abuse secret servers within the duration of a security assessment. Even more so when credentials obtained in the secret server can connect to the secret server themselves, and recursivity comes into play. Recursive extraction of credentials is useful to get the full potential out of your obtained accesses. A tool to tackle the issue will be released and detailed.

The target audience of this presentation is security professionals, application developers and application owners.

The presentation will start by explaining the concept of a secret server, or vault, and highlight why they are part of the current application security best practices. They empower administrators in the management of application credentials, they offer better storage options than the traditional methods such as on-disk storage and help greatly in maintaining an accurate inventory of accounts. Applications are given initial credentials, which may be Windows domain credentials, to connect to the secret server and gather all the other secrets they require for their normal operations. These new secrets can be usernames, passwords, RSA keys, certificates, files, etc.

As an attacker, when you compromise an application that can access a secret server and leak its credentials, the next logical step is to remotely access the secrets contained in the secret server. Doing so, you may gain access to hundreds of secrets. The obtained new secrets may also be able to connect to the secret server, and leak even more secrets, and so on and so forth. Some of them you may already have, some of them may be new. It results in a lot of data that requires processing, and a lot of attack surface to explore. It quickly gets tedious to audit and perform a thorough assessment. The recursive process of abusing secret server secrets in a tree-like fashion to gather an exponential number of secrets is a new concept that requires proper tooling and needs to be exploited in offensive security engagements.

Currently, there are no tools available to remotely interact with the secret server APIs and extract secrets recursively. Current tools dump and decrypt the databases when accessed on the local file system, but it is not a scenario that happens often as it requires compromising the secret server's machine itself. To tackle the problem, I developed a tool called SSCrawl. It is a multi-threaded recursive secret gatherer for secret servers. It supports multiple secret server vendors and is extendable to support even more. It will gather secrets for an account and use the found secrets to attempt to connect to the secret server recursively. An overview of the tool's implementation and features will be presented, along with a demo.

SSCrawl also generates graphs of the compromised secrets for better visualization and to facilitate presenting the results to stakeholders. Graph demos will be shown to visualize the exploitation paths.

SSCrawl will be released after the presentation.

The presentation will end with recommendations on how to prevent the issue by hardening accounts and monitoring secret server accesses.

Are you releasing a tool? – Yes