Post-exploitation can be one of the most time-consuming but worthwhile tasks that an offensive security professional engages in. Fundamentally, it is where you are able to demonstrate what an adversary may do if they compromise a business. A big component of this is trying to get as far as you can without alerting the defenders to what you’re doing. The best way to do this is to “live off of the land,” to use tools and services that are part of everyday activities so that your actions blend into the background noise. With the proliferation of cloud and the
DevOps tools that have become a big part of modern computing, there are new ways for an attacker to move across a network. Configuration management (CM) servers are one of those cases.
CM servers are used to provision systems in a consistent manner as well as automate tasks such as
patching, updates, and fixing downed services. They also can be used to manage secrets that are used across multiple systems. CM servers are not only useful in the context of day-to-day operations, but they can also be used by an attacker. When wielded properly, an attacker can use them to run arbitrary commands or scripts on any connected system.
Because there are several different configuration management tools on the market, there is no guarantee that a given target will be using one that a security professional on an engagement is familiar with. Each tool has its own language and process for doing things. Subsequently, it can be incredibly time-consuming to figure out how to use these systems to do whatever the security professional intends to do. Given that time is always a massive constraint, the barrier to entry can be costly, and subsequently, the attack scenario can be overlooked or even skipped altogether. Furthermore, mistakes can be incredibly costly, not only in the sense of alerting the blue team to the attacker’s position on the network but also in that they can take down hundreds, thousands, or even tens of thousands of systems all at once. MOSE (Master Of SErvers) was created to address these problems.
MOSE empowers a security professional to weaponize an organization’s CM servers without having to worry about implementation-specific details. It effectively acts as a translator between the user and CM servers. It also can find CM-specific secrets and decrypt them, which can lead to additional attack paths.
MOSE takes input in the form of a command or script that the user wants to run on the systems managed by the target CM server. The input is used to generate a binary, which can be transferred to the target via a web server that is automatically stood up by default. Alternatively, the user can opt to output the binary to their file system and transfer the payload to the target through other means, such as Secure Copy Protocol (SCP). Once the binary is in place and is run by the attacker, it spawns code based on the user input and then modifies existing CM files to get the code to run on the managed systems (removing the need for the attacker to integrate it manually). Once this process is complete, it will hunt for secrets and attempt to decrypt them. When the systems that are managed by the CM server check-in (typically every 20 minutes for most of these tools), they will execute the rogue code introduced by MOSE.
For security professionals with CM experience, MOSE can still be a very useful tool, as it uses templates to craft rogue CM code. These can be modified, and the user can use the automation that MOSE provides around identifying potential exploitation paths and finding managed secrets.
The Master of Servers project also has attack labs for all four CM tools used in modern computing environments. The attack labs can be used to test payloads built by MOSE, to ensure that the expected results occur before unleashing them on a target network. This process can easily be automated as part of a pipeline for defensive teams testing for regressions and failures in their defensive capabilities, as well.
MOSE was released at DEF CON 27 in 2019 and has since gained support for three-fourths of configuration tools used by most enterprise-scale businesses. It is a free and open-source project; there are many ways to contribute, both in adding functionality and testing existing functionality. We would love to see contributions and feedback from the community. Come to
my talk at BSidesSF to learn more about how MOSE can be used by both offensive and defensive security professionals to test the protection mechanisms (or lack thereof) around configuration management.
About the Author: Jayson Grace is a Penetration Tester on the Product Security Team at Splunk. Previously he founded and led the Corporate Red Team at Sandia National Laboratories. He holds a BS in Computer Science from the University of New Mexico, which gave him some great knowledge and also made him fatter and added a bunch of grey hairs. He has also previously worked as a tool developer, system administrator, and DevOps engineer. Jayson is passionate about empowering engineers to create secure applications, as well as coming up with novel automation methods to break things.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
