SharePoint 2013 Pentest – Part 2

So in the last post that was done a while ago, we looked at the first step in a Penetration test, “RECON“. We started to work through our plan of attack which is the following (highlighted ones covered in last post):

  1. Operating System Version
  2. Web Service Versions
  3. Installed Components
  4. Available Ports
  5. SharePoint Version
  6. SharePoint endpoints
  7. SharePoint Web Service Endpoint
  8. SharePoint FrontPage/RPC Query results

The first step we took was to utilize tools like “NMAP” and “METASPLOIT” to fingerprint the server. We looked at a quick example of port scanning, fingerprinting the server operating system, scanning for SQL server and then a basic attempt to exploit the SQL credentials. For this and future posts we will go through a methodical approach with various tools.

When you perform a penetration test the very first task is to “get to know” your target. This does not mean speaking to people, this means using the internet to see what is around that can help you find a hole somewhere, credentials maybe or just enough information to perform a social engineering attack. As I tell my kids, “once something is on the internet, it is there forever“, and that is true with client websites, social media profiles etc. There is always a place to find it.

Our first stop is to use a website called http://www.archive.org. As the name suggests it is valuable in finding older versions stored in the “Way back Machine” that could contain information that should not be there, well at least the new all secure website the client created does not contain that. So to use this simply access the site:


Now for this example I am going to use my own blog address of http://blog.helloitsliam.com. When it loads you will see that the current URL I have been using goes back to 2011.

Underneath the time bar are the months, with blue circles that represent snapshots that are available.

Selecting one of these dates will allow me to see what the site looking like. So I am going to select October 13, 2011. This will the start to process the site.

Once it has retrieved the snapshot it will then render the site. Changing the URL to http://www.helloitsliam.com retrieves a different timeline which goes back to 2007, when I click on one of those dates my site renders the home page as shown below.

Using this mechanism you are able to not only see older versions but also navigate through the site clicking on the URLs looking for details that will help you build a picture of the target. This is a great site for looking at how a web application has been modified, changed and updated within a platform or multiple platforms. This could allow you as the pen tester to retrieve valuable insight into the organization or even gain configuration or security information that could be used in the pen test process.

This kind of Reconnaissance is about getting information about the various versions of the application, but to assist you if you are thinking about a social engineering attack then you can potentially use something like the “US Securities and Exchange Commission” website to find details about the company you are going to test.

Simply visit https://www.sec.gov/edgar/searchedgar/companysearch.html and type the company name you wish to test.

I am going to use a company you may have heard of, so will type “Microsoft” and this is what is returned.

Clicking on the number “0000789019” shows me further details such as quarterly reports that may contain details that could be useful in a social engineering attack.

These records are freely available for anyone to see and read, so they are a good start to finding out more details about the target company you are working with or for. Notice in the above image that is shows me that “Microsoft” are working with “Deloitte & Touche LLP“, which could make it very useful when trying to validate in a social engineering attack.

Now this is not the only way to find information. We live in an age where we freely give away information about ourselves and the company we work for by posting messages on all the many social network. There are various ways of finding details about individuals or organizations on these social networks.

Once of the tools that is great for this type of work if you want to find details about people etc. is “Maltego“. There is a community version of this that comes with the Kali Linux setup that you can use, I won’t go through all the “ins and out” of how to use it, you can get training and read the documentation for that over here: https://www.paterva.com/web6/products/maltego.php

The application itself looks very much like an office type application with a ribbon bar, left navigation and a pane for creating the content. In the left panel you select the types of objects you wish to use.

For my example let’s add a URL object, by selecting it and dragging it onto the pane.

I am going to use the “www.microsoft.com” website like we did earlier.

If we now right click the object we are able to choose the process that needs to be ran.

For our example we will simply select the “To Website [Convert]“, which will display a message that the transform is now running.

Once it has completed, you should see the following.

We can now go deeper and inspect what technology is running the website by right clicking the new object and choosing “ToServerTechnologiesWebsite” option.

This will then run a transform and should display the following in the pane, interestingly I don’t see “SharePoint” listed J

Now we can start digging deeper, as our goal is really to find details about the technology, company and people, that will help is perform some kind of attack. You can really have fun with this tool, choosing different transforms going deeper finding information about every facet of the company, as an example getting IP address of the site.

Transform: “Resolve to IP

As you keep search, running transforms you can end up finding other sites, people etc. and could end up with a pane that looks like this.

Notice I have changed the view to hide the details, this one was one I did to show a friend and SharePoint Guru Dan Holme while presenting on Hacking at the European SharePoint Conference in Barcelona this year.

As you can see there are great option to finding details about companies and people, even as simple as just “google” and “bing” searches.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.

You may also like...