Wednesday, August 15, 2012

Scanning SharePoint with PowerShell

A few months ago, I published Get-HttpStatus - a PowerShell function that aides in generic directory and file fuzzing.  In order to get it added to PowerSploit, Matt suggested several improvements and eventually made a few of his own.  The function supports SSL and includes several dictionaries derived from other projects such as Nikto, Yokoso and SharepointURLbrute.  Without dictionaries, the function is pretty useless so a big thanks goes out to the developers of each of those tools and the hard work that went into creating the file and directory dictionaries.   

Lets take a look at one specific use-case for Get-HttpStatus - scanning a SharePoint installation.  We can start by opening PowerShell and copying and pasting the function into the shell.

Next we provide the function a target website and the path to the dictionary file.

In this example, there is an interesting directory and file that is accessible without credentials.  Lets check it out:

It appears that we may have the ability to increase permissions by adding users to different groups on the server.  That is definitely a security finding that could aid in a penetration test.  As with other scripts and functions that are added to the PowerSploit project, the maintained version is available on the github site.

Get-HttpStatus Function

Please check out the other dictionaries and let me know if you see any other use cases for this script.  Thanks for checking this out and if you haven't bought your DerbyCon tickets yet, you should do so! If you are interested in PowerShell and security, Carlos Perez is teaching one of the first courses on the topic: "Introduction to PowerShell for Security Professionals" at this year's DerbyCon so sign up for it.  I can't wait!