WildFly: a key pentesting lab for DORA
In today’s digital world, cybersecurity is more crucial than ever. Financial institutions face a constant increase in cyber threats, which has led the European Union to implement the Digital Operational Resilience Regulation (DORA). This regulatory framework focuses on strengthening cybersecurity and operational resilience in the financial sector.
What is DORA?
DORA aims to ensure that financial institutions can effectively manage risks related to information and communication technologies (ICT). This means that organizations must be able to withstand and recover from cyberattacks and other technological disruptions.
DORA Key Areas
The regulation establishes requirements in several critical areas, including:
• Risk management: Establishing controls and processes to mitigate cyber risks.
• Vendor oversight: Evaluating and monitoring third parties that provide ICT services.
• Penetration testing (pentesting): Conducting regular tests to detect and correct vulnerabilities in systems.
At ARENA, we conducted a pentesting lab on WildFly, a widely used application server, to assess its security and compliance with DORA requirements.
What is WildFly?
WildFly is an open-source application server that allows you to deploy Java applications and services. In this lab, we used version 21 Final on a Windows Server 2019 virtual machine.
Tools used in the Pentest:
To carry out this pentest, we used three main tools:
1. Nmap: A port and network scanner.
2. WildPwn: A tool specializing in brute-force attacks on servers.
3. Msfvenom: Used for creating custom payloads.
Phase 1: Scanning with Nmap
Nmap is primarily used as a port scanner, although, as we’ll see later, it has other uses. It allows us to detect the different machines on our network and see whether they have open ports or are running any applications. In this case, we discovered that the Windows machine’s IP address is 192.168.1.135 and that port 8080 is open with a web application running.
Investigating the previous interface, we discovered that clicking on Administration Console redirects us to another webpage (deployed on port 9990) where we require certain administrative credentials to access it. This is where we will begin analyzing a possible entry point.
After this scan, we can create a network diagram that can help us visually understand the structure of the system we want to attack.
Phase 2: Brute Force Attack with WildPwn
A brute-force attack involves trying multiple combinations of credentials until the correct one is found.
Now, our main objective is to gain access to this restricted screen. To do this, we will use the wildPwn tool, which has a specialized module for brute-force attacks on these types of servers. We will use files that compile the most common usernames and passwords to try to force a login.
The screenshot shows that two valid credential pairs were found: admin:4dm1n1998 and administrator:Admin19?. These are most likely system administrator accounts. If we log in with the obtained credentials, the following screen is displayed:
As we might expect, this is a server administration screen for the applications available for deployment. A malicious user who can gain virtually unrestricted access to our system could cause significant damage.
Phase 3: Reverse Shell with Msfvenom
A reverse shell allows an attacker to gain remote access to the target system.
Taking advantage of the fact that we have, as far as we know, unlimited access to the management system, we will attempt to gain access to the machine hosting the WildFly application.
To do this, we’ll use the msfvenom tool. This tool is designed for creating custom payloads (malicious code). In our case, the goal is to create a .war file that will allow us to open a command prompt on the victim machine (reverse shell).
To upload it to the application, we’ll simply go to the deployments section and upload our malicious file.
Now, we need to keep our machine listening on the port we specified during payload creation, in this case, port 445. We’ll use the netcat tool for this.
With our machine listening, accessing the website’s URL on port 8080 (the homepage), and adding `/reverse-shell` will execute the code we entered, granting us administrator access to the machine that runs the entire service.
From this point on, we can consider this vulnerability critical, since the attacker will have the means to do whatever they want. For example, they could steal data directly from the server, or in more extreme cases, completely destroy it by deleting key files.
Final recommendations to protect your organization
Maintaining default settings in applications and systems can lead to serious security vulnerabilities. It is crucial that companies in the financial sector, in compliance with DORA, constantly review and improve the security of their systems.
In this lab, we observed two very common flaws in the deployment of these types of services.
Starting with the brute-force attack: the passwords found did contain special characters, which makes them harder to guess. However, being able to send thousands of consecutive login requests from the same device until the correct combination is found is a major security weakness. One possible solution is a service such as IpBan, which blocks an IP address after a certain number of failed login attempts.
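The lockout logic that recommendation describes, as an added example (not ARENA’s code and not IpBan’s implementation): failed logins are counted per source IP in a sliding window, and once the threshold is reached the source is blocked for a fixed period, even if it later presents valid credentials. The line format, the thresholds and the sample lines are constructed for this example and are not WildFly’s own log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy, not IpBan's defaults: failures...
WINDOW = timedelta(minutes=1)    # ...tolerated per source IP within this window
LOCKOUT = timedelta(minutes=15)  # how long a source stays blocked afterwards
# Constructed line format for this example; it is not WildFly's own log format.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=\S+ result=(?P<res>OK|FAIL)$")

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when its block expires

    def record(self, ip, ok, now):
        """Register one login attempt; return True if the source is blocked."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True                     # still locked out, even with valid credentials
        self.blocked_until.pop(ip, None)    # drop an expired block
        recent = self.failures[ip]
        if ok:
            recent.clear()                  # a real login resets the counter
            return False
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT
            recent.clear()
            return True
        return False
def process(guard, line):
    """Parse one constructed line into the guard; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return guard.record(m["ip"], m["res"] == "OK", datetime.fromisoformat(m["ts"]))
def replay(lines):
    """Feed lines through a fresh guard; return {ip: block expiry} for blocked IPs."""
    guard = LoginGuard()
    for line in lines:
        process(guard, line)
    return dict(guard.blocked_until)

# Constructed sample: five rapid failures from .50, one typo then a real login from .77.
SAMPLE_LOG = [f"2024-05-01T10:00:0{i} src=192.168.1.50 user=admin result=FAIL" for i in range(5)] + [
    "2024-05-01T10:00:02 src=192.168.1.77 user=admin result=FAIL",
    "2024-05-01T10:00:10 src=192.168.1.77 user=admin result=OK",
]
```

Running replay(SAMPLE_LOG) blocks only 192.168.1.50; the .77 source is never blocked because its single failure is followed by a successful login.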
As the penetration test showed, poor control over the network connections the server could accept and initiate was what ultimately allowed us to gain access to the machine hosting it. With firewalls, or Windows’ own security rules, the likelihood of this kind of incident can be significantly reduced.
In conclusion, keeping the default settings of our applications or systems can cause serious security vulnerabilities. We should always dedicate time to properly configuring the security of our devices.
How can ARENA help you strengthen your security?
At ARENA, we not only conduct security audits through penetration testing, but we also offer tailored solutions to mitigate risks such as brute-force attacks and poor connection management.
With our expertise in cybersecurity and compliance with regulations like DORA, we can implement advanced, customized protection measures and prepare your company to withstand cyberattacks and meet the regulatory standards of the financial industry.