sync: auto-sync from GURU-5070 at 2026-06-04 09:45:37
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-04 09:45:37
This commit is contained in:
@@ -63,3 +63,46 @@ Folded the findings into the security record: added **Appendix A — Intrusion /
|
||||
- Wiki: `wiki/clients/glaztech.md`
|
||||
- Ticket: Syncro **#32378** (Glaztech website security — Waiting on Customer)
|
||||
- RMM API: `http://172.16.3.30:3001` | agent id `455a1bc7-1c29-42bc-b597-fa1e64f08eec`
|
||||
|
||||
---
|
||||
|
||||
## Update: 09:38 PT — Deep host + SQL-infrastructure recon (Grok gap-analysis loop)
|
||||
|
||||
### Session Summary
|
||||
Ran a collaborative gap-analysis loop (Claude + Grok CLI, 4 Grok turns on session `019e9351-…`) plus 3 read-only GuruRMM pulls on the `WWW` host to find what the website security assessment had not yet checked. Grok identified overlooked surfaces; Claude pulled the requested read-only host telemetry + SQL **metadata**; results were fed back to Grok each turn. Findings were folded into the assessment report. All read-only; no CHD and no secret values intentionally retrieved.
|
||||
|
||||
### Key Findings (new vs. prior report)
|
||||
- **GTIware card engine is co-resident in the public IIS worker on the `tom` sysadmin connection.** `gt_auto_process_2020.dll` / `glaztech_utilities_2020.dll` live in `D:\web\glaztech_4\Bin\`; their `.dll.config` carry no own connection strings → they use the website's `tom` connections. `w3wp` PID 13752 = `IIS APPPOOL\glaztech_new`.
|
||||
- **`xp_cmdshell = 1` (enabled) on `GTI-INV-SQL`** → instant OS RCE from a `tom` SQLi (`clr`/`Ole`/`Ad Hoc`/`remote admin` all 0).
|
||||
- **SQL Agent service runs as `Administrator@glaztech.com`** (domain-admin class).
|
||||
- **Cleartext `glaztech\administrator` domain-admin password embedded in `msdb` SQL Agent backup-copy job steps** (`xp_cmdshell 'net use … /user:glaztech\administrator <pw>'`) — readable by any sysadmin/`tom` connection. **Value redacted from all artifacts (sed-scrubbed from the recon output); flagged for rotation.**
|
||||
- **7 linked servers** (remote-login + data-access) across `192.168.0.x` and `192.168.8.x` (`mas_gti`, `qqest`/TimeForce, backup hosts, `GTI-INV-SQL\GTISQL`).
|
||||
- **`sa` login enabled; all 47 DBs `is_encrypted=False` (no TDE);** CHD `.bak` backups copied to `\\192.168.8.52\sql_backup\`.
|
||||
- **`Web.config` holds two processors' secrets in cleartext** (CyberSource `cybs.*` + on-disk signing keys; PNC `pnc_key/pin/token`); **`Everyone:(R)` ACL** on web root + `bin` + `Web.config`.
|
||||
- Host firewall Domain=On, **Private/Public=Off**; **TLS 1.0 explicitly `Enabled=1`**; new endpoints `/webhooks` (Samsara receiver) + `/webhooks1`.
|
||||
- Server-side billing engine `d:\sql_jobs\bin\gt_console_apps.exe` (`cp`/`is`/`oa`/`lo`) run by the Agent (domain-admin).
|
||||
- Extra hosts surfaced: `\\192.168.0.147\web\glaztech_4`, backups `8.52`/`8.212`, MAS `0.55`, linked `0.54`.
|
||||
|
||||
### Corrections / retractions
|
||||
- An initial pass mis-flagged the `kgc7jt` ScreenConnect Cloud instance as "foreign/unrecognized third-party access" (draft finding **C6**). Per Mike: ScreenConnect (both), Datto RMM/EDR, Syncro, Splashtop are **ACG's sanctioned management stack**. **C6 fully retracted.** RealVNC is **Steve's** tool, kept as **H2** strictly for its end-of-life age (RealVNC 4.x ≈2009, listening 5900/5800).
|
||||
- `machineKey` is AutoGenerate (not hardcoded); the app-pool identity is least-privilege locally — the privilege issue is the SQL `tom` login, not the Windows identity.
|
||||
|
||||
### Key Decisions
|
||||
- Folded findings into the existing report as a new **C0-Extended** section + findings **C5/H9/H10** + an **Emergency-containment** roadmap bucket (E1–E5) ahead of all other work, rather than a separate report.
|
||||
- Domain-admin password returned incidentally in a job-step preview was scrubbed from the on-disk recon artifact and never written to the report (no-secrets constraint).
|
||||
|
||||
### Configuration Changes
|
||||
- Edited `clients/glaztech/reports/2026-06-03-website-security-assessment.md` (347 → 415 lines): method/date, Exec summary, findings table (+C5/H9/H10, −C6), C0 attack chain, new **C0-Extended** section, H2 rewrite, "Why the Cards Are Stored" nuance, Assumptions, PCI mapping, Emergency-containment bucket + structural items 22–26, status footer.
|
||||
|
||||
### Commands & Outputs
|
||||
- GuruRMM read-only PowerShell to `WWW` (agent `455a1bc7…`): **recon1** (IIS/app-pool/tasks/services/GTIware hunt/ACLs/net/firewall/TLS/certs), **recon2** (w3wp identity, GTIware `.dll.config` safe-parse, SQL metadata via the app's `tom` connection — `sys.configurations`/`dm_server_services`/`sys.servers`/`msdb` jobs+backups/principals/`sys.databases`), **recon3** (ScreenConnect probe).
|
||||
- Grok CLI session `019e9351-ed1c-7bc3-b171-b4cf4b53745d` (4 turns) for gap analysis + corrected remediation sequencing.
|
||||
|
||||
### Pending / Incomplete Tasks
|
||||
- Coord todos filed: **6d15fc88** (rotate `glaztech\administrator` + purge `msdb` cleartext use; disable `xp_cmdshell`/`sa`), **aebaf751** (least-privilege `tom` migration).
|
||||
- Recon the second host `\\192.168.0.147\web\glaztech_4`; lock down `/webhooks`.
|
||||
- Carried: `corp` DB `cc_file` anomaly; IDOR on `get_cc_data`; Payrilla scope.
|
||||
|
||||
### Reference Information
|
||||
- Grok session `019e9351-ed1c-7bc3-b171-b4cf4b53745d`; SQL host `GTI-INV-SQL` `192.168.8.62,3436` (instance `GTISQL`).
|
||||
- Coord todos `6d15fc88-db4f-4a35-a76a-a5a6a9f50795`, `aebaf751-d778-423f-a84b-314fbb294f30`.
|
||||
|
||||
Reference in New Issue
Block a user