SHIPS is a solution to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts for both Windows and Linux. Clients may be configured to rotate passwords automatically. Stored passwords can be retrieved by desktop support personnel as required, or updated when a password has to be manually changed in the course of system maintenance. By having unique passwords on each machine and logging of password retrievals, security can be improved by making networks more resistant to lateral movement by attackers and enhancing the ability to attribute actions to individual persons.
When performing penetration tests, our common attack vector is through compromising one host and pivoting to other systems with the information obtained. It is common to see large-scale breaches utilizing this method and that is where SHIPS comes into play.
SHIPS is designed to make post-exploitation more difficult and minimize what systems attackers gain access to. Once SHIPS is set up, there isn’t much else that is needed and it’s simple to integrate into existing business processes.
SHIPS version 2 Released!
A script is deployed to the endpoints, servers, and any other systems through group policy or similar deployment tools. The script is run on a determined timeframe from the organization. The script makes a password request to the server, which generates unique password string that it stores and transmits to the client. The client script than applies the new password on the client. TrustedSec recommends deploying SHIPS to servers, workstations, or any other windows-based systems. The passwords will now be unique per individual server and workstation.
For organizations where client and server support roles are segregated to different groups of employees, multiple instances of the SHIPS server can be run on a single host. Simply change the listing port on one of server instances and configure each to authorize the appropriate users. TrustedSec recommends using the alternate listening port for the instance supporting server infrastructure. In most cases accommodating requests on the alternate port from servers will be easier than frequently more mobile clients, with regard to firewalls or proxies.
When users with permission to access account passwords wish to retrieve them, they simply log into the SHIPS admin server and do a lookup of the machine name. The web application will display the current password associated with the device. SHIPS authorization can be tied to external systems such as LDAP
Client Password Server is implemented as a standalone Ruby application. The application is web based, however, http handling is provided by WEBrick, an in-process webserver included in the standard library. This application has minimal external dependences, gems sqlite and optionally ruby-ldap. The ruby-ldap dependency is not required if installation of ruby-ldap is a problem on your platform, LDAP integration will not be available if omitted. Keeping external dependencies minimized allows the application to be installed on a host that may have existing web services running and alongside applications that may use large frameworks such as RAILS without the need for a separate Ruby environment. It also helps ensure the application can be stood up quickly in a disaster recovery scenario.
Clients perform password updates using a single https request. The request and response are kept to a minimal size to facilitate large numbers of clients across WAN links while keeping impact and data utilization low. Remote clients can be supported as well as this request may be handled securely over the Internet and be passed by proxies if the client script implementation such as the VBS client provided for Windows clients supports it. SHIPS has both a Linux and Windows version built into it.
Support personnel access the information using a web interface. Functions such as creating, removing, and clearing passwords on computer objects may also be accessed via a web service call that does not require sessions or cookies for transactions with scripts.
git clone https://github.com/trustedsec/SHIPS.git