Upload
johncenafls
View
228
Download
0
Embed Size (px)
Citation preview
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
1/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Assessing and Exploiting
Web Applications with Samurai-WTF
Justin SearleManaging Partner UtiliSecjustin@meeas com // justin@utilisec com // @me
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
2/163
2Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
CC Attribution-ShareAlike
For more details, visit http://creativecommons.org/licenses/by-sa/3.0/
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
3/163
3Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Course Contributors
Course AuthorsJustin Searle - [email protected] - @meeasRaul Siles - [email protected] - @taddong
Course Sponsors
UtiliSec http://www.utilisec.comSecure Ideas L.L.C. http://www.secureideas.net
Taddong S.L. http://www.taddong.com
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
4/163
4Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Two-Day Course Outline
Day 1 MorningTesting MethodologyTarget 1: Mutillidae Mapping Walkthrough Discovery Walkthrough Exploitation Walkthrough
Day 2 Morning Finish up DVWA (if needed)Target 3: WebGoat Mapping Walkthrough Discovery Walkthrough Exploitation Walkthrough
Day 1 Afternoon
Target 2: DVWA Mapping Walkthrough Discovery Walkthrough Exploitation Walkthrough
Day 2 Afternoon
Target 4: Samurai Dojo Student Challenge Challenge Answers
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
5/163
6Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Samurai-WTF
2 Versions: Live DVD and VMware image Based on Ubuntu Linux
Over 100 tools, extensions, and scripts,included: w3af BeEF
Burp Suite Grendel-Scan DirBuster
Maltego CE Nikto
WebScarab Rat Proxy nmap
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
6/163
7Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Samurai-WTF vs. Other Live CDs
Live CD/DVD Primary Goal Purpose ReleaseCycle
Backtrack Pentesting for all environments 6-12months
NodeZero(Ubuntu PentestLive)
Pentesting for all environments too youngto tell
Samurai-WTF Focus on pentesting for Web Applications 3-4months
OWASP Live CD Showcase major OWASP tools & projects 1 year
All are based on Ubuntu
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
7/163
8Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Future of Samurai-WTF
Move to KDE (Kubuntu) and Gnome (Ubuntu)versions
Move to the Ubuntu Live CD build process Move all software and configurations to
Debian packages Software upgrades between official releases Easier for users to customize the distro Provides access to WTF tools in all Ubuntu installs Facilitate collaboration within dev team
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
8/163
9Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Project URLs Main project page:
http://www.samurai-wtf.org Support information (and tracker) at:
http://sourceforge.net/projects/samurai/support
Development mailing list at: https://lists.sourceforge.net/lists/listinfo/samurai-devel SVN repository:
svn co https://samurai.svn.sourceforge.net/ svnroot/samurai samurai Project Leads:
Kevin Johnson - [email protected] - @secureideas Justin Searle - [email protected] - @meeas Frank DiMaggio - [email protected] - @hanovrfst Raul Siles - [email protected] - @taddong
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
9/163
10Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Setting up Your Course VM
Copy the SamuraiWTF ISO file to your hard drive Open your virtual machine software and create a new virtual
machine without using the automatic installation options If you are using VMware Player, Workstation, or Fusion:
When warned about an installation disk, select "Continue without disc" When asked about installation media, choose "Create a custom virtual
machine" When asked about your Operating System choose "Linux" and
"Ubuntu"
Once created, edit your virtual machine and point the VM
machine's CD/DVD virtual drive a the SamuraiWTF ISO file onyour hard drive
Boot your virtual machine and verify SamuraiWTF starts up Don't install SamuraiWTF to your virtual hard drive for this class Look around and see if your neighbors need any help !
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
10/163
11Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Logging In
Username: samurai Password: samurai http://whatisthesamuraipassword.com
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
11/163
12Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Samurai Desktop
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
12/163
13Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Major Samurai Tools
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
13/163
14Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Firefox Extensions
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
14/163
15Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Samurai Firefox Add-on Collection
Set of Firefox add-ons for web app securitytesting
Convert your web browser in the ultimatepen-testing tool
Available within Samurai Firefox setup Add-on updates from official web page
Open to suggestions & contributions Site: https://addons.mozilla.org/en-US/firefox/collections/rsiles/samurai/
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
15/163
16Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Web Based Tools
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
16/163
17Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Other Command Line Tools
Note the directory location CLI tools are not in $PATH yet.
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
17/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Testing Methodology
Because we are professional pen-testers You cant see the wood for the trees
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
18/163
19Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Types of Tests
Black box testing Little to no information is provided Extra time spent on Recon and Mapping
White box or crystal box testing Other end of the scale Virtually all access to the host server provided Often includes source code review
Grey box testing Most "discoverable" information is provided
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
19/163
20Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Formal Methodology
A simple methodology: Recon : Gathering information
from external sources aboutyour target
Mapping : Learning about thetarget app from a user's AND adeveloper's perspective
Discovery : Learning the appfrom an attacker's perspective
Exploitation : Attempting tomeasure the true risk ofdiscovered vulnerabilities
Successful exploitation oftenleads to new functionality tomap and a second layer ofvulnerabilities to discover
Recon
MappingExploitation
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
20/163
21Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Methodology in Real Life
We still follow theoverall clockwise flow,but we often move backand forth betweenprocesses
Trick is to keep focusedand progressingthrough the steps
General rule fordeviation fromclockwise progression: 5 attempts or 5 minutes
Recon
MappingExploitation
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
21/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
First Target: Mutillidae
Mutillidae are a family of wasps whose wingless females resemblecommon namevelvet ant refers to their dense hair which may be red, blasilver, or gold. They are known for their extremely painful sting,to be strong enough to kill a cow, hence the common namecow killer orcow ant is
applied to some species. -- Wikipedia
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
22/163
23Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mutillidae
Author: Irongeek Site:
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
Purpose: A PHP/MySQL web application that implements theOWASP Top 10 vulnerabilities
Accessing: http://mutillidae
Register a username,
password & signature Features:
Includes learning hints OWASP Top 10 menu
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
23/163
24Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Testing Plan for Mutillidae
Mapping Tools: Built-in Firefox tools Tamper Data
Request history Firebug
Discovery Tools: User Agent Switcher Tamper Data
Interception SQLi / XSS fuzzing
Exploitation Tools: Manual techniques Add N Edit Cookies Selenium
Of course, some toolsapply to multiple testingphases (e.g. Tamper Data:Mapping, Discovery andExploitation?)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
24/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Recon
The most under utilized steps
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
25/163
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
26/163
27Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Step 1: Recon
Recon is one of the most under utilized steps Findings here allow you to start building assumptions
to test
Provides key information needed for later steps Selection and verification (most important) of targets Information about technologies used and configurations Lists of users, employees, and organization info Password reset information and contact information
Trust relationships to exploit (friends and managers) Even occasionally find code snippets with vulnerabilities and
authentication information
(Potentially) Without touching target environment
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
27/163
28Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
The MOST Underutilized Step...
Which we are going to underutilize today. "
Why? Sites we are testing are fictional Recon skills and tools are the same we use for
network pentesting Little to no new tricks for web applications
Don't make this mistake on your tests!!! Check out the appendix for some info on
tools and exercises
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
28/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mapping Mutillidae
FirefoxTamper Data
Firebug
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
29/163
30Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mapping Steps
Recon
Exploitation
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
30/163
31Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Firefox
Author: Mozilla Foundation Site: mozilla.org Purpose: a full featured, cross platform web browser.
Now includes a mobile version for your smartphone Language: C++ Notable Features: Extensions (add-ons)!!! Caveats: still thinking
Secret trick: Open a second Firefox process and profile:
firefox -p
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
31/163
32Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Built-in Firefox Tools
Page Info Determine if page is static or dynamic via modification date Shows URLs for all media objects in the page
Error Console Determine if you browser is properly rendering the page DOM Inspector (moved to an extension in 3.5+)
Shows current state of the page as rendered in the browser
View Page Source and View Selection Source Used to quickly expose source code of selected content
Most web browsers provide similar tools
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
32/163
35Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data Author: Adam Judson Site: http://tamperdata.mozdev.org &
https://addons.mozilla.org/en-us/firefox/
addon/tamper-data/ Purpose: A Firefox extension to track and
modify HTTP/HTTPS requests Language: Firefox add-on
Features: Modify HTTP(S) headers and POST parameters HTTP request/response tracing & timing GET parameters & HTTP(S) responses?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
33/163
36Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Firebug
Author: FirebugWorkingGroup et. al. Site: http://getfirebug.com &
https://addons.mozilla.org/en-US/firefox/addon/firebug/
Purpose: Set of web development tools Language: Firefox add-on
Features: Inspect & modify HTML, CSS, XML, DOM JavaScript debugger & profiler Error finding & monitor network activity
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
34/163
37Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mapping Exercise
Which operating system is hosting the application? Which web server and/or application server is hosting the
application? Which language is the application written in?
Which programming model did the developer use? Front Controller uses a single page for all functionality
/index.aspx?action=AddToCard&Item=42
Page Controller uses a separate page for each function /AddToCart.php?Item=42
Model View Controller (MVC) can be much more complex, often using the
resource path to specify input instead of actual files and directories /Product/AddToCard/42
What functionality does the application provide? Are there any process flows involving multiple pages? Have you visited every page and recorded each possible
request/response pair?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
35/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mutillidae Discovery
User Agent Switcher Tamper Data- Interception
- SQLi / XSS fuzzing
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
36/163
39Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Discovery Steps
Recon
MappingExploitation
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
37/163
40Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
So What Are We Looking For?
OWASP Top 10 + other vulnerabilities https://www.owasp.org/index.php/
Category:OWASP_Top_Ten_Project
Most vulnerabilities can be categorized: Information leakage Mis-configurations
Various types of injection Control bypass
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
38/163
41Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Information Leakage
Fingerprinting artifacts Identify the hardware, OS, webserver, appserver, proxies, WAFs,
programming language, database, backend, etc
Development and staging artifacts
Backup files or alternate copies of files Source code comments and development tools fingerprinting Detailed debug messages
User artifacts Usernames and passwords
Personally Identifiable Information (PII) Error messages Username is correct but password is not You have 3 more attempts You have been locked out for 5 minutes The username already exists
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
39/163
42Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mis-Configurations
Things that people forgot to do Change default usernames and passwords Change default permissions and configurations Remove default contents and scripts Block admin web interface from the Internet
Things that people forgot to undo Security feature X disabled while testing Logging disabled for troubleshooting
File permissions changed during installation Things people did on purpose
Backdoors and Easter eggs Supreme Being permissions on personal accounts
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
40/163
43Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Injections
Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF)
SQL injection Command injection Malicious file execution
Local and remote file inclusion
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
41/163
44Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Control Bypass
Allows attackers to bypass variouscontrols such as: Authentication Authorization Access controls Server and client sandboxes
Session management
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
42/163
45Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Authentication and SessionManagement Exercise
Does the application authenticate users? How do you login, logout, and change your password? Can you reset or recover an account? Are all of these functions protected by encryption? Does the application reveal if a username is valid or not? Does the application provide user lockout?
How does the application track session state? Is the session token predictable?
Is a new session token provided to you at login? Is the session token deleted upon logout? Are authenticated session tokens protected by encryption? Are session token cookie flags set to secure and HttpOnly?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
43/163
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
44/163
49Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
User Agent Switcher
Author: chrispederick Site:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
Purpose: Switch the user agent of web browser Language: Firefox add-on
Features: Predefined set of user agents (IE, robots, iPhone) Flexible editor to customize any user agent
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
45/163
50Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
User Agent Switcher Exercise
On the "Browser info" (A1) page: Try all the built in User-Agents, reloading the page each time Create a new User-Agent using "Googlebot/2.1" Create a new User-Agent to test for XSS
Are there any other pages that show your User-Agent? Which are examples reflected and persistent XSS? Dont forget to switch back to your default UA!!!
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
46/163
51Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
User Agent Switcher Findings "Browser info" (A1) Show log (A1)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
47/163
52Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data Interception Exercise
Enable Tamper Data & Start Tamper(ing) On the "Login" page:
Tamper the request & inspect POST fields Try again but modifying the user/pass
On the "Browser Info" page: Change User-Agent header by hand
Visit other links: Submit, Tamper, or Abort Request
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
48/163
53Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data Interception Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
49/163
54Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data SQLi Fuzzing Exercise
On the "Login" page: Be sure you are NOT logged in Try logging in with user "admin" and a single quote for the
password
Why did you get an error page? Enable the Tamper Data extension and Start Tamper(ing) Intercept a login request for user "admin" and use Tamper
Data's "select all" from their SQL menu to auto-populate the"password" field
Why did this log you in? Why would it be unsafe to try all of Tamper Data's SQL
requests? Create your own SQL menu item in Tamper Data's Option
menu
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
50/163
55Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data SQLi Fuzzing Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
51/163
56Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Tamper Data XSS Fuzzing Exercise
On the "Add to your blog" page: Enable the Tamper Data extension and Start Tamper(ing) Intercept a blog entry request and use Tamper Data's XSS
menu to auto-populate the "input_from_form" field Try every XSS menu entry individually Why didn't any of these work? In Tamper Data's "Option" menu, create your own XSS
menu entry named Quoteless Alert with the followingvalue:
alert(42) Check out the other potential XSS injection points we
identified earlier
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
52/163
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
53/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mutillidae Exploitation
Manual techniques Add N Edit Cookies
Selenium
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
54/163
59Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Exploitation Steps
Recon
Mapping
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
55/163
60Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Step 4: Exploitation
Verifying identified vulnerabilities byattacking and exploiting them
Go after the data or functionality thatreal attackers would go after
Successful exploitation is a steppingstone and should open up a new roundof mapping and discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
56/163
61Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Exploitation Examples
Downloading the contents of a database Uploading a malicious web page Gaining shell on the server Making a target server send data to a remote
host Pivoting from the DMZ to the internal network
Leveraging a target users browser to scanthe internal network Exploiting target users browser vulnerabilities
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
57/163
62Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Manual Techniques
Tool: Web browser (e.g. Firefox) Exercises:
index.php, login.php, add-to-your-blog.php XSS SQLi
Privilege escalation to admin (index.php) Unvalidated redirects & forwards (credits.php)
Findings: (new Mutillidae versions) Check: http://www.irongeek.com/i.php?
page=mutillidae/vulnerabilities
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
58/163
63Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Add N Edit Cookies
Author: goodwill (Add-on aka Cookie Editor) Site: http://addneditcookies.mozdev.org &
https://addons.mozilla.org/en-US/firefox/addon/add-n-edit-cookies/
Purpose: Add and edit session and persistentcookies, plus all their properties
Language: Firefox add-on Features:
Cookie settings take priority over Cookie Editor Cookie search filters
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
59/163
64Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Add N Edit Cookies Exercise
Be sure you are NOT logged in (Logout) &Clear the web browser cache and history
Go to Login & Tamper Data Ensure there are no cookies yet
Login with a valid set of credentials Was a cookie set? What is its value?
Permanently modify the value through CookieEditor, trying to escalate privileges to admin
Are there other cookies used by the web app?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
60/163
65Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Add N Edit Cookies Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
61/163
66Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Selenium
Author: Community project (Selenium IDE) Site: http://seleniumhq.org/projects/ide/ Purpose: Record and play back interactions
with web browser Language: Firefox add-on Features:
Record, edit, debug and play tests (interactions) Click, typing and other actions
IDE for Selenium tests Multi-browser, multi-platform and multi-language
automated web application testing system
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
62/163
67Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Selenium Exercise
Start Selenium IDE Create a New Test Case and name it Login
Be sure you are NOT logged in & Go to Home Start recording (big red button) Go to the Login page and authenticate with a
valid set of credentials
Stop recording & move speed slide to Slow Logout Play the current test case in Selenium
You are logged in as !!
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
63/163
68Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Selenium Findings
2 - PLAY
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
64/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Second Target: DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web applicationdamn vulnerable. Its main goals are to be an aid for security prof
their skills and tools in a legal environment, help web develounderstand the processes of securing web applications and aid
students to teach/learn web application security in a class room
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
65/163
74Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Damn Vulnerable Web App(DVWA)
Project Lead: Ryan Dewhusrt (ethicalhack3r) Site: http://sourceforge.net/projects/dvwa Purpose: a light weight PHP/MySQL web application that is easy to
use and full of vulnerabilities to exploit. Used to learn or teach theart of web application security
Language: PHP Accessing:
http://dvwa https://dvwa
admin password
Notable features: GET requests 3 difficulty levels Includes PHP IDS
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
66/163
75Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Testing Plan for DVWA Mapping Tools:
Nikto FoxyProxy
ZAP Proxy
Spider
Discovery Tools: DirBuster ZAP
Vuln. Scanner Fuzzer
WebScarab Session Analysis
CeWL
Exploitation Tools: sqlmap sqlmap + ZAP BeEF BeEF + Metasploit
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
67/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DVWA Mapping
NiktoFoxyProxy
ZAP (proxy)ZAP (spider)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
68/163
77Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mapping Steps
Recon
Exploitation
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
69/163
78Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Fingerprinting Tasks
Port Scanning nmap Zenmap
Platform Scanning Nikto
Validating HTTP Trace methods wget & curl
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
70/163
79Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
nmap
Author: Fyodor (Gordon Lyon) and many more Site: http://nmap.org Purpose: Premier TCP/IP host and port scanning tool.
Also provides excellent OS fingerprinting, servicefingerprinting, and the Nmap Scripting Engine (NSE)which provides advanced and customizablefunctionality
Language: C/C++ (LUA for NSE scripts)
Syntax:nmap [options] sudo nmap [options]
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
71/163
80Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
nmap Basics
nmap -sP 127.42.84.0-7 Ping sweep 8 of your localhost addresses. (actually does an ARP, ICMP, then TCP 80)
nmap 127.42.84.0/29 Port scans top 1000 TCP ports.
nmap -p 80,443 127.42.84.0/29 Port scans TCP ports 80 & 443
sudo nmap -A 127.42.84.0/29 Port scans top 1000 TCP ports, fingerprints OS and services, then runs NSE scripts
sudo nmap -A -p- localhost Port scans all 65535 TCP ports, fingerprints them, and runs NSE scripts
sudo nmap -sU 127.42.84.0/29 Port scans top 1000 UDP ports
sudo nmap -sU -p- localhost Port scans all 65535 UDP ports. Find more ports?
sudo nmap -sU -p- -A localhost Port scans all 65535 UDP ports, fingerprints them, and runs some NSE scripts. WARNING: Service scanning UDP ports on the Internet can be VERY time consuming
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
72/163
81Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
nmap Optimization
Finding the right balance between speed and false negatives Tune your options on a subset of IPs (first /24 of 127.42.0.0/16)
sudo nmap -p 80,443 127.42.0.0/24sudo nmap -n -PN -p 80,443 -T5 127.42.0.0/24sudo nmap -n -PN -p 80,443 -T5 --max-retries 0 127.42.0.0/24sudo nmap -n -PN -p 80,443 --max-rtt-timeout 100 --min-rtt-timeout
25 --initial-rtt-timeout 50 --max-retries 0 127.42.0.0/24sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096
--max-retries 0 127.42.0.0/24 Now we have a finely tuned scan, lets run on the full /16 subnet
sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096
--max-retries 0 --reason -oN /tmp/AllIPs-ports80_443 127.42.0.0/16sudo nmap -n -PN -sS -sU -p 80,443 -A --max-retries 1 --reason
-oN /tmp/LiveWebServers-Top1000TcpUdpPorts-All 127.42.84.1-5 Understanding Nmap Scripting Engine (NSE)
ls /usr/local/share/nmap/scripts | grep iE http|html
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
73/163
83Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Zenmap
Author: Adriano Monteiro Marques and nmap project Site: http://nmap.org/zenmap Purpose: Graphical nmap interface to make it easier
for beginners, provide basic analysis capabilities,facilitate rescans, display network topologies, andcompare scans
Language: C/C++ Samurai notes:
Two menu items, one runs as root and the other does not
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
74/163
84Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Zenmap Topology
I m a g e s o u r c e : n m a p . o
r g .
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
75/163
85Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Nikto
Author: Sullo Site: http://cirt.net/nikto2 Purpose: A web server scanner that fingerprints,
correlates to known vulnerabilities, and looks forknown malicious or potentially dangerous files/CGIs Language: Perl Syntax:
nikto.pl -host
Samurai notes: Must be in /usr/bin/samurai/Nikto_2
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
76/163
86Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Nikto Exercise
Instructor lead exercise: Updating Nikto
./nikto.pl -update
Running Nikto./nikto.pl -host dvwa
Using Nikto evasion techniques./nikto.pl -host dvwa -evasion 1 [-useproxy]
Using Niktos single request mode./nikto.pl -Single
Using non-default ports in Nikto./nikto.pl -host webgoat -port 8080
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
77/163
87Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Nikto Findings
DVWA: Server type, powered by & outdated versions HTTP methods, robots.txt & CGIs? (-C all)
TRACE method: XST
Interesting resources: config, login, icons,phpinfo
WebGoat: Very limited web platform scan of Tomcat
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
78/163
88Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
wget and curl
Author: Hrvoje Nik ! i &Giuseppe Scrivano
Site: https://www.gnu.org/software/wget/
Purpose: Software package forretrieving files using HTTP,HTTPS and FTP, the mostwidely-used Internet protocols.It is a non-interactive commandline tool, so it may easily becalled from scripts.
Language: C Syntax:
Author: Haxx (Team) Site: http://curl.haxx.se Purpose: curl is a command line
tool for transferring data withURL syntax, supporting DICT,FILE, FTP, FTPS, GOPHER,HTTP, HTTPS, IMAP, IMAPS,LDAP, LDAPS, POP3, POP3S,RTMP, RTSP, SCP, SFTP, SMTP,SMTPS, TELNET and TFTP.
Language: C
Syntax:
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
79/163
89Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
wget and curl Exercise
wget -q -O- http://dvwawget http://dvwa/index.phpwget --user-agent "Googlebot" http://dvwawget --post-data "user=admin" http://dvwawget -spider -e robots=off -r http://dvwaN/AN/AN/A
curl http://dvwacurl -O http://dvwa/index.phpcurl --user-agent "qualys" http://dvwacurl -d "user=admin" http://dvwaN/Acurl -fO http://localhost/icons/[a-z][a-z].gifcurl -X OPTIONS -v http://localhostcurl -X TRACE -v http://dvwa
Primary advantage of wget: basic spidering capabilities Primary advantage of curl: custom HTTP methods Here are some side-by-side examples, each line does the
same thing in each tool:
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
80/163
90Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
wget and curl Findings
Localhost's /doc/ directory had a LOT ofpages
Localhost does in fact have TRACEenabled
Nothing is modifying our requestheaders to the origin server
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
81/163
91Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
FoxyProxy
Author: Eric H. Jung Site: http://getfoxyproxy.org
Purpose: Web browser proxy switcher Language: Firefox add-on
Features: Basic, Standard, Plus http://getfoxyproxy.org/downloads.html#editions
Exercise: Check all options/proxies & create a new local proxy E.g. ZAP = localhost:8080 (Burp)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
82/163
92Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Interception Proxies
Testing tools that "Man-in-the-Middle" yourown traffic
Provide a historic record of all interactions
with the application Provide ability to intercept and modify
requests Provide additional tools to manipulate and
interact with the application Provide a single location to track all of your
notes and findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
83/163
93Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Zed Attack Proxy (ZAP) Lead: Simon Bennetts (Psiinon) Site: code.google.com/p/zaproxy Purpose: An interception proxy
with integrated tools to findvulnerabilities. This project was
forked from Paros Proxy and isactively maintained (unlike Paros). Language: Java Notable Features:
Port Scanner Automated and Passive Scanner Spider, Brute Force, Fuzzing tools Adding Notes and Alerts to request/
response pairs Great "Filters" which allow logging of
unique elements and auto regexsearch/replace
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
84/163
94Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Updating ZAP
Simon and team published the ZAP 1.3.4 releaseprior to this workshop to provide the following newfeatures: Custom input files for the Fuzzing and Brute Force tools Ability to disable recursion in the Brute Force tool Inverse regex searches and Fuzz match highlighting Support for cookies and POST data in third party tools
We'll be using this version (1.3.4) for this workshop Download it at: http://code.google.com/p/zaproxy Extract the files and run "zap.sh Check: /home/samurai/ZAP_1.3.4/zap.sh
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
85/163
95Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
ZAP's Extra Polish
Beautiful Java UI regardless of OS Built in user documentation and help pages Automatically checks for updates Flexible UI allows you to focus on important
items Universal status bar for all tools in one place
Supports 12 languages and growing REST API for advanced users (http://zap) Client certificate and smartcard support
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
86/163
96Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Using Firefox with ZAP
Configuring Firefox to trust ZAP'sdynamic SSL certificates Have ZAP generate a SSL Root CA Save the certificate to your file system Import it into FireFox
Use FoxyProxy to quickly configure
Firefox to use ZAP as a proxy
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
87/163
97Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Mapping Exercise
Which operating system is hosting the application? Which web server and/or application server is hosting the
application? Which language is the application written in?
Which programming model did the developer use? Front Controller uses a single page for all functionality
/index.aspx?action=AddToCard&Item=42
Page Controller uses a separate page for each function /AddToCart.php?Item=42
Model View Controller (MVC) can be much more complex, often using theresource path to specify input instead of actual files and directories
/Product/AddToCard/42
What functionality does the application provide? Are there any process flows involving multiple pages? Have you visited every page and recorded each possible
request/response pair?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
88/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DVWA Discovery
DirBuster ZAP (vulnerability scanner)ZAP (application integration)
ZAP (fuzzer)WebScarab (session analysis)
CeWL
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
89/163
105Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Discovery Steps
Recon
MappingExploitation
Authentication and Session
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
90/163
106Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Authentication and SessionManagement Exercise
Does the application authenticate users? How do you login, logout, and change your password? Can you reset or recover an account? Are all of these functions protected by encryption?
Does the application reveal if a username is valid or not? Does the application provide user lockout?
How does the application track session state? Is the session token predictable? Is a new session token provided to you at login? Is the session token deleted upon logout? Are authenticated session tokens protected by encryption? Are session token cookie flags set to secure and HttpOnly?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
91/163
107Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Data Validation and Brute Force Exercise
Where does the application accept user input? Which inputs are reflected back to the user? Which inputs might be used in queries to a database? Do any inputs appear to be used in system commands?
Do any inputs appear to reference local files? Do any inputs appear to reference remote files?
Possible denial of service issues: Do any requests take a relatively long time to respond? Can any inputs force the application to increase processing
time such as wild card searches? Do any inputs appear to be written to the file system or log? Can user accounts be systematically locked out?
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
92/163
108Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DirBuster
Author: OWASP Project Site: http://www.owasp.org/index.php/
Category:OWASP_DirBuster_Project Purpose: Brute force of web directories and files Language: Java Pros:
Very quick for what it does Has the best list of default files and directories out there
Caveats: Minor stability issues Scans can take a long time if you aren't careful with configs Can overwhelm servers (connections and log disk storage)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
93/163
109Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DirBuster Exercise
Before you do anything, turn off recursion! Takes FOREVER! Scan http://dvwa with the small directory list
Disable recursive checks and brute force file checks /usr/bin/samurai/DirBuster/directory-list-2.3-small.txt
While the scan is running, experiment with the number ofthreads Be careful over 10 threads if you are on in a virtual machine!
Experiment with the other word lists and other settings Try brute forcing localhosts top level directories
Change your scanning type to Pure Brute Force Change the Char set to a-z0-9 Set min length to 1 and max length to 4 Uncheck Brute Force Files
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
94/163
110Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DirBuster Findings
DVWA:
Localhost brute forcing: /doc, /beef
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
95/163
111Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DVWA ZAP Discovery Exercises
1. Finding unlinked resources with theZAP Brute Force tool (recursive?)
2. Passive vulnerability scans3. Active vulnerability scans4. Third party tool integration
We'll be using nikto for the demo Syntax:
nikto -host %site% -port %port%
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
96/163
112Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
ZAP Scanner Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
97/163
113Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
ZAP Application Integration
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
98/163
114Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
ZAP Fuzzer Exercise
Sending manual requests Web browser ZAP - History or Sites - Resend
Fuzzing single parameters /vulnerabilities/sqli?id= ZAP - History or Sites Fuzz
Fuzzing with custom lists /usr/bin/samurai/fuzzdb & jbrofuzz
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
99/163
115Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
ZAP Fuzzer Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
100/163
116Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebScarab
Author: OWASP Project Site: http://www.owasp.org/index.php/
Category:OWASP_WebScarab_Project
Purpose: A web application assessment suitewith an interception proxy, spidering tool,session analysis, Web Services, and more
Language: Java Caveats: Not currently maintained
(WebScarab-NG)
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
101/163
117Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebScarab Session Exercise
Deleting all your cookies in Firefox Check with Cookie Editor or
Capturing a session value (cookie)
DVWA: / WebScarab: SessionID Analysis
Collecting a sample of session values SessionID Analysis: Collection
Analyzing for patterns SessionID Analysis: Analysis & Visualization Real-time
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
102/163
118Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebScarab Session Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
103/163
119Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
CeWL
Author: DigiNinja (Robin Wood) Site: http://www.digininja.org/projects/
cewl.php
Purpose: A wordlist generator which collectswords by spidering websites
Language: Ruby Features: Custom dicts are very useful Syntax:
cewl [options]
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
104/163
120Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
CeWL Exercise
Review the CeWL options d: depth w: write to (dictionary) file e: e-mail addresses a: metadata
Create a wordlist for DVWA
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
105/163
121Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
CeWL Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
106/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
DVWA Exploitation
sqlmapsqlmap + ZAP
BeEFBeEF + Metasploit
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
107/163
123Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Exploitation Steps
Recon
Mapping
Discovery
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
108/163
124Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
SQLMap
Author: Bernardo Damele A. G. (inquis) Site: http://sqlmap.sourceforge.net Purpose: An automated SQL injection tool that both
detects and exploits SQL injection flaws on MySQL,Oracle, PostgreSQL, and MS SQL Server
Language: Python Features: Check the help (-h) Syntax:
sqlmap.py -u [options]
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
109/163
125Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
SQLMap Exercise
Review the options for sqlmap (-h) Run sqlmap on SQL flaw to verify it can
see it (discovery) Use sqlmap to exploit the SQL flaw
Users & Passwords Databases & Tables (-D )
Dump tables contents (-T -D) OS interaction
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
110/163
126Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
SQLMap Findings
Discovery SQL injectable parameter: id= Back-end DB fingerprinting
Users: root DB: dvwa Tables: guestbook & users Dump: Avatar, first name, last name,
password, user user ID
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
111/163
128Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
SQLMap + ZAP Exploitation
SQLMap and ZAP integration Base syntax for ZAP & sqlmap integration:sqlmap -u %url% --cookie=%cookie% -v 0 --drop-
set-cookie [options] Various exploits to add to the above syntax:--dbs (list of databases)--file-read=/etc/passwd (&& cat output/dvwa/files/)
Non-interactive commands
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
112/163
129Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
SQLMap + ZAP Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
113/163
130Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF Author: Wade Alcorn and others Site: http://www.beefproject.com Purpose: A PHP (or Ruby) web-based
interface for command and control of XSS-edzombie browsers including several exploitsand modules
Language: PHP or Ruby
Samurai notes: PHP: /var/www/beef Ruby: /usr/bin/samurai/beef-ruby
( )
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
114/163
131Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF (PHP) Exercise
Accessing the control console (setup?)http://localhost/beef/ui
Spawn a zombie example
/beef/hook/example.php Experiment with the different modules Insert the following hook in the XSS flaw:
Reflected or persistent XSS
B EF (PHP) Fi di
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
115/163
132Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF (PHP) Findings
B EF (R b ) E i
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
116/163
133Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF (Ruby) Exercise
Accessing the control panelhttp://localhost:3000/ui/panel (beef/beef)
Spawn a zombie example
http://localhost:3000/demos/basic.html Experiment with the different commands Insert the following hook in the XSS flaw:
Reflected or persistent XSS
B EF (R b ) Fi di
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
117/163
134Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF (Ruby) Findings
Hi h Q li B EF
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
118/163
135Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
High Quality BeEF
YouTube Channel https://www.youtube.com/user/
TheBeefproject
TunnelingProxy (localhost:6789) Become the victim user on the web-app Burp Suite & sqlmap & (same domain)
XssRays Metasploit integration
M l i
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
119/163
136Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Metasploit
Author: HD Moore and others (Rapid7) Site: http://www.metasploit.org Purpose: The open-source penetration-testing and
exploitation (MetaSploit) Framework (MSF) Language: Ruby Notable Features:
Its up to you to decide !
Syntax:msfconsole, msfcli, msfgui (Armitage), msfpayload
B EF + M t l it E i
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
120/163
137Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF + Metasploit Exercise
Setup BeEF (PHP) /beef/include/msf.inc.php
Setup Metasploit (3.x)> load xmlrpc Pass=BeEFMSFPass
Explore the Metasploit plugins in BeEF Browser Modules MSF Browser Exploit
Check the Browser Exploitation for Fun& Profit Series (http://bit.ly/hWXWZv)
B EF + M t l it Fi di
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
121/163
138Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF + Metasploit Findings
B EF + M t l it E i
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
122/163
139Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
BeEF + Metasploit Exercise
Run BeEF (Ruby) Setup Metasploit (4.x) msgpack
xmlrpc plugin removed (use msgpack)> db_connect > load beef
Site: https://github.com/xntrik/beefmetasploitplugin
Homework !
h d b
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
123/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Third Target: WebGoat
Why the name "WebGoat"? Developers should not feel bknowing security. Even the best programmers make securi
they need is a scapegoat, right?Just blame it on the 'Goat !
W bG t
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
124/163
141Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebGoat
Author: OWASP Project Sponsor: Aspect Security Site: http://www.owasp.org/index.php/
Category:OWASP_WebGoat_Project
Purpose: a deliberately insecure web application designed toteach web application security lessons Language: Java Accessing:
http://webgoat OR http://webgoat:8080/weboat/attack
WebGoat Walkthro ghs
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
125/163
142Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebGoat Walkthroughs
Aung Khant (YGN Ethical Hacker Group) hascreated a series of movies showing possiblesolutions to the WebGoat lessons. Thesetraining movies can be viewed athttp://yehg.net/lab/pr0js/training/webgoat.php
Testing Plan for WebGoat
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
126/163
143Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Testing Plan for WebGoat
Mapping Tools: wget/curl Burp Suite
(Proxy &) Spider Encoder / Decoder Repeater
Discovery Tools: w3af RatProxy
Burp Suite Sequencer Intruder
JBroFuzz
Exploitation Tools: Firebug Burp Suite
Proxy
w3af Payloads MonkeyFist
W bG M i
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
127/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebGoat Mapping
wget/curlBurp Suite (proxy)Burp Suite (spider)
Burp Suite (encoder/decoder)Burp Suite (repeater)
Burp Suite
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
128/163
145Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Burp Suite
Author: PortSwigger Ltd. Site: http://portswigger.net/suite Purpose: A web application assessment suite of tools including
an interception proxy, spidering tool, limited attack tool, sessiontolken analyzer, and others A commercial version exists which adds an automated vulnerability
scanner and extended attack tool
Language: Java Samurai Notes:
Dont forget that interception is on by default
Burp Suite Exercises
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
129/163
146Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Burp Suite Exercises
1. Burp Proxy introduction2. Burp Spider3. Burp Encoder / Decoder4. Burp Repeater
W bG t Di
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
130/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebGoat Discovery
w3af RatProxy
Burp Suite (sequencer)Burp Suite (intruder)
JBroFuzz
w3af
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
131/163
155Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
w3af
Author: Andres Riancho and many others Site: w3af.sourceforge.net Purpose: one of the most feature rich open source web
auditing tools for both automated and semi-automated Phases: mapping, discovery, and exploitation Language: Python Notable Features:
Choice of GUI and CLI interfaces Very scriptable to re-audit apps Includes most python based web auditing tools
Caveats: stability and consistency issues !!!NEVER!!! enable all plugins
w3af Exercise
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
132/163
156Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
w3af Exercise
1. Automated Discovery2. Information Leakage3. Exploitation: Command Injection4. Exploitation: SQLi5. Exploitation: XSS
Basic W3AF Audits
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
133/163
157Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Basic W3AF Audits
2 - Target
RatProxy
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
134/163
162Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
RatProxy Author: Michal Zalewski Site: http://code.google.com/p/ratproxy/ Purpose: A passive web application audit tool that
also includes some flash decompilation capabilities
Language: C Syntax:./ratproxy -v -w -d -lfscm
Things to try: Start ratproxy:
./ratproxy -v ~/tmp/RatProxy -w ~/tmp/RatProxy/Report.log -d webgoat -xtfscgX
Configure Firefox to use ratproxy Start manually exploring http:webgoat Stop ratproxy ( C) and create the report
./ratproxy-report.sh ~/tmp/RatProxy/Report.log > ~/tmp/RatProxy/Report.html
Burp Sequencer Exercise
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
135/163
168Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Burp Sequencer Exercise
Provides the ability to collect andanalyze session keys
Not restricted to session keys.Sequencer will analyze any set of datayou throw at it.
Provides several different types of
mathematical analysis of the given dataset
Burp Intruder Exercise
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
136/163
170Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Burp Intruder Exercise
One of the most flexible web fuzzingtools out there, tied into one of the bestinterception proxies.
Intruder is limited in the free version ofBurp Requests are severely throttled
Not usable. More of tease-ware
JBroFuzz
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
137/163
172Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
JBroFuzz
Author: OWASP Project Site: http://www.owasp.org/index.php/
Category:OWASP_JBroFuzz
Purpose: Generates fuzzed requests andcollects the responses for manual analysis Language: Java
WebGoat Exploitation
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
138/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
WebGoat Exploitation
Firebug Burp Suite (proxy)w3af (payloads)
MonkeyFist
Firebug Exercise
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
139/163
176Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Firebug Exercise
Time to revisit the Firebug extension forFireFox.
Interactive editing of web pages allows you to remove client side filters can interact directly with data full control over AJAX functions in the page
w3af Exploitation Payloads
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
140/163
178Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
w3af Exploitation Payloads
SQLi XSS Command Injection others.....
Monkeyfist
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
141/163
182Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Monkeyfist
Author: Hexagon Security Group Site: http://hexsec.com/misc/monkeyfist Purpose: MonkeyFist is a tool that creates dynamic request
forgeries based on cross-domain data leakage. The tool thenconstructs a payload based on data in the payloads.xml file andsends it to the user's browser. This may include session databypassing protection mechanisms for Cross-Site RequestForgery.
Language: Python
Final Target: Samurai
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
142/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Dojo A dojo ( , d j) is a Japanese term which literally means "place ofInitially, d j were adjunct to temples. The term can refer to a formplace for any of the Japanese do arts but typically it is considere gathering place for students of any Japanese martial arts style
training, examinations and other related encounters. -- Wik
Student Challenge
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
143/163
188Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Student Challenge
You can find the challenge at http://dojo Collect as many keys as you can
Up to 20 keys could be found (err but it appears some are broken " )
Keys look like: 1dcca23355272056f04fe8bf20edfce0 A key ID will be with or near the actual key
such as KEY00=1dcca23355272056f04fe8bf20edfce0
Keys can be found in all steps of the methodology, so dontfocus only on exploitation
Bonus points: How were the keys generated? Can you you calculate what the 21 st key would be?
STOP
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
144/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
STOP
The next page contains the Student Challenge answeYouve been warned.
STOP NOW
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
145/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
I'm not joking this time
So I lied about the next page containing the answerIts really the NEXT page.
(Full Disclosure: I Needed a second stop page because books have show
Walkthrough: Keys 0-4
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
146/163
191Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Walkthrough: Keys 0 4
Key 00 = cfcd208495d565ef66e7dff9f98764da allowed HTTP method in OPTIONS method response
Key 01 = a1d0c6e83f027327d8461063f4ac58a6 in TRACE file in web root
Key 02 = 68d30a9594728bc39aa24be94b319d21 in header parameter Server on all responses
Key 03 = 069059b7ef840f0c74a814ec9237b6ec used as your session variable 50% of the time
Key 04 = 006f52e9102a8d3be2fe5614f42ba989 html comment on index.php
Walkthrough: Keys 5-9
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
147/163
192Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Walkthrough: Keys 5 9
Key 05 = 6f3ef77ac0e3619e98159e9b6febf557 ??? brute force password
Key 06 = 03c6b06952c750899bb03d998e631860 GET parameter in /admin/index.php form submit
Key 07 = 6883966fd8f918a4aa29be29d2c386fb default text for comment field on contactus.php
Key 08 = 6855456e2fe46a9d49d3d3af4f57443d hidden field on support.php
Key 09 = 8bf1211fd4b7b94528899de0a43b9fb3 currently not placed
Walkthrough: Keys 10-14
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
148/163
193Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Walkthrough: Keys 10 14
Key 10 = b6f0479ae87d244975439c6124592772 meta tag on kevin.php
Key 11 = 51d92be1c60d1db1d2e5e7a07da55b26 in unlinked directory crack in file called key11
Key 12 = b337e84de8752b27eda3a12363109e80 DNS entry in a zone transfer
Key 13 = ed265bc903a5a097f61d3ec064d96d2e hidden in database (missing half the number)
Key 14 = daca41214b39c5dc66674d09081940f0 hidden outside of web root
Walkthrough: Keys 15-19
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
149/163
194Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Walkthrough: Keys 15 19
Key 15 = 9cc138f8dc04cbf16240daa92d8d50e2 dissallow entry in robots.txt
Key 16 = 2dea61eed4bceec564a00115c4d21334 Allowed domain in crossdomain.xml
Key 17 = d14220ee66aeec73c49038385428ec4c new HTTP header response value in all responses
Key 18 = 2823f4797102ce1a1aec05359cc16dd9 default directory in web root
Key 19 = 9e3cfc48eccf81a0d57663e129aef3cb brute force password abc123 on /admin/index.php
Next Steps
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
150/163
195Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Next Steps
We will all continue to learn A few things will help us down that path
Continue exploring the tools Build a test lab Teach others Join projects
Contact Information
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
151/163
197Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Co tact o at o
Raul SilesFounder & Senior Security Analyst
@taddong
Upcoming Samurai-WTF courses:
APPENDICES
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
152/163
Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
APPENDICES
Extra material if time allows
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
153/163
Recon Outline
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
154/163
200Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Domain and IP Registrations Google Hacking Social Networks DNS Interrogation and ZT Fierce Domain Scanner
Domain and IP Registrations
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
155/163
201Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
g
What is WHOIS & RIRs? A protocol for searching Internet registration databases
based on RFC 3912 for domain names, IPs, and autonomoussystems (AS)
Regional IP Registrars: AfriNIC, APNIC, ARIN, LACNIC, RIPE
Common tools to use: whois command line tool (standard with Linux and Macs) http://www.whois.net or http://www.internic.net/whois.html
Examples to Try: whois secureideas.net whois 66.135.50.185 whois kevin johnson (should fail, why?) whois h whois.arin.net kevin johnson
WHOIS Findings
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
156/163
202Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
g
Contact Information Employees / Users: Denise Johnson, Frank DiMaggio Address: 661 Blanding Blvd., S.103 #351, Orange Park, Florida 32073 Phone: 904-403-8024 Emails: [email protected], [email protected]
Owned Domain Names secureideas.net (5/20/2003 - 5/20/2012, updated (bi)annually)
Name Servers: NS1.SECUREIDEAS.NET (66.135.50.185) NS2.SECUREIDEAS.NET (66.135.47.101)
Registrar: GoDaddy.com ISP or Hosting Provider: ServerBeach (San Antonio, TX)
SERVER-17 (possible SERVER-32 & SERVER-33) AS13768 & 66.135.32.0/19
Google Hacking / Google Dorks
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
157/163
203Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
g g g
What is Google hacking? Using Google advanced operators to search for interesting
information Jonny Longs GHDB
http://www.hackersforcharity.org/ghdb
Also great for Social Network Farming
Examples: intitle:Index+of..etc+passwd intitle:admin+intitle:login
intitle:index.of.private intitle:ColdFusion+Administrator+Login filetype:asmx OR filetype:jws inurl:asmx?wsdl OR inurl:jws?wsdl
Social Networks
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
158/163
204Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Precursor to Social Networks Usenet (Google Groups Deja News acquisition) Mailing lists Web Forums
Modern day Social Networks Facebook Linkedin Myspace Twitter
Ning Orkut
Several methods exist to harvest data from these site
gpscan
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
159/163
205Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
gp
Author: Robin Wood Site: http://www.digininja.org/projects/gpscan.php Purpose: Uses Google to search for Google Profiles
(gp) of individuals working at specific companies Language: Ruby Syntax:
gpscan.rb
Examples to try:
./gpscan.rb redhat
./gpscan.rb owasp
./gpscan.rb google
./gpscan.rb hewlett packard
Changes in the serviceinterface (or API), e.g.Google, might break thetool/script!
DNS Interrogation
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
160/163
206Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
g
Common tools: host (default on Linux and Macs) dig (default on Linux and Macs) nslookup (default on everything)
Forward lookups:host www.samurai-wtf.orgdig www.samurai-wtf.orgnslookup www.samurai-wtf.org
Reverse lookups:host 66.135.50.185dig -x 66.135.50.185nslookup 66.135.50.185
DNS Zone Transfers
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
161/163
207Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Made so administrators dont have to update each DNS serverseparately (DNS server synchronization)
Often left wide open internally and occasionally to the Internet Must query an authoritative server for the domain Make sure you try all authoritative servers, only one might work Examples to try:
dig -t AXFR secureideas.net (should fail, why?)dig -t NS secureideas.netdig -t AXFR secureideas.net @ns1.secureideas.netdig -t AXFR secureideas.net @ns2.secureideas.net
host -la secureideas.net (should work, why?)host -t ns secureideas.nethost -la secureideas.net ns1.secureideas.nethost -la secureideas.net ns2.secureideas.net
Fierce Domain Scanner
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
162/163
208Copyright 2009-2012 Justin Searle / Raul Siles - This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License
Author: RSnake Site: http://ha.ckers.org/fierce Purpose: Performs forward and reverse lookups
recursively until target IPs and domains are
exhausted (wordlist based) Language: Perl Syntax:
./fierce.pl -dns
Examples to try:./fierce.pl dns secureideas.net
8/13/2019 SamuraiWTF Course Slides v9.0 - AppSecDC2012
163/163