Developer/Security 542 Web App Penetration Testing and Ethical Hacking

March 7-12, 2011

Instructor: Kevin Johnson

• 5000 facebook accounts
• Has twin brother Keith
• Worked with Matt Carpener
• graduated H.S. 1991

Elluminate being used for video broadcast to about 30 remote students

Sponsers:

• Aruba Networks
• FireEye
• IBM

Quote from a tee shirt: I am a bomb Technician, if you see me running, try to keep up.

Breaks:

• 1030-1050
• 1500-1520

Lunch:

• 12-1330

Randy's Cell 250-7681

Open Source Vulnerability Bulletin Board, OSVBB

Security Testing should be part of Job description

HTTP/1.1 defined in RFC 2616

http://tools.ietf.org/rfc2616

original design considerations

http://www.w3.org/Protocols/DesignIssues.html

GET http://www.google.com HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; NET CLR 1.1.4322; .NET CLR 2.0.50727) Paros/3.2.13
Host: www.google.com
Proxy-Connection: Keep-Alive
Cookie:PREF=ID=6aa36b...:LM=11198...:GM=1:S=CZy0...
Content-length:0

Mozilla/4.0 - This signifies that the browser is compliant with the standards set by netscape

MSIE 7.0 - Internet Explorer 7.0 is the software type

Windows NT 5.1 - This browser is running on Windows XP

NET CLR 1.1.4322; .NET CLR 2.0.50727 - These two versions of the .NET client are supported

Paros/3.2.13 - added by Paros

• Windows NT 6.0 - Windows Vista; Windows server 2008
• Windows NT 5.2 - Windows Server 2003; Windows XP x64 Edition
• Windows NT 5.1 - Windows XP
• Windows NT 5.01 - Windows 2000, Service Pack 1 (SP1)
• Windows NT 5.0 - Windows 2000
• Windows NT 4.0 - Windows NT
• Win 9x 4.90 - Windows Millennium Edition (Windows Me)
• Windows 98 - Windows 98
• Windows 95 - Windows 95
• Windows CE - Windows CE

* McAffee dropp(ed) App Firewall if “scanalert” (is)was in the user agent field

rfc2616

Prevents scripts from running code from another site.

GET
POST
HEAD
TRACE
OPTIONS
CONNECT
PUT
DELETE

Check if OPTIONS is enabled - it is not necessary.

• 1xx Informational
  • 100 Continue
• 2xx Success
  • 200 OK
• 3xx Redirection
  • 302 Redirect
  • 304 Not modified
• 4xx Client Error
  • 401 Unauthorized
  • 404 Not Found
• 5xx Server Error
  • 500 Server Error
  • 502 Bad Gateway

$ nc www.sec542.org 80
POST /form_auth/login.php HTTP/1.0
Content-Length: 42

user=testuser&pass=opensesame&button=Login

• Basic ..1.49
• Digest ..1.51
• HTTP Client Certificate Authentication ..1.54
• Windows Integrated Authentication ..1.57
• Forms Based ..1.60

paros - as a simple proxy - a new fork is zap by owasp

examples use this for Authentication

cd /usr/bin/samurai/paros
java -jar paros.jar

• Client Side vs. Server Side ..1.77

• Session ID
  • Cookies ..1.78
  • URL Encoding ..1.79
  • Hidden form fields ..1.80

SSL v2, turn it off

• Wireshark on Web server
  • import key to decrypt Data

• Black Box ..1.95
• Crystal Box ..1.96
• Grey Box ..1.97

• Preparation ..1.103
• Mananging ..1.104
• Scope ..1.105
• Gathering Information ..1.106
• Rules of Engagement ..1.107
• Identifying Tester Traffic ..1.108
• Time ..1.109
• Communications Planning ..1.110

1. Executive summary ..1.114
2. Introduction ..1.115
3. Methodology ..1.116
4. Findings - includes recommendations ..1.117
5. Conclusions .. 1.118

Chris Dickerson - Just released a sample report

• twitter ID indi303
• exotic liability podcast

• CAL9000
  • OWASP Project written in HTML and JavaScript that runs in browser
• Freemind
  • mind mapping
• Wiki

• Reconnaissance ..1.127
  • Begin with Zone Transfer
• Mapping ..1.130
  • Spidering
    • Burp
    • w3af
• Discovery ..1.132
  • finding issues, not exploiting them
• Exploitation ..1.133
  • actually attacking flaws

• Information Leakage ..1.126
• Configuration Flaws ..1.137
• Bypass Flaws ..1.138
  • Authentication bypass
  • Authorization bypass
  • File control bypass
  • Front-end bypass
• Injection Flaws ..1.139
  • Command injection
  • Code Injection
  • SQL Injection
  • Cross Site Scripting (XSS)
  • HTTP Response Splitting
  • Cross Site Request Forgery (CSRF)
    • targets the trust a site has in the user. For Example, performing bank transactions on the target's behalf.

Inline HTML

as a script tag

<script>alert("Sec542 Rocks")</script>

as part of an HTML item

<img src="images/logo.gif" onload="javascript:alert('Loaded');">

loaded from another document

<script src=http://www.inguardians.com/malicious.js>

copy the HTML file from the JavaScript directory and the DVD to your desktop

Between Head tags add:

Between <head> and </head> tags, add:
<script>alert("Hello World!");</script>

Test index.html

Change to

<script src="attack.js"></script>

Create a file called attack.js and put in it:

alert("Hello World!");

Test index.html

change attack.js to

function formChange() {
  document.forms[1].action="http://www.sec542.org/"
  document.forms[1].sushi.value="Toro"
}

In the index.html file:

<body onload="formChange();">

Reload the page in the browser. Submit the form to see the URI change

Add this to the attack.js file

function createCookie() {
     document.cookie = "userid=kevin;expires=Fri, 27-Feb-2009;path=/";
}

In the index.html file, add the mouseover event

<form id="login" onmouseover=alert(document.cookie);" name="login" action="#" method="post">

• The work Toro should be pre-filled
• A pop-up should be displayed due to mousover
• pop-up should contain cookie

Python scripting

create a file beginning with

#!/usr/bin/python

chmod 755 custom.py

#!/usr/bin/python

import httplib
conn = httplib.HTTPConnection("www.sec542.org")
url = "/python/index.php
conn.request('GET',url)
reps = conn.getresponse()

print resp.getheader("Server")
print resp.getheader("Date")
print resp.getheader("Cookie")

n = 1
outfile = open("results.txt","a")

while n<=100:
  conn = httplib.HTTPConnextion("www.sec542.org")
  url = "/python/index.php?id="+str(n)
  conn.request('GET',url)
  resp = conn.getresponse()
  print resp.getheader("Server")
  print resp.getheader("Date")
  print resp.getheader("Cookie")
  respcode = resp.status
  outfile.write(result)
  n+=1

whatis whois

whois for fbcgalax.org, www2.sans.org, www3.sans.org

Looking at hosted services

nslookup [host] [DNS_server]

set debug gives more information

nslookup is depricated on Linux for dig

• -t MX
• -t AXFR
• -t ANY

Simple scanner designed to find hosts within a domain by Robert “RSnake” Hansen and updated to 2.0 by Joshua “Jabra” Abraham

• performs a series of test to find hosts within a domain
  • queries the system DNS servers to find target DNS servers
  • Attempts to retrieve SOA records
  • Proceeds to guess host names using a wordlist
  • Once an IP address is found, does a reverse lookup on next 5 and previous 5 IP addresses
  • Uses a set of prefixes to find hosts (i.e. www2, www3)

Lookup various hosts in a domain

perl fierce.pl -dns sec542.org

Scan an IP range

perl fierce.pl -range 192.168.1.0-255 -dnsservers ns1.sec542.org

Perform reverse lookups after finding CNAMEs

perl fierce.pl -dns sec542.org -wide -output output.txt

nslookup mail.sec542.org

dig sec542.org
dig sed542.org mx

perform zone transfer

dig AXFR sec542.org

host -la sec542.org

Fierce

cd /usr/bin/samurai/fierce2

run fierce with a DNS name specified

fierce -dns sec542.org

run fierce on an IP range

fierce -range 192.168.1.0-255 -dnsservers 192.168.1.41

• Facebook
• Linked-In
• MySpace

• MSN - Bing

ip:72.14.204.147

• Yahoo
• Altavista
• Google

site:www.sans.org
inurl:phpinfo
intitle:"Admin Login"
link:sans.org
ext:xls

Quotes for literal matches

"sans Web Application"

“-” omits pages or pages with specific strings from results

site:sans.org -site:www.sans.org
site:sans.org -handlers

• “*” is used as a keyword wildcard
• “+” forces Google to include ignored words
  • “the”
  • “and”
  • “or”, etc

• groups.google.com
• also supports

author:kevin@inguardians.com
insubject:"Problems with my code"

• Converts Google SOAP API requests into general searches of the Google website
• violates google's terms of service

• Aura is needed if you do not have a Google SOAP API key

• Aura is needed if you do not have a Google SOAP API key

• Google may block the IP address for 1 to 24 hours

• Automated search method showing new results based on any search terms

Robin Wood created gpscan.rb to search Google profiles for specific targets

./gpscan.rb Microsoft

http://www.digininja.org/projects/gpscan.php

Jason Wood created the LinkedIn user name generator Reconnoiter

./usernameGen.py InGuardians 10

http://www/jwnetworksconsulting.com/blog

• mapping tool that finds the relationships between people, sites and companies
• Community and Professional versions available

• Port Scan
  • OS Fingerprinting
    • SSL Analysis
      • Virtual Hosting & Load Balancer Analysis
        • Software Configuration Analysis
          • Spidering
            • Detailed Analysis of Spidering Results

sudo nmap -sV -O www.inguardians.com

• Passively detects operating system types based on traffic generated by target
• http://lcamtuf.coredump.cx/p0f.shtml

sudo nmap -sV -O www.inguardians.com

printf "GET / HTTP/1.0\n\n" | nc -v www.inguardians.com 80

(This does not work on my laptop.)

• fingerprint web servers
• http://www.net-square.com/httprint

Side note:

• Apache capitalizes Header Responses
• IIS switches the order of Referer

• Webserver analysis site, reportin server use statistics for public sites
• Kevin does not want to reveal customer information to netcraft

$ nc www.sec542.org 80
HEAD / HTTP/1.0
<enter><enter>

$ nc www.sec542.org 443
HEAD / HTTP/1.0
<enter><enter>

(No SSL, so it cannot connect.)

nmap -sV www.sec542.org

• *Applications, Wine, Programs, HTTPrint Options, uncheck ICMP enable item in the “ICMP (Ping before testing)” area and click “OK” Load, play**.

• Anything below SSLv3 or TLSv1 is older and has issues

• openssl
• THCSSLCheck
• sitedigger

Test for SSLv2

openssl s_client -connect www.aoe.vt.edu:443 -ssl2

Test for NULL Cipher (clear text)

openssl s_client -connect www.aoe.vt.edu:443 -cipher NULL

Verify SSLv3

openssl s_client -connect www.aoe.vt.edu:443 -ssl3

script from sslthing

if ! [ $1]; then
  echo syntax: $0 host:sslport [-v]
  exit
fi

if ! [ -e $ossl ]; then
  echo The path to openssl is wrong, please edit $0
  exit
fi

## Request available ciphers from openssl and test them for ssl in -ssl2 -tls1
for ssl in -ssl2 -tls1
do
  echo Testing `echo $ssl | cut -c2- | tr "a-z "A-Z"'...
  $ossl ciphers $ssl -v | while read line
  do
    ciphers=`echo $line | awk '{print $1}'`
    bits=`echo $line | awk '{print $5}' | cut -f2 -d\( | cut -f1 -d\)`
    if  ($ossl s_client $ssl -cipher $cipher -connect $1 < sslthing.tmp 2>&1 | grep ^New > /dev/null); then
      if [ $2 ]; then
        echo OK
      else
        echo $cipher - $bits bits
      fi
    else
      if [$2 ]; then
        echo Failed
      fi
    fi
  done | grep -v error
don

• Windows exe, but can run in Wine

• Foundstone tool

Run the command using wine

$ TCHSSLCheck.exe www.sec542.org 443 > ~/THC_443.txt

Fixme messages won't affect the program

$ TCHSSLCheck.exe www.sec542.org 10000 > ~/THC_10000.txt

cd /usr/bin/samurai/sslthing
./sslthing www.sec542.org:443 > ~/Thing_443.txt
./sslthing www.sec542.org:10000 > ~/Thing_10000.txt

Bing

ip:<ip address>

• url analysis
• Timestamp analysis
• Last modified values comparison
• Load balancer cookies detection
• SSL differences
• HTML source code discrepancies

#!/bin/bash
for method in GET POST PUT TRACE CONNECT OPTIONS;
do
  printf "$method / HTTP/1.1\nHost: www.aoe.vt.edu\n\n | nc www.aoe.vt.edu 80
done

cd /usr/bin/samurai/nikto
./nikto.pl -host www.sec542.org -Format HTM -output ~/nikto.html

robots.txt

User-agent: *
Disallow: /images/
Disallow: /css/

individual pages

• Tags to prevent caching of the content

These should both be use as different clients respect each of them

<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

• Tags to control search engine spiders and where they go

These are useful for controlling search engine spiders and where they go

<META NAME="ROBOTS" CONTENT="INDEX,NOFOLLOW">
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">

Robot Exclusion Protocol - http://www.robotstxt.org

• ignores robots.txt and robots meta tags
• Select Fetch Recursively check box
• then click Fetch Tree
• from OWASP

• www.parosproxy.org

• Free basic version
• browse to site and select spider check box
• available from portswigger.net

• -r recurse option
• -l [N] maximum link recursion depth (default is 5)
• adheres to robots.txt directives
• to ignore robots.txt

robots=off

• CeWL from Robin “digininja” Wood http://www.digininja.org
• spiders a web site and then generates a word list for use as passwords or other dictionary attacks
  • will grab information from EXIF data

wget -r http://www.sec542.org --no-check-certificate

java -jar webscarab.jar
  spidering tab
  browse to site
  Fetch Tree
  Fetch Tree until no other pages are found

cd /usr/bin/samurai/burpsuite_v1.2
  java -jar burpsuite_v1.2.jar
  check spider running check box

cd /usr/bin/samurai/cewl
./cewl.rb http://www.sec542.org
./cewl.rb http://www.sec542.org -w ~/cewl_wordlist

• Comments that reveal useful or sensitive information
• Commented code and links
• Disabled functionality
• Linked Servers

w3m -dump index.html > index.txt

• Visio - has capability built in
• Kivio for Linux
• Omnigraffle for MacOSX ..2 154
• WebScarab, Burp and w3af has graphing built in ..2.155

Dreamweaver has notes for pages which get put in _notes with .mno extension

directory-list-2.3-small.txt
directory-list-2.3-medium.txt
directory-list-2.3-big.txt
directory-list-2.3-lowercase-2.3-big.txt

cd /usr/bin/samurai/DirBuster-1.0-RC1
java -jar DirBuster-1.0-RC1.jar
  Enter http://www/sec542.org in Target URL
  Browse to select word list
  other options as desired
  Select start

cd /usr/bin/samurai
java -jar webscarab.jar
  Session ID Analysis
    Select session within "Previous Requests:" drop down
    Click Test

On Sec542 Target VM

cd Desktop/Jetty
./runjetty.sh

jetty runs on port 8080

Select "GET http://www.sec542.org:8080/examples/servlet/SessionExample 200 OK" from "Previous Requests:"
click Test
set the number of samples to 1000 and click fetch
switch to the analysis tab

cd /usr/bin/samurai/burpsuite_v1.2
java -jar burpsuite_v1.2.jar
Clear Private Data including cookies in Firefox
Switch to Burp proxy and visit Jetty and Webmin bookmarks
Right Click SessionExample and select send to sequencer
Select sequencer tab the select each URL in turn and click "start capture".
click "analyze now"
click "Stop" when finished

Who does Kevin Johnson follow:

• twitter
  • Robin Wood
  • Chris John Rilley
  • Jason Wood - in Utah

Who are the up and coming people?

• Frank Majo
• Jack Daniel

• this part of the methodology starts the exploitation part of the test

• Web scanners interact with the site, through spidering or proxies and this interaction actually changes the way the plug-ins send traffic.

• http://grendel-scan.com
• automates a large portion of the discovery step
• provides a manual interface for manual interaction during the automatic scan
• further work has been done, but not released in a new version. Some updates are in code repositories.

* two methods

• typical spider, but can provide one or more URL's for the spider to start with
• interception proxy, allows user to manually walk through the application. Grendal-scan the uses these pages as a basis of it's scan.

• things requiring human interaction
  • Form submission pages
  • Dynamic JavaScript creating links

cd /usr/bin/samurai/grendel-scan
./grendel.sh

Enter the target URL's and click add (one at a time)

http://www.sec542.org
http://www.sec542.org/scanners

Output directory

/home/samurai/scanresults/grendel/

Select plug-ins

• default scan except
  • uncheck website mirror under application architecture
  • check Comment Lister under information leakage

In the menu, select:

Scan -> Start Scan

Launch Firefox and select Grendel-Scan in the SwitchProxy toolbar

select the bookmark for BASE

This adds this url to the Grendel scan

open report.html in a browser.

• open source web application scanner
• http://w3af.sourceforge.net
• GUI and command line interface (similar to Metasploit)
• w3af is designed to perform the spidering part of mapping, all of the server-side vulnerability discovery and exploitation
  • it bundles multiple tools such as sqlmap and BeEF built in as modules
• run the latest development versions
• GUI uses profiles ..3.22
  • enter url, including protocol as the starting point for the scan.
• The w3af Console ..3.23

$ ./w3af_console
w3qf>>> plugins
w3af/plugins>>> output console,textfile
w3af/plugins>>> output config textFile

• a script file can be created with the commands in it ..3.24

$ w3af_console -s filename

• discovery plugins ..3.25
  • Robots Reader
    • Reads and report on the robots.txt file
  • Detect Transparent Proxy
    • Uses Trace method to find proxies
  • Google Spider
    • spider using google cache
• Evasion plugins ..3.26
  • Modification that bypass mod_security installations
  • adding self-referential directories to the URL
    • http://www.sec542.org/./cgi-bin/./script.pl
  • using hex encoding
  • Changing the case of letter randomly
• w3af Audit Plug-Ins ..3.37
  • discovery step in this course
  • tries to find flaws
    • XSS
    • SQL injection
    • Response splitting
  • some examples of Audit plugins
    • sslCertificate
      • finds issues with SSL confugurations
    • unSSL
      • Determines if SSL content is available via HTTP
    • osCommanding
      • Attempts to find command injection flaws
• w3af Grep Plug-Ins ..3.28
  • Path disclosure
  • Code being disclosed
  • AJAX code
  • E-mail addresses
  • w3af can even determine the language used in the site
• w3af Brute force plug-ins
  • use information gathered by the other plug-ins
    • E-mails gathered can be used as usernames
    • Words form the site can be used as passwords
  • Currently the brute force plug-ins are available for
    • Forms based authentication
    • HTTP Basic authentication
    • No Digest
    • No NTLM
• Running w3af
  • enter one url to start the test from(one is the limit)
  • create a profile
    • select which plug-ins to use
    • select output
    • make sure that in the configuration of the spider, you limit it to the target
  • press Start
• w3af Results
  • response navigator tab will allow for search strings
• w3af exploitation
  • depending on the discovered flaw, these features can be used to
    • get command shell access of target web server
    • hook browsers via XSS flaws in the server
    • interact with a command shell on a database server using sqlmap
    • numerous others
• Kevin's favorite open source tool

cd /usr/bin/samurai/w3af
./w3af_gui

click profile menu and select new profile. Give it a name such as sec542

In the target URL, enter https://www.sec542.org/scanners

• select the following plug-ins
  • Audit
    • osCommanding
    • sqli
    • sslCertificate
    • unSSL
  • Discovery
    • allowed Methods
    • phpEggs
    • serverHeader
    • webSpider
  • Output
    • gtkOutput
    • htmlFile
• Save Configuration - button on the plug-in screen

• after the scan completes, select exploit tab. Then right click on the osCommandingShell and select “Exploit all untill successful”. We should see the shell become listed in the right hand window. Double-click on this listed shell opens the shell for us to use it.
• Use the shell
  • Only use non-interactive commands like, id, who and uname -a

• Examine the Results
  • report.html

• http://portswigger.net
• low level access to http protocol, but not as user friendly as WebScarab
• can automatically rewrite requests

• Burp Proxy
  • intercepts http/s connections
• Burp Spider
  • Crawls a web site
• Burp Intruder
  • Attack tool that contains a large number of attack methods
• Burp Repeater
  • Repeats interactions/attacks
• Burp Sequencer
  • Analyzes session tokens
• Burp Decoder
  • Decodes various types of encoding for textual information
• Burp Comparer
  • Compares two pages together, implementing a form of “diff”

• Includes fine-grained rules to determine which requests/responses are intercepted
• Proxy can automatically re-write HTML
  • Can be used to remove client sidefiltering or input limits

• requests sent through the proxy can be used to start the spider (right click in proxy, “send to spider”)
  • By default, it starts with the most recent (check “Spider Running”)
• Handles more difficult client side code
• authenticates using credentials
• stores predetermined answers for forms

• automated attack tool
• send requests from other tools to intruder
• limited in free version – fuzzer is throttled

• resubmits transactions
• shows request and responses
• stops after 10 re-directs to prevent looping
• used to manually modify the request before submitting it

• Analyzes randomness of session tokens

• Encodes and Decodes data
• commonly used to decode base64 data

• looks at two different items (requests or responses) to see the difference
• Byte level or word level
  • It uses whitespace to determine words

• register_globals
• display_errors
• allow_url_fopen