Chapter II Investigation
Gilberto Najera-gutierrez
Translator: Dragon
Protocol: CC BY-NC-SA 4.0
Brief introduction
In each penetration test, there is a set of processes for both the network and the Web application. There are a number of steps that need to be completed to increase our chances of discovering and leveraging every possible vulnerability that affects our goals. For example:
Investigation
Enumeration
Use
Maintain access
Clear the trail.
In a Web test scenario, detection is a level where testers must identify all the possible components of a network, a firewall, and an intrusion detection system. They also collect the greatest information about companies, networks, and employees. In our example, for WEB application penetration testing, this phase focuses on understanding the application, database, user, server, and application and the relationship between us.
Detection is a necessary phase in every penetration test. The more target information we get, the more options we have when we discover and exploit vulnerabilities.
2.1 Using NMAP to scan and identify services
Nmap is probably the most widely used port scanner in the world. He can be used to identify active hosts, scan TCP and UDP open ports, detect firewalls, get service versions running on remote hosts, or even use scripts to discover and exploit vulnerabilities.
In this cheats, we use Nmap to identify all the services running on the target application. For instructional purposes, we will invoke Nmap several times to implement it, but this can be done with a single command.
Get ready
We just need to get the VULNERABLE_VM up and running.
Operation Steps
First, we're going to see if the server responds to the ping, or if the server is open:
nmap192.168.56.102
Now we're up until it's open let's see which ports are open:
nmap192.168.56.102
Now, let Nmap ask the server what version of the service is running and guess the operating system based on it.
-sV-O192.168.56.10
We can see that our VULNERABLE_VM uses the Linux 2.6 kernel with Apache 2.2.14 Web server, PHP 5.3.2, and others.
Working principle
Nmap is a port scanner, which means it can send packets to some TCP or UDP ports that specify IP, and check for responses. If so, this means that the port is open, so the service is running on the port.
In the first name, using -sn
parameters, we let Nmap only check if the server responds to an ICMP request (or ping). Our server responds, so it is active.
The second command is the simplest way to call Nmap, which specifies only the destination IP. The thing to do is to ping the server first, and if it responds, Nmap sends a probe to the list of 1000 TCP ports to see which Port responds and then reports the result of the response port.
The third command adds the following two tasks to the second one:
-sV
Request the banner (head or self-identification) of each discovered open port, which is what it uses as a version.
-O
Tell Nmap to try to guess which operating system is running on the target. Information that is collected using open ports and versions.
More
There are some other useful parameters:
-sT
: Typically, when you run Nmap under the root user, it uses the SYN scan type. With this parameter, we force the scanner to perform a fully connected scan. It is slower and leaves a record in the server's log, but it is unlikely to be detected by the intrusion detection system.
-Pn
: If we already know that the host is active or not responding to ping, we can use this parameter to tell Nmap to skip the ping test and scan all specified targets, assuming they are open.
-v
: This turns on verbose mode. Nmap will show you more information about what it does and how it gets back. Parameters can be repeated multiple times in the same command: the more the number, the more detailed (that is, -vv
or -v -v -v -v
).
-p N1,N2,Nn
: If we are going to test a particular port or some non-standard port, we might want this parameter. N1
to the Nn
port that is intended to let NMAP scan. For example, to scan ports 21,80 to 90, and 137, the parameters should be: -p 21,80-90,137
.
--script=script_name
: Nmap contains a number of useful vulnerability detection, scanning and identification, login testing, command execution, user enumeration, and other scripts. Use this parameter to tell Nmap to run the script on the target's open port. You may want to look at some Nmap scripts, which are in: https://nmap.org/nsedoc/scripts/
.
See Also
Although it is most popular, Nmap is not the only port scanner available, and, depending on the preferences, may not be the best. Here are some of the other alternatives included in the Kali:
- Unicornscan
- Hping3
- Masscan
- Amap
- Metasploit Scanning Module
2.2 Identifying the Web application firewall
A Web application firewall (WAF) is a device or software that can check packets sent to a WEB server to identify and block possible malicious packets, which are typically based on signatures or regular expressions.
If a WAF that is not detected has blocked our request or blocked our IP, we will have to deal with a lot of trouble in our penetration testing. When performing penetration testing, the reconnaissance plane must contain detection and is either a WAF, an intrusion detection system (IDS), or an intrusion prevention system (IPS). This is a must, in order to take the necessary means to prevent being blocked or forbidden.
In this cheats, we will use different methods and cooperate with Kali Linux tools, Ali for detecting and recognizing the existence of the target and the Web application firewall between us.
Operation Steps
-
Nmap contains scripts to test the existence of a WAF. Let's try them on VULNERABLE-VM:
nmap -p 80 , 443 -- Script= http-waf -detect 192.168 .56 .102
OK, no WAF detected. So there is no WAF on this server.
-
Now let's try the same command on the server that really owns the firewall. Here, we'll use example.com
, but you can try it on any protected server.
nmap -p 80 , 443 -- script= http-waf -detect Www Example COM
Imperva is one of the leading brands in the WEB application firewall market. As we see here, there is a device that protects the site.
Here is another Nmap script that can help us identify the devices used and be more precise. The script is below:
-p80,443--script=http-waf-fingerprint www.example.com
Another Kali Linux comes with a tool that can help us detect and be a WAF, which is called waf00f
. Consider www.example.com
a site protected by a WAF:
wafw00f www.example.com
Working principle
The rationale for WAF detection is to analyze the response by sending a specific request to the server. For example, in http-waf-detect
The example, it sends some basic malicious packets and contrasts the response while looking for the identity that the packet was blocked, rejected, or detected. The http-waf-fingerprint
same, but the script also attempts to intercept the response and classify it according to known patterns for different IDS and WAF. wafw00f
It is also true.
2.3 Viewing source code
Viewing the source code of the Web page allows us to understand some of the program's logic, detect obvious vulnerabilities, and have a reference when testing, because we can compare the code before and after the test, and use the comparison results to modify our next attempt.
In this cheats, we look at the source code of the app and draw some conclusions from it.
Get ready
Start VULNERABLE_VM for this cheat.
Operation Steps
Browse http://192.168.56.102.
Select the Wackopicko app.
Right-click on the page and select View Page Source
(View source code). A new window opens with the page source code:
Depending on the source code, we can find the library or external file used by the page, and the whereabouts of the link. At the same time, you can see that this page has some hidden input fields. Selected MAX_FILE_SIZE
, this means that when we upload a file, this field determines the maximum size that the file allows to upload. So, if we modify this value, we may be able to upload a file that is larger than the application expects. This reflects an important security issue.
Working principle
The source code of the Web page is useful for discovering vulnerabilities and analyzing the application's response to the provided input. It also gives us information about how the app works internally and whether it uses any third-party libraries or frameworks.
Some applications also include input checksum, encoding, and encryption functions written in JS or any other scripting language. Since the code is executed in the browser, we can analyze it by looking at the page source code, and once we see the checksum function, we can look into it and find any security flaws that would allow us to bypass it or modify the results.
4.4 Using Firefox to analyze and modify basic behavior
Firebug is a browser plugin that allows us to analyze the internal components of a Web page, such as table elements, cascading style sheets (CSS) classes, frames, and others. It also has the capability to show the request-response communication between the DOM object, the error code, and the browser server.
In the previous cheats, we saw how to view the HTML source code of the Web page and the input fields of the discovery shadow. The hidden fields set some default values for the maximum file size. In this cheats, we will see how to use the browser debugging extension, this is the Firefox or Owasp-mantra on the Firebug.
Get ready
Start VULNERABLE_VM, Access Http://192.168.56.102/WackoPicko.
Operation Steps
Right-click Check this file
(Check this file), then select Inspect Element with Firebug
(use Firebug to view elements).
The first input box for the form has a type="hidden"
parameter, double-click hidden
.
hidden
text
then press ENTER after you change it.
Now double-click 30000 of the parameter value.
Change him to 500000.
Now we see a new text box on the page with a value of 500000. We have just modified the file size limit and added a form field to modify it.
Working principle
Once the page is received by the browser, all elements can be modified to change the way the browser interprets it. If the page is reloaded, the version generated by the server is displayed again.
Firebug allows us to modify the level at which almost every page appears in the browser. So, if there is a control logic built on the client, we can use the tool to manipulate it.
More
Firebug is not just a tool to cancel the hidden or modified values of an input box, it also has some other useful features:
Console
The tabs show errors, warnings, and other messages that are generated when the page is loaded.
HTML
The tab is the page we just used, which presents the HTML in a hierarchical fashion, so allow us to modify its contents.
CSS
Tabs are used to view and modify the CSS style used by the page.
Script
Let's see the full HTML source code that breaks the page load breakpoints, breaks the load when it executes, and checks the value of the variable when the script runs.
DOM
The tabs show us the DOM (Document Object model) objects, their values, and their hierarchies.
Net
Shows the request sent to the server and its response, their type, size, response time, and order on the timeline.
Cookies
Contains the cookies set by the server, as well as their values and parameters, just like its name.
4.5 Obtaining and modifying cookies
Cookies are small pieces of information sent by the server to the browser (client) to store some information locally, which are related to a particular user. In modern WEB applications, cookies are used to store user-specific data, such as theme color configurations, object arrangement preferences, previous activity, and (more important to us) session identifiers.
In this cheats, we use browser tools to view the values of cookies, how they are stored, and how to modify them.
Get ready
Need to run our VULNERABLE_VM. 192.168.56.102
for the IP address of the machine, we use Owasp-mantra as the Web browser.
Operation Steps
Browse Http://192.168.56.102/WackoPicko.
Accessed from the Mantra menu bar Tools | Application Auditing | Cookies Manager +
.
In this, we can see all the cookies stored at that time and all the sites they belong to from this plugin. We can also modify their values, delete them, and add new entries.
192.168.56.102
Select from PHPSESSID
, then click Edit
.
Http Only
change the value to Yes
.
The parameter we just modified ( Http Only
) tells the browser that the cookie cannot allow client script access.
Working principle
The cookie manager+ is a browser plugin that allows us to view, modify or delete existing cookies and add new entries. Because some applications rely on the values stored in these cookies, attackers can use them to enter malicious patterns, may modify page behavior, or provide bogus information to obtain higher-order permissions.
At the same time, in modern Web applications, session cookies are typically used, usually the only orchid court of user identifiers after login is complete. This causes a potentially valid user to impersonate, by replacing the Cookie value with the user of an active session.
2.6 Using Robots.txt
To further investigate, we need to find out whether the site has any page or directory is not linked to the average user to see. For example, a content management system or a login page for an internal network. Looking for a site similar to it will greatly enlarge our test surface and give us some important clues about the application and its structure.
In this cheats, we use robots.txt
files to discover files and directories that may not be linked to the main app anywhere.
Operation Steps
Browse http://192.168.56.102/vicnum/.
Now we add to robots.txt
the URL, and we'll see the following:
This file tells the search engine, jotto
and cgi-bin
the homepage is not allowed to be indexed by any search engine (User Agent).
Let's browse http://192.168.56.102/vicnum/cgi-bin/.
We can directly click and access any Perl script in the directory.
Let's browse http://192.168.56.102/vicnum/jotto/.
Click on jotto
the name of the file and you will see something similar to the following:
Jooto is a game that guesses five characters of words, which will be the list of possible answers? By playing this game to test it, if so, we have already hacked the game.
Working principle
robots.txt
is a file used by the WEB server to tell the search engine information about files or directories that should be indexed or not allowed to be viewed. From the attacker's perspective, this tells us if there is a directory on the server that can be accessed but hidden from the public. This is called "Security with Concealment" (that is, assuming that the user does not notice the existence of something if they are not told).
2.7 Discovering Files and folders using Dirbuster
Dirbuster is a tool for discovering existing files and directories in a WEB server by blasting. We'll use it in this cheats to search for a specific list of files and directories.
Get ready
We'll use a text file that contains a list of words we asked Dirbuster to look for. Create a text file dictionary.txt
that contains the following items:
- Info
- Server-status
- Server-info
- Cgi-bin
- Robots.txt
- phpMyAdmin
- Admin
- Login
Operation Steps
Access Applications | Kali Linux | Web Applications | Web Crawlers | dirbuster
.
In the Dirbuster window, set the destination URL to http://192.168.56.102/.
Set the number of threads to 20.
Select List based brute force
(based on the exploded list) and click Browse
(Browse).
In the Browse window, select the file () that we just created dictionary.txt
.
Deselect Be Recursive
(Recursive).
For this cheat, we'll leave the other options to the default.
Click Start
(Start).
If we look Resuults
at the (Results) tab, we will see that Dirbuster has found at least two files in the directory: cgi-bin
and phpmyadmin
. Response code 200 means that a file or directory exists and can be read. PhpMyAdmin is a WEB-based MySQL database manager, and finding a directory of this name tells us that the DBMS exists in the server and may contain information about the app and its users.
Working principle
Dirbuster is a combination of crawlers and blasters that allow all connections on the page, but simultaneously try different names for the possible files. These names can be saved in a file, similar to the one we use, or can be automatically generated by dirbuster with the "pure brute force" option, and by setting the character set and minimum maximum length for the generated word.
To determine whether a file exists, Dirbuster uses the response code generated by the server. The most common responses are listed below:
200 OK
: File exists and can be read.
404 File not found
: The file does not exist.
301 Moved permanently
: This is a redirect to the given URL.
401 Unauthorized
: Requires permission to access this file.
403 Forbidden
: The request is valid but the server rejects the response.
2.8 using CEWL to analyze passwords
In each penetration test, the search must include an analytic dimension, in which we analyze the name of the application, department or process, and other words that are used by the target organization. When you need to set up a person-related user name or password, this helps us to determine which combinations are likely to be used frequently.
In this cheats, we use CEWL to get the list of words used by the app. and save it for use after the login page brute force hack.
Operation Steps
First, we look at CEWL's help me file to get a better idea of what to do. In the terminal, enter:
cewl--help
We'll use CEWL to get the words Wackopicko applied in the Vulnerable_ VM. We want words with a minimum length of 5, display the number of words, and save the results to cewl_WackoPicko.txt
.
-w cewl_WackoPicko.-c-m5 http://192.168.56.102/ WackoPicko/
Now, we open the file that CEWL just generated and look at the list of "number of words" pairs. This list still requires some filtering to remove the number of words that are not available for passwords, such as "Services", "Content" or "information".
Let's delete some words to form the first version of the word list. After removing some words and numbers, our word list should look something like this:
- Wackopicko
- Users
- Person
- Unauthorized
- Login
- Guestbook
- Admin
- Access
- Password
- Upload
- Agree
- Member
- Posted
- Personal
- Responsible
- Account
- Illegal
- Applications
- Membership
- Profile
Working principle
CEWL is a tool in Kali that crawls a Web site and extracts a list of stand-alone words. He can also provide repeat times for each word, save results to a file, use page metadata, and more.
See Also
Other tools can also be used for similar purposes, some of which generate lists of words based on rules or other word lists, and others can crawl sites to find the most commonly used words.
Crunch: This is based on the user-supplied character set of the generator. It uses this collection to generate all possible combinations. The Crunch is included in the Kali.
Wordlist Maker (WLM): WLM can generate word lists based on character sets, and can extract words from text files and Web pages (http://www.pentestplus.co.uk/wlm.htm).
Common user Password Profiler (Cupp): This tool can use Word lists to analyze possible passwords for common usernames and to download word lists and default passwords (Https://github.com/Mebus/cupp) from the database.
2.9 using John the Ripper to generate a dictionary
John The Ripper is probably the most popular password cracker in the world by most penetration testers and hackers. He has many features, such as automating the identification of common encryption and hashing algorithms, using dictionaries, and blasting attacks. As a result, it allows us to use rules for dictionary words, modify them, and use a richer list of words in a burst instead of storing lists. This last feature is one of the features that we'll use in this cheat book to generate an extended dictionary based on a very simple word list.
Get ready
We will use the word list generated in the previous section to generate a dictionary of possible passwords.
Operation Steps
-
John has the option to show only the password that is used to crack a specific password file. Let's try it using our word list:
john - - stdout - - wordlist=cewl_wackopicko txt
-
Another feature of John is that we use rules to modify each word in a list in a variety of ways to produce a more complex dictionary.
john - - stdout - - wordlist=cewl_wackopicko txt - - rules
You can see in the results that John modifies the words by converting the case, adding suffixes and prefixes, and replacing the letters with numbers and symbols (leetspeak).
Now we need to do the same, but send the list to the file so we can use it later:
john--stdout--wordlist=cewl_WackoPicko.txt--rulesdict_WackoPicko.txt
Now we have a dictionary of 999 words, which will be used later for password guessing attacks on the app login page.
Working principle
Although the goal of John the Ripper is not a dictionary builder, it is efficient to use a word list to crack the password (it also does very well). Its features allow us to extend the list of existing words and create dictionaries that are more consistent with the passwords used by modern users.
In this cheats, we use the default set of rules to modify our words. John's rules are defined in the configuration file, located in the Kali /etc/john/john.conf
.
More
For more information about creating and modifying rules for John the Ripper, see: http://www.openwall.com/john/doc/RULES.shtml.
2.10 using ZAP to discover files and folders
OWASP ZAP (Zed Attack Proxy) is a versatile tool for WEB security testing. He has an agent, passive and active vulnerability scanner, a blur tester, a crawler, and an HTTP request transmitter, along with some other interesting features. In this cheats, we will use the newly added "forced browsing", which is the Disbuster implementation within ZAP.
Get ready
In this cheats, we need to use ZAP as the proxy for the browser.
Open OWASP ZAP, accessed from the app's menu bar Applications | Kali Linux | Web Applications | Web Application Fuzzers | owasp-zap
.
In mantra or Iceweasel, access the main menu Preferences | Advanced | Network
, click in Connection
Settings
.
Option Manual proxy configuration
(manual proxy configuration), and 127.0.0.1
set to HTTP proxy, 8080 set to port. Check the option to use the same proxy for all protocols and click OK
.
Now, we need to tell ZAP which file to get the directory name from. Access from the ZAP's menu Tools | Options | Forced Brows
, then click Select File
.
Kali contains some word lists, and we'll use one of them: select /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3small.txt
the file, then click Open
.
The prompt box will tell us that the file is loaded. Click OK
and then click OK
to leave the Options
dialog box.
Operation Steps
After the agent is properly configured, browse
Working principle
When we configure the browser to use ZAP as a proxy, it does not send the request directly to the server for any page we intend to browse, but instead sends it to the address we define. Here is the address of the ZAP listener. ZAP then forwards the request to the server but does not parse any of the information we send.
ZAP's forced browsing works the same way as Dirbuster, which accepts the dictionary we have configured and sends a request to the server as if it were trying to browse a file in the list. If the file exists, the server responds appropriately. If the file does not exist or is not accessible by our current user, the server returns an error.
See Also
Another very useful agent included in the Kali is Burp Suite. It also has some particularly interesting features. The alternatives that can be used as mandatory browsing are intruder. Although Burp Suite is not specifically intended for this purpose, it is a common tool worth studying.
Kali Linux Web Penetration Test Cheats chapter II investigation