Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Transcription

1 Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you begin to attempt to exploit any system. In order to do this you must create a footprint of your target by analyzing it via a series of tools. After this, you look to exploit possible vulnerabilities within the system by means of known problems or by finding your own zero day vulnerability. SamuraiWTF offers a good variety of tools located in one convenient location to help you through the difficult steps. One set of these tools is an extensive collection of software for the purposes of recon and mapping, one of which is called DirBuster. This program takes the hard work out of locating unknown parts of a website or web application, by simply brute forcing requests to see if the web server returns a directory or file. The Open Web Application Security Project, or OWASP, points out that the tool is useful to help developers understand that pages and information can still be found and accessed even if they are unlinked from any other part of the website("owasp dirbuster project" ). Thus, unlinked administrative portions of a website are not safe just because they are not linked to, and means of authentication checks should still be enforced. Dirbuster is a very versatile tool, allowing its user to change many aspects of the scanning process. Whilst the concept is pretty simple, brute force guessing web pages on a targeted server, it s the fine tuning of the settings which make this tool even more powerful. The user is able to do things such as give login credentials so it may scan an area requiring authentication, change its own http user agent, so web server logs can or can t tell what it was that was guessing url s. As well, settings allow configuring to

2 run through a proxy, allowing it to utilize a service like Tor which would let it hop IP addresses and become completely anonymous. After completion of a scan, DirBuster is able to output the results to an organized text file for potential use. When vulnerability testing web applications, a tool like DirBuster comes in handy in order to find files or even complete web applications which would otherwise be hidden. Another essential method of recon for pen testing is port scanning. Port scanning allows you to see what ports are open on a given target, and using the results a good assumption of services running can be made. The tool available in SamuraiWTF for this is Zenmap, which is the GUI version of the popular scanner nmap. Zenmap allows users to enter a target, and select different scan types which specify the thoroughness of the scan. The hard work of determining which services associate to the open ports is taken care of by the tool as well, as output shows the services. Frequently used scans can be saved as profiles for quick use later. After utilizing this Samurai tool, you can tell if the machine is running a web server for example on port 80 or 443, and from there can begin to target vulnerabilities in the web server itself, or look at what web page is has available to the public to begin your assessment. Another interesting tool available for mining information is called GPScan. Provided in a command line environment, the tool utilizes Google s very own profiles feature to scan for known employee profiles of a given company.

3 This allows a user doing penetration testing to bring up all of the profiles of employees for a company and mine that information for use in potential usernames or password reset questions, for example. While this may not seem like much, it should be noted that Sarah Palin s Yahoo account was overtaken by a young man who guessed her security reset questions solely by finding the answers in public information and profiles posted around the web about her. In this day and age information is a very valuable and sensitive item to protect, and the GPScan tool is very capable of reminding us of this. The usage for this tool in the command line is: ruby gpscan.rb company name, and an example can be seen above searching for Google employees using the tool. All of the exploitation tools located within SamuraiWTF are freely available around the web. However SamuraiWTF combines these tools to provide individuals working with web application security an easy interface to access the most frequently used penetration testing tools. The software provided for exploitation in SamuraiWTF covers a broad range of actions, from XSS and SQL Injections, to man in the middle attacks, and even brute forcing software, all of which are frequently used during penetration testing. One of the powerful tools available in SamuraiWTF is the Web Application Attack and Audit framework, or commonly known as W3AF. This tool is available in both a command line interface and graphical user interface to provide multiple methods to utilize its power. This tool is capable of penetration testing aspects of both exploitation and discovery, and is written completely in Python and extendible with plugins, making it a versatile application (Darknet). As far as exploiting, its top ability which stands out is it s brute force tool, used to quickly attempt many login credentials typically from a database of commonly used usernames and passwords. Upon successful completion of a brute force attempt, W3AF reports back to the user with the credentials which were successful to login to the target as found in the example 1 below where this tool was tested against a content management system with a simple

4 username and password credential setup. It quickly found the login processor and got the password correctly. (Example 1) This tool as with the others should not be taken lightly, as many governments have computer security laws in effect to prevent unauthorized access by such means, to include the State of Michigan (Legislative Council). Cross site scripting is one of the more popular ways to exploit a lack of user validation on input, and another free tool on SamuraiWTF called Durzosploit is a good assistant to deploying these exploitations. The Durzosploit tool itself is more or less a framework for outputting exploitations to use. It has a few built in XSS exploitations on hand, including some to change a targeted users twitter status, or update their facebook, however the developer has made it so you can plug in your own exploits as you find them and wish to use them. It also has a neat feature allowing you to obfuscate the code so that the target has a hard time understanding what they are being targeted with, as it essentially encrypts the javascript. This tool is useful in creating scripts on the fly to help with XSS vulnerability testing, alongside other resources, such as the ha.ckers.org xss examples page (ha.ckers). If a website is found to be XSS

5 vulnerable utilizing either the example codes from a site like ha.ckers.org or by successfully running a script with a tool like Durzosploit, it can then be exploited. The typical means of exploitation are to construct a URL with the actual websites domain, which users trust, and the exploitable code at the end that will then run on the web page once they arrive, such as this example: 28document.cookie%29%3B%3C%2Fscript%3E&Submit=Submit. This code could do something as easy as steal the users cookie and provide valuable session information to the attacker, for use in a replay attack or something similar. Alongside XSS injection attacks, the other huge web vulnerability faced today by developers is SQL Injections. This is the art of finding vulnerable areas of a website where the developers do not properly filter users input, and in doing such the users are then able to modify or create their own sql queries. Where this is dangerous is the hacking user can use that ability to authenticate themselves as a root or administrative user using simple tricks. One of the tools you will find in SamuraiWTF to help in testing for SQL injection vulnerabilities is SQLMap, however there are other tools within samurai for use on databases as well. SQLMap allows you to unleash the script on a web page and it will automatically test if there is an SQL vulnerability located on the targeted page. If it finds potential targeted scripts, it will assume testing procedures by attempting to input known SQL Injection code to confirm or dismay a potential weakness. This tool is also very useful in the fact it can be tweaked to search google results for a given website and script type, using the parameter g site: ext:php which allows a penetration tester to attempt an attack even if a targeted page is not known.

6 SQLMap is an essential tool to locating database injection vulnerabilities without the hassle of hand crafting your own injection tests. As made obvious in the tool examples mentioned prior, SamuraiWTF collaborates the best freeware penetration testing tools available on the internet into an easy to use location. From scanning to attempting exploits on vulnerabilities, any tool or software you need to complete the job can be found in SamuraiWTF s live Linux environment for your use.

7 References: Owasp dirbuster project. (n.d.). Retrieved 2011, March 25 from Darknet,. (n.d.). w3af web application attack and audit framework darknet. Retrieved 2011, March 28 from web application attack and audit framework Legislative Council, State of Michigan. (n.d.). fraudulent access to computers, computer systems, and computer networks (excerpt) act 53 of Retrieved 2011, March 28 from &objectname=mcl ha.ckers, Initials. (n.d.). Xss (cross site scripting) cheat sheat. Retrieved from