WEB APPLICATION HACKING, Part 2: Tools of the Trade (and how to use them)
Jonathan Eddy, September 27, 2013 (last updated September 27, 2013)

MAPPING THE APPLICATION

ENUMERATING CONTENT AND FUNCTIONALITY
Why?
- Rigorous inspection of content
- A comprehensive record of everything identified
- Hidden content that manual browsing alone would miss

WEB SPIDERING
- Basic tools follow a simple model: request a page, parse it for links to other content, and repeat recursively until no new content is discovered
- Web application spiders also:
  - Parse HTML forms and submit them with random values (a crude form of fuzzing)
  - Parse client-side JavaScript to extract additional URLs
- Examples: Paros, Burp Spider (part of Burp Suite), and WebScarab
- Limitations:
  - Unusual navigation mechanisms are handled poorly, so content is missed
  - Automatic form submission usually fails validation because the values are random
  - URLs are treated as unique identifiers of content: different URLs may return the same page, and the same URL may return volatile data such as timers or session-specific content
  - Authentication causes many problems: the spider can log itself out, invalid input can terminate the session, and per-page tokens defeat repeated requests

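The request, parse, recurse model above, as an added example that is not part of the original slides: a minimal Python spider that pulls URLs from anchors, form actions, script src attributes and absolute-path string literals in inline JavaScript, stays on the target's origin, drops fragments, and builds a site map. The host name (www.targetedwebsite.com, reused from the search-operator examples later in the deck) and the pages it serves are a constructed in-memory stand-in for a real HTTP server, not a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

ORIGIN = "https://www.targetedwebsite.com"   # assumed target, not a real site

# Constructed sample site (path -> HTML body) standing in for a live HTTP server.
SITE = {
    "/": ('<a href="/about.html">About</a> <a href="login.jsp">Login</a>'
          '<script>var api = "/api/v1/users"; location.href = "/dash.jsp";</script>'),
    "/about.html": ('<a href="/">Home</a> <a href="https://other.example.net/x">Partner</a>'
                    '<a href="/about.html#team">Team</a>'),
    "/login.jsp": '<form action="/doLogin.jsp" method="post"><input name="u"></form>',
    "/doLogin.jsp": '<a href="/admin/">Admin</a>',
    "/dash.jsp": "<h1>Dashboard</h1>",
    "/api/v1/users": '{"users": []}',
    "/admin/": '<a href="deleteuser.jsp">Delete user</a>',
    "/admin/deleteuser.jsp": "<h1>User deleted</h1>",
}


def fetch(url):
    """Simulated GET: return (status, body) for a URL on the constructed site."""
    path = urlparse(url).path or "/"
    return (200, SITE[path]) if path in SITE else (404, "Not Found")


class LinkExtractor(HTMLParser):
    """Collect href/src/action attributes the way a basic spider parses a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])       # a real spider would also submit the form
        elif tag == "script" and a.get("src"):
            self.urls.append(a["src"])


# Crude extraction of absolute paths from string literals in inline JavaScript.
JS_PATH = re.compile(r"""["'](/[A-Za-z0-9_./-]*)["']""")


def extract_urls(page_url, body):
    """Return the set of absolute, fragment-free URLs referenced by a page."""
    parser = LinkExtractor()
    parser.feed(body)
    refs = parser.urls + JS_PATH.findall(body)
    return {urldefrag(urljoin(page_url, ref))[0] for ref in refs}


def spider(start, max_pages=100):
    """Request, parse, follow, repeat: returns {url: status} for everything reached."""
    host = urlparse(start).netloc
    queue, sitemap = [start], {}
    while queue and len(sitemap) < max_pages:
        url = queue.pop(0)
        if url in sitemap:
            continue
        status, body = fetch(url)
        sitemap[url] = status
        if status != 200:
            continue
        for ref in extract_urls(url, body):
            if urlparse(ref).netloc == host and ref not in sitemap:   # stay in scope
                queue.append(ref)
    return sitemap


if __name__ == "__main__":
    for url, status in sorted(spider(ORIGIN + "/").items()):
        print(status, url)
```

Running it shows the spider reaching /admin/deleteuser.jsp, which is exactly the kind of request an unattended spider makes and a user-directed approach lets the tester avoid. It also ignores every limitation listed on the slide: it does not submit forms, keeps no session, and would loop through any URL space that generates fresh links on each request.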
USER-DIRECTED SPIDERING
- More sophisticated and controlled than automated spidering
- The user interacts with the application normally while the spider acts as a proxy, monitoring and capturing every request and response
- The spiders in Burp Suite and WebScarab can be used this way
- Benefits:
  - Complex navigation is followed through in the normal way, by a human
  - Data validation is not an issue because the user supplies meaningful input
  - Session management is not an issue because the user handles it
  - All dynamic content is captured, but dangerous functionality need not actually be invoked (e.g. deleteuser.jsp is recorded as a link without being requested)

HACK STEPS FOR USER-DIRECTED SPIDERING
1. Configure your browser to use the mapping tool as a local proxy
2. Browse the entire application, once with JavaScript/cookies/etc. enabled and once with them disabled
3. Review the site map generated by the proxy/spider tool and decide whether any additional content still needs to be accessed

DISCOVERING HIDDEN CONTENT
Additional and useful information that is often present but not linked:
- Test functionality
- Backup copies of live files
- Backup archives that contain a full snapshot of files
- New functionality that has not yet been made live
- Old versions of files (with old vulnerabilities?)
- Configuration and include files
- Source files for compiled applications
- Log files that may contain sensitive information
Brute-force techniques and how to read the server's errors:
- 302 Found: a redirect, often to a login page, an error page, or some other location
- 400 Bad Request: the server regards the request or URL syntax as invalid
- 401 Unauthorized / 403 Forbidden: the resource probably exists but is not accessible with the current credentials
- 500 Internal Server Error: the resource exists but failed, often because it expected parameters that were not supplied

HACK STEPS FOR BRUTE-FORCE TECHNIQUES
1. Make requests for known valid and known invalid resources and record how the server handles the invalid ones (status code, page length, custom 404 page), so that real content can be told apart later
2. Use the site map generated by user-directed spidering as the basis for automated discovery of hidden content
3. Make automated requests for common filenames and directories within each directory path known to exist within the application
4. Capture the responses received from the server and review them to identify valid resources
5. Repeat the exercise recursively as new content is discovered

HACK STEPS FOR INFERENCE FROM PUBLISHED CONTENT
1. Compile lists of all enumerated subdirectories, file stems, and file extensions
2. Review these lists to identify the naming schemes and common extensions in use
3. Look for naming patterns that predict names you have not yet seen (e.g. numbered or dated files, version suffixes)
4. Review all client-side code for clues about hidden server-side content, especially references to server-side includes

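The brute-force steps and the inference steps above, combined into one added example that is not from the original slides. The target, its paths, and its custom 404 page are constructed here in memory; the site answers 200 for everything, so status codes alone cannot identify valid content. The code first learns the server's "invalid resource" signature (brute-force step 1), derives candidates from the stems and extensions of files already known plus backup and configuration names (the inference steps), requests them, and keeps only the responses that differ from that signature (steps 3 and 4). The file names and suffix list are assumptions, not taken from the deck.

```python
import os
import re
from itertools import product

# Constructed target: path -> (status, body). Unknown paths get a "soft 404" (200 + error page).
TARGET = {
    "/about.html": (200, "<h1>About us</h1>"),
    "/login.jsp": (200, '<form action="/doLogin.jsp" method="post">'),
    "/doLogin.jsp": (200, "<h1>Welcome</h1>"),
    "/login.jsp.bak": (200, '<%@ page import="java.sql.*" %> <% String q = "SELECT ..."; %>'),
    "/backup.zip": (200, "PK\x03\x04 ... (archive bytes)"),
    "/admin/": (403, "Forbidden"),
    "/config.inc": (200, "<?php $db_pass = 'hunter2'; ?>"),
}

BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".txt", "~")
COMMON_NAMES = ("/admin/", "/backup/", "/backup.zip", "/config.inc", "/test/", "/.git/", "/logs/")


def fetch(path):
    """Simulated GET. The custom 404 page echoes the requested path and answers 200."""
    if path in TARGET:
        return TARGET[path]
    return 200, "<html><title>Oops</title><p>Sorry, %s was not found.</p></html>" % path


def signature(path, body):
    """Normalise a body so that pages differing only by the echoed path compare equal."""
    return re.sub(r"\s+", " ", body.replace(path, "<PATH>")).strip()


def learn_invalid_signature(directory="/", samples=3):
    """Brute-force step 1: request names that certainly do not exist and record how
    the server answers (status plus normalised body), not just the status code."""
    seen = set()
    for _ in range(samples):
        bogus = directory + "zz" + os.urandom(6).hex() + ".html"
        status, body = fetch(bogus)
        seen.add((status, signature(bogus, body)))
    return seen


def infer_candidates(known_paths):
    """Inference steps: recombine observed stems and extensions, add backup copies of
    every live file, and add common names for hidden directories and config files."""
    stems, exts = set(), set()
    for path in known_paths:
        name = path.rsplit("/", 1)[-1]
        if "." in name:
            stem, ext = name.split(".", 1)
            stems.add(stem)
            exts.add(ext)
    candidates = {"/%s.%s" % (s, e) for s, e in product(stems, exts)}
    candidates.update(p + suffix for p in known_paths for suffix in BACKUP_SUFFIXES)
    candidates.update(COMMON_NAMES)
    return sorted(candidates - set(known_paths))


def discover(known_paths):
    """Brute-force steps 3-4: request each candidate and keep every response that does
    not match the learned 'invalid resource' signature. Returns {path: status}."""
    invalid = learn_invalid_signature()
    found = {}
    for path in infer_candidates(known_paths):
        status, body = fetch(path)
        if (status, signature(path, body)) not in invalid:
            found[path] = status
    return found


if __name__ == "__main__":
    for path, status in discover(["/about.html", "/login.jsp", "/doLogin.jsp"]).items():
        print(status, path)
```

Against a live target, step 5 means feeding every directory this returns (here /admin/) back into the same routine with that directory as the baseline prefix, since soft-404 behaviour can differ per directory. The 403 on /admin/ is reported rather than discarded because, as the previous slide notes, 401/403 usually means something is there.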
HACK STEPS FOR USE OF PUBLIC INFORMATION
1. Use several different search engines and web archives, or an aggregate search engine, to discover indexed and stored content
2. Use advanced operators (which vary by search engine) to maximize effectiveness:
   - site:www.targetedwebsite.com: restrict results to the target site
   - site:www.targetedwebsite.com login: restrict results to the target site and a keyword
   - link:www.targetedwebsite.com: return other sites that link to the target
   - related:www.targetedwebsite.com: return similar pages
   - Perform these searches in each section of the search engine (web, groups, news)
   - Repeat the search with the omitted (near-duplicate) results included
   - View the cached version of interesting pages
3. Search for users and email addresses as well

LEVERAGING THE WEB SERVER
- Vulnerabilities may exist at the web server layer, such as directory listing and source code disclosure
- Nikto can help in discovering these resources (which may or may not be linked within the web application) when formulating an attack
- If the server uses a non-standard configuration (port, virtual host, document root), make sure you point Nikto at the right location
- Tell Nikto when a custom 404 page is in use; otherwise every guessed name can look like a hit
- Always check Nikto's results manually, as there may be false positives

APPLICATION PAGES VS. FUNCTIONAL PATHS
- Many different kinds of request may be routed through just one or two URLs that dispatch on a parameter and hand the work to other parts of the application
- Start at that page (or pages) and map the functional paths within the application, showing all of the enumerated functions and the logical paths and dependencies between them
- Hidden parameters and values, such as an extra &debug=true, can also be guessed to change the application's behaviour
  - Example names: debug, test, hide, source; example values: true, yes, 1
  - Burp Intruder with the cluster bomb attack type (one payload set for names, one for values) is useful here
  - Target functions likely to carry logic, such as logins and uploaders

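The hidden-parameter guess described above, as an added example that is not from the original slides: every (name, value) pair from the two payload sets is sent, as Burp Intruder's cluster bomb attack does, and each response is fingerprinted and compared with a baseline. The request handler is a constructed stand-in for the target; the undocumented parameters it honours (debug, source) and the users are assumptions chosen to make the diff visible.

```python
import hashlib
from itertools import product

# Payload sets, as on the slide: one for parameter names, one for values.
NAMES = ("debug", "test", "hide", "source", "admin")
VALUES = ("true", "yes", "1", "on")


def handle(params):
    """Constructed stand-in for the target's request handler, returning (status, body).
    It honours two undocumented parameters that the tester does not know about."""
    body = "<html><body>Welcome, %s</body></html>" % params.get("user", "guest")
    if params.get("debug", "").lower() in ("true", "1"):
        body += "<!-- debug: db=prod-sql-01 query_time=12ms -->"
    if params.get("source") == "1":
        body = "<?php include 'db.php'; echo 'Welcome'; ?>"
    return 200, body


def fingerprint(response):
    """Status, length and a short body digest: enough to tell two responses apart."""
    status, body = response
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()[:16]


def cluster_bomb(base_params, names=NAMES, values=VALUES):
    """Try every (name, value) combination from the two payload sets, the way Burp
    Intruder's cluster bomb attack does, and return the combinations whose response
    differs from the baseline as (name, value, status, length delta)."""
    baseline = fingerprint(handle(base_params))
    if fingerprint(handle(base_params)) != baseline:
        # Volatile content (timers, nonces) would make every probe look like a hit;
        # mask it in fingerprint() before trusting any diff.
        raise RuntimeError("baseline response is not stable")
    hits = []
    for name, value in product(names, values):
        status, body = handle({**base_params, name: value})
        if fingerprint((status, body)) != baseline:
            hits.append((name, value, status, len(body) - baseline[1]))
    return hits


if __name__ == "__main__":
    for hit in cluster_bomb({"user": "alice"}):
        print("%s=%s -> status %d, length delta %+d" % hit)
```

The stability check matters in practice: a page that embeds a timestamp or per-request token changes on every request, so the length and digest must be computed over a masked body (or Intruder's grep-match on a fixed string used instead) before any "different response" is treated as a finding.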
ANALYZING THE APPLICATION
- Enumerating content is only one element of the mapping process
- Analyzing the application's functionality, behaviour, and technologies to identify the key attack surfaces and formulate an approach to probing for exploitable vulnerabilities is equally important
- Areas to investigate include:
  - Core application functionality
  - Peripheral application behaviour (logging, links, errors, redirects, etc.)
  - Core security mechanisms (session management, authentication, user registration, password changes, application logic, etc.)
  - Locations where user-supplied input is processed
  - Client-side technologies (Java applets, ActiveX, Flash, cookies, etc.)
  - Server-side technologies (static and dynamic pages, request parameters, use or non-use of SSL, database interaction, email systems, etc.)

IDENTIFYING ENTRY POINTS FOR USER INPUT
- In HTTP requests, look at:
  - The URL string up to the query string marker
  - Parameters in the URL query string
  - Parameters in the body of a POST request
  - Cookies
  - Other HTTP headers (such as User-Agent, Referer, Accept, Accept-Language, and Host)
- In URLs, also look for non-standard query string formats (data embedded in the path, or separated by something other than & and =)
- Look as well for data that reaches the application through an out-of-band channel, which can often be inferred by inspecting HTTP traffic
  - Such data can frequently be manipulated by an attacker even when the application's own HTTP interface is not vulnerable
  - Examples: applications that act on incoming email, that react to status changes on other servers, or that process content captured by network sniffers

IDENTIFYING SERVER-SIDE TECHNOLOGIES
- Banner grabbing: the HTTP Server header and other headers may reveal a great deal about the web server
- HTTP fingerprinting: even if the banner is masked, specialized tools such as Httprint may be able to determine the web server software from its protocol behaviour
- File extensions: many extensions disclose a platform or programming language (e.g. .aspx indicates Microsoft ASP.NET and .cfm indicates ColdFusion)
- Directory names: many directory names disclose the presence of a technology (e.g. servlet for Java servlets, WebObjects for Apple WebObjects)
- Session tokens: many web servers and application platforms generate tokens whose names reveal the technology in use (e.g. ASPSESSIONID for classic ASP on Microsoft IIS, PHPSESSID for PHP)
- Also, don't forget about third-party components on the server

IDENTIFYING SERVER-SIDE FUNCTIONALITY
- Dissecting requests: long URLs may contain many of the identifiers discussed previously, such as fragments of SQL or email addresses
- Check any obfuscated or encoded values the application stores or transmits to see whether they are easily reversible (e.g. Base64)
- Try to get the server to return verbose debugging messages that may contain additional information about the server

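The entry-point inventory from two slides back and the reversibility check above, as one added example that is not from the original slides: a parser that splits a captured request into path, query, POST body, cookies and the headers an application is likely to read, and tests each value for trivially reversible encodings (hex and Base64 of printable text). The request is constructed; the host name is reused from the deck's search examples, and the cookie and body values are made up (the prefs cookie is Base64 of "user=alice;role=user", the data field is hex of "alice").

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request, as an intercepting proxy would capture it.
RAW_REQUEST = (
    "POST /app/update.jsp?id=1042&view=full HTTP/1.1\r\n"
    "Host: www.targetedwebsite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://www.targetedwebsite.com/app/list.jsp?page=2\r\n"
    "Cookie: JSESSIONID=7F3A9C; prefs=dXNlcj1hbGljZTtyb2xlPXVzZXI=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=alice&data=616c696365&note=hello+world"
)

# Headers the application is most likely to read, and therefore worth treating as input.
INTERESTING_HEADERS = ("User-Agent", "Referer", "Accept", "Accept-Language", "Host", "X-Forwarded-For")

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def parse_request(raw):
    """Split a raw HTTP request into path, query, body parameters, cookies and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    cookies = {}
    for pair in headers.get("Cookie", "").split(";"):
        if "=" in pair:
            name, _, value = pair.strip().partition("=")
            cookies[name] = value
    params = {}
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params = dict(parse_qsl(body, keep_blank_values=True))
    return {
        "method": method,
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        # A query string without name=value pairs points to a non-standard format.
        "nonstandard_query": url.query if url.query and "=" not in url.query else None,
        "body": params,
        "cookies": cookies,
        "headers": headers,
    }


def decode_if_reversible(value):
    """Return (scheme, plaintext) when a value is a trivially reversible encoding
    (hex or Base64 of printable ASCII), else None. Used to spot 'obfuscated' data."""
    if HEX_RE.match(value):
        decoded = bytes.fromhex(value)
        if decoded.isascii() and decoded.decode().isprintable():
            return "hex", decoded.decode()
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            return None
        if decoded.isascii() and decoded.decode().isprintable():
            return "base64", decoded.decode()
    return None


def entry_points(raw):
    """List every user-controllable input as (location, name, value, decoded)."""
    req = parse_request(raw)
    points = []
    for where in ("query", "body", "cookies"):
        for name, value in req[where].items():
            points.append((where, name, value, decode_if_reversible(value)))
    for name in INTERESTING_HEADERS:
        if name in req["headers"]:
            value = req["headers"][name]
            points.append(("header", name, value, decode_if_reversible(value)))
    return points


if __name__ == "__main__":
    for point in entry_points(RAW_REQUEST):
        print(point)
```

The decoded prefs cookie is the interesting output: a role stored client-side behind nothing more than Base64 is a candidate for tampering (re-encode "role=admin" and resend), which is why the reversibility check belongs in the mapping phase rather than later.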
MAPPING THE ATTACK SURFACE
Function                                    Exploit to look for
Client-side validation                      Checks may not be replicated on the server
Database interaction                        SQL injection
File transfer                               Path traversal vulnerabilities
Display of user-supplied data               XSS
Dynamic redirects                           Redirection and header injection attacks
Login                                       Username enumeration, weak passwords, brute-force attacks
Multistage login                            Logic flaws
Session state                               Predictable tokens, insecure handling of tokens
Access controls                             Horizontal and vertical privilege escalation
User impersonation functions                Privilege escalation
Use of cleartext communications             Session hijacking, capture of credentials and/or other sensitive data
Off-site links                              Leakage of query string parameters in the Referer header
Interfaces to external systems              Shortcuts in the handling of sessions and/or access controls
Error messages                              Information leakage
Email interaction                           Email and/or command injection
Native code components or interaction       Buffer overflows
Use of third-party application components   Known vulnerabilities
Identifiable web server software            Common configuration weaknesses, known bugs

A WEB APPLICATION HACKER'S TOOLKIT

WHAT DO I NEED THESE TOOLS FOR?
- Footprinting
  - Gathering data to map the security profile of a specific organization
  - Results in a unique organizational profile of its systems and networks
  - Includes locating the network range and identifying active machines
- Fingerprinting
  - The act of identifying systems (specifically, their operating system)
  - Possible because different vendors implement the TCP/IP stack differently
  - Passive: no packets or traffic are injected into the network
  - Active: specially crafted packets are injected into the network to see how systems respond
- Enumeration
  - Active connections to systems and directed queries
  - Includes looking for network shares, users and groups, applications, and banners
  - SNMP enumeration: connecting to devices with SNMP agents running
- Mapping the attack surface
  - Identifying the various attack surfaces and potential vulnerabilities

INFORMATION GATHERING SCANNERS
- Nmap (GUI: Zenmap) - http://nmap.org
  - A free and open source utility for network discovery and security auditing
- Fing - http://www.overlooksoft.com/fing
  - Get in seconds a complete picture of the network you are in, including IP and MAC addresses, device vendors and ISP location
- Angry IP Scanner (ipscan) - http://angryip.org
  - An open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has many other features
- Wi-Fi-only network scanners:
  - WiFite - http://code.google.com/p/wifite/
  - Kismet - http://www.kismetwireless.net
  - KisMAC (OS X only) - http://trac.kismac-ng.org

GENERAL VULNERABILITY SCANNERS
- Nessus - http://www.tenable.com/products/nessus
  - Nessus is the industry's most widely-deployed vulnerability and configuration assessment product. Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis.
- OpenVAS - http://www.openvas.org
  - OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

WEB VULNERABILITY SCANNERS
- Paros (OS X GUI: Andiparos)
  - A Java-based HTTP/HTTPS proxy for assessing web application vulnerabilities. Supports editing/viewing HTTP messages on the fly. Other features include spiders, client certificates, proxy chaining, and intelligent scanning for XSS and SQL injection
- Nikto (OS X GUI: Yang)
  - A web server scanner which performs comprehensive tests against web servers for multiple items, including files/CGIs, outdated server versions, and version-specific problems. It also checks server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software
- Burp Suite
  - An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities
- WebScarab (and WebScarab-NG)
  - A framework for analysing applications that communicate using HTTP and HTTPS. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser
- Skipfish
  - An active web application security reconnaissance tool. It prepares a site map, checks it for security flaws, and writes the findings to a final report

PASSWORD CRACKERS
- John the Ripper - http://www.openwall.com/john/
  - A fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version
- Hydra - http://www.thc.org/thc-hydra/
  - A fast network logon cracker which supports many different services (see http://www.thc.org/thc-hydra/network_password_cracker_comparison.html for a comparison)

OTHER USEFUL TOOLS
- Wireshark - http://www.wireshark.org
  - A packet analyzer used for network troubleshooting, analysis, and software and communications protocol development
- Wget - http://www.gnu.org/software/wget/
  - A software package for retrieving files using HTTP, HTTPS and FTP, the most widely used Internet protocols
- curl - http://curl.haxx.se
  - A command line tool for transferring data with URL syntax
- Netcat / Ncat - http://netcat.sourceforge.net
  - A featured networking utility which reads and writes data across network connections using TCP/IP
  - Often used by Metasploit and other toolkits to open shells
- Stunnel - https://www.stunnel.org/index.html
  - Designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes to the programs' code

END
Questions?