mp mutillidae project

Upload: nathangreen

Post on 17-Jan-2016


DESCRIPTION

IS3230T Access Security Project

MUTILLIDAE PROJECT

Table of Contents

Introduction
Attack Vector: Brute Force
  Brute Force
  Dictionary Attack
  Burp Suite
  Mutillidae Example
Attack Vector: Command Execution Injection (Harvesting)
  Command Execution Injection (Harvesting)
  Command Execution
  Command Injection Attack
  Database Interrogation (Data Harvesting)
  Mutillidae Example
  How to Perform Shell and Command Injection Attacks
Attack Vector: Command Execution Injection (Listener Attacks)
  Purpose
Attack Vector: SQL Injection (Single Quote Problem)
  SQL Injection
  Login Without a Password
  cURL
  Man-in-the-Middle Attack
  Cookie Manager
  Mutillidae Example
Attack Vector: SQL Injection (Union Attack Display Sensitive Information)
  Union Attacks
  Weak PHP Programming
  Mutillidae Example
Attack Vector: SQL Injection (Union Attack / Create Command Execution Program)
  Command Execution
  Command Execution Listener
  Netcat
  Mutillidae Example
Attack Vector: SQL Injection (Union Attack / Create Upload Program)
  Union Attack
  PHP Upload Backdoor
  C99.php Root Kit
  Mutillidae Example
  Counter Measure
Attack Vector: File Upload
  Attack Upload Vector
  Payload
  Creating a Payload
  Executing a Payload
  Connecting a Payload Back to a Machine
  C99.php Compare and Contrast
  C99.php Malicious Functionality
  Mutillidae Example
  Counter Measure
Attack Vector: Cross Site Scripting
  Cross Site Scripting (XSS)
  Reflective Cross Site Scripting
  Persistent Cross Site Scripting
  Testing Webpages for Vulnerability to Cross Site Scripting
  Using iframe to Point to a Malicious Website
  Planting a Cookie Harvester into a Blog to Gain a Victim's Cookie Information
  Mutillidae Example
  Counter Measure
Conclusion
  The Future of Attack Vectors and Going Forward Counter Measures
  JavaScripting and CGI Input Validation
  Ongoing Security Testing
  Project Members

Introduction

A penetration test is an attack on a computer system carried out with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data. Mutillidae is a free, open source, deliberately vulnerable web application that provides a target for web security practice. Mutillidae has over 35 vulnerabilities and challenges and contains at least one vulnerability for each entry in the OWASP Top Ten of 2007 and 2010. Its features include SSL stripping, bubble hints that point out vulnerable locations (the bubble hints automatically give more information as the hint level is incremented) and authentication bypass. Mutillidae also provides a data capture page and stores the captured data in a database and in a file.

Mutillidae was created by Adrian Crenshaw as a web penetration testing target. It began as version 1.x and was later redesigned and developed into Mutillidae 2.x by Jeremy Druin. Mutillidae was developed to aid in understanding and appreciating the consequences of the vulnerabilities. It saves security instructors from having to create a custom web application for training, and it is useful for evaluating vendor products against a target with specified, disclosed vulnerabilities. Vulnerabilities need to be identified both by the penetration tester and by the vulnerability scanner. This allows the tester to find the vulnerabilities and fix them before an attacker does. A few reasons why penetration testing exists: it allows the tester to find holes in a critical computer system before it goes online (which is good security practice), and it gives the IT department at the targeted company a chance to respond to an attack.

Attack Vector

Brute Force

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies. It consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.

Dictionary Attack

A method used to break security systems, specifically password-based security systems, in which the attacker systematically tests all possible passwords beginning with words that have a higher possibility of being used, such as names and places. The word "dictionary" refers to the attacker exhausting all of the words in a dictionary in an attempt to discover the password. Dictionary attacks are typically done with software instead of an individual manually trying each password.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Mutillidae Example:

A great majority of web applications provide a way for users to authenticate themselves. Knowing a user's identity makes it possible to create protected areas or, more generally, to have the application behave differently when different users log on. In general, there are several methods for a user to authenticate to a system. A dictionary file can be tuned and compiled to cover words that the owner of the targeted account is likely to have used. Burp Suite will be used to intercept the traffic, and it will then be configured to launch the attack. Using Burp Suite, we can change the values of username and password with each request.

After finding your target, open Mutillidae, then select View Someone's Blog.

You will see a list of possible users; select Please Choose Author.

By right clicking on the white background, you can view the page source, which lets you search the source code.

Type admin, then press Enter.

You will then insert the IP of the target into the following command, which parses the source code:

curl -L "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=view-someones-blog.php" 2>/dev/null | grep -i \"admin\" | sed 's/"//g' | awk 'BEGIN{FS=">"}{for (i=1; i

So far, so good. Now the script can be called with various GET parameters to output different files to the user. If we add new files to the directory, the application automatically knows how to read and output them, whatever their content. We can see this with a simple example to understand how the program should work. Assume we have a file in the same directory which a user may want to output. Let's call it my_great_content.txt. It contains some test text like the following:

A user comes to the page with the following URL:

The PHP page shows them the content just as the user expected. For your average user, the page works as expected, and the development team only had to write one line of code.

Unfortunately, as you may have guessed, the code is not secure and is vulnerable to a shell command injection attack. If an attacker comes, they may append a semicolon (;) and another UNIX command to the filename specified in the URL parameter. Perhaps they want to start by listing what files are in the directory:

The page still comes up with the file contents, but since I injected a command (ls), it doesn't end there. The command line continues to execute the following command and shows some special information.

This example code actually offers numerous opportunities for an attacker, including directory traversals. As a quick example, providing a file name like ../../etc/passwd, would have the cat command print out the list of users on the server. Even if shell injection were prevented by limiting input to the cat function, this issue would still need to be addressed.

How to Perform Shell and Command Injection Attacks

Assuming some analysis has found a website function which is likely to be vulnerable to shell injection there are a variety of ways to inject shell commands.

Assume for a moment that you have found the previous example's page, which takes a filename as input and executes the shell command "cat" against that file. In the previous example, a semicolon was used to separate one command from another, to indicate that after the cat command completed, another command should be run on the same line. It is reasonable to assume that a more advanced developer might have filtered out some forms of shell injection, such as by removing semicolons, rendering the previous attack ineffective. There are a number of ways to string shell commands together to create new commands. Here are the common operators you can use, as well as examples of how they might be used in an attack:

Redirection Operators

Examples: <, >, >>

These operators redirect either input or output somewhere else on the server. < makes whatever comes after it the standard input. Replacing the filename with < filename will not change the output, but could be used to avoid some filters. > redirects command output, and can be used to modify files on the server, or create new ones altogether. Combined with the cat command, it could easily be used to add UNIX users to the system, or deface the website. Finally, >> appends text to a file; it is not much different from the original output redirection, but again can be used to avoid some simplistic detection schemes.

Pipes

Examples: |

Pipes allow the user to chain multiple commands. It will redirect the output of one command into the next. So you can run unlimited commands by chaining them with multiple pipes, such as cat file1 | grep "string".

Inline commands

Examples: ;, $

This is the original example. Putting a semicolon asks the command line to execute everything before the semicolon, then execute everything else as if on a fresh command line.

Logical Operators

Examples: $, &&, ||

These operators perform some logical operation against the data before and after them on the command line.

Common Injection Patterns & Results

Here are the expected results from a number of common injection patterns (appending each of the below to a given input string, assuming all quotes are correctly paired):

`shell_command` - executes the command

$(shell_command) - executes the command

| shell_command - executes the command and returns the output of the command

|| shell_command - executes the command and returns the output of the command

; shell_command - executes the command and returns the output of the command

&& shell_command - executes the command and returns the output of the command

> target_file - overwrites the target file with the output of the previous command

>> target_file - appends the output of the previous command to the target file

< target_file - sends the contents of target_file to the previous command

- operator - adds additional operations to the target command

These examples are only scratching the surface of possible command injection vectors. The full breadth of attack possibilities is dependent upon the underlying function calls. For instance, if an underlying function is using a shell program such as awk, many more attack possibilities arise than laid out here.
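As an added example (not code from the project report), the one-parameter file viewer described above is rewritten in Python with the defences this section implies: an allowlist on the file name, a check that the resolved path stays inside the content directory, and no shell between the application and cat. A blocklist of the operators listed above is included only to show why it is the weaker check. The directory, file and inputs are constructed for the demo.

```python
"""Hardened stand-in for the one-line 'cat' page: validate the name, then run cat with no shell."""
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist: a plain file name of letters, digits, dot, dash and underscore, not starting with a dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Blocklist of the chaining operators listed in this section (shown for comparison only;
# it is incomplete by design, e.g. newlines or awk program text would pass it).
SHELL_OPERATORS = ("`", "$(", "|", ";", "&", ">", "<")


def looks_injected(value):
    """Weak check: True if any listed shell operator appears in the input."""
    return any(op in value for op in SHELL_OPERATORS)


def safe_filename(value, base_dir):
    """Strong check: the resolved path inside base_dir, or None if the name is rejected."""
    if not SAFE_NAME.fullmatch(value):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / value).resolve()
    # Traversal guard: after resolving symlinks and '..', the file must sit directly in base_dir.
    if candidate.parent != base:
        return None
    return candidate


def show_file(value, base_dir):
    """Return the file's text, or None when the name is rejected or the file does not exist."""
    path = safe_filename(value, base_dir)
    if path is None or not path.is_file():
        return None
    # argv list with shell=False: the name is one argument, so ; | $() and friends are never interpreted.
    result = subprocess.run(["cat", str(path)], capture_output=True, text=True, check=False)
    return result.stdout


def demo():
    """Constructed directory with my_great_content.txt; tries this section's inputs against show_file."""
    with tempfile.TemporaryDirectory() as base:
        Path(base, "my_great_content.txt").write_text("constructed test text\n")
        inputs = [
            "my_great_content.txt",            # legitimate request
            "my_great_content.txt; ls",        # inline command from the example above
            "../../etc/passwd",                # directory traversal from the example above
            "my_great_content.txt | grep text",
            "$(id)",
            "`id`",
            "< my_great_content.txt",          # redirection trick that bypasses naive filters
        ]
        return {name: show_file(name, base) for name in inputs}


if __name__ == "__main__":
    for name, output in demo().items():
        print(repr(name), "->", "rejected" if output is None else repr(output))
```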

Finally, command injection can be more subtle than finding applications which directly call underlying operating system functions. If it is possible to inject code, say PHP code, then you can also perform command injections. Assume you find an application with a PUT vulnerability on a site which is PHP enabled. An attacker could simply upload a PHP file with a single line to have full access to a shell:

Thus, it should be noted that many types of attacks, including SQL Injection, have shell injection as their primary end goal for gaining control of the server.

Attack Vector

Listener Attacks

IGMP snooping is the process of listening to Internet Group Management Protocol (IGMP) network traffic. The feature allows a network switch to listen in on the IGMP conversation between hosts and routers. By listening to these conversations the switch maintains a map of which links need which IP multicast streams. Multicasts may be filtered from the links which do not need them, which controls which ports receive specific multicast traffic.

Purpose

A switch will, by default, flood multicast traffic to all the ports in a broadcast domain (or the VLAN equivalent). Multicast can cause unnecessary load on host devices by requiring them to process packets they have not solicited. When purposefully exploited this is known as one variation of a denial-of-service attack. IGMP snooping is designed to prevent hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. It provides switches with a mechanism to prune multicast traffic from links that do not contain a multicast listener (an IGMP client).

IGMP snooping allows a switch to only forward multicast traffic to the links that have solicited them. Essentially, IGMP snooping is a layer 2 optimization for the layer 3 IGMP. IGMP snooping takes place internally on switches and is not a protocol feature. Snooping is therefore especially useful for bandwidth-intensive IP multicast applications such as IPTV.

Attack Vector

SQL Injection (Single Quote Problem)

The Single Quote Problem is that the single quote is a reserved SQL character, so placing one in the Name textbox breaks the query behind the page. The mere fact that the query produces an error means there is a strong possibility that the backend program is susceptible to SQL Injection.

Logging in without a password by entering the string ' or 1=1--(with a space after the --) allows you to bypass the password authentication.

SQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. The single quote allows attackers to have the information they are attempting to acquire kicked back to them. You can test for this by changing the password box to plain text and entering a single quote into the password box to see what errors you obtain. What happens then determines how you can exploit the situation. A straightforward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. SQL injection (also known as SQL fishing) works by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker).

cURL

cURL stands for "Client URL Request Library". It is a command line tool for getting or sending files using URL syntax. It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP. The following curl statement provides the blueprint to automate SQL Injection attempts:

curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=login.php" > login1.txt

Man-in-the-Middle Attack

The man-in-the-middle attack in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Cookies Manager

Cookies Manager is used to view, edit and create new cookies. It also shows extra information about cookies, allows editing multiple cookies at once, and can back them up and restore them. When Burp Suite is used as a proxy server and a web browser uses this proxy server, it is possible to control all traffic exchanged between the web browser and web servers.

Mutillidae Example

Burp makes it possible to manipulate data before it is sent to the web server.

This curl statement provides the blueprint to automate SQL Injection attempts:

curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=login.php" > login1.txt

The crack_cookies.txt file contains the session cookies, including the PHP session ID (PHPSESSID) and the UID of the user admin.

What is happening is that Burp Suite obtains the information from someone's session by acting as a proxy server, intercepting the traffic going into the website before it reaches its destination, and kicking the information back to the hacker. Passing the SQL injection to cURL allows you to obtain the login information of users and access the targeted website as those users. The attack outputs the session information obtained by the cookie manager into text files that the hacker can collect. This information can be used to access websites as the user without the user's knowledge. Some countermeasures for SQL injection could be: use language-specific libraries that avoid problems due to shell commands; validate the data provided to prevent any malicious content; structure requests so that all supplied parameters are treated as data rather than potentially executable content; and in J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands. Some countermeasures for cookie managers would be: do not store plain text or weakly encrypted passwords in a cookie; implement cookie timeouts; associate cookie authentication credentials with an IP address; and make logout functions available.

Attack Vector

SQL Injection (Union Attack Display Sensitive Information)

A SQL Union attack, when added to an existing statement, is used to retrieve information from a specified table. It also combines results from multiple statements into one result set. In my research I have found that PHP programming is considered weak because it has many interchangeable integers and strings. This makes it weak because it means that there are very few rules, and that in turn leaves it open to more possible and easier attacks.

Union Attack

An attacker can use a union attack to discover the database table structure by inputting union select null as many times as needed to find out exactly how many columns are in the query. This is useful because it then becomes easier to know exactly where to look for the information you are requesting. A countermeasure that can be used to combat this type of inquiry would, in my opinion, be making sure that there are extensive system logs in place. I also feel that implicit deny would be effective because it blocks any traffic that is not specifically accepted.

Weak PHP Programming

PHP uses strings and integers interchangeably, so there are fewer rules. Therefore, PHP is considered a weakly typed language. PHP is also dynamically typed because the rules are applied at run time instead of at compile time, since PHP is not compiled and is instead interpreted at run time.

Mutillidae Example

An attacker can use the Union attack to display sensitive information by inputting union select ccid,ccnumber,ccv,expiration,null from credit_cards -- . This will take the requested information and input it into the results page. A good countermeasure for this type of attack would be the use of stored procedures. This would force the injection to go through a script that can then deny the attacker access.

By inputting the following command:

curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php" | grep -i "Username=" | awk 'BEGIN{FS="
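The single-quote probe, the ' or 1=1-- login bypass and the five-column union quoted in this and the previous section, as an added example that is not part of the project report: an in-memory SQLite database with a constructed two-table schema stands in for Mutillidae's MySQL backend, the vulnerable function splices input into the query text the way the report describes, and the parameterised function is the stored-procedure-style countermeasure of treating every supplied value as data.

```python
"""Vulnerable string-built lookup versus a parameterised one, exercised with this report's payloads."""
import sqlite3

# Constructed schema: accounts has five columns, which is why the union on this page supplies
# ccid, ccnumber, ccv, expiration and a trailing null. Values are made up for the demo.
SCHEMA = """
CREATE TABLE accounts(cid INTEGER, username TEXT, password TEXT, mysignature TEXT, is_admin TEXT);
CREATE TABLE credit_cards(ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'constructed signature', 'TRUE');
INSERT INTO accounts VALUES (2, 'adrian', 'somepassword', 'another signature', 'FALSE');
INSERT INTO credit_cards VALUES (1, '4111111111111111', '123', '2030-01');
"""

# The inputs this report describes: a lone quote, the login bypass, and the union exfiltration.
SINGLE_QUOTE = "'"
LOGIN_BYPASS = "' or 1=1-- "
UNION_CARDS = "' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- "


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username, password):
    # The weak pattern: user input becomes part of the SQL text, so quotes and -- change the query.
    sql = "SELECT * FROM accounts WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username, password):
    # Countermeasure: placeholders send the values separately; a quote is just a character in a string.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def probe(lookup, conn, username, password):
    """Return ('rows', rows) or ('error', message); an error on a lone quote is the tell-tale sign."""
    try:
        return ("rows", lookup(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = open_db()
    for label, payload in (("single quote", SINGLE_QUOTE), ("login bypass", LOGIN_BYPASS), ("union", UNION_CARDS)):
        print(label, "vulnerable:   ", probe(lookup_vulnerable, conn, payload, ""))
        print(label, "parameterised:", probe(lookup_parameterised, conn, payload, ""))
```

With the vulnerable lookup, the single quote raises a syntax error, the bypass string matches every account, and the union returns the constructed card row; with the parameterised lookup all three return no rows.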