netsparker
Exploitation and Manual Testing
In this next section, we will address the following process:
• Scope of Engagement
• Information Gathering
• Vulnerability Identification
• Exploitation
• Post Exploitation
• Reporting
In typical Web App pentest scenarios, the Exploitation and Post Exploitation phases consist of gathering vulnerabilities and beginning to see how they can be exploited. Part of that process includes eliminating any of the findings that may be false positives.
Netsparker eliminates a lot of this work by virtue of its Proof-Based Scanning technology, which validates a finding by actually exploiting it and presenting the proof-of-exploit or proof-of-concept in the finding details.
Once a vulnerability has been marked as Confirmed, Netsparker allows us, depending on the vulnerability type, to exploit it and perform further operations against the web application.
For example, if a SQL injection is available, Netsparker allows us to run SQL statements on the target application database. Thanks to this feature we will be able to read and edit the entire application database. But this is only one of the features that Netsparker offers.
In the next slides we will see some different exploitation and post-exploitation operations that we can perform on vulnerabilities found in the previous phase.
Selecting a Confirmed vulnerability presents additional options to validate that the exploit works.
In the attack menu, we see that the Generate WAF Rules and Execute SQL Commands buttons are available.
Selecting the Execute SQL commands option opens the SQL Injection Window below the finding. In this window we can run SQL commands to gain information.
This is a time-saving example of Proof-Based Scanning technology, since we are exploiting the vulnerability directly through the scanner.
In this example, we enter @@HOSTNAME and click the Run Query button, off to the right, which executes the command on the remote host.
The information returned from the host is displayed in the window below the command line.
We can also see the LFI (Local File Inclusion) and Code Injection tabs available in this window.
In the top bar of the vulnerability section, the Generate WAF Rules button is also available.
If we select it, we can generate Web Application Firewall (WAF) rules to implement blocks for the specific vulnerability.
Selecting the Generate WAF Rules button, we see the ModSecurity pop-out below.
Selecting the ModSecurity pop-out, we get the option to save the WAF rule file to a local directory.
The image above shows the Web Application Firewall rules generated by Netsparker for inclusion/import into any WAF deployed at the customer location.
We can explore some of the other vulnerabilities to see the functionality offered by the LFI and Command Injection tab.
Let’s click on the Local File Inclusion vulnerability from the site map on the left, and then we can click the LFI Tab below, in the exploit panel.
On the right, we can click the down arrow to the right of the Download button and then click Download Known Files.
We can now see the files on the target host that we are able to access. Selecting any of the files on the left, such as the windows/system32/etc/hosts file, shows the contents of that specific file.
From the download menu, you can also export those files for local analysis.
The image to the right shows the contents of the remote etc/hosts file, which reveals another application hostname, aspnettestsparker, that could potentially be scanned as well.
Now we can take a look at using the code execution tab to gain further information.
To test the code injection, we can select the command injection vulnerability from the site map to the left.
Then, in the Exploitation panel, select the Code Execution tab.
Type in whoami and press the Execute button. We see the results:
=> whoami
ip-0aa6bb64\apacheuser
As another test, we can try the ipconfig command. Executing it, we see the results:
=> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : ec2.internal
IPv4 Address. . . . . . . . . . . : 10.166.187.100
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.166.187.65
Tunnel adapter isatap.ec2.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : ec2.internal
[…]
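As an added illustration of the virtual-patching idea behind the Generate WAF Rules button (this is not Netsparker's own generator or its rule output; the paths, parameter names, rule ids and sample requests are constructed placeholders), the Python below builds a ModSecurity rule scoped to one confirmed finding and checks it offline against the kinds of payloads the slides exploit: @@HOSTNAME for the SQL injection, the traversal to the hosts file for the LFI, and whoami appended to a parameter for the command injection.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# One pattern per vulnerability class the slides exploit (SQL injection, LFI, command
# injection). Illustrative and deliberately narrow: a virtual patch is scoped to one
# confirmed parameter, so it can be stricter than a generic WAF signature.
PATTERNS = {
    "sqli": r"(?i)(@@\w+|\bunion\b.+\bselect\b|\b(or|and)\b\s+\d+\s*=\s*\d+|--|/\*)",
    "lfi": r"(?i)(\.\.[/\\]|[/\\]etc[/\\](hosts|passwd)|system32)",
    "cmdi": r"(?i)([;&|`$]|\b(whoami|ipconfig|ifconfig|cmd\.exe|powershell)\b)",
}


@dataclass(frozen=True)
class Finding:
    """A confirmed finding: its class, the path it was confirmed on, the vulnerable parameter."""
    vuln_type: str
    path: str
    param: str


def generate_modsecurity_rule(finding: Finding, rule_id: int) -> str:
    """Render a chained SecRule pair: first match the confirmed path, then inspect only the
    vulnerable argument. Simplified layout (assumption), not Netsparker's generator output."""
    if finding.vuln_type not in PATTERNS:
        raise ValueError(f"unknown vulnerability class: {finding.vuln_type}")
    msg = f"Virtual patch: {finding.vuln_type} in parameter {finding.param}"
    return (
        f'SecRule REQUEST_URI "@beginsWith {finding.path}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{finding.param} "@rx {PATTERNS[finding.vuln_type]}" "t:urlDecode"'
    )


def rule_matches(finding: Finding, url: str) -> bool:
    """Evaluate the same logic in Python so the rule can be checked offline against sample
    requests before it is pushed to the WAF."""
    parts = urlsplit(url)
    if not parts.path.startswith(finding.path):
        return False
    args = parse_qs(parts.query, keep_blank_values=True)
    for value in args.get(finding.param, []):
        # parse_qs decodes once; a second unquote mirrors t:urlDecode on double-encoded input
        if re.search(PATTERNS[finding.vuln_type], unquote(value)):
            return True
    return False


# Constructed findings and requests (placeholder paths and parameters, not from the slides).
FINDINGS = {
    "sqli": Finding("sqli", "/Products.aspx", "id"),
    "lfi": Finding("lfi", "/Download.aspx", "file"),
    "cmdi": Finding("cmdi", "/Ping.aspx", "host"),
}
SAMPLE_REQUESTS = {
    # label: (finding key, request URL, expected verdict)
    "sqli-exploit": ("sqli", "/Products.aspx?id=1%20UNION%20SELECT%20@@HOSTNAME", True),
    "sqli-benign": ("sqli", "/Products.aspx?id=42", False),
    "sqli-other-page": ("sqli", "/Search.aspx?id=@@HOSTNAME", False),  # outside the patch scope
    "lfi-exploit": ("lfi", "/Download.aspx?file=..%2F..%2Fwindows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts", True),
    "lfi-benign": ("lfi", "/Download.aspx?file=brochure.pdf", False),
    "cmdi-exploit": ("cmdi", "/Ping.aspx?host=10.0.0.5%3B+whoami", True),
    "cmdi-benign": ("cmdi", "/Ping.aspx?host=10.0.0.5", False),
}


def check_samples() -> dict:
    """Return {label: (verdict, expected)} for every sample request."""
    return {
        label: (rule_matches(FINDINGS[key], url), expected)
        for label, (key, url, expected) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for rule_id, finding in enumerate(FINDINGS.values(), start=900001):
        print(generate_modsecurity_rule(finding, rule_id))
    for label, (verdict, expected) in check_samples().items():
        print(f"{label:16} blocked={verdict} expected={expected}")
```

The path check in the first rule of the chain is what keeps this a virtual patch rather than a site-wide signature: the same @@HOSTNAME payload on a page that was not confirmed vulnerable is left to the WAF's general rule set, which keeps the false-positive surface of the emergency rule small while the application fix is being developed.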