C o n t e n t S i n D e ta i l FOrewOrd by Matt Graeber xii PreFaCe xvii C# CraSH COurSe FuzzinG and exploiting xss and SQL injection

Transcription

1 Foreword by Matt Graeber xii Preface xvii Why Should I Trust Mono?... xviii Who Is This Book For?... xviii Organization of This Book... xix Acknowledgments... xxi A Final Note... xxi 1 C# Crash Course 1 Choosing an IDE... 1 A Simple Example... 2 Introducing Classes and Interfaces Creating a Class... 4 Creating an Interface Subclassing from an Abstract Class and Implementing an Interface... 5 Tying Everything Together with the Main() Method... 7 Running the Main() Method... 8 Anonymous Methods... 9 Assigning a Delegate to a Method... 9 Updating the Firefighter Class Creating Optional Arguments Updating the Main() Method Running the Updated Main() Method Integrating with Native Libraries Conclusion Fuzzing and Exploiting XSS and SQL Injection 15 Setting Up the Virtual Machine Adding a Host-Only Virtual Network Creating the Virtual Machine Booting the Virtual Machine from the BadStore ISO SQL Injections Cross-Site Scripting Fuzzing GET Requests with a Mutational Fuzzer Tainting the Parameters and Testing for Vulnerabilities Building the HTTP Requests Testing the Fuzzing Code Fuzzing POST Requests Writing a POST Request Fuzzer The Fuzzing Begins Fuzzing Parameters... 29

2 Fuzzing JSON Setting Up the Vulnerable Appliance Capturing a Vulnerable JSON Request Creating the JSON Fuzzer Testing the JSON Fuzzer Exploiting SQL Injections Performing a UNION-Based Exploit by Hand Performing a UNION-Based Exploit Programmatically Exploiting Boolean-Blind SQL Vulnerabilities Conclusion Fuzzing SOAP Endpoints 53 Setting Up the Vulnerable Endpoint Parsing the WSDL Creating a Class for the WSDL Document Writing the Initial Parsing Methods Writing a Class for the SOAP Type and Parameters Creating the SoapMessage Class to Define Sent Data Implementing a Class for Message Parts Defining Port Operations with the SoapPortType Class Implementing a Class for Port Operations Defining Protocols Used in SOAP Bindings Compiling a List of Operation Child Nodes Finding the SOAP Services on Ports Automatically Fuzzing the SOAP Endpoint for SQL Injection Vulnerabilities Fuzzing Individual SOAP Services Fuzzing the HTTP POST SOAP Port Fuzzing the SOAP XML Port Running the Fuzzer Conclusion Writing Connect-Back, Binding, and Metasploit Payloads 81 Creating a Connect-Back Payload The Network Stream Running the Command Running the Payload Binding a Payload Accepting Data, Running Commands, and Returning Output Executing Commands from the Stream Using UDP to Attack a Network The Code for the Target s Machine The Attacker s Code Running x86 and x86-64 Metasploit Payloads from C# Setting Up Metasploit Generating Payloads viii

3 Executing Native Windows Payloads as Unmanaged Code Executing Native Linux Payloads Conclusion Automating Nessus 103 REST and the Nessus API The NessusSession Class Making the HTTP Requests Logging Out and Cleaning Up Testing the NessusSession Class The NessusManager Class Performing a Nessus Scan Conclusion Automating Nexpose 115 Installing Nexpose Activation and Testing Some Nexpose Parlance The NexposeSession Class The ExecuteCommand() Method Logging Out and Disposing of Our Session Finding the API Version Driving the Nexpose API The NexposeManager Class Automating a Vulnerability Scan Creating a Site with Assets Starting a Scan Creating a PDF Site Report and Deleting the Site Putting It All Together Starting the Scan Generating a Report and Deleting the Site Running the Automation Conclusion Automating OpenVAS 133 Installing OpenVAS Building the Classes The OpenVASSession Class Authenticating with the OpenVAS Server Creating a Method to Execute OpenVAS Commands Reading the Server Message Setting Up the TCP Stream to Send and Receive Commands Certificate Validation and Garbage Collection Getting the OpenVAS Version ix

4 The OpenVASManager Class Getting Scan Configurations and Creating Targets Wrapping Up the Automation Running the Automation Conclusion Automating Cuckoo Sandbox 147 Setting Up Cuckoo Sandbox Manually Running the Cuckoo Sandbox API Starting the API Checking Cuckoo s Status Creating the CuckooSession Class Writing the ExecuteCommand() Methods to Handle HTTP Requests Creating Multipart HTTP Data with the GetMultipartFormData() Method Processing File Data with the FileParameter Class Testing the CuckooSession and Supporting Classes Writing the CuckooManager Class Writing the CreateTask() Method The Task Details and Reporting Methods Creating the Task Abstract Class Sorting and Creating Different Class Types Putting It Together Testing the Application Conclusion Automating sqlmap 167 Running sqlmap The sqlmap REST API Testing the sqlmap API with curl Creating a Session for sqlmap Creating a Method to Execute a GET Request Executing a POST Request Testing the Session Class The SqlmapManager Class Listing sqlmap Options Making a Method to Perform Scans The New Main() Method Reporting on a Scan Automating a Full sqlmap Scan Integrating sqlmap with the SOAP Fuzzer Adding sqlmap GET Request Support to the SOAP Fuzzer Adding sqlmap POST Request Support Calling the New Methods Conclusion x

5 10 Automating ClamAV 191 Installing ClamAV The ClamAV Native Library vs. the clamd Network Daemon Automating with ClamAV s Native Library Setting Up the Supporting Enumerations and Classes Accessing ClamAV s Native Library Functions Compiling the ClamAV Engine Scanning Files Cleaning Up Testing the Program by Scanning the EICAR File Automating with clamd Installing the clamd Daemon Starting the clamd Daemon Creating a Session Class for clamd Creating a clamd Manager Class Testing with clamd Conclusion Automating Metasploit 207 Running the RPC Server Installing Metasploitable Getting the MSGPACK Library Installing the NuGet Package Manager for MonoDevelop Installing the MSGPACK Library Referencing the MSGPACK Library Writing the MetasploitSession Class Creating the Execute() Method for HTTP Requests and Interacting with MSGPACK Transforming Response Data from MSGPACK Testing the session Class Writing the MetasploitManager Class Putting It All Together Running the Exploit Interacting with the Shell Popping Shells Conclusion Automating Arachni 223 Installing Arachni The Arachni REST API Creating the ArachniHTTPSession Class Creating the ArachniHTTPManager Class Putting the Session and Manager Classes Together xi

6 The Arachni RPC Manually Running the RPC The ArachniRPCSession Class The Supporting Methods for ExecuteCommand() The ExecuteCommand() Method The ArachniRPCManager Class Putting It All Together Conclusion Decompiling and Reversing Managed Assemblies 241 Decompiling Managed Assemblies Testing the Decompiler Using monodis to Analyze an Assembly Conclusion Reading Offline Registry Hives 249 The Registry Hive Structure Getting the Registry Hives Reading the Registry Hive Creating a Class to Parse a Registry Hive File Creating a Class for Node Keys Making a Class to Store Value Keys Testing the Library Dumping the Boot Key The GetBootKey() Method The GetValueKey() Method The GetNodeKey() Method The StringToByteArray() Method Getting the Boot Key Verifying the Boot Key Conclusion Index 265 xii