A framework to 0wn the Web - part I -

Similar documents
Andrés Riancho sec.com H2HC, 1

Web Application Security Payloads. Andrés Riancho SecTor 2010, Toronto, Canada.

w3af - Web application attack and audit framework Documentation

CyberP3i Hands-on Lab Series

w3af - Web application attack and audit framework Documentation

Web Application Payloads

w3af - Web application attack and audit framework Documentation

Penetration Testing with Kali Linux

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

IronWASP (Iron Web application Advanced Security testing Platform)

w3af User Guide Document version: 1.7 Original author: Andres Riancho Reviewed by: Mike Harbison Andy Bach Chris Teodorski

Web Penetration Testing

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Web Application Penetration Testing

3. Apache Server Vulnerability Identification and Analysis

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Web Security. Thierry Sans

Web vulnerability scanning and exploitation tools

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

Security Course. WebGoat Lab sessions

CSWAE Certified Secure Web Application Engineer

Securing Your Company s Web Presence

A D V I S O R Y S E R V I C E S. Web Application Assessment

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Certified Secure Web Application Engineer

Certified Vulnerability Assessor

epldt Web Builder Security March 2017

McAfee Certified Assessment Specialist Network

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Lecture Overview. INF5290 Ethical Hacking. Lecture 4: Get in touch with services. Where are we in the process of ethical hacking?

INF5290 Ethical Hacking. Lecture 4: Get in touch with services. Universitetet i Oslo Laszlo Erdödi

Pwn ing you(r) cyber offenders

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Security. DevOps Bootcamp, OSU, Feb 2015 Kees Cook (pronounced Case )

Why Firewalls? Firewall Characteristics

Introduction to Ethical Hacking

C o n t e n t S i n D e ta i l FOrewOrd by Matt Graeber xii PreFaCe xvii C# CraSH COurSe FuzzinG and exploiting xss and SQL injection

TexSaw Penetration Te st in g

Web Application Security Evaluation

Hack in the Box Trends and Tools. H D Moore

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

An analysis of security in a web application development process

CDX REPORT TEAM #8 JACOB CHAPMAN SNEHESH THALAPANENI DEVISHA SRIVASTAVA

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

Contents in Detail. Foreword by Peter Van Eeckhoutte

TIBCO Cloud Integration Security Overview

HHC 2017 writeup, by RedTeam611

Curso: Ethical Hacking and Countermeasures

Exam4Free. Free valid exam questions and answers for certification exam prep

Advanced Diploma on Information Security

WFUZZ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona!

Host Website from Home Anonymously

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Web Security. Outline

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Metasploit. Installation Guide Release 4.4

Who are we? Jonas Zaddach. Andrei Costin. Davide Balzarotti. Aurélien Francillon 2/91

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Securing ArcGIS Services

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

Who am I? Sandro Gauci and EnableSecurity Over 8 years in the security industry Published security research papers Tools - SIPVicious and SurfJack

دوره تست نفوذ. Ver.1.2 شما میتوانید آنلاین در این دوره ثبت نام بلافاصله از آن استفاده کنید. Information Gathering. Bash scripting

Lab 5: Web Attacks using Burp Suite

Evaluating Website Security with Penetration Testing Methodology

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

Coding for Penetration

Exam Questions MA0-150

GOING WHERE NO WAFS HAVE GONE BEFORE

Maltego Tungsten with Teeth / KingPhisher Creating a collaborative attack platform with Maltego Tungsten

Firewall Identification: Banner Grabbing

Vulnerability Validation Tutorial

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Embedded Device (In)Security: Protecting Your Network From Hidden Threats. Paul Asadoorian Embedded Device (In)Security 1

Tenable.sc-Tenable.io Upgrade Assistant Guide, Version 2.0. Last Revised: January 16, 2019

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Virtually Pwned Pentesting VMware. Claudio

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

One Click Ownage, Adventures of a lazy pen tester... Ferruh Mavituna Mavituna Security Ltd. AppSec DC The OWASP Foundation

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web Exploitation Framework wxf

Scan Report Executive Summary

RiskSense Attack Surface Validation for Web Applications

Transcription:

A framework to 0wn the Web - part I - Andrés Riancho andres@bonsai-sec.com SecTor Toronto, Canada - 2009 Copyright 2008 CYBSEC. All rights reserved.

andres@bonsai-sec:~$ whoami Web Application Security enthusiast Developer (python!) Open Source Evangelist With some knowledge in networking, IPS design and evasion w3af project leader Founder of Bonsai Information Security 2

Raise your hands! Who codes in Python? Who heard about w3af? Who used w3af? Who tried to read w3af's code? 3

w3af w3af stands for Web Application Attack and Audit Framework An Open Source project (GPLv2) A set of scripts that evolved into a serious project A vulnerability scanner An exploitation tool 4

Main features Identifies almost all web application vulnerabilities using more than 130 plugins. Cross platform (written in python). GTK and Console user interface Really easy to extend Uses Tactical exploitation techniques to discover new URLs and vulnerabilities Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more! 5

Synergy among plugins Main features WML Support (WAP) Broken HTML support A smarter fuzzer Manual and automated analysis web applications MITM proxy Manual request editor Fuzzy request generator Least, but not less important: an active community 6

Compressed w3af history 7

Architecture w3af is divided in two main parts, the core and the plugins. The core coordinates the process and provides features that plugins consume. Plugins find the vulnerabilities, and exploit them. Plugins share information with each other using a knowledge base. Design patterns and objects everywhere! 8

Architecture 8 different types of plugins exist: discovery audit grep attack output mangle evasion bruteforce 9

Plugins Discovery They find new URLs, forms, etc. and create a complete sitemap. The findings are saved in the core as fuzzable requests. Examples of discovery plugins are: webspider urlfuzzer googlespider pykto 10

Plugins Discovery They are run in a loop, the output of one discovery plugin is sent as input to the next plugin. This process continues until all plugins fail to find a new resource. This feature increases the code coverage of each scan, allowing the audit plugins to find more vulnerabilities. 11

Plugins Discovery Other discovery plugins try to fingerprint remote httpd, verify if the remote site has an HTTP load balancer installed, etc. halberd hmap afd fingerprint_waf I need some refactoring Crawlers Infrastructure 12

Discovery plugins demo 13

Plugins Bruteforce These plugins bruteforce authentications found by discovery plugins in the process of creating a sitemap. There are two different plugins: formauthbrute basicauthbrute Working on Digest Authentication 14

Plugins Bruteforce If valid credentials are found during the bruteforcing process, they are then used during the rest of the web application scanning. There are some problems with this, because the web spider will (by default) follow all the links, including the Logout one. This means that we ll get logged out after logging in! Solution: The webspider plugin has a way of controlling which links are followed: Ignore regex 15

Tactical Exploitation w3af has the following features related to tactical exploitation: Search virtual hosts in MSN search Search email addresses in Google, MSN search and the MIT Public Key Server. Password profiling Searches archive.org for old versions of the web application, which may now be hidden (not linked). Searches Google, MSN search and Yahoo!. 16

Discovery and Bruteforce use case The following plugins are enabled: discovery.fingergoogle discovery.webspider grep.passwordprofiling bruteforce.formbruteauth The fingergoogle plugin searches Google in order to find email addresses like foo@target.tld. When the target is crawled using webspider, the passwordprofiling plugin identifies the most common words in the website. The bruteforce plugin will use the previously gathered information in the bruteforce process: Usernames: from Google, and default dictionary. Passwords: site (www.domain.com ; domain.com ; domain), most common words from password profiling plugin, default dictionary. 17

Tactical Exploitation Demo 18

Plugins Audit They take the output of discovery plugins and find vulnerabilities like: [blind] SQL injection XSS Buffer overflows Response splitting. Vulnerabilities are identified using different methods, that vary on the type of vulnerability being identified, but when possible, all methods are used: Error based Time delay Creating a new remote file Different responses (AND 1=1, AND 1=2) 19

Plugins Audit The framework also has a generic audit plugin that will send two different strings to each parameter: A syntax breaker: d'kc"z'gj'"**5*(((;-*`) And a simple empty string Working without an error database is a feature that allows the generic audit plugin to identify vulnerabilities that couldn t be identified by any other plugins. This is how it works: Send the original request, save response Send a modified request with one parameter modified and set to the limit. For example: if the original parameter value was 1, set it to randint(length=8), save the response. Send a request with the test strings and compare all responses. 20

Plugins Audit As vulnerabilities are found, they are saved as vuln objects in the knowledge base. These vuln objects are then used as the input for attack plugins, that will exploit the vulnerabilities. 21

Plugins Grep These plugins grep every HTTP request and response to try to find interesting information. Examples of grep plugins are: blankbody passwordprofiling privateip directoryindexing getmails error500 22

Plugins Attack These plugins read the vuln objects from the KB and try to exploit them. Examples of attack plugins are: sql_webshell davshell sqlmap xssbeef remote file include shell OS Commanding shell 23

Discover, audit and attack! 24

Advanced Exploitation w3afagent A reverse VPN that allows you to continue intruding into the target network. How does it work? w3af sends the w3afagent client to the target host using a transfer handler (wget, tftp, echo). To perform this task, w3af needs to have remote command execution. The client connects back to w3af, where the w3afagent server runs a SOCKS daemon. 25

Advanced Exploitation w3afagent How does it work? (contd.): Now the user can use any program that supports a SOCKS proxy to route connections through the compromised target server. All the traffic is forwarded to the w3afagent Client, where a new TCP connection is created. 26

Advanced Exploitation w3afagent w3af w3afagent Client Web Application w3afagent Server Reverse connection w3afagent Client w3afagent Server SSH Client using SOCKS proxy Data forwarded using reverse connection w3afagent Client SSH server in DMZ 27

w3afagent demo 28

Advanced Exploitation Virtual Daemon Ever dreamed about using metasploit payloads to exploit web applications? NOW you can do it! How it works: I coded a metasploit plugin, that connects to a virtual daemon and sends the payload. The virtual daemon is runned by a w3af attack plugin, it receives the payload and creates a tiny ELF / PE executable The attack plugin knows how to exec remote commands, and the virtual daemon knows how to upload the ELF/PE using echo or some other inband method. 29

Advanced Exploitation Virtual Daemon How it works (cont.): A new scheduled task is created to run the payload, and the metasploit plugin is ordered to wait The payload is run on the remote server. Normal communication between metasploit and the exploited service follows. 30

Advanced Exploitation Virtual Daemon Metasploit Framework payload w3af - Virtual daemon exec() w3af Attack plugin Reverse Shell ELF / PE Web Application 31

Virtual daemon demo 32

Plugins Others Output: They write messages to the console, html or text file. Mangle: modify requests and responses based on regular expressions. Evasion: modify the requests to try evade WAF detection. Bruteforce: They bruteforce logins (form and basic authentication) 33

Live scan: from future import * User browses the website through w3af w3af parses the requests, and sends them to audit plugins in order to find vulnerabilities. The user can view findings in real time, while browsing the target website. Better management reporting Enhance the MITM Proxy. Releasing 1.0 in a few days. 34

35

How to Contribute? Project website http://w3af.sf.net/ Two different mailing lists, users and develop. IRC channel, #w3af at Freenode. Project leader contact: andres.riancho@gmail.com 36

Questions? 37

After the break A comparison between Web Application Security Fuzzers: w3af Acunetix AppScan N-Stalker Manual analysis features of w3af Writing a plugin from scratch, live! 38

http://w3af.sf.net/ 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback