All Entries Tagged With: "vulnerability"

OWASP Top Ten

From the OWASP website. I thought it was pertinent to post the OWASP Top Ten: we all know what they are, but there is some great information wrapped up in the descriptions. For the full write-up and a lot more useful information, visit the OWASP website.

The OWASP Top 10 Web Application Security Risks for 2010 are:
–Injection
–Cross-Site Scripting (XSS)
–Broken Authentication and Session Management
–Insecure Direct Object References
–Cross-Site Request Forgery (CSRF)
–Security Misconfiguration
–Insecure Cryptographic Storage
–Failure to Restrict URL Access
–Insufficient Transport Layer Protection
–Unvalidated Redirects and Forwards

The full descriptions are well worth reading, and further down that page the risk “factors” are broken out under four headings. Again, there is more detail on the OWASP website, but look at the four headings below. They are a really easy way to classify the severity of a potential threat and to assess the risk you are actually accepting.

Threat agent factors – skill level, motive, opportunity, size

Vulnerability factors – ease of discovery, ease of exploit, awareness, intrusion detection

Technical impact factors – loss of confidentiality, integrity, availability, accountability

Business impact factors – financial damage, reputation damage, non-compliance, privacy violation

…worth sharing I thought!
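The four headings above are the factor groups of the OWASP Risk Rating Methodology, which scores every factor 0 to 9, averages the eight likelihood factors (threat agent plus vulnerability) and the four impact factors, and bands each average as LOW (under 3), MEDIUM (3 to under 6) or HIGH (6 and up); a matrix of the two bands gives the overall severity. The calculator below is an added example, not code from this post or from OWASP. The scale, thresholds and severity matrix are the methodology's; the dictionary key names and the scores for the hypothetical XSS are assumptions made here.

```python
# Added example: OWASP Risk Rating Methodology calculator (not from the post).

# The four factor groups named in the post. The key names are chosen here.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness",
                 "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance",
                   "privacy_violation")

# Overall severity from (likelihood level, impact level), per the methodology.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score):
    """Band a 0-9 average: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(factors, names):
    """Average the named factors; refuse to rate with any missing or out of range."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n}={factors[n]} is outside the 0-9 scale")
    return sum(factors[n] for n in names) / len(names)


def rate(factors, use_business_impact=True):
    """Rate one risk. Likelihood is the mean of all eight threat-agent and
    vulnerability factors; impact is the mean of the business factors when
    you know them (the methodology prefers them), otherwise the technical ones."""
    likelihood = _average(factors, THREAT_AGENT + VULNERABILITY)
    impact = _average(factors, BUSINESS_IMPACT if use_business_impact else TECHNICAL_IMPACT)
    lik_level, imp_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood, "likelihood_level": lik_level,
        "impact": impact, "impact_level": imp_level,
        "severity": SEVERITY[(lik_level, imp_level)],
    }


# Constructed scores for a hypothetical reflected XSS on a public login page;
# illustrative values only, not from the post or from OWASP.
EXAMPLE_XSS = {
    "skill_level": 3, "motive": 4, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 7,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 5,
    "privacy_violation": 3,
}

if __name__ == "__main__":
    for label, flag in (("business impact", True), ("technical impact", False)):
        print(label, rate(EXAMPLE_XSS, use_business_impact=flag))
```

Score business impact only when you actually know the business context; otherwise pass use_business_impact=False and say in the report that the rating rests on technical impact alone. The band boundaries are inclusive at the bottom, so an average of exactly 6 is HIGH.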

Using Core Impact Pro Modules

Core IMPACT Pro can run a full-on Network Vulnerability Test, or just Information Gathering, from the Network RPT tabs. Little attention is paid to the individual modules that make up the suite of tools, and there is so much fun to be had in there. There may come a time when you want to write your own exploits and execute them in Core, or do a specific type of discovery or attack; Core IMPACT Pro gives you that ability, with tremendous flexibility. I’m going to walk you through a couple of scenarios using the “Modules” view, just to show how simple yet effective that part of the product can be.

First, create a new workspace and click on the “Modules View” tab at the bottom left of the Modules workspace. You will see a list of folders.

Take time to look around; look in all the folders at all the available tools, and note the modules structure. You’ll be pleasantly surprised at what is available there. If you wanted to perform a specific targeted attack, or information gathering using a single method, you can have some serious fun here.

I’m going to start with an ICMP sweep to identify all “live” hosts on a subnet.

– double click on the “Information Gathering” folder in the modules workspace. The folder will expand.
– double click on the “Network Discovery” folder – that folder expands also!
– double click “Network Discovery – ICMP”. Input the subnet details you want to scan as shown in the image below, and hit “OK”.

Core Impact will perform an ICMP sweep to find hosts and will attempt to resolve their hostnames. One thing to notice: this is lightning fast. Bear in mind that a host whose firewall drops ICMP echo requests will not show up in this sweep at all, so it is worth following up with a TCP-based discovery pass before you trust the host list.

Once the sweep is done, Core Impact displays the discovered hosts. That’s great, but I want more information so I’m going to attempt to identify the operating systems of the discovered hosts. For a mostly Windows based network (assumption), I prefer using SMB information gathering.

In the modules workspace:

– double click the OS Detection folder
– drag “OS Detect by SMB” and drop it onto your network block (where it says “Network: 192.168.100.0”)

The module will then attempt to find the OS of all the hosts listed in that subnet. In my example there is a mix of operating systems. There were a few that didn’t come up in the SMB scan so there’s more information to be had. Isn’t there always?

In the OS Detection folder there is Nmap OS Stack Fingerprinting. Using Nmap OS Stack Fingerprinting the same way I used the SMB module (drag and drop) I can see some Cisco routers – I’m even given the IOS rev – useful information indeed – plus I see some Macs. I’m going to take a look at a Mac.

When I TCP port scan the Mac I see the Windows File Sharing services running. I’m going to try enumerating users on this machine by dragging the SMB information-gathering module and dropping it onto the host. The SAMR Dumper module gives me some useful information.

Module "DCE-RPC SAMR Dumper" (v1.18) started execution on Wed Jun 24 16:46:45 2009
Retrieving endpoint list from 192.168.100.2
Found domain(s):
. STEVE-SHEAD-C
. Builtin
Found user: nobody
Found user: root
Found user: daemon
Found user: unknown
Found user: lp
Found user: uucp
Found user: postfix
Found user: www
Found user: mysql
Found user: sshd
Found user: qtss
Found user: imap
Found user: mailman
Found user: appserver
Found user: clamav
Found user: amavisd
Found user: jabber
Found user: xgridcontroller
Found user: xgridagent
Found user: appowner
Found user: securityagent
Found user: sshead
The anonymous user has NULL SMB password.
Received 23 entries.
-- Module finished execution after 2 secs.

These usernames can be used in a password attack on this machine if you are so inclined – but I’m not interested in that right now.
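Before those names go anywhere near a password attack, it pays to separate the accounts that are obviously daemons from the ones that belong to people, and to record that the enumeration worked over a null session at all, because anonymous SAMR enumeration is a finding in its own right. The parser below is an added example, not code from this post or from Core. It reads the text format the module output above shows; the embedded sample is constructed from a subset of the account names quoted in the post, and the service-account list is a heuristic assumed here, not anything the module reports.

```python
import re

# Constructed sample in the text format the post's SAMR Dumper output shows;
# a subset of the quoted account names, nothing else assumed about the module.
SAMPLE_OUTPUT = """\
Module "DCE-RPC SAMR Dumper" (v1.18) started execution on Wed Jun 24 16:46:45 2009
Retrieving endpoint list from 192.168.100.2
Found domain(s):
 . STEVE-SHEAD-C
 . Builtin
Found user: nobody
Found user: root
Found user: daemon
Found user: www
Found user: mysql
Found user: sshd
Found user: appowner
Found user: sshead
The anonymous user has NULL SMB password.
Received 23 entries.
-- Module finished execution after 2 secs.
"""

# Heuristic (assumed list): stock daemon accounts on a Unix / Mac OS X Server
# box. They rarely have a sprayable password and root is usually not
# reachable over SMB anyway.
SERVICE_ACCOUNTS = {
    "nobody", "root", "daemon", "unknown", "lp", "uucp", "postfix", "www",
    "mysql", "sshd", "qtss", "imap", "mailman", "appserver", "clamav",
    "amavisd", "jabber", "xgridcontroller", "xgridagent", "appowner",
    "securityagent",
}

HOST_RE = re.compile(r"Retrieving endpoint list from (\S+)")
DOMAIN_RE = re.compile(r"^\s*\.\s+(\S+)\s*$", re.MULTILINE)
USER_RE = re.compile(r"^Found user: (\S+)\s*$", re.MULTILINE)
NULL_SESSION_LINE = "The anonymous user has NULL SMB password."


def parse_samr_dump(text):
    """Turn one module run into a dict: host, domains, users, null_session."""
    host = HOST_RE.search(text)
    return {
        "host": host.group(1) if host else None,
        "domains": DOMAIN_RE.findall(text),
        "users": USER_RE.findall(text),
        # True means anonymous (null-session) SAMR enumeration worked, which
        # belongs in the report regardless of what you do with the names.
        "null_session": NULL_SESSION_LINE in text,
    }


def spray_candidates(dump, service_accounts=frozenset(SERVICE_ACCOUNTS)):
    """Usernames worth a password attempt: service accounts removed,
    duplicates dropped, enumeration order kept."""
    seen, out = set(), []
    for user in dump["users"]:
        key = user.lower()
        if key in service_accounts or key in seen:
            continue
        seen.add(key)
        out.append(user)
    return out


def findings(dump):
    """Report lines for one dump: the null-session exposure and the people."""
    notes = []
    if dump["null_session"]:
        notes.append(f"{dump['host']}: anonymous SAMR enumeration allowed "
                     f"({len(dump['users'])} accounts disclosed)")
    people = spray_candidates(dump)
    if people:
        notes.append(f"{dump['host']}: probable interactive accounts: "
                     + ", ".join(people))
    return notes


if __name__ == "__main__":
    for line in findings(parse_samr_dump(SAMPLE_OUTPUT)):
        print(line)
```

If you do go on to a password attack, check the target's lockout policy first and keep attempts per account well under the threshold; locking out the one real user on the box is a worse outcome than not getting in.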

I’m going to scan the 192.168.0.254 machine since it looks like a Windows 2000 machine (don’t worry, it’s a security test machine). After checking the open ports listed on this machine I’m pretty sure it’s vulnerable to an older remote RPC exploit (MS06-040 worked on this in the old days) to gain access.

– double click the “Exploits” folder in the Modules view
– double click the “Remote” folder and drag the “MSRPC SRVSVC NetrpPath Canonicalize (MS06-040) exploit” onto the host.

If the exploit succeeds, you will see the agent installed just below the host. Whether you chose a “bind” or a “reverse” connection for the agent dictates how you interact with it; I love reverse shells personally. One caveat: this is a memory-corruption exploit against the target’s Server service, so a failed attempt can take that service down. That is fine on a test box like this one, but it is worth knowing before you throw it at anything else.

We can connect to the agent and continue the attack. Right-clicking on the agent lets us open an encrypted remote command prompt. The “ipconfig” command reveals that this machine is dual-homed, which means there’s more fun to be had.

I’d like to explore the newly found network using Core IMPACT; why not? This is one of the many fancy features of Core IMPACT. I can now set the installed agent as a “Source” (right-click on the agent and select “Set as Source”) and pivot any attack from this agent into the new network. This can be extended further, with remote networks explored through “agent chaining”, but that’s another story.

I will start the information gathering cycle again on the newly discovered network and perhaps exploit a Windows XP machine on the remote network.
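The dual-homed ipconfig result is what makes the pivot worthwhile, so it helps to turn that output into the exact network blocks to hand to Network Discovery from the new source agent, leaving out the network you arrived over and any 169.254 autoconfiguration address. The helper below is an added example, not code from this post or from Core; the ipconfig text is a constructed sample in Windows 2000 format, and apart from the 192.168.0.254 target the post names, the addresses in it are invented.

```python
import ipaddress
import re

# Constructed sample of "ipconfig" output from a dual-homed Windows 2000 host.
# Only 192.168.0.254 comes from the post; the other addresses are invented.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# One header line per adapter ("Ethernet adapter Local Area Connection 2:").
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$", re.MULTILINE)
# "IP Address" (2000/XP) or "IPv4 Address" (Vista and later), dot leaders, colon.
IP_RE = re.compile(r"IP(?:v4)? Address[ .]*: *(\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*: *(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(text):
    """Return [(adapter_name, IPv4Interface), ...] for every addressed adapter."""
    parts = ADAPTER_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    interfaces = []
    for name, body in zip(parts[1::2], parts[2::2]):
        for ip, mask in zip(IP_RE.findall(body), MASK_RE.findall(body)):
            interfaces.append((name, ipaddress.ip_interface(f"{ip}/{mask}")))
    return interfaces


def pivot_targets(ipconfig_text, entry_address):
    """Networks to scan through the agent, as (adapter, "a.b.c.0/24") pairs.

    entry_address is the agent host's address on the network you attacked it
    from; that network is skipped (you already scanned it), as are link-local
    169.254/16 autoconfiguration addresses and duplicate networks.
    """
    entry = ipaddress.ip_address(entry_address)
    seen, targets = set(), []
    for name, iface in parse_interfaces(ipconfig_text):
        net = iface.network
        if entry in net or net.is_link_local or net in seen:
            continue
        seen.add(net)
        targets.append((name, str(net)))
    return targets


if __name__ == "__main__":
    print(pivot_targets(SAMPLE_IPCONFIG, "192.168.0.254"))
```

Each block the helper returns is what you type into Network Discovery with the pivot agent set as the source; the same routine works on newer Windows output because the regex also accepts the “IPv4 Address” label.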

OK, let’s stop there for now. You can see that I could have branched off in a number of different directions (attacks, scans and much more) just from messing around in the Modules area. Sometimes it pays to get granular and use individual scans and attacks. Sometimes it pays to have the flexibility to craft your own exploits and incorporate them into your Core IMPACT environment. The moral here is: don’t just play with the automated stuff. That is a ton of fun, but you are missing so much more by leaving out the modules, and the modules can lead you in some pretty interesting directions that you wouldn’t otherwise see if everything was automated.

Deliberately Insecure Web Apps For Learning Web App Security

If you are setting up a penetration testing lab you might want some insecure web applications for learning web application security. Irongeek has a great list that he is keeping up to date. I have copied a few of them into this post. Don’t forget to visit Irongeek for more information.

BadStore
Link: http://www.badstore.net/
Platform: Perl, Apache and MySQL
Install: Meant to run by booting a Live CD, but I’d recommend using my Live CD VMX
Notes: Easy to set up, and it’s nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).

Damn Vulnerable Web App
Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on.
Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I’ve yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.

Hacme Series from Foundstone

Foundstone has put out a whole series of vulnerable web applications you can learn from and test your skills against. Some are harder to install than others since a few are quite old by web standards and the installers require outdated MSSQL services that don’t work the same way as the more up-to-date ones. Still, with a little work you should be able to get them installed on a modern system. I can’t guarantee all of them are designed to only listen on the local loopback, so if you decide to run them on a production network I highly recommend you use a VM set to use the IP addresses that are only available from the local host OS (NAT or Host-only). One of the great things about the Hacme series is the diverse programming platforms they are written in. As I said in the intro paragraph, most web development platforms have similar common vulnerabilities, but it’s nice to know what to look out for in your specific environment. Most of them I have limited install notes on, but I’m working on testing them out.

Hacme Travel
Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
Install:
Notes:

Hacme Bank
Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Platform: Windows, IIS, .Net 1.1
Install:
Notes:

Hacme Shipping
Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
Install:
Notes:

Hacme Casino
Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Platform: Ruby on Rails
Install: Installer that sets up a built in WEBrick server
Notes:

Hacme Books
Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
Platform: J2EE application, Java Development Kit
Install:
Notes:

Foundstone also hosts video solutions for Hacme Travel v1.0 and Hacme Bank v2.0.

Mutillidae
Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It’s designed to be easy to follow and geared towards a classroom environment. Think of it as a noob’s WebGoat.

Stanford SecuriBench
Link: http://suif.stanford.edu/~livshits/securibench/
Platform: J2EE application, Java Development Kit
Install: Looks like it’s another “by hand” install.
Notes: Includes a bunch of vulnerable J2EE web apps, such as: jboard 0.30, blueblog 1.0, webgoat 0.9, blojsom 1.9.6, personalblog 1.2.6, snipsnap 1.0-BETA-1, road2hibernate 2.1.4, pebble 1.6-beta1 and roller 0.9.9.

WebGoat
Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Platform: J2EE web application
Install: Self contained Tomcat server you can run from a directory under Windows or Linux
Notes: Love the fact it’s so self contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with little worry.

WebMaven (AKA: Buggy Bank)
Link: http://www.mavensecurity.com/WebMaven.php
Platform: Perl CGI scripts
Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don’t put the server on a production network.
Notes: I’ve not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.
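The BadStore and Hacme notes above come back to the same check: the lab guest must never sit bridged onto a real network, because every one of these applications is exploitable by design. In VMware that decision is a single line in the guest’s .vmx file. The fragment below is an added example, not taken from this post or from Irongeek’s page; the adapter index (ethernet0) and the rest of the file are assumed.

```ini
# Added example (not from the post): the network lines of a VMware .vmx file.
# Adapter index and surrounding settings are assumed.

# Weak: "bridged" puts the deliberately vulnerable guest on the same LAN as
# every other host, so anyone on that network can reach and exploit it.
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"

# Corrected: "hostonly" makes the guest reachable from the host OS alone.
# "nat" is the other acceptable value if the guest needs outbound access
# to fetch packages; neither exposes the guest to the rest of the network.
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
```

After changing the setting, confirm it from the host side rather than trusting the file: the guest’s address should be in the host-only (or NAT) range, not one handed out by the LAN’s DHCP server.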

Other Resources

The Heorot forum also has a collection of Live CDs you can use as targets in learning pen-testing. They are not necessarily web app focused, but they may still be useful to you.