MUTILLIDAE
PROJECT
SEPTEMBER 5, 2014
Table of Contents
INTRODUCTION
ATTACK VECTOR: BRUTE FORCE
    BRUTE FORCE
    DICTIONARY ATTACK
    BURP SUITE
    MUTILLIDAE EXAMPLE
ATTACK VECTOR: COMMAND EXECUTION INJECTION (HARVESTING)
    COMMAND EXECUTION INJECTION (HARVESTING)
    COMMAND EXECUTION
    COMMAND INJECTION ATTACK
    DATABASE INTERROGATION (DATA HARVESTING)
    MUTILLIDAE EXAMPLE
    HOW TO PERFORM SHELL AND COMMAND INJECTION ATTACKS
ATTACK VECTOR: COMMAND EXECUTION INJECTION (LISTENER ATTACKS)
    PURPOSE
    LOGIN WITHOUT A PASSWORD
    CURL
    MAN-IN-THE-MIDDLE-ATTACK
    COOKIE MANAGER
    MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK DISPLAY SENSITIVE INFORMATION)
    UNION ATTACKS
    WEAK PHP PROGRAMMING
    MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK / CREATE COMMAND EXECUTION PROGRAM)
    COMMAND EXECUTION
    COMMAND EXECUTION LISTENER
    NETCAT
    MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK / CREATE UPLOAD PROGRAM)
    UNION ATTACK
    PHP UPLOAD BACKDOOR
    C99.PHP ROOT KIT
    MUTILLIDAE EXAMPLE
    COUNTER MEASURE
ATTACK VECTOR: FILE UPLOAD
    ATTACK UPLOAD VECTOR
    PAYLOAD
    CREATING A PAYLOAD
    EXECUTING A PAYLOAD
    CONNECTING A PAYLOAD BACK TO A MACHINE
    C99.PHP COMPARE AND CONTRAST
    C99.PHP MALICIOUS FUNCTIONALITY
    MUTILLIDAE EXAMPLE
    COUNTER MEASURE
ATTACK VECTOR: CROSS SITE SCRIPTING
    CROSS SITE SCRIPTING (XSS)
    REFLECTIVE CROSS SITE SCRIPTING
    PERSISTENT CROSS SITE SCRIPTING
    MUTILLIDAE EXAMPLE
    COUNTER MEASURE
CONCLUSION
    THE FUTURE OF ATTACK VECTORS AND GOING FORWARD COUNTER MEASURES
    JAVASCRIPTING AND CGI INPUT VALIDATION
    ONGOING SECURITY TESTING
PROJECT MEMBERS
Introduction
Attack Vector
Brute Force
Brute force (also known as brute force cracking) is a trial and error
method used by application programs to decode encrypted data
such as passwords or Data Encryption Standard (DES) keys,
through exhaustive effort (using brute force) rather than
employing intellectual strategies. It consists of systematically
checking all possible keys or passwords until the correct one is
found. In the worst case, this would involve traversing the entire
search space.
Dictionary Attack
A method used to break security systems, specifically password-based security systems, in which the attacker systematically tests
all possible passwords beginning with words that have a higher
possibility of being used, such as names and places. The word
"dictionary" refers to the attacker exhausting all of the words in a
dictionary in an attempt to discover the password. Dictionary
attacks are typically done with software instead of an individual
manually trying each password.
Burp Suite
Burp Suite is an integrated platform for performing security
testing of web applications. Its various tools work seamlessly
together to support the entire testing process, from initial
mapping and analysis of an application's attack surface, through
to finding and exploiting security vulnerabilities.
Mutillidae Example:
A great majority of web applications provide a way for users to
authenticate themselves. Once a user's identity is known it is
possible to create protected areas or, more generally, to have the
application behave differently upon the logon of different users.
In general, there are several methods for a user to authenticate
to a system. A dictionary file can be tuned and compiled to cover
words probably used by the owner of the account that a malicious
user is going to attack. Burp Suite will be used to intercept
traffic and then configured to launch the attack. Using Burp
Suite, we can change the values of username and password with
each request.
After finding your target, open Mutillidae, then select View
Someone's Blog.
You will see a list of Possible Users; select Please Choose Author.
<Ctrl> and <f> will allow you to search the source code.
Type admin, then press Enter.
You will then insert the IP of the target into the following
parsing command, which pulls the matching option text out of the
page source:
curl -L "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=view-someones-blog.php" 2>/dev/null | grep -i '"admin"' | sed 's/"//g' | awk 'BEGIN{FS=">"}{for (i=1; i<=NF; i++) print $i}' | grep -v value | sed 's/<\/option//g'
Open a terminal, run gedit &, and press <Ctrl> and <v> to paste
the captured output so the message can be displayed.
From here, you will then view login.php again and right-click the
white background to analyze the login.php source.
You will notice the naming convention of the username and
password fields and the value of the submit button.
Turn on intercept
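An added example, not part of the original project write-up: detection logic for the Burp-driven password guessing described above, run over constructed Apache-style (combined format) log lines. The IP addresses, timestamps and Mutillidae paths are assumed sample values; any source that posts to login.php at least a threshold number of times inside a sliding window is flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache-style access log lines (not taken from the original document).
# 10.0.0.5 submits the login form six times in 14 seconds; 10.0.0.9 logs in once.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2014:10:15:01 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
10.0.0.5 - - [05/Sep/2014:10:15:03 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
10.0.0.9 - - [05/Sep/2014:10:15:04 -0500] "GET /mutillidae/index.php?page=view-someones-blog.php HTTP/1.1" 200 3980
10.0.0.5 - - [05/Sep/2014:10:15:05 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
10.0.0.5 - - [05/Sep/2014:10:15:08 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
10.0.0.9 - - [05/Sep/2014:10:15:09 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 302 0
10.0.0.5 - - [05/Sep/2014:10:15:12 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
10.0.0.5 - - [05/Sep/2014:10:15:15 -0500] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4211
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_login_bursts(lines, threshold=5, window_s=60):
    """Flag source IPs that POST to login.php at least `threshold` times within
    any `window_s`-second sliding window. Returns {ip: peak count in a window}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, method, path, _status = rec
        if method != "POST" or "page=login.php" not in path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(detect_login_bursts(SAMPLE_LOG.splitlines()))   # {'10.0.0.5': 6}
```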
Attack Vector
Command Execution Injection (Harvesting)
Command Execution
One of the most critical vulnerabilities that a penetration
tester can come across in a web application penetration test
is an application that allows them to execute system
commands.
Command Injection Attack
A command injection is an attack method in which a hacker
alters dynamically generated content on a Web page by
entering HTML code into an input mechanism, such as a
form field that lacks effective validation constraints. A
malevolent hacker (also known as a cracker) can exploit that
vulnerability to gain unauthorized access to data or network
resources. When users visit an affected Web page, their
browsers interpret the code, which may cause malicious
commands to execute in the users' computers and across
their networks.
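An added example written for this edit, not code from the original project or from Mutillidae: the pattern that makes command execution injection possible beside the argv-plus-allow-list form that prevents it. The hostname lookup form and the nslookup call are assumptions chosen for illustration.

```python
import re
import subprocess

# Characters the shell interprets; their presence in a shell string is the whole problem.
SHELL_META = set(";|&$`<>\n()*?[]{}\\\"'")

# Strict allow-list for what a hostname may look like (assumed for this example).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def shell_metacharacters(user_input):
    """List the shell metacharacters present in the input (empty list means none)."""
    return sorted(set(user_input) & SHELL_META)

def lookup_command_vulnerable(host):
    """The injectable pattern: one string handed to a shell (shell=True or PHP's
    system()), so everything the user typed, metacharacters included, is parsed as
    shell syntax rather than as a hostname."""
    return "nslookup " + host

def lookup_command_safe(host):
    """Validate against the allow-list, then return an argv list: no shell is ever
    involved, so there is no syntax for the input to break out of."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["nslookup", host]

def run_lookup(host, timeout=5):
    """Execute the validated argv directly (not invoked by the self-check below)."""
    return subprocess.run(lookup_command_safe(host), capture_output=True,
                          text=True, timeout=timeout).stdout

if __name__ == "__main__":
    for candidate in ["example.com", "example.com; id"]:
        print(lookup_command_vulnerable(candidate), shell_metacharacters(candidate))
        try:
            print(lookup_command_safe(candidate))
        except ValueError as err:
            print("rejected:", err)
```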
Database Interrogation (Data Harvesting)
When you interrogate a customer database, you use the
software to ask carefully defined questions. The procedures
vary depending on your software, but the basic logic applies
to any database. Enter one or more items, called fields or
field names, and the values you want to output.
Mutillidae Example:
Attack Vector
Listener Attacks
IGMP snooping is the process of listening to Internet Group
Management Protocol (IGMP) network traffic. The feature allows a
network switch to listen in on the IGMP conversation between
hosts and routers. By listening to these conversations the switch
maintains a map of which links need which IP multicast streams.
Multicasts may be filtered from the links which do not need them,
which controls which ports receive specific multicast traffic.
Purpose
A switch will, by default, flood multicast traffic to all the ports in a
broadcast domain (or the VLAN equivalent). Multicast can cause
unnecessary load on host devices by requiring them to process
packets they have not solicited. When purposefully exploited this
is known as one variation of a denial-of-service attack. IGMP
snooping is designed to prevent hosts on a local network from
receiving traffic for a multicast group they have not explicitly
joined. It provides switches with a mechanism to prune multicast
traffic from links that do not contain a multicast listener (an IGMP
client).
IGMP snooping allows a switch to only forward multicast traffic to
the links that have solicited them. Essentially, IGMP snooping is a
layer 2 optimization for the layer 3 IGMP. IGMP snooping takes
place internally on switches and is not a protocol feature.
Snooping is therefore especially useful for bandwidth-intensive IP
multicast applications such as IPTV.
Attack Vector
The mere fact that the query produces an error means there is a
strong possibility that the backend program is susceptible to a SQL
Injection.
SQL Injection
SQL injection is a code injection technique, used to attack
data-driven applications, in which malicious SQL statements are
inserted into an entry field for execution. SQL injection must
exploit a security vulnerability in an application's software, for
example, when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user
input is not strongly typed and unexpectedly executed. SQL
injection is mostly known as an attack vector for websites but can
be used to attack any type of SQL database. A single quote in the
input is what gets the information the attackers are after kicked
back to them, in the form of a database error. You can test for
this by changing the password box to plain text and entering a
single quote into the password box to see what errors you obtain.
What happens next determines how the situation can be exploited.
A straightforward, though error-prone, way to prevent injections
is to escape characters that have a special meaning in SQL. The
manual for an SQL DBMS explains which characters have a special
meaning, which allows creating a comprehensive blacklist of
characters that need translation. For instance, every occurrence
of a single quote (') in a parameter must be replaced by two
single quotes ('') to form a valid SQL string literal.
SQL injection (also known as SQL fishing) is a technique often
used to attack data-driven applications. This is done by including
portions of SQL statements in an entry field in an attempt to get
the website to pass a newly formed rogue SQL command to the
database (e.g., dump the database contents to the attacker). SQL
injection is a code injection technique that exploits a security
vulnerability in an application's software. The vulnerability
happens when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user
Attack Vector
SQL Injection (Union Attack Display Sensitive
Information)
A SQL UNION attack, when added to an existing statement, is used
to retrieve information from the specified table. It also combines
results from multiple statements into one result set. In my
research I have found that PHP programming is considered a weak
programming language because it has many interchangeable integers
and strings. This makes it weak because it means that there are
very few rules, and that in turn leaves it open to more possible
and easier attacks.
Union Attack
An attacker can use a union attack to display the database table
structure by inputting union select null as many times as
needed to discover exactly how many columns are in the
database. This is a useful tool because then it will be easier to
know exactly where to look for the information you are requesting.
A counter measure that can be used to combat this type of inquiry
would in my opinion be making sure that there are extensive
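The single-quote probe, the "union select null" column count and the union disclosure described in this section and the SQL Injection section before it, carried through as an added example (not the project's code) against an in-memory SQLite table with constructed rows; the parameterised lookup beside the vulnerable one shows why the same input is harmless there.

```python
import sqlite3

def make_db():
    """In-memory accounts table with constructed sample rows (not Mutillidae's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("admin", "S3cretAdm1n", "admin@example.test"),
        ("bob", "hunter2", "bob@example.test"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    """The weak pattern: the username is pasted straight into the SQL text."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameterised query: the driver sends the value separately, never as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def single_quote_probe(conn):
    """The page's first test: does a lone quote produce a database error?"""
    try:
        lookup_vulnerable(conn, "'")
    except sqlite3.OperationalError as err:
        return str(err)          # error text reaches the user: likely injectable
    return None

def count_columns(conn, limit=10):
    """'union select null' with 1..limit nulls: the first count that does not
    error is the number of columns the original SELECT returns."""
    for n in range(1, limit + 1):
        try:
            lookup_vulnerable(conn, "' union select " + ",".join(["null"] * n) + "--")
            return n
        except sqlite3.OperationalError:
            continue                # column-count mismatch, try one more
    return None

if __name__ == "__main__":
    db = make_db()
    payload = "' union select username, password from accounts--"
    print(single_quote_probe(db))          # an error message, so the query is injectable
    print(count_columns(db))               # 2
    print(lookup_vulnerable(db, payload))  # passwords come back through the email column
    print(lookup_safe(db, payload))        # [] : the payload is just an unknown username
```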
Attack Vector
SQL Injection (Union Attack / Create Command
Execution Program)
Union Attack
A SQL UNION attack, as explained above, is added to an existing
statement and used to retrieve information from the specified
table. It also combines results from multiple statements into one
result set.
Command Execution
Command execution takes commands and uses said commands to
dump files and information into separate files.
Command Execution Listener
A command execution listener is a listener to the execution of
commands. This listener will be notified if a command is about to
execute, and when that execution completes. It is not possible for
the listener to prevent the execution, only to respond to it in some
way.
Netcat
Netcat is designed to be a dependable back-end that can be used
directly or easily driven by other programs and scripts.
Mutillidae Example
By inputting ' union select null,null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute
Attack Vector
SQL Injection (Union Attack / Create Upload Program)
Union Attack
Union attack is a specific flavor of SQL injection. It is arguably the most
destructive and allows the attacker to extract extremely large chunks of
data in a very short amount of time. Union attacks are very quick and
Attack Vector
File Upload
Attack Upload Vector
An upload attack vector exists when a website application
provides the ability to upload files. An attack vector is the
approach used to assault a computer system or network. A fancy way
of saying "method or type of attack," the term may refer to a
variety of vulnerabilities.
For example, an operating system or Web browser may have a
flaw that is exploited by a Web site. Human shortcomings are also
used to engineer attack vectors. For example, a novice user may
open an e-mail attachment that contains a virus, and most
everyone can be persuaded at least once in their life to reveal a
password for some seemingly relevant reason.
Payload
On the Internet, a payload is the essential data that is being
carried within a packet or other transmission unit.
Instead of hard coding the payload in the exploit code, set the
payload option with setg (set global) and then run the save
command. You can then develop your module without configuring the
payload again and again. Of course, if you need a separate
payload for any other module, just set it as normal using the
set command and it will override the global one. This is more
flexible than hard coding the payload within the exploit code.
Creating a Payload
Return-oriented programming is an advanced version of a stack
smashing attack. Generally, these types of attacks arise when an
adversary manipulates the call stack by taking advantage of a bug
in the program, often a buffer overrun. In a buffer overrun, a
The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands
and PHP code. It also provides for connecting to MySQL databases,
and initiating a connect-back shell session.
Mutillidae Example
A file upload flaw allows a remote user to upload arbitrary files
and execute arbitrary code on the target system.
Counter Measure
Do not rely on user inputs; use hash tables, white-list filters,
escape commands, validate file type and format, run AV on
uploaded files, and segregate uploads.
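The counter measures listed above (white-list filter, validate file type and format, segregate uploads under server-chosen names) as an added example that is not part of the original document; the allow-listed extensions, magic numbers and script markers are assumptions chosen for illustration.

```python
import os
import secrets

# Allow-list: extension -> magic bytes the file must begin with (assumed set for this example).
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# Inner extensions that a PHP-enabled web server might execute if the name is ever reused.
EXEC_EXTS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".sh"}
# Byte sequences that have no business inside an image upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def check_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, reason). Accepts only allow-listed image extensions whose
    bytes start with the matching magic number and contain no script markers."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    root, ext = os.path.splitext(name.lower())
    if ext not in ALLOWED:
        return False, "extension not allowed: " + (ext or "(none)")
    if os.path.splitext(root)[1] in EXEC_EXTS:           # e.g. c99.php.png
        return False, "double extension"
    if len(data) > max_bytes:
        return False, "too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match " + ext
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"

def stored_name(ext):
    """Random server-chosen name; the client's filename never reaches the filesystem."""
    return secrets.token_hex(16) + ext

def destination(upload_dir, ext):
    """Where the file goes: a directory outside the web root, chosen by the server."""
    return os.path.join(upload_dir, stored_name(ext))

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for fname, blob in [("photo.png", png), ("c99.php", b"<?php echo 'x'; ?>"),
                        ("c99.php.png", png), ("pic.png", b"GIF89a" + png),
                        ("pic.png", png + b"<?php echo 'x'; ?>")]:
        print(fname, check_upload(fname, blob))
```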
Attack Vector
Cross Site Scripting
Cross Site Scripting
A form of attack against web applications is called Cross Site
Scripting, also known as XSS. In a cross-site scripting attack, data
is entered into an application which is later written back to
another user. If the application has not taken care to validate the
data correctly, it may simply echo the input back allowing the
insertion of JavaScript code into the HTML page.
Reflective Cross Site Scripting
In a reflected cross site scripting attack, the attack is in the request
itself (frequently the URL) and the vulnerability occurs when the
server inserts the attack in the response verbatim or incorrectly
escaped or sanitized. The victim triggers the attack by browsing to
a malicious URL created by the attacker.
Persistent Cross Site Scripting
A persistent cross-site scripting vulnerability is when the
attacker provides malicious data to the web application and it is
stored permanently in a database or some other similar storage. The
malicious data is later accessed and executed by the victims
without it being filtered or sanitized. This variant of cross-site
Counter Measure
The best counter measure approach is always to probe for
vulnerabilities, intrusion detection systems, and blocking attacks
using firewalls. The simplest form of XSS protection is to pass all
external data through a filter.
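An added example, not from the original document, showing the filter-at-output counter measure for both variants above: a stored comment rendered with and without escaping, and a reflected query placed inside an attribute, where quote escaping is needed as well. The comment store and page fragments are constructed for illustration.

```python
import html

# Constructed stored comments, as a persistent XSS attempt would leave them in the database.
STORED_COMMENTS = [
    ("alice", "Nice blog!"),
    ("mallory", "<script>alert(1)</script>"),
]

def render_comments_vulnerable(comments):
    """Echoes stored data straight into the page: saved markup becomes live markup
    for every later visitor, which is what makes the persistent variant dangerous."""
    return "".join("<p><b>%s</b>: %s</p>" % (user, text) for user, text in comments)

def render_comments_safe(comments):
    """Same stored data, escaped at output time for the HTML body context.
    The database keeps the raw text; only the rendering changes."""
    return "".join("<p><b>%s</b>: %s</p>" % (html.escape(user), html.escape(text))
                   for user, text in comments)

def reflected_link_safe(query):
    """Reflected input landing inside an attribute: quote=True also escapes " and ',
    so the value cannot terminate the attribute it sits in."""
    return '<a href="/search?q=%s">search again</a>' % html.escape(query, quote=True)

def echoes_unescaped(rendered, stored_text):
    """True when the stored text appears verbatim (unescaped) in the rendered page."""
    return stored_text in rendered

if __name__ == "__main__":
    print(render_comments_vulnerable(STORED_COMMENTS))
    print(render_comments_safe(STORED_COMMENTS))
    print(reflected_link_safe('"><b>'))
```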
Conclusion
The Future of Attack Vectors and going forward counter
measure
Cybercriminals tend to focus where the weak spots are and use a
technique until it becomes less effective, and then move on to the
next frontier. Protecting data in a world where systems are
changing rapidly, and information flows freely, requires a
coordinated ecosystem of security technologies. Going forward,
counter measures must focus on all the key components:
enforcement of use policies, data encryption, secure access to
corporate networks, productivity and content filtering,
vulnerability and patch management, and of course threat and
malware protection.
Java Scripting and CGI input validation
When you submit a form to a CGI program that resides on the
server, it is usually programmed to do its own check for errors. If it
finds any it sends the page back to the reader, who then has to re-enter some data before submitting again. A JavaScript check is
useful because it stops the form from being submitted if there is a
problem, saving lots of time for your readers.
PROJECT MEMBERS
PROJECT MANAGER
Cyuba Thomas
DeMarc
Nathan Green
Gradney
Preston Mendez
Maurice Smith