Posted in Penetration Testing

Problem solving

pexels-photo-90807

 

Training to be a Pen Tester is very different to doing the job of a Pen Tester. No one, who is in the job can really give a new learner any advice about Pen Testing because each company may do things a little different than another company.

This was a conclusion I came to only after I became a junior tester. Not only that, there’s a ton of information to get through, so your head is pretty much like mush for months, learning new things everyday.

Problem

I came across a time management problem recently. I needed to extract 187 IP addresses from the output of a tool in a HTML document. Why? – I hear you ask! I needed to format the IP addresses so that excel would align them correctly in a cell.

I didn’t have time to copy each IP address individually and paste it into excel in the format required.

Output data (for example)

192.168.0.2 (tcp/443)
Apache Web Server

192.168.0.3 (tcp/443)
Apache Web Server

192.168.0.4 (tcp/443)
Apache Web Server

Excel expected data

192.168.0.2; 192.168.0.3; 192.168.0.4;

Formatting this data by way of copy and paste was not an option.

Solution

The Linux command line interface is probably one, or thee most important tools to a tester (Only just realising this now).

Tasks I needed to perform:

  • Cut the IP address from the text
  • Add a semi-colon to the end of each IP address
  • Produce a long string that could be copied into Excel.

One Liner

Copying all the data from the HTML output and pasting it into a file was a good start. I then, through trial and error, managed to get my output to the point to where it was usable by using this command string.

cat file.txt | grep 192 | cut -f1 -d “(” | sed ‘s/$/;/’ |tr -d ‘ ‘ | xargs

The tr -d ‘ ‘ was only for mac because using the sed substitution command for some reason inserted a space between the end of the IP address and the semi-colon. On Linux this doesn’t happen.

This command string turned my data into the required Excel format.

Simple

Some may wonder why this even a blog post. It’s low level simple data manipulation. Yes, that’s true, however, it’s a side of the job that no one really thinks about. Time sensitive data manipulation on a large scale is required so it’s best to get used to it.

During OSCP, you’re only ever really working on one or two boxes at a time. Think larger, think hundreds of IP addresses and how you would cope with that load.

Posted in Penetration Testing, Thoughts

Don’t skip anything

I’ve been a Junior Security Tester for nearly a month now. It’s been really good.
It was scary to leave the comfort zone of being a hobbyist hacker, however, when opportunity knocks, you need to open the door. Learning new things everyday and a few familiar things I seen in PWK that I have to go over again.

oscp-certs

OSCP has become a strange word in my vocabulary. I am very proud to have achieved it, don’t get me wrong, however, I came out of that exam pass with an odd sense that I had climbed a very hard and long ladder (I did). Somehow at the top, the world I was about to head into would be easier to handle and I could learn anything the world put in front of me.

The last part is true. Instead of having weeks to learn something, I now have a day at best. It’s not a criticism, it’s pretty impressive to be able to do that, and I doubt if it wasn’t for OSCP, I’d probably have struggled. It has, however, made me think about how I approached the Penetration Testing with Kali Linux (PWK) course.

Many people have their own way of starting a learning process. Each is unique to them, and everyone will get something different out of it. I chose to set a time goal on my efforts. I needed to pass OSCP in a set time frame. Not because I had to, but it seemed like a good idea at the time. I think it’s fair to say, I may have missed a few memos along the way. There was times I glanced over some of the material or touched on something pretty cool and used it once, never to see it again.

I’m writing this to tell you, not to do that.

PWK is a great platform to learn everything you want, or nothing. The goal is to root as much as you can, and yes, that might put you high up on the social ladder, but I can assure you now, it won’t help you later.

OK Paul, get to the point!!

I’ve had to learn a few things pretty fast. Obviously I can’t tell you what jobs I’ve been doing because I not only value my position in the company, but I respect our clients anonymity and the hard work of my colleagues. What I can say is, you shouldn’t try to put a time pressure on your journey through PWK. Obviously if financial pressure prevents your progress, I can only sympathise and you should set your own goals.

You have a unique position. A controlled environment where you can do no real damage from your failures. Mess something up? Just revert the server and start again. Offensive Security play the genius card here by making sure you mess it up at least a few times. The learning process here is priceless.

Don’t skip over the small stuff. If you’re new to Linux, here’s some things you really shouldn’t glaze over.

  • File and folder permissions
  • Use of sudo and managing users
  • Learn the relationship between /etc/passwd & /etc/shadow
  • Identify what password hash is being used to encrypt password in the shadow file
  • Using tools like cut, sed and awk to manipulate data in large files (very important)
  • Fix things that go wrong in Linux. Don’t just dump a new VM in place
  • Using MySQL would be a good one too.
  • Learn how to code a simple PHP web app and connect it to MySQL with users

I probably have a few more, that I’ll add, but these were certainly the things I thought I could have spent more time on.

Being a Windows sysadmin for 10 years, I thought I knew a lot in that space. In my PWK journey, I learned more. Where the account hashes are stored, how to get to them, and using accesschk.exe to interrogate file permissions from the shell. You don’t need to do all that in Windows as you have a GUI to handle it all.

Always give yourself options. Learn the GUI side of things, but also learn how to do it all in a shell too. Sometimes all you have is a shell. You need to be able to feel your way around a system and fast.

Speed and Accuracy

Two words that when combined usually end in disaster. The faster you go, the more likely you are to make mistakes. If you try to be more accurate, you will be slower. When you start in a job, you need both. Accuracy is extremely important. You can’t rock up to a client on an external test launching an aggressive nmap scan. Chances are you’ll get rate limited, and waste 7 hours of your day. But that worked in PWK? Sorry, but you need to become more stealthy. Sometimes the slowest scan can yield the fastest results. It’s crazy, but worth investigating. Have a read at the Timing & Performance notes on the site.

Nmap Timing & Performance

The same rule can apply to a lot of things you can do in PWK. Think about your enumeration techniques. I’m not an expert. I’m still learning my own, but you need to be accurate. Do you really trust what an output tells you about the Operating System? Is it accurate? There’s a lot of false positives out there from automated scanning.

Nothing is there by mistake

Offensive Security should probably win an award for how they teach the course. It has a knack of accelerating keen individuals or killing off the people who like the badge of wanting to be a Pen Tester. I nearly died off a few times myself, but I “Tried Harder” (cries)

Nothing they include in the course is there by mistake. It’s not there to pad it out or be used as a filler. It’s important to make sure you go through the materials and enumerate the network and treat it for what it is. A living network. It’s not just vulnerable VM’s with IP addresses that you pick off one at a time and bask in the glory of showing everyone a screenshot with the ID ROOT (guilty). You’ll be doing yourself a grave injustice if you attack it like that.

Vulnerabilities

The whole reason most of us are here. Everything is vulnerable to something. Someone has either found it or hasn’t yet. We live off the idea that we will find whatever the vulnerability is and exploit it (in PWK). This is where I feel a lot can be learned in from the course. Normal practice for most, is to find the vulnerability, exploit it, get shell and move on to Privilege Escalation. At no point did I ever go back and try to understand why a machine was vulnerable, or whether there was any other vulnerabilities. It’s a good idea to expand your vulnerability landscape. A company might be happy you found something for them to fix, but did you find anything else? Think about that as it can prove useful later. Get into the mindset of finding all that you can.

Reporting

My oh my, reporting! Thee single most important part of the process. The client deliverable. The single piece of evidence a client needs to support your claims and their requirement for more staff, funding, systems or whatever. Many people don’t do a Lab Report in PWK. I would stress that it is really important to get it done. It’s going to teach you some of the basics. Lots of companies do their reports in their own way but if you miss this out, you not only lose points, but good experience in writing. Being able to write down everything you find is kind of a big deal. Don’t think for one second you’ll never be asked to do it.

WOW! that was big!

I’m not even sure I covered everything I wanted to talk about. I just started typing. In summary I’d change my advice on how to approach PWK/OSCP. You’re going to need every ounce of data you can pull from that course. Use it as a platform for learning. Don’t just fly in there with an idea to root a loot everything you see. If you want a job as a Pen Tester, use PWK to expand your knowledge base and build confidence in your ability to spot vulnerabilities, navigate Linux and Windows with ease and trust your accuracy in any given task.

Of course, you can do all of that BEFORE you commit to PWK. One thing I wish I did, was just using Ubuntu as a daily driver as a sysadmin. I wish I had linux servers to work on. Web servers to administer and MySQL databases. You can learn all that now. Don’t skip anything!!

Thanks for reading the mindless ramblings of a madman 🙂

 

Posted in Penetration Testing

Privilege Escalation

pexels-photo-127627

I’m probably not qualified enough to do a post on this subject, however, it is my favourite thing about attacking a vulnerable CTF style machine and more often than not it’s the shell part I have trouble with.

I’m not an expert on the method of privilege escalation, but hopefully I can put to bed some ideas that some people may have about it. Based on my experience obviously.

When you start out, you are told to visit a few sites to learn about priv esc. I’ll list them below.

That’s it! – That is all you get told to review.

So what’s the deal?

From my experience of being a sysadmin for 11 years and passing OSCP (recently), there is no stick in the mud method for privilege escalation. It comes in several forms.

  • Old Linux Kernel exploit
  • Old SMB Windows exploits for remote admin access
  • Vulnerable bit of software running as root
  • Some Powershell Windows exploits (few)

To enumerate as much as you can, you’ll want to run something against your target to shave off a bit of time punching in a load of commands. The below script is quite useful for that.

Linuxprivescchecker.py

It’s extremely useful to just glean as much info out of a box locally once you get access. It’s not perfect but it’ll give you a quick glance at what you’re dealing with.

Lately I’ve found a great deal of success where users of the system create files. Remember, a human user will create mistakes when creating files/folders and jobs on a server. I’m a sysadmin, and I’ve made loads of mistakes too. Check home directories for interesting files created by admins for users.

Linux 

  • /home/
  • /tmp
  • ls -al /etc/cron*

Pay extremely close attention to permissions of files. It’s going to be worthless to you if you miss out learning about permissions.

Windows

  • C:/Users/ (check the folders for files)
  • schtasks /query /fo LIST /v (shows list of scheduled tasks)
  • Accesschk.exe to check for files/Services with Authenticated Users write permissions

But why?

Ok, so in order for a standard user to escalate their privileges on a target system, sometimes we need to do some digging into processes running as root/admin. If we can get the system to perform our commands instead of the intended command, the system will execute that command as the root user.

Think outside of the box here. You have checked a windows batch file that just does a check to see if a service is up and running and reports back to the admin in a console prompt on the screen. You’ve checked the permissions and you can edit the file with your limited access. The scheduled tasks runs every 20 mins. That means you have 20 mins to figure out a way to edit the file and have it run your command as root.

Get inventive

The above links merely show you where to get the information you need. Sometimes you might find admin creds in a file, or see creds in .bash_history (but not always) Even if you find a file that you can edit, can you do anything with it?

The first thing a type when I get into a Linux system is;

find / -perm -4000 -exec ls -al -print 2>/dev/null {} \;

What that does is search from the root system ‘/’ for all files where the SUID executable bit is set. That means all the files that run as root. I won’t be able to edit them most of the time, however, sometimes they can lead to other files that you can edit.

For instance if it’s an executable file in Linux, you can run ‘strings’ on it so see if it’s doing anything to any other files on the system.

MySql

A neat trick I learned lately was finding root user creds for MySql on the system in a file I ran strings on. Logged in locally to MySql as root and executed a bash command in MySQL that executed a simple file to give back a shell. Because I was the root user it gave me a root shell. Amazing trick learned on the Pentest Ltd Securi-tay 2017 CTF.

Summary

Like I said, I’m no expert but one thing I know is to pay close attention to the files that human users create. Focus in on that and you’ll likely find something to play with. Even for sysadmins, file and folder permissions can be a nightmare and extremely dangerous if they are not set correctly.

It’s worth going over the above links in detail and have a play around with testing things on your own too. It’s not difficult to set something up to be vulnerable to attack. Privilege Escalation isn’t an exact science and if you’re looking to write down step by step guides on how it’s done you’re going to be chasing unicorns.

Learn how to look out for files that look out of place. Learn permissions like the back of your hand and use the find function in Linux to quickly sift through the files you need. In Windows, you can use a meterpreter shell to get the same permissions your used to in Linux, if Accesschk.exe isn’t an option, however, Accesschk.exe will always give you a ton of information.

 

Posted in Education, Penetration Testing

Penetration Testing Books 2017

book-reading-library-literature-159697

Having spent (wasted) a lot of money on Penetration Testing books that were either not very interesting or just far too advanced for a junior or new learner, I wanted to just put it down in words how I felt about some of the recommended material on offer.

I’ll just list the books in order of usefulness, write a little about them and let you know whether it’s suitable for a new learner in Pen Testing.

Web Application Hackers Handbook V2 – Amazon UK
I read so many great reviews of this book. It’s not called the bible of web testing for nothing. It really is a great reference manual and should feature highly in everyone’s list.

Verdict: Ideal for new learners and experienced people for quick reference. A must!

Penetration Testing: A Hands-On Introduction to Hacking – Amazon UK
I’d say this was a must for any new learner. Especially if you are thinking of taking OSCP. I’d buy this first, get through it and then do OSCP, instead of buying the book halfway through like me.

Verdict: An absolute must for new learners and juniors. Maybe more experienced testers would let it lie on a shelf, not sure.

Hacking Linux Exposed – Amazon UK
I got this book for £4 and it’s been a very worthy addition to my shelf. I’ve used it loads of times as a quick reference during PWK (OSCP) A very worthy addition for the price. It’s old in some cases but still very relevant.

Verdict: Ideal for new learners. Maybe experienced testers will use it from time to time as a refresher.

Network Security Assessment: Know your network – Amazon UK
I found it hard to put this book down when I got it. It’s really easy to read and has a calming effect when you read it. I’d add the newest version of the book even though I have version 3.

Verdict: Ideal for everyone I’d say, and a part of the CREST reading recommendations list.

 

RTFM: Red Team Field Manual – Amazon UK
The first book I ever bought. A baptism of fire if you’ve never tackled hacking before. The book makes a lot of sense to me now. It’s a great book to have a round and I found it really useful at times during OSCP.

Verdict: It’s worth getting as a new learner. Exposes you to a lot but don’t be put off by it. Before you know it, you’ll be able to recognise everything in the book.

Books I’m still not sold on yet

The Hacker Playbook 2: Practical Guide to Penetration Testing – Amazon UK
This was in many people’s recommendations for new people learning Pen Testing, however, I just found it really strange to follow as a book. There’s no quick reference possible as it has no page index as such. The images are hard to make out and I put it down several times. Probably because it’s based on American Football in it’s approach and I don’t like the sports so it took me a while to read it.

Verdict: I’d advise this be bought later. Save your money. It’s good, but for later.

Mastering Modern Web Penetration Testing – Amazon UK
I have just bought this book so it would be unfair to rubbish it or recommend it. Early thoughts are that it’s a bit expensive for the amount you get. It’s about a 3rd of the size of WAHH.

Verdict: I’d say it was ideal for new learners before reading WAHH. Only if you have money to spare.

BlackHat Python – Amazon UK
Violent Python – Amazon UK
Very specialist books (Violent Python is more useful) and I’d advise that you get a foothold into Python first before getting these books.

Verdict: Ideal for more experienced Python programmers. There’s other things to learn first.

Gray Hat Hacking 4th Edition – Amazon UK
My second ever hacking book, and what an eye opener it was. I still don’t understand half its contents. It’s very focussed on certain parts of hacking. To call it a handbook isn’t fair. It’s a big book, heavy in weight and in technical content.

Verdict: I’d steer clear of this one as a new learner. It’s reserved for many smarter than us.

Open Source Intelligence Techniques – Amazon UK
I was glued to this book for about 3 days, then the notion wore off. It’s a good book if you’re interested in OSINT as a way of finding out more info online, however, I can’t really say I’ve ever had a problem finding what I wanted without the book. I haven’t broke the back on the book yet so that shows it doesn’t feature as a desk quick reference manual.

Verdict: I wasn’t sold on it to be honest. It’s an extra if you want it.

Nmap Network Scanning – Amazon UK
Probably the book I’m most disappointed by. It’s just a load of information and no way to find what you are looking for. I want to know what the -sV switch really does. The book can’t tell me. If it does, it’s in the wrong section of the book.

Verdict: I’d avoid it. There’s a ton of resources online to teach you nmap.

Summary

InfoSec/Pen Testing books are expensive. With each of them costing around £30 each in the UK, it adds up to a lot of money you could be using on something else. Training is expensive and when you are starting out you can fall foul to buying the wrong material, hurting your wallet/purse and leaving you feeling deflated at the thought of learning from an advanced book.

I’d also be very wary of books and courses that mention the word ‘advanced’ In my experience (a year into training) there’s not much ‘advanced’ teaching in them. Gray Hat Hacker is advanced, without it mentioning it in the title.

A final note. I’ve written my opinion on these books through my own personal experience with them. I’ve had people rave about a book I’ve hated. To give you a core set to work off I’d stick to the top 5 listed here to get a feel for it. In every case, consolidate your learning by using Vulnhub vulnerable VM’s and Damn Vulnerable Web App.

I hope it helps

Thanks

Posted in Education, Penetration Testing

OSCP – My journey

oscp-certs

It will take time, effort, blood, sweat and tears, but I WILL GET THERE!

It’s with great pleasure that I can say that on the 3rd March 2017, I passed my OSCP. Nope, it still hasn’t sunk in, no matter how many times I say it.

I guess, it’s been an up and down week since passing. I haven’t really had a chance to think about it. I spent so much of my life devoted to success in the labs, sitting several exams and doing extra work on top learning about Windows and Linux Privilege Escalation that I totally forgot to live a little bit and take stock of everything around me.

Fast forward to exam attempt number 4. 

By this point I’m staring down the barrel of a 6 week wait if I fail, and no direction whatsoever and no plan for the future, because lets face it, failing 4 times in a row is not good. The only plan would be to get back to the drawing board in the labs.

Exam Day…

I wasn’t nervous. I felt calm. I hadn’t looked at any hacking for 4 days before. I played my favourite game ‘The Forest’ killed some cannibal tribes and built a massive base, so I was relaxed. On the morning of the exam I lay about the house chilling. Did my normal routine for the day. I didn’t even think about the exam. I cleared my head.

Email comes in…

Kali is fired up. Connection pack downloaded. Particulars read and off I went into the darkness for 24 hours.

I had a 10am start UK time and by 10pm that night I had 80 points. I obviously can’t talk about any aspect of the exam. I had 4 out 5 roots and used the next few hours to makes sure everything worked the way it should. 2am came and I went to bed for a sleep. I woke at 9am and tried the last box but it was pointless by that point. I was already happy with my effort.

I submitted my report before 1pm and after double checking everything I sent it off. I tell you though, that must have been the longest wait for a reply ever. Gladly it came in a couple of days later and I had passed.

Yay!

Numb

I still feel a little numb after it all. I worked my socks off for that OSCP. It’s been the best part of my life for the last 6 months at least. Anyone following my progress (it was hard to miss) cheered me on many times and it’s been great encouragement. Now I don’t really know what I’m doing.

I do have a few ideas up my sleeve, and I very rarely leave myself empty handed with tasks to do. I’m currently creating my own CTF Vuln VM, that I’ll hopefully post on Vulnhub if they let me. I was so taken by it all that I want others to take up the challenge if they are willing. You need all the help you can get.

So who is it for?

I have my own reasons for doing OSCP. Sometimes I think to myself how silly it was to jump into it so fast, spend the amount of money I did, to sell everything I had to do it, and have no plan after it. Yeah well maybe so, however, for those of you how are wondering if you should?

Why not?

If it’s fear that holds you back, just stand up, shake it off and sign up. It’ll teach you more about yourself than you’ll care to imagine. It strikes a maturity in your approach to hacking. You are taught to pay special attention to the information you find, and through sheer repetition you are taught to forge command line parameters you’ll never forget.

It’s more than just a hacking course. You meet new people all on the same journey as you. There’s a great no spoiler mentality even among friends. I’ve had people ask me if I’ve popped a box in the labs, and in the same breath say “Don’t say a word, I want to own it myself”. Not that I could tell them if I wanted to. I wouldn’t want to steal their glory.

But I can’t learn from pages of notes

Neither could I. I hate learning from books. It’s boring. One thing PWK forged into me is learning by reading. To be honest? it’s the best lesson I’ve learned from it. Now I can apply that to anything and learn.

Anyone with a drive to learn and succeed in the InfoSec space can do OSCP. Yeah, it’s a bold statement and I’ve made it before, but it’s true. I’d advise anyone to do it given the time and determination.

Ok so what’s the real deal?

I’m not going to lie to you. Yes knowing some Python helps. Knowing how to read, spot mistakes and fix C files helps, and you better be spot on with enumeration. You’ll get no points for only using linux a few times and expecting to be a 1337 hax0r. Nope, not going to happen. What I will say is that you can be limited in these fields and still get it done. It just takes longer. Would you rather learn all that stuff now then go wit PWK? or waste lab time learning stuff you could learn now?

Work hard, try your best and don’t sit at your computer saying “Shit! I’m not good enough for this, I’m out”

I don’t work in security, I never have. I passed it. Yeah it’s absolutely the hardest thing I’ve ever did in my life, but my god it was the most rewarding. Some say it’s a beginner cert or the tip of the iceberg, and that may be true, but it’s a good tip to start off with.

Special thanks

I can’t put my success down to sitting in my room all alone and pwning the world. There have been people in my life that without their encouragement I probably would have given up a long time ago.

My wife: For putting up with my moods, me being broke and just being a rock star.

Andy Gill (aka ZephrFish): For buying me more lab time when I really needed it, and just giving me the kick up the ass I needed at the right time.

Paul Ritchie (aka cornerpirate): For constantly being a source of enthusiasm and encouragement throughout.

Cheers folks 🙂


 

So I guess it’s back to the review I was meant to write.

I hope by this point you’re all raring to go sign up for PWK and get started on your epic journey. No? Well I guess it’s up to you, however, it’s starting to get very popular so if you want a job in Penetration Testing you’d probably be better getting it sooner than later 🙂

As for me? Ermm I think I’ll keep that one to myself for now if you don’t mind.

At the moment I feel like a part of a big wheel. It’s kind of hard to get off, and I don’t want to.

Don’t let fear rule your life. Do something daring like I did. I work in IT fixing servers and laptop motherboards by day and by night I felt like Batman or something like that. It’s over now and I’ve got to chase the next thing. There’s no time to sit back, you press on and keep learning as much as you can. It does get easier and you may just surprise yourself.

Take care…

 

Posted in Penetration Testing, web app testing

XSS (Reflected) DVWA Med/High

In the last post I ‘tried’ to give an overview of how I understood Cross Site Scripting (XSS). There is still a lot more to learn, however, with the help of Damn Vulnerable Web App and being able to review the source PHP code, you can take bigger steps to understanding how to launch an attack and protect against it.

So for this post I’m going to tackle both medium and high security settings.

DVWA Security: Medium

enter_name
Figure 1 – Default operation of the Web app

It’s always a good idea to test the default state of any web application. The more you understand how something behaves, the more you can spot it’s weaknesses. Much like people. The more you get to know someone… you know the rest.

Anyway! In the medium setting the operation is still the same. You enter a name and it returns it. Only this time when we try our previous malicious payload the web application returns a different output.

testing_med
Figure 2 – Web application strips out the script tags

On review of the source PHP code it seems there is some sanitation going on.

med_source_php
Figure 3 – PHP code removes script tags from submitted data

From the outset it looks like the web developer has prepared well for the next attack. Changing the script tags to a space will prevent the site from executing the javascript code if we use the previously successful malicious URL.

The funny thing about computers is that they will do exactly what you tell them to do. The sanitisation is looking for the script tags in lowercase letters. Browsers aren’t too fussed about upper and lower case to we might get away with using uppercase?

med_script_payload
Figure 4 – Use of uppercase letters for the script tags

On execution the alert box does indeed pop up, bypassing the strict sanitation that was implemented.

xss_popped
Figure 5 – Successful execution of XSS on Medium security

In the real world it’s unlikely you’ll get to review the server side source code of a web application, however it’s worth trying this simple change out if your initial attempt is unsuccessful.

DVWA Security: High

The source PHP code suggests the web developer has taken extra measures to prevent us from running any script tagged malicious javascript code.

source_php
Figure 1 – Further sanitation of submitted inputs in PHP code

*Spent some time looking up regular expressions

And we’re back…

From the code and from testing this out first (remember testing!) Anytime we enter the full word ‘script’ surrounded by <> it gets replaced with just ‘>’. If we put spaces inbetween the letters like this, ‘s c r i p t’ it is also replaced by ‘>’ No matter what  we try, it always gets sanitised (even uppercase).

After playing around with a few things I landed on a method that doesn’t use the ‘script’ tags.

IMG SRC=’#’ onmouseover=”alert(‘xxs’)” (removing the <> so WordPress doesn’t sanitise my inputs)

omnouseover
Figure 2 – Our broken IMG tag that is likely to force the user to try and click on.

This creates a HTML anchor IMG Source point and whenever the mouse is hovered over it, it pops the alert box with the word ‘XSS’ in it. A successful execution of Reflected XSS on the High security setting, despite the strict sanitation of submitted inputs.

Personally I love the ‘onmouseover’ function, and try to use it where needed.

high-_popped
Figure 3 – Successful XSS execution using ‘onmouseover’ 

Completing the low, medium and high security settings on DVWA does teach you a lot. You need to step beyond just googling “XSS quick wins” and running them against a given security level or sanitisation (if you even get to that part). You really should check what is happening if your script is being sanitised. How can you change it and still execute the code?

Also, what works for one web application might not work everywhere.

Posted in Penetration Testing, web app testing

XSS (Reflected) DVWA

I was in two minds on whether to write this up as Cross Site Scripting (XSS) is such a massive subject and this really just touches the foundations, however, I’ll give it a go.

What is Reflected Cross Site Scripting (XSS)? (From the OWASP website)

Reflected Crosssite Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page.

Put simply, the attacker is able to send malicious javascript code to a victim via a crafted  link and on opening the the victim is met with whatever the javascript code was designed to do reflected to the screen. That, it seems, is in its simplest form. I will hopefully explain further below.

Damn Vulnerable Web App

An excellent resource for any new person training in web application security. On clicking the “XSS (Reflected)” link you will see this screen.

xss_low
Figure 1 – Default state of the XSS app

A simple question. What is your name? When a name is entered it will be displayed back to you on the web page.

enter_name
Figure 2 – Any data entered is displayed on the webpage

During testing, it seems that any data we enter is displayed back to us, and is contained in the core HTML code of the site.

html
Figure 3 – Entered data forms part of the web apps html code

If we look at the source PHP code for the app

source
Figure 3 – Source PHP code

The PHP code just uses the GET function to pull the entered ‘data’ and then display it back to the user. This could prove to be dangerous if there is no checking of the submitted data.

Executing XSS

The most common way to test for Cross Site Scripting is to try and pop an alert box to the screen by getting the browser to run your malicious javascript code. This can be done with a simple addition to the URL.

<scrIpt>alert(0);<scrIpt>

*Wordpress removes the script tags from the above code. See real URL below

url
Figure 4 – URL with malicious script added

When the link is executed by the victim, the screen should show a pop up alert with the number zero in it.

xss_popped
Figure 5 – A successful XSS attack

If the attacker sends the above link to anyone it would execute the javascript code unless something was done to prevent this attack. Looking at the PHP source code available to use, there doesn’t seem to be any checking of any kind and because the site is designed to display the entered data into the website again, the javascript code is executed.

html_popped
Figure 6 – Confirmation that the alert box script is a part of the sites code

The browser will execute the code it is given which results in the alert box pop up. There are many uses for this kind of attack. A more common attack is to steal a users session cookie while they are still logged in meaning the attacker can be logged in as that user simultaneously.

How can we protect against this?

DVWA has some added security settings (Medium & High) to show how to protect against this type of attack, however, you will see that this too can be circumvented to still display the pop up alert box. The alert box simply shows that the site is vulnerable to XSS. It shows the site managers that it is possible to run any javascript code in one HTTP request and have it reflect back to the user who is sent the link. This can be very damaging to end users.

The next post will delve a little deeper into how the Medium and High settings try to prevent this attack but we can still get around the measures put in place to stop the attack.

Posted in Penetration Testing, web app testing

DVWA – OS Command Injection low|med|high

I had a recent spell with OS Command Injection that left me feeling raw. Wish I could explain but sadly I can’t. I was glad to see there was some light relief in the form of Damn Vulnerable Web App. OS Command Injection all set up ready and waiting to play with.

I do remember about 6 months ago looking at DVWA Command Injection and embarrassingly not being able to do it. To be fair, I didn’t make any effort to look it up or review the source code. I hadn’t come across it. This industry has a funny way of showing you things you sidelined.

Security Level: Low

DVWA comes out of the box set to ‘Impossible’ security. Yeah ok, let’s get it changed.

low_security
Figure 1 – Low security setting in DVWA

On entering the Command Injection link on DVWA you are given the option to ping a device. For this purposes of speed, I just pinged localhost.

ping_input
Figure 2 – Ping a network device

Entering the localhost IP into the box returns what you might expect.

127.0.0.1

ping_initial
Figure 3 – Result from pinging localhost

In the bottom right of the screen you have the option reviewing the source PHP code of the web application.

low_source
Figure 4 – Source PHP code of the web app on ‘low’

On reviewing the code the web app on the ‘low’ setting;

  • Takes in the requesting IP and passes it to the variable ‘$target’
  • Determines the OS type
  • Executes a direct command on the Operating System using PHP Shell_Exec

There is no sanitisation of any inputs given to the web application. It performs a direct command to the OS via shell_exec.

Given that in any environment you can chain commands together using certain operators it’s worth a try in this instance.

command_low
Figure 5 – Chaining of commands using the ‘AND’ operator in Linux

Chaining commands works as it would in a linux terminal. A successful output of /etc/passwd to the web page.

How did this happen?

The web developer didn’t write any protection measures in place to prevent users from chaining commands together. Due to the direct nature of the way this web app passes commands to the OS, the OS will run anything it is given. The web app is designed to display what is displayed back in the terminal so to speak.

Security Level: Medium

Remember to set the security to ‘Medium’ before trying the next part.

medium
Figure 1 – Security set to Medium

There’s an assumption that the security of the web application will be tighter so it’s worth reviewing the source code before running a previously successful command.

source_medium
Figure 2 – Medium setting PHP source code

Right away there is some differences to the code. Essentially the same as the ‘low’ setting in the way it handles the variables and passes them to the OS.

  • Takes a variable and passes it to ‘$target’
  • Creates an array of blacklisted characters for checking in a ‘$substitutions’ variable
  • Passes the command to the OS using shell_exec removing any blacklisted characters.

The developer has only blacklisted 2 operators. Both ‘&&’ and ‘;’ do similar things. You can read about operators and their functions here

There are several other operators you can use to chain commands together in Linux.

The web application only looks for 2. You can pipe commands together too, as I have done here.

command_medium
Figure 3 – The use of a pipe to chain commands together

Why did this work?

The web developer did not fully sanitise all possible operators. The OS did not ping ‘127.0.0.1’ but instead ran our command ‘cat /etc/passwd’ instead. I’ll no doubt investigate why it did this, but for now it’s good that it returned what I needed.

Security Level: High

This is where it gets interesting. First off, let’s set the security level to High.

high
Figure 1 – Security level set to High

On reviewing the source PHP code the developer has taken our advice about tightening the security and has placed all known operators in their blacklist. This could prove difficult.

php_source
Figure 2 – All available operators have been added to the blacklist variable

For now it seems that there is no way of chaining commands under these new rules.

On the bottom line the developer has blacklisted the double pipe operator ‘||’ the OR statement. In linux this character is called a metacharacter. It is not constrained by spaces on either side. The web application is strictly looking for ‘||’ with no spaces. Once this condition is true the operator will be blacklisted.

In my example inserting spaces between the pipes escapes any checks from the source code.

127.0.0.1|  |cat /etc/passwd

command
Figure 3 – Successful command execution on High

How did this work?

Technically this should not work as it errors on a linux terminal, however, when playing around on the web app it worked everytime. I’m not happy with the discrepancies here so further investigation is needed I think, however, for the purposes of running OS Command Injection on High within DVWA it was a good exercise.

I think I’ve learned a good number of things I do wish I knew before. Working through the problem, reviewing the source code and following the code is really useful. If you can explain to yourself how the simple web app works, then you can bypass it’s security more easily.

Impossible setting?

Erm, I have reviewed the source code. This is what I know so far

  • Splits up the IP address into octets
  • Checks that it’s been passed an integer (a number)
  • Merges the IP address before running the command.

I’m sure I’ll get to that one day. There’s a ton of other things to learn 🙂

Thanks for reading…

Posted in Thoughts, Uncategorized

What I would do differently – PWK

training

Giving back to the InfoSec community is something I’ve always strived towards. Other professionals have always had time for me and it’s only right that if I can, I would relay my experiences to other people.

Penetration Testing with Kali Linux

Some may know that I took up this monumental challenge around 200 days ago. I say monumental because I was a lost lamb with limited knowledge of Pen Testing before I enrolled in PWK.

Like many, I had such a fear of the course. I read so many stories, reviews and some scare mongering from various online resources. I’m a “into the deep end” type of guy and I needed something to focus on. PWK was that focus. It wasn’t plain sailing at the start so to help ease the stress or preconceived ideas about PWK that would otherwise put you off, I’ve put together a few things to help you out.

I’ll break it down into parts.

  • Kali Tips
  • Lab Tips
  • Reporting
  • If you get stuck

This is based on my own experience of what I would do differently, having been on the course for 200 days ( I know, I’m a slow burner at times). Your experience may differ.

Kali Tips

  • Create directories for each target. Dump all exploit scripts, enumeration files and anything related to that target in that directory.
  • Use symbolic names for your exploit code or document it in your notes. For example, 3456.c doesn’t mean anything at a glance. Months later you’ll come across it in your file system and if you didn’t document it’s use or change its name it is useless to you.
  • Create a directory for your ‘fixed’ exploits. Find your own way of doing this. You could use CVE numbers, exploit name or anything that you can call on later. Remember to document any change made to the code and name of the file.
  • Work on your speed of execution and how you can utilise your hardware to execute a task faster. For example, using more threads while using Dirbuster.
  • Don’t be foolish and neglect the use of Metasploit. It’s an amazing tool, and can build confidence.

Lab Tips

  • Don’t jump into the labs instantly if you are new. Read the course materials and watch the videos. The information is extremely useful.
  • Revert each machine before you enumerate it.
  • If a machine was reverted in the last few hours, someone may be working on it. Be kind, and move on.
  • Check the forums for the machine in question to see if it requires frequent reverts.
  • Run the fullest enumeration scan possible, full TCP scan, and UDP scan
  • DO NOT shy away from anything in the labs. Despite any rumours you may have heard about certain targets, try your hand at everything to have a better shot at the challenge.

Reporting

  • Read G0tmilks tutorial on Alpha on the forums. It gives a great insight on how to report. Also this can give a great entry point and feel for how it’s done.
  • Read through the Offsec dummy report –> https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
  • Use the Reporting template from Offsec. It’s a good baseline. No point in reinventing the wheel.
  • I will add that using something like Keepnote is essential. Even more important to that step is keeping good notes. If you don’t, you will have nothing to report. Remember, you will need to explain these steps to someone who can follow them exactly as you did.

If you get stuck

  • Offsec Forums are fantastic for tips
  • Offsec chat function has been really helpful for me at times. Cleverly delivered tips that sometimes show you an answer without even giving you a hint. Great resource.
  • There’s the IRC channel too. Personally I never used it.
  • Refer to the course materials, and videos.

Summary

I could likely add more into this post as time goes on. No matter what stage you are at, you are always learning. Despite me failing the exam challenge twice and rooting 30 of the lab machines, I still have a lot to learn from PWK. The learning never stops. Enjoy the time you have in the labs. It’s an amazing experience.

Posted in Penetration Testing, Thoughts

Good enough?

nature-sky-sunset-man

Writing gives me space to offload things that could be swirling around in my mind. Almost like a program caught in RAM, this blog serves as a Task Manager to clean out any unwanted processes in my head.

One particular annoyance lately, has been an echoing thought of meeting the grade. I have thrown myself into the lions den so to speak, or in a less aggressive manner, thrown myself into the deep end. Training in OSCP has been a challenge, and I feel that with 23 boxes rooted, it’s a modest number for someone who didn’t know anything about hacking only 12 months ago.

OSCP can have you living in a protected bubble. It can lure you into a false sense of security. It’s not a criticism of the course or certification, but merely an observation. You can become so captivated by the lab environment that you lose track of everything else around you. There are other aspects to Penetration Testing, however, your mind is focussed on the task of hacking lab machines. This is great for learning, however, when you speak to other professionals, it can leave you feeling distant if the conversation isn’t about OSCP.

Do you belong here?

I ask myself this question quite regularly. I see amazing things happen on a daily basis in the industry. That’s just from the people I follow on Twitter. Am I putting enough effort in to expand my knowledge past that of the OSCP? Where else should I turn for information?

OSCP hasn’t been a walk in the park for me. It’s often classed as an entry level certification in Penetration Testing. Entry level? Really? I’ll either need to put overtime in or readdress my goals. Don’t be fooled by the notion that this is an entry level certification if you are new to Penetration Testing. I can understand why they say it’s entry level, because it’s such a vast space, however, entry level doesn’t mean easy.

False sense of security

Finding your flow in OSCP can take some time. There is a lot of material to go through and when you start hacking the labs it can be a slow and frustrating process. Once you get more confident with identifying vulnerable services and exploits related to those services, you slowly and surely start believing in your ability. If for some reason you get ahead of yourself, there are some machines in the lab that can bring you back down to earth. This constant fluctuation in feelings can be unnerving at times. One day you’re full of confidence, and other days you just feel like a fake.  Training yourself to look past failure and turn it into success can take some time. The lab teaches you more about yourself than the vulnerabilities you uncover.

So what now?

I’ve broken past the point where training in Penetration Testing is a hobby for me. It’s not a matter of whether I’d like to do this as a career. It will be my career at some point. I love the art of enumeration and the craft of transparently learning everything about your target. There is always room for improvement. OSCP helps engineer your mind into learning. It’s not there to teach you how to hack. It’s function is to show people that you have the ability to learn and apply complex procedures in practice. How that translates to real world testing remains to be seen. Not everything in the world is vulnerable.

Ready, Set, GO!

I was fearful of moving away from my job in IT because of the job security. I knew my bubble and it was safe, but now I feel more confident that I can learn anything. That’s what OSCP teaches you. Work hard, learn, work harder, learn and apply in practice with confidence. It’s a genius concept once it sinks in.

You can do anything in life. Set goals, and if you want it bad enough it will fall into place.