with SamuraiWTF
Justin Searle
Managing Partner UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
Copyright 2012, 2013 Justin Searle!
www.utilisec.com!
CC Attribution-ShareAlike
Course Contributors
Course Author
- Justin Searle - justin@utilisec.com - @meeas
Course Contributors
- Raul Siles - raul@dinosec.com - @dinosec
- Kevin Johnson - kevin@secureideas.net - @secureideas
- Tim Tomes - tim@blackhillsinfosec.com - @lanmaster53
Course Sponsors
- UtiliSec - http://www.utilisec.com
- Secure Ideas L.L.C. - http://www.secureideas.net
- DinoSec S.L. - http://www.dinsosec.com
Course Outline
- Introduction to SamuraiWTF
- Testing Methodology
- Mapping Applications
- Discovering Vulnerabilities
- Exploiting Vulnerabilities
- Student Challenge
- Appendix Materials (time permitting)
SamuraiWTF
- Live testing environment as a bootable DVD
- Based on Ubuntu Linux
- Over 100 tools, extensions, and scripts, including: recon-ng, w3af, BeEF, Burp Suite, OWASP ZAP, Rat Proxy, DirBuster, CeWL, Sqlmap, Maltego CE, WebScarab, Nmap, Nikto, Metasploit
SamuraiWTF 2.0
Project URLs
Main project page: http://www.samurai-wtf.org
Walkthrough of SamuraiWTF
- Logging in and using sudo/kdesudo/gtksudo
- Username: samurai
- Password: samurai
- http://whatisthesamuraipassword.com
Testing Methodology
Types of Tests
Black Box Testing (Penetration Testing)
- Little to no information is provided about the target
- Testing techniques start with looking for specific vulnerability signs but quickly move into unscripted exploration, trial and error
- Testing focuses on manipulating inputs and evaluating responses
- A form of reverse engineering of exposed functionality
Formal Methodology
A simple methodology:
- Recon: Gathering information from external sources about your target
- Mapping: Learning about the target app from a user's AND a developer's perspective
- Discovery: Learning the app from an attacker's perspective
- Exploitation: Attempting to measure the true risk of discovered vulnerabilities
(Diagram: Recon -> Mapping -> Discovery -> Exploitation, cycling back to Recon)
Samurai Dojo-Basic
Author: Justin Searle
Site: (currently only available on SamuraiWTF 2.x)
Purpose: A PHP/MySQL web application that implements the OWASP Top 10 vulnerabilities. This project was forked from the 1.x branch of Adrian "Irongeek" Crenshaw's Mutillidae
Accessing: http://dojo-basic
Features:
- Basic web app designed for first-time web pen-testers
- Easy to find and exploit vulnerabilities
- Includes learning hints
- Mapped to OWASP Top 10
Discovery Tools: Nikto, DirBuster, Raft, ZAP Scanner, w3af, iMacro, CeWL, ZAP Fuzzer, ZAP TokenGen, Burpsuite Sequencer, User Agent Switcher
Exploitation Tools: Cookies Manager+, sqlmap, Laudanum, BeEF
Reconnaissance
Gathering information from external sources about your target
The most under-utilized step
Reconnaissance
- Recon is one of the most under-utilized steps
- Findings here allow you to start building assumptions to test
- Provides key information needed for later steps
  - Selection and verification (most important) of targets
  - Information about technologies used and configurations
  - Lists of users, employees, and organization info
  - Password reset information and contact information
  - Trust relationships to exploit (friends and managers)
  - Even occasionally find code snippets with vulnerabilities and authentication information
Reconnaissance Tasks
- Whois Queries
- DNS Interrogation
- Search Engine Digging
- Social Network Harvesting
(Diagram: Reconnaissance -> Discovery)
Examples to try:
    whois secureideas.net
    whois 66.135.50.185
    whois "kevin johnson" (should fail, why?)
    whois -h whois.arin.net "kevin johnson"
DNS Interrogation
Common tools:
- host (default on Linux and Macs)
- dig (default on Linux and Macs)
- nslookup (default on everything)
Forward lookups:
    host www.samurai-wtf.org
    dig www.samurai-wtf.org
    nslookup www.samurai-wtf.org
Reverse lookups:
    host 66.135.50.185
    dig -x 66.135.50.185
    nslookup 66.135.50.185
Examples to try:
    fierce -dns secureideas.net
    fierce -dns meeas.com
    fierce -dns utilisec.com
Examples:
intitle:"Index+of..etc" passwd
intitle:admin intitle:login
intitle:index.of.private
intitle:"ColdFusion Administrator Login"
filetype:asmx OR filetype:jws
inurl:asmx?wsdl OR inurl:jws?wsdl
Social Networks
Precursor to Social Networks
- Usenet (Google Groups Deja News acquisition)
- Mailing lists
- Web Forums
Caveats
- Disclosure of customer data
- Active vs. Passive recon
- Not all data is free.
Recon-ng
Author: Tim (LaNMaSteR53) Tomes
Site: http://recon-ng.com
Purpose: Completely modular reconnaissance framework. Automates full-scope open source reconnaissance. One-stop shop for recon.
Language: Python
Recon-ng Notes:
- Modular
- Data driven
- Similar to Metasploit
- Well documented
- Analytic limitations
Using Recon-ng
- Basic Recon-ng interface and usage
- Major Recon-ng features
  - Harvesting contacts
  - Harvesting creds
  - Harvesting hosts
  - PushPin integration
  - Creating reports
Mapping
Learning about the target app from the user's perspective ...
... AND the developer's perspective
Mapping Tasks
- Identify Technologies
- Functional Analysis
- Request/Response Baseline
(Diagram: Recon -> Mapping -> Discovery)
Nmap
Author: Fyodor (Gordon Lyon) and many more
Site: http://nmap.org
Purpose: Premier TCP/IP host and port scanning tool. Also provides excellent OS fingerprinting, service fingerprinting, and the Nmap Scripting Engine (NSE) which provides advanced and customizable functionality
Language: C/C++ (Lua for NSE scripts)
Syntax:
    nmap [options] <target>
    sudo nmap [options] <target>
Nmap Basics
    nmap 127.42.84.0/29
        Port scans top 1000 TCP ports.
    nmap -sP 127.42.84.0-7
        Ping sweep 8 localhost addresses (actually does an ARP, ICMP, then TCP 80)
    nmap -p 80,443 127.42.84.0/29
        Port scans TCP ports 80 & 443
    sudo nmap -A 127.42.84.0/29
        Port scans top 1000 TCP ports, fingerprints OS and services, then runs NSE scripts
    sudo nmap -A -p- localhost
        Port scans all 65535 TCP ports, fingerprints them, and runs NSE scripts
    sudo nmap -sU 127.42.84.0/29
        Port scans top 1000 UDP ports
    sudo nmap -sU -p- localhost
        Port scans all 65535 UDP ports. Find more ports?
    sudo nmap -sU -p- -A localhost
        Port scans all 65535 UDP ports, fingerprints them, and runs some NSE scripts.
WARNING: Service scanning UDP ports on the Internet can be VERY slow
Nmap Optimization
- Finding the right balance between speed and false negatives
- Tune your options on a subset of IPs (first /24 of 127.42.0.0/16)
    sudo nmap -p 80,443 127.42.0.0/24
    sudo nmap -n -PN -p 80,443 -T5 127.42.0.0/24
    sudo nmap -n -PN -p 80,443 -T5 --max-retries 0 127.42.0.0/24
    sudo nmap -n -PN -p 80,443 --max-rtt-timeout 100 --min-rtt-timeout 25 --initial-rtt-timeout 50 --max-retries 0 127.42.0.0/24
    sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096 --max-retries 0 127.42.0.0/24
- Now we have a finely tuned scan, let's run it on the full /16 subnet
    sudo nmap -n -PN -p 80,443 --min-rate 10000 --min-hostgroup 4096 --max-retries 0 -oN /tmp/AllIPs-WebPorts -v --reason 127.42.0.0/16
Zenmap
Author: Adriano Monteiro Marques and nmap project
Site: http://nmap.org/zenmap
Purpose: Graphical nmap interface to make it easier for beginners, provide basic analysis capabilities, facilitate rescans, display network topologies, and compare scans
Language: C/C++
Samurai Notes: Since many scans require root, Zenmap when started from the menu on SamuraiWTF runs as root. To run it as a normal user, run "zenmap" from the command prompt
Zenmap Topology
Firefox
Author: Mozilla Foundation
Site: http://www.mozilla.org
Purpose: A full featured, cross platform web browser. Now includes a mobile version for your smartphone
Language: C++
Notable Features: Extensions (add-ons)!!!
Caveats: still thinking
Useful Pentester Trick: Open a second Firefox process and profile:
    firefox -P -no-remote
Error Console
Determine if your browser is properly rendering the page
Wappalyzer
Author: Elbert F
Site: http://wappalyzer.com
Purpose: Identifies various software components and technologies used on websites.
Language: Firefox add-on
Features:
- Fingerprint OS, webserver, web frameworks, and server-side programming language
- Reports tracking
Interception Proxies
- Testing tools that "Man-in-the-Middle" your own traffic
- Provide a historic record of all interactions with the application
- Provide ability to intercept and modify requests
- Provide additional tools to manipulate and interact with the application
- Provide a single location to track all of your notes and findings
FoxyProxy
Exercise: Check all options/proxies & create a new local proxy
E.g. ZAP = localhost:8081
Firebug
Language: Java
Notable Features:
Samurai Notes: Interception has been disabled by default in SamuraiWTF. To re-enable, go to the Proxy Options tab, under "intercept client requests", enable the check box next to "intercept if:" (by default, interception of server responses is disabled too)
(Diagram: FireFox, Burp, ZAP)
Vulnerability Discovery
Discovery Tasks
- Client-Side Code
- Denial of Service
- Session Management
- Code Injection
- Business Logic
- Default Configuration
- Authentication
- Authorization
(Diagram: Mapping -> Discovery -> Exploitation)
Nikto
Author: Sullo
Site: http://cirt.net/nikto2
Purpose: A web server scanner that fingerprints, correlates to known vulnerabilities, and looks for known malicious or potentially dangerous files/CGIs
Language: Perl
Syntax:
    nikto -host <target>
Nikto Exercise
- Use nikto to scan dojo-basic
- Review the results and visit the "interesting" pages
DirBuster
Author: OWASP Project
Site: www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Purpose: Brute force of web directories and files
Language: Java
Pros:
- Very quick for what it does
- Has one of the most exhaustive lists (big crawler on tons of websites), however they are highly inefficient
Caveats:
- Scans can take a VERY long time if you use recursion
- Can overwhelm servers (connections and log disk storage)
Raft
Author: Raft Team
Site: http://code.google.com/p/raft
Purpose: A suite of tools that utilize common shared elements to make testing and analysis easier. The tool (framework) provides visibility into areas that other tools do not, such as various client side storage
Language: Python
Features: Some of the best wordlists and newest word lists for unlinked files and directories
Caveat: Project is only semi-active and hasn't had a stable release yet
w3af
Author: Andres Riancho and many others
Site: w3af.sourceforge.net
Purpose: One of the most feature rich open source web auditing tools for both automated and semi-automated
Phases: Mapping, discovery, and exploitation
Language: Python
Notable Features:
- Choice of GUI and CLI interfaces
- Very scriptable to re-audit apps
- Includes most python based web auditing tools
Using w3af
- Choosing the plugins to test with
- Using the webspider plugin for basic spidering
- Using the spiderman plugin to get around authentication and blacklisting issues
- Reading the results
- Using our "5 minutes / 5 attempts" rule to try w3af's exploitation features
Manual Discovery
- Automated tools can only test inputs that they can find
- Do very well finding injection flaws
- Some inputs must be manually tested if the automated tools can't be trained to find them (think MVC architectures and web services)
iMacro
Author: iOpus
Site: http://www.iopus.com/imacros/firefox/
Purpose: Record, edit, and script macros in Firefox for automated functionality
Language: Firefox add-on
Features:
- Record your actions and edit them later
- Use looping and variables to further customize
- Pull datasets from external sources (CSV, DBs, ...)
- Wrap macros in scripts for advanced functions
Testing Authentication
- Does the application authenticate users?
- How do you login, logout, and change your password?
- Can you reset or recover an account?
- Are all of these functions protected by encryption?
- Does the application reveal if a username is valid or not?
- Does the application provide user lockout?
- Can you guess any of the passwords?
CeWL
Author: DigiNinja (Robin Wood)
Site: http://www.digininja.org/projects/cewl.php
Purpose: A wordlist generator which collects words by spidering websites
Language: Ruby
Features: Custom dicts are very useful
Syntax:
    cewl [options] <target>
CeWL Exercise
Review the CeWL options:
- -d: depth
- -w: write to (dictionary) file
- -e: e-mail addresses
- -a: metadata
Fuzzing Logins
- Use ZAP Fuzzer to fuzz the login password for "admin"
- Use the list generated by CeWL
- Adjust ZAP Fuzzer's thread options
- Use response file size to find the successful fuzz attempt
- Use ZAP's search feature to find the successful fuzz attempt
ZAP TokenGen
- Clear all cookies in your browser
- Visit the home page of Dojo-Basic
- Find that request in ZAP History
- Verify the request was made without cookies and its response has a Set-Cookie for "sessionid"
- Right click the request in history and "Generate Tokens..."
- Review results to verify that the session is truly random (yes, it is)
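Added example, not from the course or from ZAP: a Python 3 script that applies the kind of checks a TokenGen report summarises (fixed format, per-position entropy, sequential values) to a set of session IDs. Both token sets are constructed here, not captured from Dojo-Basic.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: SEQUENTIAL_IDS increment by one, so only the last
# hex digits ever change; HASH_LIKE_IDS are SHA-256 prefixes of a counter,
# which behave like random hex for this analysis.
SEQUENTIAL_IDS = ["%032x" % (0x5a3f00 + i) for i in range(40)]
HASH_LIKE_IDS = [hashlib.sha256(("constructed-%d" % i).encode()).hexdigest()[:32]
                 for i in range(40)]


def consistent_format(tokens):
    """True if every token has the same length and is plain lowercase hex."""
    lengths = {len(t) for t in tokens}
    alphabet = set("".join(tokens))
    return len(lengths) == 1 and alphabet <= set("0123456789abcdef")


def positional_entropy_bits(tokens):
    """Sum of the Shannon entropy observed at each character position, in bits.

    A position that never changes contributes 0; each position of a 32-char
    hex token can contribute at most 4 bits, so 128 is the ceiling here.
    """
    total = 0.0
    n = float(len(tokens))
    for pos in range(min(len(t) for t in tokens)):
        counts = Counter(t[pos] for t in tokens)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_sequential(tokens, max_step=2 ** 16):
    """True if successive tokens, read as integers, differ by a small amount."""
    values = [int(t, 16) for t in tokens]
    return all(abs(b - a) <= max_step for a, b in zip(values, values[1:]))


def assess(tokens, min_bits=64):
    """Verdict for one sample of session IDs; 'random' is False once a weakness shows."""
    bits = positional_entropy_bits(tokens)
    sequential = looks_sequential(tokens)
    return {
        "consistent_format": consistent_format(tokens),
        "entropy_bits": round(bits, 2),
        "sequential": sequential,
        "random": bits >= min_bits and not sequential,
    }


if __name__ == "__main__":
    print("sequential IDs:", assess(SEQUENTIAL_IDS))
    print("hash-like IDs: ", assess(HASH_LIKE_IDS))
```

Forty samples is enough to catch the sequential case; judging a good generator needs far more tokens than this, which is why TokenGen collects hundreds.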
Testing Authorization
- Is post-authentication data or functionality available to unauthenticated users?
- Can you manually make requests of privileged functionality or access privileged data while logged in as a user that should not have access to it?
- Can users access data from other users that they should not be able to access?
- JavaScript / AJAX
- Flash
- Java Applets
- Silverlight
Dojo-Basic Exploitation
Exploitation Tasks
- Prioritize Attempts
- Exploitation
- Post Exploitation
(Diagram: Discovery -> Exploitation -> Recon)
Step 4: Exploitation
- Verifying identified vulnerabilities by attacking and exploiting them
- Go after the data or functionality that real attackers would go after
- Successful exploitation is a stepping stone and should open up a new round of mapping and discovery
Exploitation Examples
- Downloading the contents of a database
- Uploading a malicious web page
- Gaining shell on the server
- Making a target server send data to a remote host
- Pivoting from the DMZ to the internal network
- Leveraging a target user's browser to scan the internal network
- Exploiting target users' browser vulnerabilities
Cookies Manager+
Author: V@no
Site: addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
Purpose: Add and edit session and persistent cookies, plus all their properties
Language: Firefox add-on
Features:
- Cookie settings take priority over internal cookies
- Cookie search filters
Session Hijacking
- Use Cookies Manager+ to log into predictable session IDs
- Use ZAP to intercept a request for one of your users
- Use ZAP's Encode/Decode/Hash tool to generate a base64 of another user's UID number
- Replace your user's UID cookie with the newly generated UID
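Added example, not Dojo-Basic's code: Python 3 showing why a cookie that is only base64(UID), as the exercise above describes, can be re-pointed at any user, beside an HMAC-signed form that rejects the same change. SERVER_KEY and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed key for the example; a real server generates and protects its own.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def weak_uid_cookie(uid):
    """Dojo-Basic style cookie: nothing but base64 of the UID, no secret involved."""
    return base64.b64encode(str(uid).encode()).decode()


def weak_uid_from_cookie(cookie):
    """Server side of the weak scheme: it trusts whatever UID decodes."""
    return int(base64.b64decode(cookie))


def signed_uid_cookie(uid, key=SERVER_KEY):
    """Hardened form: base64(uid) plus an HMAC-SHA256 tag over the raw uid bytes."""
    body = str(uid).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + tag


def verify_signed_cookie(cookie, key=SERVER_KEY):
    """Return the UID if the tag matches, else None; any tampering fails closed."""
    try:
        b64, tag = cookie.split(".", 1)
        body = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        uid = int(body)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        return None
    return uid


def tamper_test(original_uid, target_uid):
    """Re-point a cookie issued for original_uid at target_uid under both schemes.

    The weak scheme accepts the re-encoded UID; the signed scheme rejects it
    because the tag was computed over the original UID's bytes.
    """
    weak_cookie = weak_uid_cookie(target_uid)
    tag = signed_uid_cookie(original_uid).split(".", 1)[1]
    tampered = base64.b64encode(str(target_uid).encode()).decode() + "." + tag
    return {"weak_accepts": weak_uid_from_cookie(weak_cookie) == target_uid,
            "signed_accepts": verify_signed_cookie(tampered) is not None}


if __name__ == "__main__":
    print(tamper_test(original_uid=1, target_uid=2))
```

Even the signed form still carries the UID in the clear; the usual design is a random, opaque session ID kept server-side, which is what the TokenGen exercise checks for.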
SQLMap
Author: Bernardo Damele A. G. (inquis)
Site: http://sqlmap.sourceforge.net
Purpose: An automated SQL injection tool that both detects and exploits SQL injection flaws on MySQL, Oracle, PostgreSQL, and MS SQL Server
Language: Python
Features: Check the help (-h)
Syntax:
    sqlmap -u <target> [options]
SQLMap Exercise
- Review the options for sqlmap (-h)
- Run sqlmap on the SQL flaw to verify it can see it (discovery)
- Use sqlmap to exploit the SQL flaw
  - Enumeration commands: --fingerprint, --dbs, --tables, --columns, --count
  - Pinning commands: -D {database}, -T {table}
  - Dumping tables: --dump
  - OS interaction
Laudanum
Authors: Kevin Johnson & Justin Searle
Site: laudanum.secureideas.net
Purpose: a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found, and are in multiple languages for different environments
Phases: exploitation
Languages: asp, aspx, cfm, jsp, php
Notable Features:
- Security: Authentication & IP address restrictions
- Payloads: dns, file, header, proxy, shell
RFI Exercise
- Configure a Laudanum PHP shell with the appropriate username and IP
- Copy the new file to your /var/www directory
- Use the RFI vulnerability map to have the dojo-basic application retrieve and execute your code (you should have found an RFI flaw during your code injection testing)
BeEF
Author: Wade Alcorn and others
Site: http://beefproject.com
Purpose: A PHP (or Ruby) web-based interface for command and control of XSS-ed zombie browsers including several exploits and modules
Language: PHP or Ruby
Samurai Notes: You can start BeEF from the main menu or you can just run "beef" from any command prompt. However, make sure you use the <CTRL><C> keys to stop it before closing the terminal window. If you forget, you'll have to do a "killall ruby" to stop BeEF
BeEF Exercise
- Start beef from the main menu and leave that new terminal window open
- Accessing the control panel (user/pass is beef/beef): http://localhost:3000/ui/panel
- TunnelingProxy (localhost:6789)
  - Become the victim user on the web-app
  - Burp Suite & sqlmap & (same domain)
- XssRays
- Metasploit integration
Student Challenge
Samurai Dojo Scavenger
A dojo (道場, dōjō) is a Japanese term which literally means "place of the way". Initially, dōjō were adjunct to temples. The term can refer to a formal training place for any of the Japanese do arts but typically it is considered the formal gathering place for students of any Japanese martial arts style to conduct training, examinations and other related encounters. -- Wikipedia
Student Challenge
You can find the challenge at: http://dojo-scavenger
Bonus points: How were the keys generated? Can you calculate what the 21st key would be?
STOP!!!
STOP NOW!!
I'm not joking this time!
So I lied about the next page containing the answer.
It's really the NEXT page.
(Full Disclosure: I needed a second stop page because printed versions of these slides
have two slides showing per page...)
Key 01 = a1d0c6e83f027327d8461063f4ac58a6
    in TRACE file in web root (/TRACE)
Key 02 = 68d30a9594728bc39aa24be94b319d21
    in apache config file for Dojo-Scavenger: /etc/apache2/sites-available/dojo-scavenger
Key 03 = 069059b7ef840f0c74a814ec9237b6ec
    used as your session variable 10% of the time
Key 04 = 006f52e9102a8d3be2fe5614f42ba989
    html comment on index.php
Key 06 = 03c6b06952c750899bb03d998e631860
    GET parameter in /admin/index.php form submit
Key 07 = 6883966fd8f918a4aa29be29d2c386
    default text for comment field on contactus.php (it is at the bottom of the field, so scroll down)
Key 08 = 6855456e2fe46a9d49d3d3af4f57443d
    hidden field on support.php
Key 09 = 8bf1211fd4b7b94528899de0a43b93
    new HTTP method obtained using the SAMPLE method
Key 11 = 51d92be1c60d1db1d2e5e7a07da55b26
    in a file called "key11" in the unlinked directory crack
Key 12 = b337e84de8752b27eda3a12363109e80
    DNS entry in a zone transfer
Key 13 = ed265bc903a5a097f61d3ec064d96d2e
    hidden in database, use a sql injection exploit to find
Key 14 = daca41214b39c5dc66674d09081940f0
    response to logging into partner user account "key"
Key 16 = 2dea61eed4bceec564a00115c4d21334
    allowed domain in crossdomain.xml
Key 17 = d14220ee66aeec73c49038385428ec4c
    new HTTP header response value in all responses
Key 18 = 2823f4797102ce1a1aec05359cc16dd9
    default directory in web root
Key 19 = 9e3cfc48eccf81a0d57663e129aef3cb
    brute force password abc123 on /admin/index.php
Next Steps
- We will all continue to learn ...
- A few things will help us down that path
  - Continue exploring the tools
  - Build a test lab
  - Teach others
  - Join projects
Web Services
Web Services
Author: SmartBear
Site: http://www.soapui.org
Purpose: an open source tool that allows you to easily and rapidly create and execute automated functional, regression, compliance, and load tests for web services
Language: Java
Features:
- One of the best tools for parsing WSDLs and creating test cases for each request
- Supports both SOAP and REST web services
Current SamuraiWTF has a broken menu item for SoapUI; start it this way:
    usr/local/SmartBear/soapUI-4.5.2/bin/soapui.sh
    curl http://dojo-basic
    curl -O http://dojo-basic/index.php
    curl --user-agent "qualys" http://dojo-basic
    curl -d "user=admin" http://dojo-basic
    curl -fO http://localhost/icons/[a-z][a-z].gif
    curl -X OPTIONS -v http://dojo-scavenger
    curl -X SAMPLE -v http://dojo-scavenger
Creating a number sequence
Why Python
Python Shell
- Using an interactive python shell
  - type python on your command line
  - type python commands; they execute when you hit enter
urllib2 / httplib
Using httplib
    import httplib                                          # the library
    connection = httplib.HTTPConnection("secureideas.net")  # create a connection object (domain only)
    connection.request("TRACE", "/index.html")              # network request made here
    response = connection.getresponse()                     # extract response
    payload = response.read()                               # extract payload
    print(payload)
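Added example, not from the course: Python 3 (http.client, the successor of the Python 2 httplib used above) that asks a server which methods it advertises via OPTIONS and confirms whether TRACE really echoes the request, which is the check behind the curl -X OPTIONS and TRACE requests in the appendix. The loopback test server and its Allow list are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that leaves TRACE switched on."""
    ALLOW = "GET, HEAD, POST, OPTIONS, TRACE"

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        # A TRACE-enabled server echoes the request line back in the body.
        body = ("%s %s %s\r\n" % (self.command, self.path, self.request_version)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_test_server():
    """Bind the stand-in server to a free loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), _MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def allowed_methods(host, port, path="/"):
    """Return the set of methods the server advertises for path in its Allow header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or ""
    finally:
        conn.close()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def trace_enabled(host, port, path="/"):
    """True only if TRACE gets a 200 and the body echoes the request line."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return resp.status == 200 and body.startswith(b"TRACE ")


def check_methods(host, port):
    """Advertised methods, whether TRACE actually works, and the ones worth reviewing."""
    methods = allowed_methods(host, port)
    return {"allow": methods,
            "trace_works": trace_enabled(host, port),
            "review": sorted(methods & {"TRACE", "PUT", "DELETE", "CONNECT"})}


if __name__ == "__main__":
    srv = start_test_server()
    host, port = srv.server_address
    print(check_methods(host, port))
    srv.shutdown()
    srv.server_close()
```

An Allow header is only a claim; trace_enabled shows why the advertised list should be confirmed with a real request before it goes into a finding.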
Using urllib2
    import urllib2                                        # the library that does the magic
    request = urllib2.Request('http://www.utilisec.com')  # don't forget the http://; this doesn't make the request, it simply packages it
    response = urllib2.urlopen(request)                   # this sends the request and catches the response
    payload = response.read()                             # extracts the response payload
    print(payload)
POST Requests
    import urllib2, urllib
    url = 'http://whois.arin.net/ui/query.do'
    data = {'flushCache': 'false',          # add your POST data to a dictionary
            'queryinput': '198.60.22.2'}
    data = urllib.urlencode(data)           # then urlencode your data (don't forget to import urllib)
    request = urllib2.Request(url, data)    # if you provide urllib2 with request data, it will assume a POST
    response = urllib2.urlopen(request)
    payload = response.read()
    print(payload)
Writing to a File
    import urllib2
    request = urllib2.Request('http://www.utilisec.com')
    response = urllib2.urlopen(request)
    payload = response.read()
    with open('index.html', 'wb') as file:   # open a file in write and binary modes (use r for read)
        file.write(payload)                  # write the response payload to the file
    # (to read files, use file.read to read the whole file or file.readline in a loop)
Filtering Responses
    import urllib2, re
    request = urllib2.Request('http://inguardians.com/info')
    response = urllib2.urlopen(request)
    payload = response.read()
    regex = r'<dt class="title">(.*)</dt>'   # build your regex using a raw string, grouping the desired text
    results = re.findall(regex, payload)     # search the payload for all instances of your regex
    for result in results:                   # loop through your results, printing them
        print(result)
Basic Authentication
    import urllib2
    url = 'http://browserspy.dk/password-ok.php'
    username = 'test'                                           # set up needed variables
    password = 'test'
    password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()    # set up a password manager
    password_mgr.add_password(None, url, username, password)    # add passwords
    authhandler = urllib2.HTTPBasicAuthHandler(password_mgr)    # connect handler
    opener = urllib2.build_opener(authhandler)                  # build and install so all requests
    urllib2.install_opener(opener)                              # automatically use the password manager
    response = urllib2.urlopen(url)
    payload = response.read()
    print(payload)
pyCIT
Python Commandline Interface Templates
http://code.google.com/p/pycit
- a collection of templates for creating command line tools
- great tool for beginners to show how to do the basics
- saves advanced users time by providing the basics plus more
pyCIT Templates
Completed Templates
- Basic file read/write access
- Single-threaded http requests (basic wget/curl functions)
Templates in Progress
- Multi-threaded http requests (basic wget/curl functions)
Planned Templates
- Binary file read/write access with hex decode (basic xxd/hexdump functions)
- Raw socket client and service (basic netcat functions)
- Raw usb device access
- Interactive CLI interface
Upcoming Classes
Upcoming Samurai-WTF courses: Check upcoming BlackHat, OWASP, Nullcon, BruCON, RootedCON, NCSC security conferences
Justin Searle
Managing Partner - UtiliSec
justin@meeas.com // justin@utilisec.com
+1 801 784 2052
@meeas