Web Application Pen-testing Tutorials With Mutillidae
When I started the Mutillidae project it was with the intention of using it as a teaching tool and making easy to understand video demos. Truth be told, I never did as much with it as I intended. However, after Jeremy Druin (@webpwnized) took over the development it really took off. I have since come to find out he has been doing A LOT of YouTube video tutorials with Mutillidae, which he said I could share here. I will be copying his descriptions with slight editing and embedding his videos below:
Index:
Explanation Of HTTPonly Cookies In Presence Of Cross Site Scripting
Demonstration Of Frame Busting Javascript And X-Frame Options Header
Basics Of Web Request And Response Interception Using Burp Suite
Automate SQL Injection Using SQLMap To Dump Credit Cards Table
Command Injection To Dump Files Start Services Disable Firewall
How To Exploit Local File Inclusion Vulnerability Using Burp Suite
HTML Injection To Popup Fake Login Form And Capture Credentials
Two Methods To Steal Session Tokens Using Cross Site Scripting
Basics Of Using SQL Injection To Read Files From Operating System
Basics Of Injecting Cross Site Script Into HTML Onclick Event
Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb
How To Import Nessus Scans Into Metasploit Community Edition
Basics Of Exploiting Vulnerabilities With Metasploit Community Edition
Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin
Quick Start Overview Of Useful Pen-Testing Addons For Firefox
Injecting Cross Site Script Into Logging Pages Via Cookie Injection
Manual Directory Browsing To Reveal Mutillidae Easter Egg File
Creating Reports And Metasploit Db Importable Reports With Nmap Xml Output
Mutillidae How To Use Dradis To Organize Nmap And Nessus Scan Results
Finding Comments And File Metadata Using Multiple Techniques
Using Hydra To Brute Force Web Forms Based Authentication Over Http
Connect To Unreachable Web Site Through Meterpreter Port Forwarding
Using Metasploit Hashdump Post Exploit Module Creds Table And John
Using Metasploit Community Edition To Determine Exploit For Vulnerability
How To Install Metasploitable 2 With Mutillidae On Virtual Box
How To Exploit Metasploitable 2 With Nmap Nexpose Nessus Metasploit
Introduction to Installing, Configuring, and Using Burp-Suite Proxy
Determine Http Methods Using Netcat
Using Mutillidae as a target, we look at discovering the HTTP methods offered by a web server during the discovery phase. First we use netcat to send the HTTP OPTIONS request, then use W3AF to automate this process.
Determine Server Banners Using Netcat Nikto And W3af
Using Mutillidae as the target, this video looks at 3 ways to find web server banner information, which may reveal the web server type and version along with the application server type and version. We use netcat, nikto, and w3af.
Bypass Authentication Using SQL Injection
Using Mutillidae as a target, we look at bypassing authentication using SQL injection with the only tools being Firefox with the Firebug add-on. In later videos we can use Burp-Suite to make this easier. Mutillidae is a free web application that has vulnerabilities added on purpose to act as a training environment for security enthusiasts.
This video is an overview of the different settings in Mutillidae plus a look at the menu items. The security levels, hints, database reset, and basic menu layout are covered.
Bypass Authentication Via Authentication Token Manipulation
In this video we bypass authentication by manipulating session authentication tokens found in cookies. The cookies are found and modified using the Cookie Manager+ add-on for Firefox. Mutillidae is a web application with a series of vulnerabilities added on purpose to allow security enthusiasts, pen testers, and students to practice attacking a web application.
Explanation Of Httponly Cookies In Presence Of Cross Site Scripting
Using Mutillidae, we look at the effect HTTPOnly cookies have when a page is infected with a cross site script. The demonstration is primarily targeted at developers who wish to understand better why it is a good idea to set cookies with the HTTPOnly flag. A better solution would be to have all cookies be HTTPOnly unless the developer overrides.
Closer Look At Cache Control And Pragma No Cache Headers
Using Mutillidae, we look at cache-control headers for HTTP 1.0 and HTTP 1.1.
Demonstration Of Frame Busting Javascript And X-Frame Options Header
Using Mutillidae, we contrast JavaScript frame busting code and the X-FRAME-OPTIONS header. The two methods are compared on a site being framed. The site is framed inside of an iframe tag and the two methods prevent the site from appearing in the iframe. These two methods are useful in helping with cross site framing and click-jacking.
How To Install And Configure Burp Suite With Firefox
This video discusses installing and configuring Burp Suite. Download Burp Suite from http://portswigger.net/burp/download.HTML. Unzip the downloaded file and place Burp Suite into a folder. In this video, Burp is placed onto a WinXP machine in the Program Files directory. Create a shortcut for Burp. Configure Firefox to use Burp as the web proxy so that traffic flows through Burp Suite.
Basics Of Web Request And Response Interception Using Burp Suite
Using Mutillidae as a target, we look at intercepting web requests and server responses using the interception proxy in Burp Suite. This allows us to alter the requests before letting the requests proceed to the server. Burp-Suite is available at portswigger.net.
Brute Force Authentication Using Burp Intruder
Using Mutillidae as a target, we brute force the authentication. The tool that attempts brute forcing is Burp Suite Intruder set to "Cluster Bomb" mode. In this short demo, we harvest usernames from the site itself on the "View Blog" page. We try some sample passwords for demo purposes. We note how to load much longer password lists from files downloaded with FuzzDB.
Automate SQL Injection Using SQLMap To Dump Credit Cards Table
In this video, we use SQLMap 1.0 from a Backtrack 5 machine against the Mutillidae view-blog-entries.php page. We automate the attack and make setting up SQLmap easier by taking a request from Burp Suite and feeding it to SQLmap through the -r (request) parameter. We find the names of the databases, then the tables, and finally dump the credit-cards table.
Command Injection To Dump Files Start Services Disable Firewall
Using a vulnerable page in the Mutillidae web application, we use command injection to list directories on the server's operating system. After gaining access to web source code files and listing contents, we list the Windows services running, start the telnet service, then disable the server firewall to give us access to the telnet service.
How To Exploit Local File Inclusion Vulnerability Using Burp Suite
Using a defect in the text file viewer page, we show how to read arbitrary files from the web server including the source code. We read files from the Windows operating system using a directory traversal attack combined with the local file include vulnerability.
HTML Injection To Popup Fake Login Form And Capture Credentials
Using the add to your blog page in Mutillidae as a target, we inject HTML. The HTML gets progressively better until it looks basically like a login form that is floating over the screen. We set up a capture page to capture any credentials typed into the login form. The capture page already exists in Mutillidae and is ready for demos. Mutillidae is a web application with vulnerabilities added on purpose to allow pen testers and security enthusiasts to practice.
Two Methods To Steal Session Tokens Using Cross Site Scripting
This video covers using cross-site scripting to steal session cookies on the add-to-your-blog.php page in Mutillidae. A basic cross-site script is executed to show the page is vulnerable, then a script to redirect the user to a capture page. Since the redirection is noisy and relatively obvious to the user, we use an XHR (XML HTTP Request) based script to quietly force the user to browse to the capture page in the background while the main page continues to operate normally. Mutillidae is a free, easy to install web application that has vulnerabilities placed on pages to allow security enthusiasts to test.
How To Bypass Maxlength Restrictions On HTML Input Fields
Using the Mutillidae Login page as a target, we review 3 methods to bypass HTML maxlength restrictions on the page. HTML input fields sometimes contain maxlength restrictions and visible length restrictions. These are trivially bypassed using a variety of techniques. The few covered in this video use Firebug, Tamper Data, and Burp-Suite respectively.
Two Methods To Bypass Javascript Validation
Using the Mutillidae login page with level 1 security, we look at two methods to bypass JavaScript validation. One method is disabling JavaScript, but this has consequences for pages which use JavaScript to help render the page correctly. After viewing these limitations, we use Burp-Suite to allow the page to render normally while still having control of the HTTP requests and responses.
Three Methods For Viewing Http Request And Response Headers
Using Mutillidae in security level 0 and security level 5, we look at different methods to view HTTP headers. The cache control headers are used in this video as examples. Mutillidae will not use cache control in level 0 but shows the headers in level 5. We use two Firefox add ons, plus Burp Suite.
Basics Of SQL Injection Timing Attacks
Using the Mutillidae login page, we use Burp-Suite Repeater to look at a basic example of an SQL Injection timing attack. Because Mutillidae uses a MySQL server database, we use the SLEEP command sent in via a UNION statement to cause the web application response time to vary.
Basics Of SQL Injection Using Union
Using Mutillidae, we methodically find the number of columns needed to use a UNION SQL Injection and also determine which columns in the web page's query are output onto the resulting web page when a query successfully executes. UNION can be used to extract data but only if the number of columns matches and the datatypes are compatible.
Basics Of Inserting Data With SQL Injection
In this video, inserted data is changed by an SQL injection. While not particularly practical in this context, the demonstration shows when insert SQL injection can be used to change data and when it cannot. The general method for performing an SQL Injection insert is shown as well.
Inject Root Web Shell Backdoor Via SQL Injection
Using somewhat advanced SQL injection, we inject a new PHP file into the web root of the PHP server using an SQL injection vulnerability in Mutillidae. The injection is a command shell written in PHP that gives root access to the operating system.
Basics Of Using SQL Injection To Read Files From Operating System
Expanding on the UNION SQL Injection discussed in previous videos, we use SQL injection to read files from the operating system. One of the files read is the MySQL error log which contains a great number of items used in reconnaissance of the system. Reading files with SQL injection is somewhat advanced but can be practiced easily using Mutillidae.
How To Locate The Easter Egg File Using Command Injection
Mutillidae has a very large Easter Egg file containing scripts, injections, hacks, and tests used to check the pages over the years. As the developer tests new hacks, the file gets the new scripts added. The file contains SQL injection, command injection, XSS, and other vulnerability exploits. One way to get this file is to use command injection which is the method used in this demonstration.
Injecting Cross Site Script Into Stylesheet Context
In this video we look at injecting cross site script into the stylesheet context. The example comes from the set-background color page in Mutillidae. The example is trivial but the point is that cross site scripting can occur in any context. Developers need to encode all output even when the output is not occurring in the standard HTML context.
Introduction To Http Parameter Pollution
This video introduces HTTP parameter pollution using the user-poll page in Mutillidae. HTTP Parameter Pollution can occur when multiple parameters with the same name but different values are submitted to the application. Depending on the application server type, the parameter used may be the first, second, or a combination of the two. HTTP Parameter Pollution can be used to submit "half" values and have the server recombine them later.
Basics Of Injecting Cross Site Script Into HTML Onclick Event
This video demonstrates injecting cross site scripts into HTML events. The example requires a prefix to close off an existing JavaScript statement in the onclick event targeted. Any script injected into the HTML event will be executed when the user clicks the BACK button on the page.
Basics Of Finding Reflected Cross Site Scripting
This video demonstrates the most basic case of injecting cross site scripts into HTML pages. The example does not require any prefixes, suffixes, or other special characters to be injected. Any script injected into the HTML will be reflected back to the user and executed. For those wishing to see cross site scripting for the first time, this video is a good place to start.
Analyze Session Token Randomness Using Burp Suite Sequencer
Using the Burp Suite Sequencer application, we capture a series of session tokens from the Mutillidae PHP application server, then analyze them using the Burp Suite Sequencer analysis functionality. The beginning of the video covers the basics of how session tokens are passed to the web browser and how to coax the web server to send multiple tokens.
Using Nmap To Fingerprint Http Servers And Web Applications
In this video nmap is used to locate machines with web servers running, then more advanced nmap options are used to fingerprint the web server. The output generated by nmap is sent to an XML file and a stylesheet is used to format the output into a presentable report.
Spidering Web Applications With Burp Suite
Using Burp Suite Spider, we find the target site and set it as the "scope" in Burp Suite. We then tell Burp Suite to spider the site by following the links in the site. We also look at the interactive form helper in Burp Spider. Burp records the pages in the site.
Basics Of Burp Suite Targets Tab And Scope Settings
Most of the functionality in Burp Suite revolves around the "targets" tab. This basic tab lacks the "sexy" of the other tabs used to perform testing, but the targets tab has several useful features such as setting scope and filtering. This video looks at the features in the targets tab more closely.
Using Burp Intruder Sniper To Fuzz Parameters
This video is a basic demo of using the Burp Suite Intruder feature. The video shows the simplest case: fuzzing one field in sniper mode in order to examine the resulting responses more quickly. In this video SQL injection vulnerabilities are located by fuzzing an input field and noting that some responses are different when certain characters are sent into the parameters.
Brute Force Page Names Using Burp Intruder Sniper
This video demonstrates using Burp-Suite Intruder in sniper mode to fuzz page names in Mutillidae in order to discover pages that are not in the menu. The pages are generally hidden and are not linked from other pages. By sending in guesses, some of the secret pages are located. The secret pages are just an Easter Egg that dumps the server configuration to the browser.
Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb
Burp Intruder has several modes of operation. This video compares the sniper, battering ram, pitchfork, and cluster bomb modes against a login page. The context is brute forcing the login page comparing each of the modes. Using the different modes of the intruder is under-utilized in web pen testing. The modes can be very useful to reduce pen tester workload in various situations.
Demo Usage Of Burp Suite Comparer Tool
This video demonstrates using the Burp Suite comparer tool to compare two web responses returned by the web server during a brute force login attempt. The comparer tool is an under-used tool that can help web pen-testers be more productive. The application is Mutillidae, which is a free, open source web application designed with vulnerabilities to allow pen testers, students, and security enthusiasts to practice.
Import Custom Nmap Scans Into Metasploit Community Edition
Nmap allows a large amount of customization when performing network scans including output to XML files. Nmap scans can be performed then imported into the Metasploit Community Edition (available at Rapid7). This video shows an nmap scan intended to locate web servers and identify basic information about the web server and web application. When the scan is done, the results are imported into Metasploit.
Using Metasploit Community Edition To Locate Web Servers
This video shows Metasploit Community Edition being used to run an Nmap scan on a Virtual Box network in order to discover hosts. Metasploit Community is available from Rapid7.
XSS DNS Lookup Page Bypassing Javascript Validation
In security level 1, Mutillidae uses JavaScript validation on many pages. Although the dns-recon.php page is intended to give a target to try operating system command injection, the page also contains a cross site scripting flaw. In security level 1, we bypass the javascript validation and locate the flaw in the page. Once found we exploit the flaw with a trivial popup box to show the vulnerability.
Use Burp Suite Sequencer To Compare Csrf Token Strengths
Using burp sequencer we compare the predictability (strength) of the cross site request forgery tokens used in Mutillidae on the add-to-your-blog.php page. The page uses very strong tokens in security level 5, but security level 1 uses non-random tokens. Burp-Sequencer shows the randomness as the number of bits of entropy.
How To Remove PHP Errors After Installing On Windows Xampp
Do errors show at the top of the page after installing Mutillidae on XAMPP? This video reviews post-installation of Mutillidae on Windows XP or Windows 7. After installing on some versions of XAMPP, Mutillidae will show errors at the top of the screen. These are warnings about the OWASP ESAPI library. On the front page of Mutillidae are detailed instructions about these errors. This video follows through those instructions to get rid of the PHP errors by altering the PHP.ini file parameter "error_reporting".
Quickstart Guide To Installing On Windows With Xampp
This video is a basic primer on installing Mutillidae on Windows using the XAMPP installation of Apache and MySQL. XAMPP makes installing Mutillidae as easy as possible. The only easier way is to install Mutillidae on Samurai WTF because it comes preinstalled and only needs to be updated.
Basics Of Running Nessus Scan On Backtrack 5 R1
Using a fully patched Windows XP machine running the latest version of XAMPP (Apache 2.2) as a target, we look at the basics of setting up a Nessus scan. The scan is unauthenticated so this simulates using Nessus to scan a "blackbox" target. The Mutillidae web application is running on the Windows XP box and the Windows firewall is deliberately open on port 80. This gives a service for Nessus to show some results.
How To Import Nessus Scans Into Metasploit Community Edition
A previous video on the Mutillidae YouTube Channel discussed setting up and running Nessus scans on Backtrack 5 R2. This video covers importing the completed Nessus scan into Metasploit Community Edition.
Basics Of Exploiting Vulnerabilities With Metasploit Community Edition
This video covers the basics of launching exploits from Metasploit Community Edition. The exploits were discovered in a previous step both with Nexpose and Nessus. In the case of Nessus the results were exported as a .Nessus file then imported into Metasploit Community Edition. This video picks up right after the vulnerabilities are discovered and imported.
Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin
Using Mutillidae as the target, we look at identifying fields which are output into web logs, then sending a cross site script into the web log in order to capture the cookie of anyone that views the logs. In this example, the username field of the login screen is identified as a target because Mutillidae logs all login attempts.
Quick Start Overview Of Useful Pen-Testing Addons For Firefox
This is a quick overview of using addons in the Firefox browser to aid in web pen testing. Only a few of the top add-ons are reviewed but the concepts apply to any add-on. Putting icons for the add-ons into the Firefox menu bar is covered as well. The add-ons can be found on addons.mozilla.org in a collection named "Web Developers Quality Assurance Pack". Search the "Collections" for this title.
Three Methods For Viewing Javascript Include Files
Developers often include external JavaScript files to use in projects. It may be useful to read this code for various reasons, but it will not appear directly on the web page source. Using Mutillidae as an example target, this video looks at a few ways to view JavaScript which is included in files instead of being written into the HTML page source.
Reading Hidden Values From HTML5 Dom Storage
This video covers reading values from the HTML5 DOM storage. Developers may store items on the browser assuming they are difficult to read. Using Firefox and Firebug (among other techniques) these values can be read.
How To Execute Javascript On The Urlbar In Modern Browsers
A user or pen-tester can execute JavaScript on any web page but this became more difficult after Firefox 6. The URL bar no longer allows execution of JavaScript. The about:config allows the URL bar to be reactivated, but there are other options. In this video, we use Firebug add-on for Firefox to provide a JavaScript command line suitable for pen-testing.
Adding Values To Dom Storage Using Cross Site Scripting
This video explores adding values to DOM storage (also known as HTML5 storage and web storage). In the first example, we add a new value to the local DOM storage in our own browser. This would be used to inject a value into a web application via DOM storage. This type of injection is similar to any other except the vector. Pen-testers regularly inject form fields, cookies, and URL query parameters but may neglect to inject DOM storage.
Alter Values In HTML5 Web Storage Using Cross Site Script
This video reviews altering HTML 5 Web Storage. After a brief explanation, the HTML 5 Web Storage of our own browser is altered. This might be done to change authorization tokens or other values. Then cross site scripting is used to alter values in another user's HTML 5 Web Storage.
Altering HTML 5 Web Storage Values Using Persistent XSS
Using a stored cross-site script aka persistent XSS aka second-order XSS, we alter the values in the HTML 5 web storage of any user that visits the infected page. In security level 0, Mutillidae fails to encode output making it vulnerable to cross site scripting. If the site is placed into security level 5, it will properly encode output rendering the scripts harmless.
Altering HTML 5 Web Storage With A Reflected XSS
Using a reflected cross-site script aka first-order XSS, we alter the values in the HTML 5 web storage of any user that visits the infected page. In security level 0, Mutillidae fails to encode output making it vulnerable to cross site scripting. If the site is placed into security level 5, it will properly encode output rendering the scripts harmless.
Generate Cross Site Scripts With Sql Injection
This video discusses an advanced SQL injection technique. The SQL injection is used to generate cross site scripting. This is useful when cross site scripts cannot be injected into a webpage from a client because web application firewalls or other scanners are in place. When an SQL injection can be snuck past the WAF, it is possible to have the SQL injection generate the Cross Site Script dynamically.
Injecting Cross Site Script Into Logging Pages Via Cookie Injection
By setting the values of browser cookies, then purposely browsing to a web page that logs the value of user cookies, it may be possible to inject cross site scripts into the log files or the log data table of the web site. Later, when the logs are reviewed by administrators, the cross site scripts may execute in the administrator's browser. The video uses the Mutillidae capture data pages as an example. In Mutillidae one of the capture the flag events is to poison the attacker's browser by purposely exposing the attacker to a cross site script. This can be done by infecting a cookie then "letting" the attacker trick you into visiting the capture data page.
Manual Directory Browsing To Reveal Mutillidae Easter Egg File
This video looks at manual testing for directory browsing misconfiguration vulnerabilities in Mutillidae. For directory browsing brute forcing, OWASP DiRBuster or Burp-Suite Intruder are great tools. However, Mutillidae gives away some of its directory paths when serving PDF and other files. These can be tested manually to reveal the Mutillidae Easter egg file. Also common directory names like "include" and "includes" can be tried quickly just using a browser before firing up the tools.
How To Upgrade To Nessus 5 On Backtrack 5 R2
This video looks at upgrading Nessus 4 to Nessus 5. The operating system used in the video is Backtrack 5 R2. Nessus 4 was successfully registered and running on this OS prior to attempting to upgrade to Nessus 5. If a fresh Nessus install is needed, the process is different.
Creating Reports And Metasploit Db Importable Reports With Nmap Xml Output
Nmap reporting is excellent with the XML option but this is not used in a lot of cases. The XML output from nmap can be imported into other tools such as the Metasploit Community Edition (Import button), metasploit DB, and other tools. Also, the XML format can be opened in a web browser to produce a well-formatted report suitable for attachment to a pen-test.
How To Use Dradis To Organize Nmap And Nessus Scan Results
The latest version of Dradis (2.9) has excellent import speed compared to version 2.7. This video looks at using the import features of Dradis to organize the scan results from an nmap scan and a Nessus 5 scan. Dradis is a tool that allows pen testers, auditors, and vulnerability assessors to organize their work by server or other categories. Dradis starts a web server through which other team members can share information as well.
Finding Comments And File Metadata Using Multiple Techniques
This video has two related parts. The first part discusses finding the comments in Mutillidae related to the "comments challenge". This is an easy challenge in Mutillidae but the techniques can be extended to search entire sites for comments. The second part of the video looks at finding metadata in general using a variety of tools.
The tools used are Firefox "View Source", W3AF, grep, wget, Burp Suite, exiftool and strings. The demo site used is Mutillidae, which is a free open-source fully functional PHP site with a MySQL database. The site runs on localhost or it can be run in a virtual network as a practice target or capture the flag target. It is not a good idea to run Mutillidae publicly because it will get hacked. Mutillidae is available at Sourceforge and Irongeek.com. Along with the project are several documents and an installation guide for Windows 7.
Detailed Look At Linux Traceroute
This video takes a detailed look at the traceroute program in Linux. The newer traceroute is used (version 2.0.18). The later versions have the ability to send packets of different protocols (i.e. TCP) to the target. This feature was previously found in the LFT (Layer Four Traceroute) tool but not found in the Linux traceroute. While LFT still is more feature-rich than the traceroute built into Linux, the new features in Linux traceroute make the tool very useful and quite capable. It helps to understand how the traceroute tool forms the packets, to what ports the packets are sent, and what protocols can be used to send the packets. This information can be used to get traceroute commands to work through firewalls and HIPS systems when ICMP and/or UDP and/or most TCP ports are blocked.
Introduction To TCPDump Network Sniffer
This video is an introduction to the tcpdump network packet sniffer/capture tool. The video is relatively long because the demo used required "building up" to the HTTP capture. The video only covers the basics but is meant to be a good introduction to practical use of tcpdump.
Basics Of Using The Maltego Reconnaissance Graphing Tool
This video looks at using Maltego to both gather and organize information in a customer pen-test. Maltego is a GUI-based tool for Linux which is included in the Backtrack 5 R2 release. The tool is able to gather information from public sources on entities. The Community Edition (used in this video) is free. There is a paid-version with more features. The site used in this video is irongeek.com and was used with written permission from the owner. If following along, please use a domain for which you have permission.
Mutillidae Creating Syn Port Scan Manually With Scapy
This video covers creating a port scan by building the packets manually with Scapy. Scapy makes packet crafting relatively easy given the extensive control the operator has over the construction of the packets. Nearly any attribute of the packets can be carefully crafted by the user and responses to sent packets can be captured for examination.
In the video, an IP packet is crafted and set aside to be used repeatedly. A TCP packet is created for port 80 on the target, which is known to be open. The packet is sent and the port is confirmed open. To test a closed port, the TCP packet is set to port 81, which is a port thought to be closed. The packet is sent and the port status is confirmed. Users new to scapy, tcpdump, and nmap will receive brief tutorials in the video on getting started.
Contrast Nmap And Amap Service Version Detection Scanning
This video compares the service version detection abilities of nmap and amap. To start, a host discovery and port scan is performed with nmap. The results are saved to a file. This file is fed to Amap and service detection is done. Later, the nmap scan is done again but with the -sV option, which tells nmap to perform a service version scan once the host discovery and port scan are complete.
Users new to amap and nmap will be shown how to operate the tools in the video.
Using Hydra To Brute Force Web Forms Based Authentication Over Http
This video covers using nmap to ping sweep the network, then discover ports on two machines to locate a web server on which Mutillidae is running. Once the web server is running, the site is loaded into Firefox and the login page is located. Using View-Source, Burp-Suite, and the site's registration, the login process is studied. Potential usernames are gathered from using Reconnoitter, CeWL, and the site's own blog page. A password file from john the ripper is used. With the potential usernames and passwords in hand, hydra is used in http-post-form mode to search for a username and password which can log into the site.
Connect To Unreachable Web Site Through Meterpreter Port Forwarding
This video covers accessing a web site that is normally unreachable from our Backtrack 5 box. However, after gaining a session on a third box, we forward our web browser through the compromised host in order to browse the website. The port forwarding is done via a meterpreter session on the compromised host. After setting up the port forward, the browser is able to use the compromised host as a relay (almost like a web proxy) in order to browse to the "internal" web application.
Using Metasploit Hashdump Post Exploit Module Creds Table And John
This video shows how to have the hashdump post exploitation
module automatically populate the creds table in the Metasploit database, then
export the credentials to a file suitable to pass to the John the Ripper tool in
order to audit the passwords.
Using Metasploit Community Edition To Determine Exploit For Vulnerability
In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in msfconsole in order to have Metasploit guess the best exploits for a given vulnerability. This video looks at alternative functionality for the deprecated "db_autopwn -t -x" option of older versions of Metasploit's msfconsole. Metasploit Community Edition has similar exploit analysis functionality accessible via the web based GUI.
Gaining Administrative Shell Access Via Command Injection
Using command injection against the Mutillidae web application, we gain a root shell (Administrative Windows cmd shell). The server is fully patched with anti-virus running and a firewall blocking port 23. Additionally the telnet service is disabled. With the command injection vulnerability, this video demonstrates how misconfiguring web services can have serious consequences for security. Additionally we review how to remediate command injection vulnerabilities and discuss some of the defects which expose the server to compromise.
How To Install Metasploitable 2 With Mutillidae On Virtual Box
This video covers installing Rapid7's Metasploitable 2.0 with Mutillidae on a Virtual Box Host Only network. In addition to reviewing how to install Metasploitable 2 on Virtual Box, the configuration of the virtual network card is shown so that the Mutillidae web application running on Metasploitable 2 can be accessed from a separate Backtrack 5 virtual machine running on the same Host Only network.
Using Command Injection To Gain Remote Desktop On Windows
Using command injection, remote desktop access (RDP) is gained
to a Windows web server. The web server is configured with a firewall protecting
the RDP port. Also the RDP service is not running and disabled. Registry
settings are set to keep RDP's underlying service (Terminal Services) from
running. Additionally, there are no users in the Remote Desktop Users group. By
exploiting a command injection vulnerability, the terminal services are enabled
and started, the registry is altered, the firewall is opened, a user is added
(root), and the user is placed in the Remote Desktop Users group. Once the
exploit is complete, grdesktop from Backtrack is used to remote into the Windows
box over an RDP terminal.
The video discusses the defect and configuration mistakes which allowed the
exploit to take place.
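The two command injection videos above end with remediation. As an added illustration (example code written for this page, not Mutillidae's own PHP), here is the defect in its smallest form and the hardened version beside it: a "ping this host" feature that either pastes user input into a shell command line or validates the input against an allow-list and executes without a shell. The feature, the hostname rule and the sample inputs are all constructed.

```python
import ipaddress
import re
import subprocess

# Constructed example of a "ping this host" feature, the shape of defect the
# videos above exploit. Neither function below is Mutillidae's own code.

def build_ping_command_vulnerable(host):
    """Vulnerable form: user input is pasted into a command line for a shell.

    Anything the shell treats specially in `host` (";", "&&", "|", backticks,
    "$(...)") is executed with the web server's privileges.
    """
    return "ping -c 1 " + host  # the string a shell_exec()/os.system() call would receive

# Allow-list for DNS hostnames: labels of letters, digits and hyphens that do
# not start or end with a hyphen, joined by dots.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_host(host):
    """Accept only an IP address or a plain hostname; reject everything else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(host) is not None

def build_ping_argv(host):
    """Hardened form: validate, then build an argv list that never touches a shell.

    The allow-list also rejects a leading "-", so the value cannot be read as
    an option to ping.
    """
    if not is_valid_host(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "1", host]

def run_ping(host, timeout=5):
    """Execute the hardened command; shell=False is subprocess.run's default."""
    result = subprocess.run(build_ping_argv(host), capture_output=True,
                            text=True, timeout=timeout)
    return result.returncode, result.stdout

def looks_like_injection(value):
    """Logging/alerting helper: flag request parameters carrying shell metacharacters."""
    return any(ch in value for ch in ";|&`$<>\n\r")

if __name__ == "__main__":
    print(build_ping_command_vulnerable("192.168.56.102; id"))  # shell would run both
    print(build_ping_argv("192.168.56.102"))                    # single argv entry
    print(looks_like_injection("192.168.56.102; id"))           # True
```

The fix is the combination: an allow-list that describes what a host looks like (rather than a deny-list of bad characters) and an argv list handed to `subprocess.run` without a shell. `looks_like_injection` is not a defence; it is the kind of check that belongs in request logging so attempts show up in the web logs.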
How To Exploit Metasploitable 2 With Nmap Nexpose Nessus Metasploit
This video tutorial covers exploiting Metasploitable-2 to get a root shell
and eventually a terminal via a valid "sudo-able" login over SSH.
Two machines; a test host (Backtrack 5-R2) and a target host (Metasploitable-2)
are set up on a VirtualBox host-only network. With this lab network set up, the
demonstration walks through a practice pen-test using the phases of recon,
scanning, exploitation, post-exploitation, and maintaining access. (Covering
tracks and reporting are not covered. Recon is assumed because Virtual Box runs
a default DHCP server on the 192.168.56/24 network). A video tutorial on
installing Metasploitable-2 on VirtualBox can be found at
https://community.rapid7.com/message/4137#4137.
Initially, nmap is used to locate the Metasploitable-2 machine on the Virtual
Box host only network. In the video the Metasploitable-2 host is running at
192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. Additionally, open
ports are enumerated with nmap along with the services running. The nmap default NSE
scripts provide additional information on the services and help nmap discover
the precise version. Some features of nmap are reviewed and an nmap XML report
is generated. This report is viewed in Firefox and imported into Metasploit via
msfconsole and using the Metasploit Community Edition web interface which has the
functionality of db_import built-in. nmap is run a second time with different
options to show how to focus the information in the reports on open services.
With the services listed and versions discovered, it is possible to begin
locating vulnerabilities for services. To make this step easier, both Nessus and
Rapid7 NexPose scanners are used to locate potential vulnerabilities for each
service. Eventually an exploit suitable for the outdated samba services running
on Metasploitable-2 is chosen and metasploit msfconsole is used to configure the
samba-usermap exploit. The cmd/unix/bind_netcat payload is selected and sent to
Metasploitable-2 via the samba-usermap exploit. A remote root shell is gained.
For post exploitation, the shell is used to gather the usernames and passwords
for Metasploitable-2 which are copied back to the testing machine and cracked
with john-the-ripper. The two files are "unshadowed" using JTR unshadow and then
cracked with JTR MD5 module. The passwords are stored in the JTR pot file for
retrieval.
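The walkthrough leans on the nmap XML report twice: once to import it into Metasploit with db_import, and once with different options to focus the report on open services. As an added example (written for this page; it is not nmap's, Metasploit's or the video's code), the script below does that second step by hand, pulling only the open ports and their detected versions out of an nmap -oX file with the standard library. The XML embedded in it is a constructed sample in nmap's format; the addresses, ports and version strings are sample values, not output captured from the video.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output in the shape of a scan of the lab target. The
# hosts, ports and versions are sample values, not captured from the video.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.102">
  <host>
    <status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
      </port>
      <port protocol="tcp" portid="81">
        <state state="closed"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_open_services(xml_text):
    """Return one record per open port on each host that nmap reported as up."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts that did not answer
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for this view
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return records

def summarize(records):
    """One line per open service, e.g. '192.168.56.102:80/tcp http Apache httpd 2.2.8'."""
    lines = []
    for r in records:
        banner = " ".join(v for v in (r["product"], r["version"]) if v)
        line = "%s:%d/%s %s %s" % (r["host"], r["port"], r["proto"],
                                   r["service"] or "?", banner)
        lines.append(line.rstrip())
    return lines

if __name__ == "__main__":
    for line in summarize(parse_open_services(SAMPLE_NMAP_XML)):
        print(line)
```

Run it against a real report by reading the -oX file into `parse_open_services`. Keeping the version strings next to the ports is the point: that list is what gets checked against Nessus and NexPose findings in the next step of the walkthrough.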
Setting User Agent String And Browser Information
Introduction to user-agent switching: This video uses the Firefox add-on "User-Agent Switcher" to modify several settings in the browser that are transmitted in the user agent string inside HTTP requests. Some web applications will show different content depending on the user agent setting making alteration of the settings useful in web pen testing.
Walkthrough Of CBC Bit Flipping Attack With Solution
This video shows a solution to the view-user-privilege-level page in Mutillidae. Before viewing, review how XOR works and, more importantly, that XOR is commutative and self-inverse (if A xor B = C then it must be true that A xor C = B and also that B xor C = A). The attack in the video takes advantage of the fact that the attacker knows the IV (initialization vector) and the plaintext (user ID). It works by flipping each byte in the IV to see what effect is produced on the plaintext (user ID). When the correct byte is located, the ciphertext for that byte is recovered, followed by a determination of the correct byte to inject. The correct value is injected to cause the user ID to change.
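The XOR relationship above is the whole attack, so here it is worked through in code as an added example (written for this page; not Mutillidae's implementation of the page, and not the video's own script). A toy 16-byte Feistel cipher built on SHA-256 stands in for AES so the block runs with the standard library alone; CBC's malleability does not depend on which block cipher sits underneath. The keys, IV and the `ROLE=user;id=001` token are constructed. The second half shows the mitigation: once the IV and ciphertext are covered by an HMAC, the same flipped IV is rejected instead of decrypted.

```python
import hashlib
import hmac

BLOCK = 16

# Toy 16-byte Feistel block cipher keyed through SHA-256. It stands in for AES
# only so the example runs offline; CBC's malleability is the same either way.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0, "example uses block-aligned plaintext"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))  # P = D(C) xor previous block
        prev = block
    return b"".join(out)

def flip_iv(iv, pos, known_byte, wanted_byte):
    """Rewrite IV[pos] so the first plaintext block decrypts with wanted_byte at pos.

    Decryption computes P[pos] = D(C)[pos] xor IV[pos]. Knowing IV and the
    plaintext gives D(C)[pos] = P[pos] xor IV[pos] (the "ciphertext for that
    byte" the video recovers); xor-ing it with the wanted byte yields the IV
    byte to inject. No key is needed.
    """
    intermediate = known_byte ^ iv[pos]
    new_iv = bytearray(iv)
    new_iv[pos] = intermediate ^ wanted_byte
    return bytes(new_iv)

def seal(enc_key, mac_key, iv, plaintext):
    """Mitigation: authenticate IV and ciphertext together (encrypt-then-MAC)."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unseal(enc_key, mac_key, token):
    """Return the plaintext, or None if any byte of IV or ciphertext was changed."""
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cbc_decrypt(enc_key, iv, ct)

# Constructed keys, IV and token for the demonstration.
ENC_KEY = b"example-enc-key-"
MAC_KEY = b"example-mac-key-"
IV = bytes(range(BLOCK))
PLAINTEXT = b"ROLE=user;id=001"  # exactly one block

def demo():
    ct = cbc_encrypt(ENC_KEY, IV, PLAINTEXT)
    # Byte 15 of the first block holds the last digit of the ID: known '1', want '7'.
    forged_iv = flip_iv(IV, 15, ord("1"), ord("7"))
    malleable = cbc_decrypt(ENC_KEY, forged_iv, ct)        # b"ROLE=user;id=007"
    token = seal(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    tampered = forged_iv + token[BLOCK:]                   # same trick on a MAC'd token
    return malleable, unseal(ENC_KEY, MAC_KEY, token), unseal(ENC_KEY, MAC_KEY, tampered)

if __name__ == "__main__":
    print(demo())
```

Two things to take from it: the forgery never touches the key, only the IV byte in the same position as the target plaintext byte, which is why "encrypted" on its own is not "tamper-proof"; and the fix is not a different cipher but an integrity check over the IV and ciphertext that is verified before decryption.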
Mutillidae is available for download at http://sourceforge.net/projects/mutillidae/. Updates about Mutillidae are tweeted to @webpwnized along with announcements about video releases.
Installing Latest Mutillidae On Samurai WTM Version 2
Samurai WTF is an excellent platform for web pen testing. A very large number of
tools are already included. An older version of NOWASP Mutillidae comes
pre-installed. This video covers installing the latest version on Samurai WTF
2.0. Installation requires downloading the latest version of NOWASP Mutillidae,
unzipping the Zip file which contains a single folder named "mutillidae", and
placing the "mutillidae" folder into /var/www directory. Configuration is done
by opening the /var/www/mutillidae/classes/MySQLHandler.php file and changing
the default MySQL password from blank empty string to "samurai". Starting the
project is done by browsing to http://localhost/mutillidae and clicking the
Reset-DB button on the menu bar.
How To Upgrade To Latest Mutillidae On Samurai WTF 2
This video covers upgrading the default version of NOWASP (Mutillidae) which comes with SamuraiWTF 2.0 with the latest available version. On this particular version of SamuraiWTF 2.0, NOWASP (Mutillidae) 2.1.20 was installed in the ISO. The latest version of NOWASP (Mutillidae) available at the time of this video was 2.3.7. In the video, the hosts file responsible for activating the links to the "target" web applications was modified so the default web applications would work. Also, the "samurai" start up script is reviewed to show why the LiveCD version of Samurai includes working web app targets but the installed version requires the targets be "activated". The video then covers how to upgrade the existing default installation of NOWASP (Mutillidae) with the latest available version. Additionally, the video discusses how to run the default version and latest version of NOWASP (Mutillidae) side-by-side or replace the existing installation with the latest version.
Using ettercap and sslstrip to capture login
This video by webpwnized (@webpwnized) reviews how to intercept web communications using ettercap and intercept web traffic that is supposed to be protected with SSL using SSLStrip.
SQL Injection via AJAX request with JSON response
This video by webpwnized (@webpwnized) covers pen-testing an SQL Injection vulnerability that occurs in an AJAX request made in the background. The response from the server is JSON. Since AJAX requests and regular requests work the same way (both follow the rules of the HTTP protocol), the AJAX request can be pen-tested using the same tools and techniques used with the more traditional requests. The SQL Injection flaw is first discovered, then used to pull a list of the tables in the database along with the columns for the target table. Once the target is identified, the defect is used to pull a list of the username and password fields. The demonstration site is NOWASP Mutillidae available at http://sourceforge.net/projects/mutillidae/files/mutillidae-project/. Updates concerning Mutillidae and these videos are tweeted to @webpwnized.
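The point that the JSON transport changes nothing about the defect is easiest to see with the handler itself. As an added example (written for this page, not Mutillidae's PHP), here is a lookup endpoint in its vulnerable and hardened forms over an in-memory SQLite table, with the JSON wrapper the XMLHttpRequest would receive. The table, the accounts in it and the `' OR '1'='1` probe are constructed sample values.

```python
import json
import sqlite3

def make_db():
    """In-memory table with constructed sample accounts (not Mutillidae's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret-a", "hello"), ("bob", "s3cret-b", "hi"), ("carol", "s3cret-c", "yo")],
    )
    return conn

def lookup_vulnerable(conn, username):
    """Vulnerable handler: the request parameter is spliced into the SQL text."""
    sql = "SELECT username, signature FROM accounts WHERE username = '" + username + "'"
    return [{"username": u, "signature": s} for u, s in conn.execute(sql)]

def lookup_safe(conn, username):
    """Hardened handler: a bound parameter is data and never becomes SQL."""
    sql = "SELECT username, signature FROM accounts WHERE username = ?"
    return [{"username": u, "signature": s} for u, s in conn.execute(sql, (username,))]

def ajax_response(conn, username, hardened=False):
    """What the server returns to the XMLHttpRequest: a JSON document.

    Whether the call arrived as a background XHR or a normal form post changes
    nothing about how the SQL was built, which is why the same testing approach
    (and the same fix) applies to both.
    """
    handler = lookup_safe if hardened else lookup_vulnerable
    return json.dumps({"results": handler(conn, username)})

def row_count(json_text):
    """Helper for reading the JSON the way a tester would: how many rows came back?"""
    return len(json.loads(json_text)["results"])

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed probe value: closes the quote, adds a true clause
    print(ajax_response(db, "alice"))                 # one row
    print(ajax_response(db, probe))                   # every row: the defect
    print(ajax_response(db, probe, hardened=True))    # no rows: the parameter is just a string
```

The hardened form is not "escaping" the input; it keeps the SQL text constant and lets the database driver carry the value separately. That is the remediation the tools in the video are looking for the absence of.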
Introduction to Installing, Configuring, and Using Burp-Suite Proxy
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek