[Image: Scene from Disney's Aladdin - Image From Fransisca's Portfolio]
I have been doing an external web assessment for work and let me tell you, I have a lot to learn. Luckily for us, there are a ton of resources out there to help someone learn how to do this!
First assumption to throw out the window: it has to be a complicated hack to gain access :)
So how to start? Well, there are tons of 'exploitable' systems out there which can be used. Metasploitable seems like a great one to learn from, and it even has some tutorials/howtos on the left which you can throw against your new vulnerable image. I will probably start here (taking notes as I go!). There is also a free tool from McAfee Foundstone called Hacme Shipping which "demonstrate common web application hacking techniques such as SQL Injection, Cross Site Scripting and Escalation of Privileges as well as Authentication and Authorization flaws and how they are manifested in the code". This sounds impressive, but it requires a bit more setup than Metasploitable (which is a VM). However, there is a guide to setting it all up courtesy of pingtrip.com.
OK, we've got the victim, now what tools do we use to analyze and hopefully pwn our poor little web services? OWASP has a security framework built on top of a web browser called Mantra, which looks pretty slick. Like Backtrack, it has information gathering tools, editors (which means you can edit inline), tools for pentesting, etc., except its focus is on web-based offense/defense. You can get a list of all the tools here. Heck, Mantra is actually in Backtrack 5... so Backtrack would be a good bet!
In addition, I found some other fun websites which may prove useful later on:
- SQLcourse.com - exactly what it sounds like, even has an SQL interpreter
- exploit-db.com - again, exactly what it sounds like....
- HTML Code/Text Obfuscator - why not use it with JS as well?
Anyone have any additional hints/pointers/sites/tutorials? I would love to hear them!
P.S. I am working on a PowerShell script which will grab a ton of artifacts in Vista/XP (read: Temporary Internet Files, AutoRun registry settings, Temp directories) where badness generally resides. I sent it to my team for a pass to make sure it works and to make any adjustments/comments, then I plan on sharing it with the community. I am sure it isn't the best tool, but it's flexible and can be added to as needed. If anything, it shows how kickass and powerful PowerShell can be.
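As an added illustration of the kind of artifact collection the P.S. describes (this is not the author's script), here is a read-only PowerShell triage snippet that dumps the common Run/RunOnce autorun keys plus file listings from the Temp and Temporary Internet Files locations to a CSV. The XP and Vista folder layouts are assumed to be the defaults; the `New-Object` syntax is used so it runs on PowerShell 2.0, which is what those platforms shipped with.

```powershell
# Added example: collect autorun registry entries and temp-location file
# listings for triage. Read-only; writes one CSV in the current directory.
$report = @()

# Autorun keys commonly reviewed during triage (per-machine and per-user)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PSPath/PSParentPath/PSProvider metadata
            if ($p.Name -notmatch '^PS') {
                $report += New-Object PSObject -Property @{
                    Source = $key; Name = $p.Name; Value = $p.Value
                }
            }
        }
    }
}

# Temp and Temporary Internet Files locations; default XP and Vista paths assumed.
# String interpolation (not Join-Path) so a missing env var yields a path that
# simply fails Test-Path instead of throwing.
$tempDirs = @(
    $env:TEMP,
    "$env:USERPROFILE\Local Settings\Temporary Internet Files",           # XP
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"        # Vista
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($dir in $tempDirs) {
    # -Force is needed because Temporary Internet Files is hidden/system
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $report += New-Object PSObject -Property @{
                Source = $dir
                Name   = $_.FullName
                Value  = "$($_.Length) bytes, modified $($_.LastWriteTime)"
            }
        }
}

# Timestamped output so runs from different hosts or days can be compared
$out = "artifacts-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$report | Select-Object Source, Name, Value | Export-Csv -Path $out -NoTypeInformation
Write-Output "Wrote $($report.Count) records to $out"
```

Run it from an elevated prompt so the HKLM keys and other users' temp folders are readable; the CSV is what you would diff against a known-good baseline.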

3 comments:
I am working on a basic pen testing module for Powershell. Let me know if you would interested in working together to put something on codeplex.
Mantra is definitely one of the best webapp pentesting tools. A useful companion to Mantra is some type of proxy, like Burp Suite (there's a free eval version), or OWASP's Web Scarab. (OWASP has a ton of other tools and info as well, besides Mantra and Scarab.) If you're on Windows, take a look at Cain, from www.oxit.it. Don't underestimate nmap, either. It has plenty of output formats, for easy parsing with other tools, and the -sV option will tell you exactly what services are running on whatever hosts you scan. If you know a little about HTTP, netcat is often very valuable as well.
As for victims, you can't beat Damn Vulnerable Linux, which was created for exactly this purpose. Although DVL seems to have practically disappeared off the face of the internet, I'm sure you can find an ISO somewhere. If not, there's always Damn Vulnerable Web App, available on sourceforge. If you don't want to deal with the setup, try the ModSecurity demos, like CrackMeBank.
Finally, resources: Trustwave's Spiderlabs and the Spiderlabs Anterior blog are an excellent place for learning more about SQLi, as well as other DFIR topics and tools. Darknet.org.uk has thousands of articles and links to tools for both pentesting and digifor.
Just for fun, try running Wireshark while you are doing your pentesting. That way, you get to see what artifacts are in the logs, as well as those inside a packet capture. (Which reminds me of a certain reindeer-related test case... ;)
@Will -- sure, just shoot me an email at icanhzblog[at]gmail[dot]com. I hope I can contribute!
@Anon-- much mahalo for the additional tips! I do hope I win that SANS challenge! I will definitely link to the answers in my blog, was great fun :)