[Editor's Note: Here is the fifth in our series of penetration testing tips drawn from the Ultimate SANS Pen Test Poster. This time, our focus is on specific recommendations from Kevin Johnson about web app pen test tips, tools, resources, and other recommendations. Really helpful stuff. Thanks, Kevin!]
[Editor's note: In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write-up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he provides some good insight into exploiting PHP flaws via a MySQL instance running on a Windows target as well. Nice! --Ed.]
A wee time ago on a pen test not far, far away, I was looking for that first toehold; the first shell that split the test wide open; my entry into the target; the toe in the door; the camel's nose in the tent; the first part of the whatever that gets into there wherever that it shouldn't be in the first place. I kicked off an nmap sweep using the http-enum script, in hopes of finding an interesting web server with an even more interesting set of directories. Here is my command:
$ nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080 ...
[Editor's Note: My goodness, there are a lot of ways to get authentication wrong in the web application world. In this article, my esteemed pants-wearing colleague, Tim Medin, describes a couple of problems we frequently find in web application penetration testing, and how to operationalize attacking them in your pen test projects. --Ed.]
We all know about the Pass-the-Hash technique as it relates to Windows systems, but what about on the web? No, I don't mean Windows web apps either. I'm talking about a different kind of pass-the-hash, one where the web app developer congratulated himself with an ingenious security feature, but almost completely missed the goal in securing the application's authentication.
Let's start off by looking at the normal flow for web app authentication:
- Present authentication form to user
[Editor's Note: Tom Heffron provides some really cool tips for leveraging nslookup in web app command-injection attacks. His ideas for using environment variables are pretty nifty, and his point about how to launch this so that it doesn't require an authoritative DNS server is great. --Ed.]
When I took the recent SANS SEC 560 vLive course (yes, with Smell-O-Vision!) in January and February, I was super pumped to study the Pen Testing Arts under Sensei Skoudis and Sensei Medin. The last half of Day 5 focused on web app attacks (including hands-on exercises for XSRF, XSS, SQLi, and command injection). I took a particular interest in the command injection portion of the class, thinking about how to mix in a little command-line kung fu with nslookup, so that a pen tester may actually gather more information about the target environment in a flexible fashion.
Sometimes when I'm...
[Editor's Note: Here is a delightful little article from my buddy, Tim Medin on recovering Subversion-related files during a penetration test or ethical hacking project. Recently, we've had several projects in which this hot little technique has been vitally important, yielding super cool information for us. --Ed.]
By Tim Medin
Give me a Dot. Give me an S. Give me a V. Give me an N. Give me source code!
I think most Web Application Penetration Testers would agree that source code access can increase the speed and accuracy in finding vulnerabilities. Sadly, many times we don't have access to the source code. Fortunately for us pen testers, admins and developers can inadvertently leave the code around for us.
Many times, when code is moved into production, the source directory will be zipped/tarred/rarred/whatevs-ed and uploaded to the server. Other times, a copy of the code is checked out straight from the repository. If...