Breaking the Application with Shritam Bhowmick – Application Bruteforce Demystified.

Web Form Brute Force Methods

Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist

Abstract

These are web application penetration testing challenges hosted at pentesteracademylab.appspot.com; the site offers several challenges for web application security researchers to practise breaking in a safe environment. This is for lab practice only, and no part of this document was provided by the original authors. Having pulled out my old research on application security, I thought I would give back to the community, though not all releases are meant to be pushed here. This research is part of my private application security research and is offered as an opening for others to dig in and work further on it, as long as the original authors are credited.

Contents

Hack.
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins
Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information.

Shritam Bhowmick Explains Shell Injection v/s Remote Code Execution v/s Code Injection – Yes, they are Different!

Shell Injection v/s Remote Code Execution v/s Code Injection

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

The Bare Beginning

I promised to deliver yet another piece of quality content on my blog, and my true intention after this particular post was to go ahead with posting something deep on HTTP Parameter Pollution. Looking at the awareness level (read the comments for a deeper insight into application security!) of incoming self-proclaimed security researchers or bug hunters, I recently decided to make my point and let the info-sec community know the real concepts behind application injection vulnerabilities. This post is focused on switching off the ego gap and providing a platform for others to grasp the core concepts and why such concepts must be applicable to adaptive application penetration testing!

I quickly realized the core necessity of distinguishing vulnerability levels according to their categorization and of being truly technical about the application security issue; this post focuses primarily on injection-level web vulnerabilities, which are very common if dug into deeply enough. In recent conversations with many 'elite' bug hunters, I noticed a huge gap in the technical consciousness they possess; they likely end up only getting T-shirts for the sake of a name on a Hall of Fame (no pun intended!). Money will encircle you with girls; knowledge will encircle you with girls, cars, super-bikes and the like!

Shritam Bhowmick Explains HTTP Parameter Contamination

HTTP Parameter Contamination

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Earlier, in my previous post on Enterprise HTTP Security, I described how HTTP security is fine clockwork for an application penetration tester; this post looks into deeper aspects of HTTP security and how logical manipulation of HTTP could potentially be used by an attacker to surface underlying application-level vulnerabilities, bypassing any security restrictions originally in place.

In standard application development, a multi-tier application architecture is prevalent. The multi-tier architecture is a client-server architecture in which the presentation, the application processing and the data management are completely separate processes. In basic terms, the multi-tier architecture is convenient for developers. The reason is that developers can re-use code and develop applications in which the whole application framework need not be written all over again; they only modify parts of the application architecture based on tiers and profit from the flexibility of such applications. The unfortunate part is that handling the same data across multiple platforms can lead to a security breach or leave the application vulnerable. Logical errors are triggered this way and are completely different from injection-based attacks such as:

  • LDAP/Blind LDAP Injections
  • XML Injection
  • HTML Injection
  • SQL Injection
  • ORM based Injection
  • Spring Injection/nHibernate Injection
  • Xpath Injection
  • Command Injection

All of the above-mentioned 'injection' variants fall into code-level application vulnerabilities and are completely different from 'logical' vulnerabilities, which can still have a greater impact on web applications. During my old research, in the early phases of dissecting the behavioural patterns of applications built on different platforms and web architectures, I found that these led to a couple of logic-based vulnerabilities which an attacker could use to their benefit. This led my curiosity to further research, and I ended up concluding with something which already existed, called 'HTTP Parameter Contamination' or HPC. During my research at Defencely, I found that this particular attack methodology does not rely on a specific platform but applies widely across many different web platforms, such as PHP on Apache, ASP.NET on IIS, etc.

Enterprise HTTP Security Inspection for Realistic Application Security

The need for HTTP Security Inspection on Application Security

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Application Layer – HTTP from the Security Perspective

The application layer is the first layer which needs a security check that goes beyond any other common checks. Automated scanners might do some of this as pre-defined in their programmed logic, but most of them fail to find the bugs which pass through the HTTP handler and hence create critical vulnerabilities for business enterprises. Yes, I am talking about the Hyper Text Transfer Protocol, which is by now the most common and most widely used text-based protocol on the internet. Web applications use this text-based protocol since it is easier to implement and to handle parallel requests with. The web server handles these requests made by clients, and penetration testers often ignore a variety of checks against HTTP from the security perspective. Once an application penetration tester has grown by studying HTTP at a deep level, he or she can already understand why a particular request could be manipulated via a client-side proxy in multiple ways and produce a critical security bypass.

Before I jump into the security aspects of the Hyper Text Transfer Protocol, my application security research has produced a comprehensive study of where to start with HTTP from the security standpoint. This question has been asked many times, and people have failed to come up with an exact method to detail everything in one book or post. This study is more of a guideline for application penetration testers than a reference study, but it could be used either way. I had prepared a standard draft for HTTP security research in topic segments which could be sub-categorised if wished, but for the sake of reference and guidance I have detailed them as modular topics which could be used by any application security researcher, bug hunter or application security enthusiast for their own analysis.

Fine Tuning Adaptive Network Penetration Test – External, Internal and Wireless

Fine Tuning Automation for Network Penetration Test

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Network Penetration Testing

A lot has been discussed earlier about network penetration testing in forums, IRC channels and security conferences, but everyone looked for some automated approach to keep network penetration test tasks going fast. The fast approach is desired for mass IP scans and large IP ranges which have to be tested in a short time. Most of these network nodes have open services which could be further investigated if those services are well known to be exploited in the wild.

There are various types of network penetration testing, referenced below:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Wireless Network Penetration Testing

Now, as most of you had already assumed, there could be an automated approach to all of them; this seems easy but is harder when taken from a wide security viewpoint. The art of choosing a set of tools at your disposal for a network security audit lies beyond the defined scope, since a lot of these tools send malicious packets which could stress the web server or a critical production server, costing the clients financially through loss of their services. As a penetration tester I have learned this art from my own lessons and experiences, and this is my own personal methodology for a network penetration test. Some of the questions which should be asked of the client before beginning an engagement would be the major feedback on how one should prepare for the penetration test.

Adaptive Application Framework Driven Vulnerabilities and the Padding Oracle

Securing Web Applications before Deployment.

An analysis focused on various framework used to deploy web applications.

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

Dedicated vulnerability and bug researchers go deep into the application security aspects while studying application internals, and there is a prominent rise in hidden attack vectors which are never common. There is a common misconception among developers that deploying applications which are vendor-enabled with third-party proprietary framework libraries will add security to the application. The libraries the developers rely on are themselves vulnerable if properly dissected and studied. This brings business concerns to the business assets. The business assets could be anything from bank details to stored credit card information which customers can easily access for their convenience. Although data integrity is maintained and the data is encrypted when stored, it takes a while for an attacker to get in and get out without really being noticed. Contrary to the statements above, there is yet another belief that open-source libraries will be safer since they go through revisions by the mass community, but the truth is bitter. Again, deep down in the open-source libraries there exist multiple critical vulnerabilities which need to be addressed before deploying them as they are. The information given below will detail the vulnerabilities deep inside the libraries which are used to deploy rich internet-based applications.

What do developers see as a convenient way of deploying a web application?

  • Languages used: PHP, Java, Ruby, Scala, Perl, Python, Haskell, ColdFusion and more.
  • Frameworks used: .NET, Zend, CodeIgniter, Spring, Catalyst, Snap, CakePHP, Yii, Fusebox, and more. Even more popular ones are Django, Sinatra, Mason, Pyjamas, Symfony and Grails.

Web Security Threat Prediction

Web Security Threat Prediction

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

The web security scene has become more complex than ever, and it is time various industries take a deeper look at it to gain an in-depth grasp of the situation which affects them directly or indirectly. This could come as a blow and would not let you know until it is too late. This post will take you through the recent predictions in terms of web security and inform you of the latest web attacks on the rise, and how such attacks are bad for business as well as reputation, let alone the financial losses. When we talk about industry, this does not have to be the retail industry; it stretches from medical appliances to the car manufacturing industry and right down to the electronic cigarette industry. That being said, we will look at how the web presence of various industrial assets affects them directly or indirectly, and why web security is an absolutely important factor for them too, a risk too big to ignore or compromise on.

Prediction 2015

I have carried out a statistical background check on as many application attack vectors as possible, and from that statistical approach have arrived at a very conclusive set of industries which could go bankrupt as well as suffer reputation loss if the web security part is ignored. Here are some of the industries where ignoring web security has a direct impact on business.

  • Medical Department
  • Web Retail Department and Business Assets
  • Opensource Platforms
  • Mobile Devices

Knowing the terminologies beyond being an Ignorant.

Terminologies Beyond being an Ignorant.

There is no software that can hack Facebook passwords (except key logging and phishing), and the same goes for e-mail account hacking. These are some of the queries and desires one could start primitive, constructive hacking from, but such people often fall off the edge and go into destructive black-hat hacking out of curiosity. Curiosity is an agent which can change things and push the envelope forward. But if not done the right way, it will only lead to a false reality, which is neither constructive nor reality itself. Everyone else seems tired of the questions, and yet there still seems to be confusion about whom to admire: the guys who work hard on the white side, or the guys who still work hard on the black side of breaking security. Now, when I say 'security', it strictly does not have to be application security or network security; think bigger, and there is physical security, mobile security, personal security. A person who bypasses security or any countermeasures in place to prohibit access is generally called a 'cracker' or a 'hacker'.

But don't get hooked by the terms. They are both very different. It depends on which side the person chooses to be on. That is, if a person has chosen the darker side, he would in the long run be called and termed a cracker. If not, he belongs to the 'hacker' category. The latter is the category we will be talking about, since I really have no interest in the other side of the fence, where, today or later, things keep getting worse as law enforcement grows stricter. Now, a cowboy of curiosity might just explore both sides, and this is the grey area. Such people are called grey hats. Let's walk straight to the points and look at some terminologies which could illuminate some of the people who have been missing a lot of the what, why, how and where. Here are some terminologies related to computer science but inclined towards 'computer hacks' on a broader scope.

Kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel’s responsibilities include managing the system’s resources (the communication between hardware and software components). Usually as a basic component of an operating system, a kernel can provide the lowest-level abstraction layer for the resources (especially processors and I/O devices) that application software must control to perform its function. It typically makes these facilities available to application processes through inter-process communication mechanisms and system calls.

Linux is a computer operating system which is based on free and open source software. Although many different varieties of Linux exist, all are Unix-like and based on the Linux kernel, an operating system kernel. Linux was originally just a 'kernel', to which the community later added lines of code to make it better and better, and now Linux has so many distributions with thousands of lines of code and utilities.

An exploit (from the verb to exploit, in the meaning of using something to one’s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system.

A shell is a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel. However, the term is also applied very loosely to applications and may include any software that is “built around” a particular component, such as web browsers and email clients that are “shells” for HTML rendering engines. The name shell originates from shells being an outer layer of interface between the user and the internals of the operating system (the kernel).

PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document. It also has evolved to include a command-line interface capability and can be used in standalone graphical applications.

jQuery is a cross-browser JavaScript library designed to simplify the client-side scripting of HTML. It was released in January 2006 at BarCamp NYC by John Resig. Used by over 49% of the 10,000 most visited websites, jQuery is the most popular JavaScript library in use today.

A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address.

Algorithm: In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning. In simple words, an algorithm is a step-by-step procedure for calculations.

There are many websites that can be searched for vulnerabilities and hacked, but if you are a real hacker you should select the website first and then try to hack it; this is termed target hacking.

A router is a device that forwards data packets between computer networks, creating an overlay inter-network. A router is connected to two or more data lines from different networks. When data comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. Routers perform the “traffic directing” functions on the Internet.

A data packet is typically forwarded from one router to another through the networks that constitute the inter-network until it gets to its destination node.

In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.

BB5 unlocking in Nokia phones: it is not possible to install an unsigned OS on a Nokia phone (this is not SIM-lock).

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive, and security research.

There is no method to decrypt a Nokia MCUSW file and change it, because if we do so the checksum no longer matches that of the phone and it is not installed. Symbian can be hacked by using ROM patcher and hello.

Free hosting websites don't allow the use of the Rapidleech script and other forums.

Unix (officially trademarked as UNIX, sometimes also written as Unix) is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna. The Unix operating system was first developed in assembly language.

A scripting language, script language, or extension language is a programming language that allows control of one or more applications. "Scripts" are distinct from the core code of the application, as they are usually written in a different language and are often created or at least modified by the end-user. Scripts are often interpreted from source code or bytecode.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. This is an application (web application) security vulnerability and can be classified into different types of cross-site scripting attacks, such as persistent, non-persistent and DOM-based. There are output contexts which can be broken out of using certain characters if those characters are not already blacklisted, or if the application isn't using a whitelist to allow only certain permitted characters into the application input. Output encoding is one of the many methods to stop this kind of attack.
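The context point above is easy to get wrong, so here is an added example (not from the original post) contrasting a naive body-only encoder with Python's `html.escape(..., quote=True)`. The two rendering helpers, the sample values and the `attribute_is_broken_out` check are all constructed for this illustration.

```python
import html

# Constructed sample inputs: a benign value that legitimately contains a quote
# and angle bracket, plus two shapes that target different output contexts.
BENIGN = "O'Brien <b>"
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def escape_body_only(value: str) -> str:
    """Naive encoder that only covers the HTML body context: it neutralises
    '<', '>' and '&' but leaves quote characters untouched."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_full(value: str) -> str:
    """Encoder that also covers quoted attribute values: html.escape with
    quote=True turns '"' into &quot; and "'" into &#x27;."""
    return html.escape(value, quote=True)


def render_body(value: str, encoder) -> str:
    """Reflect the value inside element text (HTML body context)."""
    return f"<p>Hello, {encoder(value)}</p>"


def render_attribute(value: str, encoder) -> str:
    """Reflect the value inside a double-quoted attribute (attribute context)."""
    return f'<input type="text" value="{encoder(value)}">'


def attribute_is_broken_out(rendered: str) -> bool:
    """Defender's check for the attribute template above: the encoded value must
    not contain a raw double quote, otherwise the input has closed the attribute
    and whatever follows is parsed as new attributes."""
    start = rendered.index('value="') + len('value="')
    end = rendered.rindex('">')
    return '"' in rendered[start:end]
```

The body-only encoder is adequate for `render_body`, but `render_attribute` with the same encoder lets `ATTR_PAYLOAD` close the attribute; `escape_full` keeps it inert in both places.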

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple people, to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies including Ethernet. Logically, MAC addresses are used in the Media Access Control protocol sub-layer of the OSI reference model.

Social engineering is the art of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Rooting is a process that allows users of mobile phones and other devices running the Android operating system to attain privileged control (known as “root access”) within Android’s Linux subsystem with the goal of overcoming limitations that carriers and manufacturers put on some devices. It is analogous to jailbreaking on devices running the Apple iOS operating system.

Tethering means sharing the Internet connection of an Internet-capable mobile phone with other devices. This sharing can be offered over a wireless LAN (Wi-Fi), or over Bluetooth, or by physical connection using a cable. In the case of tethering over wireless LAN, the feature may be branded as a mobile hotspot. The Internet-connected mobile phone acts as a portable router when providing tethering services to others.

Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

A cache is a component that transparently stores data so that future requests for that data can be served faster. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere. If requested data is contained in the cache (cache hit), this request can be served by simply reading the cache, which is comparatively faster. Otherwise (cache miss), the data has to be recomputed or fetched from its original storage location, which is comparatively slower. Hence, the more requests can be served from the cache the faster the overall system performance.

A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.

Overclocking is the process of operating a computer component at a higher clock rate (more clock cycles per second) than it was designed for or was specified by the manufacturer.

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity.

An assembly language is a low-level programming language for computers, microprocessors, microcontrollers, and other programmable devices. It implements a symbolic representation of the machine codes and other constants needed to program a given CPU architecture.

A hash function is any algorithm or subroutine that maps large data sets to smaller data sets, called keys. For example, a single integer can serve as an index to an array (associative array). The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes.

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity.

SQL, often referred to as Structured Query Language, is a programming language designed for managing data in relational database management systems (RDBMS). Originally based upon relational algebra and tuple relational calculus, its scope includes data insert, query, update and delete, schema creation and modification, and data access control. SQL injection, or SQLi, is a code injection technique that exploits a security vulnerability in some computer software. The injection occurs at the database level of an application (that is, in its queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. Using well-designed query language interpreters can prevent SQL injections.

Here are some tips and facts you would love to check, since they are mostly universal in hackerdom culture and people know them by default. If you do not know them by default, you are missing something and need to work on it:

  1. Ankit Fadia's seminars are crap, and so are his courses.
  2. Getting access to a router doesn't give you access to the network.
  3. One cannot just press a key and hack away a system or bring down the SCADA power grids.
  4. There is no powerful software, antivirus program or utility which can detect all the malware in existence.

I would add many more if there is feedback on some ideas and on what could possibly be missing. Leave your feedback in the comments, and I'd appreciate it if you could whip out some original sources. Roger out.