Nikto – Open Source Web Server Scanner

December 12th, 2013

Nikto is a crucial part of any web penetration test. It sits firmly in both the ‘web application audit’ and ‘web server audit’ camps. Nikto will comprehensively test web servers for a whole range of items. Tests include the presence of dangerous files and CGIs, outdated versions of web server software and specific configuration problems with web servers. So whether you have an open WebDAV setup, outdated Joomla installations or phpinfo test development files lying around – expect Nikto to find them. Nikto publishes regular updates, and so to fetch the latest definitions, just use:

./nikto.pl -update

Once we have the latest version, we can go ahead and run a scan with:

./nikto -host http://www.plzpwn.me/


Blind SQL injection with sqlmap

December 11th, 2013

When an SQL injection vulnerability is attacked, the application will often display error messages from the database. We can then retrieve the data we are after by constructing a query that ensures the data ends up in the error message passed back to us. This is the method we used in the previous SQL injection example, and it is a very quick and efficient way of mining data through SQL injection vulnerabilities. Sometimes, however, code is constructed in a way that, whilst it is vulnerable to injection, does not let us get the data we want returned by the database. Consider the following code –

<?php
        // Deliberately vulnerable example: $_GET['id'] is concatenated straight into
        // the query, but the page never echoes database output or errors.
        $link = mysql_connect("localhost", "twl", "XXXX");
        mysql_select_db("twl");

        $sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
        $res = @mysql_query($sql);   // '@' suppresses any error message from the database
        // The only thing an attacker sees is this yes/no answer.
        if (@mysql_numrows($res))
        {
                echo "We have rows!\n";
        } else {
                echo "We have no rows.\n";
        }
?>
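The following is an added example, not code from the post: a Python/sqlite stand-in for the PHP above (the `wp_posts` table and its two rows are constructed) that shows why a bare "rows / no rows" answer still leaks information when the id is concatenated into the query, and that the same yes/no check gives nothing away once the id is bound as a parameter. The `boolean_oracle_detectable` helper is the check a defender can run against both versions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the wp_posts table used by the PHP snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)",
                     [(1, "Hello world"), (2, "Second post")])
    return conn


def has_rows_vulnerable(conn, user_id):
    """Mirrors the PHP: the id is spliced into the SQL text, so anything after a
    closing quote becomes part of the WHERE clause."""
    sql = "SELECT * FROM wp_posts WHERE ID='" + user_id + "';"
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        # The PHP suppresses errors with '@', so a broken query just reads as "no rows".
        return False


def has_rows_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter, so it is only ever compared
    against ID and never parsed as SQL."""
    rows = conn.execute("SELECT * FROM wp_posts WHERE ID=?;", (user_id,)).fetchall()
    return len(rows) > 0


def boolean_oracle_detectable(conn, query_fn, base_id="1"):
    """Defender-side check: does the page act as a yes/no oracle?  A tautology and a
    contradiction appended to a valid id must give the same answer on safe code."""
    true_case = query_fn(conn, base_id + "' AND '1'='1")
    false_case = query_fn(conn, base_id + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a boolean oracle:",
          boolean_oracle_detectable(db, has_rows_vulnerable))   # True
    print("parameterised query leaks a boolean oracle:",
          boolean_oracle_detectable(db, has_rows_safe))         # False
```

With the vulnerable function the two probes return different answers, which is exactly the one-bit channel that blind SQL injection tools extract data through; with the parameterised function both probes simply fail to match any ID.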


SQL injection with sqlmap

December 10th, 2013

sqlmap is a web application and database penetration testing tool that automates detecting and exploiting many types of SQL injection flaw, and then taking over the database server. It is able to detect a huge range of injection types.

Let’s take the following code –

<?php
        // Deliberately vulnerable example: $_GET['id'] is concatenated straight into the query.
        $link = mysql_connect("localhost", "twl", "XXXX");
        mysql_select_db("twl");

        echo "This is a page\n";
        $sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
        $res = mysql_query($sql);    // errors are not suppressed here, so the database may report back
        mysql_free_result($res);
        echo "This is some text\n";
        mysql_close($link);

?>


wfuzz – Powerful web asset bruteforcer and vulnerability detector

December 9th, 2013

Brute-forcing is a powerful technique for detecting hidden or misconfigured assets on web servers. One of the most common issues I come across when pen testing web services is temporary, old or other development files left lying around.

Most pen testers I speak to rely on ‘dirb’ as the standard tool for web application directory brute-forcing. dirb is a great tool, although I’ve always favored wfuzz. I’ve found it to be faster and far more configurable.

Using wfuzz, we can specify exactly what part of a URL to fuzz. Here are a couple of examples –

http://www.plzpwn.me/FUZZ
http://www.plzpwn.me/somescript.php?user=FUZZ
http://www.plzpwn.me/FUZZ.txt
http://www.plzpwn.me/somescript.php?FUZZ=admin

wfuzz also allows us to filter matches based on web server response code, as well as number of lines, size of response, and text matched within the response.


Enumerating and Hacking NFS

December 4th, 2013

Network File System (NFS) is used to share files and directories over the network through ‘exports’. When a client wants to gain access to a share on the remote server, the client will first attempt to mount the share. The list of allowed clients per share is located in /etc/exports on the server. The problem with this approach is that the only credential for access is the client’s IP address. If a trusted machine is taken over or its address is otherwise spoofed, the attacker has full access to the share. All versions of NFS prior to version 4 use this same security model. The next issue to take into account is that the wildcard ‘*’ is permitted within the exports file. Site administrators often use wildcards to allow a range of hosts access to a share without thinking through the implications. Future changes to the network, or network breaches, may then give a user access to a share that the administrator had not intended.
