Pentesting Tips: Beyond Automated Testing

Page 1: Pentesting Tips: Beyond Automated Testing

Build | Protect | Learn

Agenda

• ~$ whoami
• Overview
• Testing Methodologies
• Soft Skills
• Why Go Beyond Automated Testing
• Finding Unknown Stuff
• Vulnerability Exploitation
• Reporting and Automation
• Useful Training and Talks

~$ whoami

• Security Geek
• Pentester @ BreakPoint Labs (0xcc_labs)
• Security Researcher at Primal Security (@PrimalSec)
• Certification Junkie (OSCE, OSCP, etc.)
• Loves Python, CTFs, Pentesting, and Hiking/Camping

Quick Caveat

• I am not a master of all things… but I have acquired a particular set of skills…

Overview

• Goal: Share my experience with external security assessments

• Motivation: How many of you have heard this? “Is the scan done?” “Can you scan us?”

• Quick Note: Automated vs. Manual Testing in the context of this talk
- Automated Testing: Kicking off a vulnerability scanner (Nessus, Burp, Acunetix, WebInspect, etc.)
- Manual Testing: Everything else you do beyond the scope of the scan

Testing Methodologies

• Having an established testing methodology is an important first step

• You do not need to marry a methodology

• Several great methodologies out there:
- Penetration Testing Execution Standard (PTES)
- OWASP Testing Guide (OTG) 4.0
- Web Application Hacker's Handbook Task Checklist

• Good methodologies should include both Automated and Manual testing

Soft Skills

Determination

• Pentesting is all about failure… and not giving up

Mindset

• Hunt for what automated tools miss

Focus

Confidence

Automated Testing

Automated Testing Will Miss Stuff

• The DHS National NCATS organization reported that 67% of high-impact vulnerabilities required manual testing to enumerate.

Automated Testing Can Break Stuff

Automated Testing Can Take a Long Time

Automated Testing Can Have False Positives

• Burp: Right-Click -> [Send to Repeater] [Request in Browser]

Okay, So Now What?

• So we see just running a scan is not the best solution

• The rest of this talk will demonstrate some things I do beyond an automated tool to help me find cool stuff

Some Things To Think About

• What technology is in use?
• Ensure you properly map the application
• Enumerate all technology features (file upload, comments, etc.)
• Enumerate all areas of user input ("injection points")
• Can you figure out what is being done with your input?
- Is your input being presented on the screen? -> XSS
- Is your input calling on stored data? -> SQLi
- Does your input generate an action to an external service? -> SSRF
- Does your input call on a local or remote file? -> File Inclusion
- Does your input end up on the file system? -> File Upload

Think About How Input Is Being Used

• Given the following parameters, what would you attempt to do?

http://example-site.com/index.php?redirect=/contact/contact-us.php
http://example-site.com/index.php?file=/app/load.php
http://example-site.com/index.php?name=bob
http://example-site.com/index.php?search=starwars
http://example-site.com/index.php?sql=SELECT * FROM USERS

Finding Unknown Stuff

Finding Unknown Systems

• Companies are normally quite surprised about what is exposed to the Internet.

• How do you tackle large /8s and /16s? How do you even build out this footprint starting from just a company name?
- Shodan + Censys.io
- Domain + IP research
- Masscan + Nmap
- WhatWeb + Wappalyzer
- Google, Bing, etc.
- OSINT: company mergers + acquisitions

Finding Unknown Systems: Recon-ng

• Great tool for helping to automate reconnaissance written by Tim Tomes

• Jason Haddix wrote a script to automate several modules: enumall.sh

Quick Visual: EyeWitness

• EyeWitness is a tool that takes in URLs and creates a report with server headers + a screenshot of the web GUI

• Extremely useful when facing a large scope

Quick Visual: Masscan Web GUI

• Offensive Security’s Masscan Web GUI is a great way to get a quick visual of the Masscan results

Don’t Judge a System By Its IP

• Requesting an application URL by IP might give back different content vs. the domain

• Keep in mind you can have several applications living on the same IP
• Pointing an automated tool to “http://ip/” may miss a lot of stuff vs. “http://ip/AppIsHere/”

Can You Find Source Code?

• Can you deploy the technology in a VM and test?
• If you have access to the source code you can enumerate vulnerabilities more efficiently

Finding Unknown Content

• Unlinked content can be a gold mine of interesting functionality

• Ensure you test for unlinked directories, files, and parameters

• Useful wordlists for brute-force content discovery:
- FuzzDB and RAFT lists
- Burp Suite’s built-in lists
- SecLists
- My GitHub
- Robots Disallowed
• Tools: DirBuster, Patator, Burp’s Intruder, Burp’s Content Discovery

Vulnerability Exploitation

Version Specific Vulnerabilities

• Enumerating the technology and version in use goes a long way toward finding vulnerabilities (Google + Exploit-DB)

• What do I know about the technology and how can I find more information?

Custom Fuzzing

• FuzzDB, RAFT lists, and SecLists provide great lists for custom fuzzing
• As you start to understand how your input is being leveraged you can start your fuzzing
• Burp Suite Pro’s Intruder is my go-to tool for web application fuzzing

Weak Authentication Mechanism

• Very common finding with web application penetration testing
• Often combines several vulnerabilities:
- Username enumeration (Low) +
- Lack of automation controls (Low) +
- Lack of password complexity requirements (Low) =
- Account compromise (Critical)

Weak Authentication: Username Enumeration

• Password reset features: “Email address not found”
• Login error messages: “Invalid Username”
• Timing for login attempts: Valid = 0.4 secs, Invalid = 15 secs
• User registration: “Username already exists”
• Various error messages, and HTML source
• Contact Us features: “Which Admin do you want to contact?”
• Google hacking and OSINT
• Document metadata
• Sometimes the application tells you
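Every channel in the list above comes down to a login handler that behaves differently for a known username than for an unknown one. The Python below is an added example, not code from the talk: a constructed user store, a `login_vulnerable` handler that returns distinct messages and skips the hash when the username is unknown (the 0.4 s vs. 15 s gap on the slide is the same class of leak), a `login_hardened` handler that returns one message and always hashes against a dummy credential, and two checks a tester or developer can run against either handler. All names are assumptions.

```python
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """PBKDF2 password hash; the iteration count is what makes the work measurable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed demo user store (not from the talk): username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed whenever the username is unknown, so the hardened
# handler does the same amount of work on both paths and the timing gap closes.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> tuple:
    """Leaks account existence twice: a distinct message, and a fast path that
    never touches the password hash when the username is unknown."""
    if username not in USERS:
        return False, "Invalid username"          # enumerable message
    salt, expected = USERS[username]
    if _hash(password, salt) != expected:        # hashing only happens for real users
        return False, "Invalid password"
    return True, "Welcome"


def login_hardened(username: str, password: str) -> tuple:
    """One failure message and one amount of work regardless of whether the
    username exists. The dummy credential can never log anyone in."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    ok = ok and username in USERS
    return (True, "Welcome") if ok else (False, "Invalid username or password")


def messages_distinguish_users(handler) -> bool:
    """The tester's check: does a known username fail with a different message
    than an unknown one?"""
    _, known = handler("alice", "wrong")
    _, unknown = handler("nobody-" + os.urandom(4).hex(), "wrong")
    return known != unknown


def timing_ratio(handler, rounds: int = 5) -> float:
    """Mean response time for a known username divided by that for an unknown
    one. Values far from 1.0 point at a timing channel; on a shared machine
    treat the number as indicative, not proof."""
    def mean_seconds(user: str) -> float:
        start = time.perf_counter()
        for _ in range(rounds):
            handler(user, "wrong")
        return (time.perf_counter() - start) / rounds
    return mean_seconds("alice") / mean_seconds("nobody")
```

Run `messages_distinguish_users` and `timing_ratio` against each handler: the vulnerable one is separable by message alone, and its ratio sits well above 1.0 because the unknown-user path returns before any PBKDF2 work.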

Weak Authentication: Automation Controls

• Pull the authentication request up in Burp’s Repeater and try it a few times

• If you see no sign of automation controls, send to Burp’s Intruder for more aggressive testing
- No account lockout
- No/weak CAPTCHA
- Main login is strong, but other resources are not (mobile interface, API, etc.)
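What "automation controls" look like in code, as an added example that is not from the talk: a per-account failure counter with a lockout window, keyed on the normalised username rather than on the endpoint, so the mobile interface and the API cannot be used to sidestep a lockout enforced on the main login. `LoginThrottle`, `attempt` and `lockouts_per_account` are constructed names; the injectable clock is there so lockout expiry can be exercised without waiting.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window (constructed example).

    The key is the account, not the endpoint, so the web login, the mobile
    interface and the API share one failure budget.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                       # injectable for tests
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.events = []                         # (endpoint, account, outcome) for audit/detection

    @staticmethod
    def _key(username: str) -> str:
        return username.strip().lower()          # "Alice" and "alice" are one account

    def is_locked(self, username: str) -> bool:
        k = self._key(username)
        until = self.locked_until.get(k)
        if until is None:
            return False
        if self.clock() >= until:                # lockout expired: reset the counter
            del self.locked_until[k]
            self.failures[k] = 0
            return False
        return True

    def record_failure(self, username: str) -> None:
        k = self._key(username)
        self.failures[k] += 1
        if self.failures[k] >= self.max_failures:
            self.locked_until[k] = self.clock() + self.lockout_seconds

    def record_success(self, username: str) -> None:
        k = self._key(username)
        self.failures[k] = 0
        self.locked_until.pop(k, None)


def attempt(throttle: LoginThrottle, endpoint: str, username: str, password_ok: bool) -> str:
    """One login attempt arriving at any endpoint; returns "locked", "ok" or "denied".

    The lockout check runs before the password is evaluated, so a correct
    guess inside the lockout window is still refused.
    """
    if throttle.is_locked(username):
        outcome = "locked"
    elif password_ok:
        throttle.record_success(username)
        outcome = "ok"
    else:
        throttle.record_failure(username)
        outcome = "denied"
    throttle.events.append((endpoint, throttle._key(username), outcome))
    return outcome


def lockouts_per_account(throttle: LoginThrottle) -> dict:
    """Detection view over the audit trail: attempts each account saw while locked."""
    counts = defaultdict(int)
    for _endpoint, account, outcome in throttle.events:
        if outcome == "locked":
            counts[account] += 1
    return dict(counts)
```

The same `LoginThrottle` instance must sit behind every authentication path; a separate instance per endpoint recreates exactly the gap the slide describes.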

Weak Authentication: Weak Passwords

• We as humans are bad at passwords… here are some tricks that work for me:
- Password the same as the username
- Variations of “password”: “p@ssw0rd”…
- Month+Year, Season+Year: winter2015…
- Company Name + Year
- Keyboard walks – PW Generator: “!QAZ2wsx”

• Lots of wordlists out there, consider making a targeted wordlist using CeWL

• Research the targeted user’s interests and build lists around those interests
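A password policy that rejects exactly the patterns listed above, as an added example that is not the talk's code: undo leet-speak before looking for "password", match a season/month or the company name followed by a year, compare against the username, and detect keyboard walks by mapping each character to its row and column on a QWERTY keyboard and looking for runs of adjacent keys, which is what catches "!QAZ2wsx". The 12-character minimum and the US QWERTY layout table are my assumptions; the function names are constructed.

```python
import re

# Undo common leet substitutions before looking for "password" variants
_LEET = str.maketrans("@4310$57", "aaeiosst")

_PERIODS = ("spring", "summer", "fall", "autumn", "winter",
            "january", "february", "march", "april", "may", "june", "july",
            "august", "september", "october", "november", "december")
_YEAR = r"[-_. ]?(19|20)?\d{2}[!.]?"            # 2015 or 15, optional separator/punctuation
_PERIOD_YEAR = re.compile("(" + "|".join(_PERIODS) + ")" + _YEAR)

# US QWERTY layout (my assumption). Shifted and unshifted characters map to
# the same physical key, so "!QAZ" and "1qaz" are the same walk.
_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")
_SHIFTED = ("~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?")
_KEY_POS = {}
for _r, (_row, _shift) in enumerate(zip(_ROWS, _SHIFTED)):
    for _c, (_k, _s) in enumerate(zip(_row, _shift)):
        _KEY_POS[_k] = _KEY_POS[_s] = (_r, _c)


def keyboard_walk_runs(pw: str) -> list:
    """Lengths of maximal runs of physically adjacent keys. Diagonal neighbours
    count (the 1 key sits above q); repeating the same key does not."""
    runs, run = [], 1
    for a, b in zip(pw, pw[1:]):
        pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
        if pa and pb and pa != pb and max(abs(pa[0] - pb[0]), abs(pa[1] - pb[1])) == 1:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return runs


def check_password(pw: str, username: str = "", company: str = "") -> list:
    """Return the weak patterns found; an empty list means the policy passes."""
    reasons = []
    plain = pw.lower()
    letters = re.sub(r"[^a-z]", "", plain.translate(_LEET))
    if len(pw) < 12:                            # minimum length is my assumption
        reasons.append("shorter than 12 characters")
    if len(username) >= 3 and username.lower() in plain:
        reasons.append("contains the username")
    if "password" in letters:
        reasons.append("variation of 'password'")
    if _PERIOD_YEAR.fullmatch(plain):
        reasons.append("month/season + year")
    if company and re.fullmatch(re.escape(company.lower()) + _YEAR, plain):
        reasons.append("company name + year")
    runs = keyboard_walk_runs(pw)
    walked = sum(r for r in runs if r >= 4)     # characters that sit inside walks of 4+ keys
    if pw and (max(runs) >= 5 or walked >= 0.75 * len(pw)):
        reasons.append("keyboard walk")
    return reasons
```

The walk rule fires on one long run (five or more keys) or when most of the password is made of shorter runs; "!QAZ2wsx" is two runs of four, which is why the second condition exists.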

File Upload Abuse

• Automated tools do this poorly. They will commonly report that the functionality is there as an Informational finding

• You should leverage a proxy and look at all the details associated with the file upload:
- Can you determine where the file is stored?
- What controls are in place (file extension, file type…)?
- Can you modify the Content-Type header?
- Can you add code to a legit file and have it run?
- Can you change the case to bypass filters?
• Insecure file upload -> RCE, web shells, XSS, etc.

SMTP Injection

• Contact Us, and Feedback forms are commonly vulnerable to SMTP Injection

• How excited would you be if the application allowed you to send Emails as the CEO?
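How a contact form ends up sending mail on someone else's behalf, as an added example that is not from the talk: the vulnerable builder concatenates form fields straight into the header block, so a CR/LF inside the subject ends the `Subject:` header and starts a new one (here a `Bcc:`); the hardened builder rejects line breaks in anything header-bound, checks the address shape, and keeps the visitor's address out of `From:`. The addresses, the function names and the injected input are constructed.

```python
import re
from email.parser import Parser

SITE_FROM = "website@example.com"        # constructed: the site's own sender address
SUPPORT_TO = "support@example.com"       # constructed: where contact-form mail is delivered

# Constructed input for the subject field: the line break ends the Subject
# header and whatever follows is parsed as a further header.
INJECTED_SUBJECT = "Question about pricing\r\nBcc: victim@example.org"


def build_contact_mail_vulnerable(sender: str, subject: str, body: str) -> str:
    """Concatenates form input straight into the header block. Any CR/LF in
    `sender` or `subject` becomes a new header line (extra recipients, a
    spoofed From, or a blank line followed by a different body)."""
    return (
        f"From: {sender}\r\n"
        f"To: {SUPPORT_TO}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


_LINE_BREAK = re.compile(r"[\r\n]")
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_contact_mail_hardened(sender: str, subject: str, body: str) -> str:
    """Refuses line breaks in header-bound fields, validates the address shape,
    bounds the subject length, and sends from the site's own address with the
    visitor in Reply-To, so the form never sends "as" the visitor."""
    for field in (sender, subject):
        if _LINE_BREAK.search(field):
            raise ValueError("header fields must not contain CR or LF")
    if not _ADDRESS.fullmatch(sender):
        raise ValueError("invalid sender address")
    subject = subject[:200]
    return (
        f"From: {SITE_FROM}\r\n"
        f"Reply-To: {sender}\r\n"
        f"To: {SUPPORT_TO}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def header_values(raw_message: str, name: str) -> list:
    """Parse the generated message the way an MTA would and list one header's values."""
    return Parser().parsestr(raw_message).get_all(name) or []
```

`header_values` is the check to run in a test suite: feed each builder the injected subject and assert that no `Bcc:` header comes out the other side.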

SMTP Injection Cont.

Social Engineering: Phishing

• Lots of ways to do this: XSS, Open Redirect, New Domain, etc.

Step 1: Register a domain that closely matches the target organization: breakpoint-labs.com vs. breakpoint-lab.com

Step 2: Social Engineering Toolkit (SET) -> clone site

Step 3: Figure out payload(s): Credential Grabber, Unicorn PowerShell HTA, Java, BeEF Hook, CSRF, Malicious Doc, etc.

Step 4: Send an email modeled off the company's previous communications (HR, taxes, pay, etc.). Check out the Gophish open source phishing framework.

Social Engineering: Phishing Cont.

File Inclusion to RCE

• File inclusion vulnerabilities can lead to code execution "php include()".

• Sometimes they are just limited file inclusion "php echo()".

• File inclusion can lead to code execution via LFI or RFI.

• LFIs normally require you to get your input somewhere on disk and then include that resource.
• RFIs are normally easier to exploit as you can point them to an external resource containing your code.
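The include() pattern the next four slides walk through, as an added example rather than the talk's code, written in Python so the unsafe path join and its fix sit side by side: `include_page_vulnerable` reads whatever the `page` parameter names (a `../` sequence reaches a file above the page directory, the LFI case; a URL would be the RFI case where PHP allows remote includes), while `include_page_hardened` accepts only names from an allowlist and, as a second layer, confirms the resolved path stays inside the page directory. The page directory, its files and the config file are constructed in a temp dir.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for the web app's layout: a page directory plus a
# config file one level above it, all created in a temp dir.
_ROOT = Path(tempfile.mkdtemp())
PAGE_DIR = _ROOT / "pages"
PAGE_DIR.mkdir()
(PAGE_DIR / "home.php").write_text("<h1>home</h1>")
(PAGE_DIR / "contact.php").write_text("<h1>contact</h1>")
(_ROOT / "config.php").write_text("<?php $db_pass = 'constructed-secret'; ?>")

ALLOWED_PAGES = {"home", "contact"}           # the only names the hardened version serves


def include_page_vulnerable(page: str) -> str:
    """Mirrors include($_GET['page']): the request decides what gets read.
    '../config.php' escapes PAGE_DIR (LFI); an absolute path replaces PAGE_DIR
    outright, because joining an absolute path discards the left-hand side."""
    return (PAGE_DIR / page).read_text()


def include_page_hardened(page: str) -> str:
    """Allowlist first: the parameter selects a name, never a path. The
    resolve() containment check is a second layer in case the allowlist is
    loosened later; a URL fails both, which covers the RFI case."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {page!r}")
    target = (PAGE_DIR / f"{page}.php").resolve()
    if not target.is_relative_to(PAGE_DIR.resolve()):
        raise PermissionError("resolved path leaves the page directory")
    return target.read_text()
```

Note that the hardened version appends the `.php` suffix itself, so even a request for `home.php` is refused: the parameter is a key, not a filename.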

File Inclusion to RCE: Step 1

• Enumerate an unlinked resource "debug.php" that gives an HTTP 200 OK and blank screen. This is where most automated tools stop.

File Inclusion to RCE: Step 2

• Parameters are fuzzed in an attempt to enumerate inputs; "page=" gives back a different response: "Failed opening 'test' for inclusion".

File Inclusion to RCE: Step 3

• Attempt to point the page parameter to local and remote resources and attempt to execute code on the server.

File Inclusion to RCE: Step 4

• PHP was running as SYSTEM on the vulnerable application. An attacker could dump password hashes and pivot throughout the organization

Troubleshooting Exploits: Part 1

• Something might be vulnerable, but take some work to successfully exploit

• Many try to exploit stuff and throw complex payloads. When I am working on exploiting something, I try to use very simple payloads at first and then work my way to something more complex

• Webshell Example: Some simple examples, more here

Troubleshooting Exploits: Part 2 - WordPress

• On a recent pentest I found a WordPress server

• Could access the login panel - Brute Force is in!

• wpscan found some stuff to play with:
- Avada theme with Revslider
- Paid Memberships Pro path traversal (PHP echo())
- Photo Gallery <= 1.2.7 - unauthenticated blind SQLi

Troubleshooting Exploitation: Part 2 Cont.

• Brute Force: Had a valid username, but very slow :(

Troubleshooting Exploitation: Part 2 Cont.

• LFI: Paid Memberships Pro Path Traversal: Worked! Sweet LFI (Grabbed wp-config.php)

• Via PHP echo() so no code execution :(

Troubleshooting Exploitation: Part 2 Cont.

• SQLi: Replicated WP/Plugin in lab environment

• MSF Module worked in lab, caused no impact to system

• Needed to have a valid Photo gallery ID, so I had to dig around on the site to find it

• Attempted MSF module and it failed :(

• Dug through pcap and saw RSTs from server shortly after SQLi string

Troubleshooting Exploitation: Part 2 Cont.

• Figured out how to replicate with sqlmap:

• Attempted on the application and still blocked, hmmm....

• I added in a "--delay=4" which delayed my SQLi requests by 4 seconds (bypassing the WAF).

Troubleshooting Exploitation: Part 2 Cont.

• 4 second delay per request, so I am back to this....

Troubleshooting Exploitation: Part 2 Cont.

• Result? Took a long time, but led to full compromise.
• Lots of places I could have stopped. It is always easier to say something isn't vulnerable.

Remediation Testing

• I could upload a webshell using fileupload.php (client-side MIME type check).

• Developer fixes the issue with server side checks and names the resource: fileupload2.php.

• How would you go about testing this?

Remediation Testing Cont.

• I thought "Hmm, I wonder if fileupload.php is still accessible...."
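The file upload checklist from the File Upload Abuse slide and the remediation scenario above, as one added example that is not from the talk. `upload_vulnerable` trusts the client's Content-Type and keeps the original filename; `upload_hardened` ignores the header, lower-cases the final extension before checking it against an allowlist (so a change of case does not get past the filter), verifies the magic bytes, and stores the file under a random name. `routes_still_accepting` is the remediation test: run the same probe against every upload route, so a fix shipped as `fileupload2.php` while `fileupload.php` stays deployed shows up. The two route names come from the slides; the directory, the magic-byte table, the probe and the function names are constructed.

```python
import tempfile
import uuid
from pathlib import Path

UPLOAD_DIR = Path(tempfile.mkdtemp())    # constructed; in production keep this outside the web root

# Extension allowlist with the magic bytes each type must begin with
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def upload_vulnerable(filename: str, content_type: str, data: bytes) -> str:
    """Trusts the client-controlled Content-Type header and keeps the original
    name, so both the extension and the storage path are the uploader's choice."""
    if not content_type.startswith("image/"):
        raise ValueError("only images allowed")
    dest = UPLOAD_DIR / filename
    dest.write_bytes(data)
    return dest.name


def upload_hardened(filename: str, content_type: str, data: bytes) -> str:
    """Ignores Content-Type entirely. Decides on the lower-cased final extension
    ('shell.PHP' -> '.php' is refused; 'a.php.jpg' -> '.jpg'), checks the magic
    bytes, and stores under a random name so the caller cannot pick the path.
    Magic bytes do not stop a valid image that also carries code; never
    executing anything served from UPLOAD_DIR is what covers that case."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the extension")
    dest = UPLOAD_DIR / f"{uuid.uuid4().hex}{ext}"
    dest.write_bytes(data)
    return dest.name


# Remediation scenario from the slides: the fix shipped as fileupload2.php
# while fileupload.php was left deployed.
ROUTES_AFTER_FIX = {"fileupload.php": upload_vulnerable, "fileupload2.php": upload_hardened}
ROUTES_FIXED_PROPERLY = {"fileupload2.php": upload_hardened}

# Constructed probe: a .PHP name, an image Content-Type, and a body that is an
# inert PHP comment rather than a shell.
PROBE = ("shell.PHP", "image/jpeg", b"<?php /* remediation probe */ ?>")


def routes_still_accepting(routes: dict) -> list:
    """Remediation check: every upload route must refuse the probe, not only the new one."""
    still_open = []
    for name, handler in routes.items():
        try:
            handler(*PROBE)
        except ValueError:
            continue
        still_open.append(name)
    return still_open
```

The route table is the point: a retest that only exercises the endpoint named in the fix passes, while `routes_still_accepting(ROUTES_AFTER_FIX)` still lists the old resource.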

Reporting and Automation

Reporting

• Markdown is awesome. Common Findings Database - Check it out

Start the Fire: Learn Python

• I find it a necessary part of my day to day
• Learning a scripting language is not that hard
• It is like starting a friction fire

Python

Python: Shodan

Elasticsearch Python + Kibana (EPyK)

Useful Resources

• CTFs: VulnHub, past CTF writeups, PentesterLab
• Training: Offensive Security
• Book: Web Application Hacker's Handbook
• Book: Black Hat Python
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: File in the hole! - Soroush Dalili
• Talk: Exploiting Deserialization Vulnerabilities in Java - Matthias Kaiser
• Talk: Polyglot Payloads in Practice - Marcus Niemietz
• Talk: Running Away From Security - Micah Hoffman

Conclusion