80,443,8080 - Recon

Methodology

• Recon/Scanning

  • Profile Target

  • Identify Web Server Components

  • Test DNS

  • Test username enumeration (via OSINT)

• Vulnerability assessment

  • Test default credentials

  • Test Injections

  • Test for session fixation

• Exploitation

• Post-exploitation

Mindmap

HTTP/S

HTTP Request - Status Codes

HTTP Headers

HTTP Request Example

HTTP Response Example

HTTP Request Methods

Safe or unsafe methods

• Safe Methods: GET, HEAD, OPTIONS

• Unsafe Methods: POST, PUT, DELETE

Repeated submissions of an idempotent method yield same end server state

• Idempotent methods: GET, HEAD, PUT, DELETE, OPTIONS

• Non-idempotent methods: POST, PATH

CRUD methods (common in RESTful web services)

Vulnerabilities per available HTTP methods

Knowing the available HTTP methods:

• GET: parameters in teh URI may disclose sensitive information

• Identifies potential vulnerabilities

• Gives clues about how well the system is maintained

• May reveal additional functionality to test

A few examples of how attackers may use Specific HTTP methods:

• GET: paremeters in the URI may disclose sensitive information

• POST: paremeters can be used to exploit vulnerabilities

• PUT: may be able to upload files to the webroot

• TRACE: identify load balancers or other devices in front of the webserver

• DELETE: remove files from the webroot

User-Agent

Used to identify web client. Some tools (sqlmap, nmap) or scripts thjat use Python's urllib3 library may identify themselves via HTTP user-agent. Make sure to customize the user-agent to not allow easy detection.

Referer

Identifies for target server what page the user-agent was viewing when a link was clicked. This can give potential sensitive information being included on the URL.

Cookie and Set-Cookie

Upon sending a Cookie HTTP request header, server will respond with Set-Cookie header. Stealing authenticated cookies can lead to a session hijacking. Secure and HttpOnly flags ensure that transimssion occurs over an HTTPS encrypted channel.

Authorization

Authorization request header is associated with HTTP-based authentication methods. Often times sending Base-64 encoded values via authorization header.

Cacheable and Cache-Control

GET and HEAD requests typically are cacheble. Status codes of 200,203,204,206,300,301,404,405,410,414,501.

If you see a 304: Not Modified, this is because the data was previously cached.

Server

Server field provides HTTP response equivalent to the User-Agent header field. It indicates the web server closest to the end user.

WWW-Authenticate

When server uses built-in authentication method of HTTP Basic or Digest and user authenticates. The server might respond by employing the WWW-Authenticate header.

Structure: WWW-Authenticate: <type> realm=<realm>

<type> identifies the particular authentication method being employed and <realm> describes the "protection space" and indicates the scope of what is protected by this authentication.

Authentication

Web Server Based Authentication

HTTP Basic Authentication

Basic is the simplest built-in authentication scheme defined in RFC 2617. Server sends parameters called Realm, which describes the resource that is protected in in scope. Credentials are stored on the server (.htaccess on Apache). Upon submitting credentials, browser will create a Authorization header, concate credentials with : between and then base 64 encode. Also pads to 3 bytes using the = character.

Issues:

• Without SSL, due to easily decoded base 64 credentials, this can be completely insecure.

• After initial authentication, Authorization header is passed in every subsequent requests (increase attack window)

• There is no log out. Only way to log out is to close browser.

• Depending on server, there is no account lockout

HTTP Digest Authentication

Designed as a fix to Basic Authentication scheme in RFC 2617, Digest authentication does not send encoded password over the network, but adds additional parameters in challenge-response process. Sets Realm, salts (nonces and cnonces), and md5 to calculate response.

Issues:

• Without SSL, password could still be cracked if nonces and cnonce are captured.

• After initial authentication, the WWW-Authorize header is passed on every subsequent request (Increases attack window)

• No log out (unless browser is closed)

• Depending on server there is no account lockout

Tool to crack Digest passwords: https://github.com/eric-conrad/digestive/

Windows Integrated Authentication

Also known as IWA, is a proprietary authentication schema added by Microsoft. Schema uses NTLM, for NTLM (Challenge-Response protocol) and Kerberos (Handled by client with tickets) over HTTP. Mostly seen in intranets, Sharepoint uses, provides SSO, required both client and server to be on same Windows domain.

NTLM over HTTP is a two round authentication protocol. Can be identified with the beginning string in Negotiate Authorization header T1RMTVNTUAAB. (Base64 encoded string NTLMSSP). Kerberos has only one round also uses WWW-Authenticate: NTLM schema

Issues:

• Without SSL, password could still be cracked if network traffic captured

• After initial authentication, the WWW-Authorize header is passed in every subsequent request (Increases attack window)

• There is no log out. As long as user is logged into domain, browser will automatically authenticate. Opens door to CSRF attack vector.

Web Application Based Authentication

Form-based Authentication

This is the most common way of user authentication. Developers create HTML form which is used to perform authentication. Submitted credentials are sent in a POST HTTP request (Can also be GET), must be over SSL otherwise credentials are sent in plain text. Normally back-end authentication is used (SQL databases).

Form based authentication can be broken into 3 important components:

• Authentication Form (page that accepts credentials and submits to server-side processing code)

• Processing Code (Server-side code that verifies credentials, upon success redirects user to target page)

• Protected Resources (Any resources that can be accessed only by authenticated users, needed to be configured correctly by devs)

Issues:

• Secured by dev (Without proper security controls, back-end database could be open to injection attacks: SQL, LDAP, etc)

• Session handled by developer or framework (Typically via cookies) (Session handling needs to ensure log out after inactivity or when logout button is pressed)

• Account lockout depends on dev

• Susceptible to HTML injection attacks (XSS)

• Commonly used in phishing attacks

OpenId/OAuth/SAML Authentication

Allows authentication of users without asking for credentials as authentication is handled by identity provider (3P server). Based on tokens and uses APIs and can allow for SSO.

.

DNS

Get CIDR of target (Can help with reverse DNS Scanning)

Capture all records under a domain

Zone transfer (3 methods)

Incremental zone transfer

DNS brute force (Uses wordlist) for domain names (2 methods)

Simplified PTR (reverse) lookup

Query nameserver's version of BIND

Reverse DNS Scan to discover hidden CNAMEs (3 methods)

Zone transfer using to find internal records

Useful metasploit DNS information-gathering auxiliary modules

• auxiliary/gather/dns_bruteforce

  • Performs brute force dictionary DNS scan

• auxiliary/gather/dns_cache_scraper

  • Queries DNS cache for previously resolved names

• auxiliary/gather/dns_info

  • Gatheres general DNS information

• auxiliary/gather/dns_reverse_lookup

  • Performs a reverse DNS (PTR) scan of a netblock

• auxiliary/gather/dns_srv_enum

  • Enumerates SRV (Server) records

OSINT

Any data collecting where you are not directly scanning an endpoint, but external data collecting.

Search Engines Dorking

What to look for?

• Hardcoded Credentials

• Dependencies

• Versions

• Cached information (Google cache or archive.org)

• Sensitive files

Dictionary Cheat Sheet:

• Google Hacking Database: https://www.exploit-db.com/google-hacking-database

• Bing's Cheat Sheet: https://help.bing.microsoft.com/#apex/18/en-US/10001/-1

• Google's Cheat Sheet: https://support.google.com/websearch/answer/2466433?hl=en

• DuckDuckGo's Ceat Sheet: https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/

Cheat sheet

Look for Directory Browsering via Google

Cached content

Manual testing

• Google's cached pages: cache: test.com

• Wayback Machine: https://archive.org/web/

Automated testing

• waybackurl tool: https://github.com/tomnomnom/waybackurls

Shodan

Shodan is a search engine that enables users to find specific types of devices connected to the internet.

Unlike traditional search engines such as Google or Bing, that are designed to search the Web, Shodan scans and indexes IP addresses, non-HTTP/HTTPS ports, servers, routers, IoT devices, printers and any physical system connected on the internet.

What can be found:

• Routers

• Webcams

• Power Plants

• Refrigerators

• VoIP Phones

• etc

Netcraft

What's that site running?What's that site running? | Netcraft

Similar to Shodan

Censys

Censys | The Authority for Internet Intelligence and InsightsCensys

Similar to Shodan

Social Media

LinkedIn or Twitter

Metadata

Use tool to extract following metadata of files (e.g, pdf, images, etc.) This data can later be used to create wordlist or get additional information of a target:

• Geolocation data

• Software (+version)

• Usernames

• Full File paths

• Code comments

Tools: Tesseract, exiftool, Foca

Virtual Host Discovery

Certificate Transparency reports offer a penetration tester an additional method for discovering hosts and subdomains within a domain. This includes "hidden" virtual hosts that are not linked publicly, but have been issued an x.509 cert.

Use following sites:

• https://crt.sh/

• https://transparencyreport.google.com/https/certificates

Target Profiling

Collect data on what technology supports the web application.

Identify Web Server Components

Capture HTTP Header

Using Nmap Script to capture HTTP Service Information

Testing URI query vs POST parameters

Sensitive data being set via URI query is a finding. Data sent HTTP body via POST request can be encoded/encrypted

Test for Verb Tampering and GET/POST Method Interchange

• Use Burps "Change request method" to see if application allows swapping. This is a finding.

Test for TRACE method

TRACE method allows client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information

Test with OPTIONS method

OPTIONS method allows for asking servers what methods they support. Make sure to test for methods not included.

Test for Server field included in HTTP response

Checking for Security Headers

• Use burp/zap as interpreter and analyze headers

• Use browser add-on Wapalyzer which analyzes headers: https://www.wappalyzer.com/

• Good site to analyze HTTP Headers of external facing sites: https://securityheaders.com/

Analyze cipher strength of HTTPS SSL

External sites:

• Qualys SSL Labs: https://www.ssllabs.com/ssltest/

• Security Headers: https://securityheaders.com/

You can also manually run TestSSLServer.jar: https://github.com/timbo05sec/Tools-n-Stuff/tree/master/4_exploitation (Must use old java as older SSL versions are deprecated on newer Java versions)

Username Harvesting

Per HTML response/visible response

• Typing a username, is it visible if its valid or does respond return username value in response?

  • We can use bash script or burp to send a wordlist as username and random password and based on length of response, it will identify what are valid users.

Timing techniques without HTML differences

• Knowing username formatting (e.g 1 Letter for first name and full last name), create word dictionary of top 100 last names and run a Fuzzer against login and sort response by RTT

Versioning Port Scan

Look at robots.txt

Finding Hidden parameters (Arjun)

AJAX Applications

--

Automated Tools

OSINT

Data mine tools:

• Maltego (Commercial use)

• SpiderFoot (OpenSource)

Warning: May break Privacy Terms for Pentest

Searching domain names and email addresses:

• theHarvester

• AutOSINT (Uses theHarvester and pyFOCA to get OSINT data)

Spidering

• Burp Spider (Commercial)

• Zap Spider

• gospider

Alternative methods to spidering for Single Page Application (SPA) or AJAX applications

• Use an AJAX spider (not reliable)

• Manual clicks + Proxy

Forced Browsing (Directory Brute Forcing)

• dirbuster (Old)

• dirb

• gobuster

• curl

• Nikto

• w3af

• Metasploit's WMAP and msfcrawler auxiliary module

Force Browsing dictionaries

• SecLists

• Dirb

• DirBuster

• FuzzDB

• JBroFuzz

• WMAP

Get Subject Alternative Names (SAN) Certificate

Download and use client SSL certificate

Show SSL certification

Fuzzing

Fuzzing involves replacing normal values with attempted exploits to all available inputs and reviewing responses

What needs to be fuzzed

• Request headers

• POST parameters

• GET parameters

• PUT payloads

• Any input to client-side and server-side code

Input Examples

• SQL Injection ('+or+1=1;%23)

• Password Spraying(Different usernames same password)

• XSS (<script>alert("42")</script>)

• Directory Traversal / Local File inclusion (../../../../../etc/passwrd)

Fuzzing Dictionaries

• SecLists: https://github.com/danielmiessler/seclists

  • Download to /opt/seclists for use

• Google's Fuzzing dictionaries https://github.com/google/fuzzing/tree/master/dictionaries

• ameenmaali's qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities. https://github.com/ameenmaali/qsfuzz

Fuzzing Tools

• ZAP's Fuzzer

• patator

• ffuf

• Wfuzz

VHOST Discovery

SAST

Strenghts: Identifies Security Deficiencies not readily apparent in deployed applications

Weakness: Requires access to source code; might overlook APIs or libraries leveraged by the application; overlooks ops side of apps

DAST

Strengths: Doesn't require source code access; necessarily accounts for ops side of apps; can be automated/integrated into pipeline; scales well for large applications

Weaknesses: Only as good as the tool, its configuration, and the user wielding it; significant incidence of false positive; difficulty with certain types of flaws

Tools

LinkFinder

LinkFinder is an open-source python script used to discover API endpoints, URL resources and query parameters within minified JavaScript files. The script uses a combination of regular expressions to gather hidden URLs and application routes which can then be used by security researchers to further test for vulnerabilities.

Example:

Other Resources

Web App Hacking, Part 15: Web site Fingerprinting with Whatweb https://www.hackers-arise.com/post/2019/05/14/web-app-hacking-part-13-web-site-fingerprinting-and-vulnerability-scan

Arujin - Discover Hidden HTTP Parameters with Arjun https://null-byte.wonderhowto.com/how-to/discover-hidden-http-parameters-with-arjun-0212025/

Create HTTP/s whitenoise in upstream network logs/taps: https://github.com/Relkci/ps-whitenoiseweb

Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League Accounts: https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/