80,443,8080 - Recon
Last updated
Last updated
Recon/Scanning
Profile Target
Identify Web Server Components
Test DNS
Test username enumeration (via OSINT)
Vulnerability assessment
Test default credentials
Test Injections
Test for session fixation
Exploitation
Post-exploitation
Safe or unsafe methods
Safe Methods: GET, HEAD, OPTIONS
Unsafe Methods: POST, PUT, DELETE
Repeated submissions of an idempotent method yield same end server state
Idempotent methods: GET, HEAD, PUT, DELETE, OPTIONS
Non-idempotent methods: POST, PATH
CRUD methods (common in RESTful web services)
Knowing the available HTTP methods:
GET: parameters in teh URI may disclose sensitive information
Identifies potential vulnerabilities
Gives clues about how well the system is maintained
May reveal additional functionality to test
A few examples of how attackers may use Specific HTTP methods:
GET: paremeters in the URI may disclose sensitive information
POST: paremeters can be used to exploit vulnerabilities
PUT: may be able to upload files to the webroot
TRACE: identify load balancers or other devices in front of the webserver
DELETE: remove files from the webroot
Used to identify web client. Some tools (sqlmap, nmap) or scripts thjat use Python's urllib3 library may identify themselves via HTTP user-agent. Make sure to customize the user-agent to not allow easy detection.
Identifies for target server what page the user-agent was viewing when a link was clicked. This can give potential sensitive information being included on the URL.
Upon sending a Cookie HTTP request header, server will respond with Set-Cookie header. Stealing authenticated cookies can lead to a session hijacking. Secure and HttpOnly flags ensure that transimssion occurs over an HTTPS encrypted channel.
Authorization request header is associated with HTTP-based authentication methods. Often times sending Base-64 encoded values via authorization header.
GET and HEAD requests typically are cacheble. Status codes of 200,203,204,206,300,301,404,405,410,414,501.
If you see a 304: Not Modified, this is because the data was previously cached.
Server field provides HTTP response equivalent to the User-Agent header field. It indicates the web server closest to the end user.
When server uses built-in authentication method of HTTP Basic or Digest and user authenticates. The server might respond by employing the WWW-Authenticate header.
Structure: WWW-Authenticate: <type> realm=<realm>
<type> identifies the particular authentication method being employed and <realm> describes the "protection space" and indicates the scope of what is protected by this authentication.
Basic is the simplest built-in authentication scheme defined in RFC 2617. Server sends parameters called Realm, which describes the resource that is protected in in scope. Credentials are stored on the server (.htaccess on Apache). Upon submitting credentials, browser will create a Authorization header, concate credentials with : between and then base 64 encode. Also pads to 3 bytes using the = character.
Issues:
Without SSL, due to easily decoded base 64 credentials, this can be completely insecure.
After initial authentication, Authorization header is passed in every subsequent requests (increase attack window)
There is no log out. Only way to log out is to close browser.
Depending on server, there is no account lockout
Designed as a fix to Basic Authentication scheme in RFC 2617, Digest authentication does not send encoded password over the network, but adds additional parameters in challenge-response process. Sets Realm, salts (nonces and cnonces), and md5 to calculate response.
Issues:
Without SSL, password could still be cracked if nonces and cnonce are captured.
After initial authentication, the WWW-Authorize header is passed on every subsequent request (Increases attack window)
No log out (unless browser is closed)
Depending on server there is no account lockout
Tool to crack Digest passwords: https://github.com/eric-conrad/digestive/
Also known as IWA, is a proprietary authentication schema added by Microsoft. Schema uses NTLM, for NTLM (Challenge-Response protocol) and Kerberos (Handled by client with tickets) over HTTP. Mostly seen in intranets, Sharepoint uses, provides SSO, required both client and server to be on same Windows domain.
NTLM over HTTP is a two round authentication protocol. Can be identified with the beginning string in Negotiate Authorization header T1RMTVNTUAAB. (Base64 encoded string NTLMSSP). Kerberos has only one round also uses WWW-Authenticate: NTLM schema
Issues:
Without SSL, password could still be cracked if network traffic captured
After initial authentication, the WWW-Authorize header is passed in every subsequent request (Increases attack window)
There is no log out. As long as user is logged into domain, browser will automatically authenticate. Opens door to CSRF attack vector.
This is the most common way of user authentication. Developers create HTML form which is used to perform authentication. Submitted credentials are sent in a POST HTTP request (Can also be GET), must be over SSL otherwise credentials are sent in plain text. Normally back-end authentication is used (SQL databases).
Form based authentication can be broken into 3 important components:
Authentication Form (page that accepts credentials and submits to server-side processing code)
Processing Code (Server-side code that verifies credentials, upon success redirects user to target page)
Protected Resources (Any resources that can be accessed only by authenticated users, needed to be configured correctly by devs)
Issues:
Secured by dev (Without proper security controls, back-end database could be open to injection attacks: SQL, LDAP, etc)
Session handled by developer or framework (Typically via cookies) (Session handling needs to ensure log out after inactivity or when logout button is pressed)
Account lockout depends on dev
Susceptible to HTML injection attacks (XSS)
Commonly used in phishing attacks
Allows authentication of users without asking for credentials as authentication is handled by identity provider (3P server). Based on tokens and uses APIs and can allow for SSO.
.
Useful metasploit DNS information-gathering auxiliary modules
auxiliary/gather/dns_bruteforce
Performs brute force dictionary DNS scan
auxiliary/gather/dns_cache_scraper
Queries DNS cache for previously resolved names
auxiliary/gather/dns_info
Gatheres general DNS information
auxiliary/gather/dns_reverse_lookup
Performs a reverse DNS (PTR) scan of a netblock
auxiliary/gather/dns_srv_enum
Enumerates SRV (Server) records
Any data collecting where you are not directly scanning an endpoint, but external data collecting.
What to look for?
Hardcoded Credentials
Dependencies
Versions
Cached information (Google cache or archive.org)
Sensitive files
Dictionary Cheat Sheet:
Google Hacking Database: https://www.exploit-db.com/google-hacking-database
Bing's Cheat Sheet: https://help.bing.microsoft.com/#apex/18/en-US/10001/-1
Google's Cheat Sheet: https://support.google.com/websearch/answer/2466433?hl=en
DuckDuckGo's Ceat Sheet: https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/
Look for Directory Browsering via Google
Manual testing
Google's cached pages: cache: test.com
Wayback Machine: https://archive.org/web/
Automated testing
waybackurl tool: https://github.com/tomnomnom/waybackurls
Shodan is a search engine that enables users to find specific types of devices connected to the internet.
Unlike traditional search engines such as Google or Bing, that are designed to search the Web, Shodan scans and indexes IP addresses, non-HTTP/HTTPS ports, servers, routers, IoT devices, printers and any physical system connected on the internet.
What can be found:
Routers
Webcams
Power Plants
Refrigerators
VoIP Phones
etc
Similar to Shodan
Similar to Shodan
LinkedIn or Twitter
Use tool to extract following metadata of files (e.g, pdf, images, etc.) This data can later be used to create wordlist or get additional information of a target:
Geolocation data
Software (+version)
Usernames
Full File paths
Code comments
Tools: Tesseract, exiftool, Foca
Certificate Transparency reports offer a penetration tester an additional method for discovering hosts and subdomains within a domain. This includes "hidden" virtual hosts that are not linked publicly, but have been issued an x.509 cert.
Use following sites:
Collect data on what technology supports the web application.
Sensitive data being set via URI query is a finding. Data sent HTTP body via POST request can be encoded/encrypted
Test for Verb Tampering and GET/POST Method Interchange
Use Burps "Change request method" to see if application allows swapping. This is a finding.
TRACE method allows client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information
OPTIONS method allows for asking servers what methods they support. Make sure to test for methods not included.
Test for Server field included in HTTP response
Use burp/zap as interpreter and analyze headers
Use browser add-on Wapalyzer which analyzes headers: https://www.wappalyzer.com/
Good site to analyze HTTP Headers of external facing sites: https://securityheaders.com/
External sites:
Qualys SSL Labs: https://www.ssllabs.com/ssltest/
Security Headers: https://securityheaders.com/
You can also manually run TestSSLServer.jar: https://github.com/timbo05sec/Tools-n-Stuff/tree/master/4_exploitation (Must use old java as older SSL versions are deprecated on newer Java versions)
Typing a username, is it visible if its valid or does respond return username value in response?
We can use bash script or burp to send a wordlist as username and random password and based on length of response, it will identify what are valid users.
Knowing username formatting (e.g 1 Letter for first name and full last name), create word dictionary of top 100 last names and run a Fuzzer against login and sort response by RTT
--
Data mine tools:
Maltego (Commercial use)
SpiderFoot (OpenSource)
Warning: May break Privacy Terms for Pentest
Searching domain names and email addresses:
theHarvester
AutOSINT (Uses theHarvester and pyFOCA to get OSINT data)
Burp Spider (Commercial)
Zap Spider
gospider
Use an AJAX spider (not reliable)
Manual clicks + Proxy
dirbuster (Old)
dirb
gobuster
curl
Nikto
w3af
Metasploit's WMAP and msfcrawler auxiliary module
SecLists
Dirb
DirBuster
FuzzDB
JBroFuzz
WMAP
Fuzzing involves replacing normal values with attempted exploits to all available inputs and reviewing responses
What needs to be fuzzed
Request headers
POST parameters
GET parameters
PUT payloads
Any input to client-side and server-side code
Input Examples
SQL Injection ('+or+1=1;%23)
Password Spraying(Different usernames same password)
XSS (<script>alert("42")</script>)
Directory Traversal / Local File inclusion (../../../../../etc/passwrd)
Fuzzing Dictionaries
SecLists: https://github.com/danielmiessler/seclists
Download to /opt/seclists for use
Google's Fuzzing dictionaries https://github.com/google/fuzzing/tree/master/dictionaries
ameenmaali's qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities. https://github.com/ameenmaali/qsfuzz
Fuzzing Tools
ZAP's Fuzzer
Strenghts: Identifies Security Deficiencies not readily apparent in deployed applications
Weakness: Requires access to source code; might overlook APIs or libraries leveraged by the application; overlooks ops side of apps
Strengths: Doesn't require source code access; necessarily accounts for ops side of apps; can be automated/integrated into pipeline; scales well for large applications
Weaknesses: Only as good as the tool, its configuration, and the user wielding it; significant incidence of false positive; difficulty with certain types of flaws
LinkFinder is an open-source python script used to discover API endpoints, URL resources and query parameters within minified JavaScript files. The script uses a combination of regular expressions to gather hidden URLs and application routes which can then be used by security researchers to further test for vulnerabilities.
Example:
Web App Hacking, Part 15: Web site Fingerprinting with Whatweb https://www.hackers-arise.com/post/2019/05/14/web-app-hacking-part-13-web-site-fingerprinting-and-vulnerability-scan
Arujin - Discover Hidden HTTP Parameters with Arjun https://null-byte.wonderhowto.com/how-to/discover-hidden-http-parameters-with-arjun-0212025/
Create HTTP/s whitenoise in upstream network logs/taps: https://github.com/Relkci/ps-whitenoiseweb
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League Accounts: https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/