Cehv8 Labs - Module14: SQL Injection


Cehv8 labs
Module14: SQLi

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com



  1. CEH Lab Manual: SQL Injection, Module 14
  2. Module 14: SQL Injection

SQL injection is a technique often used to attack a website. It is the most common website vulnerability on the Internet.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection.

Lab Scenario

A SQL injection attack is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., to dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore executed unexpectedly. SQL commands are thus injected from the web form into the application's database to change its contents or to dump information such as credit card numbers or passwords to the attacker. SQL injection is mostly known as an attack vector for websites, but it can be used to attack any type of SQL database.

As an expert ethical hacker, you must use diverse defenses: prepared statements with bind variables, whitelist input validation, and escaping. Input validation can be used to reject unauthorized input before it is passed to the SQL query.
Lab Objectives

The objective of this lab is to provide expert knowledge of SQL injection attacks and the related responsibilities, which include:
- Understanding when and how a web application connects to a database server in order to access data
- Extracting basic SQL injection flaws and vulnerabilities
- Testing web applications for blind SQL injection vulnerabilities
- Scanning web servers and analyzing the reports
- Securing information in web applications and web servers

Lab Environment

To carry out the lab, you need:
- A computer running Windows Server 2012
- Windows 7 running in a virtual machine
- A web browser with an Internet connection
- Administrative privileges to configure settings and run tools

CEH Lab Manual Page 782. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Module 14: SQL Injection

Lab Duration
Time: 50 Minutes

Overview of SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.

TASK 1: Overview
Recommended labs to assist you in SQL injection:
- Performing blind SQL injection
- Logging on without valid credentials
- Testing for SQL injection
- Creating your own user account
- Creating your own database
- Directory listing
- Denial-of-service attacks
- Testing for SQL injection using the IBM Security AppScan tool

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. Module 14: SQL Injection
Lab 1: SQL Injection Attacks on MS SQL Database

SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.

Lab Scenario
Today, SQL injection is one of the most common and perilous attacks that a website's software can experience. The attack is performed against SQL databases that sit behind weakly written code, and an attacker can use the vulnerability to execute database queries to collect sensitive information, modify database entries, or attach malicious code, resulting in total compromise of the most sensitive data. As an expert penetration tester and security administrator, you need to test web applications running on the MS SQL Server database for vulnerabilities and flaws.

Lab Objectives
The objective of this lab is to provide students with expert knowledge of SQL injection attacks and to analyze web applications for vulnerabilities. In this lab, you will learn how to:
- Log on without valid credentials
- Test for SQL injection
- Create your own user account
- Create your own database
- Perform a directory listing
- Execute denial-of-service attacks

Lab Environment
To carry out the lab, you need:
- A computer running Windows Server 2012 (Victim Machine)
  5. Module 14: SQL Injection
- A computer running Windows 8 (Attacker Machine)
- MS SQL Server must be running under local system privileges
- A web browser with an Internet connection

Lab Duration
Time: 30 Minutes

Overview of SQL Injection
SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. It is a flaw in web applications, not a database or web server issue. Most programmers are still not aware of this threat.

Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. Blind SQL injection is identical to normal SQL injection except that, when an attacker attempts to exploit the application, rather than seeing a useful error message, a generic custom page is displayed.

TASK 1: Log on without Valid Credentials
Try to log on using the code ' or 1=1 -- as the login name. A dynamically generated SQL query is used to retrieve the number of matching rows.

1. Run this lab in Firefox. It will not work in Internet Explorer.
2. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
3. The home page of Real Home appears.
FIGURE 1.1: Old House Restaurant home page
4. Assume that you are new to this site and have never registered with this website previously.
5. Now log in with the code: blah' or 1=1 --
  6. Module 14: SQL Injection
6. Enter any password in the Password field, or leave the Password field empty.
7. Click Login or press Enter.

Note: When the attacker enters blah' or 1=1 --, the SQL query looks like this:
SELECT Count(*) FROM Users WHERE UserName='blah' or 1=1 --' AND Password=''
The condition 1=1 is always true, and the -- comments out the rest of the statement, so the password check is never evaluated and the count is non-zero.

FIGURE 1.2: Old House Restaurant login page

8. You are logged in to the website with a fake login. Your credentials are not valid, but you are logged in. Now you can browse all the web pages of the website as a registered member. You will see a Logout link at the upper-right corner of the screen.
Note: Normally, a user enters a user name and password that match a record in the Users table.
FIGURE 1.3: Old House Restaurant web page
You have successfully logged on to the vulnerable site.

TASK 2: Creating Your Own Account
Create a user account using an SQL injection query.
9. Open a web browser, type http://localhost/realhome, and press Enter.
10. The home page of Real Home appears.
  7. Module 14: SQL Injection
Note: Try to insert a string value where a number is expected in the input field.
FIGURE 1.4: Old House home page
11. Enter the query blah'; insert into login values ('juggyboy', 'juggy123'); -- in the Login Name field, and enter any password in the Password field or leave it empty. In this query, juggyboy is the username and juggy123 is the password. The semicolon ends the application's SELECT and starts a second, stacked statement; MS SQL Server executes both in the same batch, which is what makes the INSERT possible.
12. After executing the query you will be redirected to the login page; this is normal.
Note: To detect SQL injection, check whether the web application connects to a database server in order to access some data.
13. Try juggyboy as the username and juggy123 as the password to log in.
14. Click Login or press Enter.
Note: Error messages are essential for extracting information from the database. Depending on the type of errors found, you can vary the attack techniques.
FIGURE 1.5: Old House login page
15. If no error message is displayed on the web page, it means that you have successfully created your login using the SQL injection query.
16. To verify whether your login has been created successfully, go to the login page, enter juggyboy in the Login Name field and juggy123 in the Password field, and click Login.
Note: Understanding the underlying SQL query allows the attacker to craft ...
  8. Module 14: SQL Injection
FIGURE 1.6: Old House login page
17. You will log in successfully with the created login. Now you can access all the features of the website. Go to the Start menu apps, launch SQL Server Management Studio, and log in with the credentials.
Note: Different databases require different SQL syntax. Identify the database engine used by the server.
FIGURE 1.7: Old House page

TASK 3: Create Your Own Database
18. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
19. The home page of Real Home appears.
  9. Module 14: SQL Injection
Note: Most injections land in the middle of a SELECT statement. In a SELECT clause, we almost always end up in the WHERE section.
FIGURE 1.8: Old House home page
20. In the Login Name field, type blah'; create database juggyboy; -- and leave the Password field empty. Click Login.
21. In this query, juggyboy is the name of the database. This step only succeeds because the login the web application uses to connect to SQL Server is allowed to create databases; with a least-privilege application login, the stacked CREATE DATABASE would fail.
Note: Mostly the error messages show you which database engine you are working on, through ODBC errors: the database type is displayed as part of the driver information.
FIGURE 1.9: Old House page
22. No error message or any other message is displayed on the web page. It means that the site is vulnerable to SQL injection and a database with the name juggyboy has been created on the database server.
Note: Try to replicate an error-free injection, which could be as simple as ' and '1'='1 or ' and '1'='2.
23. When you open Microsoft SQL Server Management Studio, under Databases you can see the created database, juggyboy.
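Tasks 1 and 2 above (the ' or 1=1 -- authentication bypass and the stacked INSERT that creates juggyboy), together with the bind-variable and whitelist defenses named in the lab scenario, can be reproduced offline. The following is an added example written for this page; it is not code from the CEH lab manual or from the Real Home application. It uses Python's built-in sqlite3 module as a stand-in for MS SQL Server, a constructed login table (the alice account and the whitelist regex are assumptions), and a small helper that emulates a driver accepting stacked statements, which sqlite3's execute() refuses. CREATE DATABASE from Task 3 has no SQLite equivalent and is not reproduced.

```python
import re
import sqlite3


def make_db():
    """Constructed fixture standing in for the lab's login table.
    The lab stores plaintext passwords; a real application would store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('alice', 'S3cret!')")
    conn.commit()
    return conn


def run_dynamic_sql(conn, sql):
    """Emulate a driver that accepts stacked statements, as MS SQL Server does.
    sqlite3's execute() refuses batches, so fall back to executescript(),
    which runs every statement in the batch but returns no rows."""
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        if "one statement at a time" not in str(exc):
            raise
        conn.executescript(sql)
        return []


def vulnerable_login(conn, username, password):
    """The query shape described in the lab: user input concatenated into SQL."""
    sql = (f"SELECT COUNT(*) FROM login WHERE username='{username}' "
           f"AND password='{password}'")
    rows = run_dynamic_sql(conn, sql)
    return bool(rows) and rows[0][0] > 0


# Whitelist for the login name; the exact policy is an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def safe_login(conn, username, password):
    """Hardened version: whitelist validation plus a bind variable for each input,
    so quotes, semicolons and comment markers are never parsed as SQL."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Walk through Tasks 1 and 2 against both versions of the login."""
    conn = make_db()
    bypass = "blah' or 1=1 --"
    stacked = "blah'; insert into login values ('juggyboy', 'juggy123'); --"
    return {
        "task1_vulnerable": vulnerable_login(conn, bypass, ""),
        "task1_safe": safe_login(conn, bypass, ""),
        # The stacked INSERT runs, but the batch returns no rows, so this
        # login attempt itself fails (the lab's "redirected to the login page").
        "task2_inject": vulnerable_login(conn, stacked, ""),
        "task2_vulnerable": vulnerable_login(conn, "juggyboy", "juggy123"),
        "task2_safe": safe_login(conn, "juggyboy", "juggy123"),
        "safe_rejects_stacked": safe_login(conn, stacked, ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that safe_login also returns True for juggyboy once the account exists: parameterization stops the injection, it does not undo an account already planted through the vulnerable path, so remediation has to include auditing the login table as well.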
  10. Module 14: SQL Injection
Note: Time delays are a type of blind SQL injection that causes the SQL engine to execute a long-running query or a time-delay statement, depending on the logic being tested.
Note: Once you determine the usernames, you can start collecting passwords:
Username: ' union select password,1,1,1 from users where username = 'admin'--
Note: The attacker then selects the string from the table, as before:
Username: ' union select ret,1,1,1 from foo--
The server answers with a type-conversion error that carries the selected string: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'.
FIGURE 1.10: Microsoft SQL Server Management Studio

24. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
25. The home page of Real Home is displayed.
FIGURE 1.11: Old House home page
26. In the Login Name field, type blah'; exec master..xp_cmdshell 'ping www.certifiedhacker.com -l 65000 -t'; --, leave the Password field empty, and click Login.
27. In the above query, you are performing a ping of the www.certifiedhacker.com website using an SQL injection query: -l 65000 is the send buffer size, and -t means to ping the specified host until stopped. xp_cmdshell runs the command under the SQL Server service account (Local System in this lab environment); it is disabled by default on SQL Server 2005 and later and has been enabled for this lab.
  11. Module 14: SQL Injection
Note: Use the BULK INSERT statement to read any file on the server, and use bcp to create arbitrary text files on the server.
FIGURE 1.12: Old House login page
28. The SQL injection query starts pinging the host, and the login page shows a "Waiting for localhost..." message at the bottom left side of the window.
29. To see whether the query has executed successfully and the ping is running, open your Task Manager window.
30. In Task Manager, under the Details tab, you see a process called PING.EXE running in the background. It runs under the SQL Server service account rather than as the web user, because it was spawned by the database engine.
31. This process is the result of the SQL injection query that you entered in the login field of the website.
Note: Use the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create OLE Automation (ActiveX) applications that can do everything an ASP script can do.
FIGURE 1.13: Task Manager
32. To manually kill this process, right-click the PING.EXE process and select End Process. This stops the pinging of the host.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
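The PING.EXE you find in Task Manager is the observable artifact of xp_cmdshell: the SQL Server service (sqlservr.exe) spawned cmd.exe, which spawned ping.exe. A defender can detect this without ever seeing the injected string, by flagging any process whose ancestry leads back to sqlservr.exe. The following is an added example written for this page, not part of the lab manual or of any product; it runs over a constructed list of process-creation events using Sysmon-style field names (pid, ppid, image, user, command line), and the allowlist of benign children is a placeholder to tune per environment.

```python
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "pid ppid image user cmdline")

SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn"
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample events: the SQL Server service, the xp_cmdshell chain
# from the lab (cmd.exe -> ping.exe under the service account), an
# administrator's own interactive ping, and a benign SQL Server helper.
SAMPLE_EVENTS = [
    ProcessEvent(1200, 600, SQL_BINN + r"\sqlservr.exe", SYSTEM, "sqlservr.exe -sMSSQLSERVER"),
    ProcessEvent(3412, 1200, r"C:\Windows\System32\cmd.exe", SYSTEM,
                 'cmd.exe /c "ping www.certifiedhacker.com -l 65000 -t"'),
    ProcessEvent(3420, 3412, r"C:\Windows\System32\PING.EXE", SYSTEM,
                 "ping www.certifiedhacker.com -l 65000 -t"),
    ProcessEvent(2100, 900, r"C:\Windows\System32\cmd.exe", "WIN2012\\Administrator", "cmd.exe"),
    ProcessEvent(2108, 2100, r"C:\Windows\System32\PING.EXE", "WIN2012\\Administrator", "ping localhost"),
    ProcessEvent(1300, 1200, SQL_BINN + r"\SQLDumper.exe", SYSTEM, "SQLDumper.exe"),
]

# Children sqlservr.exe is expected to spawn; placeholder list, tune per environment.
ALLOWED_CHILDREN = {"sqldumper.exe", "conhost.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the highest ancestor we have an event for."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def find_sql_server_children(events):
    """Flag every process descended from sqlservr.exe, unless the direct
    child of the engine is on the allowlist. Returns (pid, chain, user, cmdline)."""
    hits = []
    for e in events:
        chain = ancestry(events, e.pid)
        if "sqlservr.exe" not in chain[1:]:
            continue  # sqlservr.exe itself, or not descended from it
        direct_child = chain[chain.index("sqlservr.exe") - 1]
        if direct_child in ALLOWED_CHILDREN:
            continue
        hits.append((e.pid, " <- ".join(chain), e.user, e.cmdline))
    return hits


if __name__ == "__main__":
    for pid, chain, user, cmdline in find_sql_server_children(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} user={user} {chain}: {cmdline}")
```

The administrator's ping is not flagged because its ancestry never passes through sqlservr.exe; the whole xp_cmdshell chain is, at both the cmd.exe and ping.exe levels. On the server itself the complementary check is whether xp_cmdshell is enabled at all (sp_configure 'xp_cmdshell'), which it is not by default on SQL Server 2005 and later.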
  12. Module 14: SQL Injection
Tool/Utility: SQL Injection Attacks on MS SQL Database
Information Collected/Objectives Achieved:
- id: 1003, 1004
- Username: juggyboy
- Password: juggy123

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required: [ ] Yes
Platform Supported: [x] Classroom
  13. Module 14: SQL Injection
Lab 2: Testing for SQL Injection Using the IBM Security AppScan Tool

IBM Security AppScan is a web application security testing tool that automates vulnerability assessments, prevents SQL injection attacks on websites, and audits websites for embedded malware.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection.

Lab Scenario
By now, you are familiar with the types of SQL injection attacks an attacker can perform and the impact caused by these attacks. Attackers can use the following types of SQL injection attacks: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote code execution, which allow them to spoof identity, damage existing data, execute system-level commands to cause denial of service of the application, and so on.

In the previous lab you learned to test for SQL injection attacks against an MS SQL database. As an expert security professional and penetration tester of an organization, your job responsibility is to test the company's web applications and web services for vulnerabilities. You need to find various ways to extend security tests and analyze web applications, and employ multiple testing techniques. Moving further, in this lab you will learn to test for SQL injection attacks using the IBM Security AppScan tool.

Lab Objectives
The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities. In this lab, you will learn to:
- Perform website scans for vulnerabilities
- Analyze scanned results
- Fix vulnerabilities in web applications
  14. Module 14: SQL Injection
- Generate reports for scanned web applications

Note: You can download IBM AppScan from http://www-01.ibm.com. Supported operating systems (both 32-bit and 64-bit editions): Windows 2003 Standard and Enterprise, SP1 and SP2; Windows Server 2008 Standard and Enterprise, SP1 and SP2.
Note: A personal firewall running on the same computer as Rational AppScan can block communication and result in inaccurate findings and reduced performance. For best results, do not run a personal firewall on the computer that runs Rational AppScan.

Lab Environment
To carry out the lab, you need:
- Security AppScan, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\IBM Security AppScan
- A computer running Windows Server 2012
- Double-click SEC_APPS_STD_V8.1_EVAL_WIN.exe to install
- You can also download the latest version of Security AppScan from http://www-01.ibm.com/software/awdtools/appscan/standard
- A web browser with Internet access
- Microsoft .NET Framework Version 4.0 or later

Lab Duration
Time: 20 Minutes

Overview of Testing Web Applications
Web applications are tested to implement security and to automate vulnerability assessments. Doing so helps prevent SQL injection attacks on web servers and web applications. Websites are also tested for embedded malware, employing multiple testing techniques.

Lab Tasks
TASK 1: Testing Web Application
1. Follow the wizard-driven installation steps and install the IBM Security AppScan tool.
2. To launch IBM Security AppScan, move your mouse cursor to the lower-left corner of your desktop and click Start.
FIGURE 2.1: Windows Server 2012 Desktop view
  15. Module 14: SQL Injection
3. Click the IBM Security AppScan Standard app in the Start menu apps.
Note: You can configure Scan Expert to perform its analysis and apply some of its recommendations automatically when you start the scan.
FIGURE 2.2: Windows Server 2012 Desktop view
4. The main window of IBM Security AppScan appears; click Create New Scan... to start the scanning.
Note: AppScan can scan both web applications and web services.
FIGURE 2.3: IBM Rational AppScan main window
5. In the New Scan wizard, click the demo.testfire.net hyperlink.
Note: In the evaluation version we cannot scan other websites.
Note: The Malware test uses data gathered during the Explore stage of a regular scan, so you must have some Explore results for it to function.
  16. Module 14: SQL Injection
Note: One of the options in the scan configuration wizard is for Scan Expert to run a short scan to evaluate the efficiency of the new configuration for your particular site.
Note: There are some changes that Scan Expert can only apply with human intervention, so when you select the automatic option, some changes may not be applied.
FIGURE 2.4: IBM Rational AppScan New Scan window (Recent Templates; Predefined Templates: Regular Scan, Quick and Light Scan, Comprehensive Scan, Parameter-Based Navigation, WebSphere Commerce, WebSphere Portal; Launch Scan Configuration Wizard)
6. In the Scan Configuration Wizard, select Web Application Scan, and click Next.
FIGURE 2.5: IBM Rational AppScan Scan Configuration Wizard
7. In the URL and Servers options, leave the settings at their defaults and click Next.
  17. Module 14: SQL Injection
FIGURE 2.6: IBM Rational AppScan Scan Configuration Wizard
8. In Login Management, select the Automatic option, enter the user name details as Username: jsmith and Password: Demo1234, and click Next.
Note: The total number of tests to be sent, or URLs to be visited, may increase during a scan as new links are discovered.
FIGURE 2.7: IBM Rational AppScan Scan Configuration window
9. In the Test Policy options, click Next to continue.
Note: The Security Issues view shows the actual issues discovered, from overview level down to individual requests/responses. This is the default view.
FIGURE 2.8: IBM Rational AppScan Full Scan window
10. Click Finish to complete the Scan Configuration Wizard.
Note: Results can be displayed in three views: Security Issues, Remediation Tasks, and Application Data. The view is selected by clicking a button in the View selector. The data displayed in all three panes varies with the view selected.
  18. Module 14: SQL Injection
Note: The Remediation Tasks view provides a To Do list of specific remediation tasks to fix the issues found by the scan.
Note: The Result List displays the issues for whatever item is selected in the application tree. These can be for:
- Root level: all site issues are displayed
- Page level: all issues for the page
- Parameter level: all issues for a particular request to a particular page
Note: You can export the complete scan results as an XML file or as a relational database. (The database option exports the results into a Firebird database structure. This is open source and follows ODBC and JDBC standards.)
FIGURE 2.9: IBM Rational AppScan Full Scan window
11. When the Auto Save window prompts you to save automatically during the scan, click Yes to save the file and proceed with the scan.
FIGURE 2.10: Auto Save window
12. Security AppScan starts scanning the provided URL for vulnerabilities.
FIGURE 2.11: IBM Rational AppScan Scanning Web Application window
Note: It will take a lot of time to scan the complete site; in this lab we stopped before scanning was complete.
13. After the scan is complete, the application lists all the security issues and vulnerabilities in the website.
14. Results can be displayed in three views: Data, Issues, and Tasks.
15. To view the vulnerabilities and security issues in the website, click the Issues tab.
  19. Module 14: SQL Injection
TASK 2: Analyze Result
Note: The severity level assigned to any issue can be changed manually by right-clicking on the node.
Note: Result Expert consists of various modules that are used to process scan results. The processed results are added to the Issue Information tab of the Detail pane, making the information displayed there more comprehensive and detailed, including screenshots where relevant.
Note: The Security Report reports security issues found during the scan. Security information may be very extensive and can be filtered depending on your requirements. Six standard templates are included, but each can easily be tailored to include or exclude categories of information.
FIGURE 2.12: IBM Rational AppScan Scanning Web Application Result window
16. To analyze the scan results, click any of the results, such as SQL Injection, to list all the links that are vulnerable to SQL injection.
FIGURE 2.13: IBM Rational AppScan Scanning Web Application Result window
17. Click the Advisory tab in the bottom pane of the window to see the severity of that particular link.
FIGURE 2.14: IBM Rational AppScan Scanning Web Application Result window
18. To fix these threats and vulnerabilities, click Fix Recommendation to view a list of advice for fixing these vulnerabilities.
FIGURE 2.15: IBM Rational AppScan Scanning Web Application Result window
  20. Module 14: SQL Injection
TASK 3: Generate Reports
Note: The Industry Standard Report reports the compliance (or non-compliance) of your application with a selected industry committee or your own custom standards checklist.
Note: The Template Based Report is a custom report containing user-defined data and a user-defined document in Microsoft Word .doc format.
Note: The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues discovered.
Note: The Regulatory Compliance Report reports on the compliance (or non-compliance) of your application with a large choice of regulations or legal standards, or with your own custom template.
19. After Rational AppScan assesses your site's vulnerability, you can generate customized reports configured for the various personnel in your organization.
20. You can open and view the reports from within Security AppScan, and you can save a report as a file to be opened with a third-party application.
21. To generate a report, select Tools > Report... The Create Report window appears.
FIGURE 2.16: IBM Rational AppScan Report Option window
22. Select the type of report to generate, check the options, and click Save Report...
FIGURE 2.17: IBM Rational AppScan Create Report window
23. Save the report to the desired location. The saved report will be helpful for future guidance.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
  21. Module 14: SQL Injection
Tool/Utility: IBM Security AppScan
Information Collected/Objectives Achieved:
- SQL injection attack detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how to speed up the scanning process and reduce the number of pages that IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required: [x] Yes
Platform Supported: Classroom
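Two passages on this page describe what a scanner such as AppScan automates: the margin notes in Lab 1 (an ODBC error leaking the database engine, and the ' and '1'='1 / ' and '1'='2 pair as an error-free test) and the scan itself in Lab 2, which sends such probes to every parameter and compares responses. The following is an added example written for this page; it is not AppScan's code nor the lab manual's. It runs the two checks against a constructed SQLite-backed lookup page (the products table and the endpoint functions are assumptions), once injectable and once parameterized. The time-delay and UNION techniques from slide 10 are not simulated here because SQLite has no sleep function.

```python
import sqlite3


def make_target():
    """Constructed fixture: a product lookup backed by SQLite, standing in for
    a site that echoes database errors (as the ODBC error in Lab 1 does)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Widget"), (2, "Gadget")])
    conn.commit()
    return conn


def vulnerable_search(conn, name):
    """Injectable endpoint: concatenates the parameter and leaks the error text."""
    sql = f"SELECT id, name FROM products WHERE name = '{name}'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", f"Database error: {exc}")


def safe_search(conn, name):
    """Same endpoint with a bind variable; the quote is just data here."""
    rows = conn.execute("SELECT id, name FROM products WHERE name = ?",
                        (name,)).fetchall()
    return ("ok", rows)


# Error fingerprints: the ODBC wording from the lab plus SQLite's own messages.
ERROR_SIGNATURES = ("ODBC Drivers error", "unrecognized token", "syntax error")


def probe(page, known_good):
    """Run the two scanner checks against page(value) -> (status, body).

    known_good must be a value the page answers normally, so the boolean
    probes have a baseline to compare against. Returns the findings list."""
    findings = []
    baseline = page(known_good)

    # 1. Error-based: a stray quote turning the page into a database error
    #    means the input reached the SQL parser unescaped.
    status, body = page(known_good + "'")
    if status == "error" and any(sig in body for sig in ERROR_SIGNATURES):
        findings.append("error-based")

    # 2. Boolean-based (blind): the TRUE probe must reproduce the baseline
    #    exactly and the FALSE probe must differ, both without an error.
    true_resp = page(known_good + "' and '1'='1")
    false_resp = page(known_good + "' and '1'='2")
    if (true_resp == baseline and false_resp != baseline
            and false_resp[0] == "ok"):
        findings.append("boolean-based")
    return findings


if __name__ == "__main__":
    db = make_target()
    print("vulnerable:", probe(lambda v: vulnerable_search(db, v), "Widget"))
    print("hardened:  ", probe(lambda v: safe_search(db, v), "Widget"))
```

The boolean check is what makes blind injection detectable even when the site hides errors behind a generic page, which is the situation the Lab 1 overview describes; the error check alone would miss it. Against the parameterized endpoint both probes return an ordinary empty result, so nothing is reported.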
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Testing for SQL Injection Using WebCruiser Tool

WebCruiser - Web Vulnerability Scanner is an effective and powerful web penetration testing tool that will aid you in auditing your website. It has a Vulnerability Scanner and a series of security tools.

Lab Scenario
Detecting SQL injection attacks using the IBM Security AppScan tool was examined in depth in the previous lab. In this lab we will have a look at a real case scenario where SQL injection attacks were implemented to steal confidential information from banks. Albert Gonzalez, an indicted hacker, stole 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. He used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. He was charged in many different cases, in which the methods of hacking utilized were described as follows: Structured Query Language ("SQL") was a computer programming language designed to retrieve and manage data on computer databases. "SQL Injection Attacks" were methods of hacking into and gaining unauthorized access to computers connected to the Internet. "SQL Injection Strings" were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks. "Malware" was malicious computer software programmed to, among other things, identify, store, and export information on computers that were hacked, including information such as credit and debit card numbers and corresponding personal identification information of cardholders ("Card Data"), as well as to evade detection by anti-virus programs running on those computers.
As an expert security professional and penetration tester you should have a complete understanding of SQL injection attack scenarios, list high-risk components, and note entry points to start testing and exploring. Hence, as another aspect of SQL injection testing, in this lab you will be guided to test for SQL injection using the WebCruiser tool.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
You can download WebCruiser from http://sec4app.com/download
Note: WebCruiser can produce a time-consuming SQL sentence and get information from the response time.

TASK 1: Testing Web Application

Lab Objectives
The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities. In this lab, you will learn to:
- Perform website scans for vulnerabilities
- Analyze scanned results
- Fix vulnerabilities in web applications
- Generate reports for scanned web applications

Lab Environment
To carry out the lab, you need:
- WebCruiser, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser
- Run this tool in Windows Server 2012
- You can also download the latest version of WebCruiser from the link http://sec4app.com/download.htm
- A web browser with Internet access
- Microsoft .NET Framework Version 4.0 or later

Lab Duration
Time: 20 Minutes

Overview of Testing Web Applications
Web applications are tested for implementing security and automating vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and to employ multiple testing techniques.

Lab Tasks
1. To launch WebCruiser in your Windows Server 2012 host machine, navigate to D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser.
2. Double-click WebCruiserWVS.exe to launch it.
Scanning is not necessary for SQL Injection POC; you can launch POC by entering the URL directly, or launch it from the Scanner. WebCruiser supports:
- GET/POST/Cookie Injection
- SQL Server: PlainText/FieldEcho(Union)/Blind Injection
- MySQL/DB2/Access: FieldEcho(Union)/Blind Injection
- Oracle: FieldEcho(Union)/Blind/CrossSite Injection

WebCruiser Web Vulnerability Scanner for iOS is an effective and convenient web penetration testing tool that will aid you in auditing your website. WebCruiser can currently find the following web vulnerabilities:
- GET SQL Injection (Int, String, Search)
- POST SQL Injection (Int, String, Search)
- Cross Site Scripting (XSS)

It supports scanning a website as well as POC (Proof of Concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection, etc. So WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool.

FIGURE 3.1: WebCruiser main window

3. Enter the URL that you want to scan; in this lab we are scanning http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).

FIGURE 3.2: WebCruiser scanning a site

4. A software disclaimer pop-up will appear; click OK to continue.
System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed.

Software Disclaimer:
- Authorization must be obtained from the web application owner;
- This program will try to get each link and post any data when scanning;
- Backup the database before scanning so as to avoid disaster;
- Using this software at your own risk.
- Login as a legal user will help you find vulnerabilities to the most extent.
- But not login is better if you intend to scan the login/authentication page.
Continue?

FIGURE 3.3: WebCruiser Software Disclaimer pop-up

5. WebCruiser starts with the URL scan as shown in the following screenshot. It shows the Site Structure, and the table below it lists the vulnerabilities found.

FIGURE 3.4: WebCruiser scanning vulnerabilities

6. Right-click each of the vulnerabilities displayed in the scan result, and then you can launch SQL Injection POC (Proof of Concept).
It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection is one of the most common application layer attack techniques used today. There are many methods to get data in SQL Injection, but not all these methods are supported in an actual penetration test.

FIGURE 3.5: WebCruiser SQL Injection POC (Proof of Concept)

7. This will launch the SQL injection POC and fill the relevant fields. Click Get Environment Information.

FIGURE 3.6: WebCruiser SQL Injection POC Tool

8. It will display the environment information where the site is hosted.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: WebCruiser
Information Collected/Objectives Achieved: SQL Injection Detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how to speed up the scanning process and reduce the number of pages the IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required: Yes
Platform Supported: Classroom
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection

Testing for SQL Injection Using N-Stalker Tool

N-Stalker Web Application Security Scanner 2012 is a sophisticated Web Security Assessment Solution for your web applications. Incorporating the well-known "N-Stealth HTTP Security Scanner" and its 39,000 Web Attack Signature database along with a patent-pending component-oriented Web Application Security Assessment Technology, N-Stalker is a "must have" security tool for developers, system/security administrators, IT auditors and staff.

Lab Scenario
In the previous lab you examined how to use the WebCruiser tool to scan a website as well as to run a POC (Proof of Concept) for web vulnerabilities such as SQL injection. A few attackers perform SQL injection attacks based on an "error message" received from the server. If an error is returned by the application, the attacker can determine the entire structure of the database, and read any value that can be read by the account the ASP application is using to connect to the SQL Server. However, if an error message is returned from the database server complaining that the SQL query's syntax is incorrect, an attacker tries all possible True and False questions through SQL statements to steal data. As an expert security professional and penetration tester you should be familiar with the tips and tricks used in SQL injection detection. You must also be aware of all the tools that can be used to detect SQL injection flaws. In this lab you will learn to use the tool N-Stalker to detect SQL injection attacks in websites.
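The flaw these scanners probe for, and the two countermeasures the module names (prepared statements with bind variables, whitelist input validation), shown side by side in an added example that is not part of the CEH manual or of any of the tools it describes. It assumes an in-memory SQLite database with a constructed two-row users table, not the lab's realhome site, and labels the three outcomes (error, true, false) that the scenario above says an attacker can distinguish when the vulnerable form is used.

```python
"""Vulnerable string-built SQL beside the hardened bound-parameter form.

Added example for this lab manual; it is not code from the CEH manual or from
AppScan, WebCruiser or N-Stalker. It uses an in-memory SQLite database with a
constructed two-row users table (an assumption, not the lab's realhome site).
"""
import re
import sqlite3
from typing import Optional

# Constructed sample accounts; not taken from the lab environment.
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

# Whitelist for usernames: letters, digits and a few safe punctuation marks,
# bounded length. A quote or SQL metacharacter never reaches the query layer.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Login check built by string concatenation: the flaw the scanners in this
    module detect. Quotes and operators in the input become part of the SQL
    text, so a stray quote yields a database error and a tautology makes the
    WHERE clause true for every row."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bind variables (prepared statement): the input is always
    data, never SQL text, so quotes and keywords have no special meaning."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def username_is_valid(username: str) -> bool:
    """Whitelist input validation, the second countermeasure the manual names.
    Used in addition to binding, not instead of it."""
    return USERNAME_RE.fullmatch(username) is not None


def observe_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Label what a caller of the vulnerable function can observe for one input.
    These three distinguishable outcomes are what the lab scenario describes:
    an error message, or a True/False answer to a crafted condition."""
    try:
        row = login_vulnerable(conn, username, password)
    except sqlite3.Error:
        return "error"  # malformed statement: a verbose DB error leaks structure
    return "true" if row else "false"


def demo() -> None:
    """Walk through a normal login, an unbalanced quote and the textbook tautology."""
    conn = make_db()
    cases = [
        ("alice", "correct horse battery staple"),  # legitimate credentials
        ("o'brien", "x"),                            # unbalanced quote -> SQL error
        ("' OR '1'='1", "' OR '1'='1"),              # textbook tautology -> always true
    ]
    for user, pw in cases:
        print(f"input {user!r}: validated={username_is_valid(user)!s:5} "
              f"vulnerable={observe_vulnerable(conn, user, pw):5} "
              f"safe={login_safe(conn, user, pw)!r}")


if __name__ == "__main__":
    demo()
```

Running it shows the bound query returning a row only for genuine credentials while the concatenated query either errors or answers "true" for the crafted inputs, and the whitelist rejecting both crafted inputs before any query runs.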
Lab Objectives
The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities. In this lab, you will learn to:
- Perform website scans for vulnerabilities
- Analyze scanned results
- Fix vulnerabilities in web applications
- Generate reports for scanned web applications

You can download N-Stalker from http://www.nstalker.com/products/editions/free/download
Founded upon the U.S. Patent Registered Technology of Component-oriented Web Application Security Scanning, N-Stalker Enterprise Edition allows for assessment of Web Applications.
N-Stalker Web Application Security Scanner 2012 Enterprise Edition provides the most complete and effective suite of Web Security assessment checks to enhance the overall security of your Web Applications against a wide range of vulnerabilities and sophisticated hacker attacks.

TASK 1: Testing Web Application

Lab Environment
To carry out the lab, you need:
- N-Stalker, located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\N-Stalker Web Application Security Scanner
- Run this tool in Windows Server 2012
- You can also download the latest version of N-Stalker from the link http://www.nstalker.com/products/editions/free/download
- A web browser with Internet access
- Microsoft .NET Framework Version 4.0 or later

Lab Duration
Time: 20 Minutes

Overview of Testing Web Applications
Web applications are tested for implementing security and automating vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and to employ multiple testing techniques.

Lab Tasks
1. To launch N-Stalker, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 4.1: Windows Server 2012 Desktop view

2. Click the N-Stalker Free 2012 app to launch it.
N-Stalker also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application's SDLC, including the ability to control information exposure, development flaws, infrastructure issues and real security vulnerabilities that can be explored by external agents.
Web Security Intelligence Service (WSIS) is provided by N-Stalker Labs and will ensure you always get the latest updates available for N-Stalker Web Application Security Scanner as well as for its attack signature database. New 0-day exploits and common vulnerabilities will be added on a daily or weekly basis, giving you the ability to scan your Web Server infrastructure periodically against the latest threats.
System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.

FIGURE 4.2: Windows Server 2012 Start menu Apps

3. Click the Update button to update the N-Stalker database in the main window of N-Stalker as shown in the following screenshot.

FIGURE 4.3: N-Stalker main window

4. A software disclaimer pop-up will appear. Click OK to continue.

FIGURE 4.4: N-Stalker Free Edition pop-up

5. N-Stalker will start updating the database; it will take some time to update.
To run N-Stalker Web Application Security Scanner appropriately, there are minimum requirements to be met:
- 128 MB RAM (available to N-Stalker)
- At least 500 MB hard disk free space (caching purposes)
- Win32 platform (Win 2000, XP, 2003, or Vista and later)
- Internet connection to download N-Stalker database/software updates
You may modify N-Stalker's cache options to avoid web pages being permanently stored on your hard disk. This might be useful to preserve disk space on large assessments.

FIGURE 4.5: N-Stalker database updating status

6. After updating is complete, click Start to start a new scanning session.

FIGURE 4.6: N-Stalker database updated

7. In N-Stalker Scan Wizard, enter the URL as http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).
8. Set the Scan Policy as OWASP Policy, and click Next.
FIGURE 4.7: N-Stalker Choosing URL and Policy

To run N-Stalker Scanner from the command line, you will need a scan session file. Scan session files contain policies, host information and the specific configuration needed to run the entire session.

9. Click Yes in the URI Restriction Found pop-up to continue.

N-Stalker HTTP Brute Force tool does what the name says. It is an HTTP authentication brute force tool that works by taking a web macro and attempting to run a series of authentication requests to obtain valid credentials (you may provide your own user and password list).

URI Restriction Found: You have provided the following page/directory pattern: [/realhome/]. Do you want to restrict your scan to the above directory only?

FIGURE 4.8: N-Stalker URI Restriction Found pop-up

10. In Optimize Settings, click Next to continue.

N-Stalker Web Proxy is a combination of web proxy and HTTP inspection tool. It includes full Web Proxy support (for external browsers) along with an event-driven interception mechanism that allows you to inspect HTTP communications (even SSL) based on keyword matching.

FIGURE 4.9: N-Stalker Optimize Settings

11. Click Yes in the Optimize Settings pop-up.
The term "GHDB" was allegedly coined by Johnny Long, who started to maintain a number of "google-based" queries that would eventually reveal security flaws in websites (without one having to scan the site directly for that vulnerability).

Settings Not Optimized: You haven't optimized your scan settings yet, but we strongly recommend you to do that. Do you want to continue anyway?

FIGURE 4.10: N-Stalker pop-up

12. On the Review Summary tab, click Start Session to continue.

This is a string encoding tool which is useful to encode/decode data in multiple formats used by Web Applications.

FIGURE 4.11: N-Stalker Review Summary

13. The N-Stalker Free Edition pop-up displays a message. Click OK to continue.

This is a Web Server Discovery tool which will attempt to discover HTTP servers and fingerprint them to obtain their platform version. It might run based on a file list or IP range.

N-Stalker Free Edition has a restriction to crawl only the first 500 pages within the same scan session. For more information about our Commercial Edition, please contact us: E-mail: sales@nstalker.com Phone: +55-113675-7093 (GMT-0300)

FIGURE 4.12: N-Stalker Free Edition pop-up

14. Click Start Scan after completing the configuration of N-Stalker.
Google Hacking Database (GHDB) Tool is a unique application that will allow you to search for "google-like" queries within saved spider data. In N-Stalker, GHDB Tool can be invoked by clicking on the "GHDB Tool" button under "Miscellaneous Tools".
HTTP Load Tester is a performance tester tool. It will run a Web Macro on a concurrent basis (up to you to decide how many instances) and will provide a report on the number of connection failures and successes.
Macro Recorder is a tool to manage "Web Macros" within N-Stalker Web Application Security Scanner.

FIGURE 4.13: N-Stalker Start Scan wizard

15. You can view scanning details as shown in the following screenshot.

FIGURE 4.14: N-Stalker Start Scan status

16. N-Stalker will scan the site with four different methods.

FIGURE 4.15: N-Stalker scanning methods

17. In the left pane, the Website tree displays the pages of the website.
A "Web Macro" is a user-provided navigation script that is usually recorded using a web browser and a web proxy tool. Macro Recorder allows you to insert manual URLs as well, and you must choose between an authentication or a navigation macro.

FIGURE 4.16: N-Stalker Website Tree

18. In Results Wizard, select the relevant options as shown in the following screenshot and click Next.

An authentication Web Macro is used to authenticate N-Stalker against Web Forms or any other user-interaction-based authentication.

Results Wizard: Scan Session has finished successfully. N-Stalker found 12 vulnerabilities. Session Management Options: Save scan results / Discard scan results. Next Steps: Close scan session and return to main screen. Total Vulnerabilities: High 0, Medium 0, Low 2, Info 10.

FIGURE 4.17: N-Stalker Results Wizard

19. N-Stalker displays the summary of vulnerabilities. Click Done.

As applications provide both a means to login and logoff, Authentication Macros have a "logout detection" control that can be configured to prevent accidental logoff.
A navigation Web Macro is used to provide a specific path within the application to be followed by N-Stalker's spider engine.
When you are generating reports, N-Stalker allows you to customize the template and data that will be used to generate the final report. Both executive and technical reports allow for that customization.
These macros can use any URLs and will not be prevented from calling external services within N-Stalker's spider engine.

Results Wizard summary (Application Objects): Total Web Pages, High Vulnerabilities, Medium Vulnerabilities, Low Vulnerabilities, Info Vulnerabilities, Total Hosts Found, Total HTTP Cookies, Total Directories Found, Total Web Forms Found, Total Password Forms, Total E-mails Found, Total Client Scripts. Your request has been successfully processed. Total Vulnerabilities: High 0, Medium 0, Low 2, Info 10.

FIGURE 4.18: N-Stalker Summary

20. You can view the complete scan results of the URL in the main dashboard of N-Stalker.

FIGURE 4.19: N-Stalker Dashboard

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: N-Stalker
Information Collected/Objectives Achieved: Scan session successfully processed with 12 vulnerabilities detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how to speed up the scanning process and reduce the number of pages the IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.

Internet Connection Required: Yes
Platform Supported: Classroom
