3. Gaining access
The next step is gaining access to the web application, database or the server itself, using a selection of the following attacks: cross-site scripting XSS, SQL injections, command injections, cookie/session poisoning, parameter/form tampering, buffer overflow, authentication hijacking, obfuscation attack, platform exploits, application exploits, brute force attacks and web services exploits.
Step 1: Software exploits
Ethical hacker: "As I'm focusing on information leaks and unauthorised access, I'll concentrate on application exploits, SQL injections, form manipulation and XSS. I'll start with the software I know has been installed and check for exploits.
● Vbulletin 3.8.6 exploit – lots of them, XSS, remote execution and SQL injections.
● phpmyadmin 3.2.5 exploit – nothing there but I could try a brute force if all else fails.
● Joomla 1.5 – lots of different exploits available.
Let's have a look at the websites on the server. I identify five hosts and two subdomains.
"Nothing special on the first two, just static pages. There are a couple of forms on the others that I'll check later. Then there are the subdomains, Shop and Chat. Shop is an ecommerce application. I can't identify it, so it must be written in-house.
Chat takes me to a login page for Crafty Syntax Live Help Login version 2.12.6. I've never heard of this one, so I Google it. Okay, looks genuine: the latest version is 2.16.8! I look at the change log. Version 2.12.6 was released on 16 November 2005. I can see from the installation notes that the default user is admin and a quick search lists SQL injections that can reveal the username and passwords."
SECURITY BASICS: The General Security guidelines of open source info site dev.mysql.com are a good place to start for the basics of securing your site
Countermeasures: Your main defence here is keeping installed software up to date. This may not always be easy if you've made modifications from the default installation. However, it's a necessity. Removing all traces of the version number will help to deter the hacker, but not necessarily prevent an attack.
Another measure worth considering is restricting access to administration logins by IP address. This can be done with Apache by the htaccess and on IIS in the Internet Services Manager. If you can't do this, you could write a script that blocks an IP address after three failed login attempts.
Step 2: Form manipulation
Ethical hacker: "I'm now ready to move on to form manipulation, XSS and SQL injection. I'll concentrate on the custom-built ecommerce software. I'm going to use Paros Proxy to intercept the forms I fill in and discover hidden fields.
I register first: it all seems basic, so I'll check for SQL injections next. Now it's time to buy something. I choose the red one at £159 and click through to the checkout. The fields I've got include product name, code, description, quantity and cost.
There's also a hidden field called promo. I reckon this will be used for some discount when called from another script. I change it to a 1 and the cost to £99, then submit it. It goes to a third-party payment provider and I have a 10 per cent discount from £99. Result!"
Countermeasures: Any form submitted from the browser can be tampered with. Even JavaScript that does input validation can be bypassed once the data is submitted. To prevent this, all form validation should be done on the server. Use a standard input validation mechanism to validate all input data for length, type, syntax and business rules before accepting the data to be displayed or stored.
Step 3: SQL injections
Ethical hacker: "Now let me check the registration page and login for SQL injections. First I log in, entering my email address and password. There's a bit of JavaScript that's checking for a valid email address, so I'll have to use Paros Proxy again to bypass this. I don't have any luck, so I move on to the registration page. I'll use SQLMAP for this as there are six fields to check.
I get an error code: 'Microsoft OLE DB Provider for OBDC Drivers error. [MySQL][ODBC 3.51 Driver][mysqld-5.0.67- community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1','2/5/2010 11:00:49 AM',''','','yes','yes')' at line 1'.
"Interesting – MySQL on Windows. This is the server I scanned earlier with a filtered 3306 port. It looks like the input validation hasn't detected the single quotes correctly. Now I can craft a SQL select statement to gather the table structure and some database content. I can see that the MySQL user is called mysql and that they don't have FILE permissions, which means I can't read or write files."
Countermeasures: SQL injections are number two on OWASP's top 10 application vulnerabilities. This is because there are many ways to use them.
SQL injection is a method of running SQL code that's appended to user input and run against the SQL server (for example MSSQL, MySQL or Oracle). As web applications are becoming more complex, the scope for SQL injections is increasing.
A simple test to try is to put a single quote (') character in the input. Single quotes are interpreted as field delimiters, between code and data. By inputting a single quote you're testing for the correct handling of invalid input. However, simply validating input for single quotes isn't enough. Attackers can also manipulate HTTP requests and substitute values using a proxy server.
Error messages can also provide a wealth of information if the developers haven't written the code to handle this correctly. By manipulating input, error messages can be generated that give away column names and table names. Even drop-down lists can be manipulated by the use of a proxy.
And finally, insecure database configurations such as default usernames, passwords, privileges and permissions all help an attacker. When creating new database users, it's easy to just grant all privileges. This should be avoided. Only grant the minimum necessary for the user to perform their tasks.
Change the default username from root. Most attackers look for the root user as it's the most powerful user. If you rename it to some innocuous user, it will be more difficult for the attacker to gain full privileges.
IN THE FRAME: Open source penetration testing framework Metasploit is the ethical hacker's best friend
Step 4: XSS
Ethical hacker: "Now for some XSS. The forum software was old and vulnerable to some XSS. Let me investigate a little further. Okay, I can inject some code so that when someone reads my post it will execute JavaScript that will email me their cookies. Hopefully it will be the administrator so that I can log in as him."
Countermeasures: Start by assuming that all input is malicious. You must check for input type, length, format and range. Remember that this must be done on the server, as the attached can alter any data sent to the server.
Step 5: Exploiting vulnerabilities
Ethical hacker: "I know the major version numbers of Apache, Sendmail, MySQL and IIS. There's not been a major exploit for Apache, Sendmail or MySQL for a while now. But IIS is version 6 and that will be my target. I'll use Metasploit, as that comes with all the vulnerability checks built in.
I give it the IP, select the exploit for IIS6 and then select the payload. I'll go for a command prompt. Launch and result! CMD.EXE on the Windows server. Easy. Now that I'm on the Windows server, I'll be able to connect to the Linux server from the internal trusted network and try a few more attacks."
Hopefully I haven't scared you too much here, but given you an insight into how straightforward it is to exploit unprotected sites and servers. There are numerous resources to help you understand the risks and protect yourself, so check these out. Forewarned is forearmed!
