Hacklab Security Solutions - Jameswoodsadaptingblog.files.wordpress


Hacklab Security Solutions
WEB APPLICATION PENETRATION TEST
James Wood
CMP319: Ethical Hacking 2
BSc Ethical Hacking Year 3
2020/21

CMP319 – Coursework 1: You should include Introduction, Procedure and Results, References Part 1 and Appendices part 1.
CMP319 – Coursework 2: You should include Abstract, Discussion, References Part 2 and Appendices part 2.

Note that information contained in this document is for educational purposes.

ABSTRACT
Hacklab Security Solutions has requested that a penetration test be conducted on their web application, which is used to sell security surveillance hardware to companies and clients. The website is live and in active use, so a virtual copy was supplied to the pen tester to avoid any interruption to the live site.

The OWASP web application penetration testing methodology was used to probe the web application and assess the integrity of the website's security. These tests are documented throughout the report to show the processes used, the results obtained and the countermeasures that should be implemented.

After the web application was tested it was discovered that the website has some serious issues and must be taken down immediately to avoid any risk of customer and employee data being compromised. Countermeasures must be considered and implemented before the website would be fit to be online again.

CONTENTS
1 Introduction . 1
1.1 Background . 1
1.2 Aim . 1
2 Procedure and Results . 2
2.1 Overview of Procedure . 2
2.2 Information Gathering . 2
2.3 Configuration and Deployment Management Testing . 3
2.3.1 Fingerprint Web Server . 3
2.3.2 Review Webserver Metafiles for Information Leakage . 3
2.3.3 Enumerate Web Applications on Web Server . 4
2.3.4 Review Webpage Comments and Metadata for Information Leakage . 4
2.3.5 Identify Application Entry Points . 5
2.3.6 Map Execution Paths Through Application . 5
2.3.7 Fingerprint Web Application Framework . 6
2.4 Identity Management Testing . 6
2.4.1 Test Network/Network Configuration . 6
2.4.2 Test Application Platform Configuration . 6
2.4.3 Testing the File Extensions for Sensitive Information . 7
2.4.4 Review Old Backup and Unreferenced Files for Sensitive Information . 7
2.4.5 Enumerate Infrastructure and Admin Interfaces . 7
2.4.6 Test HTTP Methods . 8
2.4.7 Test File Permissions . 8
2.5 Authentication Testing . 9
2.5.1 Test Role Definitions . 9
2.5.2 Test User Registration Process . 9
2.5.3 Test Account Provisioning Access . 10
2.5.4 Testing for Account Enumeration and Guessable User Account . 10
2.5.5 Testing for Weak or Unenforced Username Policy . 11
2.6 Authorization Testing . 11
2.6.1 Testing for Credentials Transported over an Encrypted Channel . 11
2.6.2 Testing for Default Credentials . 11
2.6.3 Testing for Weak Lockout Mechanism . 11
2.6.4 Testing for Bypassing Mechanism Schema . 11
2.6.5 Testing for Vulnerable Remember Password . 12
2.6.6 Testing for Browser Cache Weaknesses . 12
2.6.7 Testing for Weak Password Policy . 13
2.6.8 Testing for Weak Security Question Answer . 13
2.6.9 . 14
2.6.10 Testing for Weak Password Change or Reset Functionalities . 14
2.7 Session Management Testing . 14
2.7.1 Testing for Bypassing Authorization Schema . 14
2.7.2 Testing for Bypassing Session Management Schema . 14
2.7.3 Testing for Cookies Attributes . 14
2.7.4 Testing for Session Fixation . 14
2.7.5 Logout Functionality . 15
2.7.6 Test Session Timeout . 15
2.7.7 Testing for Session Puzzling . 15
2.7.8 Testing for Stored Cross Site Scripting . 15
2.7.9 Testing for SQL Injection . 16
2.7.10 Testing for Local File Inclusion . 17
2.7.11 4.7.8 Testing for Incubated Vulnerability . 18
2.8 Input Validation Testing . 19
2.8.1 4.8 Error Handling . 19
2.9 Testing for Weak Cryptography . 20
2.9.1 4.9 Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection . 20
2.10 Business Logic Testing . 20
2.10.1 Test Upload of Unexpected File Types . 20
2.10.2 Test Upload of Malicious Files . 21
3 General Discussion . 22
3.1 Countermeasures . 24
3.2 Future Work . 25
References part 1 . 26
References part 2 . 28
Appendices part 1 . 29
Appendix A – Info.php . 29
Appendix B – Spider of Website . 87
Appendix C – TLS Scan . 92
Appendix C – SQLMAP Console . 99
Appendix D – TLS Scan . 105
Appendix E – Reverse Shell Screenshots . 109
3.2.1 Appendix E1: Reverse shell (Shell.php) Contents . 110
3.2.2 Appendix E2: Reverse Shell location in Products.php . 110
3.2.3 Appendix E3: Location of shell on Server . 111
3.2.4 Appendix E4: Shell located on website . 111
3.2.5 Appendix E5: Burpsuite setup . 112
3.2.6 Appendix E6: Shell working on server . 113
Appendix F – Out of Scope Databases . 113
Appendix G – Reverse Shell ls dump . 114
Appendices part 2 . 117

1 INTRODUCTION

1.1 BACKGROUND
Hacklab Security Solutions is a Dundee based surveillance and security company whose target market is selling and installing cameras for the protection of property. Operating online with a functioning login system allows clients to message store staff and see live announcements, and being able to browse products while seeing more in-depth product information meets many of a client's needs when buying surveillance equipment.

The test is being carried out to determine whether there are any security risks associated with the website's standard functionality as well as all of the backend configuration; this will allow the client to secure the website for customers as well as for their colleagues.

A study from Agnes Talalaev of WebARX describes the condition of the climate of online hacking in 2019 by saying "there is an attack every 39 seconds on average on the web and the non-secure usernames and passwords that are being used give attackers more chance of success." This post is a prime example of how important website integrity is when attacks and the success rates of hackers are constantly causing problems for the web. The internet allows everything to be stored in one place, but this has led to people manipulating information for their own gain in the modern world of IT. It is important that the world is aware of these issues before more people fall victim to any form of cyber-attack.

1.2 AIM
This paper aims to convey and demonstrate any security issues currently present on the Hacklab Security Solutions website. By following through with a web application penetration test, the tester will be able to analyse and find any vulnerabilities and report them, with countermeasures, in this report.

The tester was supplied with a virtual machine snapshot of the website, which allows the client and customers to operate the website without issue. This method will not produce fewer errors than the live website, but it allows the tester to work in a controlled state with a snapshot of the website taken just before testing began.

Using the OWASP Web Application Security Testing Methodology and a standard account provided by the client, a series of tests were conducted following the methodology structure to prevent the tester missing any steps. This report will display the impact of the tests and how they were carried out.

2 PROCEDURE AND RESULTS

2.1 OVERVIEW OF PROCEDURE
Using the OWASP Web Application Methodology made it possible to cover all points that should be tested on the website in an effective and structured manner. Because of the level of detail in the OWASP methodology, some parts of it were omitted due to the testing conditions the client had given. Non-applicable sections have been marked "N/A".

The OWASP Web Application Methodology covers the following sections:
1. Information Gathering - mapping the website architecture and spidering while discovering entry points.
2. Configuration and Deployment Management Testing - testing network configuration as well as unreferenced files and HTTP methods.
3. Identity Management Testing - testing role definitions and account functions/features.
4. Authentication Testing - testing login screen mechanisms and functionality.
5. Authorization Testing - testing the authorization of the website and privilege escalation.
6. Session Management Testing - testing session management and cookies.
7. Input Validation Testing - testing the input validation on key features of the website and using SQL injection.
8. Error Handling - testing how the website handles errors.
9. Testing for Weak Cryptography - testing the TLS certificate and weak encryption.
10. Business Logic Testing - testing the logic of the website structures through unidimensional means.
11. Client-Side Testing - N/A

2.2 INFORMATION GATHERING
Following the OWASP methodology, the first area covered was active reconnaissance: discovering and spidering/mapping all pages of the website that I could access, even those unreachable through the website's own navigation.

2.3 CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING

2.3.1 Fingerprint Web Server
Using httprint we discovered that the web server being run is Apache 2.4.29, and this is what is used for all the storage purposes of the website.

httprint is a tool that fingerprints the web server and discovers the version of web server software the target is using. This is used to discover weaknesses in the web server version a target is running, and also for documentation reasons.

Figure 1 Httprint input for 192.168.1.20
Figure 2 Httprint output of server type for the website

2.3.2 Review Webserver Metafiles for Information Leakage
Robots.txt is a file used to inform web crawlers which pages can and cannot be accessed. It is a common place for a target to have file paths that are not visible on the live version of the website, and so a common place for attackers to start looking for vulnerabilities to abuse. On the target's website it only listed an Info.php file containing standard information about the website, including server versions, the system and the document root path of /opt/lamp/htdocs/studentsite.

Figure 3 Robots.txt

2.3.3 Enumerate Web Applications on Web Server
Nmap is an open source network scanner that allows the user to enumerate the target's server configuration, displaying details such as open ports, what the ports are for, and database hosts depending on the website's configuration. This tool is very commonly used to retrieve back-end information that can play a massive role in finding vulnerabilities. After reviewing the client's Nmap scan it was discovered which ports were open and the versions of all the services the website is using.

Figure 4 Nmap scan for 192.168.1.20 showing details of the site

2.3.4 Review Webpage Comments and Metadata for Information Leakage
Checking the comments in web pages can sometimes reveal leaked sensitive information. Comments are often left by developers for reference when making changes to old code, so a data leak through comments is common. On the client's website no data was found to be leaked through comments in the code.

2.3.5 Identify Application Entry Points
GET and POST requests are what websites use to request and send data between the server and the client. GET is usually used to request data from the target source, whereas POST is where the client inputs data and sends it to the server. We check these requests to see if we can manipulate the POST system to send data to the server that gives us information or control from the back end of the website.

GET requests are present on all pages. POST pages are the ones that allow the user to input and change data on the site, such as a password or profile picture; these are apparent on the account pages and login screens for clients, and on the user pages for admins.

2.3.6 Map Execution Paths Through Application
Mapping the application is a common web app pen testing method as it gathers all the web pages the website offers, and lets the tester see paths that would be unknown without guessing common paths.

Using the spidering function of OWASP ZAP, we discovered a few new pages of interest as well as a loophole into the back end of the website with access to users, details of the users, emails and password hashes, and private messages from an admin account. A website wireframe was made to allow easy navigation of the website.

Figure 5 Website map diagram

2.3.7 Fingerprint Web Application Framework
Fingerprinting the web application framework allows the tester to identify key components of the website. The command used here was curl.

Figure 6 Curl output

2.4 IDENTITY MANAGEMENT TESTING

2.4.1 Test Network/Network Configuration
Looking at the network we discovered that it is running on Apache 2.4.29, which is used for all storage purposes of the site. Although this is relevant, there are not really any vulnerabilities in it that can be used for access. After research, this version of the server is known to have vulnerabilities relating to:
1. Scripting
2. Stack buffer overflow
3. DoS (Denial of Service)

2.4.2 Test Application Platform Configuration
Platform configuration is important to the website as it allows the company to see when users are logging out of the system, and is common on most websites. Attackers may check these log files to find out whether they leak any information.

SQLMAP is a tool commonly used to examine databases and the tables associated with a website. It can also enumerate password hashes stored in those tables if needed, which is why the tool is commonly used, with consent, to test the security of a website.

The comment review earlier found nothing of relevance in the comments, but the system logs discovered through SQLMAP showed when users logged in and out of the website, with dates and times, in the database tables called logout History and Logoutserver history.

2.4.3 Testing the File Extensions for Sensitive Information
Looking at file extensions, the .sql files were found using SQLMAP and output to files for viewing, and file validation was only applied on some POST points of the server. An admin could post any file to the Products.php page, and clients could do so through the comments page, which allowed us to obtain a reverse shell, covered later.

2.4.4 Review Old Backup and Unreferenced Files for Sensitive Information
Nikto is a command line vulnerability scanner that scans the website for old versions of software and data leaks in database configurations, and prints all cookies received.

Using Nikto I was able to scan for old or unreferenced files and discovered multiple things. First, the web server has MultiViews enabled, which allows attackers to brute force filenames with no risk attached. On further investigation it was also discovered that many of the applications in use are out of date, which allows attackers to use now-patched attacks against the old versions and cause serious issues. Furthermore, the website also displays database IDs and passwords in plaintext in admin/config.php. Other issues found suggest that the site is also vulnerable to XSS.

Figure 7 Nikto output

2.4.5 Enumerate Infrastructure and Admin Interfaces
Enumerating the infrastructure and admin interfaces is the process of checking how the admin page configuration is set up: looking at the design and layout, could there be any sort of data manipulation from these parts? It is also the process of testing the website to see if unauthorized access is available.

From the spidering done earlier I discovered a loophole into the back end of the website by simply entering the path ./admin/ADMIN, which gives access to the admin dashboard and other pages containing sensitive information about the company as well as client information. Apart from this, if you wanted to edit anything it will in fact send you back to the admin login.
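The loophole described here (and revisited in 2.6.4 and 2.7.1) is that only the "edit" actions check for an admin session, while the dashboard and listing pages are reachable by path alone. The following is an added example, not code from the report or from the Hacklab site, showing that pattern beside the fix: one authorization check applied to every normalised path under /admin/ before any handler runs. The route names, the session layout and the redirect strings are assumptions made for the illustration.

```python
"""Added example (not from the report): gate every admin route, not just edit actions.

Assumptions: a session dict carrying a "role" key, the route names below,
and that "./admin/ADMIN" is served as "/admin/ADMIN" after normalisation.
"""
import posixpath
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)   # e.g. {"user": "benjie", "role": "admin"}

# Constructed handlers standing in for the real pages.
def login_form(req):     return "admin login form"
def dashboard(req):      return "admin dashboard: orders, assets, customers"
def customers(req):      return "customer management: emails and details"
def edit_customer(req):  return "customer edited"

ADMIN_ROUTES = {
    "/admin/login": login_form,
    "/admin/ADMIN": dashboard,
    "/admin/customers": customers,
    "/admin/customers/edit": edit_customer,
}
PUBLIC_ADMIN_PATHS = {"/admin/login"}     # the only admin path reachable without a session
LOGIN_REDIRECT = "302 -> /admin/login"

def normalize(path: str) -> str:
    """Collapse "./" and "../" segments so the prefix check sees the real target."""
    return posixpath.normpath("/" + path.lstrip("/"))

def is_admin(req: Request) -> bool:
    return req.session.get("role") == "admin"

def dispatch_vulnerable(req: Request) -> str:
    """Mirrors the reported behaviour: only edit actions look for an admin session."""
    path = normalize(req.path)
    handler = ADMIN_ROUTES.get(path)
    if handler is None:
        return "404"
    if path.endswith("/edit") and not is_admin(req):
        return LOGIN_REDIRECT
    return handler(req)           # dashboard and listings render for anyone

def dispatch_fixed(req: Request) -> str:
    """Deny-by-default: anything under /admin/ needs an admin session first."""
    path = normalize(req.path)
    if path.startswith("/admin/") and path not in PUBLIC_ADMIN_PATHS and not is_admin(req):
        return LOGIN_REDIRECT
    handler = ADMIN_ROUTES.get(path)
    return "404" if handler is None else handler(req)

if __name__ == "__main__":
    print("vulnerable:", dispatch_vulnerable(Request("./admin/ADMIN")))
    print("fixed:     ", dispatch_fixed(Request("./admin/ADMIN")))
```

The check lives in the dispatcher rather than in each page, so a new admin page cannot be shipped without it; normalising the path first means a request written as ./admin/ADMIN or /admin/../admin/ADMIN is gated the same way as /admin/ADMIN.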

2.4.6 Test HTTP Methods
Testing the HTTP methods allows the tester to check what functions can be performed on the server. Running "nmap -p 80 --script http-methods 192.168.1.20" gave an output of the HTTP methods enabled on the website, which are GET, HEAD, POST and OPTIONS.

Figure 8 HTTP method output

2.4.7 Test File Permissions
After looking at the file permissions it appears that the back end has receipt functionality that allows a client to view an e-receipt after an order, but it is only available to that client. On the admin dashboard there is an orders spreadsheet as well as an assets table that are supposed to be accessible only by admins but can be seen through the loophole discussed earlier. From what I have gathered there are two roles, customer and admin, but there are 4 levels of admin privilege:
1. Advertising Admin
2. Asset Admin
3. Online Ordering Admin
4. Super Admin

Figure 9 Roles of access

2.5 AUTHENTICATION TESTING

2.5.1 Test Role Definitions
Checking the role definitions allows the tester to check what levels of role are present on the server. It was confirmed that there are 4 different levels of admin on the server as well as a standard client role for people who register and join the website through the registration process.

2.5.2 Test User Registration Process
Checking the user registration process allows the tester to see the sort of information the website is storing, as well as how complex the website requires passwords to be against brute forcing.

After testing, the registration process is not great. The website does not check for a properly structured password, and the only email format check is the presence of an @ in the email. This can allow anyone to access the website. The only validation on this site, other than the email containing an @ and the password being between 7 and 14 characters, is that it requires something in the other boxes and a date of birth that makes you over the age of 18.

Figure 10 Registration page

2.5.3 Test Account Provisioning Access
As for the provisioning of users, admins are only able to add, edit and delete users and have no way to verify users. An admin also cannot alter other admins. During the registration process there are no signs of verification that would lead me to think there is enough provisioning to stop hackers trying to manipulate the system.

2.5.4 Testing for Account Enumeration and Guessable User Account
Looking at the user validation lets us check whether any usernames or passwords can be deciphered from the login screens; these are the results:

Login screen
From playing with the user login screen, the only error given is the standard "incorrect username and password" error.

Admin login
On the admin login screen the only error given is also the standard "Please check your username or password".

2.5.5 Testing for Weak or Unenforced Username Policy
After looking at the website I discovered that clients only have their email displayed, whereas admins have usernames for the website such as Benjie OOS and Admin. This means client accounts always display the user's email when logged into the website.

2.6 AUTHORIZATION TESTING

2.6.1 Testing for Credentials Transported over an Encrypted Channel
Using OWASP ZAP we discovered that the hashes are encrypted under Rot13 (Base64 encode). We now also know that if we want to craft our own cookie, we would need to use this encoding method.

Figure 11 Cookie encryption

2.6.2 Testing for Default Credentials
Testing the default credentials through the login system, we found that usernames can be enumerated by brute forcing the username field, because an incorrect username returns "Username not found" whereas a correct username returns "incorrect username or password". Using the usernames discovered earlier, we also found that the other client accounts visible on the admin Customer Management page are in fact active accounts that could be accessed if we wanted to do so.

2.6.3 Testing for Weak Lockout Mechanism
Testing the website, there is no lockout mechanism present. This is bad because an attacker who has a valid email can then brute force the password at will, allowing an attacker with malicious intent into any account they can get into.

2.6.4 Testing for Bypassing Mechanism Schema
As described earlier, we can get into the admin index page by entering the ./admin/ADMIN path, but if you try to edit anything you are then prompted to sign in at the admin page. From this page we can access the Customer Management, Assets and Ordering pages.
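Sections 2.6.2 and 2.6.3 describe two weaknesses that sit in the same login handler: a different error for unknown usernames, and no lockout. The block below is an added example, not code from the report or the Hacklab site, that puts a handler with the reported behaviour beside a hardened one. The hardened version returns a single generic message, spends the same hashing work on unknown users so response time does not differ, uses a constant-time comparison, and locks an account after repeated failures. The user store, the accounts in it, the thresholds and the use of PBKDF2 (the site stored MD5) are assumptions for the illustration.

```python
"""Added example (not from the report): uniform login errors plus a failure lockout.

Assumptions: users are keyed by email, passwords are stored as PBKDF2-SHA256
with a per-user salt, and lockout state is kept in memory. The accounts are
constructed for the demo and are not real.
"""
import hashlib, hmac, os, time
from collections import defaultdict

GENERIC_ERROR = "Incorrect username or password"
MAX_FAILURES = 5          # assumption: five wrong guesses trigger a lockout
LOCKOUT_SECONDS = 900     # assumption: fifteen-minute lockout
PBKDF2_ROUNDS = 100_000   # kept modest for the demo; production should go higher

def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Return (salt, derived key). A random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store: email -> (salt, derived key).
USERS = {email: hash_password(pw) for email, pw in [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "hunter2!hunter2!"),
]}
# Dummy credential so an unknown email still costs one PBKDF2 computation.
_DUMMY_SALT, _DUMMY_KEY = hash_password(os.urandom(16).hex())

def login_vulnerable(email: str, pw: str) -> tuple:
    """Mirrors the reported behaviour: a distinct message reveals whether the account exists."""
    if email not in USERS:
        return (False, "Username not found")
    salt, stored = USERS[email]
    if hash_password(pw, salt)[1] == stored:       # plain == is not constant-time either
        return (True, "ok")
    return (False, GENERIC_ERROR)

failures = defaultdict(lambda: [0, 0.0])           # email -> [failure count, locked_until]

def login_fixed(email: str, pw: str, now: float = None) -> tuple:
    """One message for every failure; lockout after MAX_FAILURES within the window."""
    now = time.time() if now is None else now
    count, locked_until = failures[email]
    if now < locked_until:
        return (False, GENERIC_ERROR)               # locked: same message, no hint
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_KEY))
    derived = hash_password(pw, salt)[1]            # always computed, known user or not
    if email in USERS and hmac.compare_digest(derived, stored):
        failures.pop(email, None)                   # success clears the counter
        return (True, "ok")
    count += 1
    if count >= MAX_FAILURES:
        locked_until = now + LOCKOUT_SECONDS
    failures[email] = [count, locked_until]
    return (False, GENERIC_ERROR)

def is_locked(email: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    return now < failures[email][1]
```

Two design points worth noting for a site like the one under test: a per-account lockout can itself be used to deny a legitimate user service, so production deployments usually pair it with per-source rate limiting and an audit log of failed attempts; and the generic message must also be used on the password-reset and registration paths, otherwise the account list leaks there instead.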

Figure 12 ./admin/ADMIN path that allows back end access to the website

2.6.5 Testing for Vulnerable Remember Password
The website does not have a remember me function, but I am aware that the cookies contain the hashed username and password in Rot13 (Base64) and MD5, and so a cookie could be crafted for us to use our own.

Figure 13 No remember login function

2.6.6 Testing for Browser Cache Weaknesses
After testing the login caches of the website, we discovered they are using the correct header of max-age=0, which revalidates the response from the server but does NOT cache the data inputted. For admin.php the header is the same.
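Sections 2.6.1 and 2.6.5 both concern the cookie that carries the user's identity and password hash wrapped in Rot13 over Base64. The block below is an added example, not code from the report or the Hacklab site. Its first part reverses that wrapping to show it is a keyless encoding that anyone holding the cookie can undo; its second part shows the usual replacement: a random opaque session id, the user record kept server-side, and an HMAC tag so that a client cannot construct or alter a cookie. The cookie layout, the sample value and the secret key are constructed for the illustration.

```python
"""Added example (not from the report): Rot13/Base64 is reversible encoding; use signed opaque session ids.

Assumptions: the weak cookie is rot13(base64(plaintext)); the hardened cookie is
"<session id>.<hmac-sha256 tag>" with the record stored server-side.
"""
import base64, codecs, hashlib, hmac, secrets

def decode_rot13_base64(cookie_value: str) -> str:
    """Undo rot13(base64(plaintext)). No key is involved, so any holder can do this."""
    b64 = codecs.decode(cookie_value, "rot_13")     # rot13 leaves digits, '+', '/', '=' untouched
    return base64.b64decode(b64).decode()

def encode_rot13_base64(plaintext: str) -> str:
    """The weak scheme, reproduced only to build a sample cookie for the demo."""
    return codecs.encode(base64.b64encode(plaintext.encode()).decode(), "rot_13")

# --- hardened alternative ----------------------------------------------------
SECRET_KEY = b"constructed-demo-key-replace-in-production"   # assumption: from secure config
SESSIONS = {}      # session id -> {"user": ..., "role": ...}; never leaves the server

def _tag(session_id: str) -> str:
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(user: str, role: str) -> str:
    """Create a server-side session and return the cookie value to set."""
    sid = secrets.token_urlsafe(32)                  # 256 bits of randomness, no '.' characters
    SESSIONS[sid] = {"user": user, "role": role}     # identity and role stay on the server
    return f"{sid}.{_tag(sid)}"

def resolve_session_cookie(cookie_value: str):
    """Return the session record, or None if the cookie is malformed, forged or unknown."""
    sid, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(sid), tag):      # constant-time tag check
        return None
    return SESSIONS.get(sid)

def revoke_session(cookie_value: str) -> None:
    """Logout: delete the server-side record so the cookie value stops working."""
    sid = cookie_value.rpartition(".")[0]
    SESSIONS.pop(sid, None)

if __name__ == "__main__":
    sample = encode_rot13_base64("user=demo@example.com;hash=0123abcd")   # constructed
    print("weak cookie decodes to:", decode_rot13_base64(sample))
    cookie = issue_session_cookie("demo@example.com", "customer")
    print("hardened cookie resolves to:", resolve_session_cookie(cookie))
```

Because the role lives in SESSIONS rather than in the cookie, editing the cookie cannot promote a customer to admin, and a leaked cookie can be invalidated server-side with revoke_session(). When the cookie is set, the Secure, HttpOnly and SameSite attributes should also be applied; that is the subject of the cookie attributes test listed in the contents.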

Figure 14 Browser cache config

2.6.7 Testing for Weak Password Policy
Testing the password policy we discovered that users must have a password between 7 and 14 characters, but there is no symbol or number requirement. This is bad as it encourages customers to use weak passwords which could easily be cracked on the hashing system being used.

Figure 15 Password complexity measure

2.6.8 Testing for Weak Security Question Answer
Security questions are usually used to prevent hacker access to sensitive information such as bank details, or to guard processes for changing account details in case of malicious intent, stopping an attacker reaching anything extremely sensitive. After testing the website there appears to be no security question functionality, which means that if an attacker breaks in they will not be stopped from accessing any sensitive information stored through the website.
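The registration findings in 2.5.2 and the password policy finding in 2.6.7 both come down to server-side validation that only checks for an "@" and a 7 to 14 character password. The block below is an added example, not code from the report or the Hacklab site, showing the checks a defender would put behind the sign-up form: a structural email check, a password policy with a longer minimum and a character-class requirement, a rule against reusing the email's local part, and a date-of-birth check that handles the birthday edge correctly. The field names, the regular expression and the thresholds are assumptions for the illustration.

```python
"""Added example (not from the report): server-side registration validation.

Assumptions: the form posts name, email, password and dob (YYYY-MM-DD);
policy thresholds below are illustrative, not the site's.
"""
import re
from datetime import date

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MIN_PASSWORD_LEN = 12     # assumption: longer than the site's 7-14 range
MAX_PASSWORD_LEN = 128    # an upper bound that does not hurt usability
MIN_AGE = 18

def check_email(email: str) -> list:
    return [] if EMAIL_RE.match(email) else ["email: not a valid address"]

def check_password(pw: str, email: str) -> list:
    errors = []
    if not MIN_PASSWORD_LEN <= len(pw) <= MAX_PASSWORD_LEN:
        errors.append(f"password: must be {MIN_PASSWORD_LEN}-{MAX_PASSWORD_LEN} characters")
    if not re.search(r"\d", pw):
        errors.append("password: needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        errors.append("password: needs a symbol")
    local_part = email.split("@", 1)[0].lower()
    if local_part and local_part in pw.lower():
        errors.append("password: must not contain your email name")
    return errors

def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, counting the birthday itself."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

def check_dob(dob_str: str, today: date) -> list:
    try:
        dob = date.fromisoformat(dob_str)
    except ValueError:
        return ["dob: use YYYY-MM-DD"]
    if dob > today:
        return ["dob: in the future"]
    if age_on(dob, today) < MIN_AGE:
        return [f"dob: must be {MIN_AGE} or over"]
    return []

def validate_registration(form: dict, today: date = None) -> list:
    """Return a list of problems; an empty list means the submission is acceptable."""
    today = today or date.today()
    errors = [f"{k}: required" for k in ("name", "email", "password", "dob")
              if not str(form.get(k, "")).strip()]
    if errors:                      # do not run format checks on absent fields
        return errors
    errors += check_email(form["email"])
    errors += check_password(form["password"], form["email"])
    errors += check_dob(form["dob"], today)
    return errors
```

Validation of this kind belongs on the server regardless of any browser-side checks, since the POST can be sent without the form; the same password checks should be applied on the change-password page so the policy cannot be bypassed after registration.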

2.6.9

2.6.10 Testing for Weak Password Change or Reset Functionalities
There is a change password functionality, but it is on the signup page only; if you know your password you can change it. This is a poor design as it allows hackers to lock users out of their accounts if they figure out the password.

Figure 16 Change password page

2.7 SESSION MANAGEMENT TESTING

2.7.1 Testing for Bypassing Authorization Schema
As stated earlier, the loophole at ./admin/ADMIN is still a blatant breach of authorization. Although this is apparent, if you try and edit anything on the page you
