Chapter 7. Web Application Attacks

In this chapter, we will explore various methods of testing web applications using freely available tools such as your web browser, w3af, WebScarab, and others. We will also discuss methods of bypassing web application firewalls and IDSs, and how to determine whether your targets are being load balanced or filtered. This chapter does require significant lab preparation. If you are not following along with the examples, you may want to skip those portions.

Tip

There are numerous methods of performing this type of testing. We would need to dedicate an entire book to cover them all. Keeping this in mind, we have provided guidance on techniques that are most beneficial when targeting secured environments.

Businesses will typically use a risk-based approach when deciding where the security dollars should be spent, and decisions made under time and budget constraints can sometimes lead to unintentional mistakes that have a profound impact on the security posture of the entire environment. A penetration tester must be able to imitate the types of attacks that the client is likely to face in the wild and provide accurate information about how the vulnerabilities that are found can be mitigated. At times, a vulnerable web application will even allow an attacker to easily bypass all of the other security controls in place. Not only will the business be at risk of losing critical information, but all funds spent on securing the other aspects of the architecture will have been completely wasted.

As with the other chapters, we begin by quickly reviewing the basics of our chosen tools and then move on to some of the more interesting techniques.

In this chapter, the following topics will be covered:

  • Practice makes perfect
  • Configuring pfSense
  • Detecting load balancers
  • Detecting web application firewalls (WAF)
  • Taking on Level 3 – Kioptrix
  • Web Application Attack and Audit Framework (w3af)
  • Introduction to browser plugin HackBar
  • Reader challenge

Practice makes perfect

Penetration testing requires skills that take time and practice to perfect. To encourage the absorption of the material within this chapter, we will be adding a load balanced instance of an intentionally vulnerable Linux distribution to our lab. We will also use our Ubuntu virtual machine to host Mutillidae (provided to the community at http://www.irongeek.com/), a web application with intentional security flaws that we will then exploit.

If you have worked your way through the chapters of this book, you will already be familiar with Kioptrix Level 1. We now move on to a more advanced Kioptrix distribution that has been made available to the community by Steven McElrea (aka loneferret) and Richard Dinelle (aka haken29a) of the www.kioptrix.com team.

In order to follow along with the examples in this chapter, the virtual lab will need to be configured as follows:

  • Kali Linux: This has to be connected to internal network VMnet9
  • KioptrixVM Level 3: This has to be connected to internal network VMnet9
  • KioptrixVM Level 3 Clone: This has to be connected to internal network VMnet9
  • Ubuntu_TestMachine_1 with Mutillidae installed: This has to be connected to internal network VMnet9
  • PFSenseVM: This has to be connected to internal network VMnet9. This will provide our load balancing

After the configuration has been completed, an example of this is shown in the following image:


Creating a KioptrixVM Level 3 clone

We will be using a virtual load balancer to ensure that we are accurately emulating the types of technologies that are most likely to be found in secured environments. To this end, we will need to create another instance of the KioptrixVM. You could easily follow the steps previously outlined to accomplish this task, or you could take advantage of the cloning feature included with VMware Workstation.

To clone the machine, perform the following steps:

  1. Open the VMware Workstation tool.
  2. Navigate to the folder that contains the Kioptrix virtual machine, and do not power it on.
  3. Once you have opened the virtual machine folder, click on VM | Manage | Clone.
  4. In the wizard that comes up, click on Next.
  5. When the clone source window comes up, accept the default and click on Next.
  6. In the clone type window, select the radio button to Create a full clone.
  7. In the window that comes up, you can leave the default name of Clone of KioptrixVM3.
  8. You can change the location if desired; once you have completed the settings, click on Finish.
  9. Once the cloning operation has completed, you should see a message as shown in the following image:

Installing and configuring Mutillidae on the Ubuntu virtual machine

Mutillidae is a collection of scripts created by Adrian "Irongeek" Crenshaw and Jeremy Druin that are intentionally vulnerable to the OWASP top 10. Detailed information about the release can be found at http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasptop-10.

We will be using these scripts to practice some of the techniques that you should become familiar with in order to take on the challenge of performing penetration testing on a secured environment.

Tip

You can also take advantage of the hints that Mutillidae has included in each level of the distribution, to gain confidence in web application testing if you need the practice.

As we have previously mentioned, web applications make a very fine target and are often found to be insecure for an assortment of reasons, including unplanned software updates, a general lack of good coding practices, and so on. Let's perform the steps to install Mutillidae on our Ubuntu virtual machine:

  1. To begin, we will need to configure Ubuntu_TestMachine_1 to use two network adapters, one for NAT and one for internal network VMnet9. This process should be familiar by now, so we will forego reviewing the steps required to perform this task.
  2. Boot up Ubuntu_TestMachine_1 and verify the connectivity to the Internet. This would be the perfect time to grab any software updates that are needed as well.
  3. Once you are logged in, we need to install git by entering the following command:
    # apt-get install git
    
  4. The next thing we need to do is download the source code from the Internet. First, we need to place ourselves in the web root directory, and then clone the repository into a directory named mutillidae by entering the following commands:
    # cd /var/www/html
    # git clone git://git.code.sf.net/p/mutillidae/git mutillidae
    
  5. Once the download has completed, we have to enter the database configuration details in the program. Open the file by entering the following command:
    # sudo nano mutillidae/classes/MySQLHandler.php
    

    When the file opens, replace the default value in the $mMySQLDatabasePassword= "1easyPassword" line with the MySQL root password that you configured on the Ubuntu machine.

    Tip

    Do you remember the MySQL root password you used in Chapter 2, Preparing a Test Environment? If not, then you can probably identify with the reason that so many passwords are reused by administrators out in the real world! Proper password management is critical in large environments with many machines. There are tools available that can provide one-time-use passwords as well as other mechanisms that improve authentication methodologies.

  6. Access the program by entering http://localhost/mutillidae.
  7. Click on the Reset DB option to reset the database. An example of this is shown in the following image:
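As an added example, not code from the book or from the Mutillidae project, the following script performs the password edit from step 5 from the shell and verifies that it took effect, refusing to run when the expected line is missing or duplicated. It assumes the file holds a single line of the form $mMySQLDatabasePassword= "..." as quoted above, and the file it edits in the demo is a constructed stand-in, not the real MySQLHandler.php.

```shell
#!/bin/sh
# Added example, not from the book: replace the MySQL password constant in
# Mutillidae's classes/MySQLHandler.php from the shell instead of editing it
# in nano. Assumes the file contains one line of the form
#   $mMySQLDatabasePassword= "1easyPassword";
# as quoted in the chapter. The sample file below is constructed for the demo.
set -eu

# get_db_password FILE -> prints the current value of the constant
get_db_password() {
  sed -n 's/.*[$]mMySQLDatabasePassword *= *"\([^"]*\)".*/\1/p' "$1"
}

# set_db_password FILE PASSWORD
# Fails (non-zero) unless exactly one matching line exists and the new value
# reads back correctly, so a silent no-op cannot leave the lab on the default.
set_db_password() {
  file=$1 pass=$2
  count=$(grep -c '[$]mMySQLDatabasePassword *= *"' "$file" || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one password line in $file, found $count" >&2
    return 1
  fi
  case $pass in *\"*) echo 'password must not contain "' >&2; return 1;; esac
  # Escape the characters that are special in a sed replacement (\, &, /)
  # so symbol-heavy passwords are inserted literally.
  esc=$(printf '%s' "$pass" | sed 's|[/&\\]|\\&|g')
  sed 's/\([$]mMySQLDatabasePassword *= *\)"[^"]*"/\1"'"$esc"'"/' "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
  [ "$(get_db_password "$file")" = "$pass" ]
}

# Demo on a constructed stand-in for MySQLHandler.php (not the real file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
<?php
// constructed sample: mirrors the variable the chapter asks you to edit
$mMySQLDatabaseUsername= "root";
$mMySQLDatabasePassword= "1easyPassword";
EOF
set_db_password "$demo_file" 'Lab&Only/Pa\ss'
printf 'password now set to: %s\n' "$(get_db_password "$demo_file")"
rm -f "$demo_file"
```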

That's it! Now we need to shut down the machine and change the NAT connection to disconnected so that it is not accessible via the Internet. These pages should NOT be made available to malicious users on the Internet. Enter the following command:

# sudo poweroff

Once the machine is off, click on Edit virtual machine settings | Network Adapter and remove the checkmark in Connect at power on.

Once this has been done, power the machine back on and log in.
