by Brett Thomas on December 20, 2012 in Editorials & Interviews, Security
Many sysadmins understand how to set up and maintain a network, but the concept of auditing is an entirely different world. In the first part of a series on auditing and penetration testing (pentesting), we introduce the concepts and tools for putting all that security to the test. We’ll also talk about our pentest platform of choice, the Pwn Plug.
Web Service Testing
What you should use for the backend of a webservice can be a hotly contested topic. Everyone seems to have his or her individual favorite backend, and each has a reason for it. From databases to CMS software to webservers, everyone has an opinion.
Though W3AF covers a lot of vulnerabilities that can exist in webapps, there are a few other gems hidden in the Pwn Plug’s toolbox that you should familiarize yourself with.
In the process of truly understanding and examining Web services, it’s important to get a good idea of what you have publicly available. There are two important tools for this purpose that we will touch on in-depth in later articles.
The first of these tools is great for general reconnaissance, called theHarvester. This uses publicly available information to give you a “map” of what’s registered to the outside world, including email addresses, Web addresses, IP addresses, server enumeration and a variety of other useful bits and bobs that would clue you in on where an attacker may begin the push through your outermost perimeter.
The second is particularly useful for website owners who publish through CMS services like WordPress, Joomla or Drupal. Each of these has become a common backend that is widely extensible with plugins (read: points of vulnerability). For this, cms-explorer spiders through the service and identifies the currently active CMS, its plugins and themes. Knowing what versions of the main service and what plugins are running can give you a great insight into potential vulnerabilities.
For each of the different DB flavors, there is a tool designed to break it. For MySQL, there’s DarkMySQLi. SQLBrute is designed to attack either an Oracle or MSSQL backend, while SQLNinja is very specifically designed to be the last thing an MS-SQL admin wants to see. SQLNinja is even integrated into the Metasploit framework, and (when coupled with a VNC-server injection) is even capable of phoning home with a complete GUI access to the server.
Of course, for those who want to test a variety of vulnerabilities on a variety of platforms, there is the well-loved sqlmap. sqlmap contains features to poke at just about every commercial and open-source database that is commonly used, in a variety of ways. From “blind injection” (where the true results of the query are never shown to the attacker) to table dumping to shell-spawning to password cracking, it covers it all. We’ll be taking a look at it in detail nearer to the end of our series of tutorials.
File inclusion bugs can be just as dangerous as, if not more than, SQL injection in webapps. As the app calls up files to display or parse through the include statement in PHP, it is possible to elicit a number of nasty effects. The tricky part is, these bugs (Called LFI and RFI bugs, for “local file” and “remote file” inclusion) are getting harder and harder to find. Because of their severity, however, they are worth scouring your webapps (both internal and external) for!
The program fimap (named in honor of sqlmap) aims to automate this process by going through your webapp link-by-visible-link and attempting a variety of techniques against them, in hopes of making your webapp accept/load an incorrect file and thus spawn a shell or upload/execute a more complex (and permanent) payload.
Though pentesting is often considered a “dark art,” it has an important place in the role of any well-trained sysadmin. It is the only way to actually understand which vulnerabilities can lead to what levels of access, and to prepare and protect your systems accordingly. If you don’t understand the process of or tools used in an attack, how can you reasonably expect to be secured against one?
Some may look at the choice of the Pwn Plug as a platform and shy away or argue for whatever platform they use. However, I have simply not found a platform that is as thorough and well-designed when it comes to actually using it day-to-day, especially for longer-term testing. The amount of features you can test and the time it will save you once you’ve become familiar with the tools is well worth the cost.
I would like to remind you that all of these tools are open-source and can be installed independently on your system of choice (many are even available for Windows!) if you would like to follow along with our future tutorials, though some features or output may be different on your platform.
For those interested in dipping a toe into the water of security auditing, I hope that this article has been a good primer on the theory and some of the tools we’ll see. As we move forward into the tutorials, the articles will offer a brief intro on the basic networking theory (which you may or may not already know), how to use the tools themselves (as well as how not to) and how you should expect to see those tools in your network monitoring setup.
Part 2 of this series will revisit some of our basic networking theory as we explore basic reconnaissance techniques and how they interact with common internal protections like the Snort IDS. We’ll see you then!