Introduction to Penetration Testing
Uploaded by andrew-mcnicol
Table of Contents
• Overview
• Enumeration
• Tool Output
• Do We Stop Here?
• Custom Scripts
• Wpscan
• Online Research
• Testing Exploitation
• PHP LFI
• Code Execution, Yes Please!
Overview
• This session will cover the mindset I follow when approaching a web application
• I am going to show where many might stop, and what happens when you push further
• These types of techniques can be applied to any web application
Overview Cont.
• Tools Leveraged:
– Nmap
– Whatweb
– Wpscan
– Wget
– Custom scripts
– Burp Suite
– Netcat
Methodology Overview
• Pre-Engagement Activities – Hammer out all the details needed to conduct the test (schedule, scoping, rules of engagement, formal permission, etc.)
• Information Gathering and Reconnaissance – Depends on the type of test and the information you are given (organization name, CIDR, list of URLs, source code, etc.)
• Automated Testing
• Manual Testing and Validation
• Reporting
• Remediation Support
Methodologies Cont.
• Penetration Testing Execution Standard (PTES):
– http://www.pentest-standard.org/index.php/Main_Page
Mindset is Key
• Think like an attacker and see things through a different lens:
– Upload an avatar? Hmmm add code?
– Download a report? Hmm directory traversal for another file?
• Confidence
– Without it you’ll very easily hit a wall and stop
– I tell myself a vulnerability is here I just need to find it
Enumeration
• Nmap:
• WhatWeb:
Do We Stop Here?
• Hmmm?
Custom Scripts
• Web application testing requires custom scripting; there is really no way of getting around it:
Custom Scripts Cont.
• Making web requests with a scripting language isn’t too difficult
• Check out tutorials online and try to automate web requests
• Making a tool for CVE-2012-1823 is a good use case because you need to make a POST request and modify several header values
– If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs
Wpscan
• Wpscan:
Wpscan
• Do we stop here?
Wpscan : Plugin Enumeration
• Wpscan: --enumerate p
Online Research
Online Research Cont.
• Hmm, our web server doesn’t respond when we request “/wordpress/wp/wp-content/”
• Do we stop here?
Testing Exploitation
• Yeah, let's grab "/etc/passwd"
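From the defender's side, the probe described on this slide (a file-include parameter pointed at /etc/passwd, in plain or URL-encoded form, or at a php:// wrapper) leaves a recognisable trail in the web server's access log. The following detection script is an added example and not part of the original deck; the log lines are constructed for illustration, and the plugin path "plugins/example/view.php" is a placeholder rather than a real plugin.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
# Line 1 and 5 are ordinary requests; lines 2-4 are LFI-style probes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wordpress/wp-content/plugins/example/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1810
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /wordpress/wp-content/plugins/example/view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1810
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /wordpress/wp-content/plugins/example/view.php?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 2301
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wordpress/wp-content/themes/default/style.css HTTP/1.1" 200 812
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators, all evaluated on the URL-decoded request target.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')                     # ../ or ..\ sequences
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|wp-config\.php|/proc/self', re.I)
WRAPPER_RE = re.compile(r'^(?:php|data|expect|phar)://', re.I)    # PHP stream wrappers


def decode_target(target):
    """URL-decode repeatedly (bounded) so double-encoded probes are also normalised."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(target):
    """Return the list of indicators matched by one request target (empty if benign)."""
    decoded = decode_target(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-path")
    # Wrapper schemes only matter at the start of a query-string value.
    query = decoded.split("?", 1)[1] if "?" in decoded else ""
    for pair in query.split("&"):
        value = pair.split("=", 1)[1] if "=" in pair else pair
        if WRAPPER_RE.match(value):
            reasons.append("php-wrapper")
            break
    return reasons


def scan_log(text):
    """Parse each log line and keep the ones that trip at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["status"], hit["ip"], ",".join(hit["reasons"]), hit["target"])
```

The status code is kept in each finding on purpose: a 200 on a traversal request is far more interesting than a 404, because it suggests the include actually succeeded.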
PHP LFI
• Cool, so we can LFI, do we stop now?
PHP LFI…Now What?
• What can be done with a PHP LFI?
• It depends on what function is leading to the LFI vulnerability (include(), readfile(), etc.)
• PHP functions like include() will execute PHP code in the included file
– Yay, code execution through PHP snippets!
• PHP functions like readfile() will only display output
– We have more work to do
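Whether the sink is include() or readfile(), the root cause on this slide is the same: a user-controlled value reaches a filesystem path without being constrained. The following is an added example, not code from the deck, showing the vulnerable concatenation pattern beside the two checks that close it (an allowlist of known page names, and canonicalising the result and confirming it stays under the base directory). It is written in Python to illustrate the principle; the PHP equivalent would use realpath() and an in_array() allowlist. The directory "/var/www/pages" and page names used are assumed values for the demonstration.

```python
import os


class UnsafePathError(ValueError):
    """Raised when a requested page fails the allowlist or containment check."""


def resolve_unsafe(base_dir, requested):
    """Vulnerable pattern: user input is joined straight onto the base directory.
    "../" sequences walk out of base_dir, which is exactly the LFI on the slide."""
    return os.path.normpath(os.path.join(base_dir, requested))


def is_inside(base_dir, requested):
    """Containment check: canonicalise both paths and require the candidate to
    sit under base_dir. Also rejects absolute input, because os.path.join
    discards base_dir when requested is absolute."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, candidate]) == base


def resolve_safe(base_dir, requested, allowed_names):
    """Hardened version: allowlist first, containment second (defence in depth)."""
    if requested not in allowed_names:
        raise UnsafePathError(f"{requested!r} is not an allowed page")
    if not is_inside(base_dir, requested):
        raise UnsafePathError("resolved path escapes the base directory")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), requested))


def demo(base_dir="/var/www/pages"):
    """Run the vulnerable and hardened resolvers on the same inputs and report."""
    allowed = {"about.php", "contact.php"}          # assumed page names
    probe = "../../../etc/passwd"                   # the traversal from the slide
    results = {
        # The unsafe resolver happily lands on /etc/passwd.
        "unsafe_escapes": resolve_unsafe(base_dir, probe) == "/etc/passwd",
        # The containment check alone already catches it.
        "containment_rejects": not is_inside(base_dir, probe),
    }
    try:
        resolve_safe(base_dir, probe, allowed)
        results["safe_rejects"] = False
    except UnsafePathError:
        results["safe_rejects"] = True
    results["safe_allows_known_page"] = resolve_safe(
        base_dir, "about.php", allowed).endswith("/pages/about.php")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The allowlist is the primary control: if the application only ever includes a fixed set of files, it should never build the path from a free-form parameter at all. The containment check is there for the cases where the file name genuinely must come from the request.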
Code Execution? Yes, Please!
Code Execution? Yes, Please!
• Request:
Demo
Summary
• Tools may not give you the answer
• Very easy to hit a hurdle and quit
• You need to be curious/creative and constantly push to get more information
• Confidence and mindset go a long way