BURP Suite for Penetration Testing : Introduction

Intro

Environment

Ubuntu 14.04, PHP7.0, Apache

Objective

Manually do penetration test on web app using Burb Suite

Components

NOWASP Mutillidae

NOWASP Mutiliadae is a purposely vulnerable web application containing more than 40 vulnerabilities. It includes all of the OWASP top 10 vulnerabilities. NOWASP will be used as target for penetration test.

Burp Suite

This is an interception proxy tool that interacts between the client (a browser application, e.g., Firefox or Chrome) and the website or server. It will be running on my local machine and it will intercept inbound and outbound traffic between the browser and the target host. BURP Suite available in free and premium edition.

Preparation

Download & Install NOWASP

Download & Install BURP Suite

Set BURP Suite as Network Proxy

To enable BURP to intercept our web request, set your network proxy to http://127.0.0.1:8080.

Intercept with Burb

Forward or Drop

Go to Proxy > Intercept tab. Make sure Intercept is on (on button). Once request get intercepted, you may click Forward or Drop the request by clicking the corresponding button.

Examine Request / Response Parameters

Examine the parameters for both request and response.

Edit Request Parameters

Change GET request to POST request

Reference

1. http://resources.infosecinstitute.com/manual-web-application-penetration-testing-introduction/

OWASP Mutillidae 2

OWASP Mutillidae 2

Introduction

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. Read more about OWASP on www.owasp.org

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.

Installation

Environment : Ubuntu 14.04 TLS, Apache, PHP 7.0.5-2+deb.sury.org~trusty+1 (cli) ( NTS ).

1. Download latest version at sourceforge.
2. Extract and Move to your web directory
3. Set permission on mutillidae folder

Problems found

Call to undefined function mb_convert_encoding()

Server returns 500 Internal Server Error, with error log : Call to undefined function mb_convert_encoding().

Install mbstring module & reload Apache

sudo apt-get install php7.0-mbstring
sudo service apache2 reload

The database server at localhost appears to be offline

Mutillidae local web page shows message : The database server at localhost appears to be offline. The solution is to change db configuration in /mutillidae/classes/MySQLHandler.php. Then click link to reset DB. This will create database named nowasp (default).

Reference

• Instructional videos : webpwnized YouTube channel.

Base 64 encoding, what is it used for?

Motivation

Problem

Some system only expect string data. Example: url, mail, ...

Related to legacy system ?

Base64

The idea is to safely transport data by encode the data to safely data, i.e.:string, transfer over the network in form of bits, then redo the process backward of the recipient end.

How to it works

• Each 3 bytes of data are concatenated.
• The concatenated data then split to groups of 6 bits data (2^6=64,hence it's called base64)
• Encode the bits using base64 lookup table. Yielded in a string of alphanumeric, +, and / characters.
• Add padding characters
• Send the data over the network. The data will be encoded to bits (using ASCII encoding ?). Since the data only contain safe characters (alphanumeric, +, /) it willsafely received on the destination. The receiving end will repeat the process backward.

Example 1: send text

Let's say we want to transfer data :

Hello
world!

It will be sent as ASCII (or UTF-8) as like this :

72 101 108 108 111 10 119 111 114 108 100 33

The byte 10 is corrupted in some systems so we can base 64 encode these bytes as a Base64 string:

SGVsbG8sCndvcmxkIQ==

Which when encoded using ASCII looks like this:

83 71 86 115 98 71 56 115 67 110 100 118 99 109 120 107 73 61 61

All the bytes here are known safe bytes, so there is very little chance that any system will corrupt this message. I can send this instead of my original message and let the receiver reverse the process to recover the original message.

Drawback

It will increase the size of data to 4 [n/3]

Reffs

• en.wikipedia.org/wiki/Base64
• stackoverflow.com/questions/3538021/why-do-we-use-base64

Chrome's settings, configuration, and all

Chome (Web Browser) internal setting, configuration, and everything else

---

Clear / flush DNS cache

Navigate to chrome://net-internals/#dns and press the "Clear host cache" button.

WiFi Authentication Attack

Gaining WiFi access with password dictionary attach

Post status : on going

---

Deauth with airreplay-ng

airmon-ng : Unable to start interface with specific channel

solution: stop the wireless card, then airmon-ng start

root@local:/# airmon-ng stop wlan0
. . .
root@local: airmon-ng start wlan0

DNS Spoofing and Man-in-the-Middle Attack on WiFi

Steps of DNS Spoofing and MITM Attack on WiFi. Problems and solutions found are included

---

ARP

view or alter the contents of the kernel's ARP tables, for example when you suspect a duplicate Internet address is the cause for some intermittent network problem.

# arp -a IP address HW type HW address 172.16.1.3 10Mbps Ethernet 00:00:C0:5A:42:C1 172.16.1.2 10Mbps Ethernet 00:00:C0:90:B3:42 172.16.2.4 10Mbps Ethernet 00:00:C0:04:69:AA

DNS Spoofing

ARP Spoof

Install dsniff to run arpspoof

root@local:/# apt-get install dsniff

arpspoof: couldn't arp for host 192.168.1.121

Error found when arpspoof

root@local:/# arpspoof -i wlan0 -t 192.168.1.121 192.168.1.1
arpspoof: couldn't arp for host 192.168.1.121

Solution add -i <wireless interface> parameter

root@local:/# arpspoof -t 192.168.1.121 192.168.1.1
arpspoof: couldn't arp for host 192.168.1.121

dnsspoof: eth0: no IPv4 address assigned

Error found below

root@local:/# dnsspoof -f /home/hosts-spoff.txt host 192.168.1.121 and udp port 53
dnsspoof: eth0: no IPv4 address assigned
dnsspoof: couldn't initialize sniffing

Solution: add -i <wireless interface> parameter

root@local:/# dnsspoof -i wlan0 -f /home/hosts-spoff.txt host 192.168.1.121 and udp port 53

Scanning connected devices

Scan connected devices in the network to obtain IP and MAC address

root@local:/# nmap -sP 192.168.1.0/24

Preferences

• https://www.youtube.com/watch?v=i_eOLTuyx2A

Learning Nginx (2) : Add & enable new virtual hosts

Objective

Add and enable new virtual hosts

Environment

Ubuntu 14.04 TLS

---

Default

Default configuration file

cat /etc/nginx/sites-available/default

The server block configuration are : listen 80, server_name localhost. The location handler mechanism : try to handle request as file, then as directory, then fall back displaying 404 file (try_files $uri $uri/ =404)

Reference :

Learning Nginx (1) : Understanding Nginx Server and Location Block Selection Algorithms

Objective : Understanding Nginx Server and Location Block Selection Algorithms with Examples.

Environment : Ubuntu 14.04 LTS.

Installation

Open terminal, type :

$ sudo apt-get update
$ sudo apt-get install nginx

Nginx Configuration Blocks

Nginx logically divides the configurations meant to serve different content into blocks, which live in a hierarchical structure. The main blocks that we will be discussing are the server block and the location block

A server block is a subset of Nginx's configuration that defines a virtual server used to handle requests of a defined type. Often based on the requested domain name, port, and IP address.

A location block lives within a server block and is used to define how Nginx should handle requests for different resources and URIs for the parent server. Extremely flexible model.

Server Block

Server Block Selection Algorithm

Nginx allows to define multiple server blocks that function as separate virtual web server instances, through a defined system of checks that are used to find the best possible match.

To decide which server block will handle the request Nginx will parse listen Directive first then server_name Directive (only if needed).

Parsing the "listen" Directive to Find Possible Matches

Nginx default value is 0.0.0.0:80 (or 0.0.0.0:8080)

The listen directive typically defines which IP address & port that the server block will respond to. Listen directive can be set to :

1. An IP address/port combo, e.g.: 192.168.0.11:8080
2. A lone IP address, e.g.:192.168.0.11
3. A lone port which will listen to every interface on that port, e.g.:*:8080
4. The path to a Unix socket(generally only have implications when passing requests between different servers).

To determine which server block to send a request to, Nginx will first try to decide based on the specificity of the listen directive using the following rules:

1. Nginx translates all "incomplete" listen directives by substituting missing values with their default values so that each block can be evaluated by its IP address and port, e.q. : A block with no listen directive uses the value 0.0.0.0:80.
2. Nginx then attempts to collect a list of the server blocks that match the request most specifically based on the IP address and port. Block that is functionally using 0.0.0.0 as its IP address (to match any interface), will not be selected if there are matching blocks that list a specific IP address.
3. If there is only one most specific match, that server block will be used to serve the request. If there are multiple server blocks with the samex level of specificity matching -> begin to evaluate the server_name directive of each server block.

Nginx will only evaluate the server_name directive, if server blocks has same level of specificity of listen directive.

Parsing the "server_name" Directive to Choose a Match

To evaluate requests that have equally specific listen directives, Nginx checks the request's "Host" header. This value holds the domain or IP address that the client was actually trying to reach.

Nginx will find best match of server_name directive within each selected server blocks with following rules in order :

1. If multiple exact matches of server_name(s) are found, the first one is used.
2. If no match found, Nginx find a server block with a server_name that matches using a leading wildcard (indicated by a * at the beginning of the name in the config).
3. If no match is found, Nginx uses a trailing wildcard.
4. If no match is found, uses regular expressions (indicated by a ~ before the name)
5. If none are able to satisfy the request, the request will be passed to the default server for the matching IP address and port.

Example :

server {
    listen 80;
    server_name example.com;
    . . .
}

Location Block

Location Block Syntax

Location blocks live within server blocks (or other location blocks), used to decide how to process the request URI (the part of the request that comes after the domain name or IP address/port).

The location_match in the example below defines what Nginx should check the request URI against :

location optional_modifier location_match {
	...
}

Location Block Selection Algorithm

• (none) : Prefix matching.If no modifiers are present, the location is interpreted as a prefix match. This means that the location given will be matched against the beginning of the request URI to determine a match. Example: location block below may be selected to respond for request URIs : /site, /site/page1/index.html, or /site/index.html

  location /site {
      . . .
  }

• = : Exact matching. If an equal sign is used, this block will be considered a match if the request URI exactly matches the location given. Example : block below will always be used to respond to : /page1. Will not be used to respond : /page1/index.html request URI. Keep in mind that if this block is selected and the request is fulfilled using an index page, an internal redirect will take place to another location that will be the actual handler of the request.

  location = /page1 {
      . . .
  }

• ~ : Case-sensitive regex matching, if a tilde modifier is present. Block below could be used to handle requests for /tortoise.jpg, but not for /FLOWER.PNG.

  location ~ \.(jpe?g|png|gif|ico)$ {
      . . .
  }

• ~* : Case-insensitive regex matching, if a tilde and asterisk modifier is used. Both /tortoise.jpg and /FLOWER.PNG could be handled by this block :

  location ~* \.(jpe?g|png|gif|ico)$ {
      . . .
  }

• ^~: If a carat and tilde modifier is present, and if this block is selected as the best non-regular expression match, regular expression matching will not take place.

Source : 

• https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms

Linux terminal 101

List of commonly used (yet forgotten) Linux terminal commands:

---

• Prints certain LSB (Linux Standard Base) and Distribution information.

  lsb_release -a

• command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files. Example below will restores a hard disk drive (or an SD card, for example) from a previously created image.

  dd if=system.img of=/dev/sdc bs=4096 conv=noerror 

• Print certain system information

  uname

• Queries, installs, removes, and maintains Debian software packages and their dependencies.

  dpkg

  The primary and more user-friendly front-end for dpkg is aptitude. dpkg itself is controlled entirely via command line parameters, which consist of exactly one action and zero or more options. The action-parameter tells dpkg what to do and options control the behavior of the action in some way. dpkg can also be used as a front-end to dpkg-deb and dpkg-query. The list of supported actions is below (in the "Actions" section). If any such action is encountered dpkg just runs dpkg-deb or dpkg-query with the parameters given to it, but no specific options are currently passed to them, to use any such option the back-ends need to be called directly.

Hands on Android Development

First touch on Android development. 

First series of Android Development log.

Desktop Environment : Ubuntu 12.04 LTS, Android Development Tools 22.6.3, Android Developer Tools 22.3.0.
Device : HTC Butterfly, Android 4.3 (Jelly Bean).

Unable to update sites on ADT

Solution : remove sl4j.jar related from <java library>

Device not detected in ADT

Enable debug mode on device. Quote from android developer official site :

Note: On Android 4.2 and newer, Developer options is hidden by default. To make it available, go to Settings > About phone and tap Build number seven times. Return to the previous screen to find Developer options.

Ubuntu 12.04 : how to set up an NTP server

http://ubuntuforums.org/showthread.php?t=862620

Development Setup Ubuntu 12.04 TLS

Install MySQL Workbench

http://dev.mysql.com/downloads/workbench/5.2.ahtml

Install Ubuntu 12.04 LTS on HP Envy preloaded Win 8

Objective : Install Freedom Fone (Ubuntu 12.04 LTS based) to HP Envy preloaded with Win 8.

Create empty partition in existing Windows 8

• Disable UEFI in BIOS, enable legacy boot
• Run

  compmgmt.msc

  . Select something like 'device' or 'partition'
• Shrink existing partition
• Create empty partition

Install Ubuntu

• Run Disk Utility
• Make sure the install target partition has label like Create New Partition
• Run system from liveDVD / live USB, not directly install
• Run Install to Hardisk. This icon already appears on desktop
• Restart computer

Troubleshooting

DNS does not work

Can't nslookup, but able to ping external IP address. Solution: sudo service network-manager restart

Solution #2 : Configure name server lookup

ubuntuforums.org or tldp.org

Unavailable wireless card

Fixed from http://ubuntuforums.org/showthread.php?t=2035902&page=2. Download from http://linuxwireless.org/en/users/Download#Directly_downloading_the_tarball, then cd Desktop/compat-wireless-2012-05-10 &ls;––or whatever version was extracted, if not 2012-05-10 sudo su ./scripts/driver-select ath9k make make install exit

Booting from Ubuntu

• Press escape immediately after turning computer on
• Press F9 for Booting Options
• Select something boot from hardisk
• Select Ubuntu :D

Finish

Development Setup on Fedora 16

Install Apache Web Server

yum groupinstall "Web Server"

Apache Configuration

Install graphical interface for Apache configuration

yum install system-config-httpd

System configuration tool then need to be ran as root :

/usr/bin/system-config-httpd

or you can configure Apache server manualy :

vim /etc/httpd/conf/httpd.conf
vim /etc/httpd/conf.d/README

source : http://hacktux.com/fedora/apache

Troubleshooting

On Fedora you can run the following command which should give you the full error message :

/usr/sbin/httpd -t

The -t flag runs a syntax check on the configuration files so if there are any syntax errors there then this should help.

Fedora 16 installation on Dell Inspiron N5030

Objective : troubleshoot all hardware & configurations problems occured when installting Fedora 16 on Dell Inspiron N5030 laptop.

Environment : Fedora 16 64 bit on Dell Inspiron N5030

Wireless Network

problem : wireless connection is not detected
solution : Find wireless network card specification & download driver.

Install Repository

Enable repository access using command line for Fedora 15 & 16 :

su -c 'yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm'

source : http://developify.wordpress.com/2011/08/12/activate-broadcom-sta-wireless-driver-in-fedora-14
http://rpmfusion.org/Configuration

install broadcom-wl and the appropriate kmods all at the same time in a single yum or rpm command.

Activate Broadcom STA wireless driver

Touchpad Setting

problem : tap on touchpad as mouse click is not working

Keyboard Layout

problem : wrong keyboard layout, displayed characters not exactly matched the clicked keys.
solution : change Keyboard layout based on prefered layout.
System>Preferences>Keyboard>Layouts, "Add", "Choose a Layout" select "By Language" tab, Language: "English (US)".

Problem with MySQL - socket error

Problem : cant connect to mysql.
Error message : "Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'"

Failed Attemps :
1. restart mysql service
2.

sudo mkdir /var/run/mysqld/
//Create the file by “touching” it.
sudo touch /var/run/mysqld/mysqld.sock
//Set the ownership of the mysqld.sock file and folder to mysql.
sudo chown -R mysql /var/run/mysqld/

source : http://anthologyoi.com/computers/cant-connect-to-local-mysql-server-through-socketerror.html

solution :
source : http://bikramkawan.com.np/error-2002-hy000-cant-connect-to-local-mysql-server-through-socket-varrunmysqldmysqld-sock-2/

SSH on Ubuntu

Location : ASEAN Foundation
Objective : set up SSH server on 192.1681.8, so it can be accessed from 10.0.0.126.

Process

check :
iptables configuration
file : /etc/ssh/ssh_config

Solution : use port 2222, not 22

#ssh localhost -p 2222

additional

Log in as root in ubuntu :

# sudo passwd

install tomcat6 on ubuntu 11.04 - the Natty Narwhal

sudo apt-get install tomcat6

source : https://help.ubuntu.com/11.04/serverguide/C/tomcat.html

httpd SELinux Policy documentation

SELinux policies, especially for httpd service, is still a delicate thing for me :(
Found a good site explaining the 8 policies in FedoraProject.

We will discuss the SELinux policies someday :D

Apache PHP deployment in Ubuntu

Environment : Linux Ubuntu 11.04 Natty Narwhal

php.ini-s packaged : development and production

php.ini-development and php.ini-production, which come with the PHP 5.3 package, are really just examples of recommended settings. You should review the settings and make sure that they apply to your use and copy them to the regular php.ini file location. On my Ubuntu 10.04.1 LTS (lucid) server, here’s where I find mine:

# locate php.ini-development
/usr/share/doc/php5-common/examples/php.ini-development

The alternative example, php.ini-production, is in the same directory.

source : http://serverfault.com/questions/178270/where-is-php-ini-development-on-ubuntu-lamp

Enable mod_rewrite

what is mod_rewrite?
mod_rewrite is a part of Apache server that can rewrite requested urls on the fly.

To enable mod_rewrite in Ubuntu, you just need to write this command in terminal

sudo a2enmod rewrite

Next thing is Apache needs to be restarted

sudo service apache2 restart

source : http://mahmudahsan.wordpress.com/2008/07/06/ubuntu-enable-mod_rewrite-in-apache-server/

Install - enable mcrypt

Also on Ubuntu, make sure you actually have php5-mcrypt installed. You can install it with:

sudo apt-get install php5-mcrypt

If you get any errors, you may need to enable the 'universe' repository, explained here:
https://help.ubuntu.com/community/Repositories/Ubuntu

source : http://php.net/manual/en/mcrypt.setup.php

Unable to lock the administration directory

After execute command :

sudo apt-get install php5-mcrypt

Error message appear :

E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

Answer :
As per the other answers there is a package management app holding the lock. When unsure do not manually remove the lock, first run:

sudo fuser -cuk /var/lib/dpkg/lock; sudo rm -f /var/lib/dpkg/lock

This will kill any processes opening the file before removing it.

source : http://askubuntu.com/questions/15433/fixing-could-not-get-lock-var-lib-dpkg-lock

Install PEAR

PEAR is PHP’s equivalent of Perl’s CPAN. It offers hundreds of ready-to-use code modules that can make projects go much more quickly than having to hand code everything. However, it never seems like PEAR is easy to get running.
Installing the Needed Software

In Ubuntu, installing the following packages will quickly get you started with PEAR: php5-cli, php5-dev, and php-pear.

Make sure that you read the next section about problems with using PEAR to install PEAR packages if you are running 9.10, Karmic Kaola.

Here’s an example of how to quickly install those packages from the terminal.

$ sudo apt-get install php5-cli php5-dev php-pear
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
autoconf autoconf2.13 automake automake1.4 autotools-dev libltdl-dev libssl-dev libtool m4 php5-common shtool zlib1g-dev
Suggested packages:
autobook autoconf-archive gnu-standards autoconf-doc gettext libtool-doc automaken gfortran fortran95-compiler gcj php5-suhosin
The following NEW packages will be installed:
autoconf autoconf2.13 automake automake1.4 autotools-dev libltdl-dev libssl-dev libtool m4 php-pear php5-cli php5-common php5-dev shtool zlib1g-dev
0 upgraded, 15 newly installed, 0 to remove and 5 not upgraded.
Need to get 0B/8,690kB of archives.
After this operation, 27.7MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Selecting previously deselected package m4.
(Reading database ... 127272 files and directories currently installed.)
Unpacking m4 (from .../archives/m4_1.4.13-2_i386.deb) ...
...

source : http://chrisjean.com/2009/11/02/use-php-pear-with-ubuntu/

XSL with PHP in Ubuntu

XSL support in php5 is deactivated by default. Go to Synaptic Package Manager and search for php5-xsl. Mark the package for installation, apply the changes and once it’s finished, don’t forget to restart the server!

sudo /usr/sbin/apache2 -k restart

More XSL stories later on… time to experiment :)

source : http://soledadpenades.com/2006/12/09/xsl-with-php-in-ubuntu/