Ethical Hacking NETLAB+ 10 - Web Pentesting w/ Nikto and Burp Suite

Captions
Hello and welcome. This is Barrett from the C4 Cyber Club here at Cypress College, and in this video today we're going to cover the Ethical Hacking lab series for web pen testing. This lab is all about using Nikto for web application vulnerability scanning, and we'll also be looking at Burp Suite, using it as an interception proxy, and we'll do some brute force attacks on a login. Okay, so let's go and get started. I know other labs that we've worked on also worked with Nikto, but we'll go ahead and run through this again; it's very good practice to keep working with these tools.

So I'm logged into the Kali machine. The topology on this lab is fairly straightforward: we have our Kali attacker machine, and we'll also be accessing the OWASP BWA website, and this is what we're going to be scanning using Nikto and also working with Burp Suite. So for Nikto, remember this is a command line only tool, and we can get help by typing nikto -h. So you see all of our different options here, and let's just go ahead and do a standard scan with no particular options. So we type in nikto -host to specify the host, and remember the OWASP BWA machine is at 192.168.68.12, so .12 is the host IP. Okay, go ahead and add that in, and you can see we get a pretty quick response, and it's running through pretty much all of the various tests and utilizing all of the different plugins that Nikto has available.

Right, so before we go into detail about what all of this is: a large part of this lab is also pointing out how we can drill down into more specific scans. We can actually take a look at what plugins are available and then do very specific scans. So I'm going to go ahead and clear the screen (Ctrl-L, by the way, is a nice shortcut to clear the screen). So let's type in nikto -list-plugins. What this returns is all of the different plugins that are available and a description of what they do. So it's general good practice when you're doing scans, especially scans that are more active, that are actually connecting to a host, that you only scan for what you need, if you know what you need. So in this case, if we want to just look for particular outdated versions, we can use the outdated plugin. And then some of these other ones: I know we're going to be working with tests, we're going to do a scan on messages, we're going to check the server version against known issues, trying to find specific vulnerabilities. Okay, so let me clear the screen and let's do a very specific scan. So we're going to say I want to choose a very specific plugin, and that's called outdated, and then I specify the host again, 192.168.68.12. And now you can see our scan returned back much quicker, and we are only getting outdated versions.

Okay, now moving on to the next part, there is a plugin for HTTP options, and essentially this is just going to return back what kind of HTTP methods this web server allows, and we see that here. Now a lot of these are, I was going to say harmless, but essentially necessary, because GET, HEAD and POST are necessary methods for a web server to allow and to enable; to interact with a website you need to be able to send it GET and POST requests. Now OPTIONS here, this is kind of interesting, because this was enabled, and this is why we were able to do this scan in the first place: we were able to check the options on the server. So this could potentially be disabled to attempt to stop attackers from gathering this information. And notice here we have the note: HTTP TRACE method is active, suggesting the host is vulnerable to XST. So XST is cross-site tracing, and this is essentially how you could use the TRACE method to retrieve HttpOnly cookies or potentially authorization headers, so this is something that should definitely be disabled.

Okay, and then moving on we have the messages plugin, and remember the messages plugin is checking for the current server version and any known issues. So we notice that we do have an issue here: potentially vulnerable to a remote buffer overflow, and that could actually give a remote shell, so that's definitely a pretty big vulnerability there. And now we can also run just more general tests by using the tests plugin, and this is very similar to the original default scan that we ran, but I think it will run a little bit quicker. And you notice here that it's finding these directories, and this is very common in web app pen testing, looking for vulnerabilities: you're doing like a directory traversal, you're finding maybe hidden directories, and even here we see what is potentially an administrator login. So yeah, right here: phpMyAdmin directory found. And just to show what this means, remember we're scanning (let's look at the topology) the website that is on this web server, and if we just visit that from the Kali machine in Firefox, this is the website that we're scanning right now. And if we're finding potentially hidden directories, okay, we know that there is this directory test, let's check it out, what is there? Okay, now we have this directory test output. These are things that potentially should not be publicly available. They might assume, well, we don't have a link to them so nobody knows that that's there, but that's not the case, because you can see how we're able to scan for these directories. And let's take a look at phpMyAdmin, and now we have the administrator login page. So this is something we could potentially do a brute force attack on and attempt to get the login credentials.

All right, and then finally we can send all this to a report. If you're not a fan of going through the command line reporting, we can specify an output to a report.html. Okay, so it's re-running the full scan and then it's going to send all of that to an HTML file. Okay, so that scan is done; it's reported to that HTML file, so we can come up here, go to File Manager, making sure that we're in the root directory, and we see that report.html. One thing I'll note: the lab states that it may not work with the Chromium web browser, but we can right click on that, choose Open With, and open with Firefox ESR, so you can see a much nicer report as compared to the command line. So if this is something you prefer, obviously you can maybe even also print this out if you need a physical copy to look over. So that's that. That concludes the section on Nikto, and like I said, this should be review because we did cover Nikto in another lab as well, but it's always good to go back over that. Okay, so I'm going to close this and go back to the main OWASP BWA site, let's go ahead and clear the screen, and we'll get started on the next section.

All right, so we're moving on to Burp Suite. Burp Suite is definitely one of the more popular interception proxies used for web application pen testing, and very largely used by the bug bounty community. Bug bounty work is when you are attempting to find vulnerabilities in websites, and you could potentially earn money for that as well, but it's very important that as you do that you understand what is in scope, and this is something we're going to touch on as we set up Burp Suite, because it's important that as you do these kinds of scans you're only scanning where you're allowed and what you've been given permission to do, because you never want to do these against some random website. So as you learn these tools you have to be careful about when and where you use them.

The first thing we want to do: we can launch Burp Suite straight from the command line, just type in burpsuite, no space, and you'll see that it'll start launching here. Okay, there we go. "Your JRE appears to be an outdated version, not fully tested": just press OK. We have a few random prompts to get through. Okay, terms and conditions, I accept. We can just go ahead and launch a temporary project, that's fine, press Next, use Burp defaults, also okay, and then we'll start Burp. And Burp Suite is out of date, also okay, no worries. Unfortunately we can't update it here in the lab because we're sandboxed, no internet connection, but that is fine. So we've got a whole bunch of information here. We're only going to be focusing on a couple of different aspects, so try not to get too overwhelmed by everything. We actually really won't even be diving into the dashboard here; we're mainly going to be looking at the Target tab, and later we're going to be sending some things to Intruder to do brute force attacks.

Okay, but first things first, we need to set up Burp Suite to be our interception proxy in terms of our web browser, so in terms of Firefox. So within Firefox (and remember, this is the Firefox you have open in the lab, not your own personal one, although the setup would be the same if you chose to use Burp Suite at home), you will choose Open Menu in the top right corner, those three dashes, and you will want to come to Preferences, and if you scroll all the way to the very bottom we see Network Settings, and we'll choose Settings, and we'll select Manual proxy configuration, and we're going to add 127.0.0.1. You may recognize this by now: this is our loopback interface, we're basically interacting with ourselves here. And we're going to use port 8080, and we want to set "Use this proxy server for all protocols". Okay, so that is it, that's set up, so I can close out of the preferences. Now if we go back to Burp Suite and we go to the Proxy tab, we're going to see that we have a request to detectportal.firefox.com. So this is where we can keep intercepting communication that comes through the web browser, like whenever you request a website, whenever you submit maybe a form, or in a lot of cases when you're submitting a password, you want to intercept that request. But in this case we're going to turn intercept off. So you see right now intercept is on; we're going to click that to turn intercept off. Okay, and now next up, if we come back to our web browser and just revisit the OWASP BWA page (I'm going to click refresh, that will work), and now when you come back to Burp Suite and you go to the Target tab that we talked about earlier, you notice that the IP address of the web server is in the left menu here, and we notice various GET requests here, we see images; basically this is from the website loading, and we start to build what's called a site map.

Okay, but we talked earlier about scope and knowing what's in scope and what's out of scope. When it comes to doing these kinds of web application pen tests you will always know, you'll basically be told, what is in scope, and so for the purpose of this lab let's say that this entire website is in scope; we have been given permission to do tests on this. So let's go and right click and choose Add to scope. And now this is important: it says "You have added an item to Target scope. Do you want Burp Proxy to stop sending out-of-scope items to the history or other Burp tools?" and we say Yes, so we will not accumulate project data for out-of-scope items. Okay, so that means that we will only be collecting on this web server. And then one final addition to that: if we go to Proxy, click Options, under Intercept Client Requests we also want to check this box here, "And URL is in target scope". Okay, so that takes care of essentially just the setup. That's setting up Burp Suite to be used as the proxy, and it's also making sure that we're doing it safely and we've set our target that is in scope, so that we know that we're not collecting a bunch of other random information if we happen to visit a different website on a totally different server.

Okay, and that brings us to part three, building a site map with Burp Suite. You notice that since we visited the site you can expand this here, and you notice that we've already started collecting information. You could also right click that and choose Expand branch. And let's see what happens if we visit more of the site. So if we scroll down a bit and we visit this page here, then when we come back we notice, okay, we get this folder now, because we visited the DVWA we now see a login.php here. So all of this site map keeps getting updated as you visit other areas of the website. And so now that we've visited this login page, the lab just wants us to go ahead and log into it, so we'll type in admin and then admin for the password. Okay, so we have logged in, but now let's see what kind of information that shows us over in Burp Suite. So we have the original GET request, which was just us displaying that page; now finally we have the POST. Remember, the POST is when we're actually sending something to the server; GET is just getting from the server. But here we have the POST, and you can see that the Params column here is checked, meaning that parameters were passed, so we can see that information here: username equals admin and password equals admin. And if we click on the Parameters tab here we also see the various parameters that were set; we also see the session ID, and we see actually all of the cookie as well.

Okay, so moving on to part four, brute forcing a web application. So we're going to go to Proxy, let's go to the HTTP history, and we can right click anywhere here and we're just going to go ahead and clear history. And let's head back to our web browser and let's click over to where it says Brute Force. Remember, this DVWA is essentially a web app that's designed for us to practice these things, so they have a brute force section here set up for us to practice this. So let's type in admin, and then for the password the lab has recommended we just type in pass, and we get a response back: username and/or password incorrect. Okay, so challenge accepted, right? So let's see if we can brute force and figure out what this password is. So we will head back over to Burp Suite, and we can see we're already looking at the HTTP history, and we had just recently cleared it, so we see here this request that we just made. We see the Params checkbox here; we click on Params and we can see those here. But what we could do is right click on this request and Send to Intruder. So we do have other types of options here like Repeater, Sequencer, Decoder, Comparer; there's a lot of things you could do in Burp Suite, but in this lab we're just going to be working with Intruder, which is definitely most useful for these kinds of brute force attacks.

So the Target tab here auto-populates; it knows what the web server is, and of course it's working through port 80. Now if we click on Positions, the first thing that we want to choose is the attack type, and you see we have four different attack types here. These basically each specify how the payloads are used and set. And you notice right now it's setting multiple payloads, so pretty much everything that's in between these special characters is currently set as a different payload, so there's like one, two, three, four, five, six, seven different payloads set here. And this is going a little bit more detailed than what the lab talks about, but I figured I'd mention these different attack types and what they do. So Sniper essentially uses only one payload set and replaces one position at a time, whereas Battering ram places the same payload in all positions, so you choose one payload and then it's going to try it in every one of these. Now Pitchfork uses one set, one payload, for each payload type, so payload one is going to go into this position, payload two is specified for this position, payload three would be specified for this position; it's very specific. Now we're going to select Cluster bomb for the lab, and this is definitely very useful for brute force attacks. It's similar to the Pitchfork style, where it will use the first payload for the first designation here, or position, and then the second payload for the second position, but as it loops, if something wasn't found, it will try the different combinations, so it will definitely capture the most area for the various payloads that you set. So anyways, like I said, that was a little bit deeper detail, but I thought it would be useful to know how these different attack types work in Burp Suite.

So now that we've selected Cluster bomb, let's go ahead and clear the payload positions that it auto-set, and we want to basically do brute force attacks on the username and the pass. So I'm going to double click admin and then click Add, and you notice it adds those special characters in between, and then the same for the pass: we're going to double click that and choose Add. So we basically just set two different payload positions. Now we have to move over to the Payloads tab, and this is where we set our payload sets. So we have two positions, which means we have two different payload sets to consider. For the first payload set, for this lab we're going to keep it really simple, and remember that the first payload position is related to the username, so let's just assume that we know for sure that the username is admin. Now we could potentially put other things here: we could put root, we could put administrator; we could add as many different options here as we want, but for the sake of the lab, I know it just wants to keep it simple, we'll keep it to just admin; we know that it's going to be a match. Now moving over to payload set 2, this is where we're going to do something a little bit different: we want to pull from a word list. So for our payload type we're going to change this to Runtime file, and you notice this now gives us a new option, and we can select a file. We'll go back to the forward slash folder at the very root level, we're going to select /usr/share/wordlists, which is down here, and we'll go into the metasploit folder and select unix_passwords. Okay, so this is basically just a text file filled with words that are potential passwords, and that is about it.

Now we are ready to... oh no, I'm sorry, there is another part. This will help in the reporting when we get our results from the scan: we want to know very clearly which ones are incorrect, and you notice that back at the web portal we got the message username and/or password incorrect, so we're going to actually grep, or search, for the word incorrect in the responses. So if we click on Options and scroll down to the Grep - Match section, let's go ahead and clear the current list, and instead let's just add incorrect, and you'll see here in just a second when we run this scan how this helps in determining what the correct match is. So now if we scroll all the way to the top, in any of these tabs we see Start attack (so it doesn't matter where you're at), but we'll go ahead and click Start attack. So we've set our attack type, we set our payload positions, we set our two different payload sets, and we are grepping for the word incorrect. Ready to go? Here we go, let's go ahead and start the attack. Demo version, yeah, that's fine, press OK, and off it goes. So you can see it going through the word list. Payload one we set to only attempt the username of admin, but for password it is trying everything in that text file, and it's still going, but you can see here on the right side we have a tab which is based on that grep match list that we created, and what do we see here? Most of these are all checked as incorrect except for this one here. So not a very clever password: it is in fact just admin, but we can tell that we did not get that incorrect response, so that must be it. And in fact we could come back to the website and let's go ahead and try admin, admin: welcome to the password protected area, admin. All right, and that concludes the lab. You can see it's still going down here too, 53 of 1002, so there are a thousand and two entries in that text file, but we can go ahead and just close out of that. This will exit the current attack; that's okay.

All right, so that concludes this lab, Ethical Hacking lab series lab 10, web pen testing, and this was covering Nikto for command line web app vulnerability scanning and Burp Suite as an interception proxy. Thanks for watching, and catch you in the next one.
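Seen from the web server's side, the two halves of this lab leave distinct traces in the access log. The script below is an added example (not part of the video or the NETLAB+ lab) that flags them: the default Nikto User-Agent and the trail of 404s its directory checks produce, a TRACE request the server still answers with 200 (the XST finding), and a burst of login POSTs like the one Intruder generates. The log lines, the addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log line. The regex, thresholds and every sample line
# below are constructed for this example; the addresses are lab-style placeholders.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def burst(times, n, window_s):
    """True if any n timestamps fall inside a window of window_s seconds."""
    times = sorted(times)
    return any((times[i + n - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - n + 1))

def analyze(lines, login_path="/dvwa/login.php", attempts=5, window_s=30, missing_paths=3):
    """Return {ip: [flags]} for the behaviours the lab produces from the attacker side."""
    per_ip = defaultdict(lambda: {"logins": [], "missing": set(), "flags": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = per_ip[rec["ip"]]
        if "nikto" in rec["ua"].lower():          # Nikto's default User-Agent names itself
            ip["flags"].add("scanner_user_agent")
        if rec["method"] == "TRACE" and rec["status"] == 200:
            ip["flags"].add("trace_answered")     # server still has TRACE on (XST finding)
        if rec["status"] == 404:                  # directory guessing leaves a 404 trail
            ip["missing"].add(rec["path"])
        if rec["path"].split("?", 1)[0] == login_path and rec["method"] == "POST":
            ip["logins"].append(rec["ts"])        # Intruder replays the login POST
    for ip in per_ip.values():
        if len(ip["missing"]) >= missing_paths:
            ip["flags"].add("path_enumeration")
        if burst(ip["logins"], attempts, window_s):
            ip["flags"].add("login_burst")
    return {addr: sorted(d["flags"]) for addr, d in per_ip.items() if d["flags"]}

# Constructed sample log mirroring the lab's traffic (attacker and user addresses assumed).
def logline(ip, hms, req, status, ua):
    return f'{ip} - - [22/Mar/2021:{hms} -0700] "{req} HTTP/1.1" {status} 512 "-" "{ua}"'

ATTACKER, USER = "192.168.68.10", "192.168.68.55"
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
SAMPLE_LOG = (
    [logline(ATTACKER, "10:00:01", "OPTIONS /", 200, NIKTO_UA),
     logline(ATTACKER, "10:00:01", "TRACE /", 200, NIKTO_UA)]
    + [logline(ATTACKER, f"10:00:{2 + i:02d}", f"GET /{p}/", 404, NIKTO_UA)
       for i, p in enumerate(["cgi-bin", "backup", "old", "admin"])]
    + [logline(ATTACKER, f"10:05:{10 + i:02d}", "POST /dvwa/login.php", 200, "Mozilla/5.0")
       for i in range(8)]                          # eight wordlist attempts in eight seconds
    + [logline(USER, "10:06:00", "GET /dvwa/index.php", 200, "Mozilla/5.0"),
       logline(USER, "10:06:30", "POST /dvwa/login.php", 302, "Mozilla/5.0")]
)
```

Running `analyze(SAMPLE_LOG)` flags only the attacker address with all four labels; the single ordinary login from the user address produces none. Disabling TRACE on the server (and rate-limiting the login endpoint) removes the two findings the lab exercises.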
Info
Channel: Cypress College Cyber Club C4
Views: 433
Rating: 5 out of 5
Keywords: ethical hacking, kali linux, web pentesting, nikto, burp suite, interception proxy, ethical hacking lab, penetration testing, web app hacking, vulnerability scan, cypress college, c4cyberclub
Id: LwZcMbOwA7Y
Length: 31min 30sec (1890 seconds)
Published: Mon Mar 22 2021