# AWEM IT Security Testing Workshop

## Kali Linux

In this lab, we will be using kali-linux-2023.2-vmware-amd64 to perform most of the tests. The virtual machine image can be downloaded [here](https://www.kali.org/get-kali/#kali-virtual-machines).

:::info
The default login credential is `kali | kali`.
:::

## IT Infrastructure Penetration Test

### Task 1 Cracking WiFi Password

In this task, WiFi traffic was captured and provided to you for password cracking. The files are located at `/home/kali/Desktop/WiFi/`.

#### Task 1.1 Cracking WEP Using Aircrack-ng

A capture file `wep.cap` is provided to you; crack the password of the WiFi network using the `aircrack-ng` command.

:::success
Question: What is the WiFi password?
:::

#### Task 1.2 Cracking WPA Using Aircrack-ng

A capture file `wpa.cap` is provided to you; crack the password of the WiFi network using the `aircrack-ng` command. You can use the password list `/usr/share/wordlists/rockyou.txt` in Kali Linux.

:::success
Question: What is the WiFi password?
:::

### Task 2 Metasploit

:::info
Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. In this task we are using it to attack a vulnerable host, "Metasploitable 2". This host comes with many vulnerable services.
:::

Open a terminal and start `Metasploitable 2` using the following command in Kali Linux:

```
sudo docker run --name metasploitable2 -it --rm tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
```

:::danger
After starting Metasploitable 2, DO NOT CLOSE the terminal; use a NEW terminal in Kali Linux for the remaining labs.
:::

#### Task 2.1 Host Discovery

A ping sweep is a method used to discover live hosts by sending ICMP echo requests to multiple targets. If a given address is live, an ICMP echo reply is returned. This can be performed using the `nmap` command.

:::success
Question: In the `docker0` network interface, what is the IP address of your Kali Linux?
:::

The vulnerable host `Metasploitable 2` is also located in the same network. Discover the IP address of `Metasploitable 2` using an `nmap` ping scan.

:::success
Question: What is the IP address of `Metasploitable 2`?
:::

:::warning
Bonus Question: What techniques are used by the `nmap` ping scan to discover live hosts?
:::

#### Task 2.2 Service Discovery

After identifying live hosts, we can further enumerate the available services on the targets. Port scanning can be performed using network scanning tools such as `nmap`. To discover open TCP ports, you can use a SYN scan or a TCP connect scan:

```
# nmap -sS <IP> -oA syn
# nmap -sT <IP> -oA tcp
# nmap -sS -iL <hostListFile> -oA syn
```

Discover the open TCP ports on `Metasploitable 2` using nmap.

:::success
**Questions:**
1. List the open TCP ports below.
2. With reference to the `nmap` help menu, which option allows you to
   a) perform version detection
   b) perform script scanning
:::

#### Task 2.3 Use of Weak Password

Sometimes, default or simple passwords (e.g. admin:admin) are used in various services. In this task, we will attempt to access a database service using a weak password.

:::success
Question: Which TCP port is mysql running on?
:::

Connect to the mysql service from Kali Linux using the `mysql` command-line tool. Try to log in to the mysql service using a well-known username and guess the weak password in use.

:::success
**Questions:**
1. How many databases are there in the mysql service?
2. From the database tikiwiki, locate sensitive information: what is the password of 'admin'?
:::

#### Task 2.4 Missing Security Patches

If services with known vulnerabilities are used, an attacker can look for publicly available exploits to attack the service.

:::success
Question: What service is running on port 21?
:::

Using `nmap` with version detection scanning, discover the version of the service in use. Afterwards, perform a Google search and check whether any known vulnerabilities exist in the service.
:::success
Question: What vulnerability have you discovered?
:::

To attack the service, we can look for publicly available exploits. In this lab, we will attack the service with the help of Metasploit. Metasploit is a commonly used penetration testing framework; it contains a lot of exploits that help the tester compromise the target host.

Metasploit is already installed in Kali Linux. Launch Metasploit by typing

```
# msfconsole
```

To list the available commands in Metasploit, type

```
msf > help
```

In this task, we will try to locate the exploit related to the vulnerable service in Metasploit:

```
msf > search "<vulnerable service>"
```

To use the module, type

```
msf > use <full name of module>
```

After selecting the module, to learn more about it, type

```
msf > show info
```

In order to launch the attack, several pieces of information need to be provided to the module. To view the required information and available options, type

```
msf > show options
```

Set the required options in the module by typing

```
msf > set <OPTION NAME> <VALUE>
```

After filling in all the required options, execute the module by typing

```
msf > exploit
```

or

```
msf > run
```

![](https://hackmd.io/_uploads/HJIPmmJPh.png)

:::success
Question: What privilege have you obtained on the host after running the exploit?
:::

:::warning
Bonus Question: Attack the service running on 6667/tcp using a similar technique.
:::

## Web Application Penetration Test

In this section, we are going to set up and perform attacks on the Damn Vulnerable Web Application (DVWA). DVWA is a web application with an extremely vulnerable PHP/MySQL configuration. It is used for practising the most common web vulnerabilities and gaining more knowledge of web security.

To check whether the necessary services are running, open a terminal and type `sudo service apache2 status` and `sudo service mysql status`.
It should look like this:

![](https://hackmd.io/_uploads/SkpJp0ALh.png)
![](https://hackmd.io/_uploads/r15NaCC8n.png)

:::info
If it is inactive, type `sudo service apache2 start` or `sudo service mysql start`.
:::

### Task 3 Burp Suite

Burp Suite is a web debugging proxy which logs all Hypertext Transfer Protocol (HTTP) or HTTPS traffic between your computer and the Internet. Use it to debug traffic from virtually any application that supports a proxy, such as IE, Edge, Chrome, Safari, Firefox, Opera and more. You can download Burp Suite from https://portswigger.net/burp/communitydownload

**Burp Suite Community Edition is installed on Kali Linux by default.**

#### Task 3.1 Configure Burp Suite

- In Kali Linux, launch the "Burp Suite" application from the applications menu.
- Choose Temporary project.
- Choose Use Burp defaults and Start Burp.

![](https://i.imgur.com/sFbxSIe.png)

- Click the `Intercept` tab and `Open Browser` to open a new browser.

![](https://i.imgur.com/curZ9wS.png)

- A new browser using Burp Suite as its proxy server will be launched.
- Alternatively, you can launch Firefox in Kali Linux.
- Turn off intercept.
- Go to any website you like (e.g. http://localhost/dvwa).
- The HTTP request and response history can be found in the `Proxy` -> `HTTP history` tab.

### Task 4 Broken Access Control

#### Task 4.1 Broken Access Control

In this task, we will attempt to make a direct request to an administrative API without any authentication.

- Log in to DVWA (i.e. http://localhost/dvwa/) as the `admin` user.

:::info
The default login credential is `admin | password`.
:::

- Navigate to DVWA Security and set Security Level to Low.
- Navigate to Authentication Bypass and update a record.

:::info
If you cannot find the Authentication Bypass exercise in the panel, log out and log in again as admin.
:::

- In Burp, right-click the request and send the request to Repeater.

![](https://hackmd.io/_uploads/HkSGEuyDh.png)

- In Burp -> Repeater, verify whether you can update the record without authentication.
### Task 5 SQL Injection

SQL injection is a web security vulnerability that allows an attacker to execute malicious SQL queries against the application's database.

#### Task 5.1 SQL Injection

- Navigate to SQL Injection.
- You will see an input area for you to enter a user ID.

![](https://hackmd.io/_uploads/SybaqyJvh.png)

- The First Name and Surname of the admin user are returned if the value 1 is provided.

![](https://hackmd.io/_uploads/S1u7o1Jwh.png)

- Enumerate the information of other users.

Suppose the SQL query used by the API is:

`SELECT first_name, last_name FROM users WHERE user_id = '<input>';`

- Attempt to trigger an Internal Server Error by providing a specific character.

:::success
Question: What input have you used to trigger the server error?
:::

- Carefully craft a payload such that all records in the same table are returned.

Apart from retrieving the data in the same table, we can also query for other information, such as the database user and the database version.

:::success
**Questions:**
1. Retrieve the **Database Version**.
2. Retrieve the current **Database User**.
3. Retrieve the current **Database Name**.
:::

:::spoiler **Tips**
1. Most of them require the use of "UNION SELECT".
2. version(), user(), database()
:::

:::warning
**Bonus Questions:**

Blind SQL injection is a type of SQL injection attack that relies on asking the database true/false questions and observing the difference in the server's response to enumerate data. Navigate to SQL Injection (Blind) and perform a SQL injection attack to enumerate the current **Database Name**. How do you enumerate such information?
:::

:::spoiler **Tips**
1. Construct a query such that you can check the length of the database name.
2. Construct another query such that you can check if the first character of the database name is equal to 'a'.
:::

#### Task 5.2 SQL Injection with SQLMAP

SQLmap is a tool used to perform penetration tests on web applications for SQL injection vulnerabilities. SQLmap is preinstalled on Kali Linux. To start with, open the terminal and type `sqlmap -h`, which will give you some basic ideas about the tool.

Before using SQLmap, in order to make it work, we need to get the cookie from the browser first. Press "F12", go to the console tab and type in "console.log(document.cookie);"; it will output the cookie, which is "security=low".

![](https://hackmd.io/_uploads/H1hLyfkP3.png)

Now we are all prepared. Open the terminal and type in:

`sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low"`

It will fetch the database name.

![](https://hackmd.io/_uploads/B1ZXxzJD2.png)

:::success
**Questions:**
1. Retrieve the database name using sqlmap.
2. Retrieve the tables of the database using sqlmap.
3. Retrieve the users' info in the table using sqlmap.

Bonus: Crack all users' passwords using SQLmap.
:::

:::spoiler Tips
Use `sqlmap -h` to see more about the parameters you can make use of.
:::

## Bonus Challenge

Execute the following command to launch the final challenge:

```shell
sudo service apache2 stop
/home/kali/Desktop/runBonus.sh
```

In this challenge, your objective is to obtain root access on the target host.

- Discover the host and exploit a vulnerability in a service to gain unauthorized access.
- After obtaining access, abuse the feature observed to gain system access to the target host.
- After obtaining system access, discover interesting files in the system.
- Finally, obtain root access to the system.
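Returning to the query assumed in Task 5.1, the following added example (not part of the workshop or of DVWA) shows why the single quote produces a server error and why a crafted value can return every row, and contrasts it with the parameterized form of the same query. It uses a constructed in-memory SQLite `users` table with made-up rows; the column names come from the lab's query, nothing else is DVWA's.

```python
# Added example: the Task 5.1 query built by string concatenation versus bound
# parameters, run against a constructed in-memory SQLite table (sample data only).
import sqlite3

SAMPLE_USERS = [  # constructed rows for the demo, not DVWA's real data
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table shaped like the lab's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_input: str):
    """Query built the way Task 5.1 assumes: the input is pasted straight into the SQL text.
    Returns the matching rows, or the string 'error' when the database rejects the SQL
    (this is what surfaces as the lab's Internal Server Error)."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}';"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"


def lookup_parameterized(conn, user_input: str):
    """The fix: the value is bound as a parameter, so it is only ever compared as data
    and can never alter the structure of the statement."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal id, a lone quote (breaks the statement), and a tautology (returns all rows).
    for probe in ["1", "'", "1' OR '1'='1"]:
        print(f"{probe!r:16} vulnerable={lookup_vulnerable(db, probe)} "
              f"parameterized={lookup_parameterized(db, probe)}")
```

The parameterized version answers both malformed inputs with an empty result instead of an error or a data leak, which is the behaviour to look for when reviewing the lab's PHP source at higher security levels.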