CIS 76 - Lesson 12: Rich's Lesson Module Checklist
Flash cards
Properties
Page numbers
1st minute quiz
Web Calendar summary
Web book pages
Commands
Course topics: TCP/IP; Enumeration; Cryptography; Network and Computer Attacks; Evading Network Devices; Embedded Operating Systems; Desktop and Server Vulnerabilities; Scripting and Programming.
1. Browse to: http://simms-teach.com
2. Click the CIS 76 link.
3. Click the Calendar link.
4. Locate today’s lesson.
5. Find the Presentation slides for the lesson and download for easier viewing.
6. Click the Enter virtual classroom link to join CCC Confer.
7. Log into Opus-II with Putty or ssh command.
3) Click OK button.
[ ] Is recording on? (Red dot means recording.)
[ ] Use teleconferencing, not mic. The phone handset icon should change to the little Microphone icon and the "Teleconferencing …" message should be displayed; the mic icon should be grayed out.
vSphere Client
putty
[ ] Video (webcam)
[ ] Make Video Follow Moderator Focus
Elmo rotated down to view side table; Elmo rotated up to view white board (use the Rotate image button). Quite interesting that they consider you to be an "expert" in order to use this button!
Control Panel (small icons) General Tab > Settings… 500MB cache size. Delete these.
Start
Sound Check
Students that dial-in should mute their line using *6 to prevent unintended noises distracting the web conference.
Volume
*4 - increase conference volume.
*7 - decrease conference volume.
*5 - increase your voice volume.
*8 - decrease your voice volume.
Email me ([email protected]) a relatively current photo of your face for 3 points extra credit
Admonition
Questions
How this course works?
Previous labs?
Chinese proverb: 他問一個問題,五分鐘是個傻子,他不問一個問題仍然是一個傻瓜永遠。
He who asks a question is a fool for five minutes; he who does not ask a question remains a fool forever.
In the news
http://digg.com/2017/re-scam-ai-scammer
https://www.theatlantic.com/technology/archive/2016/08/the-twitter-bot-that-sounds-just-like-me/496340/
Recent News
Phishing helps hackers hijack accounts, says Google study
BBC News 10 November 2017
http://www.bbc.com/news/technology-41940838
Recent News
Data Breaches, Phishing, or Malware?
Understanding the Risks of Stolen Credentials
Joint study between Google and UC Berkeley
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46437.pdf
Best Practices
http://www.welivesecurity.com/2016/11/08/secure-router-help-prevent-next-internet-takedown/
Housekeeping
Last Withdraw: 11/18/17
Students who are no longer participating in the class (turning in assignments, posting on the forum, taking quizzes or tests) may be dropped by the instructor.
https://simms-teach.com/docs/cis76/cis76final-project.pdf
Awesome Repositories:
Awesome InfoSec, Awesome AppSec, Awesome Bug Bounty, Awesome CTF, Awesome DevSecOps, Awesome Exploit Development, Awesome Fuzzing, Awesome Hacking One, Awesome Honeypots, Awesome Incident Response, Awesome IoT Hacks, Awesome Malware Analysis, Awesome Pcaptools, Awesome Pentest, Awesome PHP Security, Awesome Reversing, Awesome Sec Talks, Awesome SecLists, Awesome Security, Awesome Static Analysis, Awesome Threat Intelligence, Awesome Vehicle Security, Awesome Web Hacking, Awesome Windows Exploitation, Awesome WiFi Arsenal, Awesome Android Security, Awesome OSX and iOS Security
Extra credit labs and final posts: Tue due by 11:59PM
• All students will take the test at the same time. The test must be completed by 6:50PM.
• Working and long distance students can take the test online via CCC Confer and Canvas.
• Working students will need to plan ahead to arrange time off from work for the test.
• Test #3 is mandatory (even if you have all the points you want)
Where to find your grades
Send me your survey to get your LOR code name.
Web Applications
https://news.netcraft.com/archives/2017/10/26/october-2017-web-server-survey-13.html
OWASP Top Ten
https://www.owasp.org/index.php/Main_Page
Core Purpose
"Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software."
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
OWASP Top 10
A1-Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent
to an interpreter as part of a command or query. The attacker’s hostile data can trick the
interpreter into executing unintended commands or accessing data without proper
authorization.
A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server, and platform.
Secure settings should be defined, implemented, and maintained, as defaults are often
insecure. Additionally, software should be kept up to date.
https://www.owasp.org/index.php/Top_10_2013-Top_10
https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
A3 Cross-Site Scripting (XSS)
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
https://www.youtube.com/watch?v=L5l9lSnNMxg
Reflected Cross-Site Scripting (XSS) Example
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.youtube.com/watch?v=dFci82qwXA0
Example Overview:
Copy the DRAPS TV index.php file to your OWASP VM:
cd /var/www
mkdir lesson12
cd lesson12/
mkdir xss01
cd xss01/
scp xxxxxx76@opus-ii:/home/cis76/depot/lesson12/xss01/* .
[WinXP] http://10.76.xx.101/lesson12/xss01/index.php
From your WinXP VM, browse to the new website on your OWASP VM
http://10.76.xx.101/lesson12/xss01/index.php?search=Star+Wars
http://10.76.xx.101/lesson12/xss01/index.php?search=%3Cfont+color%3D%22green%22%3E
Encoding used:
%3C is <
%3D is =
%22 is "
%3E is >
http://10.76.xx.101/lesson12/xss01/index.php?search=%3Cfont+color%3D%22red%22%3E
Copy and paste the URL into a different browser (Firefox, Internet Explorer) and the JavaScript is still executed.
http://10.76.xx.101/lesson12/xss01/index.php?search=Uh+Oh%3Cscript%3Ealert%28%22You%27ve+been+hacked%21%22%29%3C%2Fscript%3E
Activity
Search for:
<img src="http://www.simms-teach.com/images/b.jpg"></img>
Put who you see in the search results in the chat window
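As an added example (not the lesson's DRAPS TV index.php, whose source is not on this page), the Python below decodes the search parameter from the URLs used above the way the server sees it, reflects it both unescaped and HTML-escaped so the difference is visible, and flags decoded parameters that look like XSS probes, a check a defender can run over web access logs. The sample URLs are constructed from the lesson's, with the pod host placeholder kept.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs


def search_term(url: str) -> str:
    """Decode the 'search' query parameter the way the server sees it
    (percent-decoding, '+' -> space), i.e. what PHP exposes as $_GET['search']."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_vulnerable(term: str) -> str:
    """Stand-in for the vulnerable page: the term is reflected verbatim into HTML."""
    return f"<p>Search results for: {term}</p>"


def render_fixed(term: str) -> str:
    """Same page with output encoding: <, >, &, quotes become entities, so the
    browser shows the payload as text instead of parsing it as markup."""
    return f"<p>Search results for: {html.escape(term, quote=True)}</p>"


# Detection aid: a decoded parameter that contains a tag start or a javascript:
# URL is a strong indicator of an XSS probe in web access logs.
_XSS_HINT = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:", re.IGNORECASE)


def looks_like_xss_probe(url: str) -> bool:
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(_XSS_HINT.search(v) for vals in params.values() for v in vals)


# Constructed sample requests mirroring the lesson's URLs (pod host placeholder kept).
SAMPLE_URLS = [
    "http://10.76.xx.101/lesson12/xss01/index.php?search=Star+Wars",
    "http://10.76.xx.101/lesson12/xss01/index.php?search=%3Cfont+color%3D%22green%22%3E",
    "http://10.76.xx.101/lesson12/xss01/index.php?search="
    "Uh+Oh%3Cscript%3Ealert%28%22You%27ve+been+hacked%21%22%29%3C%2Fscript%3E",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        t = search_term(u)
        print(repr(t), "probe" if looks_like_xss_probe(u) else "benign")
        print("  vulnerable:", render_vulnerable(t))
        print("  fixed:     ", render_fixed(t))
```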
Stored Cross-Site Scripting (XSS) Example
https://en.wikipedia.org/wiki/Cross-site_scripting
http://10.76.xx.101/WebGoat/source?solution=true
Example Overview:
Any victims that read the infected message post will get the annoying message.
Scroll down a little. We are using Pod 5 for this example.
From your WinXP VM, browse to your OWASP VM and head to WebGoat
Login to WebGoat with both username and password = guest
Start OWASP WebGoat Training
Navigate to Stored XSS Attacks on left panel
http://10.76.xx.101/WebGoat/attack?Screen=374&menu=900
Select a "good" message from Message list to retrieve from the database
Message contents are displayed here
Next select the malicious message from Message list to retrieve from the database
When the malicious message is retrieved the stored javascript is executed
Stealing Cookies with XSS (work in progress)
https://www.youtube.com/watch?v=T1QEs3mdJoc
https://www.youtube.com/watch?v=3tRSJwuDBKg
http://danscourses.com/xss-with-a-vulnerable-webapp/
Example Overview:
For this example we will use the DVWA web app on the EH-OWASP VM to show how XSS commands can be used to steal a session cookie.
The attacker on EH-Kali will log in to the DVWA app, adding a post with a malicious script that steals the current cookie and sends it to a netcat listener on EH-Kali.
The victim on EH-WinXP next logs into the DVWA app and views the post, which sends the session cookie to the attacker.
OWASP Setup
Log in as root
cd /var/www/dvwa/vulnerabilities/xss_s/
vi index.php
On line 49 modify maxlength=\"50\" to maxlength=\"200\"
Log in as root
1. Start in Workspace 1
2. Run Firefox, search for the Tamper Data Add-On and install it.
3. Restart Firefox
4. Pancakes stack icon > Customize > Show/Hide Toolbars button > Check Menu Bar
5. Open a terminal in Workspace 2
6. systemctl stop apache2
[Kali] http://10.76.xx.101/
Scroll down and click on the Damn Vulnerable Web Application
[Kali] http://10.76.xx.101/dvwa/login.php
[Kali] http://10.76.xx.101/dvwa/index.php
Click on Setup
[Kali] http://10.76.xx.101/dvwa/setup.php
[Kali] http://10.76.xx.101/dvwa/index.php
[Kali] http://10.76.xx.101/dvwa/vulnerabilities/xss_s/
Mu Ha Ha
To lay the trap, fill in the form and click the Sign Guestbook button
[WinXP] http://10.76.xx.101
[WinXP] http://10.76.xx.101/dvwa/index.php
[WinXP] http://10.76.xx.101/dvwa/vulnerabilities/xss_s/
When the browser renders this page the malicious script is executed
security=low;%20PHPSESSID=chhba9fpi8m1pcapu08g0t2mp5;%20acopendivids=swingset,jotto,phpbb2,redmine;%20acgroupswithpersist=nada
The attacker now can see and copy the victim's session cookie
http://10.76.xx.101/dvwa/vulnerabilities/xss_s/
Start tampering, update the URL then press Enter (do not click Login button)
Voila! We have "logged in" using the victim's session cookie
And we have full admin rights
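The stored script in the walkthrough above can only ship the session cookie because the browser lets script read it; the HttpOnly attribute removes that access, and Secure and SameSite limit where the cookie travels (SameSite also reduces the cross-site request forgery covered later in this lesson). As an added example (not DVWA's or the lesson's code), this Python audit parses a Set-Cookie header and reports the missing attributes; the cookie value and the session-cookie name list are constructed.

```python
# Cookie names that commonly carry a session identifier (constructed list, not exhaustive).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "session", "sid"}


def parse_set_cookie(header: str):
    """Return (name, value, attrs) for one Set-Cookie header. Attribute names are
    lower-cased; flag attributes such as HttpOnly and Secure map to None."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """List the findings that matter for the cookie-theft scenario; [] means OK."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read it via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    samesite = (attrs.get("samesite") or "").lower()
    if not samesite:
        findings.append("missing SameSite: attached to cross-site requests")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if findings and name.lower() in SESSION_NAMES:
        findings.insert(0, f"{name} is a session cookie: treat the findings as high severity")
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """The Set-Cookie header a DVWA-style app should send for its session id."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed sample in the shape of the DVWA cookie seen in the lesson (value made up).
WEAK = "Set-Cookie: PHPSESSID=constructedsessionid123; path=/"

if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK):
        print("WEAK:", finding)
    print("hardened:", audit_set_cookie(hardened_session_cookie("PHPSESSID", "abc")))
```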
A1 Injection (SQL)
SQL Injection
https://en.wikipedia.org/wiki/SQL_injection
https://www.owasp.org/index.php/SQL_Injection
Injection
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
SQL Injection
https://www.youtube.com/watch?v=_jKylhJtPmI
1. The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.
2. If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.
3. Positive or "white list" input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP’s ESAPI has an extensible library of white list input validation routines.
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
https://www.youtube.com/watch?v=RtN8tlR7q-M
SQL Injection
Example Overview:
The attacker will browse from EH-Kali to the web server on the EH-OWASP VM.
The EH-Kali browser does not use the Burp Suite proxy in this example, so the proxy configuration in the last example can be undone ("Pancakes" icon > Preferences > Advanced > Network > Settings... > Select "No proxy").
OWASP Mutillidae II
[EH-Kali] http://10.76.xx.101
Disable web proxy if configured.
On your Kali VM, browse to your OWASP VM and head to Mutillidae II
OWASP 2013 > A1 Injection (SQL) > SQLi - Extract Data > User Info (SQL)
Click the link to register a new account for yourself
Add username, password of your choice and any text for the signature
Account has been created
Now that we have created a new user, let's start over and log in
Log in using your new account
If successful your account details will be displayed below
Applications > Usual applications > Accessories > Text Editor
Record the URL in a text editor so you can examine the fields
Tamper with the password portion of the URL to see if you can get an error
Fix the password and add a single quote after it. Try it and observe what happens. (single quote added)
Lots of useful information is shown. Log the URL and SQL query in the text editor
That results in a SQL query that dumps all the data in the database!
simben76' OR 1='1
You can now log in without a password!
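As an added example (not Mutillidae's or the lesson's code), the Python below stands in for the login query the walkthrough above exploits: the concatenated query that leaks an error when a single quote is appended and that lets ' OR ... bypass the password, the same login through a parameterized query (option 1 from the OWASP Injection slide), and an allowlist check on the username (option 3). The schema, rows and names are constructed; because SQLite compares the integer 1 with the text '1' by storage class and treats them as unequal, the payload is written here as ' OR '1'='1 rather than the page's MySQL form ' OR 1='1.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Mutillidae's accounts table (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("simben76", "s3cret", "hello"), ("admin", "adminpass", "I am admin")],
    )
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: the user-supplied fields are concatenated into the SQL text,
    so a quote in the URL changes the meaning of the query."""
    sql = ("SELECT username, signature FROM accounts WHERE username='"
           + username + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username: str, password: str) -> list:
    """OWASP option 1: a parameterized query. The driver sends the values
    separately from the SQL, so a quote is just a character in the value."""
    return conn.execute(
        "SELECT username, signature FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def probe_single_quote(conn, username: str, password: str):
    """The lesson's error probe: append one quote to the password. On the
    concatenated query this raises a database error; returns its text, or None."""
    try:
        login_concat(conn, username, password + "'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# OWASP option 3: positive ("white list") validation on the username field alone.
_USERNAME_OK = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_is_valid(username: str) -> bool:
    return _USERNAME_OK.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    print(probe_single_quote(db, "simben76", "s3cret"))      # database error text
    print(login_concat(db, "simben76' OR '1'='1", "wrong"))  # row returned, no password
    print(login_concat(db, "simben76", "x' OR '1'='1"))      # every row dumped
    print(login_param(db, "simben76' OR '1'='1", "wrong"))   # []
```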
A8 Cross-Site Request Forgery (CSRF)
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
https://www.youtube.com/watch?v=vRBihr41JTo
Example Overview:
Select "Use Burp defaults" and click the Start Burp button
Click the Options tab and verify Burp Suite is listening on port 8080
Click the Intercept tab to monitor browser requests
Switch to Workspace 2 and run Firefox
Select Preferences
Advanced > Network > Settings...
Configure the proxy service as shown above
Scroll down a little. We are using Pod 5 for this example.
From your Kali VM, browse to your OWASP VM and head to WebGoat
Scroll down a bit.
In workspace 1 start WebGoat
Click Forward on Burp Suite to continue
Scroll down a little.
Navigate on the left panel to Cross Site Request Forgery (CSRF)
Click Forward on Burp Suite to continue
Fill out the form and click the Submit button
Click Forward on Burp Suite to continue
In workspace 3 open a terminal and copy the payload file on Opus-II
Update to your pod number.
Create new message using the malicious HTML payload (copy and paste from terminal) to transfer bank funds
Note the GET request containing the malicious URL, which requests the transfer of the bank funds to the attacker
"Pancakes" icon > Preferences > Advanced > Network > Settings... > Select "No proxy"
Assignment
Wrap up
Next Class
Assignment: Check the Calendar Page on the web site to see what is due next week.
• Using ' OR 1='1 as the password to log into a web application is what kind of attack?
Backup