Lab 4a 1077561
Lab 4a 1077561
Lab-4(A)
Objectives
In this part, you will complete the following objectives:
• Task 1.1: Write a Bash Script to Automate an Nmap Scan and Store the Results.
• Task 1.2: Differentiate between Scripts Written in Bash, Python, Ruby, and PowerShell.
Background / Scenario
Penetration testing often requires repetitive tasks that use various tools to perform reconnaissance,
analyze, and exploit vulnerable systems. Creating scripts to automate these tasks reduces the time
necessary to complete the penetration testing project.
Required Resources
• Kali VM customized for the Ethical Hacker course
Instructions
Task 1.1: Bash Script to Automate an Nmap Scan and Store the Results.
Step 1.1.1: Create a basic Bash script.
The Bash shell has a built-in script interpreter. Bash scripts can be written in any text editor and require
minimal programming experience. The scripts can then be run from the Bash shell prompt. The syntax and
structure of Bash scripts is similar to what you would type at the command prompt if you were doing the
task manually. In this step, you will write a short script named recon.sh to perform a simple Nmap scan.
a. We need first to change the prompt to include the date and time, and your student ID. Run the
command: PS1=”\d \@ [Your_Student-ID]”. Use your own student ID. The prompt will change as
shown below.
b. To begin your first script, log in to Kali, with the username kali and password kali. Open a terminal
window and ping the target host at 10.6.6.23 to ensure that it is available on the network.
┌──(kali㉿Kali)-[~]
└─$ ping -c5 10.6.6.23
c. Open the Mousepad text editor from the Applications menu. (Any text editor can be used to create
the file.) The first line in the Bash script is a special kind of comment line that indicates the location
of the interpreter to be used to run the code. This line is called a "shebang" and is common to most
Linux scripts. Enter the shebang #!/bin/bash on line 1 this identifies the language of the script to
the command interpreter.
Line numbers are added automatically in Mousepad, do not type them. They should not appear in
the script itself.
1 #!/bin/bash
d. In this script, the user will enter the IP address of the target as a command line option. If no option
is entered, the user will receive an error message showing the proper command syntax. Enter the
if/then sequence as shown.
2 # Check if IP of target is entered
3 if [ -z "$1" ]
4 then
5 echo "Correct usage is ./recon.sh <IP>"
6 exit 1
7 else
8 echo "Target IP $1"
9 fi
Analyzing script code is an important skill for a penetration tester. Not only will you write automation
code, you will often need to determine what an existing script does. The meaning of each line of is
as follows:
• Line 2 is a comment line that begins with a hash tag #. Lines starting with # are used to
document the script. Comment lines are ignored by the command interpreter.
• Line 3 starts a test to determine if the input option variable $1 exists. By default, Bash scripts
accept command line options into variables numbered by their position in the command. The
-z returns "true" if the value of $1 is null. Bash requires a space after the first bracket [ and a
space before the last bracket ].
• Line 4 indicates what to do if the option variable does not exist (is null). Lines 5 and 6 are
indented to indicate that they are part of the then clause.
• Line 5 prints a message to the screen. Bash uses the echo command to print what is in the
double quotes to the screen.
• Line 6 will cause the script execution to stop and exit to the CLI if the condition is met.
• Line 7 indicates what to do if the if condition is false.
• Line 8 prints a message with the input value that was supplied and stored in the $1 variable.
Note that further work is required to validate that the input was actually a valid IP address.
This is beyond the scope of this lab.
• Line 9 indicates that the if/then clauses are complete.
┌──(kali㉿Kali)-[~]
└─$ chmod +x recon.sh
g. Test your script by running it first with the IP address of the target (10.6.6.23) specified.
┌──(kali㉿Kali)-[~]
└─$ ./recon.sh 10.6.6.23
Target IP 10.6.6.23
The purpose of the script is to automate Nmap scanning using the target IP address value that is
supplied to the script. What do you think will happen if the value is not a legal IP address?
Answer below and include screenshots.
1
Mousepad file
With no input after script name and incoreect IP address. It gives error.
i. Now edit the script file to enter the commands that will run the Nmap scan. Use the variable $1 to
indicate the IP address of the target device you want to scan. The results of the Nmap scan will be
written to a file named scan_results.txt in the current directory.
8 echo "Running Nmap…"
9 # Run Nmap scan on target and save results to file
10 nmap -sV $1 > scan_results.txt
10 echo "Scan complete – results written to scan_results.txt"
The script will run probe open ports to determine service/version info 2
┌──(kali㉿kali)-[~]
└─$ ./recon.sh 10.6.6.23
Target IP 10.6.6.23
Running Nmap....
Scan complete -- results written to scan_results.txt
l. Use the cat command to view the contents of the scan_results.txt file that you created with the
script.
The presence of port 139/tcp and 445/tcp indicates that a samba server is
running.
4
a. Open the recon.sh file in the text editor. Add the following commands.
13 # If the Samba port 445 is found and open, run enum4linux.
14 if grep 445 scan_results.txt | grep -iq open
15 then
16 enum4linux -U -S $1 >> scan_results.txt
17 echo "Samba found. Enumeration complete."
18 echo "Results added to scan_results.txt."
19 echo "To view the results, cat the file."
20 else
21 echo "Open SMB share ports not found."
22 fi
┌──(kali㉿kali)-[~]
└─$ ./recon.sh 10.6.6.23
Running Nmap....
Scan complete -- results written to scan_results.txt
Samba found. Enumeration complete.
Results added to scan_results.txt.
To view the results, cat the file.
e. Use the cat command to view the results contained in the scan_results.txt file.
6
Answer below and include screenshots.
Sharename Type Comment
--------- ---- -------
homes Disk All home directories
workfiles Disk Confidential Workfiles
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
d. After a brief delay, you should see Nmap output the scan reports for each host that was specified
in the to_scan.txt file.
Note: The to_scan.txt file does not require executable permissions because it is serving as a data
file, not as a script file.
Variables read in as options from CLI Cannot begin with number or capital
are assigned $1, $2, ..., $n letter.
Calling Variables variableName $variableName #variableName $varibleName
Using the information from the chart, what shebang should be the first line of code?
Answer below.
#!/usr/bin/python3
Will be the first line 7
10
c. Review the code sample shown. Use the syntax characteristics to determine which scripting
language is used to interpret the code.
1 $nmapExe = "Program Files (x86)Nmap
map.exe"
2 #define nmap targets
3 $target = "10.6.6.0/24", "172.17.0.0/29"
4 #run nmap scan for each target
5 foreach ($target in $target)
6 {
7 $filename = "nmap_results"
8 $nmapfile = ". emp" + $filename + $target +".xml"
9 cmd.exe /c "$nmapExe -p 20-25,80,443,3389,8080 -oX $nmapfile -A -v $target"
10 }
Using the information from the chart, what scripting language interpreter will be used to run this
code?
Answer below and include screenshots.
The code is intended to be run using pwershell which is used in windows. 11
What options will Nmap use for the scan and what do those options mean?
Answer below and include screenshots.
9:
The options used for the Nmap scan in the provided PowerShell script are specified in line
Objectives
In this part, you will perform Reflected XSS and Stored XSS attacks against the DVWA (Damn Vulnerable
Web Application!) at low, medium, and high security levels.
• Task 2.1: Perform Reflective Cross Site Scripting Exploits
• Task 2.2: Perform Stored Cross Site Scripting Exploits
Background / Scenario
In this lab, you will perform penetration tests of a web application to determine if it has been securely
designed. DVWA (Damn Vulnerable Web Application!) is a PHP/MySQL web application. It is designed to
be vulnerable to common attacks to allow security professionals to test their skills and tools and students
and teachers to learn and understand web application security in a legal environment.
DVWA provides four levels of security: Low, Medium, High, and Impossible. Each security level requires
different skills to perform exploits. The security levels reflect different levels of security that developers may
code into their applications. In this lab, you will perform exploits against three of the security levels, Low,
Medium, and High, allowing you to adjust your attacks to compromise them.
Required Resources
• Kali VM customized for the Ethical Hacker course
• Internet access
Instructions
In Kali Linux, the default web browser is usually Iceweasel, which is based on Firefox. To change
the title of a tab in Iceweasel or any other browser, you would typically need to use JavaScript. The
below simple script can do that:
The tab title should now be changed to "Your New Title". Remember that this change only affects
your local view of the webpage and won't change the title for other users or when you refresh the
page.
c. Navigate to the DVWA application and enter the following URL into the browser http://10.6.6.13.
d. At the login prompt, enter the credentials: admin/password.
d. Enter CTRL+U on the keyboard to view the source code of the page.
e. Search for the string Hello Reflected_Test by entering CTRL+F to open a search box.
f. Close the source code window and return to the Reflected XSS Vulnerability page.
g. Enter the following payload in the What’s your name? box and click Submit.
<script>alert("You are hacked!")</script>
An alert popup box will appear with the words You are hacked!. This means the site is vulnerable
to Reflected XSS attacks and we have successfully exploited the vulnerability.
h. Select and copy the URL for the compromised page. Open a new browser tab and paste the URL
into the URL field and press <Enter>.
You should see the same web page appear displaying the You are hacked! popup box. This means
that if a user opens the URL a malicious script will execute. The alert box is used to simulate a
malicious script in this lab.
In an ethical hacking engagement, you would try inserting a simple test script into input fields to see
if the script executes. If so, the website is vulnerable to reflected XSS attacks. You could then
distribute the link in a phishing attack to determine the level of security awareness among your
customers’ employees.
You will see a Hello response, but this time no pop up will appear. This indicates that the script did
not execute. Note that the script is displayed as literal text.
We can analyze the code in the backend of the web site to investigate the reason.
d. Click the View Source button on the bottom right of the page and review the PHP code.
Note: On a real web server, we would not have access to this backend source code, but here on
DVWS we do.
This source code creates a filter, with str_replace() function, that removes the <script> tag in our
payload and replaces it with a null value. This renders the payload script ineffective, so the attack
failed, and no popup window is displayed. Because this script is only filtering out <script> in lower
case, we can try and get around the filter by using a different tag in the payload. We will use
<ScRipt>.
14
Step 2.1.4: Perform a Reflective XSS attack at High security level.
The same attack will be attempted, but this time the security level of the website will be High.
a. Select DVWA Security in the left menu and select High in the Security Level dropdown. Click
Submit.
b. Select XSS (Reflected) in the left menu.
c. Enter the following payload in the What's your name? box and click Submit. (Note the use of
underscores to replace spaces.)
<ScRipt>alert("You_are_hacked!")</ScRipt>
There is a Hello message and no alert pop up box. Again, we can analyze the backend source code
to investigate.
d. Click the View Source button and review the PHP code.
In this code, the developer used a regular expression to replace any form of the <script> tag, no
matter what case of the characters is used, with a null value.
Which character in the script was omitted from the regular expression? How do you know?
Answer below.
15
e. To bypass this filter, we must use another HTML tag instead of <script> to attack the site.
Close the source code window and return to the Reflected XSS Vulnerability page.
f. Enter the following payload in the What's your name? box and click Submit. (Note the use of
underscores to replace spaces.)
Review the text that you input into the web form. How did it work?
Answer below.
16
Task 2.2: Perform Stored Cross Site Scripting Exploits
With the stored XSS exploit, you enter a malicious script through user input and the script is stored on the
target server in a message forum, database, visitor log, or comment field. When a user visits the target, the
server exposes the user to the malicious code.
Both strings, Test#1 and Stored XSS Test, will be in the page source code indicating that the two
input fields may be vulnerable to a Stored XSS attack.
e. Close the source code window and return to the Stored XSS Vulnerability page.
f. Enter Test#1 in the Name * box and enter the following payload in the Message * field and click
Sign Guestbook.
<script>alert("You are hacked!")</script>
An XSS alert popup box will appear with the words You are hacked!. This means the site was
vulnerable to stored XSS attacks and we have successfully exploited the vulnerability.
g. Refresh the page. If alerted, click Resend to display the page. The XSS alert popup box will appear
again.
Because the XSS payload is stored in the guestbook, the alert popup box will appear each time the
page is refreshed.
h. Before proceeding to the next step, clear the XSS payload from the page. Click Setup / Reset DB
in the left menu then click Create / Reset Database.
17
Step 2.2.2: Perform a Stored XSS attack at Medium security level.
The same attack will be attempted, but this time the security level of the Web site will be changed to
Medium.
Exploiting reflected XSS at medium level security is not difficult. Using <script> will be rejected but changing
it to a different case such as <ScRipt> will bypass the security and achieve the exploit.
a. Select DVWA Security in the left menu and select Medium in the Security Level options dropdown.
Click Submit.
b. Select XSS (Stored) in the left menu.
c. Type the string XSS Test#1 in the Name* field and type Stored XSS Test in the Message * field.
click Sign Guestbook.
d. Enter CTRL+U on the keyboard to view the page source code. Enter CTRL+F to search for the
Test#1 and Stored XSS Test strings.
Both strings will be in the page source code indicating that the two input fields may be vulnerable to
a Stored XSS attack.
e. Close the source code window and return to the Vulnerability page.
f. Enter Test#1 in the Name * box and enter the following payload in the Message * box and click
Sign Guestbook.
<script>alert("You are hacked!")</script>
No popup box should appear. Refreshing the page should not cause the alert popup box to appear
either.
This means that there is code in the backend that is sanitizing the user input from the Message *
field to prevent scripts from being submitted. You can see the modified input in the last rectangle
message box below the input fields.
18
g. Click the View Source button and review the PHP source code and investigate.
You will see two blocks of code with the word Sanitize. The first block of code, under // Sanitize
message input, contains two PHP functions for performing input sanitization. The strip_tags()
function removes all html tags from the message field before storing them in the database. The
htmlspecialchars() function converts all special characters into equivalent HTML entities so they
are not reflected back in the browser.
Research the PHP addslashes() function on the internet. How did it change the input?
19
The second block of code, under // Sanitize name input, performs input sanitation on the Name *
field. It contains the str_replace() function which replaces any occurrence of the <script> tag with
a null value. This disables the script completely.
We can attempt to bypass the security on the Name * field by using some other payload that does
not contain <script> tags.
With the maxlength restriction changed, the XSS payload can now be entered into the Name * field.
Note: Changing the maxlength parameter does not persist. If you refresh the page, for example,
the setting needs to be changed again.
j. Return to the Vulnerability page and enter the following payload in the Name * field.
<ScRipt>alert("You are hacked!")</ScRipt>
k. In the Message * field you can type any text you like and then click Sign Guestbook.
An XSS alert popup box will appear with the words You are hacked!.
Because the XSS payload is stored in the guestbook, the alert popup box will appear each time the
page is refreshed or each time other users visit the page.
The popup confirms you have successfully exploited Stored XSS vulnerability at the Medium level
of security.
l. Before proceeding to the next step, clear the XSS payload from the page. Click Setup / Reset DB
in the left menu then click Create / Reset Database.
20
Both Test#1 and XSS Test should be in the page source code indicating that the two input fields
may be vulnerable to a Stored XSS attack.
e. Close the page source code tab and return to the Vulnerability page.
f. Enter Test#1 in the Name * box and enter the following payload in the Message * box and click
Sign Guestbook.
<ScRipt>alert("You are hacked!")</ScRipt>
No popup box will appear. Refreshing the page will not cause the alert popup box to appear either.
This means that there is code in the site backend that is sanitizing the user input from the Message
* field.
g. Click the View Source button and review the PHP source code and investigate.
You will see two blocks of code. As before with the Medium security, the first block of code, under //
Sanitize message input, contains two php functions for performing input sanitization. The
strip_tags() function removes all html tags from the message field before storing them in the
database. The htmlspecialchars() function converts all special characters into equivalent HTML
characters so they are not reflected back in the browser.
The second block of code, under // Sanitize name input, is performing input sanitation on the Name
* field. It contains the preg_replace() function. This function uses a regular expression to replace
any occurrence of the <script> tag, regardless of character case, with a null value.
We can attempt to bypass the security on the Name * field by using some other payload that does
not contain <script> tags.
h. Before entering any payload into the Name * field, it will be necessary to change the max character
length restriction on the field, as was done above.
With the maxlength restriction changed, the XSS payload can now be entered into the Name * field.
i. Return to the Vulnerability page and enter the following payload in the Name *
field. (Note the use of underscores to replace spaces.)
An XSS alert popup box will appear with the message "You_are_hacked!".
Because the XSS payload is stored in the guestbook, the alert popup box will appear each time the
page is refreshed.
The popup confirms you have successfully exploited a Stored XSS vulnerability at High security
level.
j. Before proceeding to the next step, clear the XSS payload from the page. Click Setup / Reset DB
in the left menu then click Create / Reset Database.
The H4cker website should now be displayed under the iframe test message.
This is a powerful exploit because the threat actor could send the browser to a malicious website.
d. Before proceeding to the next step, clear the XSS payload from the page. Click Setup / Reset DB
in the left menu then click Create / Reset Database.
Stealing the cookies of website visitors has security implications. Cookies contain information about how
and when users visit a web site and sometimes authentication information, such as usernames and
passwords. Without proper security measures, a threat actor can capture cookies and use them to
impersonate specific users and gain access to their information and accounts.
<script>alert(document.cookie)</script>
A popup box with the cookie will be presented. This is a cookie that PHP uses to keep of track of
running sessions.
An exploit could modify the XSS script to have the cookie sent to another destination rather than just
displaying it.
23
Step Max
Part 1- Code Automation 1
Part 2- Cross-Site Scripting 1.5
Total marks: 2.5 marks