Introduction to web hacking

Web applications are where majority of attacks are occuring now a days. Since past decade, we have seen an upward progression in the layers of insecurities where the attacks moving from Physical layer up to application layer of the OSI model ,we will talk about some of the most common web application attacks, along with some server-side attacking techniques and strategies. Let’s talk about web application attacks first. Almost every web application attack is due to unvalidated input: failure to validate input upon authentication, on form fields, or other inputs such as http headers and cookies. Web application hacking happens because either developers aren’t taught to validate inputs or they don’t pay much attention to it.

ATTACKING THE AUTHENTICATION

Authentication in web security is an application to verify if it’s the correct user that accesses the private/protected information. In this section, we will talk about authentication-based attacks.
Some of the common vulnerabilities against authentication are as follows:
 Credentials sent over HTTP. Since they are unencrypted, an attacker on LAN/WLAN can
launch an MITM attack.
 Default passwords.
 Weak or simple credentials that can be cracked with brute force or dictionary attacks.
 Bypassing authentication by using various vulnerabilities.
 Abusing reset forgotten password functionality.
 Passwords being stored in local storage, making it easy for an attacker to extract them by
using XSS vulnerability.

In this section, most of our focus would be on some of the commonly used vulnerabilities to
bypass authentication such as SQL injection and Xpath injection. But before that, let’s talk about some low-profile attacks.

USERNAME ENUMERATION

Sometimes it’s possible to check if a current user exists in the database or not based upon the error messages that the application displays. This could be very helpful in cases where you want to conduct a brute force attack or an attack against a particular user. It could also aid you when exploiting the password reset feature. Let’s take a look at an example of how this works.

INVALID USERNAME WITH INVALID PASSWORD

We have a popular website xyz.com. When we enter an invalid username with an invalid password, the following error is displayed:
“Username is invalid,” indicating that the particular username was not found in the website’s database.

VALID USERNAME WITH INVALID PASSWORD

When we enter a valid username with invalid password, the following error is displayed:
“Password is incorrect.” Not to mention, the website provided is well known; however, this isn’t a big issue for them because most of their usernames are already public in their forums, listings, and market places, but certainly, this can still be an issue in several other applications.

ENABLING BROWSER CACHE TO STORE PASSWORDS

Another bad security practice that is often followed is developers using autocomplete function for password fields, which enables the passwords to be saved in browser cache allowing an attacker to access the password if he can somehow access the browser cache.
We can check if autocomplete is enabled with the following command:
<input type=”text” name=”foo” autocomplete=”on”/>
To protect against this issue, it’s recommended that the autocomplete be disabled.

BRUTE FORCE AND DICTIONARY ATTACKS

In the Remote Exploitation post, we discussed how we can use brute force or dic-
tionary attacks to crack various services such as ftp, SSH, and RDP by using various tools such as hydra, Medusa, and ncrack.

TYPES OF AUTHENTICATION

Let’s talk about some of the authentication mechanisms and their insecurities before looking at brute force attacks. There are three types of HTTP-based authentication schemes used primarily:

HTTP BASIC AUTHENTICATION

HTTP basic authentication is one of the first authentication mechanisms that were introduced. It works as follows:
When we send a GET request to the protected resource, the webserver would respond with a
log-in screen, which would set a “WWW-Authenticate” header also known as the authorization header. Our credentials are then sent to the server via the authorization header in the base64- encoded form. Upon receiving the header, the server would decode the base64 string to plain text and compare it with the information stored in the authorization file.

Upon submitting a correct username and password, the client would get access to the protected storage, and a “401” “Unauthorized” response from the server if an incorrect username/password is submitted.

Now, obviously, the problem with this type of authentication is that an attacker could launch a man in the middle attack and easily decode the encoded base64 string containing the username and the password.
Let’s try analyzing it in our favorite web proxy called “burp suite.”

As we can see, a base64 string is being sent to the server, which the server would decode and match with the password set in .htaccess in case you are on an apache webserver. Let’s try sending the string to burp’s decoder.
In the decoder, you would see a drop-down menu, which would ask you for the type of string that is submitted as an input. We will select base64.

It would successfully decode the contents of the base64 string, which happen to be
admin:password in this case, where “admin” is the username and “password” is the password.

Setting up fake access point

The next attack we would talk about is setting up a rogue or fake access point. Our goal would be to make the victim connect to it, and since we will have control of the access point, we can redirect traffic as we want. We will use the SET to raise a fake access point. Though there are other tools that can be used here, such as airbase, gerrix, etc., I found SET to be the simplest.

Step 1—From the “Social Engineering Attacks” menu, select the “Wireless Access Point attack Vector.”

Step 2—We can see from the description that we require four utilities to launch this attack
vector, namely, Air-Base-NG, AirMon-NG, DNSSpoof, and dhcp3. Except for dhcp3, the
other tools come preinstalled with BackTrack 5. Therefore, we would need to install dhcp3
in order to launch this attack vector.

Step 3—We would use “apt-get install dhcp3-server” command to install dhcp3 inside of
BackTrack. It’s listed in the image, since I have already installed it. If you face any problems
while installing the dhcp3 server, I would recommend you to consult the backtrack-linux.
org forum.

Step 4—After you have installed the dhcp3 server, from the SET choose the first option to start setting the fake access point. Next, the SET will take you to the /etc/default/dhcp3-server file where you would need to specify the interface on which you would like the dhcp server to serve the dhcp requests. We would now add our wireless interface “wlan0” for serving dhcp requests.

Step 5—Next, it will ask you for the dhcp range to assign to the clients that would connect to our access points. I would prefer choosing 192.168.10.100-254, since it’s used more often.

Step 6—Finally, we would enter our wireless network interface, which would be wlan0; yours might be different, you can do iwconfig to check for your wireless interfaces.

Now, we are all set and done and the SET will launch our fake access point with the SSID
“linksys”, which is its name by default. It will have no encryption set.

As a side note, if we would like to change the name of our wireless access point, we can do it
by modifying the value of ACCESS_POINT_SSID parameter located inside the SET config file
in the /pentest/exploits/set/config directory.

ATTACK SCENARIO

Once the victim connects to our fake access point, we can perform various types of attacks against him. We can either perform an ARP poisoning attack or a phishing attack or just set up a malicious webserver to redirect all the traffic to our webserver, whenever the victim browses websites such asfacebook.com or google.com. This can be easily done by editing the contents of the /etc/ hosts file. Since we are in control of the access point, we can manipulate things that would be presented to the victim.

127.0.0.1 is our home address, so we would edit the /etc/hosts file to and we would point
the hosts that we want to target say Facebook, Google, twitter etc to our Home address. So this means that the next time when victim would enter the target url in his browser say facebook.com. he would be redirected to our address where we could launch different types of client side attacks. The following screenshot explains how the edits would look like:

After you have manipulated the records, whenever the victim browses his favorite websites,
say google.com, facebook.com, or yahoo.com, he will be redirected to our local IP address, where we would host our malicious SET webserver or a phishing page.

Reaver attack

Reaver is the penetration tester’s ultimate choice, this tool can help you crack WPA/WPA2 keys within a matter of hours. Reaver does not directly perform a brute force attack against the WPA/ WPA2 keys, but it performs a brute force attack against the WPS pins. The WPS pins are eight digits in length, and as most routers use default pins, they can easily be compromised.
Once reaver compromises the pins by either using the default pins or by using a brute force
attack, which won’t take much long since eight-digit pins would have 10,000,000 (10^7) and the last digit can be calculated by using the first seven pins according to official documentation.
As reaver compromises the pins, it gets authenticated as a valid external registrar. A registrar has access to all the configurations of the access point, which would include the WPA/WPA2 keys. For this attack to work, the access point should have WPS enabled. The good thing is that we would have it enabled in most of the access points we encounter. Let’s see how we can use reaver to crack WPS-enabled wireless networks.

Step 1—Make sure that your wireless card is in the monitor mode.
Step 2—Next, we would use airodump-ng to select our target we want to attack.
In this case we target the access point with ESSID PTCL-BB, and BSSID F4:3E:61:F5:FC:49.
We will copy the BSSID, since this will be the only input required for reaver to work.

Step 3—Now, we will use reaver to attack our access point. The command would be as follows:
reaver –i mon0 –b F4:3E:61:F5:FC:49 –vv
The –i parameter was used to specify the interface, which is mon0, followed by the –b parameter used to define the bssid and –vv for the verbosity. The verbosity is set to twice, which means that it will display each pin’s number as it’s tried against the access point.

REDUCING THE DELAY

We can tweak reaver into reducing the delay between the pins. The default delay is 1 s, but we can reduce it to 0 by specifying a –d parameter.
Command:
reaver –i mon0 –b ≤bssid≥ –d 0
reaver –i mon0 –b ≤bssid≥ –d 0

FURTHER READING

For further hints, tips, and usage guide, I’d recommend you to take a look at the official wiki of reaver:
https://code.google.com/p/reaver-wps/wiki/HintsAndTips
http://www.amazon.com/ALFA-Network-AWUS036H-Wireless-802-11g/dp/B000WXSO76

Cracking wpa/wpa2

As WEP has been deprecated since early 2001, WPA was introduced as an industry standard,
which used TKIP for encryption of data. Later, WPA2 became an industry standard since it
introduced AES encryption, which is more powerful  than TKIP; however, it also supports TKIP encryption. The WPA/WPA2 key that we would use to authenticate on a wireless network is used to generate another unique key. Five additional parameters would be added to our key to generate a unique key. The parameters are the SSID of the network authenticator, Nounce (ANounce), supplicant Nounce (SNounce), authenticator MAC address (access point MAC), and suppliant MAC address (Wi-Fi client MAC).

From a hacker’s perspective, we can use a brute force or dictionary attack or rainbow tables to crack a WPA/WPA2 network, obviously a dictionary attack is much less time consuming than other attacks; therefore it should be your first preference. The success rate of this attack depends upon the wordlist you would use. Another requirement for this attack to work is the four-way handshake, which takes place between a client and an access point, which we will capture using the deauthentication attack.

Let’s see how we can use aircrack-ng to crack a WPA/WPA2 network:

Step 1—First of all, ensure that your network card is inside the monitoring mode.
Step2—Next, we would listen on the mon0 interfaces for other access points having encryption set to either wpa or wpa2. We would use the “airmon-ng mon0” command to do it.

Our target AP would be Shaxter, which uses WPA as their encryption type. We will take a
note of its BSSID and the channel that it’s on, this information would be useful in the upcoming steps.
BSSID: F4:3E:61:92:68:D7
Channel: 6

CAPTURING PACKETS

Step 3—Next, we need to save the data associated with our access point to a specific file. The inputs we need to specify are the channel, the bssid, and the file name to write.
Command:
airodump-ng –c 1 –w rhawap –bssid F4:3E:61:92:68:D7 mon0
 –w—File to write
 –c—Channel

CAPTURING THE FOUR-WAY HANDSHAKE

Step 4—In order to successfully crack WAP, we would need to capture the four-way handshake. As mentioned, to achieve this we could use a deauthentication attack to force clients to disconnect and reconnect with the access point.

STRUCTURE

aireplay-ng –deauth 10 –a ≤Target AP≥ –c ≤Mac address of Mon0≥mon0
Command:
aireplay-ng –deauth 10 –a F4:3E:61:92:68:D7 –c 94:39:E5:EA:85:31 mon0

After we have successfully performed a deauthentication attack, we will be able to capture the four-way handshake.

CRACKING WPA/WAP2

Now that we have all the inputs required for cracking the WPA/WPA PSK, we will use aircrack-ng and specify a wordlist that would be used against the rhawap.cap file that was generated earlier.
Remember that in order for us to successfully crack the WPA/WPA2 PSK, we need to make sure that our file contains the four-way handshake.

STRUCTURE

aircrack-ng –w Wordlist ‘capture_file’.cap
Command:
aircrack-ng rhawap.cap –w/pentest/passwords/wordlists/darkc0de.lst

So, now this will start the dictionary attack against the rhawap.cap file, and if the key is found.Itwill reveal it to us as above.

Cracking a wep network

WEP (Wired Equivalent Privacy) was one of the first authentication and encryption used for wireless networks; it’s been known to be insecure for a decade due to some cryptographic weaknesses related to initialization vectors, key management, etc., which we won’t discuss in this post, since it’s a completely different topic.
Though it’s deprecated and should never be used, we still see it being used in lots of home
networks, one of the reasons being the usage of very old routers that don’t support WPA, WPA2 encryption, the other reason being lack of awareness.
So in this section, we will use aircrack-ng to demonstrate how easy it is to crack a WEP key no matter how complex it is.

PLACING YOUR WIRELESS ADAPTER IN MONITOR MODE

Step 1—First things first: we need to make sure that our network card is placed into monitor mode, we have already learnt that we can use the “airmon-ng start wlan0” command to accomplish this task. We can use “iwconfig” to verify that our wireless adapter is now able to sniff in monitor mode.

DETERMINING THE TARGET WITH AIRODUMP-NG

Step 2—Next, we will use airodump-ng to discover our neighbor networks with WEP encryption enabled. We can see our target with an essid (same as ssid) of “Linksys” and with BSSID of 98:FC:11:C9:14:22 and it’s on the channel 6. We should make a note of the essid, bssid, and channel because we will need them in future.
Command:
airodump-ng mon0

ATTACKING THE TARGET

Step 3—In order to crack the WEP key, we would need to capture of the contents of the data
file and write it to a file which we can analyze later. To accomplish this task, we would use
airodump and restrict our monitoring only to the access point (ap) we are targeting.

STRUCTURE

airodump-ng mon0 –bssid –c (channel) –w (file name to save)
Command:
airodump-ng mon0 –bssid 98:fc:11:c9:14:22 –channel 6 –write RHAWEP

We had to specify the bssid of the target that we learnt from the previous step, followed by the channel that the access point is on, which we also learnt from previous step (channel 6). The reason we want to restrict it to channel 6 is that we don’t want our wireless card to switch channels. Then we instruct it to write the results to a file called RHAWEP. The file would be in several formats, such as kismet, cap, etc., so that we can analyze it using different tools. What we are interested in is the contents of the cap file.

SPEEDING UP THE CRACKING PROCESS

Step 4—In order to decrypt the wep key, we would need data packets, but waiting to collect
them would be time consuming. To speed up this process, we can use a fake authentication
attack which will associate our MAC address with the access point. This attack is only useful
in the case where we have no clients associated with the access point.

STRUCTURE

aireplay-ng – 1 3 –a (bssid of the target) (interface)
Command:
aireplay-ng -1 3 –a 98:fc:11:c9:14:22 mon0

The –1 parameter specifies that we want to use a fake authentication attack followed by the
number of times we want to send the authentication request, then the –a parameter followed by the BSSID of the target and the interface, which is mon0.

INJECTING ARP PACKETS

Step 5—The success rate of our attack depends upon the number of initialization vectors we
gather. A fake authentication attack does not generate ARP packets, therefore, we would
need to use the attack number 3—“ARP Request Replay”—which is the most effective way
of generating initialization vectors.

STRUCTURE

aireplay-ng 3 –b (bssid of target) –h (Mac address of mon0) (interface)
Command:
aireplay-ng -3 –b 98:fc:11:c9:14:22 –h 00:c0:ca:50:f8:32 mon0

The –3 stands for the “ARP Request REPLAY”, followed by the –b parameter, which would
be the BSSID of the target. The –h parameter is new parameter that we haven’t used before, this would be the MAC address of the mon0 interface.
Now, we will wait for the number of data packets to reach at least 20,000; the more packets
the more quickly the key can be decrypted.

CRACKING THE WEP

Step 6—Finally, it’s the time to decrypt the contents of the RHAWEP-0.1-cap file. We will use aircrack-ng to do this.
Command:
aircrack-ng RHAWEP-0.1-cap

So, we have successfully managed to decrypt the key, which is C3:6E:E8:F7:82. Just remove
the colons from the output and you will be left with the original wep key, which in this case is C36EE8F782.

Aircrack -ng

In case we don’t want to wait for the client to disconnect and then reconnect, we can perform a deauthentication attack as explained earlier to force all the clients associated with that access point (which we want to target) to disconnect and then reconnect to the access point.
Command:
aireplay-ng -0 3 –a <macaddress of the ap> mon0

The –0 stands for the deauthentication attack followed by the number 3, which would send
exactly three deauthentication packets. The –a parameter is used to specify the MAC address of the target access point, which in this case would be 64:70:02:8A:12:94, followed by our interface mon0.

BYPASSING MAC FILTERS ON WIRELESS NETWORKS

Apart from hiding the SSID, it’s also a common practice for network administrators to apply MAC filtering on the access point so that only white-listed hosts with MAC addresses would be able to connect to the access point. This is done in colleges and universities where they only want registered students to have access to the Internet. MAC filtering is also a part of low-level security along with hiding the SSID; however, just like the hidden SSID, this security measure terribly fails in the real world, since an attacker can spoof a legitimate MAC address to connect to the access point. Here is how this attack would be carried out:

1.The attacker would scan the access point for the hosts that are already connected to the
access point.
2.    Next, the attacker would note down the MAC address of the legitimate client that is connected to the access point and spoof the MAC address to get into the white list and would be able to connect and use the access point.

So here is how we would combine airodump-ng and macchanger to bypass MAC filtering
restrictions:
Note: Make sure that you already have monitor mode enabled before performing the following steps.
Step 1—The first command we would use is “airodump-ng” to scan for all the neighbor networks. To demonstrate this attack, we would assume that the access point with ESSID
“ROMEO” having a BSSID of “F4:3E:61:9c:77:3B” has enabled MAC filtering and only a
set of allowed MAC addresses are able to connect to this access point.

Step 2—The next step would be to find a client that is already associated with the access point.
We will use airodump to find it for us.
Command:
airodump-ng –c 1 –a –bssid F4:3E:61:9C:77:3B mon0

Since the access point is on channel 1, we would type –c 1; the “–a” parameter would display clients that are currently associated with the access point.
The output shows us that two stations are currently up with MAC addresses
B0:D0:9C:5C:EF:86 and 48:DC:FB:B1:F3:7D.
Step 3—The final step would be to spoof our MAC address and change it to one of the client’s. We can use a neat program in BackTrack called macchanger, but for that, we would need to disable the monitor mode first.
Command:
airmon-ng stop wlan0

Next, we would use the following command to spoof our current MAC address.
macchanger –m B0:D0:9C:5C:EF:86 wlan0

The MAC address of the client, B0:D0:9C:5C:EF:86, is already associated with the access
point. Finally, we would issue the following command to bring the wlan0 interface up.
Command:
ifconfig wlan0 up

We can verify that our MAC address has been spoofed by executing “iwconfig” command
and matching the HWaddr field.

Introduction to Aircrack-ng

Aircrack-ng is the heart of this post; it is a set of tools widely used to crack/recover WEP/WPA/WPA2-PSK. It supports various attacks such as PTW, which can be used to decrypt WEP key with a less number of initialization vectors, and dictionary/brute force attacks, which can be used against WPA/WPA2-PSK. It includes a wide variety of tools such as packet sniffer and packet injector. The most common ones are airodump-ng, aireply-ng, and airmon-ng.

UNCOVERING HIDDEN SSIDS

It’s common practice for network administrators to disable broadcasting SSID. Normally,
the SSIDs are sent in the form of beacon frames, but this does not happen when a network
administrator disables an SSID. This is said to be a good security practice according to many network administrators; however, this terribly fails in real-world situations. The reason being that anytime a client reassociates with the access point, it will send the SSID parameter in plain text, which will reveal the real SSID.
Now, we have two methods to do this: the first one is that we keep analyzing beacon frames
and wait for the client to disconnect and reconnect to the access point; the second option is that we send disassociation packets by using a deauthentication attack, which will force everyone on the network to disconnect and then reconnect to the access point revealing to us the SSID. So let’s see this in action.

TURNING ON THE MONITOR MODE

The next thing we want to do is switch our network card into monitor mode. As mentioned in the “Network Sniffing” chapter (Chapter 6), to sniff on wired networks, we need to switch our network card into promiscous mode. However, to sniff on wireless networks, we need to make sure that our network card is in the monitor mode. One of the advantages of the Alpha card is that it allows us to sniff in the monitor mode, so you need to make sure that your network card is allowed to sniff in the montior mode for this work.
We can use the following command to change the network card to the monitor mode:
airmon-ng start wlan0

So now we can see that we have succesfully enabled monitor mode on the mon0 interface.
We can use the iwconfig command to confirm all the interfaces that have monitor mode
enabled.

MONITORING BEACON FRAMES ON WIRESHARK

Now that we have the monitor mode enabled, we will sniff on the mon0 network interfaces, which will bring us beacon frames containing the SSID that is being broadcasted. If the SSID is not broadcasted, it won’t show up.

We selected the appropriate interface to sniff on, and we are now able to see beacon frames
from other access points, which we are not associated with. Whenever the client authenticates against the access point with the hidden SSID, it will send an SSID parameter; therefore, we can easily figure out what the real SSID is.

MONITORING WITH AIRODUMP-NG

The easy way around is to use airodump-ng to start monitoring the traffic; as soon as the client authenticates, the SSID will be revealed.
Command:
airodump-ng mon0

The access point that is not broadcasting it’s ESSID would appear with the names such as
“<length: 0>”, as soon as the client would re-authenticate the hidden SSID would appear.