Saturday, 6 January 2018

Web Services/ API Penetration Testing Part - 1


Hi Readers, today we will learn about another interesting part of penetration testing: security assessments of web services.

To start with let’s take a look at what web services are made of:

A web service is software built around a standardized XML messaging system.

The benefit of web services is that, since all of their communication is in XML, they are not tied to any particular operating system or programming language.

Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

Anatomy of Web Services

In simple language, any basic web services platform is a combination of XML and HTTP.
Its building blocks can be:
  • SOAP (Simple Object Access Protocol)
  • UDDI (Universal Description, Discovery and Integration)
  • WSDL (Web Services Description Language)


How does a Web Service Work

Web services depend on:
• XML to tag the data (as markup and syntax)
• SOAP to transfer a message
• WSDL to describe the availability of the service.



Penetration Testing on Web Services:

To begin penetration testing web services, we always need the following as preliminaries:
1) Sample API file (WSDL/SOAP etc.)
2) Sample request/response (to understand the values and data being passed)
3) Entry points/URLs

Tools for performing web services penetration testing:
  • Fiddler
  • Burp Suite
  • Acunetix/IBM Security AppScan
  • ZAP Proxy
  • Curl
  • SOAP UI
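As an added example (not code from the original post), here is how the first and third preliminaries connect: a small standard-library parser that reads a WSDL and lists each SOAP endpoint with the operations and SOAPAction values it accepts. The WSDL, hostnames and URLs in it are constructed for the demo.

```python
# Added example, not from the original post: enumerate the entry points a SOAP
# service exposes by parsing its WSDL with the standard library only.
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed sample WSDL (portType/message sections omitted for brevity);
# the hostnames and URLs are placeholders, not a real service.
SAMPLE_WSDL = """<definitions name="AccountService"
    targetNamespace="http://example.test/account"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.test/account">
  <binding name="AccountBinding" type="tns:AccountPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="tns:AccountBinding">
      <soap:address location="http://example.test/ws/account"/>
    </port>
  </service>
</definitions>"""


def enumerate_wsdl(wsdl_text):
    """Map each SOAP endpoint URL to its sorted (operation, SOAPAction) pairs.
    Every operation is an entry point; SOAPAction is what the server dispatches on."""
    root = ET.fromstring(wsdl_text)
    actions = {}                          # binding name -> {operation: SOAPAction}
    for binding in root.findall("wsdl:binding", NS):
        ops = {}
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            ops[op.get("name")] = None if soap_op is None else soap_op.get("soapAction")
        actions[binding.get("name")] = ops
    endpoints = {}
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        if addr is None:                  # not a SOAP port (e.g. an HTTP GET binding)
            continue
        binding_name = port.get("binding").split(":")[-1]   # drop the tns: prefix
        endpoints[addr.get("location")] = sorted(actions.get(binding_name, {}).items())
    return endpoints
```

Run it against a real WSDL fetched with curl or Burp and the output is the list of operations to build sample requests for.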

Exploiting Browsers using PasteJacking and XSSJacking Vulnerability


Hi Readers, in the field of penetration testing we all know attacks such as Clickjacking and Cross-Site Scripting; these feature in most OWASP Top 10 test cases.

Today we will look into some advanced attack vectors that have been around for some time but that not everyone is aware of.

Pastejacking. The art of changing what you copy from web pages.

What is pastejacking?

• Pastejacking is a method that malicious websites employ to take control of your computer's clipboard and change its content to something harmful without your knowledge.

• This feature can allow malicious websites to take over your computer's clipboard.

• When you copy something from the page, the website's script runs in your browser and can rewrite what actually lands in the clipboard.

• The method can be used to change the Clipboard contents.

• Paste it straight into a terminal? Result: the injected commands get executed.

To avoid paste jacking:

• Windows users need to check what has actually been placed in their computer's clipboard.

• Paste the contents into Notepad first. It pastes the clipboard as plain text and lets you see exactly what it holds.

• Result: An additional step to prevent getting Pastejacked.

Attack scenario:

Here we have a sample page showing the text “who am i?” as bait for copying. Once this text is copied, it is automatically replaced in the clipboard with echo ” I @// H4k3r”.
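An added example (not from the original post) that turns the Notepad check into code: given what you selected and what the clipboard actually holds, it reports the differences that matter when pasting into a terminal, including a trailing newline and invisible characters that Notepad would not show. The bait and swapped strings are constructed to mirror the scenario above.

```python
# Added example, not from the original post. Given the text you selected and what
# the clipboard actually holds, list the differences a terminal would act on.
import unicodedata


def audit_clipboard(selected, clipboard):
    """Return a list of findings; an empty list means the paste looks honest."""
    findings = []
    if clipboard != selected:
        findings.append("clipboard text differs from what was selected")
    if clipboard.endswith(("\n", "\r")):
        # A trailing newline makes a shell run the line the moment it is pasted.
        findings.append("trailing newline: a terminal would execute this immediately")
    for i, ch in enumerate(clipboard):
        cat = unicodedata.category(ch)
        # Cc = control characters (newlines are reported above instead);
        # Cf = format characters such as zero-width space, invisible in Notepad.
        if cat == "Cc" and ch not in "\r\n":
            findings.append(f"control character {ch!r} at offset {i}")
        elif cat == "Cf":
            findings.append(f"invisible format character U+{ord(ch):04X} at offset {i}")
    return findings


# Constructed sample mirroring the scenario above: the bait the page shows
# versus a command (with a trailing newline) swapped into the clipboard.
BAIT = "who am i?"
SWAPPED = 'echo "I @// H4k3r"\n'
```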




What is XSSJacking

XSSJacking is yet another attack, one that chains together three different attacks: Clickjacking, Pastejacking, and Self-XSS.

For those who may not be aware, here's a quick intro:

Self-XSS is a type of XSS that typically can only be triggered by a user typing in an XSS payload that fires on themselves. It can be DOM-based, or sit in a field that only that one user can set and view.

Clickjacking is an attack that frames a website where the victim is logged in, typically sets the frame's opacity to 0, and forces the victim to interact with their own account from a different website, unknown to them.

Pastejacking is the covert appending of malicious text to copy-pasted data (as seen above).

A practical scenario of how it can be exploited:

You're a malicious hacker and you set up a messaging forum to interact with users.
In the forum registration page, you place an “Enter your name” field and a “Reenter your name” field.

You place a hidden iframe on top of the “Reenter your name” field, in which you load a form field from an innocent page.

When a user wants to register on your forum, he'll type his name, and most likely copy-paste it into the second field.

The malicious forum appends its code to his copy-pasted text, which then lands in the framed field of the innocent website.

Attack possibilities:

If the innocent website's form fields are vulnerable to XSS, the attack code can perform malicious actions and the victim's account can be compromised.
Impact: XSSJacking attacks can dump cookies and steal user data.
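An added example, not from the original post, for the clickjacking leg of the chain: a check over a page's response headers that says whether a modern browser would let the innocent form page be framed the way the scenario requires. The header sets are constructed.

```python
# Added example, not from the original post: classify a response's framing
# protection (X-Frame-Options / CSP frame-ancestors). Sample headers are constructed.

def framing_policy(headers):
    """Return 'blocked', 'same-origin-only', 'restricted' (allow-list) or 'framable'."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.lower().strip("'") for s in parts[1:]}
            if sources == {"none"}:
                return "blocked"
            if sources & {"*", "http:", "https:"}:   # wildcard scheme sources allow any origin
                return "framable"
            return "same-origin-only" if sources == {"self"} else "restricted"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked"
    if xfo == "sameorigin":
        return "same-origin-only"
    # No header, or ALLOW-FROM (which current browsers ignore): the page can be framed.
    return "framable"


# Constructed samples: the "innocent" form page as shipped, and two hardened variants.
INNOCENT_PAGE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED_CSP = {"content-type": "text/html",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
```

Only a page that comes back "framable" can be loaded invisibly over the "Reenter your name" field; either hardened header set breaks the chain at that step.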

Attack scenario:

In the first screenshot we can see a page with two simple text fields: enter your name, and enter your name again.


As expected, a user will type his name first and then copy-paste it into the second field. The moment he does so, the XSS alert is triggered through the abused pastejacking method: the victim has unknowingly executed a self-XSS in the second field, on top of which the clickjacking exploit code was placed.



So three attacks got executed in a jiffy!

Output page.

Result: the above two exploits are not really something that has a patch!

Since it's a mix of luck, feasibility and social engineering, all needing user intervention, make sure that whenever you copy content from unknown sites, you first paste it into a harmless place such as Notepad to see what the clipboard actually contains.

References:

The above code for web pages is modified with a shortened form from the original sources of:

• https://github.com/dxa4481/Pastejacking
• https://github.com/dxa4481/XSSJacking

Note: The above article has also been published in Hakin9 https://hakin9.org/download/burp-suite-compendium/

Dark Web: Accessing the hidden content Part- 2


I2P Intro:

According to Wikipedia, the Invisible Internet Project (I2P) is an anonymous network layer that allows peer-to-peer communication by encrypting the user's traffic and sending it through a volunteer-run network of roughly 55,000 computers distributed around the world.

The software that implements this layer is called an “I2P router” and a computer running I2P is called an “I2P node”. I2P is free and open source.

I2P can run on a PC as well as on Android; here is a screenshot of I2P running on an Android device.


Image source: https://en.wikipedia.org/wiki/File:I2PAndroid-console-0.9.20.png

While Tor lets you stay anonymous and open both public sites and dark sites (with .onion addresses), I2P's focus is on creating its own internal internet: the network isn't accessible from a regular computer without the I2P software.

By installing the requisite I2P software, your computer joins I2P and begins routing traffic, much like a Tor middle relay, forming a distributed, dynamic and decentralized network that allows secure and anonymous communication between individuals.

Features of I2P

Email/Messaging
There are a few messaging services on I2P, a couple of them being I2P's built-in email application and I2P-Bote. Its security features include stripping parts of mail headers and delaying outgoing messages to reduce any correlations that could de-anonymize you.

IRC (Internet Relay Chat)
I2P has an IRC service that allows users to chat anonymously. I2P's anonymity offers a near-perfect sense of freedom of speech.

Eepsites
Eepsites are the I2P equivalent of a Tor Hidden Service: they are websites hosted on the I2P network, whose operators can be anonymous.

Torrents
I2P offers the Postman Tracker and I2PSnark. The tracker is essentially I2P's Pirate Bay, and I2PSnark is essentially its uTorrent. I2P offers improved overall anonymity, so torrenting on I2P is secure and anonymous.

Configuring and installing I2P:

1. Download the I2P installer (available for both Windows and Linux).

2. Configure the browser to work with I2P using the FoxyProxy add-on: using the Tor Browser, navigate to the FoxyProxy page on Mozilla's website and install the add-on.

3. Download the configuration file for FoxyProxy.
Link: https://thetinhat.com/tutorials/darknets/foxyproxy.xml

4. Once downloaded, press CTRL+SHIFT+A and open the preferences for FoxyProxy. On the Preferences panel go to File > Import Settings and import the configuration file.

5. Start I2P with Tor running in the background. On Windows simply click the icon. On Linux, cd into the i2p folder and run i2prouter start in your terminal.

6. Now, in the Tor Browser, navigate to http://127.0.0.1:7657/

7. Check the left-hand sidebar. If it says “Network: OK”, you're ready to start using I2P. If it says otherwise, click on it; this will bring you to a page describing the problems it may be having.

Here is a screenshot of the I2P router console.


From here you are good to go; experiment and play with it.

Finally, some tips for browsing dark sites:

1. Never open “.onion” websites on a browser other than TOR (The Onion Router).

2. Try to use TOR with a VPN (since even TOR has been cracked).

3. Never enable Macros and Scripts.

4. Never download Files off untrusted or unknown sites.

5. Never assume everything is “Legal” on the dark web.

6. Consider 100 times before buying any type of “Service” or “Item” from a darknet market.

7. Never buy things with a Credit/Debit card.

8. Be wary of making the wrong friends and the wrong enemies.

More reference and further reading: https://thetinhat.com/tutorials/darknets/i2p.html





Dark Web: Accessing the hidden content Part- 1


Curiosity towards hidden and unknown things is natural to people.

For most people, the Internet consists of the websites indexed by popular search engines like Google; the deep and dark web, however, lies beyond traditional search engines, hidden and inaccessible through standard web browsers.

It is an interesting fact that only about 4% of the internet is visible to the general public. That means 96% of the internet is made up of “The Deep Web”!

The Deep Web hosts the “Dark Web,” a series of networks called “darknets” that overlay the public Internet but require specific software or authorization to access. As users can operate Darknets anonymously, it’s not hard to guess that these are the abode of various criminal activities. In fact, Darknet hosts a worldwide marketplace of illicit goods and services.

Top darkweb searches include child pornography followed by drug dealing, software hacking, currency counterfeit, stolen information from sensitive sources, weapon market and many other illegal activities.


How to access the Dark Web?

The Dark Web, as its name suggests, sits behind the open web as a huge chamber of secrets, locked away from the ordinary world for most people.

Among the many techniques, the prime method is the Tor network, which opens the door to accessing .onion links.


Another niche yet feasible option is I2P (the Invisible Internet Project).

In order to access the Dark Web:

Download the Tor bundle (which is a modified version of Firefox).
Once downloaded, fire up the Tor Browser.


How does TOR work?

A high level approach:


Image source: https://thenextweb.com/insider/2013/10/08/what-is-tor-and-why-does-it-matter/


Tor, as its logo shows, is like an onion: it builds up multiple layers of encrypted connections through random relays.

Accessing dark websites:

To begin with, directories like OnionDir and TheHiddenWiki provide lists of sites across diverse categories.

While there are multiple references, here is a short list:

https://thehiddenwiki.org/





Thick Client Penetration Testing Tutorials - Part 5

So far in our penetration testing assessments, our main approach has been to resolve the actual domain to the loopback IP address by adding an entry to the hosts file.

Now let us consider a situation where the thick client application does not send its requests to a domain or host name. What happens then?

We are stuck, since there is no name to map in the hosts file.

Consider a thick client URL like http://172.32.23.23:891/login. It cannot be mapped in the hosts file, since no domain name points to it.

So let's use a workaround: configuring Burp together with the Microsoft Loopback Adapter.

Prerequisites:

Two machines residing in the same network, both running Burp Suite.
One machine (the testing machine) has the Microsoft Loopback Adapter configured.
The second machine acts as a gateway that forwards the requests to the internet.
The loopback adapter is what deceives the local machine: in the absence of a real domain, all application requests destined for the actual server are redirected to the loopback adapter by giving it the same IP address as the actual server.

For those not familiar with the concept, the Microsoft Loopback Adapter is a dummy (virtual) network interface.

It is a kind of hidden Easter-egg feature of Windows, which you can enable with the following steps:



1. Run cmd as Admin.
2. Enter “hdwwiz.exe”.
3. On “Welcome to the Add Hardware Wizard”, click Next.
4. Choose to install the hardware manually.
5. Select “Network adapters”.
6. Select “Microsoft” as the Manufacturer, then select the Network Adapter “Microsoft Loopback Adapter” and click Next.


Setting up loopback adapter_1

In network connections tab, you can see it:





Machine 1 (xx.xx.xx.x1):

This is the testing machine where the Thick Client application is running.

We configure the below settings to make it ready:

The Microsoft Loopback Adapter is installed and given the IP address of the actual server (in our example 172.32.23.23, the server the application reaches on port 891).
Burp Suite is configured to listen on the loopback adapter's IP address.
Burp Suite is configured to forward the requests to Machine 2.
Once we fire an actual request, the following happens:


Scenario:

Because the loopback adapter carries the IP address of the actual server, the HTTP request sent by the thick client application first goes to the loopback adapter.

The Burp Suite listener hooked to the same IP address captures it.

What to do next?

Since the request meant for the actual server is now stuck on Machine 1 with the loopback adapter and Burp, we need to forward it to Machine 2 (xx.xx.xx.x2) so that it can reach the actual destination server.

Setting up IP details on loopback adapter.

Let’s see how the logic works by a simple diagram:




High level working

The following screenshots show the Burp Suite configuration in Machine 1.

Assumption: The actual server IP is 172.32.23.23:891


We now need to forward the request to the second machine (xx.xx.xx.x2).



Machine 1

Burp setting with loopback

Machine 2 (xx.xx.xx.x2):

This machine is configured as the gateway that routes the requests forwarded by Machine 1 (xx.xx.xx.x1) to the destination server.

Configuration checklist to be setup for machine 2:

Set up a Burp Suite listener on the adapter with the IP address xx.xx.xx.x2.
Configure redirection of traffic to the actual server (in our case, the actual IP of the server, 172.32.23.23:891).
The Burp listener captures the requests forwarded by Machine 1.
Finally, the redirect-to-host configuration forwards those requests to the destination server.
The following screenshots show the configuration:



Requests via Burp to actual server (Machine 2 Burp)

That's it. Once done, Burp will intercept the application's requests as well as redirect them to the IP address that has no domain name mapped!
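As an added example (not the post's own setup), here is the Machine 1 role reduced to a plain TCP relay, so the forwarding chain can be seen without Burp: it binds the address the loopback adapter carries and hands each connection to the next hop. All addresses are constructed so the demo runs on one host; on the real Machine 1 the relay would bind 172.32.23.23:891 and point at xx.xx.xx.x2, and `start_fake_server` stands in for whatever answers at the far end.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy bytes one way until the source closes, then tear down both sockets.
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)

def _listen(addr, handler):
    # Bind addr and run handler(conn) on a thread per client; return the bound address.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(addr)
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def start_relay(listen_addr, upstream_addr):
    """Machine 1 role: accept on the server's IP and relay to upstream (Machine 2)."""
    def relay(client):
        upstream = socket.create_connection(upstream_addr)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()
    return _listen(listen_addr, relay)

def start_fake_server():
    """Stand-in for the real server behind Machine 2: answers one HTTP request."""
    def answer(conn):
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := conn.recv(4096)):
            buf += chunk
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        conn.close()
    return _listen(("127.0.0.1", 0), answer)

def relay_roundtrip(request=b"GET /login HTTP/1.0\r\n\r\n"):
    """Demo on 127.0.0.1 (constructed): client -> relay (Machine 1) -> server."""
    relay_addr = start_relay(("127.0.0.1", 0), start_fake_server())
    with socket.create_connection(relay_addr) as c:
        c.sendall(request)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

The thick client never learns that 172.32.23.23 is local: it connects to the IP it was built with, and the relay (or Burp in the post) is simply what answers there.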

Happy hacking!

Hacking into Block Chain Technology:Part 2

Security Testing on Block Chain: By- Samrat Das Now since we have our fundamentals clear on block chain, let’s proceed for un...