Introduction

Websites are used daily by a large part of the world’s population to carry sensitive data from a person to an entity with online-based presence. In websites containing materials that are shown after authentication only, forms transfer data containing user credentials to server-side scripts. Users store their credit card details in their online accounts and use forms to buy items online, so it is crucial to keep the integrity, confidentiality and availability of this data intact.

This article is written merely with penetration testing and website security in mind. Any attempts to penetrate into live systems on your behalf and without consent may lead to criminal proceedings.

To try the training files that come with this article, you need a local server such as XAMPP or WAMPP with Apache and preferably MySQL running. On Windows, to install Hydra you need the make, gcc and ssl libraries of Cygwin; thereafter you start it from the Cygwin Terminal. John the Ripper, on the other hand, can be started from the Command Prompt.


Exercise 1: Deep Data Hiding

In the past, and even today, some people have relied on security through obscurity: they have unprotected directories and files whose sole protection is that nothing links to them, neither backlinks from outside nor links from the main site. Thus, anyone who knew the URL of the directory or file could readily access it. A common way to reveal obscure directories is to check the publicly visible robots.txt and see what is disallowed from being indexed by search engines.

Now open the DeepDataHiding folder through your localhost and try to find the hidden directory where the .doc files uploaded by “users” are stored, then access it. If you upload a .doc file from the directory's main page to test this out, it will not leave your computer.

Exercise 2: Populating a Dictionary

To populate a dictionary, we will be using John the Ripper. Open the PopulatingDictionary folder.

You can populate a dictionary in John the Ripper and cut the output size by knowing the type of password (its maximum length, whether it should be only digits, contain special characters, etc.).

To create a simple dictionary and save it to a file, browse to the John the Ripper installation directory in CMD and use: john-mmx --incremental=alpha --stdout > filename, where filename is the name and location of the file in which the words should be saved.

There are various options in the incremental mode, such as Digit (only digits), Lanman (letters, numbers and some special characters), Alpha (only letters) and All (all characters). Thus, you can also use john-mmx --incremental=lanman --stdout > wordlist.txt, etc.

Be aware that the size of the text file would probably get really big in just a couple of seconds, depending on your machine’s abilities.

Exercise 3: Acquiring user and password list for dictionary attacks

Querying Google for passwords and user lists is usually pretty straightforward.

You use something like filetype:lst password for passwords and filetype:lst user for username lists.

We have included a sample username list and a password list downloaded from the Internet along with the attachment files to this article.

Exercise 4: Breaking HTTPAuth

For this exercise, we will be using Hydra and the user/pass lists included in the attachment files.

When calling Hydra (hydra.exe), the parameter -L usrlistpath supplies the program with the path to a username list file; each of those usernames will be tested against all the passwords until a match is found. -l username gives Hydra a single username, an option you can use if you know the username you are trying to break into but do not know the particular password.

-P loads a password list, while -p loads a single password.

Next, you specify the host to attack (localhost or 127.0.0.1) followed by http-get (request a directory/page), followed by the path to the particular directory or file you are trying to access (path excluding the host which is already given). It will most likely look something like this:

hydra.exe -L HD:/WebsiteHacking/FormCracking/usrnames.txt -P HD:/WebsiteHacking/FormCracking/passwords.txt localhost http-get /HTTPSecurity/

Figure 1: the HTTPAuth seeking credentials. Get them!

To set up a simple HTTPAuth mechanism yourself, create the password file by running htpasswd.exe from your Apache bin folder in the Command Prompt. You can move the resulting user account file to any directory you want, and start the mechanism by editing your .htaccess file:

AuthType Basic
AuthName "Admin Area"
AuthUserFile path/authorized.htpasswd
Require user …

You can select only particular users to be able to access the page, and you can set different username lists for different parts of the website, but this mechanism for protection remains basic. To test cracking the example from the files, change the path of AuthUserFile to the current location of the HTTPSecurity directory.

Exercise 5: Breaking a POST login form

The username and password lists are in the FormCracking folder. They have not been changed, but the correct login credentials are easy enough to find.

The following statement might work:

hydra -L path/FormCracking/usrnames.txt -P path/FormCracking/passwords.txt 127.0.0.1 http-post-form "/FormCracking/index.php:username=^USER^&passwd=^PASS^:Oops"

The difference between this statement and when we cracked the HTTPAuth mechanism is that here we include the parameters that the form sends to the server-side script, in this case username and password. Those are the “name” attributes of the relevant input tags that we want to test.

Figure 2: viewing the POST fields.

Another difference is that after the address we want to crack we include, separated by a colon (:), the text that is shown when the login submission is incorrect. Basically, we are telling the program to repeat until it gets a different output. In our case, “Oops” is part of the login error string we receive.

We also include ^USER^ and ^PASS^ after each POST field that must be filled with the data from the username and password lists by the program.

Then, we wait and the job is done.
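What the attack described above looks like from the server side, as an added example that is not part of the original article: a Python script (the names find_bursts, parse and sample_log are hypothetical) that reads Apache combined-format access-log lines and flags a source that sends many POSTs to the login form, or many GETs answered with 401 against the HTTPAuth-protected directory, within a short window. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_bursts(lines, threshold=10, window_seconds=60):
    """Return {(ip, path): total attempts} for sources that sent at least `threshold`
    login attempts to one path within any `window_seconds` span.  A POST (form login)
    and a GET answered with 401 (HTTP Basic auth retry) both count as an attempt."""
    events = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and (e["method"] == "POST" or e["status"] == 401):
            events[(e["ip"], e["path"])].append(e["ts"])
    hits = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):        # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(stamps)
                break
    return hits

def sample_log():
    """Constructed sample lines: a form brute force, a Basic-auth brute force and normal browsing."""
    fmt = '{ip} - - [12/Mar/2013:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="192.0.2.10", sec=i, m="POST", p="/FormCracking/index.php", st=200) for i in range(12)]
    lines += [fmt.format(ip="192.0.2.20", sec=i, m="GET", p="/HTTPSecurity/", st=401) for i in range(11)]
    lines += [fmt.format(ip="198.51.100.7", sec=i * 20, m="GET", p="/index.php", st=200) for i in range(3)]
    lines.append(fmt.format(ip="198.51.100.7", sec=50, m="POST", p="/FormCracking/index.php", st=200))
    return lines
```

Running find_bursts(sample_log()) reports the two attacking addresses and leaves the single legitimate POST from 198.51.100.7 alone; the same check can be fed the real access.log one line at a time.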

Exercise 6: Modifying Parameters

The next exercise is in the ParameterTampering folder. Open ParameterTampering/login.php with your browser. Your task is to bypass authorization (log in with wrong credentials) without viewing the server-side code, reaching the message in members.php and accessing members2.php without the “Error!”. You do not have to crack the user details. For one of the methods you must see what logging in looks like; use john/123.

The first manner in which you can do this is by modifying an element in the page, the second involves a change in the URL.

The other task is to enter in members2.php without the server echoing “Error”. To do this, you should tamper with the HTTP Headers and add a referrer. I would recommend a plugin such as Tamper Data for Firefox or Request Maker for Chrome.


Answers:

1st possibility:

Figure 3: modifying the values of hidden inputs.

It might seem weird at first, but many sites actually have hidden inputs in which they store important data. An example is PayPal shopping carts on third-party websites where you can change fields such as name of the product directly by changing the value of a hidden input. There are some outdated shopping carts which still use price as a hidden input which means that if you don’t use their API and verify the amount that was paid to you through a server-side script – the user can easily pay as much as he wants for the product!

Figure 4: an example of a shopping cart which sets the price of the item on the client-side.

Figure 5: changing the name of the product in stores using PayPal as a payment method can still do some harm.

2nd possibility:

Setting a loggedin parameter in the GET request (the URL query string); that is probably not something you would meet anywhere today, though.

3rd possibility, members2.php:

Install Tamper Data and start it with Alt+T while the page is open. Add a new header…

called Referer, with the path to login.php as its value; it would then look like you were redirected from login.php. There are developers out there who think HTTP_REFERER proves that the user is legitimate even though it is just a header sent with HTTP requests, and this is a point of exploitation in some sites even today.

Exercise 7: Exploiting Account Lockout

If you have a simple lockout mechanism like this (PHP/MySQL, AccountLockout1 folder):

// Connecting to the MySQL database
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("userdb") or die(mysql_error());

// Loading the row of the user that is logging in, including the number of attempts used so far
$info = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE username = '" . $_POST['username'] . "'"));
if (!$info) {
    die("Unknown user");
}
$attempts = intval($info['attempts']);

// If the login credentials are incorrect, add 1 to the attempts variable
if ($_POST['pass'] != $info['password']) {
    $attempts += 1;
    echo "This is your " . $attempts . " attempt!\n";

    // Stop the rest of the code from executing if the user has tried to log in with incorrect details at least three times
    if ($attempts > 2) {
        die("<h1>This account is locked. Contact the administrator at sysadmin@samplesite.com</h1>");
    }
}

// Update the attempts column of the particular user in the database
mysql_query("UPDATE users SET attempts=" . $attempts . " WHERE username = '" . $_POST['username'] . "'");

If we have such a login form, or we rely on a plugin for WordPress or Joomla that behaves like this without being aware of it, then malicious people can block an account just by knowing the username. On many sites the username is readily available, for instance in comments to articles, on message boards, in social media likes, etc.

A solution is both to block only the offending IP address and to provide the block only for a limited duration.

A sample solution that adds a duration to the account lockout in PHP/MySQL could look something like this:

//folder AccountLockout2

-- SQL to create the users table
CREATE TABLE users(
ID MEDIUMINT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
username VARCHAR( 60 ) ,
password VARCHAR( 60 ) ,
attempts TINYINT,
time TINYINT)

Adding a user to the database could look like:

$insert = "INSERT INTO users (username, password, attempts, time)
           VALUES ('" . $_POST['username'] . "', '" . $_POST['pass'] . "', '0', '-1')";
           // attempts starts at 0; time holds the hour the lockout was set, -1 meaning none

We use the number -1 to indicate that there is no lockout.
Then we change the old code a bit:

if ($attempts > 2) {
    // If there is no lockout yet, create one and tell the user when the account will be active again
    if ($info["time"] == "-1") {
        $expectedRelease = date("H") + 1;
        mysql_query("UPDATE users SET time=" . date("H") . " WHERE username = '" . $_POST['username'] . "'");
        die("<h1>This account is locked. Contact the administrator at sysadmin@samplesite.com"
            . ". It is going to be active at: " . $expectedRelease . " o'clock</h1>");
    }
    // Otherwise, remove the lockout once the stored hour has passed.
    // Note: only the hour of day is compared, so a lock set during the 23:00 hour is never
    // released by this test (no hour is greater than 23) and the wrap at midnight is not handled.
    else if ($info["time"] != -1 && date("H") > intval($info["time"])) {
        mysql_query("UPDATE users SET time='-1' WHERE username = '" . $_POST['username'] . "'");
        $attempts = 0;
    }
    // The account is already locked and the hour has not passed yet: just say it is locked and quit
    else {
        die("<h1>This account is locked. Contact the administrator at sysadmin@samplesite.com</h1>");
    }
}

This simple script locks the account out after 3 failed attempts for a varying period of time, until a full hour has passed since the lockout. It can be found in the AccLockoutDuration folder.

Better still, ban the offending IP address and implement a more robust version of the above script, which serves demonstrative purposes only.
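The improvement recommended above, as an added example that is not the article's code: the lockout logic rewritten in Python rather than PHP, keyed by client IP and expiring after a fixed duration measured from the moment of locking instead of by comparing the hour of day. LockoutTracker, USERS and login are constructed stand-ins for the article's `attempts` and `time` columns and its login script.

```python
import time
from typing import Dict, Optional

MAX_ATTEMPTS = 3        # the third failure triggers the lockout, as in the article's script
LOCKOUT_SECONDS = 3600  # one hour, as in the article, but measured from the moment of locking
USERS = {"john": "123"}  # constructed stand-in for the article's users table (plaintext as there)

class LockoutTracker:
    """Per-IP failed-login counter with a time-limited lockout (the article's `attempts`
    and `time` columns, kept in memory here instead of the database)."""

    def __init__(self) -> None:
        self.attempts: Dict[str, int] = {}        # ip -> consecutive failures
        self.locked_until: Dict[str, float] = {}  # ip -> unix time at which the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # expired: clear the lock and restart the counter
            del self.locked_until[ip]
            self.attempts[ip] = 0
            return False
        return True

    def record_failure(self, ip: str, now: float) -> int:
        """Count a failed login; returns attempts left before lockout (0 means locked)."""
        if self.is_locked(ip, now):
            return 0
        n = self.attempts.get(ip, 0) + 1
        self.attempts[ip] = n
        if n >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return 0
        return MAX_ATTEMPTS - n

    def record_success(self, ip: str) -> None:
        self.attempts.pop(ip, None)      # a correct login resets the counter

def login(tracker: LockoutTracker, username: str, password: str, ip: str, now: Optional[float] = None) -> str:
    """Decision for one login request: "ok", "locked" or "wrong (N left)"."""
    now = time.time() if now is None else now   # injectable clock makes the expiry testable
    if tracker.is_locked(ip, now):
        return "locked"
    if USERS.get(username) == password:
        tracker.record_success(ip)
        return "ok"
    remaining = tracker.record_failure(ip, now)
    return "locked" if remaining == 0 else f"wrong ({remaining} left)"
```

Because the counter is per IP, an attacker who only knows a username can no longer lock the real user out from another address, and the lock releases itself exactly one hour after it was set, at midnight or otherwise.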

Exercise 8: yet to come…

Conclusion

We have barely scratched the surface of website hacking and web security, as it is a vast field. Still, I hope future articles will reveal more of it, as the leakage of data can not only harm the reputation of your business, the trust of your clients and the well-being of those clients, but can also put you in front of serious legal proceedings.