Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: web app

SANS Web App Penetration Testing and Ethical Hacking Class – DAY 2

SANS Web App Penetration Testing and Ethical Hacking Class – DAY 2

DAY 2:

Well after a evening drinking on a Thames riverboat, it’s time for day 2 of the Web App course. We begin by covering the usual suspects in recon. A few slides on Google hacking (even stuff I’ve not seen on G groups hacking) and then onto whois, DNS and fingerprinting the remote server. This is all pretty much basic stuff. It seems these topics end up in every class on penetration testing, as the content was covered in SEC:560 as well.

The afternoon covered a little more in-depth stuff, including the use of transparent proxies, and the comparison between the various proxy tools available. Some more information on the RATSPROXY would have been nice, but I guess we can’t cover them all. It’s the small gems that make the course worthwhile for me though. The w3m tool for example. Using it with the -dump command allows you to strip out the HTML tags from a page. This is great for forming wordlists from spidered sites.

w3m -dump index.html > index.txt

Second gem for the day, Wireshark display filters for HTTP content. I’ve not had much call to play with these in the past, another thing on the list as always. Things like “http.content_type contains “jpeg”” “http.response.code == 404” and “http.user_agent contains Wget” are great (incase you wondered, jpeg is a reserved word in Wireshark, so needs to be in quotes). If you’re using the contains option though, it’s case sensitive. To make things easier you can use “lower(http.user_agent) contains wget” to make everything lowercase for the matching process. This kind of thing makes me want to play with Wireshark and TCPDUMP filters some more. Sad, but true….

These kinds of display filtering would come in handy for large captures, like those you make when performing a penetration test. After all, we all capture all traffic while we’re doing a penetration test, right 😉

A quick look at the session and cookie analysis of WebScarab and day 2 is over. I’d like to have seen Burp Suite as the analysis tool of choice personally. The Burp analysis of cookie values is so much more in-depth than the single spread chart provided by WebScarab. Still, each to their own.

Things are warming up. Start slow and end fast, that’s what I say 😉

SANS Web App Penetration Testing and Ethical Hacking Class – DAY 1

SANS Web App Penetration Testing and Ethical Hacking Class – DAY 1

DAY 1:

The first day on most classes of this type seems to be a basic outline day. As usual everybody needs to be at the same level for the remaining 3 days of the course, this is a must. Overall the first day covered things that most people who work as a penetration tester will already know. Then again, there are others moving into this area that need the review. A review on the HTTP METHODS was interesting, especially the section on the CONNECT method. The real benefit for me though was the detailed run-through of the authentication options. I managed to get a few minutes to read through the RFC on Digest Authentication and reenact the challenge response process at the command line (using openssl with the MD5 option). It’s always good to understand how it works behind the scenes.

Raul Siles has a good teaching style (as I learned in the VoIP Security class) so I’m looking forward to the next 3 days. I’m hoping for a couple of nuggets of pure gold from the course. We’ll see how days 2,3 and 4 go.

Update: From comments on Twitter it looks like Ed Skoudis is working on an update to the class. From what I’ve heard it looks like it will be a 6 day class in the future, so should cover some more in-depth topics in later versions of the class.