Friday, April 22, 2016

Installing Bro Network Security Monitor

This is the first of a two-part series. In part two I'll be demonstrating how to use Bro as well as some use cases.

Installation:

This installation was done on Debian. Use the appropriate package manager for your Linux distribution to install the following packages.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

sudo apt-get install libgeoip-dev

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz


sudo mv /home/<username>/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz

tar zxvf bro-2.4.1.tar.gz

cd bro-2.4.1

./configure --prefix=/opt/bro2

make

sudo make install

(Run configure and make as your regular user; only the install into /opt needs root. Running configure under sudo leaves the build tree owned by root and the following make will fail.)

export PATH=/opt/bro2/bin:$PATH

To make that permanent, add the same line to ~/.profile:

nano ~/.profile
    PATH=/opt/bro2/bin:$PATH



  • In /opt/bro2/etc/node.cfg, set the right interface to monitor.
  • In /opt/bro2/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
  • In /opt/bro2/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
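Before running broctl install it is worth checking that the two files just edited are sane, because a bad entry in networks.cfg silently makes Bro treat that range as remote. The script below is an added example, not from the original post or from the Bro project: it pulls the monitored interface out of node.cfg, checks whether that interface exists on the host, verifies that every active line in networks.cfg starts with a well-formed IPv4 CIDR, and runs against constructed sample files in a temporary directory. The sample contents are assumptions for the demo; point the functions at /opt/bro2/etc/node.cfg and /opt/bro2/etc/networks.cfg on a real install.

```shell
#!/bin/sh
# Added example (not part of the original post or of Bro itself):
# sanity checks for node.cfg and networks.cfg before `broctl install`.

# Print the first interface= value found in node.cfg ($1 = path).
node_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the named interface exists on this host (Linux sysfs), else 1.
interface_present() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, n in 0..32), else 1.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the number of active (non-blank, non-comment) lines in networks.cfg
# ($1 = path) whose first field is not a valid CIDR; the offending entries
# go to stderr. The file must end with a newline for the last line to be read.
bad_networks() {
    bad=0
    while read -r net rest; do
        case "$net" in ''|'#'*) continue ;; esac
        if ! is_cidr "$net"; then
            echo "networks.cfg: bad entry: $net" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad"
}

# Demo against constructed sample files (assumed contents, not a real deployment).
demo() {
    dir=$(mktemp -d)
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=eth0\n' > "$dir/node.cfg"
    printf '# 10.0.0.0/8   Private IP space (default, commented out)\n' > "$dir/networks.cfg"
    printf '192.168.1.0/24 Lab segment\n10.1.1.1/33 Bad prefix length\n' >> "$dir/networks.cfg"

    iface=$(node_interface "$dir/node.cfg")
    echo "monitored interface: $iface"
    if interface_present "$iface"; then
        echo "interface $iface exists on this host"
    else
        echo "warning: interface $iface not found on this host"
    fi
    echo "bad network entries: $(bad_networks "$dir/networks.cfg")"
    rm -rf "$dir"
}

demo
```

Run it once after editing the files; a non-zero count of bad entries means networks.cfg should be fixed before broctl install copies it into the running configuration.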


Start the broctl shell and enter these commands at its prompt (install deploys the configuration, start launches Bro, and stop shuts it down again):

broctl
    install
    start
    stop

Usage:

To analyze a capture file offline, pass it to bro with -r (and -C to ignore bad checksums, which are common in locally captured traffic):

bro -C -r pcap.pcap

Stay tuned for more Bro goodness!

Saturday, April 16, 2016

Web application pentesting on Seattle vm

In my spare time I like to sharpen my skills by pentesting vulnerable virtual machines, usually from vulnhub.com. This is my review of "Seattle". This wasn't a thorough pentest of the web application; it was what I was able to knock out in a couple of hours one afternoon for fun.

I found an LFI at the URL "/details.php?prod=1&type=1&lang=USD".


The "My Account" page is vulnerable to SQL injection. The email address must be a valid email address. It wouldn't accept foo@foo.com.


On the Blog page, I clicked on "Admin" and arrived at this page which includes admin's email address.


Back on the "My Account" page, I logged in with admin@seattlesounds.net and a password of "' or 1=1 -- ".

After multiple tests, I was able to exploit stored XSS on the site with "<a onmouseover=alert(document.cookie)>xxs link</a>". Any requests containing SCRIPT were filtered on the blog form. OWASP has an excellent cheat sheet on XSS filter evasion at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.


I was able to use sqlmap to exploit SQL injection with any of the product pages, using URL "/details.php?prod=1" for example. This was a blind SQL injection vulnerability, meaning that my usual methods of manually pulling info from the database to be displayed on the page didn't work, so I let sqlmap do the heavy lifting as blind SQL injection can be very difficult to exploit.


I pasted the hash into crackstation.net and found the root password. Had it not been found on crackstation I would have run it through oclhashcat which uses the GPU to run through very large password lists in a few minutes.

Game over:


This wasn't the most difficult web app that I've worked through. It did provide a couple of hours of fun on an afternoon off from work.