Pentesting

Giang L. Nguyen

April 1, 2020

PenTesting

PenTesting is short for “Penetration Testing”, also called “Ethical Hacking”, and is used for testing your defences against attacks. The test can reveal vulnerabilities that you weren’t aware of but that are easily exploited by an attacker.

The pentesting done by commercial providers often doesn’t cover many of the newest vulnerabilities, as the tests are automated and usually target the most common issues. Pentesting also covers the applications in use; well-known and official lists such as the OWASP Top 10 Application Security list or the SANS CWE list are referred to and used occasionally.

OWASP

OWASP stands for the Open Web Application Security Project and is a community that provides knowledge and papers about security, along with basic ways to protect against the vulnerabilities it describes. Since 2003 it has published a top ten list of the most critical risks, compiled by highly skilled members of the community.

SANS CWE

SANS is an institute that does research, provides education and issues certifications in information security. It also cooperates with corporations, government agencies and universities to do research and share knowledge. SANS provides a Top CWE (Common Weakness Enumeration) list based on polls and feedback, but for 2019 the list was based on feedback in the NVD (National Vulnerability Database).

DVWA - Damn Vulnerable Web Application

To try out these weaknesses in practice, you could use DVWA, short for Damn Vulnerable Web Application. This is a deliberately vulnerable website for testing brute force, command injection, file inclusion and upload, SQL injection, cross-site scripting and bypasses.

You can set it up by downloading the files and editing the config file at dvwa\config\config.inc.php; if it doesn’t exist, just copy dvwa\config\config.inc.php.dist to that name and edit it as needed.

Config

<?php

# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
#   Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'user';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';

# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port' ] = '5432';

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '';
$_DVWA[ 'recaptcha_private_key' ] = '';

# Default security level
#   Default value for the security level with each session.
#   The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or 'impossible'.
$_DVWA[ 'default_security_level' ] = 'low';

# Default PHPIDS status
#   PHPIDS status with each session.
#   The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';

# Verbose PHPIDS messages
#   Enabling this will show why the WAF blocked the request on the blocked request.
#   The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';

?>

Changes

I’ve set this up on my Kali 2020.1 and only did a few tweaks to get it up and running.

Config

$_DVWA[ 'default_security_level' ] = 'low';
$_DVWA[ 'db_user' ]     = 'user';

You can see that I’m setting the database user to user; you’ll need to create this user too if you’re using MariaDB, then grant it access so that it can create the tables for you later on. If it had been MySQL, I would’ve set the user to root.

MariaDB

Connect to your MariaDB, create the database dvwa, add a user called user and grant it all privileges on the database dvwa:

CREATE DATABASE dvwa;
CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL ON dvwa.* TO 'user'@'127.0.0.1';
FLUSH PRIVILEGES;
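As an added example (not part of the original post and not DVWA's own code), the Python script below parses the $_DVWA[...] assignments out of a config.inc.php and checks the points the setup above depends on: that the database user is not root when MariaDB is used, that the database server stays on loopback, that the password is not empty or the sample value, that a 'low' default security level is called out as lab-only, and that no key carries stray whitespace (a key written as 'db_port ' with a trailing space is never looked up by the application, so the setting silently has no effect). The embedded sample config is constructed for this example, and the function names parse_dvwa_config and audit_dvwa_config are chosen here, not taken from DVWA.

```python
import re

# Constructed sample: a cut-down config.inc.php in DVWA's layout, with two
# deliberate problems (root user, trailing space in the db_port key).
SAMPLE_CONFIG = """<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
#$_DVWA[ 'db_password' ] = 'commented-out-value';
$_DVWA[ 'db_port '] = '5432';
$_DVWA[ 'default_security_level' ] = 'low';
$_DVWA[ 'default_phpids_level' ] = 'disabled';
?>
"""

# Matches lines of the form  $_DVWA[ 'key' ] = 'value';  The whitespace inside
# the brackets is optional, which is how the real file is laid out.
_ASSIGN = re.compile(r"^\s*\$_DVWA\[\s*'([^']*)'\s*\]\s*=\s*'([^']*)'\s*;")


def parse_dvwa_config(text):
    """Return {key: value} for every $_DVWA assignment that is not commented out.

    Keys are kept exactly as written (whitespace included) so typos stay visible.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith('#') or stripped.startswith('//'):
            continue  # PHP line comment, e.g. an alternative value left in the file
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_dvwa_config(settings, dbms='MariaDB'):
    """Return a list of findings (plain strings) for a lab deployment of DVWA."""
    findings = []
    # A key with stray whitespace is a different dictionary key to the application,
    # so the intended setting never takes effect.
    for key in settings:
        if key != key.strip():
            findings.append(
                f"key {key!r} contains stray whitespace; the application looks up {key.strip()!r} instead")
    if dbms.lower() == 'mariadb' and settings.get('db_user') == 'root':
        findings.append("db_user is 'root': MariaDB setups need a dedicated DVWA user")
    server = settings.get('db_server', '')
    if server not in ('127.0.0.1', 'localhost'):
        findings.append(f"db_server {server!r} is not loopback; keep the DVWA database local to the lab")
    if settings.get('db_password', '') in ('', 'p@ssw0rd'):
        findings.append("db_password is empty or the sample value; choose a password of your own")
    if settings.get('default_security_level', 'impossible') == 'low':
        findings.append("default_security_level is 'low': every session starts unprotected (lab use only)")
    return findings


if __name__ == '__main__':
    cfg = parse_dvwa_config(SAMPLE_CONFIG)
    for finding in audit_dvwa_config(cfg):
        print('-', finding)
```

Run it against your own file with parse_dvwa_config(open(path).read()) after copying config.inc.php.dist into place; an empty findings list from audit_dvwa_config means the database side of the setup matches what the MariaDB steps above expect.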

If you are interested in DVWA’s development, you can also take a look at its GitHub page and give your support.

CTF - Capture the flag

To be a good pentester, you need to sharpen your claws and grasp all the knowledge of the security world. CTFs are a way of improving your skills, and there is a huge community out there.

The three known types of CTF are jeopardy, attack-defence and mixed.

I’ll quote this from a well-known webpage, ctftime.org:

Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories. For example, Web, Forensic, Crypto, Binary or something else. A team can gain some points for every solved task. Usually more points for more complicated tasks. The next task in the chain can be opened only after some team solves the previous task. Then, when the game time is over, the sum of points shows you the CTF winner. A famous example of such a CTF is Defcon CTF quals.

Well, attack-defence is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team usually has time for patching your services and developing exploits. So, then the organizers connect the participants of the competition and the wargame starts! You should protect your own services for defence points and hack opponents for attack points. Historically this is the first type of CTF; everybody knows about DEF CON CTF, something like a World Cup of all other competitions.

Mixed competitions may vary in possible formats. It may be something like a wargame with special time for task-based elements (e.g. UCSB iCTF).

I’ve tried CTF only once, in 2019, Jeopardy style; I can’t say I got very far, so I won’t merit it here 🙂, but I’ll be back and brag about it 😜

Comments

We are continuously developing new applications every day and adding new features, but developers don’t think much about security (beyond what they already know and have experienced), either because they don’t have time for it or because their bosses are pushing for it and want it released ASAP. Either way, they should consider pentesting their work against at least the OWASP Top 10. If we can automate our code to be piped through and verified by Jenkins, we should also be able to run pentests against our code. And the tests themselves need to be updated accordingly.