Web Application Pen-testing Tutorials With Mutillidae (Hacking Illustrated Series InfoSec Tutorial Videos)


When I started the Mutillidae project it was with the intention of using it as a teaching tool and making easy to understand video demos. Truth be told, I never did as much with it as I intended. However, after Jeremy Druin (@webpwnized) took over the development it really took off. I have since come to find out he has been doing A LOT of YouTube video tutorials with Mutillidae, which he said I could share here. I will be copying his descriptions with slight editing and embedding his videos below:

Index:

  1. Determine Http Methods Using Netcat

  2. Determine Server Banners Using Netcat Nikto And W3af

  3. Bypass Authentication Using SQL Injection

  4. Using Menus

  5. Bypass Authentication Via Authentication Token Manipulation

  6. Explanation Of HTTPonly Cookies In Presence Of Cross Site Scripting

  7. Closer Look At Cache Control And Pragma No Cache Headers

  8. Demonstration Of Frame Busting Javascript And X-Frame Options Header

  9. How To Install And Configure Burp Suite With Firefox

  10. Basics Of Web Request And Response Interception Using Burp Suite

  11. Brute Force Authentication Using Burp Intruder

  12. Automate SQL Injection Using SQLMap To Dump Credit Cards Table

  13. Command Injection To Dump Files Start Services Disable Firewall

  14. How To Exploit Local File Inclusion Vulnerability Using Burp Suite

  15. HTML Injection To Popup Fake Login Form And Capture Credentials

  16. Two Methods To Steal Session Tokens Using Cross Site Scripting

  17. How To Bypass Maxlength Restrictions On HTML Input Fields

  18. Two Methods To Bypass Javascript Validation

  19. Three Methods For Viewing Http Request And Response Headers

  20. Basics Of SQL Injection Timing Attacks

  21. Basics Of SQL Injection Using Union

  22. Basics Of Inserting Data With SQL Injection

  23. Inject Root Web Shell Backdoor Via SQL Injection

  24. Basics Of Using SQL Injection To Read Files From Operating System

  25. How To Locate The Easter Egg File Using Command Injection

  26. Injecting Cross Site Script Into Stylesheet Context

  27. Introduction To Http Parameter Pollution

  28. Basics Of Injecting Cross Site Script Into HTML Onclick Event

  29. Basics Of Finding Reflected Cross Site Scripting

  30. Analyze Session Token Randomness Using Burp Suite Sequencer

  31. Using Nmap To Fingerprint Http Servers And Web Applications

  32. Spidering Web Applications With Burp Suite

  33. Basics Of Burp Suite Targets Tab And Scope Settings

  34. Brute Force Page Names Using Burp Intruder Sniper

  35. Using Burp Intruder Sniper To Fuzz Parameters

  36. Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb

  37. Demo Usage Of Burp Suite Comparer Tool

  38. Import Custom Nmap Scans Into Metasploit Community Edition

  39. Using Metasploit Community Edition To Locate Web Servers

  40. XSS DNS Lookup Page Bypassing Javascript Validation

  41. Use Burp Suite Sequencer To Compare Csrf Token Strengths

  42. How To Remove PHP Errors After Installing On Windows Xampp

  43. Quickstart Guide To Installing On Windows With Xampp

  44. Basics Of Running Nessus Scan On Backtrack 5 R1

  45. How To Import Nessus Scans Into Metasploit Community Edition

  46. Basics Of Exploiting Vulnerabilities With Metasploit Community Edition

  47. Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin

  48. Quick Start Overview Of Useful Pen-Testing Addons For Firefox

  49. Three Methods For Viewing Javascript Include Files

  50. Reading Hidden Values From HTML5 Dom Storage

  51. How To Execute Javascript On The Urlbar In Modern Browsers

  52. Adding Values To Dom Storage Using Cross Site Scripting

  53. Alter Values In Html5 Web Storage Using Cross Site Script

  54. Altering Html 5 Web Storage Values Using Persistent XSS

  55. Altering HTML 5 Web Storage With A Reflected XSS

  56. Generate Cross Site Scripts With Sql Injection

  57. Injecting Cross Site Script Into Logging Pages Via Cookie Injection

  58. Manual Directory Browsing To Reveal Mutillidae Easter Egg File

  59. How To Upgrade To Nessus 5 On Backtrack 5 R2

  60. Creating Reports And Metasploit Db Importable Reports With Nmap Xml Output

  61. Mutillidae How To Use Dradis To Organize Nmap And Nessus Scan Results

  62. Finding Comments And File Metadata Using Multiple Techniques

  63. Detailed Look At Linux Traceroute

  64. Introduction To TCPDump Network Sniffer

  65. Basics Of Using The Maltego Reconnaissance Graphing Tool

  66. Creating Syn Port Scan Manually With Scapy

  67. Contrast Nmap And Amap Service Version Detection Scanning

  68. Using Hydra To Brute Force Web Forms Based Authentication Over Http

  69. Connect To Unreachable Web Site Through Meterpreter Port Forwarding

  70. Using Metasploit Hashdump Post Exploit Module Creds Table And John

  71. Using Metasploit Community Edition To Determine Exploit For Vulnerability

  72. Gaining Administrative Shell Access Via Command Injection

  73. How To Install Metasploitable 2 With Mutillidae On Virtual Box

  74. Using Command Injection To Gain Remote Desktop On Windows

  75. How To Exploit Metasploitable 2 With Nmap Nexpose Nessus Metasploit

  76. Setting User Agent String And Browser Information

  77. Walkthrough Of CBC Bit Flipping Attack With Solution

  78. Installing Latest Mutillidae On Samurai WTF Version 2

  79. How To Upgrade To Latest Mutillidae On Samurai WTF 2

  80. Using ettercap and sslstrip to capture login

  81. SQL Injection via AJAX request with JSON response

  82. Introduction to Installing, Configuring, and Using Burp-Suite Proxy

     

 

Determine Http Methods Using Netcat

Using Mutillidae as a target, we look at discovering the HTTP methods offered by a web server during the discovery phase. First we use netcat to send the HTTP OPTIONS request, then use W3AF to automate this process.

 

Determine Server Banners Using Netcat Nikto And W3af

Using Mutillidae as the target, this video looks at 3 ways to find web server banner information, which may reveal the web server type and version along with the application server type and version. We use netcat, nikto, and w3af.

 

Bypass Authentication Using SQL Injection

Using Mutillidae as a target, we look at bypassing authentication using SQL injection with the only tools being Firefox with the Firebug add-on. In later videos we can use Burp-Suite to make this easier. Mutillidae is a free web application that has vulnerabilities added on purpose to act as a training environment for security enthusiasts.

 

Using Menus

This video is an overview of the different settings in Mutillidae plus a look at the menu items. The security levels, hints, database reset, and basic menu layout are covered.


 

Bypass Authentication Via Authentication Token Manipulation

In this video we bypass authentication by manipulating session authentication tokens found in cookies. The cookies are found and modified using the Cookie Manager+ add-on for Firefox. Mutillidae is a web application with a series of vulnerabilities added on purpose to allow security enthusiasts, pen testers, and students to practice attacking a web application.

 

Explanation Of Httponly Cookies In Presence Of Cross Site Scripting

Using Mutillidae, we look at the effect HTTPOnly cookies have when a page is infected with a cross site script. The demonstration is primarily targeted at developers who wish to understand better why it is a good idea to set cookies with the HTTPOnly flag. A better solution would be to have all cookies be HTTPOnly unless the developer overrides.

 

Closer Look At Cache Control And Pragma No Cache Headers

Using Mutillidae, we look at cache-control headers for HTTP 1.0 and HTTP 1.1. 
 

 


 

Demonstration Of Frame Busting Javascript And X-Frame Options Header

Using Mutillidae, we contrast JavaScript frame busting code and the X-FRAME-OPTIONS header. The two methods are compared on a site being framed. The site is framed inside of an iframe tag and the two methods prevent the site from appearing in the iframe. These two methods are useful in helping prevent cross site framing and click-jacking.

 

How To Install And Configure Burp Suite With Firefox

This video discusses installing and configuring Burp Suite. Download Burp Suite from http://portswigger.net/burp/download.HTML. Unzip the downloaded file and place Burp Suite into a folder. In this video, Burp is placed onto a WinXP machine in the Program Files directory. Create a shortcut for Burp. Configure Firefox to use Burp as the web proxy so that traffic flows through Burp Suite.

 

Basics Of Web Request And Response Interception Using Burp Suite

Using Mutillidae as a target, we look at intercepting web requests and server responses using the interception proxy in Burp Suite. This allows us to alter the requests before letting the requests proceed to the server. Burp-Suite is available at portswigger.net.
 

 


 

Brute Force Authentication Using Burp Intruder

Using Mutillidae as a target, we brute force the authentication. The tool that attempts brute forcing is Burp Suite Intruder set to "Cluster Bomb" mode. In this short demo, we harvest usernames from the site itself on the "View Blog" page. We try some sample passwords for demo purposes. We note how to load much longer password lists from files downloaded with FuzzDB.
 

 


 

Automate SQL Injection Using SQLMap To Dump Credit Cards Table

In this video, we use SQLMap 1.0 from a Backtrack 5 machine against the Mutillidae view-blog-entries.php page. We automate the attack and make setting up SQLMap easier by taking a request from Burp Suite and feeding it to SQLMap through the -r (request) parameter. We find the names of the databases, then the tables, and finally dump the credit-cards table.

 

Command Injection To Dump Files Start Services Disable Firewall

Using a vulnerable page in the Mutillidae web application, we use command injection to list directories on the server's operating system. After gaining access to web source code files and listing contents, we list the Windows services running, start the telnet service, then disable the server firewall to give us access to the telnet service.

 

How To Exploit Local File Inclusion Vulnerability Using Burp Suite

Using a defect in the text file viewer page, we show how to read arbitrary files from the web server including the source code. We read files from the Windows operating system using a directory traversal attack combined with the local file include vulnerability.

 


 

HTML Injection To Popup Fake Login Form And Capture Credentials

Using the add to your blog page in Mutillidae as a target, we inject HTML. The HTML gets progressively better until it looks basically like a login form that is floating over the screen. We set up a capture page to capture any credentials typed into the login form. The capture page already exists in Mutillidae and is ready for demos. Mutillidae is a web application with vulnerabilities added on purpose to allow pen testers and security enthusiasts to practice.

 

Two Methods To Steal Session Tokens Using Cross Site Scripting

This video covers using cross-site scripting to steal session cookies on the add-to-your-blog.php page in Mutillidae. A basic cross-site script is executed to show the page is vulnerable, then a script to redirect the user to a capture page. Since the redirection is noisy and relatively obvious to the user, we use an XHR (XML HTTP Request) based script to quietly force the user to browse to the capture page in the background while the main page continues to operate normally. Mutillidae is a free, easy to install web application that has vulnerabilities placed on pages to allow security enthusiasts to test.


 

How To Bypass Maxlength Restrictions On HTML Input Fields

Using the Mutillidae Login page as a target, we review 3 methods to bypass HTML maxlength restrictions on the page. HTML input fields sometimes contain maxlength restrictions and visible length restrictions. These are trivially bypassed using a variety of techniques. The few covered in this video use Firebug, Tamper Data, and Burp-Suite respectively.

 


 

Two Methods To Bypass Javascript Validation

Using the Mutillidae login page with level 1 security, we look at two methods to bypass JavaScript validation. One method is disabling JavaScript, but this has consequences for pages which use JavaScript to help render the page correctly. After viewing these limitations, we use Burp-Suite to allow the page to render normally while still having control of the HTTP requests and responses.

 

Three Methods For Viewing Http Request And Response Headers

Using Mutillidae in security level 0 and security level 5, we look at different methods to view HTTP headers. The cache control headers are used in this video as examples. Mutillidae will not use cache control in level 0 but shows the headers in level 5. We use two Firefox add-ons, plus Burp Suite.

 

Basics Of SQL Injection Timing Attacks

Using the Mutillidae login page, we use Burp-Suite Repeater to look at a basic example of an SQL Injection timing attack. Because Mutillidae uses a MySQL server database, we use the SLEEP command sent in via a UNION statement to cause the web application response time to vary. 
 


 

Basics Of SQL Injection Using Union

Using Mutillidae, we methodically find the number of columns needed to use a UNION SQL Injection and also determine which columns in the web page's query are output onto the resulting web page when a query successfully executes. UNION can be used to extract data but only if the number of columns matches and the datatypes are compatible.

 

Basics Of Inserting Data With SQL Injection

In this video, inserted data is changed by an SQL injection. While not particularly practical in this context, the demonstration shows when insert SQL injection can be used to change data and when it cannot. The general method for performing an SQL Injection insert is shown as well.

 

Inject Root Web Shell Backdoor Via SQL Injection

Using somewhat advanced SQL injection, we inject a new PHP file into the web root of the PHP server using an SQL injection vulnerability in Mutillidae. The injection is a command shell written in PHP that gives root access to the operating system.

 

Basics Of Using SQL Injection To Read Files From Operating System

Expanding on the UNION SQL Injection discussed in previous videos, we use SQL injection to read files from the operating system. One of the files read is the MySQL error log which contains a great number of items used in reconnaissance of the system. Reading files with SQL injection is somewhat advanced but can be practiced easily using Mutillidae.

 


 

How To Locate The Easter Egg File Using Command Injection

Mutillidae has a very large Easter Egg file containing scripts, injections, hacks, and tests used to check the pages over the years. As the developer tests new hacks, the file gets the new scripts added. The file contains SQL injection, command injection, XSS, and other vulnerability exploits. One way to get this file is to use command injection which is the method used in this demonstration.

 


 

Injecting Cross Site Script Into Stylesheet Context

In this video we look at injecting cross site script into the stylesheet context. The example comes from the set-background color page in Mutillidae. The example is trivial but the point is that cross site scripting can occur in any context. Developers need to encode all output even when the output is not occurring in the standard HTML context.

 


 

Introduction To Http Parameter Pollution

This video introduces HTTP parameter pollution using the user-poll page in Mutillidae. HTTP Parameter Pollution can occur when multiple parameters with the same name but different values are submitted to the application. Depending on the application server type, the parameter used may be the first, second, or a combination of the two. HTTP Parameter Pollution can be used to submit "half" values and have the server recombine them later.

 


 

Basics Of Injecting Cross Site Script Into HTML Onclick Event

This video demonstrates injecting cross site scripts into HTML events. The example requires a prefix to close off an existing JavaScript statement in the onclick event targeted. Any script injected into the HTML event will be executed when the user clicks the BACK button on the page.

 

Basics Of Finding Reflected Cross Site Scripting

 This video demonstrates the most basic case of injecting cross site scripts into HTML pages. The example does not require any prefixes, suffixes, or other special characters to be injected. Any script injected into the HTML will be reflected back to the user and executed. For those wishing to see cross site scripting for the first time, this video is a good place to start.

 


 

Analyze Session Token Randomness Using Burp Suite Sequencer

Using the Burp Suite Sequencer application, we capture a series of session tokens from the Mutillidae PHP application server, then analyze them using the Burp Suite Sequencer analysis functionality. The beginning of the video covers the basics of how session tokens are passed to the web browser and how to coax the web server to send multiple tokens.

 

Using Nmap To Fingerprint Http Servers And Web Applications

In this video nmap is used to locate machines with web servers running, then more advanced nmap options are used to fingerprint the web server. The output generated by nmap is sent to an XML file and a stylesheet is used to format the output into a presentable report.


 


 

Spidering Web Applications With Burp Suite

Using Burp Suite Spider, we find the target site and set it as the "scope" in Burp Suite. We then tell Burp Suite to spider the site by following the links in the site. We also look at the interactive form helper in Burp Spider. Burp records the pages in the site. 


 

Basics Of Burp Suite Targets Tab And Scope Settings

Most of the functionality in Burp Suite revolves around the "targets" tab. This basic tab lacks the "sexy" of the other tabs used to perform testing, but the targets tab has several useful features such as setting scope and filtering. This video looks at the features in the targets tab more closely. 
 


 

Brute Force Page Names Using Burp Intruder Sniper

This video is a basic demo of using the Burp Suite Intruder feature. The video shows the simplest case: fuzzing one field in sniper mode in order to examine the resulting responses more quickly. In this video SQL injection vulnerabilities are located by fuzzing an input field and noting that some responses are different when certain characters are sent into the parameters.

 

Using Burp Intruder Sniper To Fuzz Parameters

This video demonstrates using Burp-Suite Intruder in sniper mode to fuzz page names in Mutillidae in order to discover pages that are not in the menu. The pages are hidden generally and are not linked from other pages. By sending in guesses, some of the secret pages are located. The secret pages are just an Easter Egg that dumps the server configuration to the browser. 




Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb

Burp Intruder has several modes of operation. This video compares the sniper, battering ram, pitchfork, and cluster bomb modes against a login page. The context is brute forcing the login page comparing each of the modes. Using the different modes of the intruder is under-utilized in web pen testing. The modes can be very useful to reduce pen tester workload in various situations.



 

Demo Usage Of Burp Suite Comparer Tool

This video demonstrates using the Burp Suite comparer tool to compare two web responses returned by the web server during a brute force login attempt. The comparer tool is an under-used tool that can help web pen-testers be more productive. The application is Mutillidae, which is a free, open source web application designed with vulnerabilities to allow pen testers, students, and security enthusiasts to practice.

 

Import Custom Nmap Scans Into Metasploit Community Edition

Nmap allows a large amount of customization when performing network scans including output to XML files. Nmap scans can be performed then imported into the Metasploit Community Edition (available at Rapid7). This video shows an nmap scan intended to locate web servers and identify basic information about the web server and web application. When the scan is done, the results are imported into Metasploit.


 

Using Metasploit Community Edition To Locate Web Servers

This video shows Metasploit Community Edition being used to run an Nmap scan on a Virtual Box network in order to discover hosts. Metasploit Community is available from Rapid7.

 

XSS DNS Lookup Page Bypassing Javascript Validation

In security level 1, Mutillidae uses JavaScript validation on many pages. Although the dns-recon.php page is intended to give a target to try operating system command injection, the page also contains a cross site scripting flaw. In security level 1, we bypass the JavaScript validation and locate the flaw in the page. Once found, we exploit the flaw with a trivial popup box to show the vulnerability.

 

Use Burp Suite Sequencer To Compare Csrf Token Strengths

Using burp sequencer we compare the predictability (strength) of the cross site request forgery tokens used in Mutillidae on the add-to-your-blog.php page. The page uses very strong tokens in security level 5, but security level 1 uses non-random tokens. Burp-Sequencer shows the randomness as the number of bits of entropy.  


 

How To Remove PHP Errors After Installing On Windows Xampp

Do errors show at the top of the page after installing Mutillidae on XAMPP? This video reviews post-installation of Mutillidae on Windows XP or Windows 7. After installing on some versions of XAMPP, Mutillidae will show errors at the top of the screen. These are warnings about the OWASP ESAPI library. On the front page of Mutillidae are detailed instructions about these errors. This video follows through those instructions to get rid of the PHP errors by altering the PHP.ini file parameter "error_reporting".  
 


 

Quickstart Guide To Installing On Windows With Xampp

This video is a basic primer on installing Mutillidae on Windows using the XAMPP installation of Apache and MySQL. XAMPP makes installing Mutillidae as easy as possible. The only easier way is to install Mutillidae on Samurai WTF because it comes preinstalled and only needs to be updated.  
 


 

Basics Of Running Nessus Scan On Backtrack 5 R1

Using a fully patched Windows XP machine running the latest version of XAMPP (Apache 2.2) as a target, we look at the basics of setting up a Nessus scan. The scan is unauthenticated so this simulates using Nessus to scan a "blackbox" target. The Mutillidae web application is running on the Windows XP box and the Windows firewall is deliberately open on port 80. This gives a service for Nessus to show some results.  


 

How To Import Nessus Scans Into Metasploit Community Edition

A previous video on the Mutillidae YouTube Channel discussed setting up and running Nessus scans on Backtrack 5 R2. This video covers importing the completed Nessus scan into Metasploit Community Edition.


 

Basics Of Exploiting Vulnerabilities With Metasploit Community Edition

This video covers the basics of launching exploits from Metasploit Community Edition. The exploits were discovered in a previous step both with Nexpose and Nessus. In the case of Nessus, the results were exported as a .nessus file then imported into Metasploit Community Edition. This video picks up right after the vulnerabilities are discovered and imported.

 

Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin

Using Mutillidae as the target, we look at identifying fields which are output into web logs, then sending a cross site script into the web log in order to capture the cookie of anyone that views the logs. In this example, the username field of the login screen is identified as a target because Mutillidae logs all login attempts.

 


 

Quick Start Overview Of Useful Pen-Testing Addons For Firefox

This is a quick overview of using addons in the Firefox browser to aid in web pen testing. Only a few of the top add-ons are reviewed but the concepts apply to any add-on. Putting icons for the add-ons into the Firefox menu bar is covered as well. The add-ons can be found on addons.mozilla.org in a collection named "Web Developers Quality Assurance Pack". Search the "Collections" for this title.

 


 

Three Methods For Viewing Javascript Include Files

Developers often include external JavaScript files to use in projects. It may be useful to read this code for various reasons but it will not appear directly on the web page source. Using Mutillidae as an example target, this video looks at a few ways to view JavaScript which is included in files instead of being written into the HTML page source.

 

Reading Hidden Values From HTML5 Dom Storage

This video covers reading values from the HTML5 DOM storage. Developers may store items on the browser assuming they are difficult to read. Using Firefox and Firebug (among other techniques) these values can be read.

 


 

How To Execute Javascript On The Urlbar In Modern Browsers

A user or pen-tester can execute JavaScript on any web page but this became more difficult after Firefox 6. The URL bar no longer allows execution of JavaScript. The about:config allows the URL bar to be reactivated, but there are other options. In this video, we use the Firebug add-on for Firefox to provide a JavaScript command line suitable for pen-testing.

 

Adding Values To Dom Storage Using Cross Site Scripting

This video explores adding values to DOM storage (also known as HTML5 storage and web storage). In the first example, we add a new value to the local DOM storage in our own browser. This would be used to inject a value into a web application via DOM storage. This type of injection is similar to any other except the vector. Pen-testers regularly inject form fields, cookies, and URL query parameters but may neglect to inject DOM storage.

 

Alter Values In HTML5 Web Storage Using Cross Site Script

This video reviews altering HTML 5 Web Storage. After a brief explanation, the HTML 5 Web Storage of our own browser is altered. This might be done to change authorization tokens or other values. Then cross site scripting is used to alter values in another user's HTML 5 Web Storage.

 

Altering HTML 5 Web Storage Values Using Persistent XSS

Using a stored cross-site script aka persistent XSS aka second-order XSS, we alter the values in the HTML 5 web storage of any user that visits the infected page. In security level 0, Mutillidae fails to encode output making it vulnerable to cross site scripting. If the site is placed into security level 5, it will properly encode output rendering the scripts harmless.

 


 

Altering HTML 5 Web Storage With A Reflected XSS

Using a reflected cross-site script aka first-order XSS, we alter the values in the HTML 5 web storage of any user that visits the infected page. In security level 0, Mutillidae fails to encode output making it vulnerable to cross site scripting. If the site is placed into security level 5, it will properly encode output rendering the scripts harmless.



Generate Cross Site Scripts With Sql Injection

This video discusses an advanced SQL injection technique. The SQL injection is used to generate cross site scripting. This is useful when cross site scripts cannot be injected into a webpage from a client because web application firewalls or other scanners are in place. When an SQL injection can be snuck past the WAF, it is possible to have the SQL injection generate the Cross Site Script dynamically.


 

Injecting Cross Site Script Into Logging Pages Via Cookie Injection

By setting the values of browser cookies, then purposely browsing to a web page that logs the value of user cookies, it may be possible to inject cross site scripts into the log files or the log data table of the web site. Later, when the logs are reviewed by administrators, the cross site scripts may execute in the administrator's browser. The video uses the Mutillidae capture data pages as an example. In Mutillidae, one of the capture the flag events is to poison the attacker's browser by purposely exposing the attacker to a cross site script. This can be done by infecting a cookie then "letting" the attacker trick you into visiting the capture data page.

 

Manual Directory Browsing To Reveal Mutillidae Easter Egg File

This video looks at manual testing for directory browsing misconfiguration vulnerabilities in Mutillidae. For directory browsing brute forcing, OWASP DirBuster or Burp-Suite Intruder are great tools. However, Mutillidae gives away some of its directory paths when serving PDF and other files. These can be tested manually to reveal the Mutillidae Easter egg file. Also, common directory names like "include" and "includes" can be tried quickly just using a browser before firing up the tools.

 

How To Upgrade To Nessus 5 On Backtrack 5 R2

This video looks at upgrading Nessus 4 to Nessus 5. The operating system used in the video is Backtrack 5 R2. Nessus 4 was successfully registered and running on this OS prior to attempting to upgrade to Nessus 5. If a fresh Nessus install is needed, the process is different.



Creating Reports And Metasploit Db Importable Reports With Nmap Xml Output

Nmap reporting is excellent with the XML option but this is not used in a lot of cases. The XML output from nmap can be imported into other tools such as the Metasploit Community Edition (Import button), metasploit DB, and other tools. Also, the XML format can be opened in a web browser to produce a well-formatted report suitable for attachment to a pen-test.


 

How To Use Dradis To Organize Nmap And Nessus Scan Results

The latest version of Dradis (2.9) has excellent import speed compared to version 2.7. This video looks at using the import features of Dradis to organize the scan results from an nmap scan and a Nessus 5 scan. Dradis is a tool that allows pen testers, auditors, and vulnerability assessors to organize their work by server or other categories. The Dradis starts a web server which other team members can share information as well.


Finding Comments And File Metadata Using Multiple Techniques

This video has two related parts. The first part discusses finding the comments in Mutillidae related to the "comments challenge". This is an easy challenge in Mutillidae but the techniques can be extended to search entire sites for comments. The second part of the video looks at finding metadata in general using a variety of tools.

The tools used are Firefox "View Source", W3AF, grep, wget, Burp Suite, exiftool and strings. The demo site used is Mutillidae, which is a free open-source fully functional PHP site with a MySQL database. The site runs on localhost or it can be run in a virtual network as a practice target or capture the flag target. It is not a good idea to run Mutillidae publicly because it will get hacked. Mutillidae is available at Sourceforge and Irongeek.com. Along with the project are several documents and an installation guide for Windows 7.



Detailed Look At Linux Traceroute

This video takes a detailed look at the traceroute program in Linux. The newer traceroute is used (version 2.0.18). The later versions have the ability to send packets of different protocols (e.g. TCP) to the target. This feature was previously found in the LFT (Layer Four Traceroute) tool but not found in the Linux traceroute. While LFT is still more feature-rich than the traceroute built into Linux, the new features in Linux traceroute make the tool very useful and quite capable. It helps to understand how the traceroute tool forms the packets, to what ports the packets are sent, and what protocols can be used to send the packets. This information can be used to get traceroute commands to work through firewalls and HIPS systems when ICMP and/or UDP and/or most TCP ports are blocked.


Introduction To TCPDump Network Sniffer

This video is an introduction to the tcpdump network packet sniffer/capture tool. The video is relatively long because the demo used required "building up" to the HTTP capture. The video only covers the basics but is meant to be a good introduction to practical use of tcpdump.

 




Basics Of Using The Maltego Reconnaissance Graphing Tool

This video looks at using Maltego to both gather and organize information in a customer pen-test. Maltego is a GUI-based tool for Linux which is included in the Backtrack 5 R2 release. The tool is able to gather information from public sources on entities. The Community Edition (used in this video) is free. There is a paid-version with more features. The site used in this video is irongeek.com and was used with written permission from the owner. If following along, please use a domain for which you have permission.
 


Mutillidae Creating Syn Port Scan Manually With Scapy

This video covers creating a port scan by building the packets manually with Scapy. Scapy makes packet crafting relatively easy given the extensive control the operator has over the construction of the packets. Nearly any attribute of the packets can be carefully crafted by the user, and responses to sent packets can be captured for examination.

In the video, an IP packet is crafted and set aside to be used repeatedly. A TCP packet is created for port 80 on the target, which is known to be open. The packet is sent and the port is confirmed open. To test a closed port, the TCP packet is set to port 81, which is a port thought to be closed. The packet is sent and the port status is confirmed. Users new to Scapy, tcpdump, and nmap will receive brief tutorials in the video on getting started.


Contrast Nmap And Amap Service Version Detection Scanning

This video compares the service version detection abilities of nmap and amap. To start, a host discovery and port scan is performed with nmap. The results are saved to a file. This file is fed to amap and service detection is done. Later, the nmap scan is done again but with the -sV option, which tells nmap to perform a service version scan once the host discovery and port scan are complete.

Users new to amap and nmap will be shown how to operate the tools in the video.

 


Using Hydra To Brute Force Web Forms Based Authentication Over Http


This video covers using nmap to ping sweep the network, then discover ports on two machines to locate a web server on which Mutillidae is running. Once the web server is running, the site is loaded into Firefox and the login page is located. Using View-Source, Burp-Suite, and the site's registration, the login process is studied. Potential usernames are gathered using Reconnoitter, CeWL, and the site's own blog page. A password file from john the ripper is used. With the potential usernames and passwords in hand, hydra is used in http-post-form mode to search for a username and password which can log into the site.


Connect To Unreachable Web Site Through Meterpreter Port Forwarding


This video covers accessing a web site that is normally unreachable from our Backtrack 5 box. However, after gaining a session on a third box, we forward our web browser through the compromised host in order to browse the website. The port forwarding is done via a meterpreter session on the compromised host. After setting up the port forward, the browser is able to use the compromised host as a relay (almost like a web proxy) in order to browse to the "internal" web application.


Using Metasploit Hashdump Post Exploit Module Creds Table And John

This video shows how to have the hashdump post exploitation module automatically populate the creds table in the metasploit database, then export the credentials to a file suitable to pass to the john the ripper tool in order to audit the passwords.
 


Using Metasploit Community Edition To Determine Exploit For Vulnerability

In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in the msfconsole in order to have metasploit guess the best exploits for a given vulnerability. This video looks at alternative functionality for the deprecated "db_autopwn -t -x" option in older versions of Metasploit's msfconsole. Metasploit Community Edition has similar exploit analysis functionality accessible via the web based GUI.



Gaining Administrative Shell Access Via Command Injection

Using command injection against the Mutillidae web application, we gain a root shell (Administrative Windows cmd shell). The server is fully patched with anti-virus running and a firewall blocking port 23. Additionally the telnet service is disabled. With the command injection vulnerability, this video demonstrates how misconfiguring web services can have serious consequences for security. Additionally we review how to remediate command injection vulnerabilities and discuss some of the defects which expose the server to compromise.


How To Install Metasploitable 2 With Mutillidae On Virtual Box

This video covers installing Rapid7's Metasploitable 2.0 with Mutillidae on a Virtual Box Host Only network. In addition to reviewing how to install Metasploitable 2 on Virtual Box, the configuration of the virtual network card is shown so that the Mutillidae web application running on Metasploitable 2 can be accessed from a separate Backtrack 5 virtual machine running on the same Host Only network.


Using Command Injection To Gain Remote Desktop On Windows

Using command injection, remote desktop access (RDP) is gained to a Windows web server. The web server is configured with a firewall protecting the RDP port. Also the RDP service is not running and disabled. Registry settings are set to keep RDP's underlying service (Terminal Services) from running. Additionally, there are no users in the Remote Desktop Users group. By exploiting a command injection vulnerability, the terminal services are enabled and started, the registry is altered, the firewall is opened, a user is added (root), and the user is placed in the Remote Desktop Users group. Once the exploit is complete, grdesktop from Backtrack is used to remote into the Windows box over an RDP terminal.

The video discusses the defect and configuration mistakes which allowed the exploit to take place.


How To Exploit Metasploitable 2 With Nmap Nexpose Nessus Metasploit

This video tutorial covers exploiting Metasploitable-2 to get a root shell and eventually a terminal via a valid "sudo-able" login over SSH.

Two machines, a test host (Backtrack 5-R2) and a target host (Metasploitable-2), are set up on a VirtualBox host-only network. With this lab network set up, the demonstration walks through a practice pen-test using the phases of recon, scanning, exploitation, post-exploitation, and maintaining access. (Covering tracks and reporting are not covered. Recon is assumed because Virtual Box runs a default DHCP server on the 192.168.56/24 network). A video tutorial on installing Metasploitable-2 on VirtualBox can be found at https://community.rapid7.com/message/4137#4137.

Initially, nmap is used to locate the Metasploitable-2 machine on the Virtual Box host only network. In the video the Metasploitable-2 host is running at 192.168.56.102 and the Backtrack 5-R2 host at 192.168.56.1.3. Additionally, open ports are enumerated with nmap along with the services running. The nmap default NSE scripts provide additional information on the services and help nmap discover the precise version. Some features of nmap are reviewed and an nmap XML report is generated. This report is viewed in Firefox and imported into Metasploit via msfconsole and using the Metasploit Community Edition web interface, which has the functionality of db_import built-in. nmap is run a second time with different options to show how to focus the information in the reports on open services.

With the services listed and versions discovered, it is possible to begin locating vulnerabilities for services. To make this step easier, both Nessus and Rapid7 NexPose scanners are used to locate potential vulnerabilities for each service. Eventually an exploit suitable for the outdated samba services running on Metasploitable-2 is chosen and metasploit msfconsole is used to configure the samba-usermap exploit. The cmd/unix/bind_netcat payload is selected and sent to Metasploitable-2 via the samba-usermap exploit. A remote root shell is gained.

For post exploitation, the shell is used to gather the usernames and passwords for Metasploitable-2 which are copied back to the testing machine and cracked with john-the-ripper. The two files are "unshadowed" using JTR unshadow and then cracked with JTR MD5 module. The passwords are stored in the JTR pot file for retrieval.


Setting User Agent String And Browser Information

Introduction to user-agent switching: This video uses the Firefox add-on "User-Agent Switcher" to modify several settings in the browser that are transmitted in the user agent string inside HTTP requests. Some web applications will show different content depending on the user agent setting making alteration of the settings useful in web pen testing.


Walkthrough Of CBC Bit Flipping Attack With Solution

This video shows a solution to the view-user-privilege-level in Mutillidae. Before viewing, review how XOR works and, more importantly, that XOR is commutative (If A xor B = C then it must be true that A xor C = B and also true that B xor C = A). The attack in the video takes advantage of the fact that the attacker knows the IV (initialization vector) and the plaintext (user ID). The attack works by flipping each byte in the IV to see what effect is produced on the plaintext (User ID). When the correct byte is located, the ciphertext for that byte is recovered, followed by a determination of the correct byte to inject. The correct value is injected to cause the User ID to change.
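The XOR relation behind this, worked through as an added example that is not Mutillidae's code or the video's solution: in CBC the first plaintext block is D(C) xor IV, so a known plaintext and a client-controlled IV determine the decrypted value, and a MAC over IV and ciphertext detects the change. The block cipher here is a toy Feistel construction standing in for AES (an assumption, not secure), and the keys, IV and plaintext strings are constructed.

```python
import hashlib
import hmac

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the toy cipher (assumption: stand-in for AES, not secure)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plain):   # single 16-byte block: C = E(P xor IV)
    return block_encrypt(key, xor(plain, iv))

def cbc_decrypt(key, iv, cipher):  # P = D(C) xor IV
    return xor(block_decrypt(key, cipher), iv)

def forged_iv(iv, known_plain, wanted_plain):
    # D(C) = P xor IV, so IV' = IV xor P xor P' makes decryption yield P'
    return xor(iv, xor(known_plain, wanted_plain))

def seal(enc_key, mac_key, iv, plain):
    # Encrypt-then-MAC: the tag covers the IV as well as the ciphertext
    c = cbc_encrypt(enc_key, iv, plain)
    return c, hmac.new(mac_key, iv + c, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, c, tag):
    good = hmac.new(mac_key, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                # IV or ciphertext was modified in transit
    return cbc_decrypt(enc_key, iv, c)

# Constructed sample values
ENC_KEY, MAC_KEY = b"k" * 16, b"m" * 32
IV = bytes(range(16))
PLAIN = b"uid=100;gid=100;"
WANTED = b"uid=000;gid=100;"
CIPHER, TAG = seal(ENC_KEY, MAC_KEY, IV, PLAIN)
NEW_IV = forged_iv(IV, PLAIN, WANTED)

if __name__ == "__main__":
    print(cbc_decrypt(ENC_KEY, NEW_IV, CIPHER))                # unauthenticated path
    print(open_sealed(ENC_KEY, MAC_KEY, NEW_IV, CIPHER, TAG))  # authenticated path
```

Only one IV byte differs between `IV` and `NEW_IV`, which is why unauthenticated CBC with a client-visible IV cannot protect a field such as a user ID.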

Mutillidae is available for download at http://sourceforge.net/projects/mutillidae/. Updates about Mutillidae are tweeted to @webpwnized along with announcements about video releases.


Installing Latest Mutillidae On Samurai WTF Version 2


Samurai WTF is an excellent platform for web pen testing. A very large number of tools are already included. An older version of NOWASP Mutillidae comes pre-installed. This video covers installing the latest version on Samurai WTF 2.0. Installation requires downloading the latest version of NOWASP Mutillidae, unzipping the Zip file which contains a single folder named "mutillidae", and placing the "mutillidae" folder into the /var/www directory. Configuration is done by opening the /var/www/mutillidae/classes/MySQLHandler.php file and changing the default MySQL password from a blank empty string to "samurai". Starting the project is done by browsing to http://localhost/mutillidae and clicking the Reset-DB button on the menu bar.
 


How To Upgrade To Latest Mutillidae On Samurai WTF 2

This video covers upgrading the default version of NOWASP (Mutillidae) which comes with SamuraiWTF 2.0 with the latest available version. On this particular version of SamuraiWTF 2.0, NOWASP (Mutillidae) 2.1.20 was installed in the ISO. The latest version of NOWASP (Mutillidae) available at the time of this video was 2.3.7. In the video, the hosts file responsible for activating the links to the "target" web applications was modified so the default web applications would work. Also, the "samurai" start up script is reviewed to show why the LiveCD version of Samurai includes working web app targets but the installed version requires the targets be "activated".  The video then covers how to upgrade the existing default installation of NOWASP (Mutillidae) with the latest available version. Additionally, the video discusses how to run the default version and latest version of NOWASP (Mutillidae) side-by-side or replace the existing installation with the latest version.


Using ettercap and sslstrip to capture login

This video by webpwnized (@webpwnized) reviews how to intercept web communications using ettercap and intercept web traffic that is supposed to be protected with SSL using SSLStrip.


SQL Injection via AJAX request with JSON response

This video by webpwnized (@webpwnized) covers pen-testing an SQL Injection vulnerability that occurs in an AJAX request made in the background. The response from the server is JSON. Since AJAX requests and regular requests work the same way (they both follow the rules of the HTTP protocol), the AJAX request can be pen-tested using the same tools and techniques used with the more traditional requests. The SQL Injection flaw is first discovered, then used to pull a list of the tables in the database along with the columns for the target table. Once the target is identified, the defect is used to pull a list of the username and password fields. The demonstration site is NOWASP Mutillidae, available at http://sourceforge.net/projects/mutillidae/files/mutillidae-project/. Updates concerning Mutillidae and these videos are tweeted to @webpwnized.


Introduction to Installing, Configuring, and Using Burp-Suite Proxy



Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast