Mass Scanning a Website for File Inclusion Vulnerabilities using Fimap and Metasploitable

Fimap by Iman Karim (https://tha-imax.de/git/root/fimap) is a great tool to scan a website for File Inclusion vulnerabilities. In this short tutorial I show how to scan the entire Metasploitable2 Purposefully Vulnerable VM with Fimap and spawn a remote shell!

Mass Scanning

Fimap can scan a target website and harvest links from it and store them so they can be used as input to its mass scan feature. Simply run fimap and use the “-H” switch to tell it to harvest links, “-u” to tell it the target website IP, “-d [x]” to tell it how deep to look for links and finally “-w [outputdirectory]” to tell it where to store the links, like so:

fimap scan one

Now that we have a list of target links stored in the “/tmp/urllist” file, we simply feed this back into Fimap to look for vulnerabilities:

fimap -m -l ‘/tmp/urllist’

This will take forever to run as I told it to pretty much harvest the links from the entire Metasploitable VM in the previous command, but check out the results:

fimap scan metasploitable

Holy cats, 688 possible File Inclusion vulnerabilities!

Exploiting via Remote Shell

One of the great things about Fimap is its ability to create a remote shell with the vulnerable page. So let’s try it with one of the 688 vulnerable pages. To do so, we simply run “fimap” with the “-x” switch:

  1. Type “fimap -x”
  2. A list of scanned domains will appear, select the the one (“1”) we just scanned.
  3. A huge list of vulnerable pages will appear, so let’s select say, “100”.
  4. Now at the Available Attacks screen, select “#2 – Spawn Pentestmonkey’s reverse shell”

RFI LFI Fimap

It will then tell you to open another terminal and run Netcat (netcat -v -l -p 4444). Then just hit enter in fimap and you have a remote Netcat shell!

fimap reverse shell

As you can see we have opened a remote shell through on of the vulnerable pages, nice! Now let’s try the other 588 possibilities. Well, maybe not, lol!

Conclusion

File Inclusion vulnerabilities are becoming more and more rare with current coding practices, but hopefully this shows that File Inclusion coding errors can be exploited for detrimental results. Companies need to be sure to use secure coding practices and test their websites for common vulnerabilities.

If you liked the tutorial, and want to learn more about ethical hacking, check out my book, “Basic Security Testing with Kali Linux“.

Advertisements

Mutillidae Database Errors in Metasploitable 2

I really enjoy using Mutillidae, it is one of my favorite teaching tools. I usually run it on a Windows box, but when I went to use it in the Metasploitable 2 VM I was getting a lot of database errors. Scanning through the support sites and comments I finally found that their is a configuration file issue and wanted to re-post the fix here.

You need to change the database name from “metasploit” to “owasp10” in the “config.inc” file.

In Metasploitable VM navigate to /var/www/Mutillidae

  • Type, “sudo nano config.inc”

Change the database name from ‘metasploit’ to ‘owasp10’ :

metasploitable database error

metasploitable mutillidae error

  • Restart Apache by typing, “sudo /etc/init.d/apache2 reload”
  • Lastly open Mutillidae in a browser
  • Click, “Reset DB”

You should now be all set to use Mutillidae!

Book Review: “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide”

You may have layers of security, popularly known as “Defense in Depth”, but are your security features setup properly? Are their configuration errors that a vulnerability scan will not find?

What information is being broadcast by your computers, company, or employees, that don’t show up in a software scan?

Many companies think that if they just run a vulnerability scan and it passes that they are good, but is this an accurate test of your network security?

Even if you have a secured environment how could you test this using the actual techniques that a hacker would use to see if your security is up to the challenge?

Enter “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide” the latest book by Lee Allen and Packt Publishing.

From preparing the scope of a pentest, to learning the tools of pentesting, to installing and running a full mock pentest on a virtual lab, this book truly is the ultimate security guide!

Here is a quick overview of the main topics:

Reconnaissance

Learn about DNS data siphoning techniques, Shodan, and the Google Hacking Data Base. The chapter also covers numerous tools that can help with recovering network, computer, and user information. And sometimes even user documents.

Enumeration

This section includes a very good tutorial on Nmap scanning including using decoys and zombie hosts in your scans, and a look at gathering pertinent information from SNMP.

Exploitation

Exploitation covers installing Kioptrics (a purposefully vulnerable Linux install) and running attacks against it from the Backtrack system. In this chapter the user learns how to retrieve service information from the target system. Then searching the Exploit-DB database (online and in Backtrack) to find exploits against it, and once an exploit is found, compiling and using it in Backtrack.

This chapter then covers transferring data to and from the system and cracking passwords, and finally exploiting the machine with the Metasploit Framework.

Web App Exploitation

Covers creating a virtual lab by installing Kioptrics level 3, pfSense (firewall), HAProxy (load Balancer) and Irongeek’s Mutillidae (contains the OWASP top 10). The author covers detecting Load Balancers and WAP firewall and scanning with the Web Application Attack and Audit Framework (w3af). You also learn how to use WebScarab to record and analyze your pentest and are introduced to Mantra, the pentester’s Plug-In toolkit.

Client Side attacks

Client side attacks are covered including Buffer Overflows, fuzzing, using David Kennedy’s (ReL1K) Fast Track and the Social Engineering Toolkit.

Post Exploitation

This chapter explains data and service enumeration on the target system. This includes which files to try to recover, which logs to analyze, what processes and networking details to view on both Linux and Windows systems. And finally using the exploited machine to scan or gain access to other hosts via pivoting.

Conclusion

The book also covers bypassing firewalls, avoiding detection, data collection tools and reporting.

Okay, after you have learned all of this excellent information, what are you going to do with it? Why not put it to the test with the last two chapters where you build a full testing lab and then run through a mock penetration test using the lab and all the skills that you have learned from the book.

This book is packed full of excellent training and tutorials. The author masterfully walks you through each section with step by step instructions, including screenshots.  It is easy to read and follow, for novice and expert alike. If you are new to pentesting or want to learn more about it, then this is the book for you.

I highly recommend this book.

Metasploitable 2 Tutorial Part 1: Checking for open Ports with Nmap

I mentioned a week or two ago that we would take a closer look at Metasploitable 2.0, the purposefully vulnerable Linux virtual machine used for learning security tactics and techniques. In this intro, we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No you do not want Metasploitable running on a open or production machine, it’s vulnerable for Pete’s sake!  🙂  )

For this series of tutorials you will need:

You can setup a test network using VMware or Virualbox. I will not cover this in the article, there are many tutorials out there for setting this up

The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube Channel. This covers installing Metasploitable 2 on Virtual Box and how to get to Mutillidae, a great learning tool for web app security:

Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.

Open a Terminal window on your Backtrack system and type:

nmap -v -A 192.168.12.20 (metasploitable’s IP address)

This will show us the open ports and try to enumerate what services are running. Here is a look at the ports:

Holy open ports Batman!

Nmap will churn for a while while it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:

For each port, we see the port number, service type and even an attempt at the service software version.

From here, we can grab the software version, in this case “Unreal IRC 3.2.8.1”, and do a search for vulnerabilities for that software release. Just searching “unreal3.2.8.1 exploits” in Google should do the trick. With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.

If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several service scanners that we can use to get exact version levels. We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.