Sunday, September 5, 2010

Metasploit HTTP fuzzer

This is a tool that I developed because I thought it was kind of missing from the Metasploit framework. The main purpose of this tool is to help test a web app for different problems using custom requests. I think this is needed because scanners often miss simple vulnerabilities, since they rely on a specific signature to identify them. Although they are really helpful for identifying vulnerabilities in large web apps, almost all the time they will miss basic vulnerabilities like SQL injection or XSS just because they did not test a parameter, or because they are looking for a specific response code that in a lot of cases will never be returned by the web site. My opinion is that manual and semi-automated testing is the best approach to identifying web app vulns. This is where this tool might be helpful.

The types of iterations that you can use are:

1 NUMERIC Fuzzing
2 STRING Fuzzing
3 CUSTOM Fuzzing. Define POSITIONS and advanced option CHARS
4 File (Provide a File to use)
5 RANDOM Characters e.g. \!"#$%&/()='
6 SQL injection (will use Msf::Config.install_root/data/wordlists/sql_injections.txt)
7 Long strings e.g. A x 10000

Things that you might want to try while using this tool:
- Use methods GET or POST
- Configure a COOKIE and fuzz
- Add custom HEADERS and fuzz
- Review the log file created at the end of each fuzzing session
- Create your own wordlist file and provide it to the fuzzer using the TYPE 4 option. Some ideas for custom files: XSS, SQL queries, folders or directories, common files, traversal, passwords, etc.
- Use advanced options to only show responses with a specific CODE (e.g. 500)
- Use advanced options to stop fuzzing when a phrase is found in the response. Phrase example: "[SQLServer]"
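To make the options above concrete, here is a small stand-alone Ruby model of what the fuzzer does with them. This is an added example written for this post, not code from the http_fuzz module or from Metasploit: it expands the {X}...{X} marker in PATH for three of the iteration types (NUMERIC with START/STOP, Long strings, File wordlist), sends each request to a constructed in-process stub instead of a real host, and applies the "only show CODE" and "stop when a phrase is found" options. All function names are hypothetical, and the reading that the text between the two markers is the original value the fuzzer overwrites is an assumption based on the PATH echo in the transcript below.

```ruby
# Added example, not code from the http_fuzz module: a stand-alone model of the
# request generation and filtering described in the post. Hypothetical names,
# constructed in-process target, no network traffic.
require 'uri'

MARKER = /\{X\}(.*?)\{X\}/m

# Replace the span wrapped by the two {X} markers with the URL-encoded test value.
# Assumption: the text between the markers is the original parameter value that
# the fuzzer overwrites (the transcript echoes PATH back as ID=3869).
def expand_path(path, value)
  spans = path.scan(MARKER)
  raise ArgumentError, 'PATH needs exactly one {X}...{X} span' unless spans.length == 1
  path.sub(MARKER) { URI.encode_www_form_component(value.to_s) }
end

# TYPE 1: NUMERIC, START..STOP inclusive.
def numeric_values(start, stop)
  (start..stop).map(&:to_s)
end

# TYPE 7: Long strings, e.g. "A" x 10000.
def long_string_values(char: 'A', lengths: [100, 10_000])
  lengths.map { |n| char * n }
end

# TYPE 4: File, one test value per non-empty line of a wordlist.
def file_values(text)
  text.each_line.map(&:chomp).reject(&:empty?)
end

Response = Struct.new(:code, :body, :time)

# Constructed stand-in for the HTTP client: answers 301 for purely numeric IDs
# and 500 with a database error message for anything else.
def fake_app(path)
  id = URI.decode_www_form_component(path[/ID=([^&]*)/, 1] || '')
  if id.match?(/\A\d+\z/)
    Response.new(301, 'Moved Permanently (constructed body)', 0.137)
  else
    Response.new(500, '[SQLServer] syntax error (constructed body)', 0.402)
  end
end

# One request per value. Rows are kept only when they match only_code (all rows
# if nil); the run stops after the first response containing stop_phrase.
def run_fuzzer(path, values, only_code: nil, stop_phrase: nil, client: method(:fake_app))
  rows = []
  values.each_with_index do |val, i|
    resp = client.call(expand_path(path, val))
    row = { id: i + 1, code: resp.code, length: resp.body.bytesize,
            time: resp.time, value: val }
    rows << row if only_code.nil? || resp.code == only_code
    break if stop_phrase && resp.body.include?(stop_phrase)
  end
  rows
end

# Print rows in the same column layout the module's output uses.
def print_table(rows)
  puts '| ID | CODE | LENGTH | RESP TIME | TEST VALUE'
  rows.each do |r|
    v = r[:value]
    shown = v.length > 20 ? "#{v[0, 20]}... (#{v.length} chars)" : v
    puts "| #{r[:id]} | #{r[:code]} | #{r[:length]} | #{r[:time]} | #{shown}"
  end
end

if $PROGRAM_NAME == __FILE__
  path = '/news/news.cfm?ID={X}3869{X}'
  # Plain numeric run, like TYPE 1 with START 1 and STOP 5.
  print_table(run_fuzzer(path, numeric_values(1, 5)))
  # Wordlist run using the CODE filter and stop phrase mentioned in the post.
  words = file_values("1\n'\n2\n")
  print_table(run_fuzzer(path, words, only_code: 500, stop_phrase: '[SQLServer]'))
end
```

Swapping `fake_app` for a real HTTP client is the only change needed to point this at an application you are authorised to test; the generation and filtering logic stays the same.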

Module Options

msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > show options
Basic configuration
msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > set RHOST TARGET_IP
RHOST => TARGET_IP
msf auxiliary(http_fuzz) > set PATH /news/news.cfm?ID={X}3869{X}
PATH => /news/news.cfm?ID=3869
msf auxiliary(http_fuzz) > set VHOST TARGET.com
VHOST => TARGET.com
msf auxiliary(http_fuzz) > set TYPE 1
TYPE => 1
msf auxiliary(http_fuzz) > set START 1
START => 1
msf auxiliary(http_fuzz) > set STOP 200
STOP => 200
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Start number: 1
[*] Stop Number: 200
[*] Iterations 200
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against https//TARGET_IP/news/news.cfm?ID={X}3869{X}
[*] | ID | CODE | LENGTH | RESP TIME | TEST VALUE

[*] | 1 | 301 | 172 | 0.137653884 | 1
[*] | 2 | 301 | 172 | 0.132698855 | 2
[*] | 3 | 301 | 172 | 0.149321481 | 3
[*] | 4 | 301 | 172 | 0.140961011 | 4
[*] | 5 | 301 | 172 | 0.143869671 | 5

... and so on

[*] Log file was created: /opt/metasploit3/msf3/data/fuzz_log/all_req_resp.xml
[*] Auxiliary module execution completed
Download http-fuzz.rb from here and place it in the following Metasploit directory: /msf3/modules/auxiliary/fuzzers/http/

Also, download the sample list of SQL injections from the same link into the folder /msf3/data/wordlists/ to enable option 6 of the fuzzer.

Things that I know are missing:
- Implement multiple fuzzing parameters
- Threads
- Need to implement follow redirects OPTION (302 response)
- Need to implement NTLM auth to test apps as valid user
- Auxiliary tool to read and search inside log

Other great tools that can be used for similar purposes are:
- Burp Suite
- CAT (I really recommend this one)
- Webscarab
- etc.

See the post on proxies for further reference: HTTP web proxies

I hope this helps someone. Please send me comments if something is broken or not working. I will be glad to help :)

c4an

Saturday, September 4, 2010

HTTP web proxies

Today I am posting my opinion about the proxies that I have used on my pentests. I am going to focus on three of them since those are the ones that I use the most.

The tools:

When I perform external application tests I usually tend to use Fiddler, Burp Suite and an incredible tool called CAT (Context Application Tool). My take on these tools is that they are awesome and provide great value to the people that use them. Obviously, they all have their limitations, but overall they help a lot (I cannot imagine a person doing a web app test without using a web proxy of some kind). The following is the list of CONS and PROS that I see in each tool after using them for a long time.

Fiddler
MITM proxy for Windows developed on .NET. This tool is great for just browsing and understanding applications. It allows you to look at all sessions being created, and since it is developed on .NET it will work with all web applications without problems when dealing with certificates or NTLMv2 authentication.

CONS:
- .NET = Windows (Please don't say MONO. I have not tested it on Linux, but when doing pentests I don't want to waste time on functionality issues, so I use two different VMs, one Linux and one Windows, for my tests)
- Limited in functionality: no fuzzer included, limited plugins, and the search engine is limited when you want to find specific patterns
- Cannot scan automatically

PROS
- Saves all requests and responses into sessions that you can later look at for further analysis, even if you need evidence that you forgot to take
- FREE!
- Plugins available that will also make your life easier
- Loading previous sessions is easy and fast no matter the amount of requests


Burp Suite
The best-known tool. This has been out there forever. It started as a free tool, and when it started to grow the developers started to charge users for specific functionality (PRO version). I don't think this is bad, since maintaining a tool like this takes a lot of effort and time. I will focus on the free version since that is what I use.

CONS
- It has happened to me that the tool does not work as expected when the web application uses NTLM authentication
- Limited functionality for sending a large amount of requests with different parameters
- I feel that sometimes this tool is slower than the other ones that I have seen. But I know CAT is considerably faster and more reliable when sending large amounts of requests
- The free version doesn't allow you to save sessions, so if you close the proxy, or if it crashes without you saving a screenshot or something that will help you remember what you were testing, you are screwed (think that pentests go on for more than one day)
- Personally, I hate the java GUI.

PROS
- Embedded spider with tree view
- Not dependent on the operating system, can run on Windows and Linux
- Embedded decoder << great feature and really helpful!!
- Embedded sequencer for token or cookie tests
- Overall it is a great tool, with limitations when used in the free version... as expected

CAT
This tool came out not that long ago and in my opinion it is awesome. It is also developed on .NET and works like a charm almost all the time.

CONS
- .NET = Windows (Please don't say MONO again but feel free to try it)
- Has some problems when handling really long wordlist files in the fuzzer
- When fuzzing a lot of words (>10000) and saving the requests in the results window, the tool will start to slow down due to memory consumption, so you have to periodically delete requests during large fuzzing runs or wait until it ends
- When loading previous sessions, if the session involves a lot of fuzzing the tool can just crash or not respond for a loooongg time.

PROS
- Embedded Fuzzer
- XSS, SQLi and CSRF scanner. Usually they work pretty well
- Saves all the sessions and allows you to review them later
- FREE!
- The fuzzer is really fast and allows a lot of customization with an easy and straightforward GUI
- Comes with a number of files to try while using the fuzzer (common folders, files, passwords, users, SQL, fuzzing)

My final take on this is that these three tools each provide something different and good to users. In most cases they have to be used together while testing web applications, since none of them will provide everything. Although I hate to say it, the one that I like the most is CAT because of the fuzzing capabilities and because it is free, though I hate that it is .NET. I guess if I could use the Burp Suite Pro capabilities for free and change the Java GUI I would stick to that tool. However, I use the three of them in all my tests since I don't have any money or funding.

c4an.