pen test

All posts tagged pen test

I was on an assessment this week, just double-checking some scanner results, and I ran across an interesting page (Figure 1).

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought that it might be worth giving it a second look for shellshock. Shellshock is the awesome brand name for CVE-2014-6271 which is a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS so I did a simple Nmap scan (Figure 2).

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and application vector to attack so I fired up Burp Suite and captured a request to the application (Figure 3).

Figure 3: Request to R2 web application

Knowing that I couldn’t do a Bash one-liner or upload any code to the system due to the restrictions, I started a tcpdump session on my own host looking for traffic from the remote host (Figure 5) and modified the User-Agent string to ( ) { :; }; /bin/bash “ping -c 10” (Figure 4) before forwarding the request on.

Figure 4: Shellshocking the User-Agent

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled, so the -c 10 option instructed it to send only 10 instead of pinging until the end of time. If this had been a true penetration test, instead of sending a ping command I would have used a Bash one-liner to get an interactive shell. This was my first in-the-wild Shellshock, so it was still pretty fun.
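Since this was a validation-only assessment, the defender's side of the story is recognising the probe in the web server logs. The following is an added example, not part of the original post: a Python check that parses Apache combined-format log lines (constructed here) and flags any request whose User-Agent or Referer carries the Shellshock function-definition prefix.

```python
import re
from typing import Dict, List, Optional

# A Shellshock (CVE-2014-6271) probe is a header value that begins with a Bash
# function definition, "() { ... };", followed by the command to run. The post's
# payload had a space inside the parentheses, so allow whitespace there too.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): one Shellshock probe against a
# cgi-bin script, one ordinary request to the same script, and an unrelated hit.
# Note the probe still gets a 200: the post's ping trick is blind, so the status
# code tells you nothing about whether the command ran.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2014:13:55:36 -0600] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 512 "-" "() { :; }; /bin/ping -c 10 192.0.2.10"',
    '203.0.113.4 - - [10/Oct/2014:13:56:01 -0600] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.9 - - [10/Oct/2014:13:56:30 -0600] "GET /index.html HTTP/1.1" '
    '200 1024 "http://example.test/" "curl/7.38.0"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock(value: str) -> bool:
    """True if a header value carries the function-definition prefix Bash would import."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return source IP, request line and status for every line whose User-Agent or
    Referer looks like a Shellshock probe. Any header can carry the payload; these
    two are simply the ones a combined log records."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        if is_shellshock(rec["ua"]) or is_shellshock(rec["referer"]):
            hits.append({"ip": rec["ip"], "request": rec["req"], "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} probed {hit['request']!r} (status {hit['status']})")
```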


The assumption is that you are here because you are either trying to learn about web app pen testing or you are stuck on one of the challenges. Everyone has their own way that they like to approach web applications. This is mine. We will end up at the same place so don’t get too hung up on style, focus on content.

All of the posts here are spoilers

To set up for all of the different challenges in DVWA you need to set the security level. This is relatively simple: just click the DVWA Security button and set the level through the interface.

Set Security Level

XSS Reflected – Low

I have security set to low and I have clicked on the XSS Reflected button. Nice test box, huh? Well, now what are you going to do? I like to jump right in and start stuffing things in there. No foreplay or anything.

HTML Injection Test

Why didn’t I go right for an alert(‘XSS’)? I like to see if HTML injection is possible at the same time. Feel free to skip that step and go straight to <script>alert(“XSS”)</script>. Look at that! HTML injection is possible. Let us go back and see if we can get a script to run.

HTML Injection Success

XSS Script Success

TL;DR <script>alert(“XSS”)</script>

XSS Reflected – Medium

Set the DVWA Security to Medium and throw that script back in there.

Medium XSS Failure

Why didn’t that work? Time to dig into the page source. If you read the PHP by clicking on the View Source button, the function checks for a null string, then replaces the string <script> with ‘’ if it is found. That is super effective against tools or testers that only use the exact string <script>. If you change it up a bit by adding capitalization, <SCRipT> or <ScriPt>, it doesn’t match and str_replace just passes it through. The PHP function is case sensitive but HTML is not.

PHP Function

TL;DR <SCRipt>alert(“XSS”)</scrIPT>

XSS Reflected – High

The High challenge uses the PHP function htmlspecialchars to escape special characters. I have tried to encode the string in multiple ways and have not figured out a way to run a script. This is the correct way to handle user input; it might be breakable, but I haven’t found a way around it yet.
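To make the three levels concrete, here is an added Python example (not DVWA's own code) that mirrors the three filters described above: the Medium str_replace and the High htmlspecialchars are emulated with str.replace and html.escape, the surrounding <pre>Hello ...</pre> output shape is assumed, and the check reports which of the two payloads from this post still reaches the browser as a live tag.

```python
import html
import re

# The two payloads from the walkthrough above.
PAYLOAD_LOW = '<script>alert("XSS")</script>'
PAYLOAD_MEDIUM = '<SCRipt>alert("XSS")</scrIPT>'


def filter_low(name: str) -> str:
    """Low: the value is echoed back untouched."""
    return name


def filter_medium(name: str) -> str:
    """Medium: mirrors str_replace('<script>', '', $name). The match is exact and
    case-sensitive, so any change of case in the tag slips straight through."""
    return name.replace("<script>", "")


def filter_high(name: str) -> str:
    """High: mirrors htmlspecialchars() with ENT_QUOTES. Nothing is removed; <, >,
    &, " and ' are encoded so the browser renders them as text, not markup."""
    return html.escape(name, quote=True)


FILTERS = {"low": filter_low, "medium": filter_medium, "high": filter_high}


def render(level: str, name: str) -> str:
    """The reflected output built around the filtered value (shape assumed here)."""
    return f"<pre>Hello {FILTERS[level](name)}</pre>"


def would_execute(rendered: str) -> bool:
    """Does the reflected HTML still contain an unescaped opening <script> tag?
    Tag names are case-insensitive to the browser, so the check must be too."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def test_matrix() -> dict:
    """Which (level, payload) combinations still execute; keys are 'level/payload'."""
    return {
        f"{level}/{label}": would_execute(render(level, payload))
        for level in FILTERS
        for label, payload in (("plain", PAYLOAD_LOW), ("mixed_case", PAYLOAD_MEDIUM))
    }


if __name__ == "__main__":
    for combo, executes in test_matrix().items():
        print(f"{combo:20} -> {'EXECUTES' if executes else 'blocked'}")
```

The takeaway the matrix shows: a blacklist that removes one spelling of a tag only blocks that spelling, whereas escaping leaves nothing for the browser to interpret as markup.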

Normally, I use Burp Suite to do everything because it does everything. That is because I have the pro version. If you have the community version you know that some of the attacks are throttled and the vulnerability scanner just doesn’t exist. If you don’t have the pro version of Burp or just want to try a different toolset this tutorial will take you through attacking the initial login page of the Damn Vulnerable Web App (DVWA site, DVWA ISO).

Once the application is up and running you will be presented with the initial page.

Home page for DVWA

Now what? You can either skip to the bottom and find it or we can brute-force the password and learn something. First thing we need to do is figure out what to attack. The easiest way is to look at the source code for the page.

Source Review


A second way is to capture a request to the page using a proxy; in keeping with the spirit of not using Burp, I grabbed this one using OWASP ZAP.

Zap Proxy Request Capture

The three fields are username, password, and Login. The next crucial piece is knowing what a bad login displays. This gives Hydra a way of discriminating between valid and bad login attempts.

Failed DVWA Login

I’m going to use xHydra but will give the command to run Hydra from a shell if that is the only access that you have on a system. Launch Hydra; on Kali Linux it is under the /usr/bin directory. The following images show all of the options being set.

OWASP Target Setup

Set the IP of the DVWA server and the protocol in use; for this we are attacking the web form, so http-post-form. To attack a login of any type you need two other things: a username and a password. The rockyou word list exists at /usr/share/wordlists. I also created a short list of usernames to use.

User List

User Name and Password for Hydra

The next step is to tune the brute force attack. I can use 32 threads and a 1 second timeout because both of the virtual machines, a Kali Linux attacker and the DVWA target, are on the same LAN segment and there is no concern about causing a denial of service. Piping the attack through the ZAP proxy is optional.

Hydra Tuning

The next tab is where all of the heavy lifting happens. The http / https url field contains the ‘:’ separated string /login.php:username=^USER^&password=^PASS^&Login=Login:Login failed. Breaking out the string: /login.php is the login page. The username and password fields are linked to the ^USER^ and ^PASS^ variables; these are the options set in the Passwords tab. The Login field is not linked to a variable but is used in the login string that we found in image 3. The last string, Login failed, is what we determined indicates a bad attempt.

Hydra HTTP Setup

Once you are all set to go, just click Start on the last tab and watch it go. If you look really closely at the password setup you’ll see that I cheated a bit and just ran a single password. I started running the rockyou wordlist and then realized that it would take a significant amount of time to complete.

Brute Force Success

To run this from a shell instead of the GUI use:

hydra -L UserNameFile -P PasswordFile -e ns -t 32 -u -f -m "/login.php:username=^USER^&password=^PASS^&Login=Login" <IP> http-post-form

-e ns checks for passwords that are the same as the username (s) and null (n)

-f exits after the first pair is found

-u is supposed to make the attack faster according to their readme but it doesn’t really say how. I think that it is a unique switch but I don’t have any proof.

Stay tuned for more DVWA updates on the challenges you now have access to since you brute forced this password.
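From the defending side, this attack leaves a very recognisable trail. The following added example (not from the post or from Hydra) runs a sliding-window count of failed POSTs to /login.php over a constructed JSON-lines access log; it assumes that a failed DVWA login answers with HTTP 200 (the re-rendered form containing "Login failed") and a successful one with a 302 redirect, so the two can be told apart from status codes alone.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumption (not from the post): a bad login re-renders the form with
# "Login failed" (HTTP 200); a good one redirects (HTTP 302). Confirm against
# your own server before relying on it.
LOGIN_PATH = "/login.php"
THRESHOLD = 10                    # failed POSTs from one IP ...
WINDOW = timedelta(seconds=60)    # ... inside this sliding window


def build_sample_log() -> List[str]:
    """Constructed JSON-lines access log: a 12-attempt burst from one address that
    ends in a successful login, plus two typos from a normal user."""
    t0 = datetime(2014, 7, 20, 9, 0, 0, tzinfo=timezone.utc)

    def rec(offset: int, ip: str, status: int) -> str:
        return json.dumps({"ts": (t0 + timedelta(seconds=offset)).isoformat(),
                           "ip": ip, "method": "POST",
                           "path": LOGIN_PATH, "status": status})

    lines = [rec(i, "192.0.2.10", 200) for i in range(12)]
    lines.append(rec(12, "192.0.2.10", 302))
    lines += [rec(0, "203.0.113.5", 200), rec(45, "203.0.113.5", 200)]
    return lines


def detect_bruteforce(lines: List[str], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[Dict]:
    """Flag each IP whose failed login POSTs reach `threshold` within `window`,
    and note whether a success followed the burst (likely a guessed password)."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            e["ts"] = datetime.fromisoformat(e["ts"])
            per_ip[e["ip"]].append(e)

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in events if e["status"] == 200]
        start, peak, burst_end = 0, 0, None
        for end, ts in enumerate(failures):           # two-pointer sliding window
            while ts - failures[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, burst_end = end - start + 1, ts
        if peak >= threshold:
            success_after = any(e["status"] == 302 and e["ts"] >= burst_end
                                for e in events)
            alerts.append({"ip": ip, "failures_in_window": peak,
                           "success_after_burst": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log()):
        print(alert)
```

The same counter works on any proxy or web-server log once the four fields are extracted; the useful signal is the burst of identical POSTs followed by a redirect, not any single request.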

Converting dd image to vmdk for analysis


Astute readers will notice that the names for the images used in this part are not the same as in Part 1. Good for you, astute reader. I pulled a 16GB Quantum Fireball out of an old desktop that had not spun up in at least two years. When I last booted the system it was a fully functional Windows XP SP3 desktop.

I imaged this drive using the method in Part 1, verified the image, and copied it from the Kali Linux laptop that I dropped the initial image onto to an external USB drive. Why? Because in forensics you NEVER want to work with the initial image. The entire process was about 45 minutes for all three steps. The external drive is USB3 and that definitely made the copy phase faster.

Converting this dd image to a vmdk file and then booting it is obviously going to change the hash. Just booting a Windows system adds multiple entries to the event log which is more than enough for verification to fail. Not to mention that the OS is going to install drivers for all of the new devices that are used by VMWare. In summary, NEVER WORK OFF OF THE INITIAL IMAGE.

Before we get to the actual conversion: there is no reason this couldn’t be dd to VHD or VDI instead. I have VMWare Workstation installed on my laptop and not VirtualBox or Virtual PC. I have used all of these and can’t say I have strong feelings for any one over the others.

The Good Stuff

Get the qemu utils: apt-get install qemu-utils

Next we use qemu-img from qemu-utils to convert to vmdk: qemu-img convert -O vmdk /path/image.dd /path/output.vmdk

Qemu-utils conversion

Get yourself a drink and stretch your legs. Forensics is a time consuming process. The conversion of this ~16GB dd file to vmdk took about 90 minutes.

The next step was to attach the disk to an existing virtual machine to ensure it would spin up. I happened to have a Windows XP virtual machine that I keep around mostly to run old software. Depending on how you plan on testing this hard drive you can take a snapshot of the drive to allow any changes to be rolled back; I didn’t do this simply because I could always convert the copy of the dd file again if I made some catastrophic change. If you wanted to boot directly into the XP operating system it would probably be necessary to run a repair install off of either a disk or ISO image containing the installation files. The chances that the underlying physical hardware is the same as the virtual hardware are just about zero. That is why VMWare has a physical to virtual converter.

Attached to VM

Here is where the pen testing part comes in. I spun the VM up and opened the drive in Windows Explorer to ensure that it worked. Oh look, right at the root: the Tax Backup folder. If this wasn’t my own drive I’d probably start there.

Pen Test Gold

What next? Well we have covered acquiring the image and converting it to a virtual disk format. The next article in this series will cover juicy places to look in both the file system and Windows registry. It will probably have a cheat sheet for different operating systems to find data that will help you look good during the report writing phase of penetration testing. You know that phase? The one that everyone hates doing? Might as well look good doing it.


Version two just rolled out of the python sweat shop.

Usage is python -p <port> -r <CIDR range> -t <threads> -h <usage and help>


The highlights:

Threading makes it fast. Like a /20 CIDR network in 10 seconds fast.

CTRL+C is handled nicely now.

IP addresses are scanned randomly to attempt firewall evasion.

The program gives a little more feedback now so you know it is working.

Known issue:

On my Kali Linux VM running with more than 256 threads throws an error. But 256 threads?!? I think I can live with that.

pypeciaV2 source code



I got some great feedback on the original code. I made a few of the quick and easy changes and am putting it out with those now. Send in your feedback using email or Twitter, the goal is to have a fast tool that is useful for the info sec community.

Changes in V1:

  • Added start/end messages
  • Added progress counters to give better user feedback when scanning large ranges

Changes coming in V2:

  • Threading to make it faster in large ranges
  • IP randomization to prevent firewalls from blocking the tool due to sequential scans
  • Graceful handling of CTRL+C

pypeciaV1 source code


I really like the network scanner propecia. But from the date in the program it was written in 1999. I wanted the same speed and simple use that also included IPv6 checks. My C programming isn’t that great so I decided to port it to python. propecia…pypecia…see what I did there?

The reason I needed to add the additional functionality was to check a firewall for proper rules restricting both IPv4 and IPv6 traffic. Hint, it wasn’t. Having a server in a DMZ locked up tight on the IPv4 interface and unsecured on the IPv6 interface is like locking half of the doors on your car and wondering why things got stolen.

pypecia scans a single port across the given CIDR network range: python -p <port> -r <CIDR range>

pypecia original version source code

Geographic Information Theory

There are two main types of geographic information found in files. Geotagging is the information placed in a file with the GPS coordinates of the location. EXIF (Exchangeable Image File Format) contains the geotagging information as well as device type and speed. EXIF contains more information and is normally limited by the capabilities of the device creating the file.

What are the common weaknesses? Data leakage from the geographic information can pinpoint the exact location where a file was created. This information can be used to find detailed maps using software such as Google Earth or to create detailed patterns of movement.

What are you trying to do? We are going to connect to Twitter and do geolocation on the @FIFAWorldCup account. Why the @FIFAWorldCup account? We know where the World Cup is happening, so it is easy to see if the information is correct.

Getting Started

Get creepy from here:

Ready to Go

For this tutorial it is installed in a Windows 7 virtual machine. The version in the Kali apt-get repositories was not the latest when this was written. Besides, the OS is just a tool; we don’t need to get caught up in an ideological battle about how somebody has to use a certain tool to be a ‘real’ hacker. Being effective is more important than being a zealot.

Edit the configuration: Edit -> Plugins Configuration then select Twitter Plugin -> Run Configuration Wizard -> Next. Enter your Twitter ID and password to authorize creepy by clicking Authorize APP.

Authorize Creepy

Wouldn’t this also be a great time to follow us @SecureNM? I’m not trying to make you feel guilty but you are here reading our stuff. Copy the PIN that Twitter generates into the text box at the bottom of the window and click the finish button.

Creepy Twitter Plugin Configuration

Creepy should now be authorized but just to be sure select Twitter Plugin and then click the Test Plugin Configuration button. Yay, we are ready to get started. Click OK a few times to get back to the main screen.

Twitter Plugin Success

From the file menu select Creepy -> New Project -> Person Based Project. This will start the project wizard. Fill in the information as you see fit.

Project Configuration

Add the information and select the proper plugin then select Search. In this case we used @FIFAWorldCup.

Search Results

Click the ID or IDs that you want to creep on (see what I did there?), then select Add to Targets. I added all of the IDs that were found to ensure data for this tutorial.

Select Next -> Next -> Finish.

Analyze the project by selecting the project and clicking the Analyze button.

There are many analyze buttons like it but this one is mine

Sao Paulo, Rio de Janeiro, and the Maldives are all among the locations of tweets sent by the Twitter IDs that creepy analyzed. Select one of these locations on the map and, through the power of Google and GPS, you can see the location and possibly a street view. In the immortal words of Keanu Reeves, Whoa!

Full Map of Tweets

Location of Maldives Tweet

I know what you’re thinking: wow, that was cool, but so what? So what, you say? This is how you would use it on a real-life security engagement. You get a black box test with nothing but a URL. You find the company’s Twitter account on the website. Feeding this information into creepy gives you locations that are potential targets for social engineering, physical infiltration, and WiFi attacks. See how just a little information can turn the tide in an assessment?

This is a small python script that will parse a word list by length. While working for another company I was able to use a NULL session to get the company password policy for Active Directory. Running the passwords that were shorter than the minimum length from the policy was a waste of time so I threw this together to solve that issue.

Usage is python -i <inputfile> -o <outputfile> -l <minimumlength>


Code: dictbylengthv0

dcfldd for disk imaging



If you don’t have a USB write blocker remount the drive to prevent unintentional changes to the drive. This is good forensics. dcfldd is a part of Kali Linux but if you want to add it from source it is available here.

Find the installed drives on the system:

ls -l /dev | grep sd

/dev output from grep

If you need more information about the drives to determine which is the source and which is the destination for the image:

fdisk -l

Output from fdisk

Change the drive permissions to read-only:

chmod 440 /dev/sdb

The drive is now set to read-only for both root and owner; it is time to start the image. This is a time-consuming process: dd takes a significant amount of time to copy the disk to an image.

An astute commenter mentioned that changing the block size to 4096 bytes dramatically increases the speed of the image, which is true. The default value is 512 bytes. Leaving the default at 512 bytes is a belt-and-suspenders approach: if a block is bad, dcfldd writes 0’s into the image, so the smaller and slower default minimizes the potential data loss. On a known good drive, increasing the block size may be appropriate depending on the circumstances. Where forensics are concerned, especially if the image may be used in a disciplinary or legal setting, it is best to err on the side of caution.

The hashwindow option allows the image to be split into multiple smaller image files that are individually hashed. This has the benefit that a failed hash invalidates only a portion of the total image. The option takes an input value in bytes; to use this option set hashwindow=1G.

dcfldd if=/dev/sdb hash=sha1,md5 md5log=/image/md5.txt sha1log=/image/sha1.txt of=/image/toshiba.dd

Now you’re imaging.

One of the advantages of dcfldd is the built in hashing function. When the image is completed we can verify that the image is sound by checking the hash log and a separately generated hash.

Check the hash values created during the imaging process:

cat /image/md5.txt

cat /image/sha1.txt

To generate a separate hash for verification run the following and compare the outputs:

md5sum /dev/sdb

sha1sum /dev/sdb

Verify that the image file is good and that the data hasn’t changed. You can use md5sum or sha1sum, but they take forever to run. dcfldd has a built-in verification function.

dcfldd if=/dev/sdb vf=/image/toshiba.dd verifylog=/image/verifytoshiba.txt
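The hashwindow and verification steps above, as an added Python example (not dcfldd's code): per-window digests computed the way hashwindow does, a constructed "start - end: digest" log in roughly that shape, and a comparison that points at the window where a copy diverges instead of only reporting that the whole-image hash failed. The 4 KiB byte string and the flipped byte stand in for a real drive and a real bad sector.

```python
import hashlib
from typing import List, Tuple

ALGO = "md5"       # the post logs md5 and sha1; one algorithm is enough to show the idea
WINDOW = 1024      # stands in for hashwindow=1G on a real image


def hash_windows(data: bytes, window: int = WINDOW, algo: str = ALGO) -> List[str]:
    """One digest per window-sized chunk, in order, like dcfldd's hashwindow output."""
    return [hashlib.new(algo, data[i:i + window]).hexdigest()
            for i in range(0, len(data), window)]


def total_hash(data: bytes, algo: str = ALGO) -> str:
    """Digest of the whole image, the value md5sum/sha1sum would report."""
    return hashlib.new(algo, data).hexdigest()


def write_hash_log(data: bytes, window: int = WINDOW, algo: str = ALGO) -> str:
    """Constructed 'start - end: digest' log (our layout, not dcfldd's exact one)."""
    lines = [f"{i * window} - {min((i + 1) * window, len(data))}: {h}"
             for i, h in enumerate(hash_windows(data, window, algo))]
    lines.append(f"Total ({algo}): {total_hash(data, algo)}")
    return "\n".join(lines)


def find_bad_windows(source: bytes, image: bytes, window: int = WINDOW,
                     algo: str = ALGO) -> List[Tuple[int, int, int]]:
    """Compare the per-window digests recorded at imaging time against the copy and
    return (window index, start, end) for each window that no longer matches. A
    whole-image hash only says 'verification failed'; this says where."""
    recorded = hash_windows(source, window, algo)
    current = hash_windows(image, window, algo)
    bad = []
    for idx, (a, b) in enumerate(zip(recorded, current)):
        if a != b:
            bad.append((idx, idx * window, min((idx + 1) * window, len(image))))
    if len(source) != len(image):                  # truncated or padded copy
        lo, hi = sorted((len(source), len(image)))
        bad.append((min(len(recorded), len(current)), lo, hi))
    return bad


# Constructed stand-in for a drive: 4 KiB of repeating bytes, then a copy with a
# single flipped byte at offset 2500 (inside the third 1 KiB window).
SOURCE = bytes(range(256)) * 16
_copy = bytearray(SOURCE)
_copy[2500] ^= 0xFF
IMAGE = bytes(_copy)

if __name__ == "__main__":
    print(write_hash_log(SOURCE))
    print("whole-image hash matches:", total_hash(SOURCE) == total_hash(IMAGE))
    print("bad windows (index, start, end):", find_bad_windows(SOURCE, IMAGE))
```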

This is what the whole process looks like.

Complete Image Process

If the verification fails you will get a message similar to this:

Verification Fail



This article was edited on 7/20 to include great feedback that was received from reddit users as well as direct comments. The comment was published because of the email address used. If you want recognition please feel free to contact us and I’ll update it again. Thanks to F. Erensics and HackThe______ for providing insight.

Get Foca

Download Link: http://www.informatica64/foca.aspx enter an email in the textbox at the bottom of the page labeled “Cuenta de correo”. A download link will be sent out; this link will expire.

Install from downloaded package.

Now What?

What are you trying to do?

  1. Create Project
    a. Click Project -> New project.
    b. Enter the Project name, Domain name and Alternative domains. The domain and alternative domains will be used during later analysis. Alternative domains such as or are used by Foca during later analysis.
    c. Be aware that on a website with a large number of documents, disk space can be consumed quickly. Take this into account when selecting the “Folder where save documents” location.
    d. Click the Create button.

Figure 1: New Project Creation

    e. Save the .FOCA file. This file contains the project definitions and the information found later, with the exception of documents, which are stored in the location provided earlier.
  2. Network and Domains Information
    a. Select the Network icon. The buttons have black text when active and grey text when deselected. By default all searches are selected.
    b. Click Start. This can take a significant amount of time because of the dictionary search option. All of the names or IPs added when the project was created as the domain website or alternative domains will be searched.
    c. Select the Domains icon. Information gathered about the domain will be in the center pane.

Figure 2: Domain Information

    d. When the Domains icon is selected, three main options can be selected to gather more information about the selected targets, to be used later to gather metadata.
    e. Clicking the Technology Recognition button identifies the web server type in use (Apache, IIS, ColdFusion, etc.). See Figure 2 for an example.
    f. The Crawling button uses the Google and Bing search engines to list the known files and folders.

Figure 3: Search Engine Crawling

    g. The Files button crawls the target using Google, Bing and Exalead to find documents of the selected type. These files form the basis of the metadata analysis in Section 4.
  3. Vulnerability Enumeration
    a. Currently there are no examples available of vulnerabilities found using Foca to populate this section.
  4. Document Enumeration and Metadata Analysis
    a. Select the Metadata icon. The files found in section 2g will be listed; to ensure a complete list, click the Select all button.
    b. Download files for analysis. Select a subset of files and choose Download from the right-click menu. Alternatively, right-click any file and select Download All.
    c. Once all files are downloaded, right-click any file and select Extract All Metadata from the menu. When this completes, select Analyze Metadata from the right-click menu. This populates information into the other sections of Foca.
    d. Examples of Metadata Usage
      i. The names found in the Users section create a list of accounts to be brute forced.
      ii. The Folders and Printers sections provide names of internal systems that can be targeted if a foothold is found externally.
      iii. The Software, Emails, and Operating Systems sections are the most useful when combined in a spear phishing attack. Knowing the specific operating system and software in use allows a very targeted exploit to be created. Combine this exploit with the specific information in a document from the user tied to the email address and a very effective phishing campaign should be possible.