So far we have been working on our introductory skills with a view towards becoming awesome (or at least competent) OS hackers. There's a catch though. How are we going to get access to target boxes? With that in mind we are going to start taking a look outside the OS and learn some web hacking skills that will make us more well-rounded attackers.
Over the Wire.
OverTheWire is a set of web-based CTF games. It has preconfigured CTF challenges and a suggested order to attempt them in. You may want to experiment with a few and see where your abilities fall in the order of things. I personally started with the Bandit series and went from there based on where my interests led. Even if you have some experience with Linux there are nice things to learn from the Bandit series of levels. You'll get some hands-on experience with Linux commands and directory traversal. As you progress you will get more experience with the basics of operating ssh and a nice intro to determining how a file is compressed and how to undo it. I would recommend making a folder on your machine to store the passwords you find, which makes getting back to where you left off easy.
You can also log into a live network where everyone is a target on OverTheWire. I am not sure how active that portion of the site is as I haven't done it before. But it's a nice option to have available. It could be fun to set up a VPN and a throwaway laptop to see how well you can do against live targets. Maybe a future project…
Web App Vulnerabilities.
We need access to operating systems to be able to hack them. That means gaining access over the internet, unless you are going to travel to the location of the web servers and social engineer your way in. What are the attack vectors for operating systems? If we are attacking a web server, the web apps on the server may offer the attack surface we need. There are also approaches that breach the browser to gain access to the underlying OS.
One Way to Get Started.
There are as many different answers to how to get started with attacking web apps as there are people learning to attack web apps. So here is the approach I’m using to gain experience.
OWASP is the Open Web Application Security Project. OWASP is a great resource for information about vulnerabilities and attacks. The project provides two great resources for getting started in the world of attacking web applications. The OWASP Testing Guide walks through a framework for conducting security tests, the vulnerabilities to look for, and how to test for those vulnerabilities.
The second resource is the OWASP Broken Web Apps virtual machine. OWASPBWA is a live environment you can import into VirtualBox and get some good experience with, all without having to worry about the FBI knocking on your door. In the next post in this portion of the blog we will go over setting up the OWASPBWA virtual machine and how to connect it safely to your host, so that you have a live environment for testing.
If you haven't noticed by now, reading is one of the main things we do as hackers. I'm always looking at new articles about attacks and defenses, constantly seeing what's appearing in the wild. So it should come as no surprise that we've got a reading list for getting started in attacking the web.
We've already mentioned one book, the OWASP Testing Guide, which may or may not be considered a beginner book. There are others that you can include in your library as well. Two of the most popular I've seen are Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman and The Hacker Playbook 2: A Practical Guide to Penetration Testing by Peter Kim. I own both of these books and unfortunately have not had the time to give them as thorough a reading as I would like. I am going to be changing that for this part of the blog. From the parts I have read, Penetration Testing is a more introductory text than The Hacker Playbook. That said, from the portions I've read of both books, they both seem excellent and great places to start.
The last book I'm going to mention here is The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. I have seen this book recommended as a next step after getting familiar with the OWASP Top 10.
What's your favorite Linux flavor? It really is almost that simple. There are two camps on what type of Linux distro to use when starting out in web hacking. The first camp is of the opinion that you should start with a basic Linux distro like Fedora, Debian, Ubuntu, Mint, on down the list, and then gather up the tools as you learn how to use them. There is something to be said for this approach and I won't say it's a bad one.
The second camp says to just go download Kali and learn how to use the tools included. That's not a bad route to go either, and in fact both Weidman and Kim tell you to do just that in the setup phase of their books. I also personally like BlackArch and Parrot as pen testing distros. BlackArch allows you to pick and choose whatever open source tools are available from their repos of 1000+ tools for any kind of hacking related activity you can think of. But BlackArch is based on Arch and you have to be careful about the stability of the system sometimes. That said, I like BlackArch, Parrot, and Kali all for different reasons. I also like having choices.
One of the greatest things about cyber security and hacking is the number of ways you can get involved in it. You could probably spend your entire life constantly learning and still not be lacking for new areas to branch into if you get bored. The best part is that those areas are interconnected. By branching into web app hacking we will become better OS hackers. Exploring the connections will tie both parts of the blog back into each other.
Next time we will start setting up a virtual environment to get some practice with.