Using the Nikto Web Application Vulnerability Scanner

Nikto is an extremely popular web application vulnerability scanner. Web application vulnerability scanners are designed to examine a web server to find security issues. Identifying security problems proactively, and fixing them, is an important step towards ensuring the security of your web servers. Nikto checks for a number of dangerous conditions and vulnerable software. Running Nikto on a regular basis will ensure that you identify common problems in your web server or web applications. Because most web servers host a number of web applications, with new software deployed over time, it is a good idea to run a scanner like Nikto against your servers on a routine basis.

Secure Web Application Penetration Testing

Engaging in a web application penetration test (pen test) is an increasingly common task for today's infosec professionals. Sadly, there's not a whole lot of guidance about how to begin this process with respect to basic logistics. A lot of testers simply set up a web server, install the software to test, and begin pounding away. This approach presents a number of issues, however. Careful consideration and measured approach are better investments of time and effort.

Hookworm Stealth PHP Backdoor

PHP remote shell backdoors are scripts that are uploaded by attackers onto compromised web servers in order to provide an easy way to issue commands on the remote server. Their capabilities vary, from simple scripts that evaluate URL arguments, execute them with a function, then display the results on the web page, to complex user interfaces that provide point and click functionality to perform many post compromise activities.

When is LFI Really ACE?

Local file inclusion (LFI) is a nasty vulnerability that affects many web applications. Normally, dynamic file inclusion is an extremely useful feature of scripting languages such as PHP. This compartmentalization allows for separation of logic code, display code, and various other components into separate areas of the application structure. However, dynamic file inclusion can open the door for vulnerabilities. Clever attackers can exploit these vulnerabilities to escalate LFI vulnerabilities into arbitrary code execution (ACE) attacks.

Mallory is More than a Proxy

Raj Umadas and Mike Zusman of Intrepidus Group gave an amazing talk on Mallory last night at the Philadelphia OWASP chapter meeting. At first glance Mallory seems like a simple tool, just a proxy application that sits on the wire. Closer inspection, however, reveals that Mallory offers functionality above and beyond traditional tools for packet inspection. Mallory looks like an exceptional tool that could be a valuable part of any software security assessor's toolkit.

Exploiting PHP PCRE Functions

Several high profile arbitrary code execution vulnerabilities in PHP web applications stem from improper handling of PCRE (Perl Compatible Regular Expression) functions. PCRE is designed to implement regular expressions for the preg_ functions in PHP (such as preg_match and preg_replace). Under most circumstances the PCRE engine is completely safe. It does, however, provide the /e modifier which allows evaluation of PHP code in the preg_replace function. This can be extremely dangerous if used carelessly. With the addition of this flag the normally innocuous search and replace function becomes a potential vulnerability.

PHP Null Byte Poisoning

Null byte poisoning can be an extremely dangerous problem in PHP applications. Null byte poisoning is often used as a technique to exploit arbitrary local and remote file include vulnerabilities, information disclosure vulnerabilities, and arbitrary filesystem manipulation vulnerabilities. Many of the functions vulnerable to null byte poisoning in PHP operate on the filesystem and can be the source of severe problems if misused. In order to fully understand the PHP null byte issue we have to examine how C handles strings.

PHP Arbitrary File Include

File include vulnerabilities in PHP present a pervasive problem that eludes many efforts at remediation. Understanding the dangers posed by PHP include and require functions is critical to defending web application. There are many strategies for utilizing file inclusion safely to prevent against file include vulnerabilities (both local and remote) as well as directory traversal attacks and information disclosure vulnerabilities. Using native PHP functionality allows a developer to produce safe, and maintainable PHP based web applications.

OWASP Releases DirBuster 0.11.1

Two days ago OWASP announced the release of a new version of their DirBuster tool. DirBuster is a Java based web application scanner. Basically you give it a host and it scans that host for directories on the host. DirBuster can utilize a list of directories and files or it can brute force them. DirBuster is nice because it can find files directories that might not be directly linked to. This can be used to expose information on the host that you might not find otherwise. DirBuster will also parse the HTML of files that it does discover, allowing it to follow links present in discoverable files as well. You can find more information about DirBuster at the OWASP site at

PHP Malware C99 Shell

The c99 shell is a somewhat notorious piece of PHP malware. C99 shell is often uploaded to a compromised web application to provide an interface to an attacker. The c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands on the server as the account under which PHP is running.

Security Researcher Toolkit

When you start working in computer security, as with many computer related fields, you'll find that there are a lot of expensive tools out there to assist in your work.

Building an MD5 Rainbow Table

The MD5 hashing algorithm is a common way to store user passwords in many PHP based applications. This mechanism effectively obscures the password so that if the password store is compromised, user accounts are not necessarily exposed. This mechanism also obscures passwords from site administrators, protecting the privacy of users. However, an attacker can build a table of MD5 values for dictionary or other values and simply look up stolen MD5 values in this "rainbow table."

Interrogating DNS

DNS (Domain Name System) is an important component of any reconnaissance or discovery phase of an attack on internet systems. DNS contains a host of valuable information that many attackers will seek out as a precursor to an attack on an organization. Like many services offered on the internet, DNS is designed to be open. In order to function properly DNS must provide records to both legitimate requestors and potentially malicious attackers.

Brute Forcing PHP MD5 Hashed Passwords

Many PHP based web applications use md5 hashing in order to obscure stored passwords. At first glance this seems like an effective security measure, however upon further examination it becomes clear that this approach does little to secure a password. Let us assume that an attacker somehow captures the md5 hash of a users password. This could happen in many ways, the most obvious being a SQL injection that reveals the password.

Using Paros for Web Application Auditing and Debugging

Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging. Although Paros is well known in the web application security circles, it is less known in general web development circles. In this article I'll go over some of the great uses from Paros that cross over both realms. Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for.

Web Hacking Lesson 6 - Arbitrary Code Execution Vulnerabilities

Arbitrary code execution vulnerabilities are the most damaging sorts of vulnerabilities to find in web applications. A web application that exposes an attacker to a direct connection provides an easy route for system compromise. At the very least this sort of application will ensure a server compromise. Discovering, and preventing, code execution vulnerabilities is critical for developers in order to protect the systems that host their web applications.

Web Hacking Lesson 5 - File Upload Vulnerabilities

File upload vulnerabilities (and local file disclosure vulnerabilities) are some of the most devastating vulnerabilities in PHP applications. Learning how to spot these sort of vulnerabilities, and prevent them, is critical to web application developers. In this, the fifth installment of the web hacking lessons, we explore how file file upload and local file inclusion vulnerabilities can be exploited to compromise a web application's security.

Web Hacking Lesson 3 - Brute Force

Brute forcing a web application is a method to bypass traditional authentication checks. Although brute forcing may seem like an attack that a PHP developer might not be able to mitigate, it is actually an important consideration when developing web applications.

SSHatter SSH Brute Forcer

SSHatter is a simple SSH brute forcer written in Perl. Although it is not a very robust tool, it is still useful when combined with other target enumeration tools such as NMAP.

Investigating Rogue Ports

Often times a system administrator will find open ports on a machine and wonder what they are for. It is easy enough to check to see the default use of a well known port (for instance, SMTP uses the default port 25), but this is no guarantee that the actual port observed is using the default service.

Wireless Hacking with Kismet

The proliferation of wireless networks is sometimes scary when you consider how insecure most wireless configurations are. With a little work, and some technical know-how you can easily break into most wireless networks or simply monitor the wireless traffic flowing all around you.

Password Recovery on Windows XP

Resetting or decrypting Windows XP passwords is as fast as booting from a CD. With proper tools it is easy to recover forgotten passwords or reset the administrator password on a Windows XP system.

Computer Security Class - Notes 2

These are the notes from the second session of the 'Computer Security' class I taught at Byte Back. This class covered general steps to breaking into a system and specific discussion of information gathering techniques useful prior to attempting any active system exploration or attack.

Suggested Material for Computer Security Class

These are my suggestions for reading for Computer Security class students. I've given handouts to most of the students so I'm providing this material online for their reference. A short list of good books, websites, and mailing lists related to computer security.

Computer Security Class - Notes 1

These are the notes from the first session of the 'Computer Security' class I taught at Byte Back. General outline of types of computer security, types of machines on a network and some basic terminology.

Happy Hacking via Wireless

Abusing unsecured wireless connections for fun and profit, including advice for protecting your own wireless connections.

Hack by Numbers

An examination of the how-to steps taken by many system crackers. Also includes some information on learning about system security, including how to set up a lab environment.

Madirish Tutorial 11 (Brute Forcing)

Breaking in - using a brute forcer to find a username and password for the target system. This article uses brutus specifically (from to break into a Windows 2000 FTP site.

Madirish Tutorial 10

Automating hacking tools, making a program to do what we did by hand in Tutorial 9. Includes the code for madirish.bat.

Madirish Tutorial 08

Finding a target and seeing what is available on target systems (target enumeration).