Join Malcolm Shore for an in-depth discussion in this video, Working with websites, part of Penetration Testing Essential Training.
- A significant part of any pen tester's work will be website testing. While automated testing tools are readily available, there are times when you might need to do manual testing using scripting tools such as Python. Let's have a look at how we can use Python to work with websites. Websites need to have pages uploaded and one common way to do this is using FTP. We can use the FTP server for testing if we have its credentials. So let's access the FTP server to check for our webpages.
We import the FTP library and then set the remote server address. We then log in with a set of credentials and set the working directory to the website folder, which is var/www. We then issue a dir command to get the directory listing. Okay, let's run it. Okay, we've accessed the target server and listed the directory. We can use urllib to retrieve webpages.
I'll import the urllib library and I'll call the urlopen function and include the webpage I want to see and I'll print it. The next thing an attacker might do is to modify a webpage to do something malicious. Let's see how an attacker can inject code into a webpage to send a web user to a malicious website.
Okay, so the first thing we do is to open the website FTP server and log in. Then we switch to the directory in which the target webpage exists. We open a temporary file on our system and use the FTP command retr to write the webpage into it. Then we write an iframe with this embedded link to the malicious website. For convenience, I've included my gotcha file in the same directory as the target page. But it could be anywhere. Then we reopen the temporary file and use the FTP command store to write that into the target, overwriting its webpage.
We then display a message indicating we've completed our inject. Let's see how this works. I've modified the Metasploitable starting page with an additional menu item for my account. This links to my account's webpage. This is a fairly simple query page for user with a link to display user information. Let's take a look at our gotcha page, which the inject will call.
Here I'm printing a message in a visible iFrame but we could be just as well using an invisible iFrame and downloading malware. Let's navigate to the webpage. We can see the new menu item at the bottom, called User Accounts. I'll select that. Then I ask for an account number. Okay, we can see the account details. Now let's run our Python script.
And let's have a look at our temporary file. We can see the account request webpage with the iFrame included at the end. Now let's go and look at our accounts webpage. I'll navigate to the webpage and now when I ask for an account number, I've also got the iFrame message. I've been compromised.
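A defender-side check for the change shown above, as an added example that is not part of the course's code: it compares a known-good copy of a page with the copy currently being served and reports any iframe that was not in the baseline, noting whether it is hidden and whether it sits after the closing html tag. The page contents and the file name gotcha.html are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record every <iframe> and whether it appears after </html>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.frames = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = {k: (v or "") for k, v in attrs}
            self.frames.append({"attrs": a, "after_html_end": self.html_closed})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def collect(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.frames


def is_hidden(attrs):
    """True for zero/one-pixel frames or frames hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def added_iframes(baseline_html, current_html):
    """Return iframes present in the served page but not in the baseline."""
    known = {f["attrs"].get("src", "") for f in collect(baseline_html)}
    return [
        {"src": f["attrs"].get("src", ""), "hidden": is_hidden(f["attrs"]),
         "after_html_end": f["after_html_end"]}
        for f in collect(current_html)
        if f["attrs"].get("src", "") not in known
    ]


# Constructed sample: a known-good page and the same page with a frame appended.
BASELINE = ('<html><body><iframe src="help.html"></iframe>'
            '<form action="account.php"><input name="id"></form></body></html>\n')
TAMPERED = BASELINE + '<iframe src="gotcha.html" width="0" height="0"></iframe>\n'

if __name__ == "__main__":
    for finding in added_iframes(BASELINE, TAMPERED):
        print("unexpected iframe:", finding)
```

Run against a baseline taken from source control or a deployment artifact, this catches appended frames even when the rest of the page is unchanged; pairing it with file hashes of the web root and alerts on FTP writes to that directory covers other kinds of modification.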
Cybersecurity expert Malcolm Shore reviews popular pen testing tools, as well as the Bash and Python scripting skills required to be able to acquire, modify, and re-use exploit code. He also provides a refresher on Kali Linux and introduces techniques for testing web services. At the end of this course, you'll be prepared to take more advanced training, and to pursue the popular Offensive Security Certified Professional (OSCP) certification.
- Pen testing overview
- Pen testing tools
- Bash scripting
- Python scripting
- Kali and Metasploit
- Web testing
- Finding exploit code