April 23, 2015

Security Testing Meetup: Beginners Kali Linux w/ RailsGoat

The Beginners Kali Linux w/ Railsgoat Meetup that I attended Wednesday, April 22, 2015 had one requirement: Set up Kali Linux running in a virtual machine.

After tinkering with Kali Linux on-and-off a few days before the training session, I finally was able to have a working installation up and running in a virtual machine on my MacBook Pro. It took me a while. Setting up a Linux distribution is a bit out of my comfort zone, but it was a good experience. Between listening to the instructional video one of the organizers, Apollo Clark, had created, and doing a lot of independent research, I was able to download, install, and set it up using Oracle's VirtualBox. 



Once it is all set up, the desktop looks like this: 
  • IceWeasel: Debian Linux's version of FireFox
  • Terminal: the Command Line Interface. 
  • NMap:  A free open source Network Mapper that can identify computers on a network, and scan for any open ports.
  • BurpSuite:  Allows you to inspect and modify traffic between your browser and a web or mobile application.
  • Wireshark: A packet sniffer I am only familiar with by name. 
Why Kali Linux?
  • Kali Linux is a shared platform. Once you have it running in a virtual machine, whether the main computer is a Mac, a PC or a Linux box, it is the same system. 
  • It's like a Swiss Army knife. All of the security tools are pre-installed, so it provides a good starting point. 
  • You can put it on a thumbdrive. Let's say you do not want to add all the security tools to a machine that is not your own. You can have a live boot option on a USB Flash drive, and boot into Kali Linux. 
  • It's quicker than installing each tool individually. As long as it took for me to set it up, it is easier installing one huge program than a hundred smaller programs. 
  • Maintenance becomes someone else's problem. Offensive Security does the work of bundling and updating the system.  
Install RailsGoat
For this Meetup, we were testing against RailsGoat (http://railsgoat.cktricky.com/), a Ruby on Rails application that has been left vulnerable on purpose, so security testers can practice examining web applications without actually doing any damage to any actual websites. Once you have Kali Linux set up, you then can then download and install RailsGoat to your Kali Linux environment.
If this explanation seems a bit "hand waving" it is because even though I have dabbled in testing mobile applications with the Ruby gem called Calabash-IOS, most of this material was new to me. 







Note that next to Applications, and Places, you can see the icons for a few commonly used programs.


When you select Applications -> Kali Linux -> Top 10 Security Tools you can see the most commonly used tools by security testers. 




Some of them I used when I was part of the security testing team at my last position:

At the Meetup, I asked Apollo and the other organizers: Why not just download the tools individually, such as your own specific Windows or Mac version of the tool? 


Next, Apollo recommended we install a Ruby on Rails web application called RailsGoat that beginning security testers can use to practice their trade. 




Instead of going to RailsGoat's Getting Started section of their website, Apollo wrote a shell script that does this for us:



This script goes into the home directory of Kali Linux, uses the Ruby Version Manager (RVM) to install Ruby version 2.1.5, clone the version of OWASPs GitHub site, installs the bundle package (called a "gem" in Ruby), installs mySql, sets up the database with rake (a Ruby version of the Make utility in Unix), starts up the application, opens up Firefox, and goes to the home directory (127.0.0.1) on port 3000. 


Steps to Install RailsGoat using the bash script: 

1) Open the Terminal for Kali Linux

Select the ">_" icon next to the IceWeasel icon. 

2) Check that Kali Linux has an internet connection

Before we run this script we need to check that we have internet access. Ideally, it should share the same network connection my MacBook has. You can open up a new Terminal in Kali Linux by clicking on the icon marked ">_" on the top left. In Kali Linux, open a terminal window and type in: ping google.com and made sure that I received an connection connection. Selecting CONTROL-C will exit out of Ping.

2) Save the installation shell script to the Desktop and run it

In the Terminal type in cd ~/Desktop to change the target directory to the Kali Linux Desktop. 

Once in the directory for the Desktop, type in wget http://apolloclark/install_railsgoat.sh to get the shell script Apollo wrote and stored on his site, and save it to the Desktop. 

Set the permissions by entering: chmod 777 install_railsgoat.sh
Run the shell script: ./install railsgoat.sh

This process will take a good ten or fifteen minutes for everything to install. 

3) Wait for RailsGoat to open

Once the installation process is done, a Firefox -- whoops, I mean "IceWeasel" -- browser will open displaying the RailsGoat application.


What information is the most valuable? 

While waiting for this page to appear, the organizers were talking about security testing. When it comes to basic security, you need to create threat models. 

What data do you need to protect the most? The most valuable data is medical data. Medical data is worth a good 50 to 60 bucks, it was mentioned, because it usually provides a person's full name, addresses, social security numbers, and maybe even mother's maiden name. Everything anyone would want to open up new credit accounts. The identities of people with retirement accounts are valuable. Credit information of someone with a high credit score is valuable. 


People's accounts and passwords? Not as valuable. Security testers need to know what threats to protect against. 


What threats are the most common? 


OWASP, the Open Web Application Security Project is a not-for-profit organization that focuses on improving the security of software. They compile a list of the OWASP Top Ten every few years detailing the ten most critical web application security risks, such as the top ten risks for 2013 in PDF format or on a Wiki

Some of them are:

  • SQL Injections when erroneous data is inserted into a query.
  • Cross-Site Scripting (XSS) where untrusted data can be sent to a web browser without validation. 
  • Security Misconfiguration, not updating the latest security patches of the server. 
  • Unvalidated redirects and forwards, where victims are taken to phishing or malware sites. 

RailsGoat walks the security tester through these various security risks with internal tutorials a security tester in training can read the hints and figure out how to test the application using the exploit. 

These tutorials can also be accessed on the RailsGoat Wiki at https://github.com/OWASP/railsgoat/wiki/tutorials




Because this web application is being run locally, you can bang on it all you want without worrying you will be wrecking someone's site. 


Sidenote: More RailsGoat Information: 



Ken Johnson (@cktricky), one of the creators of RailsGoat and former manager of the LivingSocial application, gave a talk about the program at the Atlanta Ruby on Rails Users Group back in September 2014.


Burp Suite Demo 




Official site of Burp Suite: http://portswigger.net/burp/




After RailsGoat was installed on the local machine, Apollo briefly gave the attendees a demo setting up Burp Suite. He mentioned that 99% of security testers use this tool. It's a proxy server that can be set up to listen to the traffic. You can then grab and edit the traffic. Other tools out there which do the same thing are Charles WebProxy and Fiddler.  


What we are trying to do in security testing is to get the system to behave in unexpected ways, discovering security flaws. 


Once we figure out an exploitation with this tool, you can also automate them on the command line using bash and curl to run scripts over and over.


BurpSuite can be accessed in Kali Linux on Applications -> Kali -> Top 10 -> Burpsuite. 


The main problem I had with this Meetup was that I was expecting a training session, and received a speed run. 


Apollo raced us through:



  • Setting up Burp Proxy: Note that RailsGoat is running on 127.0.0.1 (the HOME address) port 8080. You can change IceWeasel's network settings for the manula proxy configurations to be 127.0.0.1 port 8080, removing "No Proxy", so Burp will be listening to the traffic on your local machine. You can set Burp Proxy to listen in and intercept any HTTP calls the web application is sending. Users of Burp Proxy can then see all GET, POST. PUT, CREATE or DELETE calls. 
  • Using RailsGoat: With RailsGoat you can sign up for a new account with a made up email address, such as test@test.com, see what users are on the system, and go to the dashboard.  
  • Reviewing the HTTP Calls in Burp Proxy: Using Burp Proxy, you can see the /signup/users and /dashboard/home directories we entered. We can also see an encoded password. Using Burp's decoder we can copy and paste this string and see the exact username and password we entered into RailsGoat. If we double-click on the username test@test.com we can make the username blank, submit it, and see what we get as a response, and what sign up screen it re-directs us too. 
  • Performing a rudimentary Cross-Site Scripting example: If you go to the login screen, and enter in, say, the First Name field the following piece of JavaScript code: <script>alert("xss");</script> and refresh the page, you will see a popup in the web app saying "XSS". If you ever get an email where someone is pretending to be a bank, providing you with a link to go to the bank website to enter your username and password, you may be redirected to the actual bank website, but it is listening in to what your username and password is. Then, they can inject code into the browser to attack the bank's site with a valid username and password. 
  • Change the user you just created to be an admin: Let's say a developer creates a table of the different roles in the database. The first account might be an admin account. With RailsGoat, they purposely did that, where in the user table, if the [role_id] is 1, the user will become an admin. If you go to the Profile settings in RailsGoat, play around with the settings there, then examine what you see in Burp Suite, you can see  the JSON reference for user/6.json  and the parameter User[role_id]. In Burp Proxy, we can set our test@test.com account to role_id to Value: 1. After this is done, we see {msg: success}. If we go back to the dashboard in RailsGoat, we have a new section that appears: The Admin section. We have now changed a regular user to an admin user on RailsGoat!


Using Curl

The command "cURL" is a recursive acronym of Curl URL Request Library, like GNU (GNU's not Unix) and Nano (Nano's ANOther editor). It's Computer Science humor, folks! 

In the Terminal of your MacBook or in Kali Linux, type in: curl google.com. You get:


<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

This shows that when you tried to get the source code of "google.com", you came across a redirect. If you wanted to get all of the source code of the Google website, you can type in curl www.google.com

Sidenote: 

Apollo mentioned you can use cURL to:
  • Grab data from Burp Proxy and place it in a file login_headers.txt and login_request.txt on his Kali Linux Desktop.
  • Alter the file do it only contains the relevant headers such as: Host, Accept_Language, Accept_Encoding, Context_Type, x-requested, Referrer, Cookie, Connection, Pragma, Cache_Control.
  • Change the DOS endline characters that Burp outputted in the text file to Unix endline characters by: dos2unix login_request.txt and dos2unix login_headers.txt. 
After this was complete, Apollo wrote a complex cURL script and entered in into the Kali Linux Terminal:

curl -i -X POST http://127.0.0.1:3000/users/6.json --data-binary @login_data.txt -v -H "$(cat ~/Desktop/login_headers.txt)" --proxy 127.0.0.1:8080

When Apollo executed this cURL script, he was performing exactly what he did manually:
  • It posts to the RailsGoat site (http://127.0.0.1:3000) where it's user data is contained in a JSON file (/users/6.json).
  • It posts the data-binary file called "login_data.txt".
  • It executes the bash script to execute the Unix command to read using cat (cat: concatenate) the login_headers.txt file he created, connecting through the proxy 127.0.0.1:8080.
With a few text files and this curl script, a security tester can give the developers working on the products the actual bash code to execute they can then demo on their Unix environment. 

Other Notes: 

  • Attendees from Google mentioned that instead of RailsGoat, they use a site they created called Google Gruyerehttps://google-gruyere.appspot.com/ 
  • It was mentioned that there are pentesters that focus on specific languages, such as all the ways to test against exploitations in Java web apps, or all the exploitations in Ruby web apps.
  • Pentesting is actually a small field. If you go to OWASP Boston group meetings or the Boston Application Security Group meetings, you start seeing the same people.

What about Certifications? 

Current knowledge is worth most of all. If you follow the lessons in RailsGoat or do independent research, it is more worth your while, according to the organizers of the Meetup. There are certifications such as:

The problem with security testing is that there always a new technology coming out, and applications built in the new technology may have been pushed out without being adequately tested when it comes with security. JavaScript, it was mentioned, was originally meant to be executed on the client side, in a user's browser. Now, with node.js, it is operating on the server side. 

... Oh, and why did we install Oracle's VirtualBox when VM Mare is a better way to create virtual machines? VirtualBox is free. 



-T.J. Maher
 Sr. QA Engineer, Fitbit
 Boston, MA

// Automated tester for [ 1 ] month and counting!

Please note: 'Adventures in Automation' is a personal blog about automated testing. It is not an official blog of Fitbit.com
Post a Comment