[00:00:00] Welcome to part six of this module. In this section we're going to be taking a look at sqlmap and how we can use it to perform SQL injections for testing against a web application. The purpose of this demonstration will be to show how a hacker might use these techniques to obtain usernames, passwords, credit card numbers, your grandmother's laundry list, as well as any other information that is meant to be kept secret in a website database. We must understand the attacks so that we can know what to guard against, and this tool will allow you to pen test the web applications that you build so as to keep your users' data safe from the unscrupulous.

[00:00:47] This is one of the most powerful tools in Kali, and it does the sort of thing people normally think of when they hear the word "hacker." For that reason I have to remind you that performing these techniques against a website that you do not personally own, or have written permission from the owner to pen test, is going to be highly illegal in almost every jurisdiction.

[00:01:07] sqlmap comes prepackaged with Kali 2.0. It is open source software that is used to detect and exploit database vulnerabilities and provides options for injecting malicious code into them. The tool automates the process of detecting and exploiting SQL injection flaws, providing its user interface in the terminal window.
[00:01:33] The program can be launched by going to Applications, Web Applications, and clicking on sqlmap, but we'll be launching it in the terminal window. To do this we just type sqlmap, and we're going to include -h for help. The command alone, without a target or a switch, won't do anything. The software itself is available to download for different operating systems. It works on pretty much all Linux distributions, Mac OS, and yeah, even Windows.

[00:02:10] In addition to mapping and detecting vulnerabilities, the software enables access to the databases: editing and deleting data, and viewing data in tables such as users, passwords, backups, phone numbers, email addresses, credit card numbers, your grandmother's super secret CIA alternate identity, and so on. You get the idea. sqlmap has full support for multiple DBMSs, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, and SAP MaxDB, and offers full support for all injection techniques, including boolean, error, stacked, time, and union.

[00:03:01] This tutorial will cover all of the basic usage, although given the power and the sheer range of options available for this tool, to cover every possible use and iteration of it would be an entire class unto itself. Our target in this demonstration is going to be the Bricks vulnerable web app, which is part of the OWASP Broken Web App.
[00:03:23] The -- Vulnerable Web App (DVWA) on Metasploitable 2 would work just fine, but I wanted to mix things up a little, and since most of you are probably following along with Metasploitable 2 to conduct your own tests, this will make it an excellent exercise for you to crack into the -- Vulnerable Web App on Metasploitable 2 yourselves.

[00:03:43] Here we see a basic login page; this is what we are going to be testing against. The goal is going to be to find all of the usernames and passwords by testing whether or not these fields are vulnerable to SQL injection, and if so, whether we can use that to gain access to the back end database. Now that everything is set up, we'll begin.

[00:04:13] So without further ado, let's get started with sqlmap. To launch the program we're going to do sqlmap -u, for URL, and this is where we would give it a target, such as, I don't know, whatever website you've been given permission to test against. And of course after the URL you would put in the various options that you wish to use with it, as outlined in the help file, but I'll be entering the IP address of my broken web app, which is running on my own network here in the office. As we work through this, we will be introducing different switches at the command line.
[00:05:03] Little by little, each time we run the program we'll build on the last thing that we did. Since we're going to be using that login page from the Bricks application, go ahead and copy this, and let's just go ahead and take a look at this real quick. We can see that we only have two form fields. If we view the page source we can see that the form is posting back to itself. We have input boxes for the username and password, and that is the information we need to give to sqlmap in order to test against these fields.

[00:05:55] And what I'm talking about is right here. There are a few other ways you can do this. One of them is by using the --forms option. So let me just correct our target to include the web URL. We know that the back end database being used here is MySQL, so to save time with the enumeration we'll just specify that with --dbms=mysql, and then we're going to do --forms, and we'll have it retrieve the banner information for the database with --banner.

[00:06:51] So if we go back and look at what we have here: the -u option is where we specify the URL of our target; --dbms is where we specify the back end database. If you don't know the back end database there is another option that you can use, which is --dbs, which will cause sqlmap to try to enumerate the database and figure out if it is MySQL or a Microsoft back end or PostgreSQL or something like that. It'll try to figure it out for you, but be aware that this will turn an already lengthy process into an extremely lengthy one.

[00:07:32] As for --forms, what this is going to do is have sqlmap look at the source code for the website and look for forms of input. So with the Bricks application it's going to see the username and password form fields, and that is what it is going to test against. And finally, --banner is going to tell it to try to retrieve the version of the MySQL database that is running on the back end. So we hit enter, and almost right away it's going to start asking us to verify certain options. For most of these we're going to say yes, and we're going to leave this field blank just by hitting enter, because we don't know what this is yet. And yes.

[00:08:24] OK, so it's identified two places that are vulnerable to SQL injection, which are the two forms I spoke of, username and password. We'll just select zero for username, and this is asking if we want to exploit this SQL injection, which is a bit like asking a kid in a candy store if you would like some candy.
[00:08:45] So of course we're going to say yes. So here we see the version being run, which is MySQL, and we can see that the version, the banner version, is 5.1.41, an Ubuntu build. OK, now we'll see if we can get sqlmap to print out a list of all of the database users on the server. So we're going to bring back our command, and we're going to replace banner with --users. We'll leave everything else the same and we'll hit enter, and it's going to ask us the same questions again, so we're going to give the exact same answers. And there we go.

[00:09:44] Now I should mention I've run this already, so the first time you do this it's probably going to take a while. So it has retrieved, if you scroll up here, 38 total users. These are database users for every application on the server, which is good information to have. We could also take this a step further and try to get the password hashes for these users. So we're going to bring back our command and we're going to add in --passwords. It's literally as easy as just adding in --passwords at the end of our command string, and we'll press enter again. We have to answer the same questions again, and I know that can be a bit tedious. Yes, yes, and zero.
[00:10:44] And now it's asking if we would like to store the hashes for eventual processing with another tool. Normally you would do this. I'm not going to, but it is something that you can do if you don't want to have sqlmap attempt to break the hashes itself, or you can have sqlmap try and, if it fails, you'll have the file that you can then run through something else. So I'm just going to say no here, but you'll probably say yes when you're using this on your own. And do we want to perform dictionary-based attacks? The answer is yes. This may take a while.

[00:11:21] Now it's going to attempt to crack all of these password hashes that we have for these usernames, and it's going to use a wordlist to do this. Now you can use the default dictionary file that comes prepackaged with sqlmap, and that's what I'm going to do. Or you can use your own custom dictionary file, or you could use a file with a list of dictionary files, although that's getting into some really lengthy processes. So I'm going to select one here, and I recommend against using common password suffixes. It will take a very long time. You can do it if you wish. All right. And now sqlmap is essentially brute forcing each and every password that it finds.
[00:12:18] And fair warning, this may be a rather lengthy process, so I may be making a small cut to the recording here in a moment. But essentially what this is doing is sqlmap is testing each password hash using the dictionary file, in this case the default dictionary file that came prepackaged with sqlmap. It's testing every possible letter and word combination against that password hash. Now, it is going to succeed in a relatively timely manner because this is a vulnerable web application, so all of the passwords that it's going to be cracking are relatively simple. Very complex passwords will not be quick to crack. And if you do decide to use the common suffixes, it will improve your chances of cracking the password, but it will also greatly lengthen the cracking process. So I'm going to make a small pause to the video here; this should take about five to 10 minutes, give or take.

[00:13:28] All right, we have successfully cracked these hashes. It took about seven or eight minutes, which isn't too bad. Of course your mileage may vary depending on the strength of the passwords, the power of your system, and your wordlist complexity. But as you can see, it's taken these hashes and it has converted them into plain text passwords, which we can use with the usernames associated with them to log in. So now, of course, these weren't very complex passwords.
[00:14:05] It goes without saying that people who are wise will use very strong passwords, and those will be highly resistant to this sort of method. Of course, if it's a major web server and it's vulnerable to SQL injection, then it's pretty much 100 percent certain that an attacker is going to walk away with a pretty large number of passwords one way or another, because most people just don't use strong passwords.

[00:14:30] So now that we have the usernames and passwords, let's move on to listing the actual databases that are available to use on the server. We're going to use the same basic command as before, but this time we're going to introduce another option called --dbs. This is going to enumerate the server and list out any databases that our session user has access to. So we'll clear out users and passwords, because we have them, and yes, we hit enter, and we're going to have to answer the questions again. Now, you can run sqlmap in such a way that you don't need to answer these questions every time, but that is a bad habit to get into for complex tests, so I don't advocate doing that.

[00:15:29] All right. It looks like it was able to retrieve all of the databases which are on this particular VM. Of course, this doesn't normally go that smoothly.
[00:15:40] If a web app is set up correctly, the user that the database is running as should not have access to all of the other databases on the server. In this tutorial we'll just be going over the Bricks application, but if we wanted to spend the time we could enumerate every single database that is on the server. Some of these databases could, in a real world situation, contain credit card information, Social Security numbers, the nuclear launch codes, or anything else you might not want to get out. So this is where patience and persistence become important. Against a target with real safeguards, passwords and credit cards are obviously going to be a lot harder to get, thankfully.

[00:16:26] However, if we look at large scale data breaches in the past, such as, for example, the Ashley Madison hack of 2015, these same methods were used to pull an immense amount of personal information on users, including real names, home addresses, search history, and although credit card numbers were not pulled, or were encrypted in such a way that they could not be broken through brute force, credit card transaction history was, not to mention the plethora of passwords that may be applicable to other accounts associated with that user. Over 25 gigabytes of this personal information was then leaked, resulting in many users being publicly shamed and the eventual collapse of the service.
[00:17:15] Now, the example I'm citing is slightly more complex than what you're seeing here. For example, I believe that hashcat was used to crack the password hashes rather than cracking them right there in sqlmap. But that sort of thing aside, it's clear to see that the real world consequences this type of attack can have can be pretty dire, even when the obvious things like credit card numbers are being properly protected. The lesson here for security minded people is that when you are setting up a database in a web app on a live production system, be sure to watch out for the user that you are letting that database run as, and the permissions that user has.

[00:17:54] For right now we'll just concentrate our efforts on the Bricks database, since this is the page that we're looking at. The next thing we need to do, then, is enumerate the tables and columns that database contains. So we're going to replace --dbs with -D bricks, lowercase. Forgive me. And that's going to specify the database that we're going after, and we're going to add --tables. So we typed bricks to signify our target, and then by adding --tables that tells sqlmap that we want to find out all of the tables that are contained within the Bricks database. We hit enter, and we're going to have to answer the questions again: yes, enter, yes, zero. We could use one.
[00:19:05] And yes. All right. It looks like there was only one table in that database, which is the user table. Well, that's fine, because that is what we would be looking for anyway. The next thing we want to do is enumerate the columns that are contained within this user table. So we go back to our command and we're going to change it. We're gonna get rid of tables. We're gonna do -T users --columns. You can see that we've once again extended our command. I mentioned at the start of this tutorial that each subsequent command would build on itself, and that is a good example. Sorry.

[00:20:07] Now it's come back and it shows us all the different columns contained in that user table: email, hosts, passwords, et cetera, et cetera. From here we could choose to dump all of the information that is presented, but right now we only want the ones that contain the juiciest types of data. We'll tell it to grab the names, passwords, and I think we'll have it get the email addresses as well. So we're going to pull up our command again, and we're going to remove columns and do -C, capital C, names,password,email --dump. The syntax is just going to be the name of the column that you want, a comma, and then the next column.
[00:21:11] But make sure you don't put any spaces in between them. And of course we have to answer our questions again, and we can see the process running; it's retrieving the info for us, and this is about how long it usually takes. I'm not going to store the hashes at this time, but I am going to try to crack them. All right, so it looks like we got the passwords and email, but... I'm sorry, I see what happened. All right. I said names when I really meant to say name, because that was the name of the table. I think that's why we're seeing blank right here. That is a mistake that can happen. Yeah. Name. OK.

[00:22:39] Well, I think I'm going to leave that mistake in, because it's an example of what can happen if you make a syntax error, but I will very quickly rerun this command, and I won't make you sit through the enumeration process again. I'll make a small cut right here. Alrighty, so it came back already. We now have the name, password, and email for all of the users that are contained within the users table within the Bricks database. Now if we go back to the website, we know that we can type admin for the username and admin for the password, and we click submit, and we're in. It doesn't actually do anything, of course.
[00:23:31] This is just a simulation, but it tells us that we have successfully logged in using the admin account. Now we can also log in with lesser credentials, for example Ron and Ron, or Tom and Tom. If you log in with any of these you would then have access to anything that user has rights to. In cases where some databases are hidden depending on user permissions, it may be possible to use previously captured credentials to escalate your attacks to find those additional databases that are limited to those specific users, and so by that way expand and continue to drill down and enumerate and get more and more permissions, and so on and so forth, and increase your credentials. It all depends on how sloppy the creator of the web app is in terms of the way in which database permissions are set up and where such data is stored.

[00:24:27] Of course, if you find an admin user you've basically struck gold. From there the sky is pretty much the limit in terms of what you can do, and what you just saw applies to all of the databases on this web server. Again, it's just a question of persistence and patience. We could theoretically get every scrap of information off every database here. If you remember from just a little bit ago, we were actually able to get a list of all the databases on the server. So what if we wanted to look up one of those other databases? Let's scroll up here.
[00:25:16] There we go. So we'll do DVWA, the -- Vulnerable Web App, since those of you following along are probably using Metasploitable 2 as your test target, and you'll still have Metasploitable 2 to experience all on your own. Of course we'll have to change this. I just want to show you how, since our user has access to all of these databases, we can pull data from other databases as well. We're going to add dvwa and --tables, and this will be the same steps as before, same questions as before. It might not go quite as quickly because I don't think I already did this on a test run, so it may have to enumerate. No. There it goes. All right.

[00:26:11] You can see that the -- Vulnerable Web App has two tables in it: guestbook and user. We can continue to drill down by working through that. So we're going to replace tables with -T users, and we're going to do --columns. Once again the scan will run, same questions as before. As you can see, it's giving us back the columns contained in that user table, along with the data types for each one. So let's remove columns and see -C user,password for the columns user and password. Let me make sure I spelled those right. I did.
[00:27:19] OK. And remember not to put a space; it needs to be user,password, all one string, no spaces. --dump, and let that run. Yes, enter. Yes, 0, and yes; I'm not going to store the file at this time. And yes. All right.

[00:27:53] So we're getting usernames and password hashes in the first phase; then sqlmap will ask us if we want to store and/or crack these. As you've seen, I let it do so, and now we've got the usernames, and in parentheses are the clear text passwords, located right after the hashes that have been cracked. And it actually went pretty fast, so as you can see it got all of these. If the default wordlist failed, you could save the hashes and use something else to try to crack them, or just a more powerful wordlist.

[00:28:27] As I said, it's not possible to demonstrate every conceivable use of this tool, but if you practice with it, things like this will become second nature to you. From a simple SQL injection flaw it is possible to steal significant data from any web based database. Starting out, we didn't have to be logged into the web app to try to get this information. We simply exploited an issue with the username field in our target, the Bricks web app, which allowed us to bypass any authentication required for this web app and gain back end access to the database.
[00:29:08] From there we were able to extract all of this information, and because the database user is running with root privileges, we have access to every database on this web server. Imagine if you had 30 different web applications running on one server. One of these web apps has a flaw in it; that one flaw could be leveraged by an attacker to gain access to all of the information that server contains, depending on how the user permissions are configured. This is something to always keep in mind when setting up your own applications.

[00:29:44] Now, that pretty much covers the basic barebones usage, but there are a few more things I'd like to mention. So to show you this I'm going to delete most of this command. We're done with this. There is an option called --level. It goes from one to five, with five being the most exhaustive. What this basically does is it causes sqlmap to use a larger number of payloads when testing injection sites. The default is 1; if you set it to 2 or higher, sqlmap is going to try injection attacks in more than just the GET and POST parameters of the page. It's going to look at the user agent and any cookie values that are passed, as there may be injection points in those items as well.
[00:30:38] You would want to use maybe a higher level if you were working on a web app that might have vulnerable injection points, but they are a little harder to leverage and exploit. In case this sounds a bit cryptic, what I mean is, in the real world, if you're going up against a real-world target, you have to assume a basic level of competence, and it will probably resist the default level of one, since most web app creators are getting better about obvious flaws. So if the target of your authorized penetration test is something like a financial institution, you would absolutely want to use a higher-level attack to get the best possible test coverage.

[00:31:26] Another option is --risk. This goes from 1 to 3, with 3 being the highest. This causes sqlmap to use more risky injection techniques. A word of caution with this one: if you do set it to a higher level, you could introduce issues into the databases that you maybe didn't intend. If you have a query that is using an UPDATE statement, for example, it is possible that you could accidentally end up updating all of the different tables in that database where you didn't actually mean to.
[00:32:05] Just as one example. So be careful when using --risk.

[00:32:13] We can see all of the different payloads that sqlmap uses by looking under the /usr/share/sqlmap/xml/payloads folder. We can see that these are all XML files, named for the types of payloads that they contain. It is possible, therefore, to build on these and add your own or edit existing packages if you have some custom attack that you want sqlmap to try.

[00:32:48] Finally, I'd like to speak briefly about the --technique switch. This option will allow you to specify which injection type you want to use. By default sqlmap uses all injection types, and when I say injection types I mean things like boolean-based, error-based, stacked queries, blind injections, inline injections, and so on and so forth. By default sqlmap tries all of these unless you expressly specify otherwise. If you've done some manual testing on a web app and find that it is vulnerable to, I don't know, let's say an error-based SQL injection, you could specify with this switch that you only want sqlmap to use that type of injection payload against the target: error-based attacks. That will save you some time during your testing process.

[00:33:46] All right, that is going to pretty much do it for this video. We have just barely scratched the surface of all the capabilities sqlmap has.
[00:33:55] As I said, this would be an entire class unto itself, but with this understanding of the foundational principles it should be easy to build your skill with sqlmap through time and practice. Like nmap and certain other programs in this class, the use of sqlmap is part science and part art; the science of it can be taught, but the art has to be developed. This is one of the most powerful applications in the Kali Linux toolbox, and with time and effort you can make it do things that go far beyond what you've seen here. Just remember to always be legal and ethical in how you use it. Thank you.