Title: ZZ2 F5 - Software security (2/2) - web application security
Date: 2019-11-20 10:55
Category: <i class='fa fa-graduation-cap' aria-hidden='true'></i> Students
Tags: course

[TOC]

## Course outline

* Architecture

    * [HTTP](slides/1337/http.html)

* Pentesting

    * [Collecting](slides/1337/collecting.html)
    * [Detecting](slides/1337/detecting.html)

<!-- * Exploit

    * [Heartbleed](slides/1337/heartbleed.html) -->

* Mechanisms

    * [Authentication](slides/1337/authentication.html)

* Common vulnerabilities

    * [Command execution](slides/1337/cmdi.html)
      * [Shellshock](slides/1337/shellshock.htm)
    * [Upload](slides/1337/upload.htm)
    * [LFI_RFI](slides/1337/fi.htm)
    * [XSS](https://doc.m4z3.me/_/1337/XSS.htm)
    * [CSRF](https://doc.m4z3.me/_/1337/CSRF.htm)
    * [SQLi](https://doc.m4z3.me/_/1337/SQLi.htm)

* Exploit

    * [Drupalgeddon](https://doc.m4z3.me/_/1337/drupalgeddon.htm)

* Protecting yourself

    * [Top10](https://doc.m4z3.me/_/1337/top10.htm)
    * [anticipate](https://doc.m4z3.me/_/1337/anticiper.htm)
    * [react](https://doc.m4z3.me/_/gdi/cnrs.htm#/cover)


<div class="panel panel-success">
  <div class="panel-heading">
    <h3 class="panel-title">FYI</h3>
  </div>
  <div class="panel-body">
    <ul>
      <li>All the slides are made with <a href="https://github.com/hakimel/reveal.js">reveal.js</a>
        <ul>
          <li>they can be exported to PDF by appending <code>?print-pdf#</code> to the URL (right after the <code>.html</code>) and printing to a file from Chrome or (better) <a href="https://www.chromium.org/">chromium</a>
            <ul>
              <li>more details in the <a href="https://github.com/hakimel/reveal.js/#pdf-export">reveal PDF export</a> documentation</li>
            </ul>
          </li>
        </ul>
      </li>
    </ul>
  </div>
</div>

## Recreating the course environment in VirtualBox

* tested with [VirtualBox 5.2.18](https://download.virtualbox.org/virtualbox/5.2.18/virtualbox-5.2_5.2.18-124319~Ubuntu~bionic_amd64.deb) on [Ubuntu Bionic](http://releases.ubuntu.com/bionic/)
  * and the matching [extension pack](https://download.virtualbox.org/virtualbox/5.2.18/Oracle_VM_VirtualBox_Extension_Pack-5.2.18.vbox-extpack)

```bash
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.2.18.vbox-extpack
```

on Windows you may need to use the full path to VBoxManage

```
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
```

### Create a NAT network

The lab lives on its own NAT network, `172.16.76.0/24`; DHCP is disabled because every VM has a fixed address (see the VM list below).

```bash
vboxmanage natnetwork add --netname natwebsec --network "172.16.76.0/24" --enable --dhcp off
```

### Download the OVA images

see [https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/](https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/)

```bash
# Quote the URLs: an unquoted & sends wget to the background and drops the
# dl=1 parameter, and -O gives each download its real file name instead of
# "index.html?p=...".
wget -O debian.ova 'https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/files/?p=/debian.ova&dl=1'
wget -O proxy.ova 'https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/files/?p=/proxy.ova&dl=1'
wget -O kali.ova 'https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/files/?p=/kali.ova&dl=1'
wget -O thenetwork.ova 'https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/files/?p=/thenetwork.ova&dl=1'
wget -O ubuntu-server-18.04.ova 'https://drive.mesocentre.uca.fr/d/69e5535b0b88425396d7/files/?p=/ubuntu-server-18.04.ova&dl=1'
```

<div class="panel panel-warning">
  <div class="panel-heading">
    <h3 class="panel-title">FYI</h3>
  </div>
  <div class="panel-body">
    the images add up to about 7 GB, feel free to pass them around on USB sticks
  </div>
</div>

### Import the OVA images

```bash
vboxmanage import debian.ova
vboxmanage import proxy.ova
vboxmanage import kali.ova
vboxmanage import thenetwork.ova
vboxmanage import ubuntu-server-18.04.ova
```

### Configure the network of each VM

Attach the first NIC of every VM to the `natwebsec` network created above (the VM names are those registered by the import):

```bash
vboxmanage modifyvm debian --nic1 natnetwork --nat-network1 natwebsec
vboxmanage modifyvm proxy --nic1 natnetwork --nat-network1 natwebsec
vboxmanage modifyvm kali --nic1 natnetwork --nat-network1 natwebsec
vboxmanage modifyvm thenetwork --nic1 natnetwork --nat-network1 natwebsec
vboxmanage modifyvm ubuntu-server-18.04 --nic1 natnetwork --nat-network1 natwebsec
```

![réseau vm](images/etudiants/vm-network.png)

### (optional) Set up ssh port forwarding to the VMs

Each rule maps a port on the host loopback to port 22 of one VM (thenetwork, proxy, debian, kali, ubuntu-server-18.04 in that order). Rule names must be unique within a NAT network, since the name is what `--port-forward-4 delete <name>` removes later, so each rule gets its own name.

```bash
vboxmanage natnetwork modify --netname natwebsec --port-forward-4 "ssh-thenetwork:tcp:[127.0.0.1]:1722:[172.16.76.142]:22"
vboxmanage natnetwork modify --netname natwebsec --port-forward-4 "ssh-proxy:tcp:[127.0.0.1]:1723:[172.16.76.143]:22"
vboxmanage natnetwork modify --netname natwebsec --port-forward-4 "ssh-debian:tcp:[127.0.0.1]:1724:[172.16.76.144]:22"
vboxmanage natnetwork modify --netname natwebsec --port-forward-4 "ssh-kali:tcp:[127.0.0.1]:1725:[172.16.76.145]:22"
vboxmanage natnetwork modify --netname natwebsec --port-forward-4 "ssh-ubuntu:tcp:[127.0.0.1]:1726:[172.16.76.146]:22"
```

### (optional) Connect over ssh

```bash
ssh -p 1722 mazenovi@127.0.0.1 # thenetwork
ssh -p 1723 mazenovi@127.0.0.1 # proxy
ssh -p 1724 mazenovi@127.0.0.1 # debian
ssh -p 1725 mazenovi@127.0.0.1 # kali
ssh -p 1726 mazenovi@127.0.0.1 # ubuntu server 18.04
```
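The steps above (NAT network, import, NIC attachment, port forwarding) can be run as one idempotent script. The script below is an added example, not part of the course page: it assumes the five OVA files sit in the current directory, that the VM names registered by the import match the file names, that it is saved as `setup-lab.sh`, and it uses the 1722-1726 host port scheme and the guest addresses from the VM list. `DRY_RUN=1` prints the `vboxmanage` commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original course page): build the whole lab in
# one go. Assumes the OVAs are in the current directory and that the VM names
# inside them match the file names used here.
set -eu

NATNET="natwebsec"
SUBNET="172.16.76.0/24"

# One VM per line: "<vm name> <guest ip> <host ssh port>". Addresses follow the
# course hosts list, host ports follow the page's 1722-1726 scheme.
LAB_VMS="thenetwork 172.16.76.142 1722
proxy 172.16.76.143 1723
debian 172.16.76.144 1724
kali 172.16.76.145 1725
ubuntu-server-18.04 172.16.76.146 1726"

# Run a VBoxManage command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before VirtualBox is touched.
vbm() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "vboxmanage $*"
  else
    vboxmanage "$@"
  fi
}

# Port-forward rule in VirtualBox natnetwork syntax: $1 vm name, $2 guest ip,
# $3 host port. The rule name must be unique within the NAT network (it is the
# handle used by "--port-forward-4 delete <name>"), hence "ssh-<vm>".
pf_rule() {
  printf 'ssh-%s:tcp:[127.0.0.1]:%s:[%s]:22' "$1" "$3" "$2"
}

# Host port to pass to "ssh -p" for a VM; empty if the VM is unknown.
ssh_port() {
  printf '%s\n' "$LAB_VMS" | awk -v vm="$1" '$1 == vm { print $3 }'
}

# "vboxmanage natnetwork list" prints one "Name: <netname>" line per network.
natnet_exists() {
  vboxmanage natnetwork list 2>/dev/null | grep -q "^Name: *${NATNET}\$"
}

# "vboxmanage list vms" prints one '"<name>" {<uuid>}' line per VM.
vm_exists() {
  vboxmanage list vms 2>/dev/null | grep -q "^\"$1\" "
}

setup_lab() {
  if ! natnet_exists; then
    vbm natnetwork add --netname "$NATNET" --network "$SUBNET" --enable --dhcp off
  fi
  printf '%s\n' "$LAB_VMS" | while read -r name ip port; do
    if ! vm_exists "$name"; then
      vbm import "${name}.ova"
    fi
    vbm modifyvm "$name" --nic1 natnetwork --nat-network1 "$NATNET"
    vbm natnetwork modify --netname "$NATNET" --port-forward-4 "$(pf_rule "$name" "$ip" "$port")"
  done
}

# Only act when invoked as setup-lab.sh on a machine that has VirtualBox.
if [ "${0##*/}" = "setup-lab.sh" ] && command -v vboxmanage >/dev/null 2>&1; then
  setup_lab
fi
```

Running `DRY_RUN=1 ./setup-lab.sh` on a clean host prints the same command sequence as the sections above; once the VMs are up, `ssh -p "$(ssh_port kali)" mazenovi@127.0.0.1` reaches kali.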

## (fix) If the network is unreachable on proxy and thenetwork

if

```bash
ping 172.16.76.145 # ping kali
```

returns

```bash
connect: Network is unreachable
```

check the name of your network interface

```bash
student@proxy:~$ ifconfig -a

eth2      Link encap:Ethernet  HWaddr 08:00:27:ae:b5:20
          inet addr:172.16.76.143  Bcast:172.16.76.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:feae:b520/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4789 (4.7 KB)  TX bytes:4679 (4.6 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4076 (4.0 KB)  TX bytes:4076 (4.0 KB)
```

for instance the interface may be eth2 (as above) instead of eth0

you then need to edit /etc/network/interfaces accordingly

```bash
student@proxy:~$ sudo vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth2
iface eth2 inet static
        address 172.16.76.143
        netmask 255.255.255.0
        gateway 172.16.76.1
```

then bring the interface up

```bash
student@proxy:~$ sudo ifup eth2
```

try again

```bash
ping 172.16.76.145 # ping kali
```

This bug comes from the way Ubuntu names network interfaces: the imported VM's NIC typically gets a new MAC address, the udev persistent-net rule written for the original card keeps `eth0` reserved for the old MAC, and the new card is given the next free name (`eth2` here), which the static configuration in /etc/network/interfaces does not mention. Editing the file as above is the quick fix; removing the stale entry from `/etc/udev/rules.d/70-persistent-net.rules` and rebooting brings the card back as `eth0`.
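The manual fix above can be scripted so it works whatever name the card came back with. The script below is an added example, not part of the course page: `primary_iface` picks the first non-loopback interface out of `ip -o link show` output, `interfaces_stanza` produces the same static stanza as the proxy configuration above, and `fix_interfaces` (root only, takes the VM address and gateway as arguments) rewrites `/etc/network/interfaces` and runs `ifup`. The `ip` sample embedded in it is constructed to mirror the `ifconfig` output shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original course page): detect the interface
# name the imported VM actually got and regenerate the matching static
# stanza for /etc/network/interfaces instead of editing it by hand.
set -eu

# Print the first non-loopback interface name found in `ip -o link show`
# output read from stdin (-o puts one interface per line, "N: name: <...>").
primary_iface() {
  awk -F': ' '$2 != "lo" { sub(/@.*/, "", $2); print $2; exit }'
}

# Static stanza for $1 (interface), $2 (address), $3 (gateway), in the same
# shape as the course's proxy configuration (the lab is a /24).
interfaces_stanza() {
  cat <<EOF
auto $1
iface $1 inet static
        address $2
        netmask 255.255.255.0
        gateway $3
EOF
}

# Rewrite /etc/network/interfaces for the detected interface and bring it up.
# Must run as root on the VM; $1 is the VM's address, $2 the gateway.
fix_interfaces() {
  iface=$(ip -o link show | primary_iface)
  {
    printf '# The loopback network interface\nauto lo\niface lo inet loopback\n\n'
    printf '# The primary network interface\n'
    interfaces_stanza "$iface" "$1" "$2"
  } > /etc/network/interfaces
  ifup "$iface"
}

# Constructed sample of `ip -o link show` on proxy after the OVA import
# (the NIC came back as eth2, not eth0; MAC taken from the ifconfig output).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 08:00:27:ae:b5:20 brd ff:ff:ff:ff:ff:ff'

# Only touch the system when run as root with both arguments, e.g.
#   sudo ./fix-iface.sh 172.16.76.143 172.16.76.1
# Otherwise just show which interface would be configured on the sample.
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
  fix_interfaces "$1" "$2"
else
  printf '%s\n' "$SAMPLE_IP_LINK" | primary_iface
fi
```

On a VM where the card is already `eth0` the script is a no-op in effect: it regenerates the same stanza the OVA shipped with.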


## VM list / domain names

`/etc/hosts` entries for the lab; `172.16.76.1` is the NAT network gateway, i.e. the host machine, which is why it appears as `us.er`.

```
# SecLab
172.16.76.143 proxy secured heart.bleed fo.ol #proxied version of dum.my

172.16.76.144 good.one go.od targ.et
172.16.76.144 mutillid.ae
172.16.76.144 dvwa.com dv.wa
172.16.76.144 d.oc
172.16.76.144 dum.my
172.16.76.144 drup.al hackable-drupal.com drupal
172.16.76.144 wordpre.ss bl.og wp wordpress
172.16.76.144 spip sp.ip
172.16.76.145 bad.guy hack.er 1337.net

172.16.76.142 thenetwork

172.16.76.1   us.er
```

## Assessment

* Written exam at the end of the session

## Mini project in pairs

* [Assignment](https://drive.mesocentre.uca.fr/f/d9e76a8e45934a069890/?dl=1)

<!-- * [Assignment](https://drive.mesocentre.uca.fr/f/54bdd1a80c184bbcb63e/?dl=1) -->

* Due on 25/03/2019 at 23:59, final deadline
    * to [vincent.mazenod@uca.fr](mailto:vincent.mazenod@uca.fr)
      * `[TP websec]` in the mail subject ... otherwise I will lose you ;)
    * All files named NOMETUDIANT1_NOMETUDIANT2_nomfichier.ext (student 1 name, student 2 name, file name)

## Course feedback

Whether you liked or hated this course ... [give me your feedback and help me improve it (fully anonymous)](https://docs.google.com/forms/d/1w65KH2cnL_DbTKrUT-2AMvQ_p0Ht-wfSJT2YLEB8l7E/prefill)
## See also

* [build your own seclab](https://blog.mazenod.fr/faire-son-propre-seclab.html)