Understanding Log Analysis of Web Server

From Wikipedia

Logs

Log files are a standard tool for computer systems developers and administrators. They record the "five Ws" of the system: what happened, when, by whom, where and why. This information can record faults and help in their diagnosis.

Log Format

The Common Log Format is also known as the NCSA Common Log Format. Each line in a file stored in the Common Log Format has the following syntax:

[host; ident; authuser; date; request; status; bytes]

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] “GET /apache_pb.gif HTTP/1.0” 200 1068

  1. A "-" in a field indicates missing data.
  2. 127.0.0.1 is the IP address of the client (remote host) which made the request to the server.
  3. user-identifier is the RFC 1413 identity of the client.
  4. raj is the user id of the person requesting the document.
  5. [30/Aug/2017:10:25:16 -0700] is the date, time, and time zone at which the request was received.
  6. "GET /apache_pb.gif HTTP/1.0" is the request line from the client.
  7. 200 is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
  8. 1068 is the size of the object returned to the client, measured in bytes.

Importance of log analysis

Logs play an important role in tracking each client computer's activity and its communication with other computers and networks. A network or system administrator analyses logs in order to keep an eye on the network for vulnerabilities that could be used to enter it and access sensitive information through security attacks. You might be able to identify who introduces risks and help that person take better precautions.

Location of log files

Generally, on Linux or UNIX systems logs are created under the /var/log directory, where you will find some very important log files such as those for Apache, auth, MySQL, the kernel, bootstrap, dmesg, apt and so on.

Some Important Types of Logs

Application log

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.

Apache: /var/log/apache

Samba:  /var/log/samba

Mail: /var/log/

Mysql:  /var/log/

For example, let's consider Apache log files for analysis. There are two types of Apache HTTP server log files:

  • Apache Access Log File

The Apache server records all incoming requests and all processed requests to a log file. The access log is located at /var/log/apache/access.log.

  • Apache Error Log File

All apache2 error information found while serving requests is logged to this file. The error log is located at /var/log/apache/error.log.

Now open the apache2 log using the following command in a terminal (UNIX system).

You can see all the log files of apache2 as shown in the given image.

Using the echo command I had emptied access.log of all previous logs, so that we can read only the recent logs for the current activity.

As described above, apache2 will create logs for client activity in the browser. Therefore I opened some web applications, dvwa, bWAPP and a WordPress site, in that order, and as a result the logs will be created inside apache2 in the same order.

There are many commands and tools for log analysis; among them we have used only three command line utilities, cat, head and tail, for reading logs.

From the given image you can see we have used the cat command to read the log, which begins with dvwa's log and ends with the WordPress log.

cat is a standard UNIX utility used for reading the contents of a file. With the help of the cat command you can view the whole content of any log file.

Syntax: cat [options] filename

head is a program on UNIX and Unix-like systems used to display the beginning of a text file.

Syntax: head [options] filename

By default, head will print the first 10 lines of its input to standard output. Use the -n option for a specific number of lines, for example head -n 30 filename.

tail is a program on UNIX and Unix-like systems used to display the tail end of a text file.

Syntax: tail [options] filename

From the given image you can see that it has shown the log for WordPress at the end of the file.

A significant way of reading logs

Since tail reads the last lines of the log file, which contain the most recent client activity, we are going to use tail's options for reading logs in a more targeted way.

By default, tail will output the last 10 lines of its input to standard output. Use the -n option for a specific number of lines, for example tail -n 30 filename.

From the given image you can see that the above command applied the filter and read only two logs from the most recent records.

If you want to read multiple log files simultaneously, type the following command.

From the given image you can observe that it has shown two logs for each file, i.e. the access log and the error log.

Now apply a filter using the grep command together with the tail command to select specific records of the log.

Syntax: tail [option] filename | grep "string" [option]

From the given image you can notice that it has highlighted the logs containing the string 200. Generally, for a network administrator, this command reduces the effort of log analysis because he/she can directly read those logs where the client or attacker got a successful response from the server.

When the server is not able to reply to a request made by the client, it responds with error 404 "Not Found".

From the given image you can see it has highlighted the string 404 in the set of log records.

As you know, in the browser we browsed the web applications DVWA, bWAPP and WordPress in that sequence; therefore we get their logs in the same sequence: the dvwa logs at the top, the bwapp logs in the middle and the WordPress logs at the end of the access.log file.

Log files are very large, and reading them all at once is not possible for the administrator; therefore, he/she can use the after and before options of grep as a filter for logs.

Syntax: tail [option] filename | grep -A [number of lines] "string"

Here -A stands for after; therefore it will show 2 logs created after the bwapp logs, which here means 2 logs of WordPress, as shown in the given image.

Similarly, apply the filter using the before parameter and type the following command with a specific argument.

Here -B stands for before; therefore it will show 2 logs created before the WordPress logs, which here means 2 logs of bwapp, as shown in the given image.
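As an added example that is not part of the original article, the following Python script parses lines in the Common Log Format described at the top of this section and reproduces the two filters used here: counting records by status code (the grep "200" / "404" step) and showing records before or after a match (grep -B / -A). The access.log lines in SAMPLE_LOG are constructed for the example, not a real capture.

```python
import re
from collections import Counter

# One NCSA Common Log Format line: host ident authuser [date] "request" status bytes
# The request field is quoted because it contains spaces; a lone "-" marks a
# missing value (ident, authuser and bytes are commonly "-"). Apache escapes
# embedded quotes in the request as \", which this simple pattern does not handle.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample access.log (not a real capture): requests for dvwa, then
# bwapp, then wordpress, in the same order as the browsing session described above,
# plus one malformed line to show that it is skipped rather than crashing the parser.
SAMPLE_LOG = """\
192.168.0.104 - - [30/Aug/2017:10:25:16 -0700] "GET /dvwa/login.php HTTP/1.1" 200 1553
192.168.0.104 - - [30/Aug/2017:10:25:17 -0700] "GET /dvwa/favicon.ico HTTP/1.1" 404 492
192.168.0.104 - - [30/Aug/2017:10:26:02 -0700] "GET /bwapp/login.php HTTP/1.1" 200 4072
192.168.0.104 - - [30/Aug/2017:10:26:03 -0700] "POST /bwapp/login.php HTTP/1.1" 302 -
192.168.0.104 - raj [30/Aug/2017:10:27:40 -0700] "GET /wordpress/ HTTP/1.1" 200 29180
192.168.0.104 - - [30/Aug/2017:10:27:41 -0700] "GET /wordpress/wp-login.php HTTP/1.1" 200 2310
this line is not in common log format
"""


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if the line does not match."""
    m = CLF_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # A well-formed request line is "METHOD PATH PROTOCOL"; anything else is kept whole.
    rec["method"], rec["path"], rec["protocol"] = parts if len(parts) == 3 else ("", rec["request"], "")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # "-" means no body
    return rec


def parse_log(text):
    """Parse every non-empty line of an access log; returns (records, skipped_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def status_counts(records):
    """Requests per HTTP status code, the equivalent of grep -c for 200, 404, ..."""
    return Counter(r["status"] for r in records)


def with_context(records, needle, after=0, before=0):
    """Records whose path contains needle, plus `after` records following and
    `before` records preceding each hit, mirroring grep -A / grep -B."""
    hits = [i for i, r in enumerate(records) if needle in r["path"]]
    keep = set()
    for i in hits:
        keep.update(range(max(0, i - before), min(len(records), i + after + 1)))
    return [records[i] for i in sorted(keep)]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {bad} malformed line(s)")
    print("status counts:", dict(status_counts(recs)))
    # Equivalent of: tail -n 10 access.log | grep -A 2 "bwapp"
    for r in with_context(recs, "/bwapp/", after=2):
        print(r["host"], r["authuser"], r["status"], r["bytes"], r["path"])
```

Running it against a real access.log only needs the text read from the file instead of SAMPLE_LOG; the counts make a quick sanity check before narrowing in with the context filter.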

Auth Log

The auth.log file holds system authorization information, including user login attempts, both successful and failed, as well as the authentication method that was used for establishing a connection with the server, for example an SSH login between server and client.

Location: /var/log

Again I had used the echo command to remove all previous records from inside auth.log.

Suppose the client uses PuTTY for SSH login into the server.

If the client has valid credentials for SSH then he will log into the server successfully. From the given image you can see I had logged into the server successfully. Hence inside the server's auth.log file a new record will be created for the successful SSH login.

In the next image you can read an access denied message, which means the login to the SSH server failed. Hence this time a new record will again be created inside the auth log, for the SSH login failure.

Now let's read all the records of the auth log file for the above client activities using the cat command.

From the given image you can read the logs for the successful and failed logins.

Vsftpd Log

The vsftpd log holds the system authentication log for FTP login records, either success or failure.

Location: /var/log

I had deleted all previous logs using the echo command and used WinSCP for FTP server login. You can observe that we had logged in successfully. Hence it will create a new record in vsftpd.log for the client's successful login.

Now let's verify it through the vsftpd log file, using the cat command for reading the whole file. From the given image you can observe that it has created a record in the log file showing CONNECT for client 192.168.0.104.

System Log

syslog is a standard for system logs or message logging. The administrator may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard.

Location: /var/log

Use the cat command for reading syslog as shown in the given image.

APT Log

apt is a standard command-line tool on UNIX-like systems, which performs functions such as installing new software packages, upgrading existing software packages, updating the package list index, and even upgrading the entire Ubuntu system.

Location: /var/log

Hence apt keeps its own log files for all newly and previously installed software. It has two log files:

  • log : /var/log/apt
  • log /var/log/apt

Now type the following command for reading the history log of apt.

From the given image you can observe the result, which contains information about software installation and updates.

That was a brief theory of reading logs in the simplest way.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

WordPress Penetration Testing Lab Setup in Ubuntu

Today we are demonstrating how to install and configure WordPress for penetration testing inside a web server. To configure WordPress, you must install web host software such as XAMPP/WAMP, or read our previous article "Configure Web Server for Penetration Testing (Beginner Guide)", which will help in setting up your own localhost web server. Here we are using our own web server, which we had configured on Ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit //en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you may remember that we had specified a blank password for the root user. Now start by logging into phpMyAdmin as the root user.

phpMyAdmin is divided into two parts, the left and right panels. The left panel contains the names of existing databases and the right panel contains functional settings for performing maintenance operations on tables, backing up information, editing things and creating or deleting databases.

In order to store WordPress data, we need to create a new database. Now click on the Databases tab given at the top of the right panel.

Now enter a name for the database, such as WordPress, and then click on Create. After that, you will observe that a new database "WordPress" has been added to the left panel.

Open the terminal and type the following command to download WordPress inside /var/www/html.

Now unzip the latest.zip archive.

From the given image you can see we have a wordpress folder inside the /html/ directory.

Now for the WordPress installation, open it in the browser through the URL // localhost/wordpress as shown in the given image. At the end of the window click on Let's go to proceed with the installation.

In the next window enter your database connection information such as:

Now click on the Submit tab.

In the next window, you will get some lines of code to configure the wp-config.php file, as shown in the given image. Now copy the highlighted text into a text document. After you have done that, come back and click on Run the install.

As you can see, we have pasted the copied text above inside a text file and then saved it as wp-config.php on the desktop.

Since we have saved wp-config.php on the desktop, we are going to move it inside /var/www/html/wordpress using the following command.

After that, go back to the previously opened tab and click on Run the install.

A "Welcome" window will come up; now fill in the information below and you'll be on your way to the WordPress installation.

At last, click on the "Install WordPress" tab given at the end of the window.

Once WordPress has installed successfully, click on Log in as shown in the given image.

Now enter your WordPress credentials to log in.

Great!! Finally our website "pentest lab" is online on the localhost server and is ready for posting articles and blogs.

Now we need to add some plug-ins to WordPress so that we can practise WordPress penetration testing by exploiting plug-in based vulnerabilities. WordPress' plug-in architecture allows users to extend the features and functionality of a website or blog.

Now type the following command to give all permissions on the files and folders of /var/www/html owned by www-data.

For penetration testing practice we are going to download some vulnerable plug-ins so that we have our own vulnerable WordPress site.

We had downloaded a vulnerable plug-in, "reflex gallery 3.1.3 arbitrary file upload", found on exploit-db.com; you can download many other vulnerable plug-ins from the exploit database.

Now log into WordPress as admin to access the administration control panel, then select the Plugins option from the dashboard and go to the new plugin option so that you can add the downloaded plug-in to your WordPress.

Now browse to the zip file you downloaded and then click on Upload Plugin for installation.

It will install the plug-in into WordPress; now to activate it, click on the Activate Plugin tab as shown in the given image.

Similarly, you can install as many vulnerable plug-ins into WordPress as possible. You can see we had installed many plug-ins in our WordPress so that we can practise more WordPress penetration testing, which you will learn in our next upcoming article.

Wait for our next article, where you will learn how to exploit WordPress plug-in based vulnerabilities.


Configure Web Application Penetration Testing Lab

In our previous article, you learned how to configure a web server on an Ubuntu system with the help of LAMP services for designing your own pentest lab. Today you will learn how to configure the four famous web applications (DVWA, bWAPP, SQLI, and Mutillidae) inside the web server for web application penetration testing (WAPT) practice.

Let’s Begin!!

Open the terminal, log in as the root user and move inside the html directory using the following command.

Basically, to operate all the web applications in the browser through localhost, you should download and configure these web applications inside the html directory only.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, and to help web developers better understand the processes of securing web applications.

Download dvwa inside html using the following command.

Now type the following commands step by step to configure dvwa.

From the given image you can see we have downloaded the master.zip file; now unzip this file using the command below.

After unzipping, move the files and folders of DVWA-master into dvwa.

After that, move inside config in order to rename config.inc.php.dist to config.inc.php.

Now open config.inc.php using the above command; here you will observe that db_password is p@ssword. Remove the password and leave db_password blank.

After leaving the password blank, save config.inc.php.

Now run the web application in the browser through the URL localhost/dvwa/setup.php.

As shown in the given image a web page will open for dvwa setup; now click on the Create / Reset Database tab.

Log into the web application through the URL localhost/dvwa/login.php; by default the username and password are admin and password respectively for logging into dvwa.

Using the above installation steps you can configure dvwa in your web server and perform web penetration testing by exploiting the given vulnerabilities.

bWAPP

bWAPP, or buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bwapp and then unzip that folder.

Now move bwapp from the download directory to the html directory using the move command.

Now you can observe we have bwapp inside the html directory.

Now make the following changes inside the file "settings.php" for its configuration.

Here remove the password “bug” for db_password as done above.

Now leave db_password blank and then save the file.

Now browse to the web application through the URL localhost/bwapp/install.php.

As shown in the image a web page will open for installation; now click on the given link "click here to install bWAPP". After that, your bwapp will be installed successfully and will be ready for penetration testing.

Now use the default username and password, bee and bug, to log into bwapp and start your practice.

SQLI

SQLI labs let you test error-based, blind boolean-based and time-based SQL injection.

Download SQLI dhakkan inside the html directory and then unzip it.

Copy all files and folders of sqli-labs-master into sqli using the following command.

Now open the web application in the browser using the URL localhost/sqli and click on "Setup/reset Database for labs".

This will create the database setup for the lab, after which it will be ready for SQL injection penetration testing. This lab is designed mainly for SQL injection attacks; each lesson has a different SQL error.

OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for the web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.

Download Mutillidae using the following command.

Move the files and folders of Mutillidae from inside the download directory into /var/www/html by typing the following command.

This web application does not require extra configuration settings; you can directly open it in the browser using the URL localhost/mutillidae.

Now use your pentest skills to exploit its vulnerabilities.


Fuzzing SQL,XSS and Command Injection using Burp Suite

From Portswigger

Hello friends!! Today we are going to perform fuzz testing on the bWAPP application using Burp Suite Intruder, because performing this testing manually is time-consuming and may be a boring process for any pentester.

Fuzzing plays a vital role in software testing; it is a technique used for finding bugs, errors, faults and loopholes by injecting a set of partially arbitrary inputs, called fuzz, into the program or application under test. Fuzzer tools take structured input in a file format to differentiate between valid and invalid inputs. A fuzzer tool is good at identifying vulnerabilities like SQL injection, buffer overflow, XSS and OS command injection.

Let’s start!!

Fuzzing XSS

Start Burp Suite in order to intercept the request and then send the intercepted data to Intruder.

Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters and analyzing the application’s responses for error messages and other anomalies.

Consider the following settings:

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: test (user input for the first name)

Attack type: Sniper (for one payload)

A set of payloads will be placed into the payload positions during the attack. Choose the Payloads option to configure your simple list of payloads for the attack. Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings.

Burp Suite Intruder contains fuzzing strings for testing XSS injection, therefore choose Fuzzing - XSS and click on the Add tab to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

It will start the attack by sending requests which contain the fuzz strings to test for an XSS vulnerability in the target application. Now from the given list of applied strings select the payload which produced the largest response length, as shown in the given image; we have selected request 1, having a length equal to 13926.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Bravo!! The fuzzing test is completed and it found that the application has a bug which leads to an XSS vulnerability. From the screenshot, you can see it is showing an XSS alert prompt.

Fuzzing OS command injection

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload)

Burp Suite Intruder contains fuzzing strings which will test for OS command injection, therefore choose Fuzzing - full and click on the Add tab to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

It will start the attack by sending requests which contain the fuzz strings to test for an OS command injection vulnerability in the target application. Now from the given list of applied strings select the payload which produced the largest response length, as shown in the given image; we have selected request 34, having a length equal to 13343.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Great Job!! The fuzzing test is completed and it found that the application has a bug which leads to an OS command injection vulnerability. From the screenshot, you can see the application is showing ID output as requested by the selected payload.

Fuzzing SQL

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions. It is much like a brute force attack.

Payload position: 1:1 (user input for login:password)

Attack type: Cluster bomb (for two payloads)

Burp Suite Intruder contains fuzzing strings which will test for SQL injection, therefore choose Fuzzing - SQL injection for the first payload position and click on the Add tab to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

Similarly, repeat the same process to set the payload option for the second payload position.

It will start the attack by sending requests which contain the fuzz strings to test for a SQL injection vulnerability in the target application. Now from the given list of applied strings select the payload which produced the largest response length, as shown in the given image; we have selected request 168, having a length equal to 13648.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Wonderful!! The fuzzing test is completed and it found that the application has a bug which leads to a SQL injection vulnerability. From the screenshot, you can see we had logged into Neo's account without valid input; this happens only because of the selected payload.
