Testing Exploitation of Apache2

AlphaObeisance

Active Member
Joined
Nov 7, 2022
Messages
207
Reaction score
167
Credits
2,814
I decided to start my own thread so not to hijack the OP's thread. I read the following on this post and it got me thinking.

I can't bring this to them without being able to prove it. I would need the working exploit and a proof of concept video or something. Otherwise they aren't likely to give me the time of day.

Signed,

Matthew Campbell

This sounds completely out of my pay grade, but I'm curious. Would utilizing a home lab environment to demonstrate the attack in real time be sufficient? I don't know the first thing about the inner workings of Security IT so you'll have to forgive my ignorance and accept I'm just a curious mind.

I'd imagine that's how exploits get tested is through labs. If what @Trenix25 is true could a guy just test the exploit within a controlled environment and OBS the process to show that it can be done?

Idk maybe this is a stupid (more likely obvious) inquiry but the linked thread really got me to thinking and I enjoyed the read.

I've never really put much mind into learning networking/security (beyond typical router stuff), so I figure maybe it's time I piddle around and learn how to actually do things properly.

Anyway,I thought the linked post is a good read.
 


Would utilizing a home lab environment to demonstrate the attack in real time be sufficient?
You don't need home lab to simulate an attack, all that you need is either another computer or VM, either on same subnet or separate subnet that will serve as attacker's machine from where you'll attempt to exploit your web server.
That attacker's machine should have Kali-Linux installed to simplify the process.

As a safety precaution while you do so your server should not be accessible over the internet to rule out someone taking advantage of it due you exploiting your server.

One approach is to use ready to use exploits, which one exactly you'd use depends on existing vulnerabilities on your web server, therefore first step is to learn known vulnerabilities (CVE's) on your server.
By "server" here I mean Apache server not your web site code.

Tools exist that help list CVE's, on Debian the tool is called debsecan but since you're using Arch they might have their own tool.
If you can't find such tool then you'll need to browse CVE database somewhere online to list known CVE's for your currently running Apache version.

Once you know the holes next step is to boot up your attack machine and use metasploit framework which contains numerous exploits already written, it will take some time to learn how to use it effectively, but your job boils down to launching exploits vs vulnerabilities that you know they exist from what's said beforehand.

Further method if previous one proves to be ineffective (ex. no attack succeeded) is to write exploits yourself, I assume you won't know how to do this so I'll only share abstract concepts:

  • Clone apache server source code
  • Use various analysis tools to detect programmer mistakes in code (ex. flawfinder, rats, splint, psscan etc.)
  • Otherwise also use your own skills to study the code to spot programmer errors
  • If an error or mistake is found write an exploit suitable to be used by metasploit framework to exploit that mistake

Further method is testing your own web server code...
I have no exact clues how this could be done but I assume you'd be looking for exploits that target server side code or libraries.
So the principle is likely the same except you'd be targeting server side site code instead of server itself.

If you're specifically interested in testing your own server side code, I'd also suggest to run static analysis tools on your code and fix any warnings reported. (which one depends on what server side code do you use on server)
Often such warnings point to your programming errors that could easily be exploited.

All this is only about your web server, if you however run other services on your home lab then those services need to be tested as well using the same principle, because an attacker may compromise whole system by exploiting only one service.

edit:
You might also want to simulate DDoS against your server:


Bash:
# Launch attack in one terminal
sudo hping3 --rawip --syn --ipproto 6 --flood 10.10.10.10 --destport 80

# Measure PPS in another terminal
vnstat -i eth0 -tr

The first command above is launched from your attacker's machine where 10.10.10.10 is your server address and --destport is your server port.

The second command can be used on same machine whose only purpose is to measure how many packets are sent, this is usually limited by your link local bandwidth (which is likely larger than your ISP bandwidth).
If you local bandwidth is lower than your ISP bandwidth then the only limitation is that of how fast can hping3 send packets.

According to my past tests that was:
Bash:
# hping3 statistics:
# TCP: 76,97 Mbit/s        178154 packets/s (2314 packets/1Mbit)
# UDP: 56,23 Mbit/s        167360 packets/s (2976 packets/1Mbit)
# ICMP: 58,82 Mbit/s    175058 packets/s (9276 packets/1Mbit)

But I don't recall whether limited by my hardware or hping3, so you might also want to set up multiple attack machines for the purpose.

While the attack is running you'll normally want to attempt to visit your server from your phone so that it's over the internet and not over LAN which is now hopefully under burden enough for server to fail to serve.

To prevent DDoS you'll want to play with nftables although that's not the ultimate defense but it's better than none.

Note that with the help of hping3 you can send malware to your server, therefore you can also simulate such scenario in combination with DDoS simulation.

Hackers sometimes launch DDoS not to deny service (as it is popular and false belief) but to exploit the machine during the attack by launching exploits in same time or sending their malware to server.

---

You'll also want use nmap from attacker's machine to be able to determine what hackers can learn about your server, and then accordingly set up nftables so that minimum information can be gathered.
This includes attempting and preventing port scanning in addition to OS and server name and version detection.
 
Last edited:
Thank you for taking the time to write all that out @CaffeineAddict ! I'ma give it a solid study over coffee as I wake up here.

You don't need home lab to simulate an attack, all that you need is either another computer or VM, either on same subnet or separate subnet that will serve as attacker's machine from where you'll attempt to exploit your web server.
That attacker's machine should have Kali-Linux installed to simplify the process.

No worries man. I wouldn't ever use my personal rig even for testing lol. Thankfully I have a rack in my basement exclusively used for experimentation and trying to learn the ins and outs of Linux. I use Proxmox and host it on an old Dell Server. This gives me access to ample resources and any operating system I can get my hands on. Arch is just my PC's primary distro but I use pretty much everything =)

I've got a "Sandbox" pool set up on the hypervisor specifically for just playing around with different operating systems and distros, tools and gadgets n what nots. So safe environment to play around with this should I be competent enough to do so.

I've got Kali, Parrot, and I used to dabble with Arch Strike but if I recall that hasn't been updated in a few years. Either way the distro is irrelevant at this point as the bundled toolkits are what I would need. (Keep in mind OpSec is above my paygrade at this time so this is 100% experimental just for funzies. And if by some miracle I figure out how to do it, I could record it and share it with whoever is competent enough to get it to the right people to be patched. I know there are more skilled individuals out there for this kind of thing, but time is money and right now I have more time than money, so why not lol.


You'll also want use nmap from attacker's machine to be able to determine what hackers can learn about your server, and then accordingly set up nftables so that minimum information can be gathered.
This includes attempting and preventing port scanning in addition to OS and server name and version detection.

I'm still digesting the full gravity of your post over coffee here, trying to set up an offensive pool on the hypervisor and a target pool for testing. Then I'll try to follow along in real time as I read your post and with any luck figure some of it out. I'll be sure to post progress if I manage to be even remotely successful lol.

That said, your mention of nmap reminded me of a script I wrote a while back in python (make no mistake, I'm no programmer). I spent about a week talking with my self hosted AI LLM about how to essentially scrape my network for any data I could about any device/port/ip/mac/ you name it I could regarding any device connected to my network. The LLM gave me the basis and I just reverse engineered it to function the way I wanted it too.

Essentially I can plant the script on the target and run my nmap script which creates a database to input it's findings in regard to each device discovered. Once it's done it exports the data into markdown format giving me a relatively easy to read report, more of an "inventory" of everything found and on which devices it was found on. Idk if it's the proper way to use nmap but I was pretty happy to have at least figured out how to know exactly what is on my network.

Point being, I got a bit excited because your mention of nmap made me think it might be an opportunity to use the script in a real world(ish) test lol. More of a real world scenario than a real world test lol

I'm going to keep trying to set up an environment for this. Pretty excited as I need a change of pace and honestly I'd love to learn something new!
 
Last edited:

Members online


Top