Tuesday, December 12, 2023

Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)

This post is part of a series on learning more about Nikto and web application scanning, from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.

Other posts in this series:

Hack - Leveraging the information disclosure with evasion technique Directory self-reference (/./)

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 3 -evasion 2
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Directory self-reference (/./)
+ Start Time:         2023-05-31 15:46:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
...
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
...
+ /%2e/ - Redirects (302) to http://10.0.0.106/dashboard/ , Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.
+ /?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
+ /index.php?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
...
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - Redirects (302) to http://10.0.0.106/dashboard/ , Abyss 1.03 reveals directory listing when multiple /'s are requested.
...
+ End Time:           2023-05-31 15:46:19 (GMT-4) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Detect - Log Analysis

Looking at the first 5 lines of the access.log file.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ head access.log --lines=5
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./webcgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi-914/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

As always, looking at the HTTP methods. Why so much emphasis on the HTTP methods? Well, this is an HTTP-based attack, isn't it?!

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse    
   1743 GET
      5 POST
      3 OPTIONS
      2 TRACK
      1 TRACE
      1 PUT
      1 PROPFIND
      1 INDEX
      1 GSHJQSVC
      1 get
      1 DEBUG

In the interest of time, let's focus on the response codes:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 3 --delimiter '"' | cut -f 2 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse                                                                                   
   1665 404
     48 302
     24 403
     10 400
      6 503
      3 200
      1 HTTP/1.1
      1 417
      1 405
      1 >\\\

Focusing only on the three 200 codes:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | grep --perl-regexp '\s+200\s+'
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Nothing pressing above. Transitioning to packet analysis.
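As an added example (not from the original post), here is a small Python parser for the access.log format above that flags the "/./" self-reference Nikto's evasion 2 inserts, shows the path the server actually routes after collapsing the "." segments (which is why the raw request line, not a normalized one, is where this evasion is visible), and also surfaces the odd methods such as GSHJQSVC and lowercase get from the method count above. The sample lines are constructed, modeled on the excerpt, and the percent-decoding step also catches the /%2e/ form seen in the Nikto output.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format, matching the access.log lines shown above.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Methods a browser or WebDAV client would legitimately send; anything else (GSHJQSVC, lowercase get) is flagged.
KNOWN_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "PATCH", "TRACE", "PROPFIND"}
SELF_REF = re.compile(r'(^|/)\.(/|$)')  # a lone "." segment ("/./", leading "./", trailing "/."); not "/.htpasswd"

def normalize_path(path):
    """Percent-decode, then drop "." segments the way the server does before routing the request."""
    path, sep, query = unquote(path).partition("?")
    return ("/".join(s for s in path.split("/") if s != ".") or "/") + sep + query

def analyze(lines):
    """Return (findings, method counts, status counts) for a list of access.log lines."""
    findings, methods, statuses = [], Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # malformed request lines (Nikto sends a few) break the field layout; keep them visible
            findings.append({"raw": line, "reason": "unparseable"})
            continue
        method, path, status = m["method"], m["path"], m["status"]
        methods[method] += 1
        statuses[status] += 1
        reasons = []
        if SELF_REF.search(unquote(path)):
            reasons.append("self-reference /./ in path")
        if method not in KNOWN_METHODS:
            reasons.append("unusual method " + method)
        if reasons:
            findings.append({"src": m["src"], "method": method, "path": path,
                             "normalized": normalize_path(path), "status": status, "reasons": reasons})
    return findings, methods, statuses

SAMPLE_LOG = [  # constructed lines modeled on the access.log excerpt above; not the author's data
    '10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /%2e/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GSHJQSVC /./ HTTP/1.1" 400 - "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '10.0.0.50 - - [31/May/2023:15:50:01 -0400] "GET /dashboard/ HTTP/1.1" 200 7550 "-" "Mozilla/5.0"',
    '10.0.0.108 - - [31/May/2023:15:45:46 -0400] "\\x16\\x03\\x01" 400 - "-" "-"',
]
```

Running analyze(SAMPLE_LOG) yields six findings: five requests carrying the self-reference (one of them also for the bogus method) plus the malformed line, while the plain OPTIONS * and /dashboard/ requests pass; on a real access.log, pass the file's lines in and sort the findings by source address.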

Detect - Packet Analysis

Looking at the packets where the response code is 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y
ip.src  ip.dst  tcp.srcport     tcp.stream
10.0.0.106      10.0.0.108      80      4
10.0.0.106      10.0.0.108      80      8
10.0.0.106      10.0.0.108      80      9

Following stream 4, we see the favicon.ico file was requested and returned successfully. We also see the size of the .ico file was 30894 bytes.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=11
GET /./favicon.ico HTTP/1.1
Connection: Keep-Alive
Host: 10.0.0.106
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36


        1460
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive
Content-Type: image/x-icon

What is in stream 8?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=7
OPTIONS * HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106


        187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive

Wrapping this up with stream 9.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,9 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=5
TRACE /./ HTTP/1.0
Trace-Test: Nikto
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive


        354
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Connection: close
Content-Type: message/http

Nothing of much interest in these logs so far.

Detect - Zeek Analysis

Set up Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Once again, focusing only on the requests which were successful.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ grep --perl-regexp '\s+200\s+' http.log                                                                                                                                                                   
1685562364.123858       CQL8E11QNWY25b3JN8      10.0.0.108      42706   10.0.0.106      80      53      GET     10.0.0.106      /./favicon.ico  -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       30894   200     OK      -       -       (empty) -       -       -       -       -       -       F4aCd4167hfNQFAJac   -image/x-icon
1685562364.456930       CTvaTF2T3PeQ14SQBj      10.0.0.108      59226   10.0.0.106      80      24      OPTIONS 10.0.0.106      *       -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       0       200     OK      -       -       (empty) -       -       -       -       -       -       -       -       -
1685562364.473468       CD9XXK1A6PKuRKepl3      10.0.0.108      59240   10.0.0.106      80      1       TRACE   -       /./     -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       194     200     OK      -       -       (empty) -       -       -       -       -       -       -       -       -

No need to dig deeper at this time.

Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all

How many unique alerts were generated for this activity?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
42

What do the top 5 alerts look like?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     32 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     27 1:2101201:11] GPL WEB_SERVER 403 Forbidden 
     18 1:2101071:8] GPL WEB_SERVER .htpasswd access 
     16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. 
     13 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access 

We have seen some of those before. What is this one with "ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."? Peeking into it a bit.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat alert-debug.log | grep xxe --before-context=42 | more                                                                                                                                                 
+================
TIME:              05/31/2023-15:46:18.795363
PKT SRC:           wire/pcap
SRC IP:            10.0.0.108
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          56368
DST PORT:          80
TCP SEQ:           2333024969
TCP ACK:           3679706670
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     05/31/2023-15:46:18.675078
FLOW PKTS TODST:   62
FLOW PKTS TOSRC:   59
FLOW Total Bytes:  51064
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        995
PACKET:
 0000  08 00 27 88 B8 34 08 00  27 DB 96 6A 08 00 45 00   ..'..4.. '..j..E.
 0010  03 D5 0F A3 40 00 40 06  12 AB 0A 00 00 6C 0A 00   ....@.@. .....l..
 0020  00 6A DC 30 00 50 8B 0F  22 C9 DB 53 DE 2E 50 18   .j.0.P.. "..S..P.
 0030  01 F5 18 9D 00 00 47 45  54 20 2F 2E 2F 66 6C 65   ......GE T /./fle
 0040  78 32 67 61 74 65 77 61  79 2F 2E 2F 20 48 54 54   x2gatewa y/./ HTT
 0050  50 2F 31 2E 31 0D 0A 63  6F 6E 74 65 6E 74 2D 6C   P/1.1..c ontent-l
 0060  65 6E 67 74 68 3A 20 37  31 34 0D 0A 43 6F 6E 6E   ength: 7 14..Conn
 0070  65 63 74 69 6F 6E 3A 20  4B 65 65 70 2D 41 6C 69   ection:  Keep-Ali
 0080  76 65 0D 0A 55 73 65 72  2D 41 67 65 6E 74 3A 20   ve..User -Agent: 
 0090  4D 6F 7A 69 6C 6C 61 2F  35 2E 30 20 28 57 69 6E   Mozilla/ 5.0 (Win
 00A0  64 6F 77 73 20 4E 54 20  31 30 2E 30 3B 20 57 69   dows NT  10.0; Wi
 00B0  6E 36 34 3B 20 78 36 34  29 20 41 70 70 6C 65 57   n64; x64 ) AppleW
 00C0  65 62 4B 69 74 2F 35 33  37 2E 33 36 20 28 4B 48   ebKit/53 7.36 (KH
 00D0  54 4D 4C 2C 20 6C 69 6B  65 20 47 65 63 6B 6F 29   TML, lik e Gecko)
 00E0  20 43 68 72 6F 6D 65 2F  37 34 2E 30 2E 33 37 32    Chrome/ 74.0.372
 00F0  39 2E 31 36 39 20 53 61  66 61 72 69 2F 35 33 37   9.169 Sa fari/537
 0100  2E 33 36 0D 0A 68 6F 73  74 3A 20 31 30 2E 30 2E   .36..hos t: 10.0.
 0110  30 2E 31 30 36 0D 0A 0D  0A 3C 3F 78 6D 6C 20 76   0.106... .<?xml v
 0120  65 72 73 69 6F 6E 3D 22  31 2E 30 22 20 65 6E 63   ersion=" 1.0" enc
 0130  6F 64 69 6E 67 3D 22 75  74 66 2D 38 22 3F 3E 3C   oding="u tf-8"?><
 0140  21 44 4F 43 54 59 50 45  20 74 65 73 74 20 5B 20   !DOCTYPE  test [ 
 0150  3C 21 45 4E 54 49 54 59  20 78 78 65 20 53 59 53   <!ENTITY  xxe SYS
 0160  54 45 4D 20 22 2F 65 74  63 2F 70 61 73 73 77 64   TEM "/et c/passwd
 0170  22 3E 20 5D 3E 3C 61 6D  66 78 20 76 65 72 3D 22   "> ]><am fx ver="
 0180  33 22 20 78 6D 6C 6E 73  3D 22 68 74 74 70 3A 2F   3" xmlns ="http:/
 0190  2F 77 77 77 2E 6D 61 63  72 6F 6D 65 64 69 61 2E   /www.mac romedia.

Well that is enough peeking for now.
