This post is part of a series on learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.
From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.
Other posts in this series:
Hack - Leveraging the information disclosure with the evasion technique Directory self-reference (/./)
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 3 -evasion 2
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Directory self-reference (/./)
+ Start Time:         2023-05-31 15:46:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
...
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
...
+ /%2e/ - Redirects (302) to http://10.0.0.106/dashboard/ , Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.
+ /?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
+ /index.php?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
...
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - Redirects (302) to http://10.0.0.106/dashboard/ , Abyss 1.03 reveals directory listing when multiple /'s are requested.
...
+ End Time:           2023-05-31 15:46:19 (GMT-4) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Detect - Log Analysis
Looking at the first 5 lines of the access.log file.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ head access.log --lines=5
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./webcgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi-914/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
As always, looking at the HTTP methods first. Why so much emphasis on the HTTP methods? Well, this is an HTTP-based attack, isn't it?!
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse
   1743 GET
      5 POST
      3 OPTIONS
      2 TRACK
      1 TRACE
      1 PUT
      1 PROPFIND
      1 INDEX
      1 GSHJQSVC
      1 get
      1 DEBUG
In the interest of time, let's focus on the response codes:
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 3 --delimiter '"' | cut -f 2 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse
   1665 404
     48 302
     24 403
     10 400
      6 503
      3 200
      1 HTTP/1.1
      1 417
      1 405
      1 >\\\
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | grep --perl-regexp '\s+200\s+'
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
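An added example, not code from the original post: it does in one pass what the cut/sort/uniq pipelines above do, and additionally collapses the /./ self-reference so the evaded paths fall back to what Nikto is really probing. The log lines inside it are constructed, modelled on the access.log excerpt, with a shortened User-Agent.

```python
import re
from collections import Counter

# Apache combined access.log layout, as in the excerpts above.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\S+) ')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "TRACE", "CONNECT", "PATCH", "PROPFIND"}

def normalize_path(path):
    """Collapse the /./ self-reference and doubled slashes so that
    /./cgi.cgi/./ compares equal to /cgi.cgi/ ('*' from OPTIONS is kept)."""
    if not path.startswith("/"):
        return path
    path, sep, query = path.partition("?")
    segs = [s for s in path.split("/") if s not in ("", ".")]
    norm = "/" + "/".join(segs)
    if segs and path.endswith("/"):
        norm += "/"
    return norm + sep + query

def analyze(lines):
    """Tally methods/status codes and flag /./ evasion, odd methods, TRACE/TRACK."""
    r = {"methods": Counter(), "statuses": Counter(), "targets": Counter(),
         "self_ref": 0, "trace_like": 0, "odd_methods": set()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed request lines are skipped
        method, path, status = m.groups()
        r["methods"][method] += 1
        r["statuses"][status] += 1
        r["targets"][normalize_path(path)] += 1
        r["self_ref"] += "/./" in path    # marker of the -evasion 2 encoding
        r["trace_like"] += method in ("TRACE", "TRACK")
        if method not in KNOWN_METHODS:   # e.g. GSHJQSVC or lowercase get
            r["odd_methods"].add(method)
    r["odd_methods"] = sorted(r["odd_methods"])
    return r

# Constructed sample lines modelled on the access.log above (UA shortened).
UA = '"-" "Mozilla/5.0 (Nikto sample)"'
SAMPLE = [
    '10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:46 -0400] "GSHJQSVC /./ HTTP/1.1" 501 - ' + UA,
    '10.0.0.108 - - [31/May/2023:15:45:46 -0400] "get /./ HTTP/1.1" 400 - ' + UA,
]
```

Run `analyze(open("access.log"))` against the real file; the `targets` counter is the one that shows which paths Nikto hit once the /./ noise is stripped.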
Detect - Packet Analysis
Looking at the packets where the response code is 200.
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y
ip.src      ip.dst      tcp.srcport  tcp.stream
10.0.0.106  10.0.0.108  80           4
10.0.0.106  10.0.0.108  80           8
10.0.0.106  10.0.0.108  80           9
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=11
GET /./favicon.ico HTTP/1.1
Connection: Keep-Alive
Host: 10.0.0.106
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
1460
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive
Content-Type: image/x-icon
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=7
OPTIONS * HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106
187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,9 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=5
TRACE /./ HTTP/1.0
Trace-Test: Nikto
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
354
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Connection: close
Content-Type: message/http
Detect - Zeek
┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ grep --perl-regexp '\s+200\s+' http.log
1685562364.123858 CQL8E11QNWY25b3JN8 10.0.0.108 42706 10.0.0.106 80 53 GET 10.0.0.106 /./favicon.ico - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 30894 200 OK - - (empty) - - - - - - F4aCd4167hfNQFAJac - image/x-icon
1685562364.456930 CTvaTF2T3PeQ14SQBj 10.0.0.108 59226 10.0.0.106 80 24 OPTIONS 10.0.0.106 * - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 0 200 OK - - (empty) - - - - - - - - -
1685562364.473468 CD9XXK1A6PKuRKepl3 10.0.0.108 59240 10.0.0.106 80 1 TRACE - /./ - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 194 200 OK - - (empty) - - - - - - - - -
Detect - Suricata
┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all
How many unique alerts were generated for this activity?
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
42
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     32 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt
     27 1:2101201:11] GPL WEB_SERVER 403 Forbidden
     18 1:2101071:8] GPL WEB_SERVER .htpasswd access
     16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY.
     13 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat alert-debug.log | grep xxe --before-context=42 | more
+================
TIME:              05/31/2023-15:46:18.795363
PKT SRC:           wire/pcap
SRC IP:            10.0.0.108
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          56368
DST PORT:          80
TCP SEQ:           2333024969
TCP ACK:           3679706670
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     05/31/2023-15:46:18.675078
FLOW PKTS TODST:   62
FLOW PKTS TOSRC:   59
FLOW Total Bytes:  51064
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        995
PACKET:
0000  08 00 27 88 B8 34 08 00 27 DB 96 6A 08 00 45 00  ..'..4.. '..j..E.
0010  03 D5 0F A3 40 00 40 06 12 AB 0A 00 00 6C 0A 00  ....@.@. .....l..
0020  00 6A DC 30 00 50 8B 0F 22 C9 DB 53 DE 2E 50 18  .j.0.P.. "..S..P.
0030  01 F5 18 9D 00 00 47 45 54 20 2F 2E 2F 66 6C 65  ......GE T /./fle
0040  78 32 67 61 74 65 77 61 79 2F 2E 2F 20 48 54 54  x2gatewa y/./ HTT
0050  50 2F 31 2E 31 0D 0A 63 6F 6E 74 65 6E 74 2D 6C  P/1.1..c ontent-l
0060  65 6E 67 74 68 3A 20 37 31 34 0D 0A 43 6F 6E 6E  ength: 7 14..Conn
0070  65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection:  Keep-Ali
0080  76 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  ve..User -Agent:
0090  4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E  Mozilla/ 5.0 (Win
00A0  64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69  dows NT  10.0; Wi
00B0  6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57  n64; x64 ) AppleW
00C0  65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48  ebKit/53 7.36 (KH
00D0  54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29  TML, lik e Gecko)
00E0  20 43 68 72 6F 6D 65 2F 37 34 2E 30 2E 33 37 32   Chrome/ 74.0.372
00F0  39 2E 31 36 39 20 53 61 66 61 72 69 2F 35 33 37  9.169 Sa fari/537
0100  2E 33 36 0D 0A 68 6F 73 74 3A 20 31 30 2E 30 2E  .36..hos t: 10.0.
0110  30 2E 31 30 36 0D 0A 0D 0A 3C 3F 78 6D 6C 20 76  0.106... .<?xml v
0120  65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E 63  ersion=" 1.0" enc
0130  6F 64 69 6E 67 3D 22 75 74 66 2D 38 22 3F 3E 3C  oding="u tf-8"?><
0140  21 44 4F 43 54 59 50 45 20 74 65 73 74 20 5B 20  !DOCTYPE  test [
0150  3C 21 45 4E 54 49 54 59 20 78 78 65 20 53 59 53  <!ENTITY  xxe SYS
0160  54 45 4D 20 22 2F 65 74 63 2F 70 61 73 73 77 64  TEM "/et c/passwd
0170  22 3E 20 5D 3E 3C 61 6D 66 78 20 76 65 72 3D 22  "> ]><am fx ver="
0180  33 22 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F  3" xmlns ="http:/
0190  2F 77 77 77 2E 6D 61 63 72 6F 6D 65 64 69 61 2E  /www.mac romedia.