The idea of this series, is to use Nikto to learn about common vulnerabilities in web services. Once those vulnerabilities are identified, we will then attempt to exploit them where possible. As I work in a SOC, we have to be prepared to detect. As a result, we will analyze logs, packets (Tshark), IDS (Suricata) and Zeek data. This is all in the spirit of hack and detect.
We will attempt to learn some of the different evasion techniques used by Nikto throughout this series, as we go through the 10 different "Tuning" strategies.
The web server I will be targeting is Dam Vulnerable Web App (DVWA).
In this first post within this series, we will leverage Nikto to find "interesting files" on the web server.
Hack "Interesting File / Seen in logs"
Let's assume we did reconnaissance on the host and identified that port 80 is opened and offering web service. With that knowledge, lets' see if what we can learn about interesting files on the system.
First run Nikto without any type of evasions.
┌──(kali㉿securitynik)-[~/nikto_stuff] └─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json \
-o /tmp/nikto.json -nossl -no404 -Tuning 1 - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 10.0.0.106 + Target Hostname: 10.0.0.106 + Target Port: 80 + Start Time: 2023-05-11 16:08:10 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 ... + /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing + /img/: Directory indexing found. + /img/: This might be interesting. ... + 2596 requests: 0 error(s) and 8 item(s) reported on remote host + End Time: 2023-05-11 16:08:16 (GMT-4) (6 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | cut --fields 1 --delimiter=' ' | uniq --count 2596 10.0.0.107
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | grep nikto 10.0.0.107 - - [11/May/2023:16:07:39 -0400] "PUT /nikto-test-Bqe4RxLj.html HTTP/1.1" 405 321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | grep "10.0.0.107" | cut --field 6 --delimiter='"' | \
sort | uniq --count | sort --numeric-sort --reverse 2408 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 123 () { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo;
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | grep "10.0.0.107" | cut --field 2 --delimiter=']' | \
cut --fields 1 --delimiter='/' | sort | uniq --count | sort --numeric-sort --reverse 2586 "GET 2 "TRACK 1 "UVMGSHXG 1 "TRACE 1 "PUT 1 "PROPFIND 1 "OPTIONS * HTTP 1 "OPTIONS 1 "GET . HTTP 1 "DEBUG
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | grep "10.0.0.107" | cut --field 2 --delimiter=']'| \
cut --fields=3 --delimiter='"' | cut --fields=2 --delimiter=' ' | sort | \
uniq --count | sort --numeric-sort --reverse 2496 404 51 21 302 13 ./.\\\ 5 400 4 403 4 200 1 417 1 405
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat access.log | grep "10.0.0.107" | grep --perl-regexp '\s+200?\s+' | \
awk --field-separator='Mozilla' '{ print $1 }' 10.0.0.107 - - [11/May/2023:16:07:40 -0400] "GET /favicon.ico HTTP/1.1" 200 30894 "-" " 10.0.0.107 - - [11/May/2023:16:07:41 -0400] "OPTIONS * HTTP/1.1" 200 - "-" " 10.0.0.107 - - [11/May/2023:16:07:41 -0400] "TRACE / HTTP/1.0" 200 192 "-" " 10.0.0.107 - - [11/May/2023:16:07:42 -0400] "GET /img/ HTTP/1.1" 200 1214 "-" "
┌──(kali㉿securitynik)-[~/nikto_stuff] └─$ tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0 Capturing on 'eth0' ** (tshark:395047) 16:07:08.756192 [Main MESSAGE] -- Capture started. ** (tshark:395047) 16:07:08.756254 [Main MESSAGE] -- File: "tuning_1.pcap" 5808 ^C
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -q -z io,phs =================================================================== Protocol Hierarchy Statistics Filter: eth frames:5808 bytes:2283533 ip frames:5808 bytes:2283533 tcp frames:5808 bytes:2283533 http frames:5189 bytes:2214997 data-text-lines frames:2574 bytes:1523618 urlencoded-form frames:1 bytes:358 media frames:1 bytes:603 tcp.segments frames:1 bytes:603 tcp.segments frames:1 bytes:60 http frames:1 bytes:60 message-http frames:1 bytes:60 ===================================================================
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -q -z conv,ip ================================================================================ IPv4 Conversations Filter:<No Filter> | <- | | -> | | Total | Relative | Duration | | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | | 10.0.0.107 <-> 10.0.0.106 2869 1,578 kB 2939 704 kB 5808 2,283 kB 0.000000000 6.6385 ================================================================================
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -q -z conv,tcp | more ================================================================================ TCP Conversations Filter:<No Filter> | <- | | -> | | Total | Relative | Duration | | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | | 10.0.0.107:37652 <-> 10.0.0.106:80 104 59 kB 106 27 kB 210 86 kB 1.456681410 0.2623 10.0.0.107:38216 <-> 10.0.0.106:80 104 59 kB 106 26 kB 210 86 kB 4.558459670 0.4762 10.0.0.107:37538 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.000000000 0.2090 10.0.0.107:37550 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.209464854 0.2453 10.0.0.107:37554 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.454103547 0.163 ....
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -q -z conv,tcp | sed '1,5d;$d;/^$/d' | \
wc --lines 84
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -T fields -e tcp.stream | sort | \
uniq --count | sort --numeric-sort --reverse | wc --lines 84
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -T fields -e tcp.len -e tcp.stream | \
sort --numeric-sort --key=1 --reverse | more 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1460 4 1443 13 742 6 660 81 607 0 ...
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]
└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp '^HTTP/1.1' | sort | uniq --count | sort --numeric-sort --reverse
80 HTTP/1.1 404 Not Found
4 HTTP/1.1 302 Found
1 HTTP/1.1 400 Bad Request
1 HTTP/1.1 200 OK
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]
└─$ tshark -n -r tuning_1.pcap -Y 'http.response.code == 200'
967 0.944983715 10.0.0.106 → 10.0.0.107 HTTP 603 HTTP/1.1 200 OK (image/x-icon)
1363 1.441673139 10.0.0.106 → 10.0.0.107 HTTP 241 HTTP/1.1 200 OK
1381 1.450651187 10.0.0.106 → 10.0.0.107 HTTP 60 HTTP/1.1 200 OK (message/http)
1951 2.310611664 10.0.0.106 → 10.0.0.107 HTTP 1497 HTTP/1.1 200 OK (text/html)
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ tshark -n -r tuning_1.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y ip.src ip.dst tcp.srcport tcp.stream 10.0.0.106 10.0.0.107 80 4 10.0.0.106 10.0.0.107 80 8 10.0.0.106 10.0.0.107 80 9 10.0.0.106 10.0.0.107 80 13
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]
└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp '200 OK' --after-context=5 --before-context=7
OPTIONS * HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106
187
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 20:07:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]
└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,13 | \
grep --perl-regexp '200 OK' --after-context=5 --before-context=7
GET /img/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106
1443
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 20:07:42 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 1214
Keep-Alive: timeout=5, max=35
Connection: Keep-Alive
┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff] └─$ sudo zeek --iface any --no-checksums
┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff] └─$ ls conn.log dhcp.log dns.log files.log http.log packet_filter.log reporter.log weird.log
┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff] └─$ cat http.log | grep --perl-regexp '\s+200\s+' | awk --field-separator=' ' '{ print $1" " $3":"$4 " " $5":"$6 " " $8 " " $9 " " $10 }' 1683835691.086935 10.0.0.107:37570 10.0.0.106:80 GET 10.0.0.106 /favicon.ico 1683835691.585128 10.0.0.107:37616 10.0.0.106:80 OPTIONS 10.0.0.106 * 1683835691.592865 10.0.0.107:37630 10.0.0.106:80 TRACE - / 1683835692.447548 10.0.0.107:37658 10.0.0.106:80 GET 10.0.0.106 /img/
┌──(kali㉿securitynik)-[/var/log/suricata] └─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | wc --lines 65
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | \
sort --unique | wc --lines 18
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | sort | uniq --count | sort --numeric-sort --reverse 38 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] 5 [**] [1:2101201:11] GPL WEB_SERVER 403 Forbidden [**] 3 [**] [1:2101877:11] GPL WEB_SERVER printenv access [**] 3 [**] [1:2100977:15] GPL EXPLOIT .cnf access [**] 2 [**] [1:2019904:5] ET EXPLOIT QNAP Shellshock CVE-2014-6271 [**] 2 [**] [1:2009485:7] ET WEB_SERVER /etc/shadow Detected in URI [**] 1 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] 1 [**] [1:2221028:1] SURICATA HTTP Host header invalid [**] 1 [**] [1:2102073:7] GPL WEB_SERVER globals.pl access [**] 1 [**] [1:2101402:9] GPL EXPLOIT iissamples access [**] 1 [**] [1:2101401:11] GPL EXPLOIT /msadc/samples/ access [**] 1 [**] [1:2101013:12] GPL EXPLOIT fpcount access [**] 1 [**] [1:2100952:10] GPL WEB_SERVER author.exe access [**] 1 [**] [1:2044504:1] ET INFO Request for Visual Studio Code sftp.json - Possible Information Leak [**] 1 [**] [1:2034253:2] ET SCAN FTPSync Settings Disclosure Attempt [**] 1 [**] [1:2015940:4] ET SCAN SFTP/FTP Password Exposure via sftp-config.json [**] 1 [**] [1:2010766:12] ET POLICY Proxy TRACE Request - inbound [**] 1 [**] [1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [**]
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp '\[Priority.*?\]' --only-matching | \
sort | uniq --count 43 [Priority: 1] 20 [Priority: 2] 2 [Priority: 3]
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp '\[Classification.*?\]' --only-matching | \
sort | uniq --count | sort --numeric-sort --reverse 40 [Classification: Attempted Administrator Privilege Gain] 9 [Classification: Attempted Information Leak] 9 [Classification: access to a potentially vulnerable web application] 3 [Classification: Web Application Attack] 2 [Classification: Potentially Bad Traffic] 2 [Classification: Generic Protocol Command Decode]
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat fast.log.1 | grep --perl-regexp 'Attempted Administrator Privilege Gain' | cut --fields=3- --delimiter=' ' |sort | uniq --count | sort --numeric-sort --reverse 26 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80 12 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37616 -> 10.0.0.106:80 2 [**] [1:2019904:5] ET EXPLOIT QNAP Shellshock CVE-2014-6271 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80
┌──(kali㉿securitynik)-[~/nikto_stuff] └─$ cat /var/lib/suricata/rules/suricata.rules | grep "2022028" alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1] └─$ cat /var/log/suricata/alert-debug.log.1 | grep --ignore-case "img"
No comments:
Post a Comment