
© Michael Sonntag 2012

Network investigation

Institute for Information Processing and Microprocessor Technology (FIM)

Johannes Kepler University Linz, Austria
E-Mail: [email protected]
http://www.fim.uni-linz.ac.at/staff/sonntag.htm

Mag. iur. Dr. techn. Michael Sonntag

Michael Sonntag, Vulnerability scanning (slide 2)

Source data

Requirements:

Administrative rights

» For installing software

Installed software (see CD)

Software:

Nmap

Wireshark

Nikto


Please note!

We are not going to attack anyone here!

We are trying to identify problems so that they can be fixed later

Permission is always required for vulnerability scanning

Which system(s)

At what time

What kinds of scans (destructive, …)

We will scan our own system here ONLY!


NMap

NMap (Network MAPper) is a network scanner

It tries to find all computers in a specific network and checks what ports are open, what OS they are running, whether there is a firewall, etc.

It does not look for specific vulnerabilities!

But it gives recommendations; e.g. services to disable

Some scans + vulnerable systems → lock-up/crash!

Used as a tool for inventory generation in a network

Are there any computers which should not be there?

Can also be used to gather information for a later attack

» Which OS/software and which version is running

Stages: 1 = Host discovery, 2 = Port scan, 3 = Service/version detection, 4 = OS detection, 5 = Scripting

Scripting may also include vulnerability/malware detection!


NMap

Usage:

Start program and enter IP address

Select profile for scanning

» Special options only available in the command line version or when constructing a new profile!

Your tasks:

Install NMap

Scan the local subnet for hosts

» Use a "Regular scan"

Scan the machine of your neighbour

» Use a “Quick scan plus"

Interpret the results

» Correct output?

» Something surprising/dangerous found?

Sample result: NMap local subnet scan (screenshot)

Sample result: NMap OS detection (screenshot)

Sample result: Scripting

Compare: Local time of target

OS / Domain information


Wireshark

Wireshark is a network sniffer

Available for Windows and Linux

It will make a “copy” of every incoming and outgoing packet and present it to you

This would not be that useful…

It also parses a lot of protocols

So not just a raw binary display (although that is available too!), but

layer 3 display (IP addresses, port numbers, …),

up to layer 5 (actual http content as text/binary file)

Practical problem: Network traffic is very large & frequent

Filtering is an absolute necessity or anything useful will get lost in a torrent of uninteresting traffic!


Wireshark: Common display filtering expressions (1)

Operators: == != < > <= >= && || ^^ !

[…] or […:…] or […-…]: Offset / Offset:Length / Offset-End

» Only possible as comparison, e.g. eth.src[0:3]==08:15:47!

Layer 1/2: frame.??? / eth.???, arp.???, ppp.???

Usually not very interesting

Layer 3: ip.???, ipv6.???, icmp.???, icmpv6.???

Examples ip.???: .src, .dst, .addr, .src_host, .dst_host, .host, .flags, .fragment, .len, .proto, .ttl

» ip.tos, ip.tos.cost, ip.tos.delay, ip.tos.precedence, ip.tos.reliability, ip.tos.throughput

Examples icmp.???: .code, .type, .mtu

Layer 4: tcp.???, udp.???

Examples tcp.???: .syn, .ack, .fin, .checksum, .flags, .len, .srcport, .dstport, .port, .time_delta, .window_size

Examples udp.???: .srcport, .dstport, .port, .length

See also: http://packetlife.net/library/cheat-sheets/
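To make the three slice forms concrete, here is an added example (not from the slides) that applies Wireshark-style byte slices to a constructed Ethernet frame; `eth_src`, `field_slice` and `matches` are names chosen for this example. It also handles negative offsets, which Wireshark accepts but the slide does not list.

```python
"""Byte-slice semantics of Wireshark display filters on a constructed
Ethernet frame (added example, not code from the original slides)."""
import re

# Constructed frame: dst MAC ff:ff:ff:ff:ff:ff, src MAC 08:15:47:11:ca:fe,
# EtherType 0x0800 (IPv4). Values are made up for this example.
FRAME = bytes.fromhex("ffffffffffff" "08154711cafe" "0800")

def eth_src(frame: bytes) -> bytes:
    """Source MAC: bytes 6..11 of the Ethernet header."""
    return frame[6:12]

def field_slice(field: bytes, spec: str) -> bytes:
    """Apply a Wireshark-style slice spec to a field value.
    [n]   -> the single byte at offset n
    [n:m] -> m bytes starting at offset n      (offset:length)
    [n-m] -> bytes from offset n to m inclusive (offset-end)
    Negative offsets count from the end of the field, as in Wireshark.
    The open-ended forms [:m] and [n:] are not handled here."""
    m = re.fullmatch(r"\[(-?\d+)(?:([:-])(-?\d+))?\]", spec)
    if not m:
        raise ValueError(f"bad slice spec {spec!r}")
    start = int(m.group(1))
    if start < 0:
        start += len(field)
    if m.group(2) is None:                 # [n]
        return field[start:start + 1]
    second = int(m.group(3))
    if m.group(2) == ":":                  # [n:m] = offset, length
        return field[start:start + second]
    if second < 0:                         # [n-m] = offset, end (inclusive)
        second += len(field)
    return field[start:second + 1]

def matches(field: bytes, spec: str, literal: str) -> bool:
    """Evaluate 'field[spec] == literal' with a colon-separated hex literal,
    which is the only way slices may be used in a display filter."""
    return field_slice(field, spec) == bytes.fromhex(literal.replace(":", ""))
```

Note the gotcha the slices hide: `[0:3]` yields three bytes, while `[0-3]` yields four, so `eth.src[0-3] == 08:15:47` can never match.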


Wireshark: Common display filtering expressions (2)

Layer 5: http, ospf, rip, …

Examples http.???

» .accept, .accept_encoding, .accept_language, .cookie, .date, .host, .last_modified, .location, .referer, .request, .request.method, .request.uri, .response, .response.code, .server, .set_cookie, .user_agent, .transfer_encoding

Attention: This means that packets have been received and are stored, but will not be shown in the graphical UI!

There is also the possibility of filtering-before-storing

These are “capture filters”, which use the syntax of libpcap (or tcpdump, which is the same)

» Example: ether host 08:15:47:11:CA:FE

– Display filter for the same: eth.addr == 08:15:47:11:CA:FE

» Note: Too many packets to store → some might be lost

» But: Capture filter dropped it → gone forever


Wireshark

Interface: Select where to listen

Capture filter: Throw away packets before handling/storing them

Capture file: How/where to store data; especially useful for keeping a history (e.g. last 60 minutes), timing, …

Display options: Personal preference

Name resolution: Be careful!

This might cause additional traffic!


Wireshark

Usage:

Start program and select interface to monitor

Investigate the content while the capture is running (difficult), or stop the capture and then start the evaluation (store to disk, …)

Your tasks:

Install Wireshark

» Might require reboot for the packet capturing library!

Start a scan of your local interface

» Note: Wireless can be difficult/require additional libraries!

Ping your neighbour & analyze the traffic

Navigate to a website & analyze the traffic

Log in to this website through a form (unencrypted)

» Analyze the traffic

Do the same as before, but now using a TLS connection!


Wireshark Ping (screenshots)


Wireshark HTTP - DNS

What's this? Investigate!

Note: Google Chrome used


Wireshark HTTP - Request

What are these? Investigate!


Wireshark HTTP - Response

Redirect

P3P Compact Policy: http://www.p3pwriter.com/LRN_111.asp


Wireshark HTTP - Stream

Keep-alive: Requested by browser and accepted by sender

Result: After the end of the first response, the next request and response follow immediately

Content-Encoding: gzip

The content would have to be saved as a binary file and then unzipped to access it (selecting & copying won't work!)

Response: Normal response headers, P3P information and lots of cookies!

7 cookies, but note: we didn’t send even a single one!

» Would have been in the request header

Careful: The second request in this stream already knows them and does send them in its request headers!
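The stream above, reconstructed as an added example (not the original capture): a constructed HTTP/1.1 keep-alive stream with two responses, the first gzip-encoded and carrying seven Set-Cookie headers. The parser splits the stream by Content-Length, decompresses the gzip body the way "save as binary, then unzip" does, and builds the Cookie header the browser will send on the next request. `build_stream`, `parse_responses` and `cookie_header_for_next_request` are names chosen for this example.

```python
"""Parse a constructed HTTP/1.1 keep-alive stream: gzip body plus cookies
(added example, not from the original slides)."""
import gzip

def build_stream(n_cookies: int = 7) -> bytes:
    """Constructed server-side bytes: response 1 (gzip, cookies), response 2."""
    body = gzip.compress(b"<html>Hello from gzip</html>")
    hdrs = [b"HTTP/1.1 200 OK", b"Connection: keep-alive",
            b"Content-Encoding: gzip", b"Content-Length: %d" % len(body)]
    hdrs += [b"Set-Cookie: c%d=v%d; Path=/" % (i, i) for i in range(n_cookies)]
    resp1 = b"\r\n".join(hdrs) + b"\r\n\r\n" + body
    body2 = b"second"
    resp2 = (b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n"
             b"Content-Length: %d\r\n\r\n" % len(body2)) + body2
    return resp1 + resp2            # both responses on one TCP connection

def parse_responses(stream: bytes) -> list:
    """Return [(status line, headers, decoded body), ...], one per response.
    Headers map lower-cased name -> list of values (Set-Cookie repeats)."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)       # end of header block
        lines = stream[pos:end].split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            k, v = line.split(b": ", 1)
            headers.setdefault(k.lower(), []).append(v)
        length = int(headers[b"content-length"][0])
        body = stream[end + 4:end + 4 + length]
        if headers.get(b"content-encoding") == [b"gzip"]:
            body = gzip.decompress(body)           # copy-paste as text would fail
        out.append((lines[0], headers, body))
        pos = end + 4 + length                     # next response starts here
    return out

def cookie_header_for_next_request(headers: dict) -> bytes:
    """Cookies set by a response come back in the client's next request."""
    pairs = [v.split(b";")[0] for v in headers.get(b"set-cookie", [])]
    return b"Cookie: " + b"; ".join(pairs) if pairs else b""
```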


Wireshark HTTP authentication

Use www.gmx.at:

You can select whether you want to authenticate securely over TLS through a toggle switch

» TLS: „Ohne SSL“ = “Without SSL” is shown (to deactivate this)

– Default value when arriving there and after each failed login!

» Unencrypted: „Mit SSL“=“With SSL” is shown (for activation of security)

» This is very confusing for users!


Wireshark HTTP authentication + TLS


Nikto

Nikto is a vulnerability scanner for web servers

Other vulnerability scanners exist, but today most of them are commercial, i.e. require a subscription

» For private/personal use often a free version exists

Example: Nessus. But it would require an individual subscription by each student, so we cannot use it here!

How do most of them work?

Building a database of known problems/vulnerabilities

» This is where most of the work is and what you pay for

Check the webserver against these

Nikto looks for

Server/software misconfiguration

Default files/programs (useless and often a security problem)

Insecure files and programs

Outdated servers and programs


Practical problems

Modern CMSs never return an error code; instead they send "200 OK" and produce a custom error page

This is good from the security point of view, but is difficult for vulnerability scanners!

These custom pages may also differ depending on the problem/requested file/…

Nikto tries to get around these problems by

Inspecting the return code

Content matching (e.g. "could not be found" on the page)

Hashes: Remove date and time strings (which always change!) from the response, create a hash and compare it with other responses

» This is done separately for each file type → a huge "library" must be built up for each server

Nikto will only check the server itself – not any applications

I.e., whether the server software itself is vulnerable!
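The three techniques above, as an added example (not Nikto's own code): a return-code check, a content match, and the hash of the response with date/time strings removed, compared against a baseline taken from a request for a file known to be missing. For brevity it keeps one baseline instead of one per file type; the responses, the dates in them and the names `normalize`, `fingerprint` and `classify` are constructed for this example.

```python
"""Recognising a custom '200 OK' error page the way the slide describes
(added example, not Nikto's code): status, content match, date-stripped hash."""
import hashlib
import re

# Date/time strings change on every response, so they must not feed the hash.
DATE_RE = re.compile(
    rb"\d{1,2}:\d{2}(:\d{2})?|\d{4}-\d{2}-\d{2}|"
    rb"(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} \w{3} \d{4}")

def normalize(body: bytes) -> bytes:
    """Strip the volatile date/time strings from a response body."""
    return DATE_RE.sub(b"", body)

def fingerprint(body: bytes) -> str:
    """Hash of the normalized body; equal for every copy of the error page."""
    return hashlib.sha256(normalize(body)).hexdigest()

def classify(status: int, body: bytes, baseline_fp: str) -> str:
    """'missing' if the response is the (custom) error page, else 'present'.
    baseline_fp is the fingerprint of a request for a known-missing file."""
    if status == 404:                                  # 1. return code
        return "missing"
    if b"could not be found" in body.lower():          # 2. content match
        return "missing"
    if fingerprint(body) == baseline_fp:               # 3. hash comparison
        return "missing"
    return "present"

# Constructed responses from a CMS that answers 200 for everything.
BASELINE = b"<html>Sorry, that page is not here. Generated 2012-05-24 10:15:03</html>"
PROBE_MISSING = b"<html>Sorry, that page is not here. Generated 2012-05-24 11:02:47</html>"
PROBE_REAL = b"<html><h1>Server status</h1>Uptime since Thu, 24 May 2012 09:00:00</html>"
```

Without the normalization step the two error pages hash differently because of the timestamp, and the probe would be reported as a real file: that is the false-positive mechanism the slide warns about.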


Nikto - Task

Nikto is pre-installed on the Linux Live-CD

Your task: Scan the local web server

This might take a very long time, so we will reduce the problems to be searched for

Command while running:

» <Space>: Show current status

» v: Verbose mode

» q: Terminate scan

Starting it:

perl nikto.pl -h 127.0.0.1 -no404 -T 349

» -no404: Skips recognition of missing files (far fewer requests)

» Test 3: Information disclosure

» Test 4: Injection (XSS/Script/HTML)

» Test 9: SQL injection


Nikto – Results (1)

We get all three kinds of results:

None (T 9):

» "ETag header found on server": This is potentially interesting, but normal and not a problem

– ETag: Used for caching; to determine whether a resource has changed since the last request

» "Allowed HTTP Methods: GET, HEAD, POST, OPTIONS"– This is rather restrictive already a no problem in itself

False positive (T 4):

» "OSVDB-6659: /ODpshb … XQyV<font%20size=50>DEFACED <!--//--: MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version."

– This server is using Apache, not MyWebServer

– Try this URL manually to see that it DOES echo the string to the output, but that it is properly escaped!


Nikto – Results (2)

Real (T 3):

"OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc."

» Another false (?) positive. This URL is accessible, but it is not /usr/doc!

» Try to find out which directory it actually is and test it, by putting a file there and accessing it via the webserver!

– It is "/usr/share/doc" → potentially a big problem!

"OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate lines in httpd.conf or restrict access to allowed hosts."

» This is the Apache status page

» Try to find out whether this is a problem

– Actually it is restricted to the local host, but this is not necessarily secure: What if we were running a web proxy on this host? Requests from the proxy would originate from the local host!


Conclusions

Investigating network traffic: Speed is a problem

GBit → MANY packets per second!

Filtering is essential

Despite help by the software, intimate knowledge of the protocol is still necessary

Many tools for finding vulnerabilities exist

Use them yourself, or someone will use them on you!

Interpreting the result is still often problematic

Is this really a problem? Or is it a false positive?

How do I fix this?

Commercial solutions are typically much better here, especially regarding the second problem!


Questions?

Thank you for your attention!
