CSC/ECE 517 Spring 2014/security audit

From Expertiza_Wiki

Overview

This wiki page documents the more interesting results of a security audit against the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metasploit, Nmap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by black hats and white hats alike.

Scans

Basic server info

The lookup below was given the URL rather than the hostname, so the resolver was asked for the literal name "http://expertiza.ncsu.edu" instead of "expertiza.ncsu.edu". The two addresses it returned (198.105.251.210 and 66.152.109.110) are not the address the wmap run further down resolved for expertiza.ncsu.edu (152.14.105.146), and the reverse record for one of them is 66-152-109-110.tvc-ip.com rather than an ncsu.edu name. That is the pattern of an ISP resolver answering a non-existent name with its own redirect hosts, so the port, service and OS scans that follow most likely profile those hosts rather than the Expertiza server, and should be repeated against the address expertiza.ncsu.edu actually resolves to.

[~]$ nslookup http://expertiza.ncsu.edu
Server:		209.18.47.61
Address:	209.18.47.61#53

Non-authoritative answer:
Name:	http://expertiza.ncsu.edu
Address: 198.105.251.210
Name:	http://expertiza.ncsu.edu
Address: 66.152.109.110

Nmap scans

Collecting open TCP ports. -Pn skips host discovery, since ICMP echo is commonly blocked; the default scan covers only the 1000 most common ports.

[~]$ nmap -Pn 66.152.109.110

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
[~]$ nmap -Pn 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds

Full TCP port scan. No SSH port appeared in the default scan, but sshd may have been moved to a non-default port, so all 65535 TCP ports are probed here. UDP was not scanned.

[~]$ nmap -Pn -p1-65535 66.152.109.110

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 65533 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds

Checking for a firewall. In an ACK scan (-sA) a port is reported "unfiltered" when the host answers the unsolicited ACK with a RST and "filtered" when the probe is silently dropped. 998 of the 1000 probed ports were dropped and only 80 and 443 answered, so a stateful packet filter in front of the host is evident: it admits traffic to 80 and 443 and drops everything else. (The default scans above report 443 as closed, so the filter passes that port through to a host with nothing listening on it.)

[~]$ sudo nmap -sA 66.152.109.110
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.034s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
[~]$ sudo nmap -sA 198.105.251.210
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT
Nmap scan report for 198.105.251.210
Host is up (0.056s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

Check versions of running services. Version detection identifies nginx but no version number, which suggests the server is configured not to disclose it in its Server header.

[~]$ nmap -sV 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT
Nmap scan report for 198.105.251.210
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
443/tcp closed https

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Determine OS. -A enables OS detection, version detection, script scanning and traceroute; the OS guesses below are low-confidence, as nmap itself notes.

[~]$ sudo nmap -A -Pn 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 410)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html).
443/tcp closed https
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   101.01 ms 10.0.0.1
2   136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1)
3   118.38 ms 66.26.47.101
4   118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0)
5   125.87 ms 107.14.19.42
6   118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200)
7   118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149)
8   146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2)
9   139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178)
10  146.84 ms 66.110.8.46
11  48.12 ms  10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129)
12  53.93 ms  216.187.124.60
13  48.89 ms  198.105.251.210

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
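The following Ruby script is an added example, not part of the original audit. It extracts the DNS name from a URL the way nslookup should have been invoked, parses the PORT/STATE table of nmap's normal output, and draws the two conclusions the scans above support: a stateful filter is present when an ACK scan reports most ports filtered, and the web service is cleartext-only when 80 is open and 443 is not. SYN_SCAN and ACK_SCAN are copied from the output above; NO_FILTER_ACK is a constructed negative case with a hypothetical address.

```ruby
require 'uri'

# Copied from the default scan above (66.152.109.110).
SYN_SCAN = <<~NMAP
  Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
  Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
  Host is up (0.038s latency).
  Not shown: 998 filtered ports
  PORT    STATE  SERVICE
  80/tcp  open   http
  443/tcp closed https
NMAP

# Copied from the ACK scan above (66.152.109.110).
ACK_SCAN = <<~NMAP
  Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT
  Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
  Host is up (0.034s latency).
  Not shown: 998 filtered ports
  PORT    STATE      SERVICE
  80/tcp  unfiltered http
  443/tcp unfiltered https
NMAP

# Constructed: what -sA reports for a host with no packet filter (hypothetical address).
NO_FILTER_ACK = <<~NMAP
  Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:30 EDT
  Nmap scan report for 192.0.2.10
  Host is up (0.010s latency).
  All 1000 scanned ports on 192.0.2.10 are unfiltered
NMAP

# nslookup wants a hostname; strip the scheme and path from a URL.
# A bare hostname has no URI host component, so it is returned unchanged.
def dns_name_from_url(url)
  URI.parse(url).host || url
end

# Parse the PORT/STATE/SERVICE table into {"80/tcp" => "open", ...}.
def parse_nmap_ports(output)
  ports = {}
  output.each_line do |line|
    next unless line =~ %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+}
    ports["#{$1}/#{$2}"] = $3
  end
  ports
end

# The "Not shown: N <state> ports" summary line, as [count, state], or nil.
def not_shown(output)
  m = output.match(/Not shown: (\d+) (\w+) ports/)
  m ? [m[1].to_i, m[2]] : nil
end

# ACK-scan interpretation: many "filtered" ports with a few "unfiltered" ones
# means a stateful filter drops everything except the unfiltered ports.
# Returns nil when no filtering is evident.
def firewall_inference(ack_output)
  count, state = not_shown(ack_output)
  return nil unless state == 'filtered' && count.to_i > 0
  reachable = parse_nmap_ports(ack_output).select { |_, s| s == 'unfiltered' }.keys
  { dropped: count, reachable: reachable }
end

# Cleartext-only web service: HTTP is reachable but HTTPS is not.
def cleartext_only?(scan_output)
  ports = parse_nmap_ports(scan_output)
  ports['80/tcp'] == 'open' && ports['443/tcp'] != 'open'
end

if __FILE__ == $0
  puts "name to resolve: #{dns_name_from_url('http://expertiza.ncsu.edu')}"
  puts "filter: #{firewall_inference(ACK_SCAN).inspect}"
  puts "cleartext only: #{cleartext_only?(SYN_SCAN)}"
end
```

The script reads saved normal output; for anything beyond a one-off it is better to run nmap with -oX or -oG and parse that, but the inference rules are the same.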

Metasploit wmap

[~]$ msfconsole

       =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ]
+ -- --=[ 1299 exploits - 791 auxiliary - 217 post ]
+ -- --=[ 334 payloads - 35 encoders - 8 nops      ]

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://expertiza.ncsu.edu/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   152.14.105.146  152.14.105.146  80    http   0        0
msf > wmap_targets -t http://152.14.105.146/home.html
msf > wmap_targets -t http://152.14.105.146/home
msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   152.14.105.146  152.14.105.146  80    false	/home.html
     1   152.14.105.146  152.14.105.146  80    false	/home
msf > wmap_run -t
[*] Testing target:
[*] 	Site: 152.14.105.146 (152.14.105.146)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2014-04-21 02:33:20 -0400
[*] Loading wmap modules...
msf > wmap_run 
[*] 39 wmap enabled modules loaded.
<snip>
[*] Done.
msf > wmap_vulns -l
msf > # No vuls discovered

Metasploit dir_listing

msf > use auxiliary/scanner/http/dir_listing 
msf auxiliary(dir_listing) > show options 

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Metasploit WebDAV IIS6 Unicode vulnerability

This module checks for the IIS 6.0 WebDAV Unicode authentication bypass. It does not apply to the nginx host identified by the version scan, and like the dir_listing run it was pointed at 66.152.109.110, so its negative result says little.

msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_webdav_unicode_bypass) > run

[*] Using first 256 bytes of the response as 404 string
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Results and Future Work

This security audit addressed the HTTP server software and configuration, SQL injection, XSS, and privilege escalation through poorly coded authorization checks. The major vulnerability detected and exploited was the site's use of cleartext HTTP for all communication, including login: with Wireshark the attacker was able to quickly and easily intercept his own password, and anyone on the network path could do the same. The fix is to serve the site over HTTPS only, redirecting HTTP to HTTPS and marking the session cookie Secure. Beyond that finding, the audit should establish some confidence in the setup of the server used to host Expertiza. It withstood automated scanning by Metasploit's wmap, which is a realistic example of the scanning the server is likely to face in practice; note, however, that the nmap and Metasploit auxiliary scans above were run against addresses that do not match the one wmap resolved for expertiza.ncsu.edu, and should be repeated against the correct host before the port, service and OS results are relied on. Session cookies appear to be handled by Rails' defaults, which flag the cookie HttpOnly so injected script cannot read it; this limits what an XSS payload could steal but does not by itself prevent XSS, and no XSS was found. The attacker was unable to find SQL injection using automated tools, but did note some sections of the codebase that do not follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.
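An added example, not code from the audit or from Expertiza, of what the cleartext finding exposes and how to check that the fix is in place. CAPTURED_LOGIN_POST is a constructed login request as Wireshark's "Follow TCP Stream" would display it on a plain-HTTP site; the host name and the form field names login[name] and login[password] are hypothetical, not Expertiza's. The second half checks the two things an HTTPS-only deployment must show: a redirect from http:// to https:// carrying a Strict-Transport-Security header, and Secure and HttpOnly flags on the session cookie. HARDENED_RESPONSE is likewise constructed.

```ruby
require 'uri'

# Constructed: a login POST as it travels over HTTP. Every byte of this,
# including the password, is readable by anyone on the path.
CAPTURED_LOGIN_POST = <<~HTTP
  POST /login HTTP/1.1\r
  Host: expertiza.example\r
  Content-Type: application/x-www-form-urlencoded\r
  Content-Length: 48\r
  \r
  login%5Bname%5D=alice&login%5Bpassword%5D=s3cret
HTTP

# Constructed: the response a correctly configured server gives to an http:// request.
HARDENED_RESPONSE = <<~HTTP
  HTTP/1.1 301 Moved Permanently\r
  Location: https://expertiza.example/login\r
  Strict-Transport-Security: max-age=31536000\r
  \r
HTTP

# Split the request into head and body and decode the form body.
# Field names login[name]/login[password] are assumed for this example.
def credentials_from_http(raw_request)
  _head, body = raw_request.split("\r\n\r\n", 2)
  fields = URI.decode_www_form(body.to_s.strip).to_h
  { 'user' => fields['login[name]'], 'password' => fields['login[password]'] }
end

# Attribute flags on a Set-Cookie header value. Secure keeps the browser from
# ever sending the cookie over HTTP; HttpOnly keeps script from reading it.
def cookie_flags(set_cookie_value)
  attrs = set_cookie_value.split(';').drop(1).map { |a| a.strip.downcase }
  { secure: attrs.include?('secure'), httponly: attrs.include?('httponly') }
end

# True when an http:// request is answered with a redirect to an https:// URL
# and the response announces HSTS, i.e. the server refuses cleartext service.
def forces_https?(raw_response)
  status, *headers = raw_response.split("\r\n")
  code = status.to_s.split(' ')[1].to_i
  location = headers.grep(/\ALocation:/i).first.to_s.sub(/\ALocation:\s*/i, '')
  hsts = headers.any? { |h| h =~ /\AStrict-Transport-Security:/i }
  [301, 302, 307, 308].include?(code) && location.start_with?('https://') && hsts
end

if __FILE__ == $0
  puts "sniffed: #{credentials_from_http(CAPTURED_LOGIN_POST).inspect}"
  puts "cookie flags: #{cookie_flags('_session_id=abc123; path=/; HttpOnly').inspect}"
  puts "forces https: #{forces_https?(HARDENED_RESPONSE)}"
end
```

In Rails 3.1 and later, `config.force_ssl = true` in config/environments/production.rb produces exactly the behaviour the last two checks look for: HTTP requests are redirected to HTTPS, the session cookie is flagged Secure, and a Strict-Transport-Security header is added. The web server in front of Rails must of course terminate TLS on 443, which the scans above show was not listening.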