CSC/ECE 517 Spring 2014/security audit: Difference between revisions

From Expertiza_Wiki
Latest revision as of 19:43, 8 May 2014

Overview

This page documents the more interesting results of a security audit of the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metasploit, Nmap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by black hats and white hats alike.

Scans

Basic server info

[~]$ nslookup http://expertiza.ncsu.edu
Server:		209.18.47.61
Address:	209.18.47.61#53

Non-authoritative answer:
Name:	http://expertiza.ncsu.edu
Address: 198.105.251.210
Name:	http://expertiza.ncsu.edu
Address: 66.152.109.110

Nmap scans

Collecting open ports.

[~]$ nmap -Pn 66.152.109.110

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
[~]$ nmap -Pn 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds

Full port scan. The default scan showed no SSH port, but it is possible SSH has been moved to a non-default port.

[~]$ nmap -Pn -p1-65535 66.152.109.110

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 65533 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds

Checking for a firewall (none evident).

[~]$ sudo nmap -sA 66.152.109.110
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.034s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
[~]$ sudo nmap -sA 198.105.251.210
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT
Nmap scan report for 198.105.251.210
Host is up (0.056s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

Check versions of running services.

[~]$ nmap -sV 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT
Nmap scan report for 198.105.251.210
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
443/tcp closed https

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Determine OS.

[~]$ sudo nmap -A -Pn 198.105.251.210
[sudo] password for daniel: 

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 410)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html).
443/tcp closed https
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   101.01 ms 10.0.0.1
2   136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1)
3   118.38 ms 66.26.47.101
4   118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0)
5   125.87 ms 107.14.19.42
6   118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200)
7   118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149)
8   146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2)
9   139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178)
10  146.84 ms 66.110.8.46
11  48.12 ms  10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129)
12  53.93 ms  216.187.124.60
13  48.89 ms  198.105.251.210

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
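As an added illustration that is not part of the original audit, the following Python script parses Nmap's normal output exactly as pasted above and applies the two checks this audit cares about: a web server reachable over cleartext HTTP with no HTTPS, and any open port outside the expected set. The first sample is copied from the scan above; the second host (`host.example`, 192.0.2.10) is constructed to exercise the unexpected-port path.

```python
import re
from typing import Dict, List, Tuple

# Sample 1: verbatim lines from the audit's "nmap -Pn 66.152.109.110" run above.
NMAP_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
"""

# Sample 2: constructed (not from the page) to show a host with SSH exposed and HTTPS enabled.
CONSTRUCTED_OUTPUT = """\
Nmap scan report for host.example (192.0.2.10)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 6.6
80/tcp   open   http    nginx
443/tcp  open   https   nginx
"""

# Port table rows look like "80/tcp  open   http [version...]"; header rows do not match.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Map (port, proto) -> (state, service) from Nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def audit_findings(ports: Dict[Tuple[int, str], Tuple[str, str]],
                   allowed=frozenset({80, 443})) -> List[str]:
    """Return human-readable findings: cleartext-only web service, unexpected open ports."""
    findings = []
    http_state = ports.get((80, "tcp"), ("", ""))[0]
    https_state = ports.get((443, "tcp"), ("", ""))[0]
    if http_state == "open" and https_state != "open":
        findings.append("cleartext-only: HTTP open on 80/tcp but HTTPS on 443/tcp is "
                        + (https_state or "absent"))
    for (port, proto), (state, service) in sorted(ports.items()):
        if state == "open" and port not in allowed:
            findings.append(f"unexpected open port {port}/{proto} ({service})")
    return findings
```

Run against the audit's own scan it reports only the cleartext-only finding, which is the issue the Results section below identifies as the major vulnerability.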

Metasploit wmap

[~]$ msfconsole

       =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ]
+ -- --=[ 1299 exploits - 791 auxiliary - 217 post ]
+ -- --=[ 334 payloads - 35 encoders - 8 nops      ]

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://expertiza.ncsu.edu/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   152.14.105.146  152.14.105.146  80    http   0        0
msf > wmap_targets -t http://152.14.105.146/home.html
msf > wmap_targets -t http://152.14.105.146/home
msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   152.14.105.146  152.14.105.146  80    false	/home.html
     1   152.14.105.146  152.14.105.146  80    false	/home
msf > wmap_run -t
[*] Testing target:
[*] 	Site: 152.14.105.146 (152.14.105.146)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2014-04-21 02:33:20 -0400
[*] Loading wmap modules...
msf > wmap_run 
[*] 39 wmap enabled modules loaded.
<snip>
[*] Done.
msf > wmap_vulns -l
msf > # No vuls discovered

Metasploit dir_listing

msf > use auxiliary/scanner/http/dir_listing 
msf auxiliary(dir_listing) > show options 

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Metasploit WebDAV IIS6 Unicode vulnerability

msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_webdav_unicode_bypass) > run

[*] Using first 256 bytes of the response as 404 string
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Results and Future Work

This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication: the attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metasploit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed properly by Rails, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.