CSC/ECE 517 Spring 2014/security audit: Difference between revisions
(Added basic nmap scans, better formatting) |
(Added Overview section) |
||
(4 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Overview = | = Overview = | ||
This | This wiki documents the more interesting results of a security audit against the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metaspolit, NMap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by blackhats and whitehats alike. | ||
= Scans = | = Scans = | ||
Line 20: | Line 20: | ||
== Nmap scans == | == Nmap scans == | ||
Collecting open ports. | |||
<pre> | <pre> | ||
[~]$ nmap -Pn 66.152.109.110 | [~]$ nmap -Pn 66.152.109.110 | ||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | ||
Line 33: | Line 35: | ||
Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds | Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds | ||
[~]$ nmap -Pn 198.105.251.210 | [~]$ nmap -Pn 198.105.251.210 | ||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | ||
Line 44: | Line 46: | ||
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds | Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds | ||
</pre> | |||
Full port scan. No SSH port was shown in the default scan, but it's possible it has been changed to a non-default port. | |||
<pre> | |||
[~]$ nmap -Pn -p1-65535 66.152.109.110 | |||
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT | |||
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) | |||
Host is up (0.038s latency). | |||
Not shown: 65533 filtered ports | |||
PORT STATE SERVICE | |||
80/tcp open http | |||
443/tcp closed https | |||
Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds | |||
</pre> | |||
Checking for a firewall (none evident). | |||
<pre> | |||
[~]$ sudo nmap -sA 66.152.109.110 | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT | |||
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) | |||
Host is up (0.034s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE | |||
80/tcp unfiltered http | |||
443/tcp unfiltered https | |||
Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds | |||
[~]$ sudo nmap -sA 198.105.251.210 | |||
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT | |||
Nmap scan report for 198.105.251.210 | |||
Host is up (0.056s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE | |||
80/tcp unfiltered http | |||
443/tcp unfiltered https | |||
Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds | |||
</pre> | |||
Check versions of running services. | |||
<pre> | |||
[~]$ nmap -sV 198.105.251.210 | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT | |||
Nmap scan report for 198.105.251.210 | |||
Host is up (0.069s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE VERSION | |||
80/tcp open http nginx | |||
443/tcp closed https | |||
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . | |||
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds | |||
</pre> | |||
Determine OS. | |||
<pre> | |||
[~]$ sudo nmap -A -Pn 198.105.251.210 | |||
[sudo] password for daniel: | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT | |||
Nmap scan report for 198.105.251.210 | |||
Host is up (0.058s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE VERSION | |||
80/tcp open http nginx | |||
|_http-methods: No Allow or Public header in OPTIONS response (status code 410) | |||
| http-robots.txt: 1 disallowed entry | |||
|_/ | |||
|_http-title: Site doesn't have a title (text/html). | |||
443/tcp closed https | |||
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%) | |||
No exact OS matches for host (test conditions non-ideal). | |||
Network Distance: 13 hops | |||
TRACEROUTE (using port 443/tcp) | |||
HOP RTT ADDRESS | |||
1 101.01 ms 10.0.0.1 | |||
2 136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1) | |||
3 118.38 ms 66.26.47.101 | |||
4 118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0) | |||
5 125.87 ms 107.14.19.42 | |||
6 118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200) | |||
7 118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149) | |||
8 146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2) | |||
9 139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178) | |||
10 146.84 ms 66.110.8.46 | |||
11 48.12 ms 10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129) | |||
12 53.93 ms 216.187.124.60 | |||
13 48.89 ms 198.105.251.210 | |||
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . | |||
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds | |||
</pre> | </pre> | ||
Line 95: | Line 196: | ||
msf > # No vuls discovered | msf > # No vuls discovered | ||
</pre> | </pre> | ||
== Metasploit dir_listing == | |||
<pre> | |||
msf > use auxiliary/scanner/http/dir_listing | |||
msf auxiliary(dir_listing) > show options | |||
Module options (auxiliary/scanner/http/dir_listing): | |||
Name Current Setting Required Description | |||
---- --------------- -------- ----------- | |||
PATH / yes The path to identify directoy listing | |||
Proxies no Use a proxy chain | |||
RHOSTS yes The target address range or CIDR identifier | |||
RPORT 80 yes The target port | |||
THREADS 1 yes The number of concurrent threads | |||
VHOST no HTTP server virtual host | |||
msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110 | |||
RHOSTS => 66.152.109.110 | |||
msf auxiliary(dir_listing) > run | |||
[*] Scanned 1 of 1 hosts (100% complete) | |||
[*] Auxiliary module execution completed | |||
</pre> | |||
== Metasploit WebDAV IIS6 Unicode vulnerability == | |||
<pre> | |||
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass | |||
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110 | |||
RHOSTS => 66.152.109.110 | |||
msf auxiliary(dir_webdav_unicode_bypass) > run | |||
[*] Using first 256 bytes of the response as 404 string | |||
[*] Scanned 1 of 1 hosts (100% complete) | |||
[*] Auxiliary module execution completed | |||
</pre> | |||
= Results and Future Work = | |||
This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication. The attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metaspolit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed by Rails properly, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time. |
Latest revision as of 19:43, 8 May 2014
Overview
This wiki documents the more interesting results of a security audit against the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metaspolit, NMap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by blackhats and whitehats alike.
Scans
Basic server info
[~]$ nslookup http://expertiza.ncsu.edu Server: 209.18.47.61 Address: 209.18.47.61#53 Non-authoritative answer: Name: http://expertiza.ncsu.edu Address: 198.105.251.210 Name: http://expertiza.ncsu.edu Address: 66.152.109.110
Nmap scans
Collecting open ports.
[~]$ nmap -Pn 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.038s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds [~]$ nmap -Pn 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
Full port scan. No SSH port was shown in the default scan, but it's possible it has been changed to a non-default port.
[~]$ nmap -Pn -p1-65535 66.152.109.110 Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.038s latency). Not shown: 65533 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds
Checking for a firewall (none evident).
[~]$ sudo nmap -sA 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.034s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp unfiltered http 443/tcp unfiltered https Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds [~]$ sudo nmap -sA 198.105.251.210 Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT Nmap scan report for 198.105.251.210 Host is up (0.056s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp unfiltered http 443/tcp unfiltered https Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds
Check versions of running services.
[~]$ nmap -sV 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT Nmap scan report for 198.105.251.210 Host is up (0.069s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx 443/tcp closed https Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
Determine OS.
[~]$ sudo nmap -A -Pn 198.105.251.210 [sudo] password for daniel: Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 410) | http-robots.txt: 1 disallowed entry |_/ |_http-title: Site doesn't have a title (text/html). 443/tcp closed https Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 13 hops TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 101.01 ms 10.0.0.1 2 136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1) 3 118.38 ms 66.26.47.101 4 118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0) 5 125.87 ms 107.14.19.42 6 118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200) 7 118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149) 8 146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2) 9 139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178) 10 146.84 ms 66.110.8.46 11 48.12 ms 10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129) 12 53.93 ms 216.187.124.60 13 48.89 ms 198.105.251.210 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
Metasploit wmap
[~]$ msfconsole =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ] + -- --=[ 1299 exploits - 791 auxiliary - 217 post ] + -- --=[ 334 payloads - 35 encoders - 8 nops ] msf > load wmap .-.-.-..-.-.-..---..---. | | | || | | || | || |-' `-----'`-'-'-'`-^-'`-' [WMAP 1.5.1] === et [ ] metasploit.com 2012 [*] Successfully loaded plugin: wmap msf > wmap_sites -a http://expertiza.ncsu.edu/ [*] Site created. msf > wmap_sites -l [*] Available sites =============== Id Host Vhost Port Proto # Pages # Forms -- ---- ----- ---- ----- ------- ------- 0 152.14.105.146 152.14.105.146 80 http 0 0 msf > wmap_targets -t http://152.14.105.146/home.html msf > wmap_targets -t http://152.14.105.146/home msf > wmap_targets -l [*] Defined targets =============== Id Vhost Host Port SSL Path -- ----- ---- ---- --- ---- 0 152.14.105.146 152.14.105.146 80 false /home.html 1 152.14.105.146 152.14.105.146 80 false /home msf > wmap_run -t [*] Testing target: [*] Site: 152.14.105.146 (152.14.105.146) [*] Port: 80 SSL: false ============================================================ [*] Testing started. 2014-04-21 02:33:20 -0400 [*] Loading wmap modules... msf > wmap_run [*] 39 wmap enabled modules loaded. <snip> [*] Done. msf > wmap_vulns -l msf > # No vuls discovered
Metasploit dir_listing
msf > use auxiliary/scanner/http/dir_listing msf auxiliary(dir_listing) > show options Module options (auxiliary/scanner/http/dir_listing): Name Current Setting Required Description ---- --------------- -------- ----------- PATH / yes The path to identify directoy listing Proxies no Use a proxy chain RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual host msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110 RHOSTS => 66.152.109.110 msf auxiliary(dir_listing) > run [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Metasploit WebDAV IIS6 Unicode vulnerability
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110 RHOSTS => 66.152.109.110 msf auxiliary(dir_webdav_unicode_bypass) > run [*] Using first 256 bytes of the response as 404 string [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Results and Future Work
This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication. The attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metaspolit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed by Rails properly, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.