CSC/ECE 517 Spring 2014/security audit: Difference between revisions
Jump to navigation
Jump to search
(Added basic nmap scans, better formatting) |
(→Nmap scans: Added many more scan results) |
||
Line 20: | Line 20: | ||
== Nmap scans == | == Nmap scans == | ||
Collecting open ports. | |||
<pre> | <pre> | ||
[~]$ nmap -Pn 66.152.109.110 | [~]$ nmap -Pn 66.152.109.110 | ||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | ||
Line 33: | Line 35: | ||
Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds | Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds | ||
[~]$ nmap -Pn 198.105.251.210 | [~]$ nmap -Pn 198.105.251.210 | ||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT | ||
Line 44: | Line 46: | ||
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds | Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds | ||
</pre> | |||
Checking for a firewall (none evident). | |||
<pre> | |||
[~]$ sudo nmap -sA 66.152.109.110 | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT | |||
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) | |||
Host is up (0.034s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE | |||
80/tcp unfiltered http | |||
443/tcp unfiltered https | |||
Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds | |||
</pre> | |||
Check versions of running services. | |||
<pre> | |||
[~]$ nmap -sV 198.105.251.210 | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT | |||
Nmap scan report for 198.105.251.210 | |||
Host is up (0.069s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE VERSION | |||
80/tcp open http nginx | |||
443/tcp closed https | |||
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . | |||
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds | |||
</pre> | |||
Determine OS. | |||
<pre> | |||
[~]$ sudo nmap -A -Pn 198.105.251.210 | |||
[sudo] password for daniel: | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT | |||
Nmap scan report for 198.105.251.210 | |||
Host is up (0.058s latency). | |||
Not shown: 998 filtered ports | |||
PORT STATE SERVICE VERSION | |||
80/tcp open http nginx | |||
|_http-methods: No Allow or Public header in OPTIONS response (status code 410) | |||
| http-robots.txt: 1 disallowed entry | |||
|_/ | |||
|_http-title: Site doesn't have a title (text/html). | |||
443/tcp closed https | |||
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%) | |||
No exact OS matches for host (test conditions non-ideal). | |||
Network Distance: 13 hops | |||
TRACEROUTE (using port 443/tcp) | |||
HOP RTT ADDRESS | |||
1 101.01 ms 10.0.0.1 | |||
2 136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1) | |||
3 118.38 ms 66.26.47.101 | |||
4 118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0) | |||
5 125.87 ms 107.14.19.42 | |||
6 118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200) | |||
7 118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149) | |||
8 146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2) | |||
9 139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178) | |||
10 146.84 ms 66.110.8.46 | |||
11 48.12 ms 10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129) | |||
12 53.93 ms 216.187.124.60 | |||
13 48.89 ms 198.105.251.210 | |||
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . | |||
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds | |||
</pre> | </pre> | ||
Revision as of 07:31, 21 April 2014
Overview
This page will document a security audit of Expertiza.
Scans
Basic server info
[~]$ nslookup http://expertiza.ncsu.edu Server: 209.18.47.61 Address: 209.18.47.61#53 Non-authoritative answer: Name: http://expertiza.ncsu.edu Address: 198.105.251.210 Name: http://expertiza.ncsu.edu Address: 66.152.109.110
Nmap scans
Collecting open ports.
[~]$ nmap -Pn 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.038s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds [~]$ nmap -Pn 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
Checking for a firewall (none evident).
[~]$ sudo nmap -sA 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.034s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp unfiltered http 443/tcp unfiltered https Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
Check versions of running services.
[~]$ nmap -sV 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT Nmap scan report for 198.105.251.210 Host is up (0.069s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx 443/tcp closed https Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
Determine OS.
[~]$ sudo nmap -A -Pn 198.105.251.210 [sudo] password for daniel: Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 410) | http-robots.txt: 1 disallowed entry |_/ |_http-title: Site doesn't have a title (text/html). 443/tcp closed https Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 13 hops TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 101.01 ms 10.0.0.1 2 136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1) 3 118.38 ms 66.26.47.101 4 118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0) 5 125.87 ms 107.14.19.42 6 118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200) 7 118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149) 8 146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2) 9 139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178) 10 146.84 ms 66.110.8.46 11 48.12 ms 10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129) 12 53.93 ms 216.187.124.60 13 48.89 ms 198.105.251.210 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
Metasploit wmap
[~]$ msfconsole =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ] + -- --=[ 1299 exploits - 791 auxiliary - 217 post ] + -- --=[ 334 payloads - 35 encoders - 8 nops ] msf > load wmap .-.-.-..-.-.-..---..---. | | | || | | || | || |-' `-----'`-'-'-'`-^-'`-' [WMAP 1.5.1] === et [ ] metasploit.com 2012 [*] Successfully loaded plugin: wmap msf > wmap_sites -a http://expertiza.ncsu.edu/ [*] Site created. msf > wmap_sites -l [*] Available sites =============== Id Host Vhost Port Proto # Pages # Forms -- ---- ----- ---- ----- ------- ------- 0 152.14.105.146 152.14.105.146 80 http 0 0 msf > wmap_targets -t http://152.14.105.146/home.html msf > wmap_targets -t http://152.14.105.146/home msf > wmap_targets -l [*] Defined targets =============== Id Vhost Host Port SSL Path -- ----- ---- ---- --- ---- 0 152.14.105.146 152.14.105.146 80 false /home.html 1 152.14.105.146 152.14.105.146 80 false /home msf > wmap_run -t [*] Testing target: [*] Site: 152.14.105.146 (152.14.105.146) [*] Port: 80 SSL: false ============================================================ [*] Testing started. 2014-04-21 02:33:20 -0400 [*] Loading wmap modules... msf > wmap_run [*] 39 wmap enabled modules loaded. <snip> [*] Done. msf > wmap_vulns -l msf > # No vuls discovered