CSC/ECE 517 Spring 2014/security audit: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 223: | Line 223: | ||
== Metasploit WebDAV IIS6 Unicode vulnerability == | == Metasploit WebDAV IIS6 Unicode vulnerability == | ||
<pre> | <pre> | ||
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass | |||
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110 | |||
RHOSTS => 66.152.109.110 | |||
msf auxiliary(dir_webdav_unicode_bypass) > run | msf auxiliary(dir_webdav_unicode_bypass) > run | ||
Revision as of 21:20, 29 April 2014
Overview
This page will document a security audit of Expertiza.
Scans
Basic server info
[~]$ nslookup http://expertiza.ncsu.edu Server: 209.18.47.61 Address: 209.18.47.61#53 Non-authoritative answer: Name: http://expertiza.ncsu.edu Address: 198.105.251.210 Name: http://expertiza.ncsu.edu Address: 66.152.109.110
Nmap scans
Collecting open ports.
[~]$ nmap -Pn 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.038s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds [~]$ nmap -Pn 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
Full port scan. No SSH port was shown in the default scan, but it's possible it has been changed to a non-default port.
[~]$ nmap -Pn -p1-65535 66.152.109.110 Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.038s latency). Not shown: 65533 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds
Checking for a firewall (none evident).
[~]$ sudo nmap -sA 66.152.109.110 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110) Host is up (0.034s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp unfiltered http 443/tcp unfiltered https Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds [~]$ sudo nmap -sA 198.105.251.210 Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT Nmap scan report for 198.105.251.210 Host is up (0.056s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp unfiltered http 443/tcp unfiltered https Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds
Check versions of running services.
[~]$ nmap -sV 198.105.251.210 Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT Nmap scan report for 198.105.251.210 Host is up (0.069s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx 443/tcp closed https Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
Determine OS.
[~]$ sudo nmap -A -Pn 198.105.251.210 [sudo] password for daniel: Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT Nmap scan report for 198.105.251.210 Host is up (0.058s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 410) | http-robots.txt: 1 disallowed entry |_/ |_http-title: Site doesn't have a title (text/html). 443/tcp closed https Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 13 hops TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 101.01 ms 10.0.0.1 2 136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1) 3 118.38 ms 66.26.47.101 4 118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0) 5 125.87 ms 107.14.19.42 6 118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200) 7 118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149) 8 146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2) 9 139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178) 10 146.84 ms 66.110.8.46 11 48.12 ms 10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129) 12 53.93 ms 216.187.124.60 13 48.89 ms 198.105.251.210 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds
Metasploit wmap
[~]$ msfconsole =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ] + -- --=[ 1299 exploits - 791 auxiliary - 217 post ] + -- --=[ 334 payloads - 35 encoders - 8 nops ] msf > load wmap .-.-.-..-.-.-..---..---. | | | || | | || | || |-' `-----'`-'-'-'`-^-'`-' [WMAP 1.5.1] === et [ ] metasploit.com 2012 [*] Successfully loaded plugin: wmap msf > wmap_sites -a http://expertiza.ncsu.edu/ [*] Site created. msf > wmap_sites -l [*] Available sites =============== Id Host Vhost Port Proto # Pages # Forms -- ---- ----- ---- ----- ------- ------- 0 152.14.105.146 152.14.105.146 80 http 0 0 msf > wmap_targets -t http://152.14.105.146/home.html msf > wmap_targets -t http://152.14.105.146/home msf > wmap_targets -l [*] Defined targets =============== Id Vhost Host Port SSL Path -- ----- ---- ---- --- ---- 0 152.14.105.146 152.14.105.146 80 false /home.html 1 152.14.105.146 152.14.105.146 80 false /home msf > wmap_run -t [*] Testing target: [*] Site: 152.14.105.146 (152.14.105.146) [*] Port: 80 SSL: false ============================================================ [*] Testing started. 2014-04-21 02:33:20 -0400 [*] Loading wmap modules... msf > wmap_run [*] 39 wmap enabled modules loaded. <snip> [*] Done. msf > wmap_vulns -l msf > # No vuls discovered
Metasploit dir_listing
msf > use auxiliary/scanner/http/dir_listing msf auxiliary(dir_listing) > show options Module options (auxiliary/scanner/http/dir_listing): Name Current Setting Required Description ---- --------------- -------- ----------- PATH / yes The path to identify directoy listing Proxies no Use a proxy chain RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual host msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110 RHOSTS => 66.152.109.110 msf auxiliary(dir_listing) > run [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Metasploit WebDAV IIS6 Unicode vulnerability
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110 RHOSTS => 66.152.109.110 msf auxiliary(dir_webdav_unicode_bypass) > run [*] Using first 256 bytes of the response as 404 string [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed