CSC/ECE 517 Spring 2014/security audit: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
(→‎Overview: Added notes about results and future work)
(Added Overview section)
 
Line 1: Line 1:
= Results and Future Work =
= Overview =


This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication. The attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metaspolit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed by Rails properly, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.
This wiki documents the more interesting results of a security audit against the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metaspolit, NMap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by blackhats and whitehats alike.


= Scans =
= Scans =
Line 232: Line 232:
[*] Auxiliary module execution completed
[*] Auxiliary module execution completed
</pre>
</pre>
= Results and Future Work =
This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication. The attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metaspolit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed by Rails properly, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.

Latest revision as of 19:43, 8 May 2014

Overview

This wiki documents the more interesting results of a security audit against the main Expertiza server and the latest version of the Expertiza code. The audit made extensive use of Metaspolit, NMap, Wireshark and a few additional online scanners. These are realistic tools, used in the wild by blackhats and whitehats alike.

Scans

Basic server info

[~]$ nslookup http://expertiza.ncsu.edu
Server:		209.18.47.61
Address:	209.18.47.61#53

Non-authoritative answer:
Name:	http://expertiza.ncsu.edu
Address: 198.105.251.210
Name:	http://expertiza.ncsu.edu
Address: 66.152.109.110

Nmap scans

Collecting open ports.

[~]$ nmap -Pn 66.152.109.110

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
[~]$ nmap -Pn 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds

Full port scan. No SSH port was shown in the default scan, but it's possible it has been changed to a non-default port.

[~]$ nmap -Pn -p1-65535 66.152.109.110

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 65533 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds

Checking for a firewall (none evident).

[~]$ sudo nmap -sA 66.152.109.110
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.034s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
[~]$ sudo nmap -sA 198.105.251.210
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT
Nmap scan report for 198.105.251.210
Host is up (0.056s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

Check versions of running services.

[~]$ nmap -sV 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT
Nmap scan report for 198.105.251.210
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
443/tcp closed https

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Determine OS.

[~]$ sudo nmap -A -Pn 198.105.251.210
[sudo] password for daniel: 

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 410)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html).
443/tcp closed https
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   101.01 ms 10.0.0.1
2   136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1)
3   118.38 ms 66.26.47.101
4   118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0)
5   125.87 ms 107.14.19.42
6   118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200)
7   118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149)
8   146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2)
9   139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178)
10  146.84 ms 66.110.8.46
11  48.12 ms  10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129)
12  53.93 ms  216.187.124.60
13  48.89 ms  198.105.251.210

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds

Metasploit wmap

[~]$ msfconsole

       =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ]
+ -- --=[ 1299 exploits - 791 auxiliary - 217 post ]
+ -- --=[ 334 payloads - 35 encoders - 8 nops      ]

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://expertiza.ncsu.edu/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   152.14.105.146  152.14.105.146  80    http   0        0
msf > wmap_targets -t http://152.14.105.146/home.html
msf > wmap_targets -t http://152.14.105.146/home
msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   152.14.105.146  152.14.105.146  80    false	/home.html
     1   152.14.105.146  152.14.105.146  80    false	/home
msf > wmap_run -t
[*] Testing target:
[*] 	Site: 152.14.105.146 (152.14.105.146)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2014-04-21 02:33:20 -0400
[*] Loading wmap modules...
msf > wmap_run 
[*] 39 wmap enabled modules loaded.
<snip>
[*] Done.
msf > wmap_vulns -l
msf > # No vuls discovered

Metasploit dir_listing

msf > use auxiliary/scanner/http/dir_listing 
msf auxiliary(dir_listing) > show options 

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Metasploit WebDAV IIS6 Unicode vulnerability

msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_webdav_unicode_bypass) > run

[*] Using first 256 bytes of the response as 404 string
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Results and Future Work

This security audit addressed the HTTP server software and configuration, SQL injection attacks, XSS attacks and privilege escalation attacks via poorly coded checks. The major vulnerability that was detected and exploited was a result of the site's use of HTTP (cleartext) for all communication. The attacker was able to use Wireshark to quickly and easily intercept his own password. Perhaps more importantly, this audit should establish some confidence in the setup of the server used to host Expertiza. It withstood serious attacks from major tools like Metaspolit, which are very realistic examples of the types of automated scanning attacks the server is likely to face in practice. The site's use of cookies seems to be managed by Rails properly, preventing XSS attacks. The attacker was unable to find SQL injection attacks using sophisticated automated tools, but did note some sections of the codebase that don't follow SQL-related best practices. Two areas that need future study are the site's manual SQL code and privilege-related coding errors that could allow escalation attacks. The server itself and the site's protection against XSS attacks should be considered fairly robust at this time.