CSC/ECE 517 Spring 2014/security audit

From Expertiza_Wiki
Revision as of 21:17, 29 April 2014 by Drfarrel (talk | contribs)
Jump to navigation Jump to search

Overview

This page will document a security audit of Expertiza.

Scans

Basic server info

[~]$ nslookup http://expertiza.ncsu.edu
Server:		209.18.47.61
Address:	209.18.47.61#53

Non-authoritative answer:
Name:	http://expertiza.ncsu.edu
Address: 198.105.251.210
Name:	http://expertiza.ncsu.edu
Address: 66.152.109.110

Nmap scans

Collecting open ports.

[~]$ nmap -Pn 66.152.109.110

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
[~]$ nmap -Pn 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:18 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds

Full port scan. No SSH port was shown in the default scan, but it's possible it has been changed to a non-default port.

[~]$ nmap -Pn -p1-65535 66.152.109.110

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 17:03 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.038s latency).
Not shown: 65533 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 128.19 seconds

Checking for a firewall (none evident).

[~]$ sudo nmap -sA 66.152.109.110
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:26 EDT
Nmap scan report for 66-152-109-110.tvc-ip.com (66.152.109.110)
Host is up (0.034s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
[~]$ sudo nmap -sA 198.105.251.210
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-29 16:57 EDT
Nmap scan report for 198.105.251.210
Host is up (0.056s latency).
Not shown: 998 filtered ports
PORT    STATE      SERVICE
80/tcp  unfiltered http
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

Check versions of running services.

[~]$ nmap -sV 198.105.251.210

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:21 EDT
Nmap scan report for 198.105.251.210
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
443/tcp closed https

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds

Determine OS.

[~]$ sudo nmap -A -Pn 198.105.251.210
[sudo] password for daniel: 

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-21 03:29 EDT
Nmap scan report for 198.105.251.210
Host is up (0.058s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 410)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html).
443/tcp closed https
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), D-Link DIR-615, Encore 3G, or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   101.01 ms 10.0.0.1
2   136.69 ms cpe-075-182-096-001.nc.res.rr.com (75.182.96.1)
3   118.38 ms 66.26.47.101
4   118.44 ms ae19.rlghncpop-rtr1.southeast.rr.com (24.93.64.0)
5   125.87 ms 107.14.19.42
6   118.50 ms ae0.pr1.dca10.tbone.rr.com (107.14.17.200)
7   118.50 ms ix-17-0.tcore2.AEQ-Ashburn.as6453.net (216.6.87.149)
8   146.79 ms if-2-2.tcore1.AEQ-Ashburn.as6453.net (216.6.87.2)
9   139.47 ms if-7-2.tcore1.MLN-Miami.as6453.net (66.198.154.178)
10  146.84 ms 66.110.8.46
11  48.12 ms  10ge-ten1-2.mia-89p-cor-2.peer1.net (216.187.124.129)
12  53.93 ms  216.187.124.60
13  48.89 ms  198.105.251.210

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds

Metasploit wmap

[~]$ msfconsole

       =[ metasploit v4.9.2-2014040906 [core:4.9 api:1.0] ]
+ -- --=[ 1299 exploits - 791 auxiliary - 217 post ]
+ -- --=[ 334 payloads - 35 encoders - 8 nops      ]

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://expertiza.ncsu.edu/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host            Vhost           Port  Proto  # Pages  # Forms
     --  ----            -----           ----  -----  -------  -------
     0   152.14.105.146  152.14.105.146  80    http   0        0
msf > wmap_targets -t http://152.14.105.146/home.html
msf > wmap_targets -t http://152.14.105.146/home
msf > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost           Host            Port  SSL    Path
     --  -----           ----            ----  ---    ----
     0   152.14.105.146  152.14.105.146  80    false	/home.html
     1   152.14.105.146  152.14.105.146  80    false	/home
msf > wmap_run -t
[*] Testing target:
[*] 	Site: 152.14.105.146 (152.14.105.146)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2014-04-21 02:33:20 -0400
[*] Loading wmap modules...
msf > wmap_run 
[*] 39 wmap enabled modules loaded.
<snip>
[*] Done.
msf > wmap_vulns -l
msf > # No vuls discovered

Metasploit dir_listing

msf > use auxiliary/scanner/http/dir_listing 
msf auxiliary(dir_listing) > show options 

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 66.152.109.110
RHOSTS => 66.152.109.110
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Metasploit WebDAV IIS6 Unicode vulnerability

msf auxiliary(dir_webdav_unicode_bypass) > run

[*] Using first 256 bytes of the response as 404 string
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed